The Reverse Engineers Toolkit The Legend Of Random

The Reverse Engineers Toolkit


by R4ndom on May.31, 2012, under Reverse Engineering, Tools, Tutorials

I remember when I first got started in reverse engineering. Well, let's be honest. It was cracking commercial software. But I digress. Anyway, when one first starts getting introduced to this world, it doesn't take long to learn a very important tenet: Tools are King. Most budding young crackers start getting the tool-bug and start amassing as many tools as possible; it doesn't matter that you don't know what most of them do (or that half are actually viruses), just that it feels like the more tools one has, the better potential cracker they will be. After the initial tool-buzz wears off you soon learn that most of those tools (and viruses) you amassed really aren't that pivotal in day-to-day cracking (if there is such a thing). Hell, most of them you never really learn what the heck they do anyway! In fact, after you've been reverse engineering as long as I have (much longer than I like to admit) you eventually learn that you really only use a small subset of all the tools out there. Some you use regularly, some semi-regularly, and some rarely, though all of the ones you use have a purpose.

It can be hard for a beginner to learn even what tools are out there, much less which tools are really important and which aren't. In order to help those who are interested in getting into reverse engineering (and yes, sigh, cracking) I have put together a list of what I consider the most important tools for really getting involved in RCE. I have arranged the list by several qualities, first of which is how often you would use them, followed by their importance and the experience needed to use them, and finally where you can get them. If they are tough to find, I am hosting them on this site so you can download them here. I have also included a description of what the tool does. And just because everything sounds cooler as an acronym, I am calling it

R4ndom's Reverse Engineering And Cracking Tools Of Note, or R.E.A.C.T.I.O.N.

I know it doesn't change anything, but damn, it sounds cool!!!!

Now, before you begin flaming me with your "How could you not include tool X!!!" and "Tool Y SUCKS!!!", please keep in mind that these are tools ordered by importance for *ME*. I know that everyone will not share my same viewpoints, but I hope to at least get the beginner started. And my ratings may be a little loose.

http://thelegendofrandom.com/blog/archives/175 (1 of 12) [5/31/2012 1:53:15 PM]


And lastly, don't get me wrong, I still get excited when I learn of a new tool, even if it was programmed in 1997, Norton won't even let me open it, it's packed with Themida, and it's called BackOrifice. Just the idea that it might be that long lost secret program that lets you unpack, un-protect, disassemble into proper English, debug and remove all copy-protection with the click of a single button, well, you never know. Some dreams you just don't get over.

DAILY
OllyDBG
Importance: 10
Experience Needed: 6
Where can you get it: www.ollydbg.de/
If reverse engineers were fish, Olly Debugger (pronounced "Ollydebug" and always spelled OllyDBG) would be the water, the tank, the miniature sunken ship, and the fish food. Every reverse engineer at some point (usually first) gets acquainted with Olly. If I was on a deserted island and could only bring one tool (besides matches, flint, a knife, a flare gun, a stove, a cell-phone, or a yacht) it would be Olly.

Olly Plugins
Importance: 10
Experience Needed: 3
Where can you get it: On my tools page.
The second most important thing behind OllyDBG are the plugins for OllyDBG. There are many, and without them, the reverser's life would be miserable. Anything from automatically finding the Original Entry Point in a packed binary, to thwarting pretty much every anti-debugging trick invented, the plugins are a must have. (See my guide to Olly plugins for specific information on some of the most important ones.)

Packer/Protector Identifiers
Importance: 9.5
Experience Needed: 2
Where can you get it: On my tools page.


Almost all binaries nowadays are packed with some sort of protection software, sometimes to make the binary much smaller, but, more importantly, to keep people like us from doing what we do. The first step in overcoming these hurdles is knowing which of the dozens of packers the binary in question is packed with. These programs automatically identify not only a packer or protector, but also what language the binary was written in, and some even suggest an appropriate script or un-packer to use to get rid of it! Also, in this field, you can never have enough when it comes to identifiers. The most stable (and the ones I use religiously) are PEiD, DIE, eXeInfoPE and RDG Packer Detector. Get them on my tools page.

ImpREC
Importance: 9.5
Experience Needed: 8
Where can you get it: on my tools page
Import REConstructor is an invaluable tool for rebuilding binaries that have been mangled by packers and protectors. Generally, you start using this tool after you have gained some experience in reverse engineering, as it involves some pretty detailed areas. But for what it does, there's nothing else like it.

A Good Text Editor
Importance: 9
Experience Needed: 8
Where can you get it: notepad-plus-plus.org/
Sometimes it's the small things that make the biggest differences. A good text editor is one of them. You will use it often, between reading readmes, taking notes, quickly looking at source code, you name it. I use Notepad++, but any text editor developed with programmers in mind would work.

PE Viewers/Editors
Importance: 8.5
Experience Needed: 8
Where can you get it: www.ntcore.com/
At some point or another, no matter how much you push it off, as a reverse engineer you are going to have to tackle the PE header. Sure, you can create your own PE viewer in assembly language just for the heck of it, but fortunately, there are also a lot of progs out there that make it a lot easier. My first choice is CFFExplorer Suite. I think it has a nice set of options and allows a lot of editing. PEBrowse is also good in that it is almost a full disassembler. There is also PEditor and PEView, just to name a few. It doesn't really matter which tool, just as long as you can view and edit PE information. For CFFExplorer, follow the link above. All of the others are on my tools page.
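To show what the PE viewers above display and what the packer identifiers above automate, here is an added example (not code from this post or from any of the tools it names): a stdlib-only walker over the DOS header, COFF header and section table, followed by the cheap triage heuristics that identifiers such as PEiD rely on (known packer section names, section entropy, writable-and-executable sections, an empty on-disk section reserved for unpacking, and an entry point outside the first section). The PE32 image it examines is constructed in memory to look like a UPX-packed file; it is headers plus a pseudo-random blob and is not a real executable.

```python
from collections import Counter
import hashlib
import math
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000          # IMAGE_SCN_MEM_* section flags
# Section names that common packers/protectors leave behind (hand-picked, not exhaustive)
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".themida",
                   b".vmp0", b".vmp1", b".petite", b".MPRESS1", b".MPRESS2", b".nsp0", b".nsp1"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; returns (entry RVA, sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):                                      # 40-byte IMAGE_SECTION_HEADERs
        off = e_lfanew + 24 + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry, sections

def packer_indicators(pe: bytes) -> list:
    """Reasons this image looks packed; an empty list means these cheap heuristics saw nothing."""
    entry, sections = parse_pe(pe)
    hits = []
    for i, s in enumerate(sections):
        name = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTIONS:
            hits.append(f"{name}: known packer section name")
        if s["entropy"] > 7.0:
            hits.append(f"{name}: entropy {s['entropy']:.2f} (compressed or encrypted data)")
        if s["chars"] & MEM_EXECUTE and s["chars"] & MEM_WRITE:
            hits.append(f"{name}: writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"{name}: empty on disk, {s['vsize']:#x} bytes reserved in memory (unpack target)")
        if i > 0 and s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            hits.append(f"{name}: entry point {entry:#x} is not in the first section")
    return hits

def build_sample_pe() -> bytes:
    """Constructed PE32 image laid out like a UPX-packed file: headers plus one high-entropy blob, not runnable."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4 KiB stand-in for packed code
    opt_size, rwx = 224, MEM_EXECUTE | MEM_WRITE | 0x40000000 | 0x20             # PE32 optional header; RWX code
    raw_base = 0x40 + 4 + 20 + opt_size + 2 * 40                                  # first byte after section table
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                           # e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102) # i386, 2 sections, EXE
    pe += struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x11100) + b"\0" * (opt_size - 20)
    pe += struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, rwx)
    pe += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x11000, len(blob), raw_base, 0, 0, 0, 0, rwx)
    return pe + blob
```

Run `packer_indicators(open(path, "rb").read())` on a real file to get the same list of findings; a clean compiler-built binary normally yields nothing, while the sample image trips every check.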

zip/rar file packers/unpackers
Importance: 8
Experience Needed: 1
Where can you get it: www.7-zip.org/
This is one of those tools you take for granted. Try and see how many of the tools in this list you can run without a zip/rar un-packer. Need I say more?

Notes Software
Importance: 6
Experience Needed: 3
Where can you get it: www.mytreedb.com/
This one is more for the professional reverse engineer, though I think it should be used by everyone. I can't tell you how many times I had to search and search for a specific piece of information before I started using a note-taking app. TreeDBNotes is more than simple note-taking; it also allows you to embed pictures, media files, clippings and link between the various pages. Here's an example: I have folders for every packer I have dealt with. In each folder is a link to the packer, tutorials I have collected for that packer, lists of scripts and plugins that I have had success with, options that can be selected on that packer and how to defeat them, as well as code snippets to show how it does it. It's hard to start, but after using it for a while, it will become invaluable.

WEEKLY
API guide
Importance: 8
Experience Needed: 4
Let's face it: APIs are hard to remember (pop quiz: what is the fourth parameter passed to CreateWindowEx?). Add to that that there are literally thousands of them and you've got a serious problem. Finally, how are you supposed to reverse engineer a program when, half way through a very important function, the app calls SetImageConfigInformation? Answer: you can't. But there is help. There are downloadable API help files, books, references, and the most elegant solution, adding an API help file directly into Olly.

Hex Editors
Importance: 6
Experience Needed: 6
Where can you get it: www.hhdsoftware.com/hex-editor
Hex editors are extremely important in reverse engineering. The options for using a hex editor are vast (patches, PE header viewers, finding code caves). The choice is really a personal one. I prefer HHD Hex Editor, and not just because it's free. It's just simple and gets the job done. I would list other options, but frankly, there are hundreds, so some experimentation would help. I think that once you get to the point that you need a hex editor, it will be more obvious which one is for you.

DEDE: The Delphi Disassembler
Importance: 5
Experience Needed: 5
Where can you get it: www.softpedia.com/
Delphi creates its own set of challenges when reverse engineering, and DEDE is a lifesaver. It allows you to take a binary compiled in Delphi, disassemble it, view all of the forms, buttons, function calls and so forth, and even export a MAP file that can be imported into Olly to help with the naming of functions. I don't even consider attempting to disassemble a Delphi binary without it.

P32DASM
Importance: 5
Experience Needed: 5
Where can you get it: www.woodmann.com/
What I said above can also be said for binaries compiled with Visual Basic. VB can be even worse due to the fact that 99% of the code is run in the VB run-time library. It is a complete mess when trying to reverse engineer. P32Dasm is similar to DEDE in that it allows you to see the binary in a much more user-friendly view. It also allows MAP files to be exported (and imported into Olly), and also includes a complete disassembler. You can technically reverse engineer (and patch) the program from start to finish in P32Dasm if so inclined.

IDA Pro
Importance: 4
Experience Needed: 8
I already know I'm going to take major hell over this, but before you start inundating me with hate mail, let me say this: generally, reverse engineers use a static disassembler or a dynamic disassembler, but not both, and it comes down to personal choice and what you learned on. For years I have used Olly and I rarely use IDA, and seeing as this is *my* toolbox, I put IDA down on the list. That being said, IDA is the best static disassembler out there, and if you are one of the reverse engineers who use it primarily as your disassembly tool, the importance of this tool would be a 10. Even if Olly is your go-to tool, IDA can help immensely in decompiling binaries. It is a hugely intricate program with a staggering amount of options, and if the time is spent really learning it, it's awe-inspiring to watch. Even if you start with Olly, take the time to at least mess with IDA and see what it has to offer.

dUP2 Universal Patcher
Importance: 4
Experience Needed: 7
Where can you get it: on my tools page.
You've just figured out what line to patch in that super-duper app and can make it run without that horribly annoying nag screen! Now what? Run Olly every time you want to run the app, patch that line, and hit run? No. You can go into a hex editor and change it in the binary, but what if you want to share it? Now you have to send the huge exe file with the installer. And what happens when there's a version upgrade? Enter the patcher. It allows you to create a stand-alone program that will dynamically apply patches to a binary. dUP2 offers many ways of doing this (as well as making a loader) and the new one (v2) is even more powerful. Definitely a must for any reverse engineer that wishes to share his booty.

OllyDBG 2.0
Importance: 4
Experience Needed: 6
Where can you get it: www.ollydbg.de/
I put this under weekly instead of daily because 1) it's hard to give up tools you know so well (Olly v1.10) and 2) not all plugins have been ported to ver. 2 yet. That being said, this version rocks. There have been a lot of major enhancements, it works on x64 machines, and there have been a lot of bug fixes. I'm sure, over time, this version will replace the old one and will become the new tool of choice.

LordPE
Importance: 3
Experience Needed: 6
Where can you get it: On my tools page.
I put LordPE at an importance of 3 only because I don't personally use it that often, but I know of a lot of engineers out there who do, so for them I'm sure it would be much higher. Personally, I have other tools that I'm just more familiar with that do the same thing. That being said, LordPE allows for editing PE headers, dumping processes from memory, analyzing binaries, viewing tasks, and a PE builder. The one thing I do use this tool for regularly is its PE file checker: after you rebuild IATs and ditch unused thunks, it's good to validate them.

Olly Scripts
Importance: 3
Experience Needed: 3
Where can you get it: Everywhere.
At a certain point, it becomes a little monotonous performing the same actions over and over. Fortunately, Olly has a complete scripting language, and the RE community has certainly used it! Scripts allow every conceivable version of every possible packer to be automatically unpacked, OEPs found, code caves populated, stolen bytes un-stolen, you name it. Of course the hard part is finding the right one, what with so many to choose from.

Sandboxie
Importance: 3
Experience Needed: 2
Where can you get it: www.sandboxie.com/
You can read my blog post on using Sandboxie in cracking, but to reiterate, it's a lifesaver for finding apps to learn to reverse engineer; you can install the app and find out what packer it is packed in, what language it was compiled in, even check it for viruses, all without making a single change to your system.

ShowString
Importance: 2
Experience Needed: 1
Where can you get it: On my tools page.
I am really sorry to the author of this app, but I cannot remember where I got it. It is a simple app with a simple objective: show me all the ASCII strings in an app. Now, many tools on this list will do just that, some even better than ShowString, but for ease of use and when you don't feel like running a big tool just to check strings, it comes in handy. You can also export the output, which I like.

Unpackers
Importance: 2
Experience Needed: 5
Where can you get it: Many places
For those reverse engineers who didn't pay attention in these tutorials (or any other tutorials for that matter), there are unpackers out there that will unpack packed binaries. Of course, lazy engineers are not the only ones who use these; I use them sometimes because it's faster than going through the whole rigmarole of unpacking a binary with a packer you have unpacked 10,000 times. Ok, it's because I'm lazy. But if you're just starting out, please, please, please skip these and learn how to unpack binaries manually. You'll be happy you did.

MONTHLY
Kernel Debuggers
Importance: 9
Experience Needed: 10
Where can you get it: Windows SDK
Though used more for malware research, sometimes a ring 0 kernel debugger can come in handy. If the
protection scheme uses multiple mutexes spawning multiple threads, a kernel debugger is the tool to use.
Among the choices are WinDBG from Microsoft and SoftIce. SoftIce is a little old but allows you to debug on
the same computer you are debugging on. WinDBG requires a different computer (or you can run it in a VM).

Handle
Importance: 6
Experience Needed: 5
Where can you get it: Sysinternals
Sometimes a protection scheme uses some sort of file open or registry key mechanism to keep you from terminating a thread. Usually this thread is keeping you from changing the main thread that needs to be patched. Handle shows all of the handles a program is currently holding, so you can track down exactly which process is keeping you from terminating a thread.

WinASM
Importance: 5
Experience Needed: 3
Where can you get it: www.winasm.net/
Occasionally you need to write assembly code to inject as a DLL or to hook an API. There are several assembler IDEs out there, and WinAsm is a little dated, but it just works (and it's free). Though you need to download MASM, it is still a very easy install.

Denabler
Importance: 3
Experience Needed: 3
Where can you get it: www.secforce.com/
Every once in a while you have a feature disabled in some way as part of the protection scheme, for instance the "Save" button is greyed out until you purchase the product. Denabler can help in this case by allowing you to attach to a window and enable any resource in it. It also allows you to do more, such as adding menu options and changing resources, but mostly I use it to enable disabled buttons.

Dependency Walker
Importance: 2
Experience Needed: 3
Where can you get it: www.dependencywalker.com/
Sometimes it gets a little confusing trying to figure out which DLL requires which function from another DLL (confused yet?). Dependency Walker helps by showing all of the imported (and exported) functions in a binary and exactly which ones depend on others.

System Monitors
Importance: 1.5
Experience Needed: 1
Where can you get it: Many places
Very occasionally (mostly when I'm being lazy) I will run an app and I don't feel like tracing through all of the code to see what registry key or init file was modified. There are several system monitor apps out there that can keep track of this: RegShot takes a system snapshot before and after running an app and tells you every change that was made, Process Monitor tells you every process that was started and stopped while the binary ran, and API Monitor tells you every API that was called. Again, not used very often, but helpful nonetheless.
