in addition to my previous post, let's add more info regarding reverse engineering tools. so far you have read about what the categories of reverse engineering tools are. before digging into the heart of the matter and introducing some tools from each category, let's take a look at a comprehensive reverse engineering process.
you can see how the flow goes from the first step (having an executable) onward.
hex editors:
hex editors, as we mentioned earlier, give you the ability to make changes to executables and DLL files. they mainly come in handy when you need to change a specific instruction or a string. for instance, you might want to replace a MessageBox call with NOPs (no operation) - more info. if you wonder how to find such functions or system APIs like MessageBox, you need to consult some references for information about these APIs. most of these functions are located in native DLLs such as kernel32.dll or user32.dll.
an advanced hex editor worth knowing is WinHex; as you can see in the following figure, the hexadecimal and ASCII equivalents of a sample binary program are displayed.
however, another hex editor named Hex Workshop is out there which is capable of doing some mathematical operations. it can interpret values as little-endian (Intel x86) or big-endian (PowerPC) and has features such as a character distribution view and a data visualizer as well.
Debugger / Disassembler:
many believe that the two best-known programs in this category are OllyDbg and IDA Pro. OllyDbg is an application-level debugger used mainly on different versions of Windows operating systems. it is hard to mention all of its features, but some of the most frequently used ones are the disassembly pane, the hex dump, the stack window and the lovely CPU register window. OllyDbg supports setting conditional breakpoints, memory dumping and bypassing the IsDebuggerPresent API. on the other side, IDA Pro provides accurate analysis, disassembling the binary program in a color-coded, well-organized and easy-to-read way, and like OllyDbg it gives you some common options such as import and export viewing, hex editing and string extraction.
even so, there are other debuggers or disassemblers which can sometimes be a good choice, such as SoftICE, TRW or some language-specific debuggers like DeDe and VBReFormer.
Decompiler:
decompilers are so appealing because they open the doors of fortune to you in a second without any effort. as a first example, JAD is a Java decompiler written in C++, but it has its own drawbacks during the decompilation process. the second example is JODE, which sometimes performs better than JAD on Java files. we have just covered some decompilers for the Java language, but you can find many others on the internet for other languages to help you get at the original source code, if nothing is meant to stop you.
source code obfuscators:
when you send your source code to an obfuscator, it mostly gives back an obfuscated version of your file. clearly, you should do this before you give a compiled version of your binary to a customer. in a simple obfuscation process, variable and function names are changed to something very short or meaningless. your previous indentation and whitespace are removed to make your code less readable in case of decompilation. as an example, PreEmptive Solutions offers obfuscators for both .NET and Java.
some binary obfuscators that rely on encryption and packing add a decryption routine to the executable to achieve decryption at run time. at that moment, the plain binary is visible in memory, and this is a good chance to manipulate the binary on the fly or dump it somewhere on your hard drive. as an example, ASProtect uses a technique called stolen bytes. stolen bytes refers to an anti-memory-dumping technique that requires the deletion of a section of code quickly after it is executed.