Reverse-engineering is especially important with computer hardware and software. Programs are written in a language, say C++ or Java, that’s understandable by other programmers. But to run on a computer, they have to be translated by another program, called a compiler, into the ones and zeros of machine language. Compiled code is incomprehensible to most programmers, but there are ways to convert machine code back to a more human-friendly format, including a software tool called a decompiler.
Rehex is a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else. This is a really great hex editor, great job! I've always wanted a hex editor that could do structures and highlight things! I've been reverse engineering a ton of file formats lately so a hex editor like this one will come in really handy! The only things I can think of to make it better is.
A Hex Editor for Reverse Engineers, Programmers and people that value their eye sight when working at 3 AM. Python reverse-engineering disassembler analyzer hex-editor dear-imgui ips dark-mode pattern-language ips32 pattern-highlighting mathematical-evaluator Updated 11 hours ago. README.md Reverse Engineers' Hex Editor A cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else.
Reverse-engineering is used for many purposes: as a learning tool; as a way to make new, compatible products that are cheaper than what’s currently on the market; for making software interoperate more effectively or to bridge data between different operating systems or databases; and to uncover the undocumented features of commercial products.
Reverse-engineering can also expose security flaws and questionable privacy practice.
With the help of Reverse Engineering we can modify a software at own way… Like we can change the name of Software, We can editing a software, We can convert Trial Software to License software… n many more.
So Reverse Engineering is a hacker friendly tool…. Use it n Enjoy..!!
Read Articles:
A multi-platform open source Binary Analysis and Reverse engineering Framework..
http://blog.hackersonlineclub.com/2016/12/barf-binary-analysis-and-reverse.html
Androguard- Reverse Engineering And Malware Analysis for Android Applications..
http://blog.hackersonlineclub.com/2016/12/androguard-reverse-engineering-and.html
Tools >>
CrowdRE – Crowdsourced Reverse Engineering:
The CrowdRE project aims to fill this gap. Rather than using a live distribution of changes to all clients, which has proven to fail in the past, it leverages from the architecture that is being used with success to organize source code repositories: a system that manages a history of change sets as commit messages.The CrowdRE client is now freely available as an IDA Pro plugin.
CrowdStrike maintains a central cloud for the community to share their commits amongst each other. This basic concept is sufficient for a collaborative workflow on a per-function basis for a shared binary. One exciting feature is a similarity hashing scheme that considers the basic block boundaries of a function. Each function is mapped on a similarity preserving hash of fixed size.
Visit: https://crowdre.crowdstrike.com/sign-in
OLLYDBG TOOL: Version 2.01 alpha 2
This tool is mostly used for REVERSE ENGINEERING.
We can make a own license key with the help of it, Any trial version will be a crack from this tool OLLYDBG. The most important novelty is that this version is compatible with Windows 7. I have tested it under Win7 Home Premium 32-bit.
Visit: http://www.ollydbg.de/odbg201b.zip
HEX WORKSHOP TOOL:
The Hex Workshop Hex Editor is a set of hexadecimal development tools for Microsoft Windows, combining advanced binary editing with the ease and flexibility of a word processor. With Hex Workshop you can edit, cut, copy, paste, insert, and delete hex, print customizable hex dumps, and export to RTF or HTML for publishing. Additionally you can goto, find, replace, compare, calculate checksums, add smart bookmarks, color map, and generate character distributions within a sector or file. Hex Workshop supports drag and drop and is integrated with the Windows operating system so you can quickly and easily hex edit from your most frequently used workspaces. The Data Inspector is perfect for interpreting, viewing, and editing decimal and binary values. Arithmetic, logical, ascii case, and bitwise operations can be used to help manipulation your data in place.
An Intergrated Structure Viewer allows you to view and edit data in the most intuitive and convenient way.The structure viewer supports nested structures, references to other structures, along with many atomic data types: char, byte, ubyte, word, uword, long, ulong, longlong, float, double, OLE Date/Time, DOSTIME, DOSDATE, FILETIME, and time_t.
Download Link: HexWorkshop.com
For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.
Every reverse engineer, malware analyst or simply a researcher eventually collects a set of software that they use on a daily basis to analyze, unpack, and crack other software.
This article will serve as an index of software I collected, you could need, so you don't have to hunt for them on your own. It will be useful to anyone who has not yet collected their own set of tools and is just starting to look at the subject or people who want to extend their current set of tools.
First, some Definitions and Clarifications:
Debugger:
A Debugger is a software tool which allows the user to view and change the running state of a program.
