Properties of Real Numbers

Commutative Properties

• a + b = b + a
• Example: 7 + 3 = 3 + 7
• When we add two numbers, order doesn't matter.

• ab = ba
• Example: 3 * 5 = 5 * 3
• When we multiply two numbers, order doesn't matter.

Associative Properties

• (a + b) + c = a + (b + c)
• Example: (2 + 4) + 8 = 2 + (4 + 8)
• When we add three numbers, it does not matter which two we add first.

• (ab)c = a(bc)
• Example: (3 * 7) * 5 = 3 * (7 * 5)
• When we multiple three numbers, it does not matter which two we multiple first.

Distributive Property

• a(b + c) = ab + ac
• Example: 2 * (3 + 5) = 2 * 3 + 2 * 5
• When we multiply a number by a sum of two numbers, we get the same result as multiplying the number by each of the terms and then adding the products.
• (b + c)a = ab + ac
• Example: (4 + 5) * 2 = 2 * 4 + 2 * 5

Patterns of PI

When plotting graphs using radians I often found it tedious to have to try and memorize the formulas for degrees based on Pi.  However, it is not necessary to do so, if you can understand the fundamental concepts and are receptive to the continuing patterns throughout, charting graphs based on PI can be easy.

Watch the patterns !

π/2 , π, 3π/2, 2π, 5π/2, 3π, 7π/2, 4π, 9π/2, 5π, 11π/2, 6π, 13π/2, 7π, 15π/2, 8π

90, 180, 270, 360, 450, 540, 630, 720, 810, 900, 990, 1080, 1170, 1260, 1350, 1440 respectively. (degrees)

 Now let's incorporate that pattern into a similar pattern, this one including the special angles 30 and 60.

π/6, π/3, π/2, 2π/3, 5π/6, π, 7π/6, 4π/3, 3π/2, 5π/3, 11π/6, 2π, 13π/6, 7π/3, 5π/2, 8π/3, 17π/6, 3π

30, 60, 90, 120, 150, 180, 210, 240, 270, 300, 330, 360, 390, 420, 450, 480, 510, 540 respectively. (degrees)

Brief History of Electronics / PC

1642

• Blaise Pascal introduces Pascaline Digital Adding Machine

1822

• Charles Babbage introduces the Difference Engine & later the Analytical Engine, a true general-purpose computing machine

1906

• Lee DeForest patents the Vacuum Tube Triode, used as an electronic switch in the first electronic computer

1936

• Konrad Zuse begins work on a series of computers, considered the first electric binary computers, using electromechnical switches and relays
• Alan Turing publishes "On Computable Numbers" a paper in which he conceives an imaginary computer called the Turing Machine, considered one of the foundations of modern computing

1937

• John V. Atanasoff begins work on the Atanasoff-Berry Computer officially credited as first electronic computer

1945

• John von Neumann writes "First Draft of a Report on the EDVAC" which outlines the architecture of the modern stored-program computer

1946

• John Mauchly & J. Presper Eckert introduce ENIAC - an electronic computing machine.

1947

• William Shockley, Walter Brattain & John Bardeen successfully test the point-contact transistor, setting off the semiconductor revolution.

1949

• Maurice Wilkes assembles the EDSAC, the first practical stored-program computer.

1953

• IBM ships it's first electronic computer the 701.

1954

• Gordon Teal (Texas Instruments) perfects the silicon-based transistor, bring a tremendous reduction in costs.

1955

• Bell Laboratories announces the first fully transistorized computer, the TRADIC.

1956

• MIT researchers build the TX-0, the first general-purpose, programmable computer built with transistors.
• IBM - ushers in the era of magnetic disk storage, with shipment of a 305 RAMAC to Zellerbach Paper in San Francisco.

1958

• Jack Kilby (Texas Instruments) creates the first integrated circuit to prove that resistors and capacitators can exist on the same piece of semiconductor material.

1959

• IBM releases its 7000 series mainframes and are the company's first transistorized computer.
• Robert Noyce creates practical integrated circuit.  Allowing printing of conducting channels directly on the silicon surface.
• Bell Laboratories designs it's Dataphone, the first commercial modem, converting digital computer data to analog signals for transmission across it's long distance network.

1965

• Digital Equipment Corporation (DEC) introduces the PDP-8, the first commercially successful minicomputer.

