INWT CO255-L Reverse Eng

Can monitor networking activity, file access and registry access. Expose a program's use of operating system objects such as mutexes, pipes, events, and so forth.

Programs that take a programs executable binary as input and generate texual file that contains the assembly language code for the entire program or parts of it.

A processor - specific process, some support multiple CPU architectures. A high quality ________ is a key component in a reversers tool kit.

A program that allows software developers to observe thier program while it is running. The two basic features are the ability to set breakpoints and the ability to trace through code.

______ can step through the disassembled code and essentially "watch" the CPU as it's running the program one instruction at a time.

Takes an executable binary file and attempts to produce readable high-level language code from it.

What are the tool categories used to reverse engineer applications?

A program that takes one representation of a programs as its input and produces a different representation of the same input.

Transforms programs from their high-level human-readable form into a lower-level, machine-readable form.

________ is usually high-level code while ________ is usually low level code.

________ level programming languages hide quite a few details reguarding data management.

What are the three basic components of a compiler?

This compiler component: Analyzes high level code; performs lexical analysis; least revelant component to reversers.

This compiler component: Improves Effeciency; aimed at speed or size, original intent is maintained and has two targeted areas of: code structure and redundant elimination.

This compiler component: Generates target-specific code; performs tin three stages: Instuction Selection, Register Allocation, Instruction scheduling.

What are two benifits of programs running on virtual machines?

What are the primary stages of Net Burst?

What stage of Net Burst is responsible for decoding each instruction and producing sequences of ops that represent each instruction?

What stage of Net Burst is when components recieve sequences or ops from the front end and reorders them based on the availabiltity of the various resources of the processor. Idea is to use the available resources as aggressively as possible to achieve parallelism.

What stage of Net Burst is primarily responsible for ensuring that the original order of instructions in the program is preserved when applying the results of the out-of-order execution?

What is the purpose of Out Of Order Core?

What are the three Win32 API categories?

The actual interface to the Windows NT system. It doesn't include any graphics-related services. Most direct interface into the Windows Kernel.

Provides interfaces for direct interfacing with the memory manager, Input and Output system, object manager, and processes and threads.

A very large set of functions that make up the official low-level programming interface for Windows applications.

This takes place when user-mode code needs to call a kernel-mode function. Frequently happens when an application calls an operating system API.

True or False,

It is possible to directly call a kernel function from user mode.

Are special CPU feature that allow the processor to pause execution when a certain memory address is accessed, and transfer control to the debugger.

A component that sits along side the system's kernel and allows for stopping and observing the entire system at any given moment.

This is usually for device developers; runs along side the kernel; unlimited control of system; able to "freeze time"; can set breakpoints at low-levels; used for application and OS code.

Kernel-mode debuggers are usually aimed at _________ such as device driver developers and developers of various operating system extensions, but can be useful for other purposes as well.

Allows for the creation of isolated systems that can be kernel debugged at any time, and even concurrently.

Use of ________ allows the system harddrive to be in a single file on the host and simplifies management and backups.

Supports nonpersistant drives that discard anything written to the hard drive when the system is shutdown or restarted. Perfect for dealing with malicious software that might try to corrupt the disk or infect additional files.

The process of extracting the knowledge or design blueprints from anything man-made.

Used to obtain missing knowledge, ideas, and design philosophy when such information is unavailable.

When is reverse engineering conducted?

What are the two categories of reverse engineering?

They often use reversing to located vulnerabilities in Operating Systems and other software.

They use reversing techniques to trace every step the program takes and access the damage it could cause; the expected rate of infection; how it could be removed from infected systems; and wether infections can be avoided altogether.

What are the two types of cryptographic algorithms?

This type of cryptographic algorithm is like childs play. The secret in these algorithms is the algorithm itself. Once exposed, its no longer secure.

Provides poor security because reversing makes it difficult to maintain the secrecy of the algorithm.

The secret is the key, some numeric value that is used by the algorithm to encrypt and decrypt message.

Within key based algorithms, the algorithms are usually made _______ and the keys are kept ________.

In order to decipher a message encrypted with a key-based cipher, what are the three ways?

They use reverse engineering techniques while attempting to defeat DRM technologies.

What can a cracker use to learn the inner secrets of the technology and discover the simplest possible modification that could be made to the program in order to disable the protection.

Reversing can be incredibly useful to software developers to:

Most popular application of reverse engineering; normally easier to develop a product from scratch, except for complex designs/algorithms that are difficult and costly to develop. High complex or unusual components might be reversed and re implemented in the new product.

The ability to sample a program binary in order to get an estimate of the general "quality" of the coding practices used in the program. Those companies that lack purchasing power to convience a major company access to product source code must either take the companies "product" word that its built well or, resort to reversing.

True / False

Reversing would never reveal as much about the products code quality and overall reliability as taking a look at the source code, but it can be highly informative.

What is system level reversing known as?

How does system level reversing help to analyze an application?

Every interaction that a program has with the outside world must go through the?

What types of tools are used by reverse engineers?