I added two texts on the tools page for learning assembly language. One is called PC Assembly Language which is in a textbook style format, and the other is a nice tutorial by Thomas Bleeker. His site has some assembly resources that you can check out (I like his ‘snippets’ section) at http://www.madwizard.org/programming/tutorials/. I converted his tutorial to PDF (as the original is in CHM and sometimes hard to load on Windows 7), so check it out.
Tools
The Reverse Engineer's Toolkit
I remember when I first got started in reverse engineering. Well, let's be honest. It was cracking commercial software, but I digress. Anyway, when one first starts getting introduced to this world, it doesn't take long to learn a very important tenet: Tools are King. Most budding young crackers get the 'tool-bug' and start amassing as many tools as possible; it doesn't matter that you don't know what most of them do (or that half are actually viruses), just that it feels like the more tools one has, the better potential cracker one will be.
After the initial tool-buzz wears off you soon learn that most of those tools (and viruses) you amassed really aren't that pivotal in day-to-day cracking (if there is such a thing). Hell, you never really learn what the heck most of them do anyway! In fact, after you've been reverse engineering as long as I have (much longer than I like to admit) you eventually learn that you really only use a small subset of all the tools out there. Some you use regularly, some semi-regularly, and some rarely, though all of the ones you use have a purpose.
It can be hard for a beginner to learn even what tools are out there, much less which tools are really important and which aren't. In order to help those who are interested in getting into reverse engineering (and yes, sigh, cracking) I have put together a list of what I consider the most important tools for really getting involved in RCE. I have arranged the list by several qualities, first of which is how often you would use them, followed by their importance and the experience needed to use them, and finally where you can get them. If they are tough to find, I am hosting them on this site so you can download them here. I have also included a description of what each tool does. And just because everything sounds cooler as an acronym, I am calling it
R4ndom’s “Reverse Engineering And Cracking Tools Of Note” or R.E.A.C.T.I.O.N.
I know it doesn’t change anything, but damn, it sounds cool!!!!
Now, before you begin flaming me with your “How could you not include tool X!!!” and “Tool Y SUCKS!!!”, please keep in mind that these are tools ordered by importance for *ME*. I know that everyone will not share my same viewpoints, but I hope to at least get the beginner started. And my ratings may be a little ‘loose’.
And lastly, don't get me wrong, I still get excited when I learn of a new tool, even if it was programmed in 1997, Norton won't even let me open it, it's packed with Themida, and it's called BackOrifice. Just the idea that it might be that long lost 'secret' program that lets you unpack, un-protect, disassemble into proper English, debug and remove all copy-protection with the click of a single button, well, you never know. Some dreams you just don't get over.
Tutorial #3: Using OllyDBG, Part 1
In this tutorial, I will attempt to introduce you to using OllyDBG. Olly has many functions and the only way to truly learn them all is to experiment and practice. That being said, this tutorial will give you a brief overview. Additional topics not covered in this tutorial will be discussed in later tutorials, so that by the end, you should have a pretty good grasp of Olly.
I am including some files in this tutorial. You can download the files and the PDF version of this tutorial on the tutorials page. They include a simple binary that we will be using in Olly, an Olly cheat sheet, my version of Olly with some cosmetic changes, and a new ini file that you can replace Olly's default ini file with that will help new users (thanks go out to the immortal Lena151 for this). They can be downloaded directly here or from the tutorials page. If you would rather use the original Olly, you can download it here.
Quick Guide To Some Important Ollydbg Plugins
I have compiled a list of what I consider to be the most important Olly plugins for reverse engineering. Every one of these will be used at some point in my tutorials. Of course, this list is nowhere near exhaustive (for that I would go to Tuts4You), and I'm sure there are plenty that I am missing that some would consider 'vital'. Mostly, I have listed these here for the convenience of people going through my tutorials. I have included the name, the latest version that I could find, the author, and a quick outline of what each one does. All of these can be downloaded from my tools page.
Cracking in a Sandbox
I wanted to mention a tool that has helped me a great deal in cracking, but one that may not be associated with cracking per se: a sandbox. A sandbox, for those who don't know, is an isolated area set up on a computer to run apps in. It is separated from the rest of the system, so what a program does inside the sandbox should not affect your real installation, even though the program doesn't know this; it thinks it has full control over your system. The nice thing about a sandbox is that you can install and run an app, play with it, and after you're done you can simply 'empty the sandbox' and there will be no remnants left on your computer. Sandboxes also offer other conveniences, such as surfing the web and deleting all traces when you're done, or opening malicious-looking emails.
I personally use Sandboxie, though there are others. Sandboxie is free, though after a month it displays a timed nag and only allows one sandbox at a time, but I don't suppose too many of you reading this will have to worry about that. Sandboxes are generally used in virus and malware research in order to protect your system from the virus changing anything or doing any damage. In this regard a sandbox is similar to a virtual machine, with one caveat worth knowing: Sandboxie runs the program on your real OS and redirects its file and registry writes into the box folder, whereas a virtual machine gives the guest an entire OS of its own. A sandbox is therefore a weaker boundary than a VM, and for a binary you genuinely distrust you should use a VM (or a sandbox inside a VM) rather than the sandbox alone.
You may wonder what a sandbox has to do with reverse engineering binaries other than malware. Let me give you a couple examples:
Looking for Targets
When learning reverse engineering, you need to do a lot of experimenting. In order to experiment, you need binaries. After downloading several potential targets, I use Sandboxie to quickly install them, see what kind of protection elements they have, and use this to decide if I want to try reverse engineering them. Maybe you want practice on timed nags? Serial boxes? Internet serial checks? Running the app quickly in a sandbox can give you a good idea of what protection schemes are used. Without a sandbox running, you would need to install all of these binaries on your system, frying your registry, start menu, and God knows what else.
Finding Specific Protections
Sandboxes make it very easy to check what kind of protector/packer has been used on a binary. The way I do this is to install the app through the sandbox, and once it's installed, copy just the exe file from the sandbox onto my (real) desktop. I can now run this exe through any packer/protector detectors or PE editors and I know what I'm in store for. I can even load it in a disassembler and get a quick overview. Don't like Themida? Find out quickly (and without installing the app for real) whether it's used. Want to learn more about ASProtect? This is a simple way to go through several binaries quickly looking for one that uses this packer.
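To show what a packer/protector detector is actually looking at once you have copied the exe out of the box, here is an added example (my own illustration, not the author's tool and not part of Sandboxie or any detector named above). It parses just enough of the PE header to walk the section table, computes the Shannon entropy of each section's raw data, and reports the two classic signs of packing: a section name a known packer leaves behind, and an executable section whose contents look compressed or encrypted. The section-name table, the 7.0 entropy threshold and the Sandboxie box path in the usage comment are assumptions; the demo image is constructed in the script and is not a loadable executable.

```python
"""Packer triage for an exe pulled out of a sandbox (added example)."""
import math
import random
import struct
import sys

# Section names common packers/protectors leave behind. A hint, not proof:
# a protector can rename its sections, and a clean build never has these.
KNOWN_PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".themida": "Themida", b".winlice": "WinLicense",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect",
    b".petite": "Petite", b".MPRESS1": "MPRESS", b".nsp0": "NsPack",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; plain x86 code usually sits around 5-6.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(image[rptr:rptr + rsize]),
        })
    return sections


def packer_hints(sections):
    """Return human-readable indicators that the file is packed/protected."""
    hints = []
    for s in sections:
        name = s["name"].decode(errors="replace")
        packer = KNOWN_PACKER_SECTIONS.get(s["name"])
        if packer:
            hints.append(f"{name}: section name used by {packer}")
        if s["executable"] and s["raw_size"] and s["entropy"] >= ENTROPY_THRESHOLD:
            hints.append(f"{name}: executable section with entropy {s['entropy']:.2f} "
                         f"(compressed or encrypted code)")
        if s["executable"] and s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{name}: executable section with no data on disk "
                         f"(filled in at run time by an unpacking stub)")
    return hints


def triage(image: bytes):
    sections = parse_sections(image)
    return sections, packer_hints(sections)


def build_demo_pe(specs):
    """Build a synthetic PE image (headers + raw section data only, not loadable).
    specs: list of (name, data, executable)."""
    opt_size = 224  # placeholder PE32 optional header, all zero
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(specs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, executable in specs:
        flags = 0x60000020 if executable else 0x40000040
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr, 0, 0, 0, 0, flags)
        blobs, raw_ptr, vaddr = blobs + data, raw_ptr + len(data), vaddr + 0x1000
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + blobs


_rng = random.Random(1)
DEMO_SPECS = [  # constructed sample: a "UPX-packed" look-alike, not a real binary
    (b".text", b"\x90" * 1000 + b"\xc3", True),                          # plain code
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), True),    # compressed blob
    (b".rsrc", b"\0" * 512, False),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. the exe copied out of the box; Sandboxie's default container path is
        # assumed to be C:\Sandbox\<user>\<boxname>\drive\C\...
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_demo_pe(DEMO_SPECS)
    sections, hints = triage(image)
    for s in sections:
        print(f"{s['name'].decode(errors='replace'):<9} raw={s['raw_size']:>7} "
              f"exec={int(s['executable'])} entropy={s['entropy']:.2f}")
    print("\n".join(hints) if hints else "no packer indicators found")
```

Run it with no arguments to see the constructed sample flagged on both counts (UPX1 name and near-8.0 entropy), or pass the path of the exe you copied out of the sandbox. Treat a hit as a pointer to go look in a PE editor and the disassembler, not a verdict: a packer that uses ordinary section names and low-entropy encoding will pass this check, which is exactly why the signature-based detectors carry far bigger databases.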
Deciding If It’s Worth Cracking
Sometimes you need a specific type of program and you don't necessarily want to pay for it. Well, sandboxes are a great (and fast) way to sift through downloaded binaries to see 1) if they're even worth cracking and 2) how tough the cracking is going to be. I usually find that when I am looking for a specific type of program, I may as well pick one without any protection or that has a protector/protection scheme that I am good at (or maybe one I'm bad at, to learn how to unpack it) and also a program actually worth owning. I find that I will download 10 trial applications. 5 will be useless pieces of crap. 2 will not even do what the app says it's supposed to. And the last 3 will use varying degrees of protection schemes. If I'm in a hurry, I'll pick the easiest. If I want a challenge, I'll pick a harder one. Can you imagine going through this without a sandbox, installing 9 applications that you will immediately uninstall? Yikes.
I hope I have talked you into at least trying a sandbox. They have truly made my reverse engineering life easier.