Reverse Engg using Ollydbg
My Plan here is to show you how we can Reverse Engg. a Windows executable without even having to look into the Source code.
I have a very simple program to get started with -
I assume you have very basic understanding of C/C++ and memory allocation and function call in Stack.
Now lets say I compile and create an executable file for the above mentioned program and give it to you. You dont have access to the code of the Program and you need to alter the program. In such cases you need to reverse engg a program, and that's what we are going to do next.
I will be using Ollydbg (Win 32 disassembler) program to follow the next steps. The Software can be downloaded from the official Ollydbg website here. So lets open our program in Ollydbg. (Please note that I am using Ollydbg 2.0 here)
If you don't already know how to use Ollydbg then Please refer to the following post here Basics of Ollydbg Once opening the file in Ollydbg we now can see the Assembly instructions that are executed when the program runs. In simple words, we need to find the suitable place to change the Assembly instructions to get our work done.
- As you can see, I have simply printed output to the Screen so I try to find the referenced strings in the Program. To do it in Ollydbg, right click in the CPU Instruction window and choose "Search For" -> "All Referenced Strings" and see the new Window popup.
- Now I can see the Strings present in my Program -> I am targetting for "Hello Dinesh" So I set a break point in Ollydbg using key F2 as seen in the Image below.
- After setting the breakpoint hit F9 and let the program run untill our breakpoint gets hit.
Now As my focus is on the String "Hello Dinesh" which is at the Address "004013F6".
The Assembly code at the Address is "MOV DWORD PTR SS:[ESP+4],OFFSET 00440017"
If you are aware of the Programming basics and Stack operations then you already know that inside a single function all variables are pushed on the stack and poped out of the Stack and each function has a Base Pointer Address. Initially when the Function main() is called in our program, the Stack pointer and Base Pointer points to the same location. As our program executes, the Base Pointer remains constant and Stack pointer decreases (since the address in the Stack moves in the downward direction). So [ESP+4] means "Hello Dinesh" is pushed on the stack 3 items after the Base Pointer. Hence it is at [ESP+4] since the ESP < EBP.
- So I made a slight change in the Assembly instruction and change the [ESP+4] to [ESP+1]. What this will do is instead of using the 4 item on the Stack, now will use 1 item on the Stack. So let's change the Assembly instruction and Assemble it. After the change is made the instruction Forecolor now changes to red indicating the Assembly being modified.
- Select the area of the instructions changed in the CPU window. Right click and choose -> Edit -> Copy to Executable. This will open a new Popup window showing the changes made in the CPU instructions.
- Right click in the new window and select "Save File" which will indicate that the file varies from the original and ask you to save a copy of it. Give a proper name to the new file as in my case "CrashingExe_Changed.exe".
- Let's examine out changes by running both the Programs and there we go...looks like "Hello Dinesh" does not appear in our new executable. It has been replaced by "Integer beleiveme -" since it is the ASCII that is poined by [ESP+1]
So here you saw how you can change the Programs without having to need the source code and thus successfully Reverse Engineering. Hope you find it helpful and gives you a better scope and understanding of what you can do using the technique.
Last revised: 23 Aug, 2012 09:27 AM History
No new comments are allowed on this post.