An Introduction to Reverse Engineering
In the Coding Corner of this issue of Hugi, a new series starts: Reverse Engineering. What's that? Reverse Engineering is the process of searching for program protections by a disassembling the executable (exe) files of program. The purpose of RE is to show to the software developers how bad their program protections are. In this series I shall try to elucidate the most important questions concerning this subject. We shall talk about what tools should be used in order to search for copy protections, how to use most important of them, and by means of a few examples we shall discuss various types of program protection.
In order to follow these articles, you will need basic knowledge about Assembler. I hope this section will match your taste (and you will motivate me to write new articles). For any question that comes up while you're dealing with Reverse Engineering, contact me via e-mail.
So, we'll begin with the most simple things: what tools we'll use for research. All tools belong to one of the following main groups: debuggers, disassemblers, unpackers, detectors, hex-editors, resource editors, scanners and dumpers. All tools can be found on the Internet. Now I briefly shall tell about each group.
In short, debuggers are good for trials because you see the reaction of the program to the change of its code at once. Most of the time you will be using debuggers. Among the most popular debuggers with a very rich functionality are SoftIce and TRW2000. Without hesistating a single moment, I can tell you at once that SoftIce is the better one.
Here almost all is simple. These tools simply translate executable files to Assembly code and show links between separate parts of the program, which appears very useful for research. In addition, they link the initial code to strings which are present in the program (menus, dialogs, etc.). The most outstanding representatives of this family are IDA and W32Dasm. For decompiling programs written on Delphi, it is very convenient to use DeDe (we will use it many times). There are utilities of this kind for a wide range of programming languages. In most cases the tools listed above will be enough for you.
Unpackers and detectors
Unpackers are necessary for decompressing exe-files packed with programs such as AsPack, AsProtect or UPX. Sometimes we also need detectors in order to identify the packer that was used as well as its version. Some detectors even extract information on the programming language the program was originally written in. To my mind, the best detector I know is PeiD. Regarding unpackers, there are really lots of them. You may select them according to your preference - choose the ones that are most pleasant to you.
Scanners and dumpers
When reverse-engineering a program, you usually have to scan the executable for calls to other programs and dynamic link libraries, commands for access to external files and code that reads from or modifies the registry. Much of this can be done automatically using a scanner. In this way it is easily possible to reveal the name of the file or the key in the registry into which the program writes the registration data. In my opinion, the best scanners are RegMon and FileMon. I guess their names suffice to tell you what they are for.
Dumpers are necessary in order to edit the addresses of sections of the program (about which I shall write more in the next Hugi issue) and for the creation of a dump (snapshot of the memory at run-time). Dumpers are frequently used for manual unpacking of a compressed or otherwise encoded exe-file.
This is the first time that I am writing an article for Hugi, so please don't blame me for having written this little. This shall be steadily improved in the next issues.
In the next part of this series the following themes will be elucidated:
Usage of SoftIce
Brief information on the structure of an exe-file
How the protection of some sample shareware programs works
In order to get prepared for the next issue, get all the tools about which I've talked above. Oh, and I've almost forgotten: also take a few brains along.
If you have a program about which you want to know more, write to me. Report the name of the program, for what it's used and where it can be downloaded - I shall try to help you.
Yudin Max a.k.a. |re|-action ... Moscow, Russia.