JustKernel


Reverse Engineering and Assembly-Level Debugging

I would say reverse engineering is an art, and a tough one to learn. But once you have learnt it, it is a pleasure. If you have the passion for it, you will enjoy every bit of the pain experienced along the way.

Being an art, it requires a certain set of tools and a habit of careful observation to master properly.

Assembly-level debugging (when the source is not available, for example at a customer's premises) is an equally challenging and enjoyable activity. The only prerequisite is the passion for doing it.

IDA Pro and a disassembler are the primary tools I use for reverse engineering. When the file you are deciphering still carries symbol information, these tools give you the function names and variable names defined in it. Often even this information is not available, and you are left working with bare addresses.

Observations (a walkthrough of my experience)

When I debugged a crash, it was happening in a system (Windows) graphics DLL. On the first round of step debugging I found that, at the time of the crash, one of the parameters was 0xff. Thus I confirmed that the crash was because of an invalid parameter.

On the second round of debugging, I noted down the parameters being passed to the function in the DLL. They were fine (none was negative or zero).

On the third round of debugging, I step-debugged each and every function and kept track of the modifications to the parameters that were happening inside the DLL. (It was all assembly-level debugging with no symbol information available. Parameters are tracked by noting down their addresses when they are created and then watching those addresses.)

Knowing the purpose of each register is also useful.

Finally I found that the graphics DLL was subtracting some value from my parameter, and the result was negative, which was leading to the crash. Thus we figured out that the value of the parameter causing the crash was less than the lower limit of the boundary condition, as a result of which the subtraction in the DLL produced a negative value, and hence the crash.
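As an added example (not code from the original post, nor from the Windows DLL described above), here is a small C model of the failure mode found in the walkthrough: a routine subtracts a lower bound from a caller-supplied parameter and uses the difference as an offset, so any value below that bound turns into a negative offset, which becomes a huge unsigned index once it reaches an addressing instruction. The hardened variant rejects the parameter before the subtraction. All names, the bounds and the table contents are assumptions for illustration.

```c
/* Added example, not code from the original post or from the DLL the
 * author debugged. Models a lower-bound violation: param - PARAM_MIN
 * goes negative when param is below the accepted range. All names and
 * values here are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PARAM_MIN 16   /* hypothetical lower limit accepted by the routine */
#define PARAM_MAX 31   /* hypothetical upper limit */
#define TABLE_LEN (PARAM_MAX - PARAM_MIN + 1)

/* Constructed lookup table indexed by (param - PARAM_MIN). */
static const int32_t table[TABLE_LEN] = {
    100, 101, 102, 103, 104, 105, 106, 107,
    108, 109, 110, 111, 112, 113, 114, 115 };

/* Unchecked offset computation, the way the DLL appeared to do it.
 * For param < PARAM_MIN the result is negative. */
int32_t raw_offset(int32_t param)
{
    return param - PARAM_MIN;
}

/* The same offset once it is used as an unsigned, register-width index:
 * -1 becomes SIZE_MAX, i.e. an address far outside the table. */
size_t raw_offset_as_index(int32_t param)
{
    return (size_t)raw_offset(param);
}

/* Hardened lookup: validate param against both bounds before the
 * subtraction so the index is always within [0, TABLE_LEN).
 * Returns 0 on success and -1 for an out-of-range parameter. */
int safe_lookup(int32_t param, int32_t *out)
{
    if (param < PARAM_MIN || param > PARAM_MAX)
        return -1;
    *out = table[param - PARAM_MIN];
    return 0;
}

/* Convenience wrapper: the table value, or `fallback` if rejected. */
int32_t lookup_or(int32_t param, int32_t fallback)
{
    int32_t v;
    return safe_lookup(param, &v) == 0 ? v : fallback;
}

int main(void)
{
    /* Constructed sample parameters: below range, both edges, above range. */
    int32_t samples[] = { 3, 16, 31, 32 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t p = samples[i];
        int32_t v;
        if (safe_lookup(p, &v) == 0)
            printf("param %d -> offset %d -> table value %d\n",
                   p, raw_offset(p), v);
        else
            printf("param %d -> offset %d (as index %zu) rejected\n",
                   p, raw_offset(p), raw_offset_as_index(p));
    }
    return 0;
}
```

When stepping through a stripped DLL, the value to watch is the one produced right after the subtraction (here `raw_offset`): a sign flip at that point, followed by its use as an index or pointer offset, is exactly the pattern that turns a slightly-too-small parameter into an access violation.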

Another important point to note: when a new function call is made, a series of push operations is done beforehand. On 32-bit x86 these pushes place the call's arguments on the stack, so watching them is the easiest way to see what a function is actually being handed.

These are some of the points that will help in assembly-level debugging, or in deciphering the logic of a DLL or system file (reverse engineering).

Anshul Makkar, anshul_makkar@justkernel.com.

Originally Posted on: 2010-04-13 01:19:39
