Introduction to Software Reverse Engineering using HEX Editor

This article doesn’t entirely belongs to programming, It’s an reverse process of programming, Read it and understand it.

Introduction:

Reverse engineering is the process of extracting the knowledge or design blueprints from any man-made things. Reverse engineering (RE) is the process of discovering the technological principles of a device or a System through analysis of its structure, Function and operation. Software reverse engineering is reorganising and modifying existing software system (legacy system) to make them more maintainable and analysing software with a view to understanding its design and specification.

Reverse engineering has its origins in the analysis of hardware for commercial or military advantage. The purpose is to deduce design decisions from end products with little or no additional knowledge about the procedures involved in the original production. The same techniques are currently being researched for application to legacy software systems, not for industrial or defence ends, but rather to replace incorrect, incomplete, or otherwise unavailable documentation. Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.

It can also be seen as “going backwards through the development cycle”. is an inversion of the traditional WaterFall Model.

Reverse engineering Advantages

• Transforming obsolete products into useful ones by adapting them to new systems.
• Some features of the system needs to be refined out.
• It can be use, if there is no adequate documentation of the original design.
• Investigating and correcting errors and limitations in existing programs.
• Studying the design principles of a product as part of an education in engineering.
• Understanding how a product work
• Malware Analysis
• Vulnerability Analysis
• Security Assessment of 3rd-party COTS
• Evaluation/Breaking of copy-protection schemes
• To obtain the lost source code from executable code

 Why Still a Black Art

Many people think that it is used only for software cracking. Some people think Reverse Engineering as Hacking. But actually Reverse Engineering is an art to learn about a product in deep

 Approaches to Reverse Engineering

• White Box Analysis

It involves in analysis of source code. De-compiling the source code from binary code. Effective for finding programming and implementation errors in software.

• Black Box Analysis

Black box analysis refers to analyzing a running program by probing it with various inputs. This can be used to test for the security issues of the system.

•  Gray Box Analysis

Gray box analysis combines white box techniques with black box input testing. A good example of a simple gray box analysis is running a target program within a debugger and then supplying particular sets of inputs to the program.

Tools

Reversing is all about the tools. The following sections describe the basic categories of tools that are used in reverse engineering

• System-Monitoring Tools

System-level reversing requires a variety of tools that sniff, monitor, explore, and otherwise expose the program being reversed. Most of these tools displayinformation gathered by the operating system about the application and itsenvironment. Because almost all communications between a program and theoutside world go through the operating system, the operating system can usuallybe leveraged to extract such information.

Eg: Process Explorer

•  Disassemblers

As I described earlier, disassemblers are programs that take a program’s executable binary as input and generate textual files that contain the assembly language code for the entire program or parts of it. This is a relatively simple process considering that assembly language code is simply the textual mapping of the object code. Disassembly is a processor-specific process, but some dissemblers support multiple CPU architectures.

Eg: IDA Pro

• Debuggers

A debugger is a program that allows software developers to observe their program while it is running. The two most basic features in a debugger are the ability to set breakpoints and the ability to trace through code.

Eg: ollydbg

•  Decompiler

Decompilers are the next step up from dissemblers. A decompiler takes an executable binary file and attempts to produce readable high-level language code from it. The idea is to try and reverse the compilation process, to obtain the original source file or something similar to it.

A Reverse engineer must know the following things

1. IA-32 or 64 Architecture
2. IA-32 or 64 Instruction Set
3. Programming Skills

Because in reverse engineering the tools display machine codes which are maximum belongs to IA-32 or 64. If a reverser know all about that then only they can be successful in his job.

HEX Editor

A hex editor (or binary file editor or byte editor) is a type of computer software that allows a user to manipulate the fundamental Binary (0 / 1, zero / one) data that makes up computer Files.

By using a hex editor, a user can see or edit the raw and exact contents of a file, as opposed to the interpretation of the same content that other, higher level application software may associate with the format. A typical hex editor has three areas: an address area on the left, a hexadecimal area in the center, and a character area.

Address Area

The address area on the left side of the hex editor displays the address of the first byte of each line.

Hexadecimal Area

The middle hexadecimal area is the most commonly used area of a hex editor. It lists each byte of the file in a table, usually sixteen bytes per line.

Character Area

The character area on the right of the hex editor displays the ASCII representation of each of the bytes in the hexadecimal area.

Reverse Engineering  a C program using HEX Editor

I write a following C program, I compiled it and object file is obtained.

Program:

• #include<stdio.h>
• #include<conio.h>
• #include<string.h>
• void main()
• {
• char a[100];
• clrscr();
• printf(“\nEnter password….:”);
• scanf(“%s”,a);
• if((strcmp(a,”default”))==0)
• printf(“\nPassword Correct”);
• else
• printf(“\nWrong Password”);
• getch();
• }

 Explanation:

During execution this program displays a message” Enter password….:” then it get an String from the user and stored it in a character array. Then the obtained String is compared with String in the program. If it equal display “Password Correct” message otherwise display “Wrong Password” message.

Procedure:

Step1: open the HEX editor

Step2: Load the corresponding object file of the program.

Step3: Look at the yellow circle area in magnify it 

Here we can saw text which displayed in the output “Enter password….:”,then it get a string using %s ,after that we have 3 Strings,

• default
• Password Correct
• Wrong Password

Second string is displayed when entered password is correct, Third string is displayed when entered password is wrong. Therefore entered string is compared with the remaining unused first String, therefore First String is the password……..

The Password is default

Thus We find each statement of program using object code and HEX Editor.

This method is similar to Black box Analysis…….

This is an example to explain reverse engineering and cracking a Software.

Conclusion:

Reverse engineering is a vast and complex world, It can’t be learned easily like learning programming languages in a month. It needs both programming knowledge and hardware knowledge. With lot of practice we can make it easier. A good reverser know an application inside and outside.

Video Tutorial :