Summary of Windows program reverse tools


Original: September 15, 2012 22:32:37

For software reverse engineering there are a few well-known tools that often give twice the result for half the effort. Here is a brief list of commonly used ones, without detailed introductions, as a starting guide for beginners.

IDA is the first choice for static analysis; once you have it, other disassemblers are basically unnecessary.

The dynamic debugging tools are OD (OllyDbg) and WinDbg. Both can debug application-layer programs. Because OD is built mainly for reversing, its window layout is more reasonable and intuitive and it has many plug-ins, so OD is generally preferred. WinDbg is less convenient, since most operations are carried out through commands, but it has its own strengths: its commands (built-in commands, meta-commands and extension commands) provide powerful control and analysis capabilities, so WinDbg is sometimes used. If you want to debug kernel programs or modules, OD can do nothing, and WinDbg can be said to be the only choice. There used to be SoftICE, but SoftICE has stopped being updated and supported and is of no use now.

For packer ("shell") detection, PEiD is generally used; other tools exist but are not listed here. PEiD has powerful features, but its analysis is often inaccurate and its results should not be trusted too much; the judgment should come mainly from your own analysis.
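As an added illustration of that last point (this is my example, not code from the original post), here is a stdlib-only Python script that walks the PE section table and applies the hand checks a reverser uses to second-guess a PEiD verdict: unusual section names, near-maximal entropy, and sections that are empty on disk but large in memory. The sample file is constructed inline in the shape of a UPX-style packed binary; it carries no optional header, so it is not loadable, and all function and constant names are mine.

```python
import math
import struct
from collections import Counter

COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".pdata", ".bss", ".tls"}  # typical compiler output
# Constructed sample shaped like a UPX-packed file: an empty UPX0, a dense UPX1, a plain .rsrc.
SAMPLE_SECTIONS = [(b"UPX0", 0x20000, b""), (b"UPX1", 0x800, bytes(range(256)) * 8), (b".rsrc", 0x200, b"\0" * 512)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed or encrypted code sits near the top."""
    if not data:
        return 0.0
    n, counts = len(data), Counter(data).values()
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Walk the section table with struct alone, yielding (name, vsize, rawsize, entropy)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + opt_size                 # section table follows the optional header
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII16x", image, table + 40 * i)
        raw = image[rptr:rptr + rsize]
        yield name.rstrip(b"\0").decode(errors="replace"), vsize, rsize, shannon_entropy(raw)

def packer_indicators(image: bytes) -> list:
    """The checks a reverser makes by hand when a PEiD verdict is in doubt."""
    findings = []
    for name, vsize, rsize, ent in pe_sections(image):
        if name not in COMMON_SECTIONS:
            findings.append(f"{name}: non-standard section name")
        if ent > 7.0:
            findings.append(f"{name}: high entropy {ent:.2f}")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: empty on disk, {vsize:#x} bytes in memory (unpack target)")
    return findings

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, no optional header, then sections."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, len(sections), 0, 0x102)
    data_off, body = len(hdr) + 40 * len(sections), bytearray()
    for name, vsize, raw in sections:
        hdr += struct.pack("<8sIIII16x", name, vsize, 0x1000, len(raw), data_off + len(body))
        body += raw
    return bytes(hdr + body)
```

Calling `packer_indicators(build_sample_pe(SAMPLE_SECTIONS))` flags both UPX sections and leaves .rsrc alone; pointing `pe_sections` at a real file's bytes gives the same per-section picture PEiD will not show you.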

For unpacking, there are also many automatic unpackers and scripts on the Internet aimed at particular packers. I do not use these much and do not recommend them. For newcomers who want to go deeper into reverse engineering, I still recommend unpacking by hand; don't be a despised script kiddie. For dumping the program we can use LordPE or OllyDump, and after the dump is complete we may need the import table repair tool ImportREC and the like. That is only the ideal case; sometimes you have to do some of the analysis and repair manually yourself.

For reverse engineers, binary editors and comparison tools are indispensable. The editors are mainly UltraEdit, Hex Workshop and WinHex; each has its own advantages and disadvantages, and you can choose according to preference. The comparison tool I personally find best is Beyond Compare; I haven't used the others much, so I don't recommend any of them.

When it comes to reverse engineering, many people think the program must be analysed white-box. In fact, if black-box analysis gets the job done faster, there is no need to labour through the program's assembly code. Even when you do have to analyse the code, observing its inputs and outputs before or during the analysis is helpful. The commonly used auxiliary analysis tools are as follows:

For network packet capture and analysis, Wireshark and Iris are mostly used. Wireshark is a free tool from Microsoft, and Iris is paid software with powerful features.

For file and registry monitoring, Process Monitor is generally used. In the past, Filemon was used to monitor files and Regmon to monitor the registry; now Process Monitor covers both. These tools were in fact written by the same person, and the two have now been merged into one. As a digression, that author also wrote "In-depth Analysis of the Windows Operating System"; the authority of that book is known to everyone doing Windows kernel development, and it is required reading for reverse engineering as well.

In addition there are the virtual machines VMware and Virtual PC. Installing a virtual machine has many advantages: for kernel debugging, it makes it possible to debug the kernel with a single physical PC, and a virtual machine that crashes can be restarted quickly.

For kernel code reversal, the tools in the DDK/WDK can also be used in combination, such as WinObj for viewing objects, dev tree for viewing the device stack, and IRPTrace for observing IRPs. There are many such tools, so I won't list them all here; after all, most reversing is application-layer reversing.

This is the end of the list; I hope it helps those who read this article. In my opinion, the use of tools is only a skill, while the algorithmic theory behind software protection and reverse engineering is the Tao. Only by mastering the Tao can we go further. This is true of reversing, and of other things too.