Disassembler:
A disassembler is a software tool which converts binary to assembler which is a bit more human-readable code.
Decompiler:
A Decompiler is a software tool which reverses the operations of a compiler and converts binary or intermediate code to the (near) original source code.
Debugging the assembly code output of a Disassembler is the answer to everything (Besides 42). By debugging the assembly you are able to reverse engineer EVERY program there is because you can see exactly what the CPU is going to do. No matter how well obfuscated it is or if it's an Interpreter, Jiter or Compiler language.
Debugging the output of a Decompiler on the other hand is mostly specialized on one specific programming language or framework which makes them not the answer to everything and that is why i gave them their own section.
I also put Debuggers and Disassemblers / Debuggers and Decompilers in the same section because most disassemblers and decompilers also include a debugger - So I don't see a point in splitting these up for this list.
With that out of the way.. Lets get into the List.
Debuggers / DisassemblersX64dbg
X64dbg was a much-needed innovation. It's pretty easy to use, and the features were worth a wait. It has been the strongest tool on the market in the Debugging Department. This is a new debugger with a decent user interface, a worthy successor to the older OllyDbg that everyone used before. It supports both architectures (x64 and x86) and there are lots of useful plugins available.
Granted, it's got its downsides, since there may be some bugs. But it is being actively developed and supported. Of course, because the debugger operates in user mode, it is vulnerable to a wide variety of anti-debugging techniques. However, this is partially compensated by the availability of several different debugger hiding plugins.
X64dbg also provides a built-in decompiler and import reconstructor (both x64 and x86), supports code graphic visualization and read/write/execute/access breakpoints.
IDA Disassembler
The IDA Pro disassembler is a de facto standard in antivirus laboratories.
There are two versions of IDA, a paid Pro version and a free Starter version. The free version is limited to x86 and does not support plugins. The Pro version offers full functionality with many supported processor architectures and plugin support.
IDA has a built-in debugger with rather basic functionality and can also be augmented with the Hex-Rays add-on, a decompiler of application source code into C code. This is very useful as it really speeds up program analysis.
Overall, IDA is a very strong and polished tool with a long history of development. Unfortunately, the paid edition costs between $365 - 2000+ depending on the type of license, and they don't sell it to everyone.
Qira
Qira is a timeless debugger made by the ever-popular or hated (whatever site you're on) geohot who is quite famous for jail breaking the iPhone and PlayStation 3 and then getting into legal trouble for it.
What made this debugger special when it came out is the way you could reverse your steps if you did something wrong.
Other debuggers also had that option, but they did it 'wrong' because the program wasn't exactly the same as before your steps and programs were able to detect that.
Qira changed this by using a similar strategy Git uses. It saves the steps you did in a tree like structure, and if you want to reverse a step, it loads an older 'save file' of the program. Saving all of these save states takes a lot of computing power, of course, but modern computers are so powerful that it really should not be a problem.
This tool is open source and actively being worked on, but due to its 'young” age and it being less popular, which leads to fewer people working on it, it can have quite a lot of bugs.
The debugger itself runs in a browser which makes this program available on Windows, Linux and Mac.
Ghidra
More 'recently' (since 2019) Ghidra, a NSA suite of tools (So not only a Debugger), has been released. Yes, THE NSA. They even got a GitHub Profile.
It's being actively developed and probably even used in house by the NSA because the version you can download is known as the 'public' version - that is why there's probably a 'private' version as well.
Ghidra is able to disassemble, assemble, decompile, graph, support Java/Python plug-ins and/or scripts, has an auto-analysis feature (which can sometimes be very slow) that could certainly help you with your work, currently supports more than 30 types of processors, plus hundreds of other features.
If you're used to IDA or the like, it might take you some time to get used to Ghidra, but when you get used to it, it will become very useful in your toolkit, despite the initial bugs it has due to its younger age.
You can get Ghidra from the NSA’s official page for Ghidra here or get the whole source code from their GitHub here.
Debuggers / Decompilers.NETdnSpy
dnSpy is a tool to reverse engineer .NET assemblies. It includes a decompiler, a debugger and an assembly editor, and more and can even be extended by writing your own extension.
dnSpy does not output assembly code and does not Support all programming Languages Like the X64dbg I talked about above.
It only focuses and outputs .NET Programming Languages like C#, F# or Visual Basic.
That makes it not so useful for most viruses and the like but a lot of more user oriented desktop Programs that are written in C#, which makes it quite useful for those.
