Browsing through headers - an introduction to reverse engineering

Related categories: Reverse Engineering | General
Author: Wojciech Warpechowski
Viewed: 14549 | Article date: 2006-01-13 13:30:36

Reverse engineering of software and hardware can be used to provide support for undocumented formats, communication protocols or peripherals. This article demonstrates the basic concepts of reverse engineering and shows how to write a fully functional program with encrypted code.
The author has been involved with software security for 5 years. He is currently a third-year student at the Polish-Japanese Institute of Information Technology in Warsaw, Poland. Contact with the author: s3515@pjwstk.edu.pl

When developing software for Windows, we seldom think about what the finished program physically looks like. Instructions in your programming language of choice are converted to suitable byte sequences, which are then executed and display windows, graphics or even play the occasional sound. Is there any point in looking at the bytes of a compiled application and seeing how they are arranged? Of course there is, especially as we can profit by the knowledge gained thereby. Information about the structure of computer programs is essential in many walks of IT life - some of the more obvious examples are programs for securing software (protectors), file compression utilities (packers) and virus scanners. Among other things, such knowledge is indispensable for reverse engineering, which is what we'll look at in this article.

Windows executable file format

Windows programs usually arrive as files in Microsoft's PE (Portable Executable) format. PE files have a pretty straightforward structure. The file begins with the MZ header and DOS stub, followed by the PE and OPT headers, Data Directory, section table, file sections and a few other structures. Let's have a closer look at them. For the purpose of this article, I will use two size measures: WORD (2 bytes) and DWORD (4 bytes). I will also skip some of the less important structures, concentrating only on the ones relevant for this article. The bypassed header fields will be marked by ellipses (...).

Table 1. Overview of MZ header structure
Converting RVA to VA

Most of the addresses in PE file headers are stored as relative virtual addresses (RVAs). Converting them to virtual addresses (VAs) is pretty simple - just add the RVA to the ImageBase (the base address of the loaded program image). In other words, VA = RVA + ImageBase.

MZ header and DOS stub

The MZ header is retained for backward compatibility with MS-DOS. You've probably noticed that when you try to run a Windows application from DOS, you get an error saying "This program must be run under Win32". Printing this message and terminating the application is the job of the DOS stub - a tiny program included in each PE file (unless of course it has been modified or removed) right after the MZ header. Listing 1 presents the code of the DOS stub.

The MZ header itself is 40h bytes long (see Table 1), but only the first 2 and last 4 bytes contain interesting information - the rest of the fields are deprecated or reserved. The MZ signature always contains the bytes 4Dh and 5Ah, corresponding to the ASCII codes for the letters M and Z - the initials of Mark Zbikowski, one of the authors of the MZ header. The offset of the PE header is expressed relative to the start of the file and is necessary to inform the operating system where the PE header begins.

Listing 1. Standard program located in the DOS stub
mov dx, 10h         ; DX = offset of the message string within the stub
push cs
pop ds              ; DS = CS, so DS:DX points at the message
mov ah, 9h          ; DOS function 09h: print a '$'-terminated string
int 21h
mov ax, 4C01h       ; DOS function 4Ch: terminate with exit code 01h
int 21h
db "This program must be run under Win32", 0Dh, 0Ah, "$"
Copyright © 2006 by Software Developer's Journal. All rights reserved.