1969

• Department of Defense establishes four nodes on the ARPA network, in what will become the internet.
• The Unix operating system is conceived and implemented at AT&T's Bell Laboratories by Ken Thompson, Dennis Ritchies, Douglas McIlroy and Joe Ossanna.

1971

• Intel advertises first microprocessor, intel 4004
• Scientific American - advertises the KENBAK-1 for $750.00 USD, one of the first personal computers.
• Unix is released, entirely written in Assembly language.

1972

• Intel debuts the 8008 microprocessor

1973

• Robert Metcalfe (Xerox) devises the ethernet method of network connection.
• The Micral - the earliest non-kit personal computer based on a microprocessor, the Intel 8008.
• Dennis Ritchie rewrites Unix in the C programming language, except for the kernel and I/O.

1974

• Xerox designs the Alto.  The first workstation with a built in mouse for input.

1975

• Telenet, the first commercial packet-switching network and civilian equivalent of ARPA net.
• Popular Electronics features the Altair 8800 which is based on Intel's 8080 microprocessor.

1976

• Steve Wozniak designs the Apple I, a single-board computer
• Shugart Associates introduce the 5 1/4" floppy disk

1977

• Tandy Radioshack introduce the TRS-80
• Commodore introduces the PET (Personal Electronic Transactor)

1979

• Motorola introduces the 68000 microprocessor

1980

• Seagate Technology creates the first hard disk drive for microcomputers, the ST-506.

1981

• Xerox introduces the first personal computer with a graphical interface, called the Star.
• IBM introduces it's P.C (considered the Grandfather of modern P.C's)
• Sony debuts & ships the first 3 1/2" floppy disk drive.
• Phillips & Sony introduce the CD-DA (Compact Disc Digital Audio) format.
• Chase Bishop designs the first model of an electronic device and project "Interface Manager" (birth of Windows)

1983

• Apple releases Lisa.
• Richard Stallman announces and begins the GNU project.
• Microsoft announces Windows.

1984

• Apple launches Macintosh, with a mouse driven GUI

1985

• IBM releases PC-AT (Advanced Technology) 3x faster than original P.C
• s and is based on the Intel 286 chip.  The AT introduces the 16-Bit ISA Bus & is the computer on which all modern P.C's are based.
• Microsoft introduces an operating environment named Windows 1.0 as an add-on to MS-DOS.

1986

• Compaq announces desktop 386 first computer on the market to use Intel's 32-Bit 386 chip.

1987

• IBM introduces PS/2 machines, making 3 1/2" floppy disk drives & VGA video standard for P.C's.  PS/2 introduces microchannel architecture (MCA) bus, the first Plug N' Play bus for PC's.
• Andrew S. Tanenbaum releases MINIX, a Unix-like computer operating system based on microkernel architecture.
• Windows 2.0 is released.

1988

• Compaq and other P.C clone makers develop Enhanced Industry Standard Architecture (EISA) which unlike MCA, retains backward compatibility with the existing ISA Bus.

1989

• Intel releases the 486 (P4) microprocessor and also introduces the 486 motherboard chipsets.
• Richard Stallman writes and releases the GNU GPL.

1990

• Tim Berners-Lee (CERN) develops Hypertext Markup Language (HTML) and with it, the WWW is born.

1991

• Linus Torvalds develops the Linux kernel.

1993

• Intel releases the Pentium (P5) processor with numbers having been changed to names due to trademarks.  Intel also releases "Complete" motherboards.

... and the list goes on !

Numbers and Number Systems

Natural Numbers

• {1, 2, 3, ....}

Whole Numbers

• {0, 1, 2, 3, ...}

Integers

• Either signed or unsigned, denoted by  referring to the set of all integers

Decimal (Base 10) Digits 0 - 9

• Utilizes the digits 0 - 9

Rational Numbers

• Terminating decimals, or repeating decimals (P / Q) Where P & Q are both integers, and Q != 0.
• 1/1 = 1 is a rational number, 2/1 is a rational number.

Irrational Numbers

• Neither terminate nor repeat, ie:  π (Pi)

Real numbers

• Rational Numbers + Irrational Numbers

Binary

• Base 2
• Converting Whole numbers to binary is easy.
• Steps are as follows:

1. Divide by 2, remainder represents LSB (Least Significant Bit)
2. Continue to divide by two, until division by 2 is not possible. 
3. The final remainder will represent the MSB (Most Significant Bit)
4. Written MSB on left, LSB on right.

