### Opcodes originally not included CLD Clear Direction Flag SHR Shift 13. Often used api 33. FPU mnemonics 37. OllyScript ### Data sizes |Name |Bits|Bytes|Digits| |-----------|----|-----|------| |Bit |1 |1/8 | |Nibble |4 |1/2 |1 |Byte |8 |1 |2 |Word |16 |2 |4 |Double word|32 |4 |8 ### Registers | |Description | | |---|-----------------------------|-| |EAX|Extended Accumulator Register| | |EBX|Extended Base Register |Stack | |ECX|Extended Counter Register | | |EDX|Extended Data Register |Reminder | |ESI|Extended Source Index | | |EDI|Extended Destination Index | | |EBP|Extended Base Pointer |Stack | |ESP|Extended Stack Pointer | | |EIP|Extended Instruction Pointer | | EAX is 32-bits big. AX is lower half of EAX and is 16-bits big. AH and AL are upper and lower high/low halves of AX. They are each 8-bits big. |32 |16|8 |8 | |---|--|--|--| |EAX|AX|AH|AL| |EBX|BX|BH|BL| |ECX|CX|CH|CL| |EDX|DX|DH|DL| |ESI|SI|--|--| |EDI|DI|--|--| |EBP|BP|--|--| |ESP|SP|--|--| |EIP|IP|--|--| #### Segment registers CS: Code Segment DS: Data Segment ES: Extra Segment SS: Stack Segment ### Flags Flags are 1-bits of 32-bit Flag register Z: Zero, set: 1, clear: 0, CMP sets to 1 O: Overflow C: Carry Segment: Page Offset: Line 32-bit: Offsets = 00000000 - FFFFFFFF = ### Stack push/pop from/to register ### Instructions ADD EAX, EBX NOT EAX IMUL EAX, EDX, 64 DWORD PTR [XXX]: DWORD (4 byte) value at memory offset [XXX] WinTel CPUs use the so called "Little Endian" format. Bytes are in reverse order in memory. add eax,ebx ;; Register, Register add eax,123 ;; Register, Value add eax,dword ptr [404000] ;; Register, Dword Pointer [value] add eax,dword ptr [eax] ;; Register, Dword Pointer [register] add eax,dword ptr [eax+00404000] ;; Register, Dword Pointer [register+value] add dword ptr [404000],eax ;; Dword Pointer [value], Register add dword ptr [404000],123 ;; Dword Pointer [value], Value add dword ptr [eax],eax ;; Dword Pointer [register], Register add dword ptr [eax],123 ;; Dword Pointer [register], Value add dword ptr [eax+404000],eax ;; Dword Pointer [register+value], Register add dword ptr [eax+404000],123 ;; Dword Pointer [register+value], value ADD dest, src AND dest, src: clears O and C flags CALL address: Pushes RVA (relative virtual address) (of instruction?) that follows to stack, address can be literal value, value in specified register CDQ: Convert double word to quad word, used before divisions, sets all bytes of edx to value of highest bit in eax,EDX = EAX < 80000000 ? 00000000 : FFFFFFFF CMP dest, src: Compares, sets Z-flag if operands are equal DEC something: Decrease something DIV divisor: unsigned division EAX /= divisor, EDX = EAX % divisor IDIV divisor: integer division, signed division IMUL value/dest, value, value/dest, value: EAX *= value / dest = value * value / EAX = dest * value INC register: increment INT dest: generate call to interrupt handler INT3: generate call to interrupt 3 handler INTO: generate call to interrupt 4 handler JUMPS JA* jump if (unsigned) above CF=0,ZF=0 JAE jump if (unsigned) above or equal CF=0 JB* jump if (unsigned) below CF=1 JBE jump if (unsigned) below or equal CF=1,ZF=1 JC jump if carry flag set CF=1 JCXZ jump if CX is 0 CX=0 JE** Jump if equal ZF=1 JECXZ Jump if ECX is 0 ECX=0 JG* Jump if (signed) greater ZF=0,SF=OF (SF = Sign Flag) JGE* Jump if (signed) greater or equal SF=OF JL* Jump if (signed) less SF != OF (!= is not) JLE* Jump if (signed) less or equal ZF=1,OF != OF JMP** Jump Jumps always JNA Jump if (unsigned) not above CF=1 or ZF=1 JNAE Jump if (unsigned) not above or equa CF=1 JNB jump if (unsigned) not below CF=0 JNBE Jump if (unsigned) not below or equal CF=0 and ZF=0 JNC Jump if carry flag not set CF=0 JNE** Jump if not equal ZF=0 JNG Jump if (signed) not greater ZF=1 or SF!