[System Security] 2. How to Learn Reverse Analysis, with a Reverse Engineering Case Study of the Lü Bu Chuan Game

You may have seen a similar article of mine before, so why repeat it? I simply want to help beginners understand virus reverse analysis and system security better and more systematically, without disrupting the earlier series. I have therefore reopened this column to study system security, reverse analysis and malicious code detection systematically and in depth. The "System Security" series will be more focused, more systematic and deeper; it is also a record of the author's slow growth. Changing fields is genuinely hard, and reverse analysis is a hard part of it, but I want to see how much of it I can learn over the next four years. The road is long, and I head for the mountain anyway. Enjoy the process, and let's go together~

In the System Security series the author will study malicious sample analysis, reverse analysis, offensive and defensive practice and Windows vulnerability exploitation in depth, learning from other bloggers through online notes and hands-on work, and hoping to make progress together with you. The previous article introduced what reverse analysis is. This article continues the basics: it explains how to learn reverse analysis, recommends a learning route drawn from the author's experience, and ends with a reverse engineering case study of the Lü Bu Chuan game.

This article is also based on a video shared by teacher Qian Linsong at Huazhong University of Science and Technology, which I strongly recommend. Without further ado, let's begin the new journey! Your likes, comments and favorites are the greatest support for me, and I am grateful to everyone accompanying me on the security road. If anything is badly written, contact me and I will fix it. This is an introductory article and I hope it helps you; the author's aim is to make progress together with other security people. Come on~

Author's github resources:


Statement: I firmly oppose using what is taught here to commit crimes; all criminal acts will be severely punished, and we must keep the network clean together. I recommend understanding the principles behind these techniques in order to defend against them better. (See the references below.)


1. How to learn software reverse engineering skills

1. Software reverse engineering: opening remarks

How do you learn software reverse engineering skills?
Teacher Qian says that "software reverse engineering is brick-laying work." Haha! Indeed, any technology or discipline feels fun when you first take part in real work, and the more of it you do the more it feels like laying bricks. When you first touch it, it looks like a skill; once you rely on it for a living every day, it is no longer a skill.

In reverse analysis, many people go online to learn tutorials on unpacking, for example, which teach you where to set a breakpoint, press F7, F8 and F9 a few times, reach the designated position and right-click to dump the unpacked program. That sequence of operations is the accumulated experience of a master. You may have learned the simplest solution, but you do not understand the underlying principles; the first person to propose it had to walk through all the pitfalls of that packer to form this so-called skill. The skill exists to save time and labor, repeating the work countless times without hurting the quality of the result.

When this kind of optimal solution is handed to a newcomer, it either looks full of tricks or is incomprehensible. When you learn reverse analysis, think less about tricks and just do the work. There are all kinds of tools on the market, unpackers for instance; you should first learn how to write a packer yourself, and then you will feel how fragile a packer is: there are bugs everywhere in my program, and if someone triggers one of them at some point my packer may be defeated. Likewise some people study anti-debugging and compile a dozen or more anti-debugging techniques; why can you not find one, and why can you not summarize one yourself? Once you write a debugger yourself, many solutions appear, and when you finish writing it you will find that the debugger is also very fragile: a sample can accidentally crash your debugger, and once you find the pattern in that sample, it is a kind of anti-debugging against your debugger. So if you only learn other people's unpacking and anti-debugging tricks from the Internet, it is of little use; you need to practice, understand deeply, and then summarize your own skills.


In an adversarial field there is no luck: whoever can grind the opponent into the ground wins. Likewise we often see only the glamorous side of security analysts, the patch and the attack in the last few seconds, and not the analyst who was tortured by that packer and that debugging session, lying in the pit again and again before finally solving it. What confrontation really tests, therefore, is a person's willpower and basic skills.

  • Willpower: supported by belief
  • Basic skills: writing code, reading code

Basic skills matter. The Internet is full of tutorials such as "unpack in three days" or "anti-debugging in two days", but what we need is basic skills. For example, in the reverse analysis of Minesweeper there are many OllyDbg tutorials explaining in detail what every function does. Those functions can be learned briefly; what we really need is to be able to understand the code in the disassembly window shown in the figure below. Being less familiar with the automation tools only makes you slower; but if you can use every function and shortcut in OD and still cannot read the code in the disassembly window, what use is that? Everyone's attention should therefore be on the disassembly window.


The same is true for IDA static analysis: it has many functions, but our focus is actually the code window. People working in security encounter a great deal of information, so inductive learning and summarizing is a necessary skill (one that can be cultivated through training) that helps you find the key points quickly. Tricks are not the decisive factor; what reverse analysts really rely on is basic skills.


So, how should you learn a programming language or reverse analysis?
Don't learn like this:

  • Only reading the book, never sitting at the machine
  • Only running the program, never debugging it
  • Only doing the exercises after each chapter, never an engineering project

Learn like this instead:

  • Type more code; hands-on practice matters most
  • Programs are not written, they are debugged into existence
  • Do more projects of a certain scale, following your own interests or market needs

Three courses recommended as the foundation of reverse analysis:

  • Data structures
  • Operating systems
  • Compiler principles: the theoretical course behind reverse engineering. If you want to reverse disassembled code and restore it to high-level code, you need a certain understanding of the compiler; otherwise you can only read the techniques that others have published.

For example, in the "Operating Systems" course, can you build a small operating system? In "Compiler Principles", can you find an open-source compiler, read the source code of its lexical and syntactic analysis, and write some comments? Before 2000 Mr. Qian was playing with hacking tools, but later found he could not learn the essence from them: all he learned were tricks, and tricks are time-sensitive. So if you want to learn well, you must study the essentials. The fundamental knowledge of reverse analysis changes very little, while the upper-layer technology changes much faster.




2. Reverse engineering learning route

What project preparation can be done while at school?

  • Follow online communities and take part in technical discussions; the Kanxue forum is recommended
  • Search recruitment information from security companies to understand the skill requirements (the reverse engineering skill list)
  • Develop real projects in a targeted way

The Cree reverse engineering company recommends learning from the reverse engineering material shared on Kanxue.

  • Reverse engineer and document the principles of OllyDbg
  • Reverse engineer and document the principles and process of CreateProcess on XP
  • Reverse engineer and document the principles and process of CreateProcess on Win7 x64
  • Reverse engineer and document the principles and process of ReadProcessMemory on XP

Reverse engineering skill tree
The following is a list of software reverse engineering skills, covering prerequisite knowledge, basic skills, development skills, reverse engineering skills, study books and practical projects.


(1) Basic skills
These include assembly language, C, C++ and data structures. You should learn at least one low-level language and one high-level language, then an object-oriented language, with the emphasis on data structures.


(2) Development skills
Reverse analysis requires an understanding of development. Development requires programming on at least one operating system platform, Windows or Linux, such as Windows SDK programming; then you need to understand at least one framework (a Java framework, Microsoft MFC, etc.). You also need to understand network programming (sockets, TCP, HTTP, etc.), and you can learn design patterns when you have time; you need project experience before learning design patterns, because you will meet them when reading the code of large projects. Finally, databases are a skill that must be learned, and they are very important.

When learning databases you should study relational theory (normal forms, sets, etc.) rather than paying most attention to the SQL statements. Why? Because the statements are likely to change (Neo4j and MySQL differ, for example), while relational theory has always been there. At the same time, our operating system can be understood as a dedicated database whose responsibility is to manage and allocate hardware resources. For example, our system has more than 50 processes running; if the theoretical address space of a 32-bit process is assumed to be 2G, that would require 100G of memory. How is this solved? Through data relationships: Microsoft's operating systems all use data relationships, creating tables with primary and foreign keys to avoid unreasonable or duplicated use of space.


(3) Reverse engineering skills
The reverse engineering skills are more practical. Windows reverse engineering includes OllyDbg, the PE file format, IDA usage and Windows kernel driver development (the core of the operating system); Android reverse engineering includes baksmali, the DEX file format, the Linux kernel, *nix operation, etc.


(4) Study book list
The main recommendations cover programming language development, mathematical foundations, mathematical structures and algorithms, operating systems, compiler principles, software analysis, tools and reference manuals. Mathematical foundations are also very important, but our reverse engineering focuses on application, so a basic understanding of mathematics is enough.


(5) Practical projects
Here are some recommended development and reverse engineering projects for everyone to learn from. The difficulty is not small! Since the author has already done many development projects, only the implementation of a remote control tool will be explained in detail later; the rest is the systematic learning and sharing of reverse engineering projects. Remote control software helps us analyze Trojan horses, CAD software helps us analyze C++ programs, a debugger helps with anti-debugging, a PE analysis tool helps us understand the PE file format, and reverse engineering projects directly improve reverse analysis ability.

The following are some of the recommended projects, together with the author's completion status. I have really learned a lot over the years, o(╥﹏╥)o

  • Write a small game, such as Tetris, Gobang, Snake or Tanks (completed various games such as "Dream" in sophomore year, 2012)
  • Write remote control software supporting PC and Android (completed as the senior-year design project in 2014)
  • Write a CAD program supporting graphics editing, image transformation and storage (completed in the junior-year graphics class in 2013, and on Android in 2015)
  • Write a debugger
  • Write a small operating system (a USB-disk operating system implemented in C++ in junior year, 2013)
  • Write a task manager that can monitor program activity such as processes and threads (completed as the senior-year design project in 2014)
  • Write a web chat room supporting multi-person chat (implemented in Python in 2015)
  • Write a PE analysis tool
  • Write a cheat program for Windows Minesweeper (completed in 2020)
  • Analyze an RPG game's save file and write a program to modify it (completed a save editor for "Sword 1" in junior year, 2013)
  • Add a menu option to Windows Calculator through injection
  • Implement API monitoring of a specified program by injecting inline hooks
  • Detailed reverse analysis of a typical virus and its mechanism (WannaCry worm analysis completed in 2020)
  • Write a program using only a hex editor, without a compiler
  • Dump an application from memory and repair its import table and other information
  • Try cracking the various Crackme exercises in the Crackme section of the Kanxue forum (in progress, 2019)
  • Combine security mechanisms to find security vulnerabilities and submit CVE vulnerability reports




2. Recommended security books and tools

As a security beginner, I combine my own experience and my friends' experience to recommend books in three directions, network security, system security and artificial intelligence, as well as related technical tools. I hope you like them!

First, the following books. These are all ones I have read or am reading, and they are all quite good.

  • Network security
    "White Hat Talks about Web Security", "Web Front-End Hacking Techniques Revealed", "XSS Cross-site Scripting Attack Analysis and Defense", "Web Offensive and Defensive Business Security Practice Guide", "Intranet Security Offensive and Defensive Penetration Testing Practical Guide", "The Road to Security: Web Penetration Technology and Practical Case Analysis", "The Hacker Offensive and Defense Technology Collection: Browser Practical Chapter", "Network Offensive and Defense Practice: Research on Vulnerability Exploitation and Privilege Escalation", "CTF Training Camp", etc.
  • System security
    "Encryption and Decryption", "Practical Malware Analysis", "Windows Hacker Programming Technology Explained", "Reverse Engineering Authoritative Guide", "Software Security", "Windows Advanced Programming", "Windows PE Authoritative Guide", "IDA Pro Authoritative Guide", "Android Software Security and Reverse Analysis", "C++ Disassembly and Reverse Analysis Technology Revealed", "0day Security: Software Vulnerability Analysis Technology", etc.
  • Artificial intelligence
    "Machine Learning", "Deep Learning", "Statistical Learning Methods", "Malware Data Science", etc.

The picture below shows some of the author's books. It feels like quite a few; I suggest reading them together with hands-on practice, since persistence is victory.



Common security websites and forums:

  • Kanxue (https://bbs.pediy.com/)
    The Kanxue forum is a software security technology exchange venue, providing a technology exchange platform and resources for security enthusiasts.
  • FreeBuf (https://www.freebuf.com/)
    The most followed global Internet security media platform in China, a community for enthusiasts to exchange and share security techniques.
  • 52pojie (https://www.52pojie.cn/)
    The 52pojie forum is a non-profit technical forum dedicated to software security and virus analysis.
  • ichunqiu (https://www.ichunqiu.com/)
    An information security online education platform created by the domestic network security company Yongxin Zhicheng, with many online network security resources.
  • Anquanke (https://www.anquanke.com)
    Provides authoritative vulnerability information, publishes security news, and shares security knowledge and live broadcasts of security events.
  • Xianzhi (Prophet) community (https://xz.aliyun.com/)
    An open technology platform containing excellent security technical articles.
  • Bilibili (https://www.bilibili.com/)
    Bilibili really offers many kinds of learning resources; it is a good choice for learning security courses.
  • CSDN (https://blog.csdn.net/Eastmount)
    The largest programming community in China. Unfortunately there are few security articles, but I am among those improving that, haha! More importantly there is a lot of good security sharing, from Binghe, Xie Gongzi and others; the author will summarize the white hats of CSDN in detail in a later article.
  • WeChat official accounts
    WeChat official accounts also offer a convenient security learning environment with many security resources. Recommended accounts include Security+, Gcow, Xie Gongzi, Kanxue, Penetration Cloud and others.
  • Aqniu (https://www.aqniu.com/)
  • Secrss (https://www.secrss.com/)
  • NSFOCUS (http://www.nsfocus.com.cn/)
  • Aliju Security (https://xlab.tencent.com/cn/)

Commonly used network security tools are recommended below. Bold marks the excellent tools the author has learned or used.

  • Fiddler (network vulnerability scanner)
  • Burp Suite (network vulnerability scanner)
  • Nmap (port scanner)
  • Nessus (vulnerability scanner)
  • Wireshark (manual packet analysis tool)
  • SQLMap (penetration testing tool)
  • Metasploit (vulnerability monitoring tool)
  • Cobalt Strike (penetration testing framework)
  • Hydra (password cracking tool)
  • Acunetix (network vulnerability scanning software)
  • Pangolin (SQL injection testing tool)
  • Ettercap (man-in-the-middle attack tool)
  • Maltego (forensic tool)
  • OWASP Zed Attack Proxy (attack proxy tool)
  • Caidao (website penetration tool)
  • China Ant Sword (website penetration tool)
  • Behinder (website penetration tool)

The recommended tools for system security analysis are as follows:

  • OllyDbg (dynamic analysis tool, the "Yitian Sword")
  • IDA Pro (static analysis tool, the "Tulong Saber")
  • WinDbg (Microsoft kernel-level debugger)
  • PEiD (packer detection tool)
  • Cuckoo Sandbox (open-source sandbox system)
  • PEView (PE file viewer)
  • 010 Editor (binary analysis)
  • Process Monitor (Windows monitoring tool)
  • Process Explorer (file and process viewer)
  • Cheat Engine (memory editing tool)
  • Outpost Firewall (shareware)
  • hex editor (hexadecimal editing tool)
  • Ubertooth (Bluetooth sniffing tool)
  • Assembler

Below is a share of the common attack detection and countermeasure techniques presented at the 2019 Kanxue Security Summit.



3. Reverse analysis of the Lü Bu Chuan game

Let's take the old game "Xin Lü Bu Chuan" as an example. It is a very old game.

When playing it we run into a problem: the NPCs speak too slowly and we are constantly stepping through the plot. We want to reverse engineer it so that the dialogue completes quickly and the game moves faster.


The first step is to open the game executable "Ekd5.exe" in OllyDbg.

Second, right-click, choose "Find" and select "Name in Current Module" to see which functions the game imports.

The returned list is shown in the figure below, including the various functions the game needs to call; from their names we can guess what each is used for.

The third step is to find two unusual functions.
Why does the game's author install two hook functions? Is it trying to detect our keyboard?

  • UnhookWindowsHookEx: removes a message hook
  • SetWindowsHookExA: installs a message hook

PS: This kind of analysis experience comes from continuous practice; it is a process of a lot of repeated training. The author is still learning, so let's keep working hard!

The fourth step is to select the function and right-click "Set breakpoint on every reference".

You can see that two breakpoints have been set.

The fifth step: run the program or double-click the breakpoint to jump to the corresponding position in the disassembly window. You can see that it is a keyboard hook and that the callback function is 0x0040D307.

  • Hookproc = Ekd5.0040D307
  • HookType = WH_KEYBOARD
  • CALL SetWindowsHookExA

The sixth step: double-click the callback line, copy the address 40D307, press Ctrl+G and enter it to follow to that location.

The seventh step: at the address 0x0040D307 we jumped to, press F2 to add a new breakpoint.

The eighth step: press F9 to run the program and enter the dialogue screen.

The ninth step: press a key, and let's analyze this assembly code in detail.

The author pressed the digit "9". The key value is stored in the EAX register, 0x39 in hexadecimal, and the code then checks whether the key code is equal to 0x20 (space).

  • CMP EAX, 20

The tenth step: set a breakpoint at 0x0040D32A, then continue running and analyzing the code.
When the input is a space, it compares whether the value of a global variable is 0, and then enters a new CALL.

  • CMP ptr [500E0C], 0
  • CALL Ekd5.00406A33

Run into the CALL and go to 0x00406A33; as shown in the figure below, it starts a thread. We then need to locate the thread's routine.

  • CreateThread
  • PUSH Ekd5.00406A7F

The eleventh step: press Ctrl+G to follow to 0x00406A7F, then analyze the assembly code.

Set a breakpoint here and analyze the function. It first compares a status value; if the status is 0 it sends a WM_LBUTTONDOWN message, that is, a mouse click.

  • Message = WM_LBUTTONDOWN
  • Message = WM_LBUTTONUP

Then comes a Sleep call with an interval of 100 milliseconds, followed by an UP message, equivalent to releasing the left button after pressing it.

At this point we have found that the effect of the space key is to repeatedly press and release the left mouse button. It turns out the game has its own skip function bound to "Space", haha! The game manual does not document this key, so it amounts to a hidden feature. From here one could go further and modify the game or build a game helper; the main goal here is to walk everyone through the process of game reverse engineering, especially the basic usage of OD.
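The point of the walk-through is to turn the disassembly back into readable logic. As an added example (not code from the original post or from the game), here is a C reconstruction of what the OllyDbg session traced: the WH_KEYBOARD callback at 0x0040D307, the CreateThread at 0x00406A33, and the click-sleep-release thread at 0x00406A7F. The message and hook constants are the real values from the Windows headers; the action log, the fake Sleep, the variable name standing in for [500E0C] and running the thread routine inline are assumptions made so the logic compiles and can be checked on any platform. It also shows why SetWindowsHookEx with WH_KEYBOARD stood out during the name search: it is the same API a keylogger would import, which is exactly why an analyst checks what the callback actually does before drawing a conclusion.

```c
/* Reconstruction of the Ekd5.exe space-key auto-click logic traced above.
 * Added example; constants are from <windows.h>, everything else is assumed. */
#include <stddef.h>
#include <stdint.h>

#define WH_KEYBOARD     2       /* hook type passed to SetWindowsHookExA */
#define VK_SPACE        0x20    /* the value compared against EAX */
#define WM_LBUTTONDOWN  0x0201  /* left button press */
#define WM_LBUTTONUP    0x0202  /* left button release */

enum { LOG_MAX = 16 };

/* One recorded action of the thread routine: a posted message or a Sleep.
 * In the game these would be real window messages and a real Sleep(); the
 * log is constructed here so the sequence can be inspected. */
typedef struct {
    uint32_t msg;       /* window message, or 0 for a Sleep entry */
    uint32_t sleep_ms;  /* milliseconds for a Sleep entry */
} Action;

typedef struct {
    Action actions[LOG_MAX];
    size_t count;
} ActionLog;

/* Stands in for the global at [500E0C] (name assumed); 0 = idle. */
int g_autoclick_state = 0;

static void record(ActionLog *log, uint32_t msg, uint32_t sleep_ms) {
    if (log->count < LOG_MAX) {
        log->actions[log->count].msg = msg;
        log->actions[log->count].sleep_ms = sleep_ms;
        log->count++;
    }
}

/* Thread routine at 0x00406A7F: press and release the left mouse button. */
int autoclick_thread(ActionLog *log) {
    if (g_autoclick_state != 0)      /* status compared first */
        return 0;
    record(log, WM_LBUTTONDOWN, 0);  /* Message = WM_LBUTTONDOWN */
    record(log, 0, 100);             /* Sleep(100) */
    record(log, WM_LBUTTONUP, 0);    /* Message = WM_LBUTTONUP */
    return 1;
}

/* 0x00406A33: in the game this is CreateThread(00406A7F); run inline here. */
static int start_autoclick(ActionLog *log) {
    return autoclick_thread(log);
}

/* Hook callback at 0x0040D307. vk is the virtual-key code the hook receives
 * in wParam; a pressed "9" arrives as 0x39, space as 0x20.
 * Returns 1 when the auto-click was started, 0 otherwise. */
int keyboard_hook_proc(uint32_t vk, ActionLog *log) {
    if (vk != VK_SPACE)              /* CMP EAX, 20 */
        return 0;
    if (g_autoclick_state != 0)      /* CMP ptr [500E0C], 0 */
        return 0;
    return start_autoclick(log);     /* CALL Ekd5.00406A33 */
}
```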


In short, if you like reverse analysis it is great fun, including playing games and thinking from another angle; but if you do not like reverse engineering, do not enter this industry. If looking at reversed code every day makes you feel sick, switch to an industry you love, because reverse analysis work means soaking in piles of code every day.



4. Summary

This concludes the article. I hope it has been helpful; finally, a brief summary.

  • 1. How to learn software reverse engineering skills well
    1. Software reverse engineering: opening remarks
    2. Reverse engineering learning route
  • 2. Recommended security books and tools
  • 3. Reverse analysis of the Lü Bu Chuan game

After a year of studying security I have met many security experts and friends, and I hope everyone can make progress together. If this article has shortcomings, please forgive me. The author is slowly growing as a beginner in network security! I hope to write future articles more thoroughly. I am also very grateful to the security experts in the references for sharing their articles; I know I am still weak and must work hard.

"Jia Guoqing"
The bright moon is thousands of miles away,
and the breeze sends sorrows.
The osmanthus and Luojia blossoms have withered,
and the scenery, full of love, is reflected in late autumn.

"Nazhang AI Security Home", newly opened on August 18, 2020, focuses on Python big data analysis, cyberspace security, artificial intelligence, web penetration and offensive and defensive technology, and also shares algorithm implementations from papers. Nazhang's House will be more systematic: it will reconstruct all the author's articles and explain Python and security from scratch. I have been writing articles for nearly ten years and really want to share what I have learned and felt. I sincerely invite your advice and your attention! Thank you.

(By: Nazhang AI House, Eastmount, 2020-12-13, written on the high-speed rail on a Sunday)


References: I sincerely recommend everyone to take a good look at these videos and articles, and I thank their authors!

Origin blog.csdn.net/Eastmount/article/details/108832086