I wanted to mention a tool that has helped me in cracking a great deal, but one that may not be associated with cracking per se – a sandbox. A sandbox, for those that don’t know, is a ‘virtual’ area set up on a computer to run apps in. This virtual area is separated from the system, meaning nothing done in a sandbox can affect your system, even though the program running in the sandbox doesn’t know this; it thinks it has full control over your system. The nice thing about a sandbox is that you can install and run an app, play with it, and after you’re done you can simply ‘empty the sandbox’ and there will be no remnants left on your computer. Sandboxes also add other features, like surfing the web and being able to delete all traces when you’re done, and opening malicious-looking emails.

I personally use Sandboxie, though there are others. Sandboxie is free, though after a month it displays a timed nag and only allows one virtual box at a time, but I don’t suppose too many of you reading this will have to worry about that ;) . Sandboxes are generally used in virus and malware research in order to protect your system from the virus changing anything or doing any damage. In this regard, a sandbox is similar to a virtual machine.

You may wonder what a sandbox has to do with reverse engineering binaries other than malware. Let me give you a couple examples:

Looking for Targets

When learning reverse engineering, you need to do a lot of experimenting. In order to experiment, you need binaries. After downloading several potential targets, I use Sandboxie to quickly install them, see what kind of protection elements they have, and use this to decide if I want to try reverse engineering them. Maybe you want practice on timed nags? Serial boxes? Internet serial checks? Running the app quickly in a sandbox can give you a good idea of what protection schemes are used. Without a sandbox, you would need to install all of these binaries on your system, frying your registry, start menu, and God knows what else.

Finding Specific Protections

Sandboxes make it very easy to check what kind of protector/packer has been used on a binary. The way I do this is to install the app through the sandbox, and then after it’s installed, I copy just the exe file from the sandbox onto my (real) desktop. I can now run this exe through any packer/protector detectors or PE editors and I know what I’m in store for. I can even load it in a disassembler and get a quick overview. Don’t like Themida? Find out quickly (and without installing the app) if it’s used. Want to learn more about ASProtect? This is a simple way to go through several binaries quickly looking for one using this packer.
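As an added example (not from the original post), here is a small Python script of the kind you could point at the exe copied out of the sandbox: it walks the PE section table and flags section names that well-known packers leave behind, plus any section whose byte entropy looks like compressed or encrypted data. The packer name list is an assumed, partial one, and `build_sample_pe` constructs a minimal PE purely so the script can be exercised offline.

```python
import math, struct
from collections import Counter
# Section names well-known packers/protectors leave behind (assumed, partial list).
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack", ".adata": "ASPack/ASProtect",
    ".themida": "Themida", ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".petite": "Petite",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary code sits around 5-6.5, packed or encrypted data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield hdr[:8].rstrip(b"\0").decode("latin-1"), image[raw_ptr:raw_ptr + raw_size]

def packer_hints(image: bytes, threshold: float = 7.0) -> list:
    """Flag known packer section names and suspiciously high-entropy sections."""
    hints = []
    for name, data in pe_sections(image):
        if name in PACKER_SECTIONS:
            hints.append(f"{name}: known {PACKER_SECTIONS[name]} section name")
        ent = shannon_entropy(data)
        if ent >= threshold:
            hints.append(f"{name}: entropy {ent:.2f} (compressed/encrypted?)")
    return hints

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS stub, COFF header, section table, raw data) for testing."""
    e_lfanew, nsec = 0x40, len(sections)
    image = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", image, 0x3C, e_lfanew)  # e_lfanew points at "PE\0\0"
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0)  # no optional header
    raw_ptr, bodies = e_lfanew + 24 + 40 * nsec, b""
    for name, data in sections:
        image += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr) + b"\0" * 16
        raw_ptr, bodies = raw_ptr + len(data), bodies + data
    return bytes(image) + bodies
```

A section name match is a strong hint while a lone high-entropy section is only a suspicion, since resources and legitimately compressed data score high too.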

Deciding If It’s Worth Cracking

Sometimes you need a specific type of program and you don’t necessarily want to pay for it ;) . Well, sandboxes are a great (and fast) way to sift through downloaded binaries to see 1) if they’re even worth cracking and 2) how tough the cracking is going to be. I usually find that when I am looking for a specific type of program, I may as well pick one without any protection or that has a protector/protection scheme that I am good at (or maybe one I’m bad at to learn how to unpack it :) ) and also a program actually worth owning. I find that I will download 10 trial applications. 5 will be useless pieces of crap. 2 will not even do what the app says it’s supposed to. And the last 3 will use varying degrees of protection schemes. If I’m in a hurry, I’ll pick the easiest. If I want a challenge, I’ll pick a harder one. Can you imagine going through this without a sandbox, installing 9 applications that you will immediately uninstall? Yikes.

I hope I have talked you into at least trying a sandbox. They have truly made my reverse engineering life easier.