String References

The most important and necessary first step in reverse engineering is to manage to locate the algorithm(s) that we are looking for among all those thousands and thousands of lines of assembly code that we see using a debugger or a simple disassembler. This can be achieved in various ways, depending on each case. Some of them are more widely used in different scenarios.

Using various references to specific strings of the executable module under analysis, we can, in some cases, locate the piece(s) of code that we need to analyze further. By string reference, we mean an assembly instruction that refers to a memory location where a string is stored.

It is time to search for the clue we found before, which is the message that let us know that the code we entered was invalid.

In the CPU window, right click, then Search for > All referenced text strings.

In some cases, in order to save time instead of manually searching, we can right click > Search for text.

Personally, when searching through this utility, I uncheck the ‘Case sensitive’ option and check ‘Entire scope’. We can then search for more references to our required text by pressing Ctrl + L.

Basic Memory Patching

Here's the full instruction:

  • 0x00402E76 751F JNZ 00402E97

Let's break this down into pieces in order to explain clearly what it does.

  • 0x00402E76 - VA (virtual address) of the first byte (0x75) of the instruction.

  • 0x75 - opcode (operation code) of the short JNZ jump instruction.

  • 0x1F - number of bytes to ‘skip’ or ‘jump’ by redirecting the EIP. In a few words, a short jump instruction (JZ, JNZ, JG, JL, etc.) is a two-byte long instruction comprised of the opcode and the signed number of bytes to redirect the EIP forward or backward (-128 to +127 bytes) relative to the next instruction.

So in this case we would have:

  • 0x00402E76 9090 NOP NOP

Select the instruction, then right click > Binary > Edit and substitute both bytes with 0x90.

Run the application using F9 and enter a random code to see the results, and then right click > Undo selection to restore it back.

Another way, which also requires modification of fewer bytes, is to invert the logic of the jump.

In other words, turn the JNZ jump into a JZ (jump if zero) jump. This will invert the logic in the sense that in this new case, the application would accept every code as valid except for the correct one.

We can achieve that by modifying the number that indicates how many bytes to jump (0x1F in this case) to zero.

So, in this case we would have:

  • 00402E76 7500 JNZ 00402E78

In order to make these changes permanent, choose your preferred method from above and once you apply it, select the modified bytes > right click > Copy to executable > Selection. You can also choose ‘All modifications’ instead, unless you have other modifications that you don’t want written to the file.
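As an added example (not code from the original page), the following Python script models the short-jump encoding described above and the patches applied to it: NOP-ing both bytes, zeroing the displacement, and flipping the JNZ opcode (0x75) to JZ (0x74). The opcode table is an assumption limited to the mnemonics the page mentions; the bytes 75 1F at 0x00402E76 are taken from the page.

```python
import struct

# Opcode byte -> mnemonic for two-byte (opcode + rel8) short jumps.
# Assumption: x86 encoding; only the mnemonics mentioned on the page are listed.
SHORT_JCC = {0x74: "JZ", 0x75: "JNZ", 0x7C: "JL", 0x7F: "JG", 0xEB: "JMP"}
NOP = 0x90


def decode_short_jump(va, code):
    """Decode a 2-byte short jump located at virtual address `va`.

    The second byte is a signed 8-bit displacement (-128..+127) that is added
    to the address of the *next* instruction (va + 2).
    Returns (mnemonic, displacement, target_va).
    """
    if len(code) < 2 or code[0] not in SHORT_JCC:
        raise ValueError("no short jump at 0x%08X" % va)
    disp = struct.unpack("<b", code[1:2])[0]  # signed rel8
    return SHORT_JCC[code[0]], disp, va + 2 + disp


def patch_nop(code):
    """Patch 1 from the page: overwrite both bytes with NOP, the jump is gone."""
    return bytes([NOP, NOP]) + code[2:]


def patch_zero_displacement(code):
    """Patch 2 from the page: keep the opcode, set rel8 to 0.

    The jump still exists but lands on the next instruction (JNZ 00402E78),
    so execution falls through regardless of the flags.
    """
    return bytes([code[0], 0x00]) + code[2:]


def patch_invert(code):
    """Turn JNZ into JZ (or back): the condition is inverted, not removed."""
    swap = {0x74: 0x75, 0x75: 0x74}
    if code[0] not in swap:
        raise ValueError("only JZ/JNZ inversion is supported here")
    return bytes([swap[code[0]]]) + code[1:]


if __name__ == "__main__":
    va = 0x00402E76
    original = bytes.fromhex("751F")  # from the page: JNZ 00402E97
    for label, blob in [("original", original), ("nop", patch_nop(original)),
                        ("disp=0", patch_zero_displacement(original)),
                        ("invert", patch_invert(original))]:
        try:
            print(label, blob.hex().upper(), decode_short_jump(va, blob))
        except ValueError as err:
            print(label, blob.hex().upper(), err)
```

Comparing the decoded targets of the three variants shows why the first two patches behave identically at runtime while the third changes which input path is taken.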