Example: 25(base ten) : 25 / 2 = 12 r. 1[LSB], 12 / 2 = 6, r. 0, 6 / 2 = 3 r.0, 3/2 = 1 r.1, 1/2 = 0. r 1[MSB]
Written: 11001

• Like all systems utilizes place value.  Ie:  10110 = (1 * 2^4) + (0 * 2^3) + (1 *2^2) + (1 * 2^1) + (0 * 2^0) = 22

Hexadecimal

• Base 16
• Utilizes digits 0 - 9
• Expands, to include A, B, C, D, E, F - A representing 10, continuing respectively
• Utilizes the same place value system as used in our number systems across the board, however with a base of 16.
• Example: 2BD = (2 * 16^2) + (11 * 16^1) + (2 * 16^0)
• Converting Whole numbers to hexadecimal is identical to converting whole numbers to binary except a divisor of 16 is used.   Example:  589 / 16 = 36 r. 13, 36 / 16 = 2 r. 4, 2 / 16 = 0 r. 2 , written: 24D
• Converting hexadecimal to binary, divide the Hex Digits into 4 bit patterns (nibbles), 24D for example = 0010 / 0100 / 1101 -> 001001001101
• Each hex digit = nibble, 2 Hex digits = 1 byte

Beginner's Guide to Reverse Code Engineering

There may come a moment in every man's life, where one has the urge to understand the obfuscated functionality of a program they run on their Windows machine. There exist many reasons for wanting to understand how a closed-source precompiled binary works, but the most important would be for knowledge.
This guide was designed for beginner's who have very little to no experience in reversing, so the guide will be fairly straightforward. I suggest learning about C, x86 Assembly, the PE Specification, and of course, how to use a debugger.
Tools
The tools required for reversing will span far beyond the scope of this article however, you will be introduced to several vital tools:

• Ollydebug - the olly debugger, a scripted and powerful tool which will aid us for dynamic analysis of a closed-source program.
• PEiD - A useful tool for detecting packers, compilers and PE information.
• PE Explorer - Used for PE analysis, includes a disassembler
• IDA Pro - A static disassembler, very vital for understanding how assemblies work.

Sample Program
We'll be using a canned program called a crackme to get you acquainted with RCE. The crackme is called Zyrel's Simple KeygenMe#2 and the basic goals are to create a KeyGen.
Sometimes, we can use existing code to write a keygen, other times we must reverse the algorithm used to compute the serials. Since this is a beginner tutorial, you don't have to worry about reversing those algorithms.
PE Analysis
Start the program. You'll notice the Name and Key field. This should be pretty obvious. Typing in junk into those fields and clicking register will either a) cause the program to crash (a bug) or b) do nothing.

Load the program into PEiD. You can see standard PE segments, an entry point which is within .text and a "nothing found" on the bottom field. This just means that the program was written in standard C/C++, gcc probably. Also, note there is no packer installed (although this is not always the case).
Static Analysis
Open PE Explorer, let's see if we can determine anything from there. As we can see from the disassembler, nothing clear is shown for us (just remember, keep PE Explorer around, it will become more useful as the programs we're reversing become more complex).

Start IDA Pro, we will use it for static analysis of the program routines. Okay, I usually set auto-comments, stack values, and 9 opcode values. First, let's examine the strings window. Allow for C style strings (NULL terminated). You can see the strings used for the fields, title of the program and, most importantly, the strings used for notifying us of success (if we entered the right serial key):

.rdata:0043F084 00000037 C Seriale corretto, programma correttamente registrato.!
This looks like what we want. So this string is read once we type in the correct key. Double click on it. This will move you to the .rdata segment which contains the string. Select the string XREF. As you can see, this string is referenced only once in the code. Probably by the routine which tells us whether or not we have succeeded.


We can see that 00401D3B is branched off from a jnz (jump if not zero) instruction @ 00401D35. A cmp instruction @ 00401D2E checks that [ebp + 218] is equal to 0. As we can see, strcmp is called @ 00401D12, which compares two strings at [esp] and [esp + 4]. There is a high probability that the two strings are your input Key field (judging by a call to GetDlgItemTextA), and the computed string value. Perfect, this means we just have to fish for the key at runtime.
You may also go further up the function to determine which routine is used to compute the serial. This is not necessary as the only goal of the crackme is to create a keygen.
Label what you require and use IDA to export a .map file.
Dynamic Analysis
Once you have Ollydbg going, install the GODUP plugin. Load the crackme inside Olly, you'll notice that Olly will stop at the module entry point. Go to the GODUP plugin and load your .map file. This file will make use of the comments and function names generated by IDA, it will make it easier for us to orientate ourselves within code.
Go to instruction 00401D35, our jnz instruction indicated by IDA. Place a breakpoint on that instruction and run the program. Type in anything for the name field, and type in anything for the Key. The program should stop at 00401D35. The key is probably wrong, therefore cmp will check the output of strcmp (at ebp - 0x218), and set the EFL z-flag to 0 - jnz will jump to subroutine 00401E0F; we do not want this. Set the z-flag to 1, so the jump never occurs and our MessageBox says "Complimenti":


