Notes - MCS
Reverse Engineering

Common Logic Structures

Last updated 1 year ago

When analyzing code, it’s important to recognize basic flow control structures.

  • Remember that the decompiler may be unreliable.

Basic structures:

  • If else

  • Switch case

  • For

Conditional Branches (if else)

Basic control-flow instructions: move execution to a defined address if a condition is true.

  • Usually one condition is tested at a time, so a complex if/else must be broken into several single tests.

Assembly code is structured as a graph with tests and execution statements (the body of the condition).

x86 and most architectures have inherent support for many types of comparisons.

  • In x86 this is the jXX family of instructions.

  • Signed comparison: l <, le <=, g >, ge >=

  • Unsigned comparison: b <, be <=, a >, ae >=

    • Below and Above.

  • Equality e

  • Every condition can be negated with n

  • z, s, c, o, and p for ZF, SF, CF, OF, and PF

    • ZF: Zero Flag. 1 if the result of the last operation was 0.

    • CF: Carry Flag. 1 if the last operation needed an additional bit (e.g. 255 + 1 in a byte, whose result needs 9 bits); for a subtraction it is the borrow.

    • OF: Overflow Flag. 1 if the last operation had a signed arithmetic overflow (127 + 127 in a signed byte overflows).

    • PF: Parity Flag. 1 if the low byte of the result has an even number of 1 bits.

    • SF: Sign Flag. 1 if the result is negative when read as signed (MSB = 1).

  • s means negative (sign bit set), ns non-negative.

    • Sign or no sign.

  • p and np are also pe “parity even” and po “parity odd”.

  • and, or, and xor clear OF and CF, and set ZF, SF, and PF based on the result.

  • test is like and but only sets the flags, discarding the result.

  • Checking nz after test is like if (x & mask) in C.

  • Using test on a register against itself (test eax, eax) is the fastest way to check whether it is zero or negative.

Direct jump: target(s) specified in code (hardcoded).

Indirect jump: target selected from runtime data like register or memory contents.

Conditional jump: target differs based on a condition.

The structure can be recognized by one or more conditional branches, without loops.

je: jump if equal.

js: jump if sign (negative).
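As an added example (not from the original notes), the following Python models how cmp and test set ZF, SF, PF, CF and OF on 32-bit operands and how each jXX suffix listed above reads them. Running it shows that the same flags give different answers to the signed question (jl) and the unsigned question (jb), which is exactly what a reverser must keep apart when reading a comparison.

```python
# Added example, not from the notes; 32-bit operands are assumed throughout.
MASK32 = 0xFFFFFFFF

def to_signed(v):
    """Interpret a 32-bit pattern as a two's-complement integer."""
    return v - (1 << 32) if v & 0x80000000 else v

def result_flags(r):
    """ZF, SF and PF depend only on the result; PF looks at the low byte."""
    return {"ZF": r == 0,
            "SF": bool(r & 0x80000000),
            "PF": bin(r & 0xFF).count("1") % 2 == 0}

def flags_after_cmp(a, b):
    """cmp a, b computes a - b and keeps only the flags."""
    a, b = a & MASK32, b & MASK32
    r = (a - b) & MASK32
    f = result_flags(r)
    f["CF"] = a < b                                        # unsigned borrow
    f["OF"] = to_signed(a) - to_signed(b) != to_signed(r)  # signed overflow
    return f

def flags_after_test(a, b):
    """test a, b computes a & b and keeps only the flags; CF and OF cleared."""
    f = result_flags(a & b & MASK32)
    f["CF"] = f["OF"] = False
    return f

# Condition each jcc reads from the flags (the mnemonic suffixes above).
CONDITIONS = {
    "e": lambda f: f["ZF"],    "ne": lambda f: not f["ZF"],
    "s": lambda f: f["SF"],    "ns": lambda f: not f["SF"],
    "c": lambda f: f["CF"],    "nc": lambda f: not f["CF"],
    "o": lambda f: f["OF"],    "no": lambda f: not f["OF"],
    "p": lambda f: f["PF"],    "np": lambda f: not f["PF"],
    # unsigned below/above: CF is the borrow of a - b
    "b": lambda f: f["CF"],    "ae": lambda f: not f["CF"],
    "be": lambda f: f["CF"] or f["ZF"],
    "a": lambda f: not (f["CF"] or f["ZF"]),
    # signed less/greater: SF != OF gives the true order even after overflow
    "l": lambda f: f["SF"] != f["OF"],
    "ge": lambda f: f["SF"] == f["OF"],
    "le": lambda f: f["ZF"] or f["SF"] != f["OF"],
    "g": lambda f: not f["ZF"] and f["SF"] == f["OF"],
}
# synonyms: jz/je, jnz/jne, jpe/jp, jpo/jnp
for _alias, _base in (("z", "e"), ("nz", "ne"), ("pe", "p"), ("po", "np")):
    CONDITIONS[_alias] = CONDITIONS[_base]

def jump_taken(cc, flags):
    """Would j<cc> branch with these flags?"""
    return CONDITIONS[cc](flags)
```

With eax = 0xFFFFFFFF and ebx = 1, cmp eax, ebx makes jl taken (-1 < 1 signed) but jb not taken (0xFFFFFFFF is above 1 unsigned).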

Switch case

The structure can be recognized by a series of comparisons and jumps, or by a jump table.

Observe the difference between what a programmer writes and what is produced.

  • A switch is written as if it were a single atomic statement, but it isn't.

  • It is also dangerous because a missing break falls through into the next case.

test: and two operands (typically two registers) without storing the result. It sets 3 flags:

  • PF: even number of 1 bits in the result

  • ZF: zero result

  • SF: negative result (sign bit set)

Loops

For, while and do-while loops generally compile to the same shape.

Identified by:

  • an index.

  • an increment.

  • a comparison.

  • two jumps.
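As an added example (not from the original notes), a small Python recognizer that applies these four criteria to a hand-constructed disassembly listing: it finds the backward jump, the exit test, the comparison and the increment, and tells a for/while loop (conditional exit at the top, unconditional jump back) from a do-while (conditional jump back). The listing and the heuristic are my assumptions, not output of a real disassembler.

```python
# Constructed listing (address, mnemonic, operands) of a counted loop in the
# shape the notes describe; not real disassembler output.
LISTING = [
    (0x1000, "xor", "ecx, ecx"),          # i = 0
    (0x1002, "cmp", "ecx, edi"),          # compare i with n
    (0x1004, "jge", "0x100E"),            # exit when i >= n (forward jump)
    (0x1006, "mov", "eax, [esi+ecx*4]"),  # body: load array[i]
    (0x1009, "add", "ebx, eax"),          # sum += array[i]
    (0x100B, "inc", "ecx"),               # i++
    (0x100C, "jmp", "0x1002"),            # back-edge to the test
    (0x100E, "mov", "eax, ebx"),          # after the loop
    (0x1010, "ret", ""),
]
INCREMENTS = {"inc", "dec", "add", "sub", "lea"}

def is_jump(mnem):
    return mnem.startswith("j")

def find_loops(listing):
    """Describe each loop found via a backward direct jump (assumed heuristic)."""
    loops = []
    for i, (addr, mnem, ops) in enumerate(listing):
        # only direct jumps with a hardcoded target that points backwards
        if not is_jump(mnem) or not ops.startswith("0x") or int(ops, 16) >= addr:
            continue                      # forward jumps belong to if/else
        head = int(ops, 16)
        body = [x for x in listing[:i] if x[0] >= head]
        # conditional jumps out of the body past the back-edge are exits
        exits = [x for x in body if is_jump(x[1]) and int(x[2], 16) > addr]
        cmps = [x for x in body if x[1] in ("cmp", "test")]
        incs = [x for x in body if x[1] in INCREMENTS]
        loops.append({
            "head": head, "back_edge": addr,
            "exit": exits[0] if exits else None,
            "compare": cmps[-1] if cmps else None,
            "increment": incs[-1] if incs else None,
            # the index is the destination of the last increment before the jump
            "index": incs[-1][2].split(",")[0] if incs else None,
            # do-while jumps back conditionally; for/while exits at the top
            "kind": "do-while" if mnem != "jmp" else "for/while",
        })
    return loops
```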