Reversing : The Hacker's Guide to Reverse Engineering


Different Reversing Approaches


There are many different approaches for reversing, and choosing the right one depends on the target program, the platform on which it runs and on which it was developed, and what kind of information you're looking to extract. Generally speaking, there are two fundamental reversing methodologies: offline analysis and live analysis.

Offline Code Analysis (Dead-Listing)


Offline analysis of code means that you take a binary executable and use a disassembler or a decompiler to convert it into a human-readable form. Reversing is then performed by manually reading and analyzing parts of that output. Offline code analysis is a powerful approach because it provides a good outline of the program and makes it easy to search for specific functions that are of interest.

The downside of offline code analysis is usually that a better understanding of the code is required (compared to live analysis) because you can't see the data that the program deals with and how it flows. You must guess what type of data the code deals with and how it flows based on the code. Offline analysis is typically a more advanced approach to reversing.

There are some cases (particularly cracking-related) where offline code analysis is not possible. This typically happens when programs are "packed," so that the code is encrypted or compressed and is only unpacked at runtime. In such cases only live code analysis is possible.

Live Code Analysis


Live analysis involves the same conversion of code into a human-readable form, but here you don't just statically read the converted code but instead run it in a debugger and observe its behavior on a live system. This provides far more information because you can observe the program's internal data and how it affects the flow of the code. You can see what individual variables contain and what happens when the program reads or modifies that data. Generally, I'd say that live analysis is the better approach for beginners because it provides a lot more data to work with. For tools that can be used for live code analysis, please refer to the section on debuggers, later in this chapter.

Disassemblers


The disassembler is one of the most important reversing tools. Basically, a disassembler decodes binary machine code (which is just a stream of numbers)
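
As an added example (not code from the book), the following small Python decoder shows what "decoding a stream of numbers" means in practice: it recognises a handful of 32-bit x86 one-byte-opcode instructions, resolves relative call/jmp targets to absolute addresses, and shows that the same bytes read as different instructions when decoding starts at a different offset. The sample bytes and the base address 0x401000 are constructed for illustration, not taken from any real binary.

```python
import struct

# Register order used by the x86 one-byte push/pop/mov-imm opcode forms.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def disassemble(code: bytes, base: int = 0x401000):
    """Decode a byte stream into (address, hex bytes, text) tuples.
    Only a few one-byte-opcode x86 instructions are recognised; anything
    else is emitted as a 'db' so decoding can continue past it."""
    out, pc = [], 0
    while pc < len(code):
        op, addr, left = code[pc], base + pc, len(code) - pc
        if op == 0x90:
            size, text = 1, "nop"
        elif op == 0xC3:
            size, text = 1, "ret"
        elif op == 0xCC:
            size, text = 1, "int3"
        elif 0x50 <= op <= 0x57:
            size, text = 1, f"push {REGS32[op - 0x50]}"
        elif 0x58 <= op <= 0x5F:
            size, text = 1, f"pop {REGS32[op - 0x58]}"
        elif 0xB8 <= op <= 0xBF and left >= 5:      # mov r32, imm32
            imm = struct.unpack_from("<I", code, pc + 1)[0]
            size, text = 5, f"mov {REGS32[op - 0xB8]}, 0x{imm:x}"
        elif op == 0x6A and left >= 2:              # push imm8 (sign-extended)
            size, text = 2, f"push {struct.unpack_from('<b', code, pc + 1)[0]}"
        elif op in (0xE8, 0xE9) and left >= 5:      # call / jmp rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            size, text = 5, f"{'call' if op == 0xE8 else 'jmp'} 0x{addr + 5 + rel:x}"
        elif op == 0xEB and left >= 2:              # jmp short rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            size, text = 2, f"jmp short 0x{addr + 2 + rel:x}"
        else:
            size, text = 1, f"db 0x{op:02x}"        # unknown opcode: raw byte
        out.append((addr, code[pc:pc + size].hex(), text))
        pc += size
    return out


# Constructed sample (not from a real binary): push ebp; mov eax, imm32;
# push 1; call forward; pop ebp; ret; int3; jmp $ (self loop); nop.
SAMPLE = bytes.fromhex("55 B8 78 56 34 12 6A 01 E8 05 00 00 00 5D C3 CC EB FE 90")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE):
        print(f"{addr:08x}  {raw:<12} {text}")
    # Starting two bytes in, the 0x56 inside the immediate reads as 'push esi':
    # the bytes are only numbers, and the listing depends on where decoding starts.
    print(disassemble(SAMPLE[2:], 0x401002)[1])
```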
