Reverse Engineering For Beginners by Yurichev Dennis
Author: Yurichev, Dennis
Language: eng
Format: epub
Publisher: UNKNOWN
Published: 2020-03-21T16:00:00+00:00
Figure 54.5: IDA
That doesn’t work (JRE 1.7):
Exception in thread "main" java.lang.VerifyError: Expecting a stackmap frame at branch target 24
Exception Details:
Location:
password.main([Ljava/lang/String;)V @21: ifeq
Reason:
Expected stackmap frame at this location.
Bytecode:
0000000: b200 0212 03b6 0004 b800 05b6 0006 4c2b
0000010: 1207 b600 0899 0003 b200 0212 09b6 0004
0000020: a700 0bb2 0002 120a b600 04b1
Stackmap Table:
append_frame(@35,Object[#20])
same_frame(@43)
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2615)
at java.lang.Class.getMethod0(Class.java:2856)
at java.lang.Class.getMethod(Class.java:1668)
at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
It should be mentioned, though, that this worked in JRE 1.6.
We can also try to replace all 3 bytes of the ifeq opcode with zero bytes (NOP), and it still won't work. It seems there are more stack map checks in JRE 1.7.
OK, we'll replace the whole call to the equals method with the iconst_1 instruction plus a pack of NOPs:
Figure 54.6: IDA
1 always needs to be at the TOS when the ifeq instruction is executed, so ifeq will never jump. This works.
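As an added example (not code from the book), the reasoning behind the two patches can be checked offline with a small Python script. It takes the method bytecode exactly as the JRE 1.7 verifier printed it above (in which the ifeq at offset 0x15 already jumps to 0x18 = 24) together with the two stack map frame offsets from the same message (35 and 43), walks the instructions to find every branch target, and reports targets that have no stack map frame. The original ifeq offset (0x000e, i.e. a jump to 35, where the append_frame sits) is reconstructed from the stack map table and is an assumption; the function names are mine.

```python
# Added example: checking the two bytecode patches from the text against the
# JRE 1.7 stack map rule "every branch target needs a frame".
# Opcode lengths come from the JVM specification; only the opcodes used by this
# method are listed.

# Bytecode of password.main as printed in the VerifyError message on the page.
# In this dump the ifeq at 0x15 has already been patched to jump to 0x18 (24).
PAGE_BYTECODE = bytes.fromhex(
    "b2000212" "03b60004" "b80005b6" "00064c2b"
    "1207b600" "08990003" "b2000212" "09b60004"
    "a7000bb2" "0002120a" "b60004b1"
)
# Stack map frame offsets from the same message: append_frame(@35), same_frame(@43).
STACKMAP_FRAMES = {35, 43}

IFEQ_PC = 0x15         # ifeq <branch16>
EQUALS_CALL_PC = 0x12  # invokevirtual #8 (String.equals), 3 bytes long

OPCODE_LEN = {
    0x00: 1,   # nop
    0x04: 1,   # iconst_1
    0x12: 2,   # ldc
    0x2b: 1,   # aload_1
    0x4c: 1,   # astore_1
    0x99: 3,   # ifeq
    0xa7: 3,   # goto
    0xb1: 1,   # return
    0xb2: 3,   # getstatic
    0xb6: 3,   # invokevirtual
    0xb8: 3,   # invokestatic
}
BRANCH_OPCODES = {0x99, 0xa7}


def branch_targets(code):
    """Walk the bytecode and return {pc: target} for every ifeq/goto."""
    targets = {}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODE_LEN:
            raise ValueError(f"opcode 0x{op:02x} at pc {pc} not in table")
        if op in BRANCH_OPCODES:
            offset = int.from_bytes(code[pc + 1:pc + 3], "big", signed=True)
            targets[pc] = pc + offset
        pc += OPCODE_LEN[op]
    return targets


def missing_frames(code, frames=STACKMAP_FRAMES):
    """Branch targets without a stack map frame (the JRE 1.7 verifier rejects these)."""
    return sorted(t for t in branch_targets(code).values() if t not in frames)


def patch(code, offset, new_bytes):
    """Overwrite len(new_bytes) bytes at offset; the method length stays the same."""
    return code[:offset] + new_bytes + code[offset + len(new_bytes):]


# Assumption: the unpatched ifeq jumped to 35 (0x15 + 0x0e), the only place the
# append_frame makes sense; reconstruct that version from the page's dump.
ORIGINAL_BYTECODE = patch(PAGE_BYTECODE, IFEQ_PC, bytes([0x99, 0x00, 0x0e]))


def attempt_retarget_ifeq():
    """First attempt in the text: make ifeq jump to the next instruction (24)."""
    return missing_frames(PAGE_BYTECODE)


def attempt_replace_equals_call():
    """Working attempt: iconst_1 + two NOPs in place of the 3-byte equals call.
    ifeq jumps only when the TOS is 0, so it keeps its target but never jumps."""
    patched = patch(ORIGINAL_BYTECODE, EQUALS_CALL_PC, bytes([0x04, 0x00, 0x00]))
    return patched, missing_frames(patched)


if __name__ == "__main__":
    print("retarget ifeq -> targets without a frame:", attempt_retarget_ifeq())
    patched, missing = attempt_replace_equals_call()
    print("replace equals call -> targets without a frame:", missing)
    print("ifeq target now:", branch_targets(patched)[IFEQ_PC])
```

The script only models the frame-at-branch-target rule, which is enough to explain the VerifyError above; the failure of the NOP-everything variant comes from the separate stack-height checks the text alludes to, which are not modelled here.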
54.18 Summary
What is missing in Java in comparison to C/C++?
• Structures: use classes.
• Unions: use class hierarchies.
• Unsigned data types. By the way, this makes cryptographic algorithms somewhat harder to implement in Java.
• Function pointers.
Part V
Finding important/interesting stuff in the code
Minimalism is not a prominent feature of modern software.
This is not because programmers write that much code, but because a lot of libraries are commonly linked statically into executable files. If all external libraries were moved into external DLL files, the world would be different. (Another reason, in the case of C++, is the STL and other template libraries.)
Thus, it is very important to determine the origin of a function: whether it comes from the standard library or a well-known library (like Boost or libpng), or whether it is related to what we are trying to find in the code.
It is just absurd to rewrite all the code back into C/C++ in order to find what we're looking for.
One of the primary tasks of a reverse engineer is to quickly find the code he/she needs.
The IDA disassembler allows us to search among text strings, byte sequences and constants. It is even possible to export the code to .lst or .asm text files and then use grep, awk, etc.
When you try to understand what some code is doing, it could easily be some open-source library like libpng. So when you see constants or text strings which look familiar, it is always worth googling them. And if you find the open-source project where they are used, then it's enough just to compare the functions. It may solve some part of the problem.
For example, if a program uses XML files, the first step may be determining which XML library is used for processing, since standard (or well-known) libraries are usually used instead of a self-made one.
For example, the author of these lines once tried to understand how the compression/decompression of network packets works in SAP 6.0. It is a huge piece of software, but a detailed .PDB with debugging information is present, and that is convenient. He finally came to the idea that one of the functions, called CsDecomprLZC, was doing the decompression of network packets. Immediately he tried to google its name and quickly found that the function was used in MaxDB (it is an open-source SAP project).
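As an added example, not code from the book, here is the kind of first pass the paragraphs above describe, in Python: pull printable strings out of a binary, match them against markers of well-known libraries, and scan for constants that give an algorithm or library away. The sample bytes are constructed for this example; the zlib and libpng version strings and the CRC-32/MD5 constants are the real values those libraries embed, while the marker table, the CsDecomprLZC entry (taken from the anecdote above) and all function names are my own choices.

```python
import re
import struct

# Constructed stand-in for an executable: junk bytes around the strings and
# constants a program that statically links zlib and libpng would carry.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x89\xe5\x90\x90"
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"   # zlib inflate_copyright
    + struct.pack("<I", 0xEDB88320)                           # CRC-32 reflected polynomial
    + b"libpng version 1.6.37 - April 14, 2019\x00"           # libpng header version string
    + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # MD5 initial state
    + b"CsDecomprLZC\x00"                                     # symbol name from the SAP anecdote
    + b"\x00\xff\x13\x37"
)

# Regex marker -> library it points to. Illustrative table, not exhaustive.
LIBRARY_MARKERS = [
    (r"inflate \d+\.\d+\.\d+ Copyright", "zlib"),
    (r"deflate \d+\.\d+\.\d+ Copyright", "zlib"),
    (r"libpng version \d+\.\d+", "libpng"),
    (r"CsDecomprLZC", "MaxDB (SAP)"),
]

# 32-bit constants that identify an algorithm: worth searching the web for.
KNOWN_CONSTANTS = {
    0xEDB88320: "CRC-32 reflected polynomial (zlib crc32, PNG chunk CRC)",
    0x67452301: "MD5/SHA-1 initial state word A",
    0xEFCDAB89: "MD5/SHA-1 initial state word B",
    0x98BADCFE: "MD5/SHA-1 initial state word C",
    0x10325476: "MD5/SHA-1 initial state word D",
}


def extract_strings(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len long, with offsets."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def identify_libraries(data):
    """Map library name -> [(offset, string)] for every marker string found."""
    found = {}
    for offset, text in extract_strings(data):
        for pattern, library in LIBRARY_MARKERS:
            if re.search(pattern, text):
                found.setdefault(library, []).append((offset, text))
    return found


def find_constants(data, byteorder="<"):
    """Scan every byte offset for a known 32-bit constant (little-endian by default).
    Scanning unaligned offsets too catches constants embedded in immediates."""
    hits = []
    for offset in range(len(data) - 3):
        value = struct.unpack_from(byteorder + "I", data, offset)[0]
        if value in KNOWN_CONSTANTS:
            hits.append((offset, value, KNOWN_CONSTANTS[value]))
    return hits


if __name__ == "__main__":
    for library, places in identify_libraries(SAMPLE_BINARY).items():
        for offset, text in places:
            print(f"{offset:#06x}  {library:<12} {text!r}")
    for offset, value, meaning in find_constants(SAMPLE_BINARY):
        print(f"{offset:#06x}  {value:#010x}  {meaning}")
```

On a real executable you would feed the file's bytes in place of SAMPLE_BINARY; the offsets it prints are the places to jump to in IDA, and a string or constant that matches a marker tells you which open-source code to diff the surrounding function against.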