Reverse Engineering - the process of analyzing a system with two goals:
- to identify the system's components and their interrelationships;
- to create representations of the system in a higher level of abstraction.
This process includes:
- architecture extraction;
- documentation generation.
Reverse Engineering objectives:
- Reversing and patching code;
- Applying Anti-Reversing Techniques;
- Reengineering and Reuse of Legacy Software;
- Identifying, Monitoring, and Reporting Malware.
A great deal of software written decades ago is still in production use. An often-repeated estimate puts about 70% of the world's production source code in COBOL. Much of this legacy code is poorly designed and poorly documented. Legacy programs run in governmental agencies and commercial enterprises, on operating systems such as IBM's z/OS, Microsoft's Windows, and the Unix families. Short of expensive replacement, the only reasonable alternative has been to maintain and evolve the code using the concepts of software reverse engineering.
Whatever kind of application is being developed, if the end users are outside the developing organization and the software is not open source, you should consider introducing some form of anti-reversing.
Eliminating Symbolic Information
Symbolic information left in a binary (function and variable names, and debug information such as DWARF sections or a Windows PDB file) is extremely helpful to reversers, because it hands them the program's own vocabulary. It must therefore be removed from release builds where reversing is a concern: strip symbol tables from the shipped executable and never ship the debug files alongside it.
Obfuscating the Program
Obfuscation is accomplished by modifying the program's layout, logic, data, and organization in a way that keeps it functionally identical yet far less readable.
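The following is an added illustration, not code from the notes or from any obfuscation product, of two of the cheapest transformations mentioned above: a data transformation (a string literal stored XOR-encoded so `strings` does not reveal it) and a logic transformation (an opaque predicate, a branch condition that is always true but that a reverser cannot see is always true without reasoning about the arithmetic). The key 0x5A, the accepted serial 0xB791 and the decoy comparison are values invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data obfuscation: the literal "bad serial" is stored XOR-encoded with a
 * made-up key so that running `strings` on the binary does not reveal it.
 * The bytes below are "bad serial" ^ 0x5A, precomputed for this example. */
#define XOR_KEY 0x5A
static const uint8_t ENC_BAD_SERIAL[] = {
    0x38, 0x3B, 0x3E, 0x7A, 0x29, 0x3F, 0x28, 0x33, 0x3B, 0x36
};

/* Decode len bytes into out (which must hold len + 1 bytes) and NUL-terminate.
 * Returns out so the call can be used inline. */
char *decode_string(const uint8_t *enc, size_t len, uint8_t key, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(enc[i] ^ key);
    out[len] = '\0';
    return out;
}

/* Decode into a static buffer on demand, so the plaintext never sits in .rodata. */
const char *bad_serial_message(void)
{
    static char msg[sizeof ENC_BAD_SERIAL + 1];
    return decode_string(ENC_BAD_SERIAL, sizeof ENC_BAD_SERIAL, XOR_KEY, msg);
}

/* Logic obfuscation: an opaque predicate. x*(x+1) is the product of two
 * consecutive integers and therefore always even, also under unsigned
 * wrap-around, so this function always returns 1. In the disassembly it
 * looks like a genuine conditional branch that must be analysed. */
int opaque_always_true(unsigned x)
{
    return ((x * (x + 1u)) & 1u) == 0;
}

/* The protected check. A serial is accepted if serial ^ 0xA5A5 == 0x1234,
 * i.e. the single valid value is 0xB791 (invented for this example).
 * The opaque predicate guards the real comparison; the never-taken branch
 * holds a plausible-looking decoy that wastes a reverser's attention. */
int check_serial(unsigned serial)
{
    if (opaque_always_true(serial))
        return (serial ^ 0xA5A5u) == 0x1234u;
    /* dead code: never reached at run time, but present in the binary */
    return (serial % 7919u) == 42u;
}

int main(void)
{
    unsigned serial = 0xB791u;
    if (check_serial(serial))
        printf("serial 0x%X accepted\n", serial);
    else
        printf("%s\n", bad_serial_message());
    return 0;
}
```

Two caveats a practitioner should keep in mind: an optimizing compiler is free to fold an opaque predicate it can prove, which is why real obfuscators apply such transformations after compilation or at the IR level; and a single XOR key is trivially recovered once the reverser locates the decode routine, so this raises the cost of casual inspection, not of a determined analyst.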
Embedding Antidebugger Code
Some approaches involve detecting that a debugger is present and terminating (or misbehaving) if it is; common checks include asking the operating system whether the process is being traced (for example the TracerPid field of /proc/self/status on Linux, or IsDebuggerPresent on Windows) and verifying that the program's own code has not been patched with breakpoints.
System-monitoring tools display information gathered by the operating system about the application and its environment. They can monitor networking activity, file accesses, registry access, and so on.
Disassemblers are programs that take a program’s executable binary as input and generate textual files that contain the assembly language code for the program.
A debugger is a program that allows software developers to observe their program while it is running. The two most basic features of a debugger are the ability to set breakpoints and the ability to trace through code. When the program reaches a breakpoint, the debugger stops (breaks) and displays the current state of the program. At that point it is possible either to resume execution, so the program continues running, or to start tracing through the program one instruction at a time. Reversers use debuggers in disassembly mode, since source-level debugging requires source code and symbols that a reverser usually does not have. In disassembly mode, a debugger uses a built-in disassembler to disassemble object code on the fly.
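The following added example (not from the notes) ties the anti-debugger section to the description of breakpoints above. On x86 a debugger plants a software breakpoint by overwriting the first byte of the target instruction with 0xCC (INT3), remembering the original byte so it can restore it when the breakpoint is hit; a program that checksums its own code therefore notices the patch. The example also shows the Linux-only TracerPid check. The eight instruction bytes are a constructed sample of a trivial x86-64 function, not bytes taken from any real binary, and the /proc/self/status text used in testing is constructed as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- 1. Debugger presence via /proc/self/status (Linux only) ----------- */

/* Parse the TracerPid field out of /proc/self/status text.
 * Returns the tracer's pid (0 means no tracer), or -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read the real file. Returns 1 if a tracer is attached, 0 if not or unknown
 * (non-Linux systems or no procfs are treated as "no debugger"). */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* --- 2. Software breakpoints and code integrity ------------------------ */

#define INT3 0xCC

/* What a debugger does when you set a breakpoint: save the byte, write INT3. */
uint8_t set_breakpoint(uint8_t *code, size_t off)
{
    uint8_t saved = code[off];
    code[off] = INT3;
    return saved;
}

/* What a debugger does when the breakpoint is cleared or stepped over. */
void clear_breakpoint(uint8_t *code, size_t off, uint8_t saved)
{
    code[off] = saved;
}

/* FNV-1a over the code bytes: any patched byte changes the result. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Constructed sample: x86-64 `push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret`. */
static const uint8_t SAMPLE_FUNC[] = { 0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };

/* Set and clear a breakpoint on a copy of SAMPLE_FUNC. Returns 1 if the
 * checksum detects the INT3 patch and matches again after the restore. */
int breakpoint_roundtrip(void)
{
    uint8_t code[sizeof SAMPLE_FUNC];
    memcpy(code, SAMPLE_FUNC, sizeof code);
    uint32_t expected = code_checksum(code, sizeof code);

    uint8_t saved = set_breakpoint(code, 4);   /* break on `xor eax,eax` */
    int detected   = code_checksum(code, sizeof code) != expected;
    int patched_ok = code[4] == INT3 && saved == 0x31;

    clear_breakpoint(code, 4, saved);
    int restored = code_checksum(code, sizeof code) == expected;

    return detected && patched_ok && restored;
}

int main(void)
{
    printf("debugger attached: %s\n", debugger_attached() ? "yes" : "no");
    printf("breakpoint detected and restored: %s\n", breakpoint_roundtrip() ? "yes" : "no");
    return 0;
}
```

Both checks are easy to defeat once found: a debugger script can rewrite the TracerPid read or patch the comparison, and hardware breakpoints (debug registers) do not modify code bytes at all, so the checksum never sees them. Real protections combine several such checks and verify the actual mapped .text pages rather than a byte copy; the constructed image here only stands in for that.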
A decompiler takes an executable binary file and attempts to produce readable high-level language code from it. The idea is to reverse the compilation process, but on the vast majority of platforms recovery of the original source is not possible, because compilation discards names, comments, and much of the original structure. Even so, decompilers are powerful tools that in many situations and environments can reconstruct highly readable, functionally equivalent source code from a program binary.