This is a static copy of The Legend of Random as it was on Thu, 19 Sep 2013. Some of the links are not functional.

Archive for May, 2012

The Reverse Engineer's Toolkit


I remember when I first got started in reverse engineering. Well, let's be honest: it was cracking commercial software. But I digress. Anyway, when one first gets introduced to this world, it doesn't take long to learn a very important tenet: tools are king. Most budding young crackers catch the 'tool bug' and start amassing as many tools as possible; it doesn't matter that you don't know what most of them do (or that half of them are actually viruses), just that it feels like the more tools one has, the better a cracker one will be.

After the initial tool-buzz wears off you soon learn that most of those tools (and viruses) you amassed really aren't that pivotal in day-to-day cracking (if there is such a thing). Hell, most of them you never really learn what the heck they do anyway! In fact, after you've been reverse engineering as long as I have (much longer than I like to admit) you eventually learn that you really only use a small subset of all the tools out there. Some you use regularly, some semi-regularly, and some rarely, though all of the ones you use have a purpose.

It can be hard for a beginner to learn even what tools are out there, much less which tools are really important and which aren't. In order to help those who are interested in getting into reverse engineering (and yes, sigh, cracking) I have put together a list of what I consider the most important tools for really getting involved in RCE. I have arranged the list by several qualities: first how often you would use them, then their importance and the experience needed to use them, and finally where you can get them. If they are tough to find, I am hosting them on this site so you can download them here. I have also included a description of what each tool does. And just because everything sounds cooler as an acronym, I am calling it

R4ndom’s “Reverse Engineering And Cracking Tools Of Note” or R.E.A.C.T.I.O.N.

I know it doesn’t change anything, but damn, it sounds cool!!!!

Now, before you begin flaming me with your “How could you not include tool X!!!” and “Tool Y SUCKS!!!”, please keep in mind that these are tools ordered by importance for *ME*. I know that everyone will not share my same viewpoints, but I hope to at least get the beginner started. And my ratings may be a little ‘loose’.

And lastly, don't get me wrong, I still get excited when I learn of a new tool, even if it was programmed in 1997, Norton won't even let me open it, it's packed with Themida, and it's called BackOrifice. Just the idea that it might be that long lost 'secret' program that lets you unpack, un-protect, disassemble into proper English, debug and remove all copy-protection with the click of a single button, well, you never know. Some dreams you just don't get over.

(continue reading…)


Tutorial #3: Using OllyDBG, Part 1

In this tutorial, I will attempt to introduce you to using OllyDBG. Olly has many functions and the only way to truly learn them all is to experiment and practice. That being said, this tutorial will give you a brief overview. Additional topics not covered in this tutorial will be discussed in later tutorials, so that by the end, you should have a pretty good grasp of Olly.

I am including some files with this tutorial. You can download the files and the PDF version of this tutorial on the tutorials page. They include a simple binary that we will be using in Olly, an Olly cheat sheet, my version of Olly with some cosmetic changes, and a new ini file that you can drop in over Olly's default one; it sets things up in a way that helps new users (thanks go out to the immortal Lena151 for this). They can be downloaded directly here or from the tutorials page. If you would rather use the original Olly, you can download it here.

(continue reading…)


Quick Guide To Some Important Ollydbg Plugins

I have compiled a list of what I consider to be the most important Olly plugins for reverse engineering. Every one of these will be used at some point in my tutorials. Of course, this list is nowhere near exhaustive (for that I would go to Tuts4You), and I'm sure there are plenty that I am missing that some would consider 'vital'. Mostly, I have listed these here for convenience for people going through my tutorials. I have included the name, the latest version that I could find, the author, and a quick outline of what they do. All of these can be downloaded from my tools page.

(continue reading…)


Cracking in a Sandbox

I wanted to mention a tool that has helped me in cracking a great deal, but one that may not be associated with cracking per se: a sandbox. A sandbox, for those that don't know, is a 'virtual' area set up on a computer to run apps in. This virtual area is separated from the rest of the system, so nothing done in a sandbox can affect your system, even though the program running in the sandbox doesn't know this; it thinks it has full control over your system. The nice thing about a sandbox is that you can install and run an app, play with it, and after you're done you can simply 'empty the sandbox' and there will be no remnants left on your computer. Sandboxes also add other features, like surfing the web and being able to delete all traces when you're done, or opening suspicious-looking emails.

I personally use Sandboxie, though there are others. Sandboxie is free, though after a month it displays a timed nag and only allows one sandbox at a time, but I don't suppose too many of you reading this will have to worry about that ;) . Sandboxes are generally used in virus and malware research in order to protect your system from the virus changing anything or doing any damage. In this regard, a sandbox is similar in purpose to a virtual machine, with one caveat worth knowing: a sandbox like Sandboxie runs on the same Windows kernel as everything else and only redirects the program's file and registry writes into the sandbox folder, so it is a weaker boundary than a real virtual machine. For trial software that is plenty; for something you genuinely suspect is malicious, use a VM.

You may wonder what a sandbox has to do with reverse engineering binaries other than malware. Let me give you a couple examples:

Looking for Targets

When learning reverse engineering, you need to do a lot of experimenting. In order to experiment, you need binaries. After downloading several potential targets, I use Sandboxie to quickly install them, see what kind of protection elements they have, and use this to decide if I want to try reverse engineering them. Maybe you want practice on timed nags? Serial boxes? Internet serial checks? Running the app quickly in a sandbox can give you a good idea of what protection schemes are used. Without a sandbox, you would need to install all of these binaries on your real system, frying your registry, start menu, and God knows what else.

Finding Specific Protections

Sandboxes make it very easy to check what kind of protector/packer has been used on a binary. The way I do this is to install the app through the sandbox, and then after it's installed, I copy just the exe file from the sandbox onto my (real) desktop. I can now run this exe through any packer/protector detectors or PE editors and I know what I'm in store for. I can even load it in a disassembler and get a quick overview. (Keep in mind that the copied exe is now outside the sandbox, so analyse it there but don't run it; running things is what the sandbox is for.) Don't like Themida? Find out quickly (and without installing the app on your real system) if it's used. Want to learn more about ASProtect? This is a simple way to go through several binaries quickly looking for one that uses this packer.
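The "run it through a packer detector" step above is something you can do by hand with a few lines of code, and doing so shows what those detectors actually look at. The script below is an added example for this post, not code from the original or from any detector tool: it parses the PE section table of the copied exe and reports the two hints a packer leaves behind, default packer section names (UPX0/UPX1, .themida, .aspack, .vmp0 and so on; a heuristic list, since a protector can rename its sections) and sections whose raw bytes are near-random, i.e. compressed or encrypted code that the stub unpacks at runtime. The sample PE it inspects is constructed in memory to mimic a UPX-packed layout; point `inspect_pe` at the bytes of a real exe to use it for real.

```python
"""PE section inspector: a quick packer/protector heuristic.

Added example, not code from the original post. Flags packer-style section
names and high-entropy sections in a PE image's section table.
"""
import math
import random
import struct

# Default section names of well-known packers/protectors. Heuristic only:
# a protector can rename its sections, so a miss proves nothing.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX",
    b".themida": "Themida",
    b".aspack": "ASPack", b".adata": "ASPack/ASProtect",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect",
}
HIGH_ENTROPY = 7.0  # bits per byte; plain x86 code usually sits around 5.5-6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size  # IMAGE_SECTION_HEADER entries, 40 bytes each
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def inspect_pe(pe: bytes) -> list:
    """Return human-readable findings for one PE image (empty list = no hint)."""
    findings = []
    for s in parse_sections(pe):
        label = s["name"].decode("ascii", "replace")
        family = PACKER_SECTION_NAMES.get(s["name"])
        if family:
            findings.append(f"{label}: section name used by {family}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            # Empty on disk but large in memory: the stub unpacks into it at runtime.
            findings.append(f"{label}: no raw data but {s['virtual_size']:#x} bytes virtual")
        if s["raw_size"] >= 256 and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']:.2f}, likely compressed/encrypted")
    return findings


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual_size, raw_bytes) tuples.
    Constructed test input only; the result contains no code and cannot run."""
    opt_size = 224  # size of a PE32 optional header
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers, body, ptr, va = b"", b"", hdr_end, 0x1000
    for name, vsize, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                               len(raw), ptr if raw else 0, 0, 0, 0, 0, 0xE0000020)
        body += raw
        ptr += len(raw)
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers + body


# Constructed sample with the layout of a UPX-packed binary: UPX0 is empty on
# disk, UPX1 holds the compressed image, .rsrc is ordinary low-entropy data.
_rng = random.Random(1)
SAMPLE_UPX_LIKE = build_pe([
    (b"UPX0", 0x8000, b""),
    (b"UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", 0x400, b"\x55\x8b\xec\x83\xec\x10" * 100),
])

if __name__ == "__main__":
    for line in inspect_pe(SAMPLE_UPX_LIKE):
        print(line)
```

Read a real file with `inspect_pe(open("target.exe", "rb").read())`. An unpacked binary typically shows the compiler's usual names (.text, .rdata, .data) with entropies well under 7, so an empty findings list is itself useful information; a protector that has renamed its sections will still betray itself through the entropy check.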

Deciding If It’s Worth Cracking

Sometimes you need a specific type of program and you don't necessarily want to pay for it ;) . Well, sandboxes are a great (and fast) way to sift through downloaded binaries to see 1) if they're even worth cracking and 2) how tough the cracking is going to be. I usually find that when I am looking for a specific type of program, I may as well pick one without any protection, or one with a protector/protection scheme that I am good at (or maybe one I'm bad at, to learn how to unpack it :) ), and also a program actually worth owning. I find that I will download 10 trial applications. 5 will be useless pieces of crap. 2 will not even do what the app says it's supposed to. And the last 3 will use varying degrees of protection schemes. If I'm in a hurry, I'll pick the easiest. If I want a challenge, I'll pick a harder one. Can you imagine going through this without a sandbox, installing 9 applications that you will immediately uninstall? Yikes.


I hope I have talked you into at least trying a sandbox. They have truly made my reverse engineering life easier.

Random


Tutorial #2 : Intro To Olly Debug

What is Olly Debugger?

From the author, Oleh Yuschuk, “OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. ” Olly is also a “dynamic” debugger, meaning it allows the user to change quite a few things as the program is running. This is very important when experimenting with a binary, trying to figure out how it works. Olly has many, many great features, and that is why it is probably the number one debugger used for reverse engineering (at least in ring 3, but we’ll get to that later.)

(continue reading…)


Tutorial #1 : What is Reverse Engineering

What is reverse engineering?

Reverse engineering is the process of taking a compiled binary and attempting to recreate (or simply understand) the original way the program works. A programmer initially writes a program, usually in a high-level language such as C++ or Visual Basic (or God forbid, Delphi). Because the computer does not inherently speak these languages, the code that the programmer wrote is compiled into a machine-specific format, one the computer does speak. This code is called, originally enough, machine language. This code is not very human friendly, and oftentimes requires a great deal of brain power to figure out exactly what the programmer had in mind.

(continue reading…)


Hello world!

Welcome to The Legend Of Random. I am starting this blog because, frankly, there just aren’t enough blogs out there.

Really, I am starting this blog to create a central repository for people interested in Reverse Engineering, Cracking, and low level programming in general.


Copyright © 1996-2010 The Legend Of Random. All rights reserved.