So, I've set EFL Z-Flag to 1, so the jump never takes place. Press F9 and you'll see that the Congrats message box tells us that we've found the serial. Also note:
strcmp() is passed [ebp - 0x20c] and a pointer stored in [ebp - 0x210]. These pointers are the generated key and typed-in key, respectively. Strcmp will obviously return -1, indicating that the strings do not match, this value will be stored in [ebp - 0x218]. cmp will then check that [ebp - 0x218] is 0 (which is the successful return value of strcmp()), if it is 0xffffffff, the serial and input serial do not match, therefore the MessageBoxA is never called.
As you can see, [esp] contains a pointer to the actual serial key and [esp + 4] contains our input key.
Patching
Next, we must patch the program in order to write the key generator for this keygenme. We can either:

• Reverse the algorithm

• Patch the program

I will show you how to patch the program, as this algorithm is rather straightforward, you should have no trouble writing it from scratch.
Okay, so the game plan is to remove instructions which we do not need and replace them with our own. I think the best way to do this would be:
NOP the cmp instruction at 00401D2E, which will give us 7 bytes of space.
NOP the jnz instruction at 00401D35, which will give us 6 bytes of space.
Also, NOP these four instructions:
.text:00401D3B 29C C7 44 24 0C 00 00 00 00 mov dword ptr [esp+0Ch], 0
.text:00401D43 29C C7 44 24 08 78 F0 43 00 mov dword ptr [esp+8], offset Caption ; "Complimenti"
.text:00401D4B 29C C7 44 24 04 84 F0 43 00 mov dword ptr [esp+4], offset Text ; "Seriale corretto, programma correttamen"...
.text:00401D53 29C C7 04 24 00 00 00 00 mov dword ptr [esp], 0 ; hWnd






Make sure you don't overwrite the Call to MessageBoxA, as we'll be using it to pass the serial key as a parameter:




Now that the junk has been NOP'd out, let's begin by passing our values onto the stack. MessageBoxA requires the following parameters:
int WINAPI MessageBoxA(
__in_opt HWND hWnd,
__in_opt LPCTSTR lpText,
__in_opt LPCTSTR lpCaption,
__in UINT uType
);
So, uType can be NULL, lpCaption can be NULL, lpText must be a pointer to our generated serial buffer, and our HWND (window handle) may be NULL:

[esp] hWnd
[esp + 4] lpText
[esp + 8] lpCaption
[esp + 12] uType
Alright, now we must craft the instructions which will manipulate the stack and push the proper parameters. Be careful with this part: do not expand or shrink the size of the stack, do not modify any registers except eax (because MessageBox will return a value through eax) and do not overwrite any other instruction except the NOP pool we have.
So, what instructions do we need? well, the stack has already been adjust for the compiler (instruction sub @ 401cfc), so we don't need to push anything, instead, we just modify the values on the stack to suit MessageBoxA:
mov eax, [esp] ; Load pointer at top of the stack to eax register
mov DWORD PTR [esp], 0 ; Zero out our hWin parameter
mov DWORD PTR [esp + 8], 0 ; Set the Caption parameter to NULL
mov [esp + 4], eax ; Write our serial key pointer to as our lpText parameter
mov DWORD PTR [esp + c], 0 ; Set uType to NULL
So, your instructions should look like this:



Also, check that your stack parameters align with the requirements of MessageBoxA.




When you run the program, you will see a message box pops up with the serial key, regardless of what key you enter into the Key field!


Okay, so the final thing would be to commit changes to the program, you can do that by selecting the modified code and writing changes to exe.




Okay, this concludes the tutorial, I hope you learned something new. Try to understand as much as possible about this program, understand how the algorithm works, see if you can reverse it yourself.
My next tutorial will be about memory dumping and unpacking. Have fun!