G2 s4 Reverse Engineering

Grade 2 Session 4
==================

Reverse Engineering
====================

Engineering : To manufacture a product.
=	Forward Engineering
=	Reverse Engineering

Forward Engineering
====================
To use raw material and to make a fully working product
			Engineer a car  :
				Tyre
				Engine
				Seats

				Windows - Olly Debugger, Immunity Debugger
				Linux - GDB


1. Memory Address Register (MAR):
	This register holds the address of memory where CPU wants to read or write data. When CPU wants to store some data in the memory or reads the data from the memory, it places the address of the required memory location in the MAR.
2. Memory Buffer Register (MBR):
	This register holds the contents of data or instruction read from, or written in memory. The contents of instruction placed in this register are transferred to the Instruction Register, while the contents of data are transferred to the accumulator or I/O register. In other words you can say that this register is used to store data/instruction coming from the memory or going to the memory.
3. Flag Register:
	The Flag register is used to indicate occurrence of a certain condition during an operation of the CPU. It is a special purpose register with size one byte or two bytes. Each bit of the flag register constitutes a flag (or alarm), such that the bit value indicates if a specified condition was encountered while executing an instruction.


Reverse Engineering
=====================
	We got the car, we will dismantle it, and will get the juicy stuff out of it.
	Softwares and products,
		CD keys
		Registration IDS
		To convert a demo software into a full working software

Eg.

Install Games in computer ----> Copy ---> crack|Patch and paste it, where it is installed. ---> Patching

Assembely Language Basics
=========================
	1. ADD
		add eax, ebx
			eax = eax + ebx
		add eax, 45
			eax = eax + 45
	2. MUL
	3. SUB
	4. DIV
	5. Push --> Enter data into the data structure
	6. POP ---> Deletes the top most data from the stack.

Conditional Branching
=====================
	1. CMP --> Compare
	2. JMP --> To Jump on certain memory address
	3. JZ ---> Jump if the result is zero, to a certain memory location
	4. JNZ --> Jump If the result is non zero
	5. JE  --> Jump if the data is equal to the data in accumulator
	6. JNE --> Jump if the data is not equal to the data in accumulator


Application Patching
====================
	There are some application, which are very badly coded and can be cracked and there are many bugs inside those application. We use application patching for fixing these bugs.
	We do not need to enter any CD keys, Seriel Number, or any sort of registery keys for getting the license and full fledge version of the application.

Tool > Debugger Tool
	Windows OS > OllyDBG
			   > Immunity Debugger
	Linux > GDB > By Default installed in every linux based OS

OllyDBG
=======
	It is GUI Based tool, which is used in application patching and used for reverse engineering as well.
	1. Address Column
	2. Referencce Column
	3. Instruction Column
	4. String Column

Reverse Engineering via Algorithm Reversing
===========================================
	We are going to make some changes in the application's algorithm and will make it work as we want it to do.
	It shows, Please enter the serial keys for making it a full version


OLly Debugger : http://www.ollydbg.de/download.htm

Walkthrough :
We Enter something
THe Error Message came
-	 We will search in the algorithm
-	 Make the algorithm to jump

1. Custom Based Application : Small application in C programming Language
2. BPK Keylogger Detector
3. POWER ISO

Requirements
============
1. Debugger - OllyDBG, Immunity Debugger
		http://www.immunityinc.com/products/debugger/
	Linux - GDB
2. OS : Windows 7 ultimate, XP(any service pack)
3. Vulnerable applications


1. Custom Based Applciation Cracking
====================================


#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
int main()
{
	int key, inp;
	key = 112233;
	printf("Please Enter the CD-KEY for continue = ");
	scanf("%d",&inp);
	if(key == inp)
	{
		printf("Successfully Registered, You can continue with the full version\n");
	}
	else
	{
		printf("Invalid Key\n");
	}
	getch();
	return 0;
}

C to exe converter :http://www.onlinecompiler.net/


Convert this into .exe via Online Convertors.
-----------------------------------------------------------------------------

Steps to Reverse Engineer :

004012E8  |. C70424 2C30400>MOV DWORD PTR SS:[ESP],reee.0040302C     ; |ASCII "Successfully Registered....
You can continue with the full version
"

JMP 004012E8


2. BPK Keylogger Detector
=========================

Download Link  :    https://www.sendspace.com/file/722rb6
					https://ufile.io/q9xgl


---------------------------
Registration error
---------------------------
Registration code or user name is invalid. Please check all fields and try again!
---------------------------
OK
---------------------------

Successfull MEssage
004049A5  |. 68 504B4900    PUSH antispy.00494B50                    ; |Text = "Registration succeeded. Thank you for choosing Keylogger Detector!"

Copy the address

JMP 004049A5

------------------------------------------------------------------------------------


3. Power ISO
============
 Download Link : https://www.filehorse.com/download-poweriso-32/

---------------------------
PowerISO
---------------------------
The username or serial number is invalid.
---------------------------
OK
---------------------------


Successfull Message

00467D3F   . 68 84066A00    PUSH PowerISO.006A0684                   ;  UNICODE "Thank you for your registration."

JMP 00467D3F