Reverse engineering Academy
Project 1
~
Hexeditors reverse engineering
(and other tools of the trade)
Binary editors
Binary editors are usually refered to as a hexeditors. The main
difference between a regular texteditor and a hexeditor is that a texteditor
translates some bytes to tabs, linefeeds, carriage returns, etc or simply
ignores them. A hexeditor does no such thing, instead it prints the
hexadecimal value of the byte. Most hexeditors have a textfield as well, where
you'll see all sorts of funny-looking faces and arrows.
We have decided to include in this project also all other essays related to important
"tools of the trade", like IDA: Interactive disassembler, the most powerful
disassembler around now (with its version 3.7).
IDA is an 'official +HCU tool' 1997!
Official +HCU tool
A very important project... hexeditors are the swiss knifes that we continuously
use... +ORC seems to prefer good old psedit, and even
if we still use it a lot, we use more and more hexworkshop,
(cannot be wrong: version 2.1 has been cracked by +ORC himself in his lesson 9.3...
as he explained the "dead listing" approach).
The +HCU has received various essays about hexeditors reverse engineering, and about other
important tools for our trade... here are
the best ones, stay tuned for more!
Project started 17 August 1997
PHASE 1 by Heres:
How to register HexWorkshop v2.52 (32bit),
03 June 1997
(the HEXWORKS.REG trick) - (heres1.htm: FVP01F01)
PHASE 2 by Aesculapius:
Hex Workshop 32 v. 2.53, 05 July
1997
(A weak protection scheme is worst than no protection scheme at all) -
(aescul3.htm: FVP01F02)
PHASE 3 by +daQ:
Hexpert32, Version 3.0.05, 06 August 1997
(Cracking the tools of the trade) - (daqtod.htm: FVP01F03)
PHASE 4 by x86:
Cracking HEdit 2.0, 19 August 1997
(using wdasm as a debugger) - (x861.htm: FVP01F04)
With an addition! 20 August 1997!
With an addition by itzMagik1, 4 January 1998
Cracking HEdit version 2.1.11
PHASE 5 by Aesculapius:
ULTRAEDIT-32 V. 4.40a, 21 August 1997
(Slight Variations of the Serial Number-based protection scheme) -
(ueditcrk.htm: FVP01F05)
PHASE 6 by ReZiDeNt:
Reverse Engineering UltraEdit-32 4.40a, 22 August 1997
(Cracking "blacklisted" Hex/Text Editors) -
(reziedi1.htm: FVP01F06)
Well two authors reverse engineering the same protection scheme on the same
target at a day distance! Quite interesting isn't it? Read what Rezident and
Aesculapius wrote
each other here!
PHASE 7 by Quine:
Cracking THE tool of the trade (bye bye Wdasm), 19 October 1997
(Interactive Disassembler Pro v3.7) -
(quine1.htm: FVP01F07)
Advanced cracking series
Well, this is SERIOUS ADVANCED CRACKING. You better read and UNDERSTAND each point of this
beautiful essay by Quine, which shines methodologically and has a relevance that encompasses
almost all fields of our trade. There are things inside here, like patching pointers and
Boundchecker API-intercepting,
wich clearly are NOT FOR NEWBYES, and the whole essay is GOLD worth
for all serious reverse engineers. This essay has been added to the +HCU didactic material
(pending Quine's authorization) and will from now on be distributed to all
+HCUkers that begin the courses together with the other main files
PHASE 8 by Frog's Print:
SOURCER 7, 29 October 1997
(efficiency of a well
positioned BPINT under DOS) -
(sourcer7.htm: FVP01F08)
Advanced cracking series
Well, back to DOS! Was about time! Contrarly to what some
still choose to
believe, dos reversing is far from being an obsolete activity: many very important
programs are working under DOS, because Windoze simply does not give enough
power, and as +ORC told us long ago in his tut, many of the older DOS protections
are much more tougher and interesting than the banal cmp eax, 1 tricks inside
"compiled" windoze targets...
There is another very nice lesson teached here by Frog's Pint: let's not
be lazy! Almost anyone uses a "ready cracked" (read "stolen") Sourcer 7 version which comes with
a pirated serial number inside it: the
whole Web is polluted with all pirated versions of this important tool, and
noone seems to care about the only thing that is really
fascinating in our opinion: how to reverse this reverser program
'par excellence'. And Frog's Print does exactly this, and he writes:
As we are crackers, let's throw away this serial number and
crack Sourcer 7.0
Right! And if you add to
these 'strategic' thoughts the whole cursor bpinting, you'll agree with me that this
essay deserves to be posistioned among the prestigious
"Advanced cracking series". Enjoy!
PHASE 9 by Quine:
Interactive Disassembler Pro v3.7 Demo (II), 30 October 1997
(How to load the previous databases) -
(quine_21.htm: FVP01F09)
Advanced cracking series
Well, this is SERIOUS ADVANCED CRACKING once more. Once more a fundamental tool of the
trade (IDA). Once more a function reenabling work (the loading of the previous databases, i.e.
one of the most important crippled functions of the crippled version: you do not want to
start everything anew every time you use IDA, do you?). Once more something
we all need: new knowledge that you can at once apply to other targets and reverse
engineering endeavours.
Quine is getting us used to
this kind of well-crafted essays. I'm afraid newbyes will not understand much here,
please read the 'basic' essays first, and peruse the other
+HCU page (where you'll find a lot of help for newbyes) before delving in this.
This said, here you have a real reverse engineering essay in all its glory... enjoy!
PHASE A by Aesculapius:
ULTRAEDIT 5.00 S/N Generator, 24 November 1997
(a very funny dynamic addressing process as copy procedure) -
(aescune1.htm: FVP01F0A)
This good tool is everywhere to have, regged, for free. I think therefore that
Aesculapius work, far from damaging him, can actually be USEFUL to Ultraedit's Author Ian Mead... here is the point he
should take care of:however, the program still has to read the registration file to
gather its initiation values, so a bpx on readfile should be enough to find
a fairly close entry point to it
Learn here
from Aesculapius how this protection scheme works. It's interesting and the keygenerator in asm at the
bottom can easily be modified for other targets. If you crack Ultraedit register it
after 45 days, it deserves it (IMHO). Enjoy!
PHASE B by Little-John:
winrar 95 ver.2.0: the guts of a simple protection, 04 January 1998
(why keygenerating when you can patch them on the fly?) -
(littlejo2.htm: FVP01F0B)
Well, an interesting little essay which deals with an utility by Eugene
Roshal that is in my opinion injustely underestimated. Winrar should by all
means be on your desktop: it has, on mine, taken the place of my
Winzip 6.2 (it deals without problems with all zipped files as well),
and that for many reasons, the more important one is that RARed archives are
SMALLER than pkzipped archives!
No, I'm not speaking of the solid archive
option (you don't know what 'solid' archiving is? Go and study winrar), I'm
speaking of a normal, default rar archive: it's smaller than a zip!
I know that many don't even know it, and I
myself am still compelled to use the zip format when I dump something on
the web 'because everybody zips'. Yet I myself, for myself, on my own harddisks,
use only RAR, because with the monstruous overbloated programs we are
dealing with 'every spared byte counts'... and you'll spare a lot of bytes
in comparison with zipped files if you rar. You still don't believe me? Well,
read, enjoy and then go and download winrar... you'll be surprised seeing
how GOOD this tool is.!
The essays of +HCU's project 1 will continue after
Quine's explanations about IDA.
Some explanations on IDA, by Quine, 6 November 1997
Dear fravia+,
I'm very pleased to see people using IDA. I really, you know,
think of it as a dear friend now (I know this sounds sick :-). Just
thought I'd clear up a few points from Snatch's and zeezee's essays.
From Snatch's essay:
The 'aThelab' that Snatch finds is the name of a location in the
data section, a location that contains the ASCII string "The lab....".
Just double click on 'aThelab' and you'll jump right there. I was a
little confused by your reference to Smartcheck regarding this.
Anyway, IDA names every location that it can in the data section (and
everywhere else for that matter) and it uses the 'a'+beginning of
string for ASCII strings. Admittedly, it does not have that nice
dialog box that w32dasm has that lists all the strings (or are they
ALL the strings in w32dasm? No! Just the ones directly referenced in
the code), but zeezee's Alt-B searches work just fine.
From zeezee's essay:
Zeezee has obviously spent some time with IDA and all of his tips
are quite sound. Just as a matter of style, I prefer to keep the
crossrefernces at about 10 -- you can always use
View-->Crossreferences to see the rest. This keeps screen clutter
down. IDA's 'automagically' finding the names is of course its
library recognition function (one of its MOST powerful features).
Keep in mind that there may be more names to be found than what it
automatically does. Often, at the beginning of the status window it
recommends optional libraries to check for. Most commonly if yuo have
a M$ compiled file, it is poosible that it uses MFC linked statically
(ie, not in a dll). IDA cannot always be sure of this, so try
applying the MFC library recognition (View-->Signatures). You'll be
amazed at the wealth of information.
Regarding IDA's weaknesses, yes the help is a little cumbersome,
but as zeezee says, it is all there. The resource problem is a
problem, but only temporarily. Look at the file resource.idc in the
idc directory (in fact, look at and study everything in that
directory). It is a file for sorting out resources in NE files (a
remnant of the horrible days of Win16-- among other things the ugliest
OS ever). What needs to be done is someone needs to write a really
idc script/macro/program to sort out PE resources. I have plans to do
this, but who knows when that will happen. In general, people need to
study the idc language. Its power is amazing given that it's solely
done for IDA.
Oh, one last thing. Go through the ida.cfg file and above all
else, change the window size. Until I figured out how to do this, I
found IDA impossible to use. Make it big. I have mine set at 132x64.
Anyway, you need a big space to work in.
Hope this helps.
Quine
PHASE C by +Alt-F4:
Cracking Wingdis 2.12, 11 January 1998
(Preparing ourselves for 'real' Java cracking) -
(altF4j_a.htm: FVP01F0C)
Well, Alt-F4 is an incredibly interesting +cracker that works a lot with
Java, he's
the Author of a FONDAMENTAL essay for all java
reversers: Cracking (black and blue)
Java Workshop 2.0, a program that you should by all means study and use ~ alternatively, you may
have found on some CD-ROM for free Symantec Visual cafÈ trial version 1.0,
and you could in that case enjoy A+heist's essay
a very silly protection scheme on a very interesting target
Therefore it suits us all A LOT that +ALT-F4 shows here the
(incredibly simple) way to reverse the main Java disassembler: Wingdis.
In fact, after the sad demise of the clever Author of
the mocha disassembler (hope he'll enjoy some reversing possibilities
wherever he did
land after having left us :-) Wingdis will be one of the
main tools we all will have to use in the next months That said, we'll
use Wingdis until
our own
+HCU '98 tools will be ready -at the moment they seem still "under
development" :-( Anyway all these java essays are GOOD NEWS! Java is
coming! Die Gates die in flames, you horrible slimy bloated bane! Die die die with
all your useless overbloated applications! :-) So I'm happy
to host another fine "Java" +HCU essay, coming to you from mighty
+ALT-F4 pen (and brain). Enjoy!
Hey buds! Feel free to reverse engineer whatever
hexeditor or tool of the trade you can put your hands on, even if it
uses very stupid protection schemes!
(This is the only project where we'll in fact accept essays about
stupid and boring protection schemes... yet, please, try at least to
find some other interesting "finding" inside the code of these targets
if the protection scheme is too stupid and too boring, else even a good
tool wont be interesting for anyone :-)
homepage
links
anonymity
+ORC
students' essays
academy database
tools
counter measures
cocktails
antismut
search_forms
mail_fravia+
Is reverse engineering legal?
(c)
Fravia 1995, 1996, 1997, 1998. All rights reversed
|