What is the main goal of reverse engineering?
To understand how a system was designed, how it operates, and how to reproduce or enhance it, without access to the original design.
What are examples of reverse engineering in everyday life?
Taking apart an alarm clock to modify it, analyzing TikTok's recommendation algorithm, replicating the Coca Cola formula, or disassembling anti-cheat software.
What are Crackmes and their purpose?
Reverse engineering challenges used to test and practice reverse engineering skills and explore computational complexity.
What are common strategies for reverse engineering/crackme tasks?
Check if you can add code, search for debug statements, attach a debugger, and remember the structure and behavior of the program.
What are types of binary executable files?
Windows: PE files, Linux: ELF files, Mac: Mach-O files. They define the program format and entry point for execution.
What is a disassembler and name examples?
A tool that converts machine code back to assembly. Examples include objdump, IDA, Ghidra, and Binary Ninja.
How is a process's address space structured?
It includes segments such as Stack, Heap, Global/Static variables, and Code/Text. The stack grows downward, and the heap grows upward.
What is stack allocation?
Memory allocated during program execution for local variables, function calls, parameters, and return addresses. It grows downward.
What is heap allocation?
Dynamically allocated memory using functions like malloc() or new. It grows upward and is controlled by the user.
What are buffer overflows and why are they dangerous?
They occur when data exceeds buffer size and spills into adjacent memory, potentially overwriting important data like return addresses (EIP).
What are common x86 registers and their functions?
EAX-EDX: data storage, ESI/EDI: string ops, ESP/EBP: stack tracking, EIP: instruction pointer.
What do PUSH and POP instructions do?
PUSH adds data to the stack and decreases ESP. POP retrieves data from the stack and increases ESP.
What does the CALL instruction do?
Pushes return address to the stack and jumps to the function address.
What does the RET instruction do?
Pops the return address from the stack into EIP to resume execution.
What is the 'cdecl' calling convention?
Used in C, it defines stack usage rules: parameter order, preserved registers, and stack cleanup by the caller.
How can vulnerable code be identified and avoided?
Use code inspection, fuzzing, enforce input size limits, use safe languages, and avoid deprecated functions like gets() or strcpy().
What are safe alternatives to unsafe functions?
Use fgets() instead of gets(), strncpy() instead of strcpy(), strncat() instead of strcat(), snprintf() instead of sprintf().