There are also tons of other .NET decompilers like JustDecompile or dotPeek, but they don't let you edit the code right there, they just let you see it - that is why all in all, dnSpy has been my go-to for .NET programs (If you want to find out if a .exe is even a .NET file, read further and ill talk about a program that is able to do that)
Hex Editor For Reverse Engineering DesignNetworkingFiddler
Telerik's Fiddler is a web debugging proxy application that logs all HTTP(S) traffic between your computer and the Internet.
This may be useful if you want to see if a Virus/Program connects to a certain website or similar, to send data that you may be able to inspect, intercept, alter or otherwise fiddle around with.
Fiddler provides an easy-to-use interface that makes it clear where your requests need to be entered, as well as the request body and authentication information (among other things). It's also very convenient to see your past requests and past results.
They're all present on the same page, which is good because you don't have to navigate to different pages or similar.
But its capabilities are very limited. It doesn't have a lot of features outside of basic REST requests that run one at a time. You will need to manually type all REST requests with the exact perfect syntax instead of having them done in a more automatic way.
But in general, this is one of the most valuable tools for any hacker.
TCPView
Microsoft’s TCPView would be a lightweight alternative to Fiddler - It is a very limited but also very lightweight (< 300KB) network monitoring software that is also part of the SysinternalsSuite.
You can see process identifiers, the ports it accesses, protocols and packet counters.
Postman
This is again an alternative to Fiddler and TCPView, but it specializes in websites and your browser instead of all programs on your computer.
![]()
I still included it in this list because you might be trying to reverse engineer some web app, or your desktop app might interact with some web API you found using Fiddler or TCPView, and now you need to reverse engineer that.
Postman is a browser add-on (currently only available for Chrome) that, along with the desktop app, allows you to intercept, save and filter requests with your cookies to be inspected and sent later.
This way, you can quickly reverse engineer an API to see how it functions and how you can control it.
It's mostly focused on developers and not hackers, but it has still become a commonly used tool in my toolkit whenever I need to check out an API.
Wireshark
Wireshark is a free network analysis software that was created as an Ethereal fork in 2006 that lets you see what applications send and receive from the Internet, monitor network activity, find hidden communication channels and more.
It's probably the most powerful network analysis tool, and it's a real Swiss Army knife - It captures all kinds of packet data of the network, displays packet direction and path, displays errors and issues below the HTTP protocol, and has a great filter and search function.
Unfortunately, it misses the ability to change and manipulate things on the network and can sometimes show too much information that can overwhelm you (which could be fixed by a better UI?).
Packer DetectorExeInfoPE
While conducting malware analysis, I considered Exeinfo PE to be an invaluable tool. Exeinfo PE is a lightweight packer and protector detector.
Exeinfo PE has an unorthodox interface that is not to everyone's tastes, but is somewhat reminiscent of the now unsupported PEiD that many analysts still use, but unlike PEiD, Exeinfo PE is actively developed and maintained.
Exeinfo PE is good at telling you most of the information you care about up front, and it also tells you what you should do next, including telling you to use another detector, run an advanced scan, use Ida, use OllyDbg, and so on, and has most of the features analysts are asking for.
However, just like other analysis tools, Exeinfo PE has its downsides. It's not going to be your one-stop file analysis tool - I don't think there's any tool ever going to be, at least for malware. ⠀
One place where Exeinfo PE fails is not detecting older packers and protectors, as the author notes on their website, but you could use PEiD for this task.
Detect it Easy (DiE)
This is a great packer identifier with a variety of useful functions and is designed with an open signature architecture and allows you to build and incorporate your own detection algorithms.
It also allows you to access the entropy portion of the file, which enables the visual recognition of encryption.
It also has a resource viewer with a dump-to-disc functionality. DiE allows you to quickly access the import table and add plugins and scripts, customize signature scanning methods, and view file headers. It completely supports both PE and PE+.
Pestudio
PEstudio is a very interesting tool. In addition to bringing the basic features you would expect from a PE analysis tool, PEstudio also attempts to decide if a file is malicious on the basis of some indicators it might have and automatically scans file samples with VirusTotal, provides an interesting view of the import table functions of the analyzed program, displays the application's viral markers, used libraries and PE file header info.
Hex Editor For Reverse Engineering Software
To give you an idea of how these indicators operate, assume, for example, that a file you are monitoring contains version information relevant to a Microsoft file. However, the same file is obviously not from Microsoft, so PEstudio will let you know about this difference.
The details given by the indicators can often be useful if you are already suspicious of a file. In certain cases, the knowledge you get is sufficient to solve your issue, but in any case, it will give you a good starting point.
