If you’ve been wondering about all the main tools that are used by a modern software reverse, you’re in luck because this article will be going over them.
So, if you’re someone who is familiar with network interaction principles, Assembler language, and have some level of experience related to Windows programming using API functions, you should keep reading.
Understanding the Need for Software Reverse Engineering Tools.
There are countless software applications in the kind of world we live in, with new ones being created every day. Also, most of them have their source code hidden which kind of leads to more work when trying to understand the specifics, algorithms, etc. of the said software. This is also where software reverse engineering tools come in.
There are many such tools to choose from and trying to crown one of the best can be quite tough. Let’s go over the applications that are also used frequently.
Software Reverse Engineering Tools.
1. IDA-Pro, Hex-Rays.
It’s an interactive disassembler and has an inbuilt command language or IDC. It also supports a variety of executables, operating systems, and more. You can use this tool to build diagrams, change the names of markers, and do a whole lot more. An Assembler Code can be decompiled through the Hex-Rays Decompiler plug-in.
2. CFF Explorer.
This one includes Resource editor, PE, and HEX editor, Signature scanner, Import editor, Address converter, a Disassembler, and a Dependency Analyzer.
3. API Monitor.
It intercepts API function calls and can also display output and input data.
It can display codes of software files, something that a simple text editor can’t do.
This is a binary files editor who focuses on work using code. It also features a built-in disassembler. You can use it to view and edit logical as well as physical drives. It also has tools for creating custom plugins.
This is a proxy operating with traffic between a remote server and the computer. It can work with both HTTPS and HTTP.
It enables you to leave a running application process. You can restore an import table and run the application.
7. Relocation Section Editor.
This one helps you to remove the Relocation table’s values.
It’s considered as one of the best tools for detecting the packer.
How to Use Software Reverse Engineering Tools?
Let’s go over how to use some of the software reverse engineering tools that were mentioned.
1. Using IDA-Pro to Open Researched Executable.
After downloading a test application to IDA Pro, press ‘OK.’ You’ll see that the import table is close to being empty. If you think that the application is packed, you can use PEiD to help detect the packer used.
2. Using PEiD for Packer Information.
Load the application and consider running a scan by going to Options and choosing ‘Hardcore scan.’ Now, select the folder containing the application you’re working on. This will show you the packer that was used.
3. Using CFF Explore for Unpacking.
Go to the UPX Utility Page and simple press the ‘Unpack’ button. Once that’s done, you can upload the application to IDA Pro to restore the assembler code. Download it again to IDA Pro. Agree when asked whether symbols from the server are to be uploaded.
You’ll get to see code, an import table, and some functions in the application. Now, using IDA Pro, run and debug the application by selecting Debugger > Select Debugger > Local Win32 debugger>F9.
It’s time for you to get rid of the fact about how a debugger was detected by the application. Click the NtQueryInformation Process to get a list of xref functions. Click on it to see the third parameter which is for output. If it’s equal to 1, it means the debugger is attached to the application. However, it’s equal to 0 it means the application doesn’t have a debugger attached.
3. Modifying Executed Statements in Hiew.
You’ll need to upload the application and consider switching to the Decode Mode. You can enter the Edit Mode by pressing F3 followed by F2. You can press F9 to save the application.
4. Deleting a Relocation Table’s value using a Relocation Section Editor.
If a crash occurs after using a Relocation Section Editor, you’ll need to use CFF Explorer.
5. Modifying a Relocation Table’s value using a CFF Explorer.
Simply open the application on CFF Explorer and replace the required value.
6. API Monitor.
You can use API Monitor for monitoring a number of functions. You can also go ahead and add functions if you prefer. API Monitor will help you see the parameters that were passed to the said function.
7. Using WinHex for Detection.
It’s recommended to detect the binary file’s type before exploration. You can use WinHex to do so. Take note that the MZ signature at zero offsets happens to correspond to the PE-format files. That’s why it’s an exe file or dll.
8. Using Scylla.
You can use Scylla to create a memory dump of a packed app to run it. You are to open the packed executable file in IDA Pro. Use the ‘pusha’ command for saving general-purpose registers to the stack. You can make an application dump and restore the import table as well by opening Scylla without closing IDA Pro. Remove the Relocation Table if the application crashes.
Wrapping It Up.
As mentioned, there are numerous Software Reverse Engineering tools available. Feel free to test them out and see which ones suit you the best for coding, unpacking, and more.