Reverse engineering basics: Finding important/interesting stuff in the code (1)
V. Searching for interesting or important parts of the code
Minimalism is not a prominent feature of modern software.
This is not because programmers write that much code themselves, but because libraries are usually linked statically into the executable. If all external libraries were moved out into separate DLL files, the situation would be different. (Another reason, in the case of C++, is the STL and other template libraries.)
Therefore it is very important to determine where a function comes from: whether it belongs to the standard library or to a well-known library (such as Boost or libpng), and whether it is related at all to what we are looking for in the code.
It is unrealistic to rewrite all of the code back into C/C++ just to find what we want.
One of the main tasks of a reverse engineer is to quickly locate the code that matters.
The IDA disassembler lets us search for text strings, byte sequences, and constants. The listing can even be exported as a .lst or .asm text file and then processed further with tools such as grep and awk.
The code you are trying to understand may well be an open-source library such as libpng. So when you see constants or text strings that look familiar, it is always worth googling them. If you find the open-source project in which they are used, it is enough to simply compare the functions. This can solve part of the problem.
For example, if a program uses XML files, the first step may be to determine which XML library is used to process them, since a standard (or well-known) library is usually used rather than a self-written one.
For another example, I once tried to understand how compression and decompression of network packets works in SAP 6.0. The software is huge, but a .PDB file with detailed debug information was at hand, which is very convenient. I eventually found a function responsible for decompressing network packets, called CsDecomprLZC. I immediately searched for the function name on Google and found that it is also used in MaxDB (an open-source SAP project): http://www.google.com/search?q=CsDecomprLZC
Surprisingly, MaxDB and SAP 6.0 turned out to share the same code for compressing and decompressing network packets.
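The procedure above (export the listing, pull out the text strings and constants, match the ones you recognise, and google the rest, as was done with CsDecomprLZC) as an added Python example; this is not code from the original page or from IDA. The listing is a constructed IDA-style .lst fragment, not taken from any real binary. The fingerprint tables are a small illustrative set: the constant values themselves (the reflected CRC-32 polynomial, the PNG signature bytes, the MD5/SHA-1 initial word) are real, but which library a hit points to is only a hint to confirm, and the string prefixes are my own choice.

```python
import re
from urllib.parse import quote_plus

# Constructed sample of an IDA-exported .lst listing; not from any real binary.
SAMPLE_LISTING = """\
.text:00401000 sub_401000      proc near
.text:00401000                 mov     eax, 0EDB88320h
.text:00401005                 mov     ecx, 474E5089h
.text:0040100A                 push    offset aLibpngVersion1 ; "libpng version 1.6.37"
.text:0040100F                 call    sub_402000
.text:00401014                 mov     edx, 67452301h
.text:00401019                 retn
.text:00401019 sub_401000      endp
.rdata:00403000 aLibpngVersion1 db 'libpng version 1.6.37',0
.rdata:00403016 aXmlVersion1_0  db '<?xml version="1.0"',0
"""

# Fingerprints a reverse engineer tends to recognise on sight. The constants are
# real values; the library named next to each is a hint to confirm, not proof.
KNOWN_CONSTANTS = {
    0xEDB88320: "CRC-32 reflected polynomial (zlib, libpng, many others)",
    0x474E5089: "PNG signature 89 'PNG' read as a little-endian dword (libpng)",
    0x67452301: "MD5 / SHA-1 initial state word A",
}
# String prefixes chosen for this example (assumption, extend to taste).
KNOWN_STRINGS = {
    "libpng version": "libpng version string",
    "<?xml": "XML handling; next step is to find out which XML library",
}

STRING_RE = re.compile(r'''\bdb\s+(['"])(.*?)\1''')
# IDA writes immediates in upper-case hex with a trailing 'h', and a leading 0
# when the first digit is a letter (0EDB88320h). Upper-case only, so ordinary
# words such as "each" are never mistaken for constants.
CONST_RE = re.compile(r"(?<![\w.])0?([0-9A-F]+)h\b")


def extract_strings(listing):
    """Text strings defined with db '...' in the data sections."""
    return [m.group(2) for m in STRING_RE.finditer(listing)]


def extract_constants(listing):
    """Immediate constants used in instructions; comments are stripped first."""
    found = set()
    for line in listing.splitlines():
        code = line.split(";", 1)[0]
        for m in CONST_RE.finditer(code):
            found.add(int(m.group(1), 16))
    return found


def fingerprint(listing):
    """Return (evidence, hint) pairs for every known constant or string seen."""
    hits = []
    for value in sorted(extract_constants(listing)):
        if value in KNOWN_CONSTANTS:
            hits.append((f"0x{value:08X}", KNOWN_CONSTANTS[value]))
    for s in extract_strings(listing):
        for prefix, hint in KNOWN_STRINGS.items():
            if s.startswith(prefix):
                hits.append((s, hint))
    return hits


def google_queries(listing):
    """One search URL per string: the same step as googling CsDecomprLZC."""
    return [f"http://www.google.com/search?q={quote_plus(s)}"
            for s in extract_strings(listing)]


if __name__ == "__main__":
    for evidence, hint in fingerprint(SAMPLE_LISTING):
        print(f"{evidence:<28} -> {hint}")
    for url in google_queries(SAMPLE_LISTING):
        print(url)
```

On a real export, feed the whole .lst file to `fingerprint` and `google_queries`; the unmatched strings are the ones worth a search, and a hit in an open-source project means you can compare the functions instead of reading them.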
Chapter 2: Identification of executable files
55.1 Microsoft Visual C++
The following MSVC versions and the DLL files they import:
MSVCP*.dll contains the C++-related functions, so if such a DLL is imported, the program is most likely a C++ program.
55.1.1 Name mangling
Names usually start with a question mark (?).
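An added Python example, not the book's code, of applying the two rules above to an import list: an MSVCP*.dll import suggests C++, and MSVC-decorated names start with ?. The import table below is constructed, not taken from a real binary. The undecorate_scope helper is my own and is an assumption limited to simple decorated names: it recovers Namespace::Class::member for plain members, ??0 constructors and ??1 destructors, and gives up on template names (?$...) and other operator codes rather than guess.

```python
# Constructed sample of an IDA "Imports" view: DLL -> symbols imported from it.
# Not taken from any real binary.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileW", "ReadFile", "CloseHandle"],
    "MSVCP140.dll": [
        "?what@exception@std@@UEBAPEBDXZ",
        "??0exception@std@@QEAA@PEBD@Z",
        "??1exception@std@@UEAA@XZ",
        "?_Xlength_error@std@@YAXPEBD@Z",
    ],
    "VCRUNTIME140.dll": ["__CxxFrameHandler3", "memset"],
}

# The only special-member codes handled here (assumption: enough for a quick
# survey; other ??x codes are operators and are skipped, not guessed).
SPECIAL_MEMBERS = {"?0": "ctor", "?1": "dtor"}


def is_msvc_mangled(name):
    """MSVC-decorated C++ names start with '?'; a C symbol never does."""
    return name.startswith("?")


def undecorate_scope(name):
    """Recover Namespace::Class::member from a simple MSVC-decorated name.

    The part before the first '@@' is 'member@scope1@scope2...', innermost
    scope first. Template names (?$...) nest further '@@' and are not
    handled; unknown ??x operator codes return None as well.
    """
    if not is_msvc_mangled(name) or name.startswith("?$"):
        return None
    head, sep, _ = name[1:].partition("@@")
    if not sep:
        return None
    parts = head.split("@")
    if parts[0].startswith("?"):
        code, first_scope = parts[0][:2], parts[0][2:]
        kind = SPECIAL_MEMBERS.get(code)
        if kind is None:
            return None
        scopes = [first_scope] + parts[1:]
        member = first_scope if kind == "ctor" else "~" + first_scope
    else:
        member, scopes = parts[0], parts[1:]
    return "::".join(list(reversed(scopes)) + [member])


def classify(imports):
    """What the import table says about language and runtime."""
    dlls = {d.lower() for d in imports}
    cpp_runtime = sorted(d for d in dlls if d.startswith("msvcp"))
    mangled = [n for names in imports.values() for n in names if is_msvc_mangled(n)]
    namespaces = set()
    for n in mangled:
        q = undecorate_scope(n)
        if q and "::" in q:
            namespaces.add(q.split("::")[0])
    return {
        "msvc_cpp_runtime": cpp_runtime,
        "probably_cpp": bool(cpp_runtime) or bool(mangled),
        "mangled_names": len(mangled),
        "namespaces": sorted(namespaces),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_IMPORTS))
    for names in SAMPLE_IMPORTS.values():
        for n in names:
            print(f"{n:<36} {undecorate_scope(n) or '(not C++ / not handled)'}")
```

The namespaces list is the useful part for the search task of the previous section: seeing std:: or boost:: among the decorated names tells you which well-known library a whole cluster of functions belongs to before you read a single one of them.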
Obtain