
Reverse Engineering: Assembly / Machine Language

BIT - The smallest possible piece of data. It can be either a 0 or a 1.

If you put a bunch of bits together, you end up in the 'binary number system', i.e.

00000001 = 1
00000010 = 2
00000011 = 3
etc.

BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'.

WORD - A word is just 2 bytes put together, or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).

DOUBLE WORD - A double word is 2 words together, or 32 bits. Max value = 0FFFFFFFFh (or 4294967295d).

KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.

MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,578 bytes.

Registers:

Registers are special places in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder. On today's average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:

EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer

The possibilities are:

32bit Register   16bit Register
EAX              AX
EBX              BX
ECX              CX
EDX              DX
ESI              SI
EDI              DI
EBP              BP
ESP              SP
EIP              IP

Instructions:

ADD (Addition) - Syntax: ADD destination, source
SUB (Subtraction) - Syntax: SUB dest, src
AND (Logical And) - Syntax: AND destination, source
CALL (Call) - Syntax: CALL something
CMP (Compare) - Syntax: CMP dest, source
DEC (Decrement) - Syntax: DEC something
INC (Increment) - Syntax: INC register
MOV (Move) - Syntax: MOV dest, src

Jumps:

JMP - jump. Syntax: jmp address. For example, jmp 00401001 will directly jump to the given address without checking anything.
JNE - Jump if not equal. This is the same as jump, but the only difference is that it jumps only if the result is not equal.
JE - jump if equal
JNZ - jump if not zero
JZ - jump if zero

Now let us use these instructions: mov ax,01h means it is assigning 01h to ax, so ax=1. Now let's use functions: add ax,1, so the final result would be ax=2.

Now suppose we have this asm here:

1 mov ax,2
2 jmp 5
3 add ax,2
4 sub ax,2
5 add ax,3
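To see what the listing above actually does, here is a tiny interpreter for the mnemonics introduced in this tutorial (mov, add, sub, cmp, inc, dec, jmp, je/jz, jne/jnz). It is an added example, not part of the original tutorial; it assumes a constructed machine with four 16-bit registers (AX, BX, CX, DX) and a single zero flag, and it treats jump targets as line numbers of the listing, exactly as the text does.

```python
WORD_MASK = 0xFFFF  # a 16-bit register holds 0..65535 (0FFFFh), as the text states

def parse_operand(tok, regs):
    """Register name -> its value; 'NNh' -> hex; plain digits -> decimal."""
    tok = tok.strip().lower()
    if tok in regs:
        return regs[tok]
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok, 10)

def run(listing, max_steps=1000):
    """Execute numbered lines such as '2 jmp 5' (targets are line numbers); returns the registers."""
    regs = {"ax": 0, "bx": 0, "cx": 0, "dx": 0}  # constructed: a 16-bit AX/BX/CX/DX machine
    zf = False  # zero flag: written by cmp/add/sub/inc/dec, read by je/jne/jz/jnz
    prog = {}
    for line in listing.strip().splitlines():
        num, text = line.strip().split(None, 1)
        prog[int(num)] = text
    pc, steps = min(prog), 0
    while pc in prog:  # falling off the end of the listing halts the machine
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit: probable infinite loop")
        op, *rest = prog[pc].split(None, 1)
        op = op.lower()
        args = [a.strip() for a in rest[0].split(",")] if rest else []
        next_pc = pc + 1
        if op == "jmp":
            next_pc = int(args[0])  # unconditional: no flag is checked
        elif op in ("je", "jz"):
            next_pc = int(args[0]) if zf else next_pc
        elif op in ("jne", "jnz"):
            next_pc = int(args[0]) if not zf else next_pc
        elif op == "mov":
            regs[args[0].lower()] = parse_operand(args[1], regs)
        elif op in ("add", "sub", "cmp", "inc", "dec"):
            dst = args[0].lower()
            src = 1 if op in ("inc", "dec") else parse_operand(args[1], regs)
            res = regs[dst] + src if op in ("add", "inc") else regs[dst] - src
            res &= WORD_MASK  # wrap like a real 16-bit register
            zf = res == 0
            if op != "cmp":  # cmp only sets flags, it never writes dest
                regs[dst] = res
        else:
            raise ValueError(f"unknown mnemonic {op!r} on line {pc}")
        pc = next_pc
    return regs

PAGE_LISTING = "1 mov ax,2\n2 jmp 5\n3 add ax,2\n4 sub ax,2\n5 add ax,3"
```

Running `run(PAGE_LISTING)` gives ax = 5: the jmp on line 2 skips lines 3 and 4 entirely, so only the add on line 5 is applied to the initial 2.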

Now when the processor comes to the 2nd address it will directly jump to the 5th location.

Now let's go to the demonstration...

Tools required for Reverse Engineering:
- OllyDBG - Debugger, available on www.ollydbg.de
- WinXP
- Application for demonstration: SMAC 2.0

Download & install it on your computer. It requires you to enter the key. Enter any random key: "Invalid Registration ID".

Now attach the file so that we can directly get to the registration window. Now go to View > Executable window, select SMAC 2.0, and search for the reference text "Invalid Registration ID". Just before the professional window there will be:

Text strings referenced in SMAC:.text, item 4831
Address=00467503 Disassembly=PUSH SMAC.004324D0 Text string=UNICODE "SMC2U-"

Normally serial keys are like XXXX-XXXX-XXXX-XXXX.

Text strings referenced in SMAC:.text, item 4906
Address=00477137 Disassembly=PUSH SMAC.0042DBE0 Text string=UNICODE "{4D36E972-E325-11CE-BFC1-08002BE10318}"

Text strings referenced in SMAC:.text, item 5067
Address=0048711A Disassembly=MOV DWORD PTR SS:[EBP-A8],SMAC.00438C30 Text string=UNICODE "67BF-89E7-00E6-56C1-1F07"

67BF-89E7-00E6-56C1-1F07
SMC2U-

So if we combine them: SMC2U-67BF-89E7-00E6-56C1-1F07

"Invalid Registration ID" was entered, so we are getting extra text here: "This product has been successfully registered."

Text strings referenced in SMAC:.text, item 5076
Address=004874EF Disassembly=MOV DWORD PTR SS:[EBP-A8],SMAC.00438A48 Text string=UNICODE "This product has been successfully registered."