While PEstudio is a great program, the GUI is a tad empty, and sometimes the indicators are of limited use when dealing with specially designed binaries. However, if your final target is a program that works hard to classify a file as potentially malicious, PEstudio is a powerful antivirus tool for initial sample review.
File ViewersHxD
Sometimes you may need to access HDD, memory or applications in binary mode.
This is where hex editors such as HxD come in handy which is free of charge for private and commercial use.
Often updated, this program is a Windows hex editor that can handle files of any size, can be used as a RAW disk editor and RAM editor, supports common formats, and provides a user-friendly UI.
There are other features that are well executed, such as the ability to remotely clear files (zero fill), checksums, exporting, insert byte patterns, file splitting, statistics etc.
![]()
If you don't want or can't install this application on your machine, there's also a portable version that's always handy.
LTFViewr5u
This is another tool where you might argue that it doesn't belong to this list, but I'm still adding it here because it's very useful, and it took me a week to find it when I needed it initially.
The Large Text File Viewer is designed to view verrryyy large text files. It uses little memory and is able to open very large files (>5GB) instantly. Background file indexing makes searching easier. It also helps the user to do a high-speed, complex text search using plain text or regular expression.
If you've ever tried to open large text files, you'll probably reach the limits of the standard Windows Editor fairly quick, and if you've ever tried to open very very large files, you'll probably also find the limits of Notepad++.
I tried multiple of those supposedly 'Large Text File Viewers' but most of them had a cap of 1 GB or 5 GB or something like that - LTFViewr5u, on the other hand, had no problem opening my 9 GB text file, and if I had a larger text file, it would probably have no problem opening it.
Resource Hacker
Resource Hacker is both a resource compiler (for .rc files) and a decompiler - allowing to access and modify resources in executables (.exe, .dll, etc) and compiled resource libraries.
It's very popular for editing resources, including manifests, text dialog lines, icons, cursor data, etc. You're not going to need this tool very often, but when you do, this is probably the best tool for the job.
Virtualization
Your reverse engineering job may require you to run some unknown, potentially hazardous code, such as malware. That's why you need a second PC or a Virtual Machine to not be afraid of damaging your PC.
Sandboxie
Sandboxie (or Sandboxie-Plus) is a sandbox-based isolation software for Windows. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying local & mapped drives or the Windows registry. An isolated virtual environment allows for controlled testing of untrusted programs and web surfing.
Normally, if you want to test a program quickly, you need to start a virtual machine which can take time and resources. Sandboxie lets you run just a program in a virtual environment.
You can do this by right-clicking on the EXE and clicking on 'Open with Sandboxie' - This is quite useful for programs that you trust enough not to be a harmful virus which could break out of the Virtual Environment, but you still don't want to be running on your actual PC.
Just a few months ago, Sandboxie became Open Source, even though it's been tough since 2004, and it's split in two. There's a classic build with an old MFC UI (The one you can see in the screenshot above) and a new shiny Sandboxie Plus with a new Q't based UI.
Because Sandboxie just became Open Source so recently and is still VERY ACTIVE (the last commit was 10 minutes ago at the time of writing this, so that should say something), they still welcome new Volunteers. So if you want to work on some very well-known project for fun, or for your CV, this is your chance...
OtherProcessExplorer
ProcessExplorer is known as the “better Task-Manager” - you can even make ProcessExplorer replace the normal Task Manager by following this Guide. It shows all processes in a hierarchical tree view, so you can quickly see their spawning order.
You can also see which application has a specific file or directory open, the libraries they use, as well as their priority, processor usage, digital signatures, and more.
RegShot
Regshot is a great utility that you can use to compare the number of registry entries that have been changed during installation or updates to your device settings.
RegShot takes snapshots of the registry before and after you make any changes to the system or through some potently malicious software you are trying to analyse.
Hex Editor For Reverse EngineeringScylla
Scylla (Named probably after the legendary Greek monster)allows you to dump the process memory of a running application to a file which lets you see the unpacked version of a programs memory and enables you to do some more 'juicy' (I read this exact wording on some forum a while ago) stuff with the program.
Furthermore, Scylla also integrates with x64dbg where it can be directly launched by clicking Plugins => Scylla, so it could be that you already heard and used Scylla.
Hex Editor For Reverse Engineering PdfHex Editor For Reverse Engineering PdfSysinternalsSuite
The SysinternalsSuite is, as its name might already tell you, a suite of different tools (I partially already covered above) that are a must-have for any hacker.
I'm not going to go into the specifics of all the 70+ tools that it contains, but you can just download them and check them out or read about them here, where all the tools with additional information are listed, and find out which of them may be useful to you.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |