Reverse engineering Academy
Project 1

~
Hexeditors reverse engineering
(and other tools of the trade)

Binary editors
Binary editors are usually refered to as a hexeditors. The main difference between a regular texteditor and a hexeditor is that a texteditor translates some bytes to tabs, linefeeds, carriage returns, etc or simply ignores them. A hexeditor does no such thing, instead it prints the hexadecimal value of the byte. Most hexeditors have a textfield as well, where you'll see all sorts of funny-looking faces and arrows.


We have decided to include in this project also all other essays related to important "tools of the trade", like IDA: Interactive disassembler, the most powerful disassembler around now (with its version 3.7).
IDA is an 'official +HCU tool' 1997!
official
Official +HCU tool
A very important project... hexeditors are the swiss knifes that we continuously use... +ORC seems to prefer good old psedit, and even if we still use it a lot, we use more and more hexworkshop, (cannot be wrong: version 2.1 has been cracked by +ORC himself in his lesson 9.3... as he explained the "dead listing" approach).

The +HCU has received various essays about hexeditors reverse engineering, and about other important tools for our trade... here are the best ones, stay tuned for more!
Project started 17 August 1997


PHASE 1 by Heres:

How to register HexWorkshop v2.52 (32bit), 03 June 1997
(the HEXWORKS.REG trick) - (heres1.htm: FVP01F01)

PHASE 2 by Aesculapius:

Hex Workshop 32 v. 2.53, 05 July 1997
(A weak protection scheme is worst than no protection scheme at all) - (aescul3.htm: FVP01F02)
STUPID
PHASE 3 by +daQ:

Hexpert32, Version 3.0.05, 06 August 1997
(Cracking the tools of the trade) - (daqtod.htm: FVP01F03)

PHASE 4 by x86:

Cracking HEdit 2.0, 19 August 1997
(using wdasm as a debugger) - (x861.htm: FVP01F04)
With an addition! 20 August 1997!

With an addition by itzMagik1, 4 January 1998
Cracking HEdit version 2.1.11
PHASE 5 by Aesculapius:

ULTRAEDIT-32 V. 4.40a, 21 August 1997
(Slight Variations of the Serial Number-based protection scheme) - (ueditcrk.htm: FVP01F05)

PHASE 6 by ReZiDeNt:

Reverse Engineering UltraEdit-32 4.40a, 22 August 1997
(Cracking "blacklisted" Hex/Text Editors) - (reziedi1.htm: FVP01F06)
Well two authors reverse engineering the same protection scheme on the same target at a day distance! Quite interesting isn't it? Read what Rezident and Aesculapius wrote each other here!
PHASE 7 by Quine:

Cracking THE tool of the trade (bye bye Wdasm), 19 October 1997
(Interactive Disassembler Pro v3.7) - (quine1.htm: FVP01F07)
advanced
Advanced cracking series

Well, this is SERIOUS ADVANCED CRACKING. You better read and UNDERSTAND each point of this beautiful essay by Quine, which shines methodologically and has a relevance that encompasses almost all fields of our trade. There are things inside here, like patching pointers and Boundchecker API-intercepting, wich clearly are NOT FOR NEWBYES, and the whole essay is GOLD worth for all serious reverse engineers. This essay has been added to the +HCU didactic material (pending Quine's authorization) and will from now on be distributed to all +HCUkers that begin the courses together with the other main files
PHASE 8 by Frog's Print:

SOURCER 7, 29 October 1997
(efficiency of a well positioned BPINT under DOS) - (sourcer7.htm: FVP01F08)
advanced
Advanced cracking series

Well, back to DOS! Was about time! Contrarly to what some still choose to believe, dos reversing is far from being an obsolete activity: many very important programs are working under DOS, because Windoze simply does not give enough power, and as +ORC told us long ago in his tut, many of the older DOS protections are much more tougher and interesting than the banal cmp eax, 1 tricks inside "compiled" windoze targets...
There is another very nice lesson teached here by Frog's Pint: let's not be lazy! Almost anyone uses a "ready cracked" (read "stolen") Sourcer 7 version which comes with a pirated serial number inside it: the whole Web is polluted with all pirated versions of this important tool, and noone seems to care about the only thing that is really fascinating in our opinion: how to reverse this reverser program 'par excellence'. And Frog's Print does exactly this, and he writes:
As we are crackers, let's throw away this serial number and crack Sourcer 7.0

Right! And if you add to these 'strategic' thoughts the whole cursor bpinting, you'll agree with me that this essay deserves to be posistioned among the prestigious "Advanced cracking series". Enjoy!

PHASE 9 by Quine:

Interactive Disassembler Pro v3.7 Demo (II), 30 October 1997
(How to load the previous databases) - (quine_21.htm: FVP01F09)
advanced
Advanced cracking series

Well, this is SERIOUS ADVANCED CRACKING once more. Once more a fundamental tool of the trade (IDA). Once more a function reenabling work (the loading of the previous databases, i.e. one of the most important crippled functions of the crippled version: you do not want to start everything anew every time you use IDA, do you?). Once more something we all need: new knowledge that you can at once apply to other targets and reverse engineering endeavours.
Quine is getting us used to this kind of well-crafted essays. I'm afraid newbyes will not understand much here, please read the 'basic' essays first, and peruse the other +HCU page (where you'll find a lot of help for newbyes) before delving in this.
This said, here you have a real reverse engineering essay in all its glory... enjoy!

PHASE A by Aesculapius:

ULTRAEDIT 5.00 S/N Generator, 24 November 1997
(a very funny dynamic addressing process as copy procedure) - (aescune1.htm: FVP01F0A)

This good tool is everywhere to have, regged, for free. I think therefore that Aesculapius work, far from damaging him, can actually be USEFUL to Ultraedit's Author Ian Mead... here is the point he should take care of:
however, the program still has to read the registration file to 

gather its initiation values, so a bpx on readfile should be enough to find 

a fairly close entry point to it

Learn here from Aesculapius how this protection scheme works. It's interesting and the keygenerator in asm at the bottom can easily be modified for other targets. If you crack Ultraedit register it after 45 days, it deserves it (IMHO). Enjoy!
PHASE B by Little-John:

winrar 95 ver.2.0: the guts of a simple protection, 04 January 1998
(why keygenerating when you can patch them on the fly?) - (littlejo2.htm: FVP01F0B)

Well, an interesting little essay which deals with an utility by Eugene Roshal that is in my opinion injustely underestimated. Winrar should by all means be on your desktop: it has, on mine, taken the place of my Winzip 6.2 (it deals without problems with all zipped files as well), and that for many reasons, the more important one is that RARed archives are SMALLER than pkzipped archives!
No, I'm not speaking of the solid archive option (you don't know what 'solid' archiving is? Go and study winrar), I'm speaking of a normal, default rar archive: it's smaller than a zip!
I know that many don't even know it, and I myself am still compelled to use the zip format when I dump something on the web 'because everybody zips'. Yet I myself, for myself, on my own harddisks, use only RAR, because with the monstruous overbloated programs we are dealing with 'every spared byte counts'... and you'll spare a lot of bytes in comparison with zipped files if you rar. You still don't believe me? Well, read, enjoy and then go and download winrar... you'll be surprised seeing how GOOD this tool is.!

The essays of +HCU's project 1 will continue after Quine's explanations about IDA.

Some explanations on IDA, by Quine, 6 November 1997

  Dear fravia+,



	I'm very pleased to see people using IDA.  I really, you know,

think of it as a dear friend now (I know this sounds sick :-).  Just

thought I'd clear up a few points from Snatch's and zeezee's essays.



From Snatch's essay:



	The 'aThelab' that Snatch finds is the name of a location in the

data section, a location that contains the ASCII string "The lab....".

Just double click on 'aThelab' and you'll jump right there.  I was a

little confused by your reference to Smartcheck regarding this.

