Below, we overview the nine main tools used for reverse engineering by Apriorit researchers.

IDA Pro is one of the best and most popular reverse engineering software tools. The main advantage of IDA Pro is that it allows you to interactively change any element of the displayed data.

The Hex-Rays Decompiler plugin can turn native processor code into a more readable, C-like version. It produces rather accurate C code, comparable to that produced by a human reverse engineer. However, the Hex-Rays Decompiler may have trouble with complex assembler code where the original code was deliberately modified by adding inline assembler or by manual optimization.

Another plugin lets you mark the execution path within the disassembler. As a result, you can see which pieces of code take part in the execution and whether they are involved in a given algorithm or feature. Basically, this plugin loads the reports of code coverage tools into the IDA database and marks pieces of code according to how many times they were executed. This makes it clear which parts of the code are worth your attention while browsing the disassembly.

ClassInformer is intended for binaries built by Visual Studio and searches for RTTI information stored in the data section of the executable file. ClassInformer can also present you with a list of the classes it found.

BinDiff uses the IDA engine to compare binaries as assembler code instead of as a stream of bytes. BinDiff can pinpoint differences in the code of two versions of the same program down to changes in a specific function, as a list of instructions that were added, removed, or replaced. Changes can also be represented as code flow graphs.

Another plugin analyzes imported functions and the functions that call them, and then groups them by tags: cryptography-related, registry-related, network-related, etc. Such grouping makes it easier to find the part of the code responsible for specific operations.

A further plugin emulates the execution of disassembled code without the need to run the application under analysis in a debugger. Using this plugin, you can emulate the result of executing any piece of code without the risk of modifying something in the system. All you need to do is specify the start values of the CPU registers. Then you can step through the code instruction by instruction. This tool can also display input and output data.

WinHex is a hex editor that provides a rich set of features and development tools for Windows. WinHex can display checksums or the code of software files, which a regular text editor cannot do.

Hiew is a binary file editor focused on working with code. It has a built-in disassembler for x86, x, and ARM as well as an assembler for x86 and x. You can also add plugins.

Fiddler has a built-in hex editor and can generate requests based on a selected request or create a custom request. In addition, the Request to Code plugin gives you ready-made code that executes the requests in C#, Visual Basic, or Python.

Scylla is an application for dumping a running application process and restoring the PE import table. With its help, you can get a fully restored PE file that can be run by the operating system.

Screenshot 7. Scylla interface. Image credit: Stack Exchange.

Relocation Section Editor is an application for editing the relocation table in PE files. Its main purpose is to modify the relocation table when relocatable pieces of code have been patched. A protected file actually contains the relocation table for the unpacker code only; the relocation table for the real code is usually hidden within the unpacker data. Thus, when a dump is being recovered, there are two ways to restore the missing relocation table for the real code:

PEiD is one of the best reverse engineering tools for detecting a packer. By analyzing entropy, PEiD can detect whether an application is packed. There are also various useful plugins that help to analyze PE files.

These are the nine tools that reverse engineers at Apriorit often turn to when working on Windows reversing projects. As you can see, each of these pieces of reverse engineering software solves a very specific set of tasks. In the next section, we provide practical examples that show the role and importance of each of these tools in Windows reversing.
As an example, we are going to use a test application that you can download and analyze on your own. At this point, we only need to press the OK button. Once we do that, IDA Pro provides us with the following results of the application analysis.

As you can see, the import table is almost empty. The upper part shows that only a small piece of code could be detected (the blue part), and the left part shows which functions were detected (in our case, very few).
There is also a set of undetected bytes above the start function. We suppose that the application is packed by means of some packer. PEiD will help us determine which packer was used.
To start the scanning process, go to Options, choose Hardcore Scan, and click Save. Next, select the folder where the application is located. After scanning is complete, we receive the following result. As you can see from Screenshot 15, the application is packed using the UPX tool. To unpack it, we are going to use CFF Explorer. After that, we can load the unpacked application into IDA Pro and restore the assembler code.

We load our application into IDA Pro once more, and when it asks whether to download symbols from the server, we agree. Here is the result of the application analysis in IDA Pro. You can see in Screenshot 17 that we now have some readable code, more detected functions, and an import table (see the screenshot).

WinDbg is currently the most up-to-date and powerful kernel code debugger. WinDbg supports remote debugging and can download debug symbols directly from Microsoft servers.

Reverse engineering cannot exist without static code analysis tools.
The current selection of disassemblers is not much better than that of debuggers, but we still have some favorites. The IDA Pro disassembler is the de facto standard in antivirus labs. The free version is limited to x86 and does not support plugins. The Pro version offers full functionality with a large number of supported processor architectures and plugin support.

IDA does have a built-in debugger with rather basic functionality, but its unconventional interface takes some time to get used to. IDA can also be augmented with the Hex-Rays add-on, a decompiler that produces C code from the application binary. This is very useful, as it really speeds up program analysis. Overall, IDA is a very powerful and polished tool with a long development history. So we have to make do with other options.

Radare2 was initially conceived as a simple hex editor but grew into a full framework able to debug and disassemble all types of code, including firmware, viruses, and cracks.
Radare is a set of console tools including a debugger, disassembler, decompiler, hex editor, its own compiler, utility for comparing binary files and much more. The framework supports a large number of processors and platforms, which enables it to compete with products like IDA Pro.
Another big advantage of Radare is that it is an open source, free, and community-driven project.

We have covered the main tools, but reverse engineering also needs packer identifiers, network monitors, hex editors, and many other utilities.

DiE is a great packer identifier with a large number of useful functions. For example, it allows you to view the entropy of each file section, which makes encryption easy to spot visually. It also has a resource viewer with a dump-to-disk feature. DiE lets you easily access the import table, add plugins and scripts, configure signature scanning methods, and view file headers. There is only one problem with this program: a slow update cycle, although it has not been abandoned.
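Both PEiD and DiE rely on section entropy to flag packed or encrypted code, as described above. The following Python is an added illustration of that heuristic, not code from Apriorit or from either tool: it walks the PE section table of a constructed sample image (assumed layout, not a real binary) and reports each section's Shannon entropy against an assumed 7.0 bits-per-byte threshold.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]        # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                               # section headers, 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def section_report(pe: bytes, threshold: float = 7.0):
    """Return [(name, entropy, suspicious)]; sections at or above the threshold look packed or encrypted."""
    report = []
    for name, data in pe_sections(pe):
        h = shannon_entropy(data)
        report.append((name, round(h, 2), h >= threshold))
    return report

def build_sample_pe() -> bytes:
    """Constructed sample (assumption, not a real binary): a low-entropy .text and a UPX1-style section of pseudo-random bytes."""
    def header(name, raw_ptr, raw_size):
        return struct.pack("<8s6I2HI", name, raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    text = b"\x90" * 512 + b"\xcc" * 512                       # only two byte values: entropy exactly 1.0
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 deterministic bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # 2 sections, no optional header
    hdr = (dos + coff + header(b".text", 0x200, len(text)) + header(b"UPX1", 0x600, len(packed))).ljust(0x200, b"\0")
    return hdr + text.ljust(0x400, b"\0") + packed
```

Running `section_report(build_sample_pe())` flags only the UPX1 section; on a real file, pass its bytes instead and treat a high-entropy section that also holds the entry point as a strong packer indicator.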
In fact, a new version was released recently!

ExeInfoPE is another packer and protector detector. On the other hand, the program is frequently updated, offers numerous interesting functions, and gives user-friendly tips for unpacking. Overall, I would recommend it to beginners. ExeInfoPE has a number of automatic unpackers and will tell you which tool to use to crack a bolt-on protection system. Of course, the program also offers the full set of standard features, including a file header viewer, section viewer, hex viewer, and even a number of built-in mini-utilities like TerminateProcess and more.