
question from a pre-n00b :)


SirSnuggleBunny
January 11th, 2004, 11:34
question from a pre-n00b

Howdy all, this is my first post here, so hi there.

I'm not even a n00b yet, more like a nuuuuw- or just a nnnnnnnnnnhhh. But I'll ask anyway...
My background is Lingo, Java, Perl, and whatever else I end up needing. So finally I ended up here.
This whole reversing thing has me fascinated, I love a puzzle! I've been reading through this forum, and a bunch of other sites, for the last week... I'm hooked!

I have searched this forum and the web for a great BEGINNER tutorial on how (where) to start reverse engineering.
I am overwhelmed; I must have read over a hundred by now, some I fully understood, and some that were way beyond me.
However, most "beginner" tuts are, well, not really for the beginner.

i.e. before I can walk, I must learn how to crawl. Before I can crawl, I need to know what my legs and hands are, and how to use them.

So what I'm looking for are suggestions on where to start: links to tutorials for the real beginner.
In fact I'm mentioning tutorials and tuts, and beginner, a few times, so in the future anyone searching this forum may find a great list of tuts on where to start.

My first attempt/project I have picked for myself is a time-limited (yet fully functional) demo. From what I've read, this should be easy.
In fact, even as a pre-n00b, I have already found where it needs to be changed! And the protection seems so lame that if I turn back my clock, it works! So this is my first project.

I have:
NuMega SoftICE Driver Suite (I run XP for music stuff, so SoftICE 4.05 won't work for me)
W32Dasm Version 8.x Series,
Debuggy by Vanja Fuckar (to play with 'til I found SoftICE)
various cocktails
do I need anything else?

Any suggestions, comments on where to start would be greatly appreciated
thanks in advance,
cheers!
Sir SnuggleBunny

edit/ oops, just found this thread.... http://www.woodmann.com/forum/showthread.php?t=5297
embarrassed.... sorry... /edit

SirSnuggleBunny
January 11th, 2004, 11:54
PS I forgot to mention, stuff like this is VEERRRYYY HELPFUL!!!

Assembly Programming Language Quick Reference
by Nicholas Janzen

Instructions
AAA - Ascii Adjust for Addition
AAD - Ascii Adjust for Division
AAM - Ascii Adjust for Multiplication
AAS - Ascii Adjust for Subtraction
ADC - Add With Carry
ADD - Arithmetic Addition
AND - Logical And
ARPL - Adjusted Requested Privilege Level of Selector (286+ PM)
BOUND - Array Index Bound Check (80188+)
BSF - Bit Scan Forward (386+)
BSR - Bit Scan Reverse (386+)
BSWAP - Byte Swap (486+)
BT - Bit Test (386+)
BTC - Bit Test with Complement (386+)
BTR - Bit Test with Reset (386+)
BTS - Bit Test and Set (386+)
CALL - Procedure Call
CBW - Convert Byte to Word
CDQ - Convert Double to Quad (386+)
CLC - Clear Carry
CLD - Clear Direction Flag
CLI - Clear Interrupt Flag (disable)
CLTS - Clear Task Switched Flag (286+ privileged)
CMC - Complement Carry Flag
CMP - Compare
CMPS - Compare String (Byte, Word or Doubleword)
CMPXCHG - Compare and Exchange
CWD - Convert Word to Doubleword
CWDE - Convert Word to Extended Doubleword (386+)
DAA - Decimal Adjust for Addition
DAS - Decimal Adjust for Subtraction
DEC - Decrement
DIV - Divide
ENTER - Make Stack Frame (80188+)
ESC - Escape
HLT - Halt CPU
IDIV - Signed Integer Division
IMUL - Signed Multiply
IN - Input Byte or Word From Port
INC - Increment
INS - Input String from Port (80188+)
INT - Interrupt
INTO - Interrupt on Overflow
INVD - Invalidate Cache (486+)
INVLPG - Invalidate Translation Look-Aside Buffer Entry (486+)
IRET/IRETD - Interrupt Return
Jxx - Jump Instructions Table
JCXZ/JECXZ - Jump if Register (E)CX is Zero
JMP - Unconditional Jump
LAHF - Load Register AH From Flags
LAR - Load Access Rights (286+ protected)
LDS - Load Pointer Using DS
LEA - Load Effective Address
LEAVE - Restore Stack for Procedure Exit (80188+)
LES - Load Pointer Using ES
LFS - Load Pointer Using FS (386+)
LGDT - Load Global Descriptor Table (286+ privileged)
LIDT - Load Interrupt Descriptor Table (286+ privileged)
LGS - Load Pointer Using GS (386+)
LLDT - Load Local Descriptor Table (286+ privileged)
LMSW - Load Machine Status Word (286+ privileged)
LOCK - Lock Bus
LODS - Load String (Byte, Word or Double)
LOOP - Decrement CX and Loop if CX Not Zero
LOOPE/LOOPZ - Loop While Equal / Loop While Zero
LOOPNZ/LOOPNE - Loop While Not Zero / Loop While Not Equal
LSL - Load Segment Limit (286+ protected)
LSS - Load Pointer Using SS (386+)
LTR - Load Task Register (286+ privileged)
MOV - Move Byte or Word
MOVS - Move String (Byte or Word)
MOVSX - Move with Sign Extend (386+)
MOVZX - Move with Zero Extend (386+)
MUL - Unsigned Multiply
NEG - Two's Complement Negation
NOP - No Operation (90h)
NOT - One's Complement Negation (Logical NOT)
OR - Inclusive Logical OR
OUT - Output Data to Port
OUTS - Output String to Port (80188+)
POP - Pop Word off Stack
POPA/POPAD - Pop All Registers onto Stack (80188+)
POPF/POPFD - Pop Flags off Stack
PUSH - Push Word onto Stack
PUSHA/PUSHAD - Push All Registers onto Stack (80188+)
PUSHF/PUSHFD - Push Flags onto Stack
RCL - Rotate Through Carry Left
RCR - Rotate Through Carry Right
REP - Repeat String Operation
REPE/REPZ - Repeat Equal / Repeat Zero
REPNE/REPNZ - Repeat Not Equal / Repeat Not Zero
RET/RETF - Return From Procedure
ROL - Rotate Left
ROR - Rotate Right
SAHF - Store AH Register into FLAGS
SAL - Shift Arithmetic Left / Shift Logical Left
SAR - Shift Arithmetic Right
SBB - Subtract with Borrow/Carry
SCAS - Scan String (Byte, Word or Doubleword)
SETAE/SETNB - Set if Above or Equal / Set if Not Below (386+)
SETB/SETNAE - Set if Below / Set if Not Above or Equal (386+)
SETBE/SETNA - Set if Below or Equal / Set if Not Above (386+)
SETE/SETZ - Set if Equal / Set if Zero (386+)
SETNE/SETNZ - Set if Not Equal / Set if Not Zero (386+)
SETL/SETNGE - Set if Less / Set if Not Greater or Equal (386+)
SETGE/SETNL - Set if Greater or Equal / Set if Not Less (386+)
SETLE/SETNG - Set if Less or Equal / Set if Not Greater or Equal (386+)
SETG/SETNLE - Set if Greater / Set if Not Less or Equal (386+)
SETS - Set if Signed (386+)
SETNS - Set if Not Signed (386+)
SETC - Set if Carry (386+)
SETNC - Set if Not Carry (386+)
SETO - Set if Overflow (386+)
SETNO - Set if Not Overflow (386+)
SETP/SETPE - Set if Parity / Set if Parity Even (386+)
SETNP/SETPO - Set if No Parity / Set if Parity Odd (386+)
SGDT - Store Global Descriptor Table (286+ privileged)
SIDT - Store Interrupt Descriptor Table (286+ privileged)
SHL - Shift Logical Left
SHR - Shift Logical Right
SHLD/SHRD - Double Precision Shift (386+)
SLDT - Store Local Descriptor Table (286+ privileged)
SMSW - Store Machine Status Word (286+ privileged)
STC - Set Carry
STD - Set Direction Flag
STI - Set Interrupt Flag (Enable Interrupts)
STOS - Store String (Byte, Word or Doubleword)
STR - Store Task Register (286+ privileged)
SUB - Subtract
TEST - Test For Bit Pattern
VERR - Verify Read (286+ protected)
VERW - Verify Write (286+ protected)
WAIT/FWAIT - Event Wait
WBINVD - Write-Back and Invalidate Cache (486+)
XCHG - Exchange
XLAT/XLATB - Translate
XOR - Exclusive OR

--------------------------------------------------------------------------------

Jump on Condition Instructions
JA Jumps if the first number was above the second number
JAE same as above, but will also jump if they are equal
JB jumps if the first number was below the second
JBE Same as above, but will also jump if they are equal
JNA jumps if the first number was NOT above (JBE)
JNAE jumps if the first number was NOT above or the same as (JNB)
JNB jumps if the first number was NOT below (JAE)
JNBE jumps if the first number was NOT below or the same as (JA)
JZ jumps if the two numbers were equal
JE same as JZ, just a different name
JNZ jumps if the two numbers are NOT equal
JNE same as above
JC jump if carry flag is set

Note: the jump can only be a maximum of 127 bytes in either direction.

Data Types in Assembly
bit - smallest type that can be two values ex. 1, 2

nibble - four bits has 16 values ex. 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F

byte - Most important data type - 8 bits - smallest addressable data item, bits inside are numbered from 7 - 0, 0 being low order bit and least significant, 7 being the high order bit and the most significant, contains 2 nibbles upper and lower, require 2 hex values, ranges from 0 - 255.

word - contains 16 bits 0 - 15, 0 low order, 15 being high order, contains 2 bytes (low and high). Used for integer, offsets, segment values. The range is from 0 - 65,536 or signed -32,768 to 32,767.

dword - or double word, 2 words, 32bit, used mainly for segmented addresses, but can also be used for 32bit integer ranging from 0 - 4,294,967,295 or signed -2,147,483,648 to 2,147,483,647, can also be used for 32bit floating point values.

Definitions
Monadic operation - means it accepts only one operand.

Signed numbers are - and +.

Thanks for reading my quick ref, please don't sell it, but it is for you for nothing, I encourage you to give it away. Hope it helped.
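
The following is an added example by the editor; it is not part of Nicholas Janzen's quick reference or of the post above. It shows, in runnable Python, how the Jcc conditions in the table are decided from the flags that CMP leaves behind (Above/Below are unsigned and read CF; Greater/Less are signed and read SF and OF), and how the short rel8 form of a conditional jump, the one the 127-byte note refers to, is decoded, re-encoded and patched. The sample bytes are constructed for illustration and do not come from any real program.

```python
# Added example (editor's illustration; not part of Nicholas Janzen's quick
# reference or of the post above).  Flags-to-Jcc logic plus short (rel8)
# conditional-jump decoding and patching.  SAMPLE is constructed, not real.

def cmp_flags(a: int, b: int, bits: int = 32) -> dict:
    """Flags produced by `cmp a, b` (computes a - b, discards the result)
    on `bits`-wide operands.  Inputs are reduced modulo 2**bits, so -1 and
    0xFFFFFFFF are the same 32-bit operand."""
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a, b = a & mask, b & mask
    r = (a - b) & mask
    return {
        "CF": a < b,                                # unsigned borrow
        "ZF": r == 0,
        "SF": bool(r & sign),
        # signed overflow: a and b differ in sign, and r has b's sign
        "OF": bool((a ^ b) & (a ^ r) & sign),
    }

# Above/Below read CF and ZF (unsigned); Greater/Less read SF, OF and ZF
# (signed).  Mixing them up is the classic beginner mistake when patching.
CONDITIONS = {
    "JA":  lambda f: not f["CF"] and not f["ZF"],
    "JAE": lambda f: not f["CF"],
    "JB":  lambda f: f["CF"],
    "JBE": lambda f: f["CF"] or f["ZF"],
    "JE":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],
    "JGE": lambda f: f["SF"] == f["OF"],
    "JL":  lambda f: f["SF"] != f["OF"],
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],
}
# The table's alternative names are the same opcodes.
ALIASES = {"JNBE": "JA", "JNB": "JAE", "JNAE": "JB", "JNA": "JBE",
           "JC": "JB", "JNC": "JAE", "JZ": "JE", "JNZ": "JNE",
           "JNLE": "JG", "JNL": "JGE", "JNGE": "JL", "JNG": "JLE"}

def jumps(mnemonic: str, a: int, b: int, bits: int = 32) -> bool:
    """Would `cmp a, b` followed by `mnemonic` take the jump?"""
    return CONDITIONS[ALIASES.get(mnemonic, mnemonic)](cmp_flags(a, b, bits))

# Short Jcc encoding: one opcode byte 0x70..0x7F followed by a signed 8-bit
# displacement.  The low opcode bit selects the negated condition.
SHORT_JCC = {0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JAE", 0x74: "JE",
             0x75: "JNE", 0x76: "JBE", 0x77: "JA", 0x78: "JS", 0x79: "JNS",
             0x7A: "JP", 0x7B: "JNP", 0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE",
             0x7F: "JG"}

def decode_short_jcc(code: bytes, offset: int):
    """Return (mnemonic, target) for the 2-byte Jcc rel8 at `offset`.  The
    target is the next instruction's offset plus the sign-extended rel8,
    which is why the short form reaches only +127 / -128 bytes."""
    op, rel = code[offset], code[offset + 1]
    if op not in SHORT_JCC:
        raise ValueError(f"no short Jcc at {offset:#x} (opcode {op:#04x})")
    disp = rel - 256 if rel >= 0x80 else rel
    return SHORT_JCC[op], offset + 2 + disp

def encode_short_jcc(mnemonic: str, offset: int, target: int) -> bytes:
    """Encode `mnemonic target` placed at `offset`; refuses targets outside
    rel8 range (those need the 6-byte 0F 8x rel32 form instead)."""
    disp = target - (offset + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"displacement {disp} does not fit in rel8")
    name = ALIASES.get(mnemonic, mnemonic)
    op = next(k for k, v in SHORT_JCC.items() if v == name)
    return bytes([op, disp & 0xFF])

def invert_short_jcc(code: bytes, offset: int) -> bytes:
    """Flip the condition in place (JE <-> JNE, JA <-> JBE, ...)."""
    patched = bytearray(code)
    patched[offset] ^= 0x01
    return bytes(patched)

def nop_out(code: bytes, offset: int, length: int = 2) -> bytes:
    """Overwrite an instruction with 0x90 NOPs so the jump never happens."""
    patched = bytearray(code)
    patched[offset:offset + length] = b"\x90" * length
    return bytes(patched)

# Constructed sample: the "expired?" test of a hypothetical time-limited demo.
#   00: 3B C3           cmp eax, ebx     ; days used vs. days allowed
#   02: 77 05           ja  0x09         ; above (unsigned) -> skip the OK path
#   04: B8 01 00 00 00  mov eax, 1       ; still within the trial
#   09: C3              ret
SAMPLE = bytes.fromhex("3bc3" "7705" "b801000000" "c3")

if __name__ == "__main__":
    print(cmp_flags(3, 5), jumps("JA", 3, 5), jumps("JB", 3, 5))
    print(decode_short_jcc(SAMPLE, 2))           # ('JA', 9)
    print(invert_short_jcc(SAMPLE, 2).hex())     # 3bc3 76 05 ... -> now JBE
    print(nop_out(SAMPLE, 2).hex())              # jump removed entirely
```

Two points worth noticing when you run it: `jumps("JA", 0xFFFFFFFF, 1)` is true but `jumps("JG", -1, 1)` is false for the very same bit pattern, which is exactly the unsigned/signed split between the A/B and G/L rows of the table; and `encode_short_jcc` refuses a target more than 127 bytes away, so a patched jump that needs to reach further has to use the near rel32 form or a trampoline rather than a rel8 byte that silently wraps.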

r4g3
January 11th, 2004, 18:03
*g* thanks, this asm reference (backup?) copy here is truly useful
uhm, but I think I'll sell it anyways (for big $$$!) hope you don't mind?
hm, how about $250 for the soft version and $800 for 1 hardcopy, everything distributed with enterprise licenses using rsa-17
anyone, don't even think of stealing my business plan!

Aquatic
January 11th, 2004, 23:09
Before you get into RE, you should learn programming.

Then at least you have an idea of what you are reversing.

Aimless
January 12th, 2004, 01:39
You might want to also try and break:

1. Version5/6/7 of Winzip (freely available on the net)
2. Version 5/6 of MIRC (freely available on the net)

to check your readiness on proceeding further. You must also learn to use:

1. w32dasm (there is a vast difference between having the software and using the software)
2. Freeware version of IDA Pro.
3. A good hex editor (Ultraedit/HexWorkshop will do)
4. Smartcheck (try cracking VB based programs with it)
5. Ollydbg
6. Microsoft Debugger (for the time being, forget being leet and not using any Microsoft products)

Do not bother too much about learning to program in assembly. It is just important to be able to "read" assembly. Nevertheless, it's good to know what chunk of assembly code results from what source code.

Once you are through with the serial cracking, try breaking some time-based programs. By this time, you will know what to look for when you are stuck on something, or the targets that will pose the best challenge for your level of skills.

Do not forget, apart from all tools mentioned above, do not underestimate GOOGLE (yup!)

Have Phun,

SirSnuggleBunny
January 12th, 2004, 22:07
Thanks Aimless, for your suggestions, I'm already having fun!

Aquatic, well I think that's what I've been doing. I've learned things as I need them, or just out of pure curiosity. It's a small step from HTML to Java; then from there, ActionScript ain't too hard, and Lingo is... well, almost like English. So learning another language (or several) is just part of the process. It's fun.

I posted here in a noob forum, hoping to hear something like good luck, or I started by doing this, or try this tutorial...

oh well... I'll just keep reading.

P.S. and r4g3, too late, I already have it up for sale at my ultra-secret warez site for $666.66 [hard copy only]

Woodmann
January 12th, 2004, 22:28
Howdy,

Try this : http://www.woodmann.com/krobar/tutlist/tutlist1745.html

Good Luck

Woodmann

SirSnuggleBunny
January 14th, 2004, 16:09
Quote:
[Originally Posted by Woodmann]Howdy,

Try this : http://www.woodmann.com/krobar/tutlist/tutlist1745.html

Good Luck

Woodmann


Thanks Woodmann, I got 'em all

SoftICE is still a bit (ha! a lot!) beyond me, but I'm getting the hang of W32Dasm and HIEW.
In fact, I just cracked my first program!
I'm still in shock! It works!

In trying to learn what makes things work, I had a look at several programmes on my box, and I came across one that quits when it sees a debugger.

How do you people reverse engineer a program like that?

just wondering... cheers,
SirSnuggleBunny

dELTA
January 15th, 2004, 20:04
Quote:
How do you people reverse engineer a program like that?


You have to begin with reverse engineering and defeating the anti-debug tricks. Two possible methods are by stepping the program from the entry-point or analyzing its deadlisting in a disassembler.

JMI
January 15th, 2004, 22:49
And there are several threads here which discuss debugger detection methods used against SICE. Try the Search button above and use "debugger detection" and check some of those out. Generally, programs can check for the presence of SICE's name (for its windows or exe, etc.) in various locations or as a running process, and there are Windows APIs that check for the presence of a debugger.

Regards,
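
The following is an added example by the editor, not code from anyone in this thread. It automates the first pass of the deadlisting route dELTA and JMI describe: scan the raw binary image for the strings a debugger check needs and for the instruction shape that usually follows such a check. The indicator list is an assumption on the editor's part: the `\\.\SICE`, `\\.\NTICE` and `\\.\SIWVID` names are the well-known SoftICE driver device names a program can try to open, and IsDebuggerPresent / CheckRemoteDebuggerPresent are the kernel32 APIs JMI alludes to. The image it scans is constructed for the example and is not a real program.

```python
# Added example (editor's illustration, not code from anyone in this thread).
# Scans a binary image for debugger-detection indicators: SoftICE device
# names (assumed well-known driver names), kernel32 debugger-reporting APIs,
# and the `test eax, eax / jz|jnz` shape that usually follows such a call.
# IMAGE at the bottom is constructed, not a real program.

# indicator -> why it matters
INDICATORS = {
    b"\\\\.\\SICE":   "SoftICE device name (Windows 9x driver), opened via CreateFile",
    b"\\\\.\\NTICE":  "SoftICE device name (NT driver), opened via CreateFile",
    b"\\\\.\\SIWVID": "SoftICE video driver name, opened via CreateFile",
    b"IsDebuggerPresent": "kernel32 API that reports an attached debugger",
    b"CheckRemoteDebuggerPresent": "kernel32 API that reports an attached debugger",
}

def find_indicators(image: bytes):
    """Return sorted (offset, encoding, indicator, reason) for every ASCII or
    UTF-16LE occurrence of an indicator string in `image`.  Windows programs
    often keep file names as wide strings, so both forms are searched."""
    hits = []
    for needle, why in INDICATORS.items():
        forms = ((needle, "ascii"), (needle.decode().encode("utf-16-le"), "utf-16"))
        for pattern, encoding in forms:
            pos = image.find(pattern)
            while pos != -1:
                hits.append((pos, encoding, needle.decode(), why))
                pos = image.find(pattern, pos + 1)
    return sorted(hits)

def find_check_sites(image: bytes):
    """Locate `test eax, eax` (85 C0) followed by a short JZ (74) or JNZ (75):
    the usual shape of `call IsDebuggerPresent; test eax, eax; jnz bail`.
    Returns (offset_of_test, mnemonic, jump_target); these are candidates to
    confirm in the disassembly, not proven checks."""
    sites = []
    pos = image.find(b"\x85\xc0")
    while pos != -1:
        if pos + 3 < len(image) and image[pos + 2] in (0x74, 0x75):
            rel = image[pos + 3]
            disp = rel - 256 if rel >= 0x80 else rel
            mnemonic = "JZ" if image[pos + 2] == 0x74 else "JNZ"
            sites.append((pos, mnemonic, pos + 4 + disp))
        pos = image.find(b"\x85\xc0", pos + 1)
    return sites

# Constructed image: a stub header, a few strings, and one check sequence.
IMAGE = (
    b"MZ" + b"\x00" * 30                                   # 0x00 stub header
    + b"\\\\.\\SICE\x00"                                   # 0x20 device names
    + b"\\\\.\\NTICE\x00"                                  # 0x29
    + "\\\\.\\SIWVID".encode("utf-16-le") + b"\x00\x00"    # 0x33 wide string
    + b"IsDebuggerPresent\x00"                             # 0x49 import name
    + b"\xff\x15\x00\x20\x40\x00"                          # 0x5b call [0x402000]
    + b"\x85\xc0"                                          # 0x61 test eax, eax
    + b"\x75\x07"                                          # 0x63 jnz 0x6c
    + b"\x90" * 7                                          # 0x65 (not debugged)
    + b"\xc3"                                              # 0x6c ret (bail out)
)

if __name__ == "__main__":
    for hit in find_indicators(IMAGE):
        print("%#06x %-7s %-28s %s" % hit)
    for off, mnem, target in find_check_sites(IMAGE):
        print(f"{off:#06x} test eax, eax ; {mnem} {target:#x}  <- candidate patch")
```

Running it on the constructed image lists the three device names (one of them only found because the UTF-16 form is searched too), the IsDebuggerPresent import name, and a single `test eax, eax ; jnz` site at 0x61 whose target is the bail-out `ret`. That site is where you would set a breakpoint when stepping from the entry point, or where a JNZ-to-JZ flip or a NOP-out would be tried, but a string hit on its own proves nothing until the cross-reference in the disassembly confirms the check.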