=OF JNGE Jump if (signed) not greater or equal SF!=OF JNL Jump if (signed) not less SF=OF JNLE Jump if (signed) not less or equal ZF=0 and SF=OF JNO Jump if overflow flag not set OF=0 JNP Jump if parity flag not set PF=0 JNS Jump if sign flag not set SF=0 JNZ Jump if not zero ZF=0 JO Jump if overflow flag is set OF=1 JP Jump if parity flag set PF=1 JPE Jump if parity is equal PF=1 JPO Jump if parity is odd PF=0 JS Jump if sign flag is set SF=1 JZ jump if zero ZF=1 LEA dest, src: load effective address, like move, used for quick multiplications MOV dest, src: copy value from source to dest MOVS/MOVSB/MOVSW/MOVSD EDI, ESI: move byte/word/double word value form address at ESI to address at EDI MOVSX: expands byte/word to word/double word and keep sign of value MOVZX: expands byte/word to word/double word and fills with 0 MUL value: Multiply unsigned NOP: No operation = does nothing OR dest, src POP dest: POP loads the value of byte/word/dword ptr [esp] and puts it into dest, increases stack by size of popped value, so that the next POP would get the next value. PUSH operand: Pushes to stack and decreases stack size by size of operand, so that ESP points to the value that was PUSHed REP/REPE/REPZ/REPNE/REPNZ ins: Repeats ins until CX=0 OR (ZF=1, ZF=1, ZF=0, ZF=0) ins = string operation CMPS, INS, LODS, MOVS, OUTS, SCAS, or STOS RET digit: (clean stack if digit) and return SUB dest, src: dest -= src TEST EAX,EAX: sets Z flag if EAX is 0 XOR EAX,EAX: sets Z flag to 0 ### Parts/Lessons 01. Olly + assembler + patching a basic reverseme 02. Keyfiling the reverseme + assembler 03. Basic nag removal + header problems 04. Basic + aesthetic patching 05. Comparing on changes in cond jumps, animate over/in, breakpoints 06. "The plain stupid patching method", searching for textstrings 07. Intermediate level patching, Kanal in PEiD 08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor 09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration 10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick 11. Intermediate patching using Olly's "pane window" 12. Guiding a program by multiple patching. 13. The use of API's in software, avoiding doublechecking tricks 14. More difficult schemes and an introduction to inline patching 15. How to study behaviour in the code, continued inlining using a pointer 16. Reversing using resources 17. Insights and practice in basic (self)keygenning 18. Diversion code, encryption/decryption, selfmodifying code and polymorphism 19. Debugger detected and anti-anti-techniques 20. Packers and protectors : an introduction 21. Imports rebuilding 22. API Redirection 23. Stolen bytes 24. Patching at runtime using loaders from lena151 original 25. Continued patching at runtime & unpacking armadillo standard protection 26. Machine specific loaders, unpacking & debugging armadillo 27. tElock + advanced patching 28. Bypassing & killing server checks 29. Killing & inlining a more difficult server check 30. SFX, Run Trace & more advanced string searching 31. Delphi in Olly & DeDe 32. Author tricks, HIEW & approaches in inline patching 33. The FPU, integrity checks & loader versus patcher 34. Reversing techniques in packed software & a S&R loader for ASProtect 35. Inlining inside polymorphic code 36. Keygenning 37. In-depth unpacking & anti-anti-debugging a combination packer / protector 38. Unpacking continued & debugger detection by DLL's and TLS 39. Inlining a blowfish scheme in a packed & CRC protected dll + unpacking Asprotect SKE 2.2 40. Obfuscation and algorithm hiding