Reverse engineering

9 replies
Smurf breh
Neophyte
Joined: 2011/05/11

Ok, so I just started learning about reverse engineering and am doing a tutorial. Currently I am on part 3 of 40.
I've gotten past 2 key entries in two different ways so far. At the end of the second part I got extremely confused because the tutorial didn't give me enough info to let me know exactly what was happening. I was just doing what it said to do. I would like to just list the things I believe to be true so far, and hopefully you guys could help me out in telling me if I am thinking correctly or not.

1. Jumps: most jumps are conditional, relying on the flags to tell them whether to jump or not (mostly the Z/C/O flags).
With a regular jmp you always jump; I don't know if there is any way around these unless you jump the jmp.
2. A lot of other commands, such as cmp or TEST, set the flags for an upcoming jump.
Commands like these rely on the registers, unlike the jmps, which rely on the flags.
3. All I know about the stack is that it's a temporary memory that holds info in reverse order, and most of the info is APIs?
4. I mostly know the hex, dec and bin number systems and can convert to and from with calc.exe. I know all numbers in the code are hex, such as {MOV DWORD PTR DS:[4021A3],0}: the 0 is hex, but I don't know how to convert that, so I really don't know what that means. I'm guessing 4021A3 is also hex, but I know that is a virtual address.
5. Virtual addresses are exactly that: addresses where information is stored and can be looked up. I'm not sure of the significance of these addresses; I'm guessing all the information stored there is numbers or bits and bytes and such. These virtual addresses can be looked up in the hex dump, I think? I don't know the difference between the addresses in the main CPU window, the addresses in the hex dump window and the addresses in the stack window.
6. I'm also pretty lost on the registers. I think they hold one piece of info at a time from the last command that used them. They used to have a specific purpose, hence the different letters and names, but usually modern computers use all of them for storing any information.
7. The push command(?) is used to push API information onto the stack in reverse order, then the CALL command is used to run the API?
8. APIs are basically mini programs in a program, used to talk to the kernel, which talks to the CPU.

That's pretty much all I have learned so far and most of this is pure speculation on my part.
I would appreciate any help. Also, I have a couple questions.

1. What determines the flags being set before the program runs?
In this particular program I'm working on at the moment, I load up the program and the P and Z flags are already set as soon as the program starts.
2. MOV DWORD PTR DS:[4021A3],0 So I think I know what this command(?) does.
It moves the information at 0 (hex) to the virtual address [4021A3] (also hex)?

Thanks
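The flag and jump mechanics from points 1 and 2, and the MOV DWORD PTR store from question 2, as an added example that is not part of the original post or of the tutorial it refers to: a small C model of how CMP and TEST set the C/P/Z/S/O flags, how the common conditional jumps read those flags, and what a 4-byte store to an address such as 4021A3 does to the bytes a hex dump window shows. The model also shows that any zero result sets Z and P together, which is the combination mentioned in question 1. The 0x402000 base and 4 KiB size of the modelled memory slice, the sample key value 1337h and the list of jumps are assumptions for this demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The EFLAGS bits a debugger shows as C, P, Z, S and O. */
enum { CF = 1u << 0, PF = 1u << 2, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Flags that depend only on the result: Z for zero, S for the sign bit,
 * P for an even number of set bits in the low byte. */
static uint32_t result_flags(uint32_t r) {
    uint32_t f = 0;
    unsigned ones = 0;
    for (uint32_t b = r & 0xffu; b; b >>= 1) ones += b & 1u;
    if (r == 0) f |= ZF;
    if (r & 0x80000000u) f |= SF;
    if ((ones & 1u) == 0) f |= PF;
    return f;
}

/* CMP a, b: compute a - b, throw the result away, keep the flags.
 * C is the unsigned borrow, O the signed overflow. */
uint32_t x86_cmp(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    uint32_t f = result_flags(r);
    if (a < b) f |= CF;
    if ((a ^ b) & (a ^ r) & 0x80000000u) f |= OF;
    return f;
}

/* TEST a, b: compute a & b, throw the result away; C and O are cleared. */
uint32_t x86_test(uint32_t a, uint32_t b) {
    return result_flags(a & b);
}

/* Conditional jumps commonly seen after CMP/TEST (assumed subset). */
typedef enum { JE, JNE, JB, JAE, JL, JGE, JS, JNS, JO, JP } jcc;

bool jump_taken(jcc j, uint32_t f) {
    bool zf = f & ZF, cf = f & CF, sf = f & SF, of = f & OF, pf = f & PF;
    switch (j) {
    case JE:  return zf;         /* equal / zero */
    case JNE: return !zf;
    case JB:  return cf;         /* below, unsigned compare */
    case JAE: return !cf;
    case JL:  return sf != of;   /* less, signed compare */
    case JGE: return sf == of;
    case JS:  return sf;
    case JNS: return !sf;
    case JO:  return of;
    case JP:  return pf;
    }
    return false;
}

/* A 4 KiB slice of the data section, mapped at an assumed virtual
 * address so that 4021A3 falls inside it (assumption for this demo). */
#define MEM_BASE 0x402000u
#define MEM_SIZE 0x1000u
static uint8_t mem[MEM_SIZE];

/* MOV DWORD PTR [addr], imm32: store the 32-bit constant at addr, least
 * significant byte first (little-endian). False if addr is not mapped. */
bool mov_dword_ptr(uint32_t addr, uint32_t imm32) {
    if (addr < MEM_BASE || addr - MEM_BASE + 4 > MEM_SIZE) return false;
    uint32_t off = addr - MEM_BASE;
    for (int i = 0; i < 4; i++) mem[off + i] = (uint8_t)(imm32 >> (8 * i));
    return true;
}

/* What the hex dump window would show at one byte address. */
uint8_t byte_at(uint32_t addr) { return mem[addr - MEM_BASE]; }

/* Read the dword back the way the CPU would. */
uint32_t load_dword(uint32_t addr) {
    uint32_t off = addr - MEM_BASE, v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | mem[off + i];
    return v;
}

int main(void) {
    /* Constructed key check: CMP EAX, 1337h ; JNE bad */
    uint32_t entered = 0x1337, expected = 0x1337;
    uint32_t f = x86_cmp(entered, expected);
    printf("cmp %04X,%04X -> Z=%d P=%d C=%d  JNE taken: %s\n",
           (unsigned)entered, (unsigned)expected,
           !!(f & ZF), !!(f & PF), !!(f & CF),
           jump_taken(JNE, f) ? "yes" : "no");

    mov_dword_ptr(0x4021A3, 0);
    printf("after MOV DWORD PTR DS:[4021A3],0 the dword there is %08X\n",
           (unsigned)load_dword(0x4021A3));
    return 0;
}
```

Build with `cc -std=c99 -Wall flags.c -o flags` and run it; change `entered` to see the JNE decision flip. The signed/unsigned split matters in practice: `CMP 80000000h, 1` leaves C clear (not below as unsigned) but S and O differ (less as signed), so JB and JL disagree on the same flags.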