Reversing : The Hacker's Guide to Reverse Engineering
Active Antidebugger Techniques Because a large part of the reversing process often takes place inside a debugger, it is someti ...
the program (such as the address of a certain variable) or it could simply be a code address within the executable (in which cas ...
code retrieves offset +30 from the Thread Environment Block (TEB) data structure, which points to the current process’s PEB. T ...
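As an added illustration (my code, not the book's), the same TEB-to-PEB walk written out in C so the offsets can be checked against a constructed memory image. The x86 offsets the text refers to are TEB+0x30 for the PEB pointer and PEB+0x02 for the BeingDebugged byte, which is all IsDebuggerPresent() reads. The NtGlobalFlag check at PEB+0x68 and the x64 offsets go beyond the text and are included for comparison. The live routine uses the MSVC intrinsics __readfsdword/__readgsqword and builds only on Windows; the fake image, the addresses 0x1000/0x2000 and every helper name are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _MSC_VER
#include <intrin.h>
#endif

/* TEB/PEB offsets. The x86 values are the ones the text's code relies on;
 * the x64 equivalents are listed for comparison. */
#define TEB_PEB_X86          0x30 /* TEB.ProcessEnvironmentBlock on x86 */
#define TEB_PEB_X64          0x60 /* TEB.ProcessEnvironmentBlock on x64 */
#define PEB_BEING_DEBUGGED   0x02 /* PEB.BeingDebugged, same on both */
#define PEB_NTGLOBALFLAG_X86 0x68 /* PEB.NtGlobalFlag on x86 (0xBC on x64) */
#define FLG_HEAP_DEBUG_BITS  0x70 /* TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS */

/* Walk a 32-bit TEB: PEB pointer at TEB+0x30, BeingDebugged byte at PEB+2.
 * `mem` is the address space under inspection and `teb` an offset into it,
 * so the same routine works on a memory dump or on a constructed image. */
int being_debugged_x86(const uint8_t *mem, uint32_t teb) {
    uint32_t peb;
    memcpy(&peb, mem + teb + TEB_PEB_X86, sizeof peb); /* pointer as stored */
    return mem[peb + PEB_BEING_DEBUGGED] != 0;
}

/* Second, independent tell-tale in the same PEB: a process that was created
 * by a debugger has the heap-debugging bits set in NtGlobalFlag. */
int nt_global_flag_set_x86(const uint8_t *mem, uint32_t teb) {
    uint32_t peb, flags;
    memcpy(&peb, mem + teb + TEB_PEB_X86, sizeof peb);
    memcpy(&flags, mem + peb + PEB_NTGLOBALFLAG_X86, sizeof flags);
    return (flags & FLG_HEAP_DEBUG_BITS) == FLG_HEAP_DEBUG_BITS;
}

/* Live check on the running process: the read IsDebuggerPresent() performs.
 * fs (x86) / gs (x64) point at the current thread's TEB. Builds only with
 * MSVC on Windows; elsewhere it reports -1 (not available). */
int being_debugged_live(void) {
#if defined(_MSC_VER) && defined(_M_IX86)
    uint32_t peb = __readfsdword(TEB_PEB_X86);
    return *(volatile uint8_t *)(uintptr_t)(peb + PEB_BEING_DEBUGGED) != 0;
#elif defined(_MSC_VER) && defined(_M_X64)
    uint64_t peb = __readgsqword(TEB_PEB_X64);
    return *(volatile uint8_t *)(uintptr_t)(peb + PEB_BEING_DEBUGGED) != 0;
#else
    return -1;
#endif
}

/* Constructed 32-bit address-space image (not a real dump): TEB at 0x1000,
 * PEB at 0x2000. `debugged` drives both fields the checks look at. */
#define IMG_SIZE 0x3000
#define FAKE_TEB 0x1000u
#define FAKE_PEB 0x2000u

static void build_image(uint8_t *img, int debugged) {
    uint32_t peb = FAKE_PEB, flags = debugged ? FLG_HEAP_DEBUG_BITS : 0;
    memset(img, 0, IMG_SIZE);
    memcpy(img + FAKE_TEB + TEB_PEB_X86, &peb, sizeof peb);
    img[FAKE_PEB + PEB_BEING_DEBUGGED] = debugged ? 1 : 0;
    memcpy(img + FAKE_PEB + PEB_NTGLOBALFLAG_X86, &flags, sizeof flags);
}

/* Run both checks on a constructed image; 1 only if both agree with
 * `debugged`, so a wrong offset shows up as 0. */
int demo_walk(int debugged) {
    uint8_t img[IMG_SIZE];
    build_image(img, debugged);
    return being_debugged_x86(img, FAKE_TEB) == debugged
        && nt_global_flag_set_x86(img, FAKE_TEB) == debugged;
}

int main(void) {
    uint8_t img[IMG_SIZE];
    for (int d = 0; d <= 1; d++) {
        build_image(img, d);
        printf("image built as %s: BeingDebugged=%d NtGlobalFlag-debug-bits=%d\n",
               d ? "debugged" : "clean",
               being_debugged_x86(img, FAKE_TEB), nt_global_flag_set_x86(img, FAKE_TEB));
    }
    printf("live process: %d (-1 = not on Windows/MSVC)\n", being_debugged_live());
    return 0;
}
```

Both PEB fields are plain memory in the target process, which is also why they are the weakest of the checks: a debugger plug-in or a reverser with a hex editor can zero them once and every check built on them reports a clean process.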
using this scheme, only a serial-connection kernel debugger such as KD or WinDbg. For a straightforward detection of SoftICE, it ...
The Trap Flag This approach is similar to the previous one, except that here you enable the trap flag in the current process and ...
check that the function has not been modified. This method is not only effective against debuggers, but also against code patc ...
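An added example of the checksum idea (my code, not the book's): CRC-32 over a code region, recorded once and re-checked later, with a constructed byte array standing in for a function's prologue so the demo can write a 0xCC (INT 3) over it and show that the check fails. The region length, the CRC algorithm and the choice to take the baseline at startup are assumptions of the demo; in a shipping binary the expected value comes from the build and is stored in the image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bit-at-a-time so it
 * needs no table. Check value: crc32_bytes("123456789", 9) == 0xCBF43926. */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* A guarded code region and its known-good checksum. In a shipping binary
 * the expected value is computed from the final image at build time and
 * stored in the executable; this demo takes the baseline at startup instead. */
typedef struct { const uint8_t *start; size_t len; uint32_t expected; } guard_t;

void guard_init(guard_t *g, const void *start, size_t len) {
    g->start = (const uint8_t *)start;
    g->len = len;
    g->expected = crc32_bytes(g->start, len);
}

/* 1 while the bytes are unchanged, 0 as soon as anything in the region
 * differs. A software breakpoint is a 0xCC (INT 3) written over the first
 * byte of an instruction, so it fails the check exactly like a patch does. */
int guard_check(const guard_t *g) {
    return crc32_bytes(g->start, g->len) == g->expected;
}

/* Constructed stand-in for a function's code bytes (a typical x86 frame
 * prologue/epilogue), kept writable so the demo can simulate a patch. Real
 * code lives in .text; there you would pass the function's address and its
 * length from the linker map to guard_init(). */
static uint8_t g_fake_code[] = {
    0x55,             /* push ebp      */
    0x8B, 0xEC,       /* mov  ebp, esp */
    0x83, 0xEC, 0x10, /* sub  esp, 10h */
    0x33, 0xC0,       /* xor  eax, eax */
    0x8B, 0xE5,       /* mov  esp, ebp */
    0x5D,             /* pop  ebp      */
    0xC3              /* ret           */
};

/* 1 if a breakpoint planted at byte `where` is caught: the region must verify
 * before the write and fail after it. The byte is restored afterwards. */
int demo_detect_breakpoint(size_t where) {
    if (where >= sizeof g_fake_code) return 0;
    guard_t g;
    guard_init(&g, g_fake_code, sizeof g_fake_code);
    int clean_before = guard_check(&g);
    uint8_t saved = g_fake_code[where];
    g_fake_code[where] = 0xCC;                 /* what the debugger writes */
    int caught = !guard_check(&g);
    g_fake_code[where] = saved;
    return clean_before && caught;
}

int main(void) {
    printf("crc32(\"123456789\") = %08X (expect CBF43926)\n",
           crc32_bytes((const uint8_t *)"123456789", 9));
    for (size_t i = 0; i < sizeof g_fake_code; i++)
        printf("breakpoint at +%zu: %s\n", i,
               demo_detect_breakpoint(i) ? "detected" : "MISSED");
    return 0;
}
```

Two practical caveats the demo cannot show: hardware breakpoints never touch the code bytes, so this catches only software breakpoints and patches, and the check is only as strong as its own bytes, so the checksum routine and the comparison should themselves sit inside a guarded region and be called from several places rather than one easily patched site.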
Table 10.1 Common Reversing Tools and Their Disassembler Architectures.
DISASSEMBLER/DEBUGGER NAME    DISASSEMBLY METHOD
OllyDbg    Re ...
001B:0040101D  JMP 00401020
001B:0040101F  JNP E8910C6A
001B:00401025  XLAT
001B:00401026  INVALID
001B:00401028  JMP FAR [EAX-24]
00 ...
Figure 10.1 A trivial opaque predicate that is always going to be evaluated to False at runtime.
Figure 10.2 A reversed opaque pre ...
Unfortunately, different disassemblers produce different output for these sequences. Consider the following sequence for example ...
0040103F.  50           PUSH EAX
00401040   E8 BBFFFFFF  CALL compiler.main
Olly is clearly ignoring the junk byte and using the conditional j ...
This time OllyDbg swallows the bait and uses the invalid 0040103D as the starting address from which to disassemble, which produc ...
The disadvantage of all of these tricks is that they count on the disassembler being relatively dumb. Luckily, most Windows disa ...
multibyte opcodes. I’m using the __LINE__ macro in order to create unique symbol names in case the macro is used repeatedly in th ...
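To make the two disassembler behaviours discussed above concrete, here is an added toy decoder (my code, not OllyDbg's and not the book's listing) run over a constructed byte sequence built on the same pattern: xor eax,eax; jz +1; a junk 0x0F byte; then push eax and a call. linear_sweep decodes the bytes in order and is thrown off by the 0x0F, which as the two-byte-opcode escape swallows the real PUSH; follow_flow treats the jz after xor eax,eax as always taken and lands on the push. The decoder knows only the handful of opcodes the sample needs and assumes every 0F xx carries a ModRM byte, which is a simplification; the sample bytes and all function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not the book's listing) following the trick described:
 *   off 0: 33 C0           xor eax, eax   ; ZF is now always set
 *   off 2: 74 01           jz  +1         ; always taken, hops the junk byte
 *   off 4: 0F              junk: two-byte-opcode escape, never executed
 *   off 5: 50              push eax       ; real code resumes here
 *   off 6: E8 BB FF FF FF  call rel32 */
static const uint8_t g_sample[] = {
    0x33, 0xC0, 0x74, 0x01, 0x0F, 0x50, 0xE8, 0xBB, 0xFF, 0xFF, 0xFF
};

/* One decoded instruction: start offset, length (0 = undecodable), mnemonic. */
typedef struct { size_t off; int len; const char *mnem; } insn_t;

/* Bytes used by a ModRM byte plus any SIB/displacement (32-bit addressing). */
static int modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    int mod = p[0] >> 6, rm = p[0] & 7, n = 1;
    if (mod == 3) return 1;
    if (rm == 4) {                                   /* SIB follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;     /* no base: disp32 */
    } else if (mod == 0 && rm == 5) n += 4;          /* [disp32] */
    n += mod == 1 ? 1 : mod == 2 ? 4 : 0;
    return (size_t)n <= avail ? n : 0;
}

/* Decode one instruction at `off`. Only the opcodes the sample needs are
 * known. Simplification: every 0F xx is assumed to carry a ModRM byte (true
 * for MOVMSKPS at 0F 50 and most, but not all, two-byte opcodes). */
static int decode_one(const uint8_t *code, size_t len, size_t off, insn_t *out) {
    const uint8_t *p = code + off;
    size_t avail = len - off;
    uint8_t op = avail ? p[0] : 0;                   /* 0x00 is not decoded */
    int n = 0, m;
    const char *mnem = "(invalid)";
    if (op == 0x33) {                                /* XOR r32, r/m32 */
        m = modrm_len(p + 1, avail - 1);
        n = m ? 1 + m : 0; mnem = "xor";
    } else if (op == 0x74 || op == 0x75 || op == 0xEB) {   /* Jcc/JMP rel8 */
        n = avail >= 2 ? 2 : 0;
        mnem = op == 0x74 ? "jz" : op == 0x75 ? "jnz" : "jmp";
    } else if ((op & 0xF8) == 0x50) {                /* PUSH r32 */
        n = 1; mnem = "push";
    } else if (op == 0xE8) {                         /* CALL rel32 */
        n = avail >= 5 ? 5 : 0; mnem = "call";
    } else if (op == 0x0F) {                         /* two-byte opcode escape */
        m = avail >= 2 ? modrm_len(p + 2, avail - 2) : 0;
        n = m ? 2 + m : 0; mnem = "0f xx";
    }
    out->off = off; out->len = n; out->mnem = n ? mnem : "(invalid)";
    return n;
}

/* Linear sweep: decode straight through, as a naive disassembler does. The
 * junk byte is taken as an opcode and swallows the real PUSH. */
size_t linear_sweep(const uint8_t *code, size_t len, insn_t *out, size_t max) {
    size_t off = 0, n = 0;
    while (off < len && n < max) {
        int l = decode_one(code, len, off, &out[n++]);
        if (l == 0) break;                           /* desynchronised; give up */
        off += (size_t)l;
    }
    return n;
}

/* Flow-following sweep that knows the opaque predicate: a JZ right after
 * `xor r, r` is treated as unconditional, so the junk byte is never decoded.
 * JMP rel8 is followed; a Jcc of unknown outcome simply falls through here
 * (a real recursive-traversal disassembler would queue both paths). */
size_t follow_flow(const uint8_t *code, size_t len, insn_t *out, size_t max) {
    size_t off = 0, n = 0;
    int zf_known_set = 0;
    while (off < len && n < max) {
        const uint8_t *p = code + off;
        int l = decode_one(code, len, off, &out[n++]);
        if (l == 0) break;
        size_t next = off + (size_t)l;
        int xor_self = p[0] == 0x33 && l == 2 && p[1] >= 0xC0
                    && ((p[1] >> 3) & 7) == (p[1] & 7);
        if (p[0] == 0xEB || (p[0] == 0x74 && zf_known_set))
            next = off + 2 + (size_t)(int8_t)p[1];   /* known to be taken */
        zf_known_set = xor_self;
        off = next;
    }
    return n;
}

/* Run one strategy on the constructed sample: start offset of the idx-th
 * instruction if it decoded cleanly, -1 if there is no such instruction,
 * -2 if it was undecodable (the point where the disassembler lost sync). */
long sample_insn(int linear, size_t idx) {
    insn_t v[16];
    size_t n = linear ? linear_sweep(g_sample, sizeof g_sample, v, 16)
                      : follow_flow(g_sample, sizeof g_sample, v, 16);
    if (idx >= n) return -1;
    return v[idx].len ? (long)v[idx].off : -2;
}

int main(void) {
    insn_t v[16];
    for (int linear = 1; linear >= 0; linear--) {
        size_t n = linear ? linear_sweep(g_sample, sizeof g_sample, v, 16)
                          : follow_flow(g_sample, sizeof g_sample, v, 16);
        printf("%s:\n", linear ? "linear sweep" : "flow-following");
        for (size_t i = 0; i < n; i++)
            printf("  +%-3zu %-10s %d byte(s)\n", v[i].off, v[i].mnem, v[i].len);
    }
    return 0;
}
```

The linear sweep reports xor, jz, a bogus three-byte 0F 50 E8 instruction at +4 and then undecodable bytes at +7; the flow-following sweep reports xor, jz, push at +5 and call at +6. The difference is exactly the knowledge that xor eax,eax forces ZF, which is what the book means by a disassembler that is not "relatively dumb".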
Beyond the mere additional complexity introduced by adding additional logic and arithmetic to a program, an obfuscating transfor ...
Control Flow Transformations Control flow transformations are transformations that alter the order and flow of a program in a wa ...
constantly generating new random values and storing them in a globally accessible data structure. The values stored in those dat ...
Confusing Decompilers Because bytecode-based languages are highly detailed, there are numerous decompilers that are highly effec ...
00401017  mov ebx,dword ptr [esp+18h]
0040101B  shr edi,2
0040101E  push ebp
0040101F  add edi,1
00401022  mov ecx,dword ptr [edx]
00 ...
00401078  add ecx,1
0040107B  jmp 00401060
0040107D  cmp ebp,3
00401080  ja 00401071
00401082  mov ecx,9
00401087  jmp 00401060
004010 ...