Hacker Disassembling Uncovered (Second Edition) : (Draft, For Internal Usage ONLY)

The document is a preface for the second edition of the book "Hacker Disassembling Uncovered". It discusses the motivation for writing the book, which is the author's curiosity about how computers work. It notes improvements made for the second edition, including additional practical disassembling techniques, chapters on memory dumping, software protection, and malware. The structure of the second edition is also outlined, dividing it into four parts covering hacking tools, basic and advanced techniques, and practical code investigation.

Preface 1

Hacker Disassembling Uncovered
(Second Edition)
(Draft, for internal usage ONLY)
Annotation
Very deep inside disassembling there is a wonderful world with off-the-wall rules. There are
no communication bridges around, only the endless sands of a primeval forest haunted
with sacred knowledge. Surviving is the first hacker's trick. Without an exact roadmap,
without a good guide and a couple of buggy ghosts you'll be nothing; you'll turn into dust
and jam! Well, I give you everything you need. I show you how to break into the code's
hierogram and find out its meaning. Did you ever see the first edition of the book? That
was shit!!! I'd explained what each assembler brick does and which high-level construction
it corresponds to, but... I totally forgot to mention what you have to do. You stand in front
of an endless disassembled listing without any idea where to start an inquiry. In essence,
you need more methodology. The previous book definitely lacked it; now the huge gap has
been sealed. The book was considerably rewritten, revisited and recast. Keeping the errata
in mind, I fixed many errors, added a number of new chapters and updated the rest. Newer
compilers and good old ones (like GCC and Intel C/C++) are described in detail; I depicted
64-bit CPUs, Linux/BSD disassembling specifics, the far-out ulink linker by the legendary
Yury Haron and many other things. In other words, I give you a *really* new book.

Preface
I've been obsessed by computers since childhood. I specialize in reverse engineering (disas-
sembling), finding vulnerabilities (holes) in existing protection mechanisms, and developing
my own protection systems. I was inspired to write this book by a natural curiosity in
"what's under the hood" of a computer and a desire to crack something using a crowbar or
hammer (figuratively, of course). Without doing so, is it possible to understand how this
thing works? If hackers are individuals obsessed by understanding the universe, then I am a
hacker.
Hacking is a natural need of many sentient beings. They pass along the thorny path of un-
derstanding the true essence of surrounding things, bent on destruction. Just look around:
Nuclear physicists split atoms, analysts separate long molecules into lots of smaller ones,
and mathematicians actively use decomposition. And not one of them deserves reproach!
Strangely, code diggers, who try to do the same things with software, are often censured.
Are accusations against them justified? Is hacking in general, and disassembling in particu-
lar, illegal?
Hacking is not the same thing as vandalism. Hacking is the demonstration of natural curios-
ity and the desire to understand the surrounding world. Disassembled listings, machine com-
mands, black screens of SoftIce that are reminders of the early days of MS-DOS—all these
are interesting and captivating. Among them is the entire world of hidden mechanisms and
protection code. Do not look for them on maps; this world exists only in fragments of print-
outs, technical manuals automatically opening at the most interesting positions, and sleep-
less nights spent at the monitor.
Hackers and developers of protection mechanisms are not just opponents but also col-
leagues. If you assume that hackers are parasitic, exploiting programmers' inability to build
high-quality protection mechanisms, then you have to realize that programmers are also par-
asitic, exploiting users' inability to write programs.
Hacking and programming have much in common. Creating high-quality and reliable pro-
tection mechanisms requires low-level programming skills; the ability to work with the op-
erating system, drivers, and equipment; and knowledge of the architecture of contemporary
processors, the specific features of code generation typical for specific compilers, and the
"biology" of the libraries being used. At this level of programming, the distinction between
programming and hacking becomes so slight that I won't even try to draw a line between
them.
To develop protection mechanisms, the programmer must have at least a general idea about
the working methods and technical tools used by an opponent. To master this technical arse-
nal at a level no lower than that of the opponent is even better. Practical experience (in
cracking programs) is highly desirable because it allows the programmer to study the tactics
and strategy of the offensive party carefully, thus allowing the organization of an optimal de-
fense. It simply allows the programmer to detect and reinforce the most probable targets
against hacker attacks, concentrating on them the maximum available intellectual resources.
This means that a developer of protection mechanisms must be inspired by hacker psychol-
ogy and must start thinking like a hacker.
Thus, mastering the information-protection technology assumes mastering the cracking tech-
nology. If you don't know how protection mechanisms are cracked, are unaware of their vul-
nerabilities, and have no information about the hacker's arsenal, you won't be able to create
a strong protection mechanism that is inexpensive and easy to implement. Books about se-
curity that consider this subject exclusively from the protection point of view have the same
drawback as storage devices that can only write information—they have no practical appli-
cation.
This book is neither a manual on cracking nor a manual on antihacker protection. Such
books are already available in abundance. Rather, it contains the "travel notes" of a code
digger. You'll examine Intel's compilers, look inside the protection mechanisms of commer-
cial programs, and learn how disassemblers and debuggers work and how to work with them
expertly. If you are not so afraid that you immediately close this book and throw it away,
you'll learn many new and interesting facts.
What's New in the Second Edition


Initially, this book was targeted at professionals. However, after the first edition was
published, I obtained many reader reviews, both praising and critical. Most professionals didn't
like lots of "milk and water"—that is, simplistic explanations. But beginning code diggers
objected that what is milk and water for one individual might be wine and beer for another.
Naturally, each reader wants a book in the form most convenient for him or her. However, it
is impossible to satisfy the expectations and interests of all categories of readers in a single
book (especially one that doesn't pretend to be comprehensive). I back hacking beginners as
the widest and most thankful audience. I will be glad if this book helps them to get over the
main psychological barrier—a sense of helplessness before a computer.
Professionals have no need of such books. Most of them told me that there were about a
dozen interesting pages, scattered throughout the first edition, so that they only gave the
book a cursory examination. For example, one of the verdicts was as follows: "There is
good material here, but to me it lacked any real depth." Many professional readers re-
proached me for writing a book that was Windows-centric. Such statements helped me better
understand my role and purpose.
When working over the second edition, I carefully considered all this criticism and took
these comments into account. The second edition of this book is complemented by practical
disassembling techniques. The provided materials describe what must be done when starting
disassembling, where to start the analysis of a specific language construct, how to avoid becoming
lost in megabytes of disassembled code, and how to avoid becoming caught in intricate
traps. New chapters included in the book consider memory dump investigations, legal soft-
ware protection mechanisms, and malicious programs. The material is revised to take into
account new ideas and contemporary trends. Considerable attention is paid to such impor-
tant topics as overcoming antidebugging techniques and investigating packed, encrypted,
polymorphous, or simply obfuscated code. The revised edition also corrects errors and
omissions of the first edition.

Book Structure
The second edition is divided into four parts: Part I, "Introduction to Hacking Tools"; Part
II, "Basic Hacking Techniques"; Part III, "Advanced Disassembling Techniques"; and Part
IV, "Practical Code Investigation."
The book contains the following chapters:
• Chapter 1 provides a brief overview of the most popular hacking tools for Windows, in-
cluding debuggers, disassemblers, decompilers, hex editors, unpackers, and dumpers. In
addition, it provides a list of must-read books, which would allow you to gain the mini-
mum level of knowledge required for jumping into the area of hacking.
• Chapter 2 describes available hacking tools for UNIX and Linux.
• Chapter 3 concentrates on a popular and interesting topic—emulating debuggers and
emulators, which offer practically unlimited possibilities for code diggers. In addition to
describing the most popular emulators and areas of their application, this chapter provides
a comparative analysis of existing emulators and describes the recent technological
advances in this area.
• Chapter 4 is dedicated to an overview of available assemblers, their advantages, and
their drawbacks. This topic is of special importance because a hacker that hasn't mas-
tered assembly languages is not a hacker. How can you disassemble anything if your
knowledge is limited to high-level programming languages? Special attention is paid to
the problem of choosing an assembly translator, which is crucial not only for beginners
but also for professional programmers.
• Chapter 5, which opens Part II, provides an overview of protection mechanisms, their
strong and weak points, and the most common implementation errors of the existing pro-
tection mechanisms. It also provides recommendations for protection developers, which
should help you strengthen your protection without causing inconveniences for legal
users.
• Chapter 6 introduces the basic techniques that hackers use to crack protection mecha-
nisms. It illustrates the basic techniques of working with a hex editor, an API spy, and a
disassembler (on the example of IDA Pro), and it provides simple and illustrative exam-
ples of practical hacking.
• Chapter 7 introduces application debugging. Although this book concentrates on disas-
sembling, analysis of the disassembled listing of an entire program is often inefficient.
Debuggers are the most popular hacking tools, and they are often used together with disassemblers.
This chapter illustrates the techniques of efficiently locating protection mechanisms us-
ing a debugger and illustrates them with a practical example.
• Chapter 8 is a logical continuation of the previous chapter, covering specific features of
debugging under UNIX and Linux. It discusses the efficient techniques of working with
one of the most powerful debuggers in the UNIX world—GDB. Special attention is
drawn to debugging binary files without symbolic information.
• Chapter 9 covers the topic of kernel debugging on the example of Linice, a debugger
suitable for hacking protected applications.
• Chapter 10, which concludes Part II, covers advanced debugging topics and prepares
you for serious code investigations. This chapter acquaints you with various hacking
tricks that allow more efficient hacking, including efficient techniques of working with
breakpoints, using SoftIce as a logger, using debuggers and disassemblers in combina-
tion, and quickly locating protection mechanisms within large programs.
• Chapter 11 is dedicated to disassembling 32-bit PE files. It describes the PE file struc-
ture and discusses various techniques of inserting foreign code into such files. This topic
is highly important for understanding further materials provided in this book, because
the techniques of code insertion are widely used by worms, viruses, shellcode, as well as
by protection mechanisms.
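The code-insertion techniques the chapter mentions leave traces in the PE section table that defenders look for when triaging a file. The following Python is an added example, not code from the book or its CD: it parses the DOS, COFF, optional and section headers of a PE image and flags the two most common signs of appended foreign code, an entry point that falls in the last section and a section marked both writable and executable. The header offsets and IMAGE_SCN_* flag values are taken from the PE/COFF specification; the two sample images are header-only and constructed inline for the test, so they are not real executables.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    # AddressOfEntryPoint sits at offset 16 in both the PE32 and PE32+ layouts.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size                     # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "size": max(vsize, rawsize),
            "chars": chars,
        })
        off += 40                            # IMAGE_SECTION_HEADER is 40 bytes
    return entry_rva, sections


def audit_sections(data):
    """Return findings typical of foreign code appended to a PE file (empty if none)."""
    entry_rva, sections = parse_pe(data)
    findings = []
    holder = None
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for sec in sections:
        if sec["vaddr"] <= entry_rva < sec["vaddr"] + sec["size"]:
            holder = sec
        if (sec["chars"] & wx) == wx:
            findings.append("section %s is writable and executable" % sec["name"])
    if holder is None:
        findings.append("entry point 0x%X lies outside every section" % entry_rva)
    else:
        if len(sections) > 1 and holder is sections[-1]:
            findings.append("entry point in last section %s" % holder["name"])
        if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point in non-executable section %s" % holder["name"])
    return findings


def build_sample_pe(sections, entry_rva):
    """Construct a header-only PE32 image for testing (constructed data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    opt_size = 224                           # size of IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample 1: a normal layout, code in .text and the entry point inside it.
CLEAN = build_sample_pe(
    [(b".text", 0x1000, 0x1000, 0x1000, 0x400, RX),
     (b".data", 0x1000, 0x2000, 0x200, 0x1400, RW)],
    entry_rva=0x1010)

# Constructed sample 2: the same file with an appended RWX section that now holds the entry point.
SUSPICIOUS = build_sample_pe(
    [(b".text", 0x1000, 0x1000, 0x1000, 0x400, RX),
     (b".data", 0x1000, 0x2000, 0x200, 0x1400, RW),
     (b".newsec", 0x200, 0x3000, 0x200, 0x1600, RX | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, audit_sections(image) or ["no findings"])
```

Both checks are heuristics rather than proof: packers and legitimate self-modifying runtimes also produce RWX sections and late entry points, so a hit is a reason to open the file in a disassembler, not a verdict by itself.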
• Chapter 12 discusses the issues of disassembling ELF files, covers various techniques
of inserting foreign code into ELF files, and provides practical disassembling examples.
• Chapter 13 covers the issues of disassembling 64-bit executable files on the example of
the AMD64 architecture.
• Chapter 14 describes the technique of disassembling operating system kernels, focusing
on the example of the Linux kernel. It describes techniques for investigating the kernel
and illustrates the material with a simple example of a kernel hack.
• Chapter 15 covers advanced patching techniques, including secrets and tricks of online
patching and stealth technologies. The patching techniques are illustrated on the example
of Windows NT/2000/XP kernel modifications. Also covered are important topics of us-
ing documented and undocumented features and functions for removing kernel protec-
tion against online patching. Special attention is drawn to overcoming the consequences
of unskillful kernel patching, including the use of SoftIce to overcome the BSOD.
• Chapter 16, the last chapter in Part III, concludes the topic of disassembling files of
various formats. In contrast to previous chapters, which covered the issues of disassem-
bling 32-bit and 64-bit PE files and ELF files, Chapter 16 demonstrates techniques of
disassembling files of other formats on the example of PDF files.
• Chapter 17 demonstrates the use of antidebugging techniques and the use of stealth
technologies in the world of Windows. Supplementary materials for this chapter, cover-
ing the same topics for UNIX and Linux, are provided on the CD supplied with this
book.
• Chapter 18 discusses the issues of investigating packed and protected programs under
Windows. The number of programs distributed in a packed form grows constantly. The
main goal of packers is complicating the code analysis; therefore, packers rapidly evolve
into protectors. The same weapon is used against hackers and legal users: worms,
viruses, and Trojan horses actively use packers and protectors to prevent their detection
by antivirus programs.
• Chapter 19 is dedicated to the topic of overcoming code obfuscation. Code obfuscation
is a set of techniques and methods that complicates software code analysis. This weapon
was created by hackers, and there are as yet no adequate techniques of counteracting it.
Nevertheless, the first steps toward creating such techniques have been made.
• Chapter 20 covers overcoming packers, protectors, and obfuscators under UNIX and
Linux. For the moment, such protection mechanisms in UNIX are suitable as crackme
examples only, which hackers use for training purposes. This is because most UNIX pro-
grams are open-source projects distributed in source code. However, the number of com-
mercial products for UNIX is growing; therefore, hackers are preparing to combat seri-
ous opponents.
• Chapter 21 discusses the urgent topic of auditing, detecting, and disassembling worms,
viruses, and other malware. This topic is of special importance because antiviral soft-
ware (even armed with all updates available) doesn't always correctly recognize mal-
ware. Experienced hackers trust only their brains, their chosen debugger (usually Soft-
Ice or anything better), and other tools that allow them to discover the malicious code, no
matter where it might reside.