Anyway, IDA names every location that it can in the data section (and

everywhere else for that matter) and it uses the 'a'+beginning of

string for ASCII strings.  Admittedly, it does not have that nice

dialog box that w32dasm has that lists all the strings (or are they

ALL the strings in w32dasm?  No! Just the ones directly referenced in

the code), but zeezee's Alt-B searches work just fine.



From zeezee's essay:



	Zeezee has obviously spent some time with IDA and all of his tips

are quite sound.  Just as a matter of style, I prefer to keep the

crossrefernces at about 10 -- you can always use

View-->Crossreferences to see the rest.  This keeps screen clutter

down.  IDA's 'automagically' finding the names is of course its

library recognition function (one of its MOST powerful features).

Keep in mind that there may be more names to be found than what it

automatically does.  Often, at the beginning of the status window it

recommends optional libraries to check for.  Most commonly if yuo have

a M$ compiled file, it is poosible that it uses MFC linked statically

(ie, not in a dll).  IDA cannot always be sure of this, so try

applying the MFC library recognition (View-->Signatures).  You'll be

amazed at the wealth of information.

	Regarding IDA's weaknesses, yes the help is a little cumbersome,

but as zeezee says, it is all there.  The resource problem is a

problem, but only temporarily.  Look at the file resource.idc in the

idc directory (in fact, look at and study everything in that

directory).  It is a file for sorting out resources in NE files (a

remnant of the horrible days of Win16-- among other things the ugliest

OS ever).  What needs to be done is someone needs to write a really

idc script/macro/program to sort out PE resources.  I have plans to do

this, but who knows when that will happen.  In general, people need to

study the idc language.  Its power is amazing given that it's solely

done for IDA.



	Oh, one last thing.  Go through the ida.cfg file and above all

else, change the window size.  Until I figured out how to do this, I

found IDA impossible to use.  Make it big.  I have mine set at 132x64.

Anyway, you need a big space to work in.



Hope this helps.



Quine

PHASE C by +Alt-F4:

Cracking Wingdis 2.12, 11 January 1998
(Preparing ourselves for 'real' Java cracking) - (altF4j_a.htm: FVP01F0C)

Well, Alt-F4 is an incredibly interesting +cracker that works a lot with Java, he's the Author of a FONDAMENTAL essay for all java reversers: Cracking (black and blue) Java Workshop 2.0, a program that you should by all means study and use ~ alternatively, you may have found on some CD-ROM for free Symantec Visual cafÈ trial version 1.0, and you could in that case enjoy A+heist's essay a very silly protection scheme on a very interesting target
Therefore it suits us all A LOT that +ALT-F4 shows here the (incredibly simple) way to reverse the main Java disassembler: Wingdis.
In fact, after the sad demise of the clever Author of the mocha disassembler (hope he'll enjoy some reversing possibilities wherever he did land after having left us :-) Wingdis will be one of the main tools we all will have to use in the next months
That said, we'll use Wingdis until our own +HCU '98 tools will be ready -at the moment they seem still "under development" :-(
Anyway all these java essays are GOOD NEWS!
Java is coming! Die Gates die in flames, you horrible slimy bloated bane! Die die die with all your useless overbloated applications! :-)
So I'm happy to host another fine "Java" +HCU essay, coming to you from mighty +ALT-F4 pen (and brain). Enjoy!

Hey buds! Feel free to reverse engineer whatever hexeditor or tool of the trade you can put your hands on,
even if it uses very stupid protection schemes!
(This is the only project where we'll in fact accept essays about stupid and boring protection schemes... yet, please, try at least to find some other interesting "finding" inside the code of these targets if the protection scheme is too stupid and too boring, else even a good tool wont be interesting for anyone :-)

homepage links red anonymity +ORC students' essays academy database
tools counter measures cocktails antismut search_forms mail_fravia+
Is reverse engineering legal?

red(c) Fravia 1995, 1996, 1997, 1998. All rights reversed