
UNIT 3 REVERSE ENGINEERING

Structure

3.0 Introduction
3.1 Objectives
3.2 What is Reverse Engineering?
    3.2.1 Software Reverse Engineering
    3.2.2 Hardware Reverse Engineering
3.3 Need of Reverse Engineering
3.4 Stages Involved in the Reverse Engineering Process
3.5 Disassembly or Decompilation
3.6 Cracking Software Protection
3.7 Tools
    3.7.1 Resource Hacker
    3.7.2 Hex Workshop
    3.7.3 IDA Pro
    3.7.4 PE Explorer
    3.7.5 Boomerang (Machine Decompiler)
    3.7.6 REC Decompiler
    3.7.7 Andromeda Decompiler
    3.7.8 Remotesoft .Net Explorer
    3.7.9 Spices .Net Decompiler
3.8 Let Us Sum Up
3.9 Check Your Progress: The Key

3.0 INTRODUCTION

Reverse engineering is the general process of analysing a technology specifically to ascertain how it was designed or how it operates. This kind of inquiry engages individuals in a constructive learning process about the operation of systems and products. Reverse engineering as a method is not confined to any particular purpose; however, it is often an important part of the scientific method and of technological development. The process of taking something apart and revealing the way in which it works is often an effective way to learn how to build a technology or make improvements to it. In this unit, you will establish a thorough knowledge of the various aspects of reverse engineering and of how it is useful in today's world.

In day to day work, whether it is rebuilding a vehicle engine or rearranging a sentence, people can learn about many things simply by taking them apart and putting them back together again. The concept behind all of this is reverse engineering, which means breaking something down in order to understand it, build a copy of it or improve it. In this Unit we will understand the key elements that comprise a successful reverse engineering programme and eventually apply those concepts for better productivity.

Reverse engineering is used for many purposes: as a learning tool; as a way to make new, compatible products that are cheaper than what is currently on the market; for making software interoperate more effectively or to bridge data between different operating systems or databases; and to uncover the undocumented features of commercial products.


Information Gathering

3.1 OBJECTIVES

After going through this Unit, you should be able to:

- understand the importance of Reverse Engineering;
- explain the need for Reverse Engineering;
- describe the stages involved in the Reverse Engineering process;
- explain what a disassembler is;
- describe how software protection can be cracked; and
- get hands-on experience with various tools which are very important in Reverse Engineering.

3.2 WHAT IS REVERSE ENGINEERING?

Reverse Engineering is a process in which a researcher gathers the technical data necessary to document the operation of a technology or of a component of a system. With the help of this research method, researchers are able to examine the strength of software, applications, systems etc. and identify their weaknesses in terms of performance, security, and interoperability. The reverse engineering process allows researchers to understand both how a program works and also which aspects of the program contribute to its not working. Independent manufacturers can participate in a competitive market that rewards the improvements made on dominant products. For example, there are a lot of vendors who do security audits, like Security Solutions & Technologies, which allow users of software to better protect their systems and networks by revealing security flaws; finding those flaws ultimately requires reverse engineering. The creation of better designs and the interoperability of existing products often begin with Reverse Engineering.

Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. The practice, taken from older industries, is now frequently used on computer hardware and software. Software reverse engineering involves reversing a program's machine code (the string of 0s and 1s that is sent to the logic processor) back into the source code that it was written in, using program language statements.
Reverse engineering can be viewed as the process of analysing a system to:

1) Identify the system's components and their interrelationships;
2) Create representations of the system in another form or at a higher level of abstraction;
3) Create the physical representation of that system.

There are two types of Reverse Engineering, which are described below: Software Reverse Engineering and Hardware Reverse Engineering.

3.2.1 Software Reverse Engineering


Software reverse engineering is the process of retrieving the source code of a program. It is a process of reading the software's binary code to find out what the software can make the computer do. It is the binary code that the computer reads and obeys, not the source code. Though binary code is not easily read by humans, a representation in assembly-language mnemonics, as shown in a debugger, is exactly equivalent (in all but some very obscure theoretical points) to what the computer reads. Indeed, reverse engineering is essentially debugging in advance of having a bug to debug.

The process is used in scenarios such as the following:

- the source code is lost;
- to study how the program performs certain operations;
- to improve the performance of a program;
- to fix a bug (correct an error in the program when the source code is not available);
- to identify malicious content in a program, such as a virus; or
- to adapt a program written for use with one microprocessor for use with another.

Reverse engineering for the purpose of copying or duplicating programs may constitute a copyright violation. In fact, in some cases the licence for the software specifically prohibits reverse engineering.

Any researcher who is doing reverse engineering on software may use several tools to disassemble a program, such as the following:

Hexadecimal dumper: It prints or displays the binary numbers of a program in hexadecimal format (which is easier to read than a binary format). By knowing the bit patterns that represent the processor instructions as well as the instruction lengths, the reverse engineer can identify certain portions of a program to see how they work.

Disassembler: This is another important tool, which reads the binary code and then displays each executable instruction in text form. A disassembler cannot tell the difference between an executable instruction and the data used by the program, so a debugger is used, which allows the disassembler to avoid disassembling the data portions of a program.

These tools might be used by a cracker to modify code and gain entry to a computer system or cause other harm.
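To make the two tools above concrete, here is a small hexadecimal dumper together with the kind of byte-pattern scan the text describes, written in Python as an added example for this unit (it is not code from the unit or from any of the tools in Section 3.7). The image it scans is constructed inline and is not taken from any real binary: two tiny x86-64 routines, a string, and a data table. The byte pattern searched for is the common x86-64 function prologue `push rbp; mov rbp, rsp` (55 48 89 e5). The third hit, at offset 0x30, falls inside the data table; that is exactly the code-versus-data ambiguity the text says forces a disassembler to lean on a debugger.

```python
"""Hexadecimal dumper plus byte-pattern scan over a constructed binary image."""
import struct

# Constructed sample image (not from any real program):
#   0x00  push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret    (code)
#   0x10  push rbp; mov rbp,rsp; mov eax,42; pop rbp; ret     (code)
#   0x20  a NUL-terminated string                              (data)
#   0x30  a 32-bit table entry whose little-endian bytes equal (data)
#         the prologue pattern 55 48 89 e5 by coincidence
PAD = b"\xcc"  # int3 padding, commonly found between functions
SAMPLE = (
    bytes.fromhex("554889e531c05dc3").ljust(16, PAD)
    + bytes.fromhex("554889e5b82a0000005dc3").ljust(16, PAD)
    + b"Trial expired\x00".ljust(16, b"\x00")
    + struct.pack("<I", 0xE5894855).ljust(16, b"\x00")
)

# The bit pattern the text refers to: the usual x86-64 function prologue
PROLOGUE = bytes.fromhex("554889e4")[:0] + bytes.fromhex("554889e5")  # push rbp; mov rbp, rsp


def hexdump(data, width=16):
    """Return the classic offset / hex bytes / ASCII view, one string per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        # split the hex column into two 8-byte groups, as most hex dumpers do
        hexpart = hexpart[:23] + "  " + hexpart[24:] if len(chunk) > 8 else hexpart
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<49} |{asc}|")
    return rows


def find_pattern(data, pattern):
    """Offsets of every occurrence of a byte pattern (overlapping hits included)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def find_prologues(data):
    """Candidate function starts: every place the prologue bytes occur."""
    return find_pattern(data, PROLOGUE)


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    for off in find_prologues(SAMPLE):
        print(f"prologue candidate at 0x{off:04x}")
```

Running it prints the four-row dump and three candidate offsets (0x00, 0x10 and 0x30). Only the first two are real functions; the pattern scan alone cannot tell that 0x30 is a table entry, so in practice the candidate is confirmed by watching whether execution ever reaches it in a debugger.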


3.2.2 Hardware Reverse Engineering


Hardware reverse engineering involves taking apart a device to see how it works. Reverse engineering at the hardware level involves taking the allegedly infringing product apart, determining what components are used in the product, and determining how the components are interconnected. For example, if a processor manufacturer wants to see how a competitor's processor works, it can purchase the competitor's processor, disassemble it, and then make a processor similar to it, with some modifications or with some new features added. However, this process is illegal in many countries. In general, hardware reverse engineering requires a great deal of expertise and is quite expensive.

It is often not sufficient to reverse engineer a product to the component level in order to determine infringement. Many products incorporate microprocessors or microcontrollers in their design. A microprocessor or microcontroller operates in accordance with programming instructions programmed into a ROM, RAM, EPROM, or FLASH memory. To determine how the microcontroller or microprocessor operates it is necessary to reverse engineer the software or firmware within the memory. This is not as easy as one might think. First, the program embodied by the firmware is simply a collection of binary digits (1's and 0's). In order to decipher this machine-specific program code it is necessary not only to convert the binary data into a readable form, but also to assign meaning to the data. Thus, reverse engineering of microcontroller software or firmware requires program disassembly via a disassembler or decompiler.

Reverse engineering enables the duplication of an existing part by capturing the component's physical dimensions, features, and material properties. Before attempting reverse engineering, a well-planned life-cycle analysis and cost/benefit analysis should be conducted to justify the reverse engineering project. Reverse engineering is typically cost effective only if the items to be reverse engineered reflect a high investment or will be reproduced in large quantities. Reverse engineering of a part may be attempted even if it is not cost effective, if the part is absolutely required and is mission-critical to a system.

Any researcher who is doing reverse engineering on hardware may use several tools to disassemble a product, such as the following:

REFAB (Reverse Engineering - Feature Based): This tool uses a laser digitizer to scan the part, and the analysis software then analyses the shape of the part, using features which are based on typical machining operations, to generate a computerized manufacturing description which can be displayed, used to copy the product, or used to produce new products based on the design.

PRINTED CIRCUIT BOARDS (PCBs): Computer vision has been widely used to scan PCBs for quality control and inspection purposes, and based on this, there are a number of machine vision systems for analysing and reverse engineering PCBs.

INTEGRATED CIRCUIT (IC) COMPONENTS: The first step is to get through the encapsulating material into the product itself, by chemical etching or grinding. Once at the chip surface, each layer of components is photographed, then ground away to reveal the layer below. This process reveals the structure of the chip. Although these processes can reveal the structure of the chip, they do not indicate the voltages at each point. However, if the chip is undamaged, voltage contrast electron microscopy can be used to scan the chip in use and watch the voltage levels change over time. These processes are generally referred to as stripping or peeling the chip.

3.3 NEED OF REVERSE ENGINEERING

Reverse engineering is very common in such diverse fields as software engineering, entertainment, automotive, consumer products, microchips, chemicals, electronics, and mechanical design. For example, when a new machine comes to market, competing manufacturers may buy one machine and disassemble it to learn how it was built and how it works. A chemical company may use reverse engineering to defeat a patent on a competitor's manufacturing process. In civil engineering, bridge and building designs are copied from past successes so there will be less chance of catastrophic failure. In software engineering, good source code is often a variation of other good source code.

Another reason for reverse engineering is to compress product development times. In the intensely competitive global market, manufacturers are constantly seeking new ways to shorten lead-times to market a new product. Rapid product development (RPD) refers to recently developed technologies and techniques that assist manufacturers and designers in meeting the demands of reduced product development time. For example, injection-moulding companies must drastically reduce the tool and die development times. By using reverse engineering, a three-dimensional product or model can be quickly captured in digital form, re-modelled, and exported for rapid prototyping/tooling or rapid manufacturing.

Software developers often use reverse engineering techniques to better understand systems with which their software will interact. In addition, developers use reverse engineering to learn the ideas behind other developers' successful techniques. Most commercial software packages are distributed to customers in machine language. Therefore, humans must disassemble programs, translating them from machine language to assembly language, in order to better understand the ideas on which they are based. It is not possible to reconstruct the original sequence of a program or the programmers' comments and annotations, which are usually a part of high-level language programs, but through disassembly programmers can gain insight into the way a program functions and how it can interface with other software and hardware.

There are various important factors which motivate Reverse Engineering, which are mentioned below:

Interoperability: Interoperability is the property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation. Generally, interoperability allows technologies to work together when they use the same inputs and create the same outputs. For computers, interoperability is the ability of programs and systems running on various kinds of software and hardware to communicate with each other. Standards foster interoperability by ensuring that all groups implementing the standard interpret it the same way, so that the technology produces consistent performance regardless of the individual brand or model. By contrast, a lack of standards means that parties must reverse engineer the technology to achieve interoperability. Moreover, owners of proprietary, non-standardized technologies retain control over upgrades and developments to those technologies, and may change them at will, disrupting the interoperability with other technologies.

Lost documentation: Reverse engineering is often done because the documentation of a particular device has been lost or was never written, and the person who built it is no longer available. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then re-design it.

Product analysis: To examine how a product works, what components it consists of, estimate costs, and identify potential patent infringement.

Digital update/correction: To update the digital version (e.g. 3D/CAD model) of an object to match an as-built condition.

Security auditing: To determine whether vulnerabilities exist in a product or not.

Learning: Learn from others' mistakes. Do not make the same mistakes that others have already made and subsequently corrected.

Acquiring sensitive data by disassembling and analysing the design of a system component.

Military or commercial espionage: Learning about an enemy's or competitor's latest research by stealing or capturing a prototype and dismantling it.

Removal of copy protection, circumvention of access restrictions or creation of unlicensed/unapproved duplicates.


Determining whether an application contains any undocumented functionality.

Check Your Progress 1

Note: a) Space is given below for writing your answer.
      b) Compare your answer with the one given at the end of the Unit.

What is the importance of reverse engineering? What is the need for it?

3.4 STAGES INVOLVED IN THE REVERSE ENGINEERING PROCESS

Since the Reverse Engineering process can be time-consuming and expensive, reverse engineers generally consider whether the financial risk of such an endeavour is preferable to purchasing or licensing the information from the original manufacturer, if that is possible.

In order to reverse engineer a product or a component of a system, engineers and researchers generally follow a four-stage process:

1) Identifying the product or component which will be reverse engineered.
2) Observing or disassembling the information documenting how the original product works.
3) Implementing the technical data generated by reverse engineering in a replica or modified version of the original.
4) Creating a new product (and, perhaps, introducing it into the market).

In the first stage of the process, sometimes called pre-screening, reverse engineers determine the candidate product for their project. Potential candidates for such a project include singular items, parts, components, units and subassemblies, some of which may contain many smaller parts sold as a single entity.

The second stage, disassembly or decompilation of the original product, is the most time-consuming aspect of the project. In this stage, reverse engineers attempt to construct a characterization of the system by accumulating all of the technical data and instructions on how the product works.

In the third stage of Reverse Engineering, reverse engineers try to verify that the data generated by disassembly or decompilation is an accurate reconstruction of the original system. Engineers verify the accuracy and validity of their designs by testing the system, creating prototypes, and experimenting with the results.

The final stage of the Reverse Engineering process is the introduction of a new product into the marketplace. These new products are often innovations of the original product with competitive designs, features, or capabilities. These products may also be adaptations of the original product for use with other integrated systems, such as different platforms of computer operating systems.

Often different groups of engineers perform each step separately, using only documents to exchange the information learned at each step. This is to prevent duplication of the original technology, which may violate copyright. By contrast, Reverse Engineering done this way creates a different implementation with the same functionality.


3.5 DISASSEMBLY OR DECOMPILATION

In the development of software, the source code in which programmers originally write is translated into object (binary) code. The translation is done with a computer program called an assembler or compiler, depending on the source code's language, such as Java, C++, or assembly. A great deal of the original programmer's instructions, including commentary, notations and specifications, are not included in the translation from source to object code (the assembly or compilation). Disassembly or decompilation reverses this process by reading the object code of the program and translating it back into assembly language (disassembly) or into source-like code (decompilation). By presenting the information in a computer language that a software programmer can understand, the reverse engineer can analyse the structure of the program and identify how it operates.

The data generated in the disassembly of a typical computer program is one to many files with thousands of lines of computer code. Because much of the original programmer's commentary, notations and specifications are not retained in the object code, the reverse engineered code constitutes only a part of the program information included in the original source code. Engineers must interpret the resulting code using knowledge and expertise to recreate the data structures of the original program and understand the overall design rationale of the system.

Not all reverse engineering efforts require decompilation of software. Some black box reverse engineering is done by characterizing software through observation of its interaction with system components, other software, and other (external) systems through networks.


Source Code and Object Code

Source code is the category of computer language instructions that is most frequently written and read by software programmers. A computer cannot generally run a program in source code form, though. The source code is translated, with the use of an assembler or compiler, into a language form that contains instructions to the computer, known as object code. Object code consists of numeric codes specifying each of the computer instructions that must be executed, as well as the locations in memory of the data on which the instructions are to operate. While source code and object code are commonly referred to as different classes of computer language, these terms actually describe the series of transformations a program goes through when being converted from a higher-level language, more easily comprehensible to humans, to the lower-level language of computer operations.

Check Your Progress 2

Notes: a) Space is given below for writing your answer.
       b) Compare your answer with the one given at the end of the Unit.

Which stage is the most time-consuming aspect of the project in reverse engineering? Explain.

3.6 CRACKING SOFTWARE PROTECTION

The most common software crack is the modification of an application's binary to cause or prevent a specific key branch in the program's execution. This is accomplished by reverse engineering the compiled program code using a debugger until the software cracker reaches the subroutine that contains the primary method of protecting the software, or by disassembling the executable file. The binary is then modified using the debugger or a hex editor in a manner that replaces the branching opcode with its complement or with a NOP opcode, so that the key branch will either always execute a specific subroutine or always skip over it. Almost all common software cracks are a variation of this type. Proprietary software developers are constantly developing techniques such as code obfuscation, encryption, and self-modifying code to make this modification increasingly difficult. Even with these measures being taken, developers struggle to combat software cracking. This is because it is very common for a professional to publicly release a simple cracked EXE or Retrium Installer for public download, eliminating the need for inexperienced users to crack the software themselves.
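The following Python block, an added example that is not part of the original unit, ties Section 3.5 (turning object code back into readable instructions) to the patch described above. It contains a table-driven linear-sweep disassembler for a handful of x86-64 opcodes, a tiny interpreter for that same subset so the effect of a patch can be observed, and the two patches the text names: replacing a conditional jump with its complement, and overwriting it with NOPs. The input is a constructed 22-byte license-check stub, assumed (as a stand-in for a real protection routine) to receive the result of a check in `al` and to return 1 in `eax` when licensed; the opcode subset, the stub, the register convention and the offset of the key branch are all assumptions made for this example. The decoder raises on any byte it does not know, which is what a linear sweep does when it runs into data rather than code.

```python
"""Linear-sweep disassembler for a small x86-64 subset, a tiny interpreter for
that subset, and the two 'key branch' patches: complement and NOP."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
ONE_BYTE = {0x55: "push rbp", 0x5D: "pop rbp", 0x90: "nop", 0xC3: "ret", 0xC9: "leave"}
JCC = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}        # 2-byte rel8 branches
COMPLEMENT = {0x74: 0x75, 0x75: 0x74}

# Constructed license-check stub (an assumption for this example, not a real
# program).  Convention assumed: al holds the check result, 1 = licensed.
#   0x00 push rbp            0x08 mov eax, 1   ; licensed path
#   0x01 mov rbp, rsp        0x0d jmp 0x14
#   0x04 cmp al, 1           0x0f mov eax, 0   ; unlicensed path
#   0x06 jnz 0x0f            0x14 pop rbp ; 0x15 ret
STUB = bytes.fromhex("55 4889e5 3c01 7507 b801000000 eb05 b800000000 5d c3")
KEY_BRANCH = 0x06   # offset of the conditional jump that separates the two paths


def decode_one(data, off):
    """Decode the instruction at off -> (length, text); raises on unknown bytes."""
    op = data[off]
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op]
    if op == 0x48 and data[off + 1] == 0x89:           # REX.W 89 /r: mov r/m64, r64
        modrm = data[off + 2]
        if modrm >> 6 != 0b11:
            raise ValueError(f"memory operand not supported at 0x{off:x}")
        return 3, f"mov {REG64[modrm & 7]}, {REG64[(modrm >> 3) & 7]}"
    if op == 0x3C:                                      # cmp al, imm8
        return 2, f"cmp al, {data[off + 1]}"
    if op in JCC:
        rel = int.from_bytes(data[off + 1:off + 2], "little", signed=True)
        return 2, f"{JCC[op]} 0x{off + 2 + rel:x}"     # target = next ip + rel8
    if 0xB8 <= op <= 0xBF:                              # mov r32, imm32
        imm = int.from_bytes(data[off + 1:off + 5], "little")
        return 5, f"mov {REG32[op - 0xB8]}, {imm}"
    raise ValueError(f"unknown opcode 0x{op:02x} at 0x{off:x}")


def disassemble(data):
    """Linear sweep from offset 0: [(offset, hex bytes, mnemonic text), ...]."""
    out, off = [], 0
    while off < len(data):
        n, text = decode_one(data, off)
        out.append((off, data[off:off + n].hex(), text))
        off += n
    return out


def run(data, al):
    """Execute the subset (tracking only al, eax and ZF); return eax at 'ret'."""
    eax, zf, ip = 0, False, 0
    while True:
        n, _ = decode_one(data, ip)
        op = data[ip]
        if op == 0xC3:
            return eax
        if op == 0x3C:
            zf = (al & 0xFF) == data[ip + 1]
        elif op == 0xB8:
            eax = int.from_bytes(data[ip + 1:ip + 5], "little")
        if op in JCC:
            rel = int.from_bytes(data[ip + 1:ip + 2], "little", signed=True)
            taken = op == 0xEB or (op == 0x74 and zf) or (op == 0x75 and not zf)
            ip = ip + 2 + rel if taken else ip + 2
        else:
            ip += n


def patch_complement(data, off):
    """Swap jz<->jnz at off: the branch now goes the other way for every input."""
    if data[off] not in COMPLEMENT:
        raise ValueError("no jz/jnz at that offset")
    return data[:off] + bytes([COMPLEMENT[data[off]]]) + data[off + 1:]


def patch_nop(data, off):
    """Overwrite a 2-byte rel8 branch with two NOPs: execution always falls through."""
    if data[off] not in JCC:
        raise ValueError("no rel8 branch at that offset")
    return data[:off] + b"\x90\x90" + data[off + 2:]


if __name__ == "__main__":
    for off, raw, text in disassemble(STUB):
        print(f"{off:04x}  {raw:<12} {text}")
    print("original,  al=0 ->", run(STUB, 0))
    print("jnz->jz,   al=0 ->", run(patch_complement(STUB, KEY_BRANCH), 0))
    print("nop nop,   al=0 ->", run(patch_nop(STUB, KEY_BRANCH), 0))
```

With the original stub an unlicensed input (al = 0) returns 0; after either patch it returns 1. The NOP patch ignores `al` entirely, while the complement patch only inverts the test (a legitimately licensed input now fails), which is why the variant that leaves the legitimate path intact is usually the one chosen. The obfuscation, encryption and self-modifying code mentioned above exist precisely to keep the key branch from being this easy to locate and this cheap to change.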

A specific example of this technique is a crack that removes the expiration period from a time-limited trial of an application. These cracks are usually programs that patch the program executable and sometimes the .dll or .so linked to the application. Similar cracks are available for software that requires a hardware dongle. A company can also break the copy protection of programs that it has legally purchased but that are licensed to particular hardware, so that there is no risk of downtime due to hardware failure (and, of course, no need to restrict itself to running the software on the bought hardware only).

Another method is the use of special software such as CloneCD to scan for the use of a commercial copy protection application. After discovering the software used to protect the application, another tool may be used to remove the copy protection from the software on the CD or DVD. This may enable another program such as Alcohol 120%, CloneDVD, Game Jackal, or Daemon Tools to copy the protected software to a user's hard disk. Popular commercial copy protection applications which may be scanned for include SafeDisc and StarForce.

Check Your Progress 3

Notes: a) Space is given below for writing your answer.
       b) Compare your answer with the one given at the end of this Unit.

How do developers struggle to combat software cracking?


3.7 TOOLS

3.7.1 Resource Hacker


Resource Hacker is a utility to view, modify, add, rename and delete resources in Windows executable and resource files. Furthermore, Resource Hacker also includes an integrated resource compiler and decompiler. Here are some key features of Resource Hacker:

- It helps to view resources in Win32 executable files (*.exe, *.dll, *.cpl, *.ocx) and in Win32 resource files (*.res) in both their compiled and decompiled formats.
- It helps to extract (save) resources to file in *.res format, as a binary, or as decompiled resource scripts or images.


- Icons, bitmaps, cursors, menus, dialogs, string tables, message tables, accelerators, Borland forms and version info resources can be fully decompiled into their respective formats, whether as image files or *.rc text files.
- It helps to modify (rename or replace) resources in executable files. Image resources (icons, cursors and bitmaps) can be replaced with an image from a corresponding image file (*.ico, *.cur, *.bmp), a *.res file or even another *.exe file.
- Dialogs, menus, string tables, accelerators and message table resource scripts (and also Borland forms) can be edited and recompiled using the internal resource script editor.
- Resources can also be replaced with resources from a *.res file as long as the replacement resource is of the same type and has the same name.
- Add new resources to executable files. This enables a program to support multiple languages, or to add a custom icon or bitmap (company logo etc.) to a program's dialog.
- Delete resources. Most compilers add resources into applications which are never used by the application. Removing these unused resources can reduce an application's size.
- 32-bit resource files (*.res) can now also be viewed and edited.
- Added support for the following dialog extended style flags: WS_EX_LAYERED, WS_EX_NOINHERITLAYOUT, WS_EX_LAYOUTRTL and WS_EX_NOACTIVATE.
- All resource language ids (except those for cursors and icons) can now be easily changed.
- Bug fix: LBS_NOINTEGRALHEIGHT and LBS_MULTICOLUMN listbox style flags in dialogs previously could not be combined.

3.7.2 Hex Workshop


The Hex Workshop Hex Editor by BreakPoint Software is a complete set of hexadecimal development tools for Microsoft Windows 2000 and later. Hex Workshop integrates advanced binary editing and data interpretation and visualization with the ease and flexibility of a modern word processor. With Hex Workshop you can edit, cut, copy, paste, insert, fill and delete binary data. You can also work with data in its native structure and data types using the integrated structure viewer and smart bookmarks. Data editing is quick and easy with extensive features that allow you to: jump to a file or sector location, find or replace data, perform arithmetic, bitwise and logical operations, binary compare files, generate checksums and digests, view character distributions and export data to RTF or HTML for publishing. Hex Workshop includes a Sector Editor with disk imaging tools, a Base Converter for converting between hex, decimal and binary data types, a Hex Calculator supporting arithmetic and bitwise operations, an expression calculator supporting variables, conditionals, iteration and arithmetic and bitwise operations, and a data visualizer designed to help you visually identify patterns and interesting data from rendered images. Also included is a Data Inspector that allows you to quickly edit and view data in decimal, floating point or time and date representations.


Fig. 1

Key Features:
- Rich Feature Set
- Highly Customizable User Interface
- Data Interpretation and Parsing
- Integrated Binary Comparison
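The binary compare, checksum/digest and character-distribution features listed above are easy to reproduce outside the tool, which is useful when you need them in a script. The following is an added Python example, not Hex Workshop code; the function names and the BEFORE/AFTER sample buffers are this example's own, constructed so that it runs offline.

```python
import hashlib
import zlib
from collections import Counter


def compare_binaries(a, b):
    """Byte-wise compare of two buffers, as a hex editor's binary compare does.
    Returns (offset, length) ranges that differ over the common length, plus
    one trailing range when the lengths differ."""
    ranges = []
    start = None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, common - start))
    if len(a) != len(b):
        ranges.append((common, abs(len(a) - len(b))))
    return ranges


def digests(data):
    """Checksums and digests over a whole file or a selected block: 8-bit
    additive checksum, CRC-32 and SHA-256 (hex strings for the latter two)."""
    return {
        "sum8": sum(data) & 0xFF,
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def byte_distribution(data, top=3):
    """Character distribution: the most frequent byte values with their share.
    Packed or encrypted data is nearly flat; text and code are strongly skewed."""
    counts = Counter(data)
    return [(value, count / len(data)) for value, count in counts.most_common(top)]


def hexdump(data, width=16):
    """Offset / hex / ASCII rendering, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, text))
    return lines


# Constructed sample (not from any real file): a small settings blob and a
# modified copy with two bytes changed and two bytes appended.
BEFORE = b"version=1.0;flags=0x0001;name=demo\x00"
AFTER = bytearray(BEFORE)
AFTER[10] = ord("1")        # 1.0 -> 1.1
AFTER[23] = ord("3")        # 0x0001 -> 0x0003
AFTER += b"\x00\x00"
AFTER = bytes(AFTER)

if __name__ == "__main__":
    for off, length in compare_binaries(BEFORE, AFTER):
        print("differs at 0x%x, %d byte(s)" % (off, length))
    print(digests(AFTER))
    print("\n".join(hexdump(AFTER)))
```

The compare reports ranges rather than single bytes so that a multi-byte patch shows up as one entry, and the trailing length difference is reported separately because a hex editor's compare cannot pair those bytes with anything.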

3.7.3 IDA Pro


IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plug-in programming environment.

IDA Pro is a disassembler
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your E-Banking session or logging your E-Mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases quite close to the original source code that produced the binary program. The map of the program's code is then post-processed for further investigations. Some people have used it as the root of a genomic classification of viruses.

IDA Pro is a debugger
But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, Worms and Trojans are often armoured and obfuscated. More powerful tools are required. The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing single stepping through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on various platforms, including the ubiquitous 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs) and other platforms. Remote debuggers are very useful when one wants to safely dissect potentially harmful programs. Some of the IDA debuggers can run the application in a virtual environment: this makes Malware analysis even safer.

IDA Pro is programmable
IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium complexity tasks. For more advanced tasks, its open plugin architecture puts no limits on what external developers can do to enhance IDA Pro functionality. One could, for example, extend IDA Pro with an MP3 player and make Malware sing. However, the vendor suspects its Governmental customers are involved in more serious projects.

Fig. 2

3.7.4 PE Explorer
PE Explorer is the most feature-packed program for inspecting the inner workings of your own software, and more importantly, third party Windows applications and libraries for which you do not have source code. PE Explorer lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX Controls, to the less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on the MS Windows Mobile platform). PE Explorer gives you the power to look inside these PE binary files, perform static analysis, reveal a lot of information about the function of the executable, and collect as much information about the executable file as possible, without executing it. PE Explorer leaves you with only minimal work to do in order to get an analysis of a piece of software. Once you have selected the file you wish to examine, PE Explorer will analyze the file and display a summary of the PE header information, and all of the resources contained in the PE file. From here, the tool allows you to explore the specific elements within an executable file.


Besides being an effective Resource Editor, PE Explorer also provides several tools that elevate it to Power Coder status: an API Function Syntax Lookup, Dependency Scanner, Section Editor, UPX Unpacker, and a powerful yet easy-to-use Disassembler. With PE Explorer you can view and inspect unknown binaries, examine and edit the properties of EXE and DLL files, and correct and repair the internal structures of any PE (portable executable) files with the click of a button. PE Explorer is intended to be used in various scenarios such as software development, Forensics practice, Reverse Engineering, extensive binary security analysis and binary auditing processes.

With PE Explorer you can:
- See what's inside an executable and what it does
- Change and customize the GUI elements of your Windows programs
- Track down what a program accesses and which DLLs are called
- Understand the way a program works, behaves, and interacts with others
- Verify the publisher and the integrity of signed executable files
- Say goodbye to digging through bloated help files just to hash out an API reference
- Open UPX-, Upack- and NsPack-compressed files seamlessly in PE Explorer, without long workarounds
- Special support for Delphi applications

Viewing and Editing Portable Executable (PE) Files:
- Working with 32-bit PE files such as .EXE, .DLL, Device Drivers (.SYS, .ACM), ActiveX Controls (.OCX), Borland Libraries (.DPL and .BPL), XP Visual Styles (.MSSTYLES), Control Panel Extensions (.CPL), Screen Savers (.SCR) and any other win32 executables.
- Working with damaged files: PE Explorer opens broken or packed files in Safe mode.
- PE file integrity verification.
- Checksum computing and modification.
- Entry Point value modification.
- Modification of EXE and DLL file properties.


Fig. 3

- UPX Unpacker.
- UPack Unpacker.
- NSPack Unpacker.
- Support for custom plug-ins to perform any startup processing.

PE Header Viewer
PE Explorer makes it easy to analyze PE file structure, correct errors, fix compilation bugs, repair damaged resources or modify the internal arrangements of PE files. With PE Explorer, file headers, data directories, section headers and export tables are ready and waiting for your command. Use it for serious development projects, for restoring lost information, for keeping damaged files intact, to reverse engineer projects with missing source code, or to view the imports/exports of the standard DLLs.



Viewers
- Headers Info Viewer displays the EXE header information contained in the PE file header.
- Data Directories Viewer to view and edit Data Directories.
- Sections Header Viewer to view, extract, recalculate or delete sections from the program body.
- Export, Import and Delay Import Viewers.
- Function Syntax Viewer displays the calling syntax for functions.
- Digital Signature Viewer to validate the digital signature of a PE file.
- Dependency Scanner traces the dependency chain for the program's libraries.
- Relocation Viewer to view the contents of the base relocation table.
- Debug Information Viewer displays the debug information contained in the file.
- Resource Viewer to browse, delete, or extract nearly every type of resource.
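The header fields, section table and checksum that these viewers display (and that the "PE file integrity verification" and "Checksum computing" features above act on) can be read with a short parser. The following is an added Python example, not PE Explorer code: it constructs a minimal PE32 image in memory, parses the same fields, recomputes the optional-header CheckSum the way Windows' CheckSumMappedFile does, and maps the entry-point RVA to a file offset through the section table. build_minimal_pe, parse_pe and the other function names are this example's own, and the image is a constructed sample rather than a real program.

```python
import struct

# Constants from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C


def build_minimal_pe(entry_rva=0x1000):
    """Constructed sample: a tiny well-formed PE32 image (one .text section of
    RET instructions), so the parser below has input without any real file."""
    e_lfanew = 0x40
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    # Optional header, standard fields: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 0, 0, 0x200, 0, 0, entry_rva,
                      0x1000, 0x2000)
    # Windows fields: ImageBase, SectionAlignment, FileAlignment, six version
    # words, Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (0 for now),
    # Subsystem, DllCharacteristics, stack/heap reserve+commit, LoaderFlags,
    # NumberOfRvaAndSizes
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)  # 16 empty data directories
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + PE_SIGNATURE + coff + opt + section).ljust(0x200, b"\0")
    return headers + (b"\xC3" * 16).ljust(0x200, b"\0")


def parse_pe(data):
    """Read the fields a PE header viewer shows: machine, entry point, image
    base, the stored CheckSum and the section table."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    checksum_offset = opt_off + 64
    sections = []
    for i in range(nsections):
        name, _, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "checksum": struct.unpack_from("<I", data, checksum_offset)[0],
            "checksum_offset": checksum_offset, "sections": sections}


def pe_checksum(data, checksum_offset):
    """The optional-header checksum as CheckSumMappedFile computes it: a 16-bit
    one's-complement fold over every dword except the CheckSum field itself,
    plus the file length. Assumes checksum_offset is 4-byte aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_checksum(data):
    """True when the stored CheckSum matches a recomputation."""
    info = parse_pe(data)
    return info["checksum"] == pe_checksum(data, info["checksum_offset"])


def fix_checksum(data):
    """Return a copy with the CheckSum field rewritten to the correct value."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def rva_to_offset(info, rva):
    """Map an RVA such as the entry point to a file offset via the section
    table, which a viewer must do before it can show the bytes there."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)
```

The CheckSum is a weak integrity check, not a signature: it catches accidental corruption and is required by the loader only for drivers and some system DLLs, so a mismatch after editing a file with a tool like this means the field must be recomputed, while a correct value says nothing about whether the file was tampered with deliberately. The Digital Signature Viewer listed above is the right check for that.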

Fig. 4

PE Explorer provides important information about entry points, numbers, names and calling syntax of exported functions. Now, when reviewing functions with the Import and Export Viewers, clicking a function entry instantly displays the calling syntax for that function that PE Explorer knows about, and allows you to expand the syntax database with your own definitions. Parameters, return values and calling conventions are conveniently displayed for you in the window below.


Fig. 5

The Dependency Scanner tool allows you to recursively scan all modules linked to by a particular PE file. Use the Dependency Scanner to make it crystal clear which libraries an application depends on, so you know exactly which files you need to package into your application's installation program, or which files to copy when moving a 3rd party application from one computer to another. Dependency Scanner also detects delay-load dependencies.

Editors
- Resource Editor to edit or replace nearly every type of resource.
- Application Manifest Wizard for adding the manifest resource into existing applications and marking applications with a requested execution level to tell Vista to run the applications elevated.
- Characteristics Editor to view or set flag bits in the PE file header Characteristics field.
- Section Editor to change all the fields in the section header, or repair and restore damaged section header settings.
- Syntax Description Editor for adding custom comments, altering values or creating new library descriptions.
- Debug Information and Relocations Removal Tools.
- Time Date Stamp Adjuster to modify all the timestamps in the PE file header to one uniform value.


Fig. 6

PE Explorer offers one of the most convenient and easy-to-use resource editors available for Windows. Visual editing features let you quickly browse and modify executable file resources from within the file. Dialog boxes, menus, string tables, icons, bitmaps, manifests and more are right at your fingertips.


Disassembler
- It supports the Intel 80x86, Pentium family, and other compatible processors.
- It has the x86 instruction sets and extensions (MMX, SSE, SSE2 and SSE3) and the AMD K6-2 3D-Now! extensions.
- It provides easy browsing using Found Data panes, search options and address/offset jump history.
- It pulls ASCII text strings and VCL Objects out of the data portion of the file.
- It saves and loads the disassembly listing and all the changes made, to continue later.

Fig. 7

PE Explorer Disassembler utilizes a qualitative algorithm designed to reconstruct the assembly language source code of target binary win32 PE files (EXE, DLL, OCX) with the highest degree of accuracy possible. Disassemble an application or library to figure out its exact inner workings. While as powerful as the more expensive disassemblers, PE Explorer focuses on ease of use, clarity and navigation. Whenever possible, the disassembly will show descriptive names extracted from runtime type information stored inside the executable file.

3.7.5 Boomerang (Machine Decompiler)


Boomerang is an attempt to develop a real decompiler for machine code programs through the open source community. A decompiler takes as input an executable file, and attempts to create a high level, compilable, possibly even maintainable source file that does the same thing. It is therefore the opposite of a compiler, which takes a source file and makes an executable. However, a general decompiler does not attempt to reverse every action of the compiler; rather it transforms the input program repeatedly until the result is high level source code. It therefore won't recreate the original source file; probably nothing like it. It does not matter if the executable file has symbols or not, or was compiled from any particular language. The intent is to create a retargetable decompiler (i.e. one that can decompile different types of machine code files with modest effort, e.g. X86-windows, sparc-solaris, etc). It was also intended to be highly modular, so that different parts of the decompiler can be replaced with experimental modules. It was intended to eventually become interactive, because some things (not just variable names and comments, though these are obviously very important) require expert intervention. Whether the interactivity belongs in the decompiler or in a separate tool remains unclear.


Fig. 8



What Boomerang can do?
An attempt has been made to line up equivalent original source, binary, and decompiled source code lines; this is not always possible. Comments in red are not generated by the decompiler; those in black are. (Colour is not preserved in this text: the comments that refer back to the original variable names, sum and i, are the hand-added ones.)

Original source code:

    #include <stdio.h>
    int a[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    int main() {
        int sum = 0;
        int i;
        for (i=0; i < 10; i++) {
            sum += a[i];
        }
        printf("Sum is %d\n", sum);
        return 0;
    }

Disassembled binary code:

    8049460 01000000 02000000 03000000 04000000
    8049470 05000000 06000000 07000000 08000000
    8049480 09000000 0a000000
    8048328: push   %ebp
    8048329: mov    %esp,%ebp
    804832b: sub    $0x8,%esp
    804832e: and    $0xfffffff0,%esp
    8048331: mov    $0x0,%eax
    8048336: sub    %eax,%esp
    8048338: movl   $0x0,0xfffffffc(%ebp)
    804833f: movl   $0x0,0xfffffff8(%ebp)
    8048346: cmpl   $0x9,0xfffffff8(%ebp)
    804834a: jle    804834e <main+0x26>
    804834c: jmp    8048364 <main+0x3c>
    804834e: mov    0xfffffff8(%ebp),%eax
    8048351: mov    0x8049460(,%eax,4),%edx
    8048358: lea    0xfffffffc(%ebp),%eax
    804835b: add    %edx,(%eax)
    804835d: lea    0xfffffff8(%ebp),%eax
    8048360: incl   (%eax)
    8048362: jmp    8048346 <main+0x1e>
    8048364: sub    $0x8,%esp
    8048367: pushl  0xfffffffc(%ebp)
    804836a: push   $0x804842c
    804836f: call   8048268 <printf@plt>
    8048374: add    $0x10,%esp
    8048377: mov    $0x0,%eax
    804837c: leave
    804837d: ret
    804842c 53756d20 69732025 Sum is %
    8048434 640a00            d..

Decompiled source code:

    int a[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
    int main(int argc, char **argv, char **envp) {
        int local1;     // m[r28{0} - 8]     // sum
        int local2;     // m[r28{0} - 12]    // i
        local1 = 0;
        local2 = 0;
        while (local2 <= 9) {
            local1 += a[local2];    // sum += a[i]
            local2++;               // i++
        }
        printf("Sum is %d\n", local1);
        return 0;
    }

This example shows:
- Source that is fairly readable, compiles with no warnings and runs correctly.
- Conversion of stack locations to local variables.
- Detection, declaration, use, and initialisation of an array.
- Correct handling of a C string through the use of the string as a parameter to a library function.

The output from sumarray-O4 (the same program compiled with -O4 optimisation) looks much the same (as of September 2004), except that the pretested while loop is replaced by a posttested do-while loop.

Original source code:

    void main() {
        int a, x;
        a = 0;
        do {
            a = a + 1;
            x = a;
            printf("%d ", a);
        } while (a < 10);
        printf("a is %d, x is %d\n", a, x);
        return 0;
    }

Disassembled binary code:

    10684: save    %sp, -112, %sp
    10688: clr     %o0
    1068c: sethi   %hi(0x10400), %l0
    10690: add     %o0, 1, %i0
    10694: or      %l0, 872, %o0
    10698: call    printf
    1069c: mov     %i0, %o1
    106a0: cmp     %i0, 9
    106a4: ble     0x10690
    106a8: mov     %i0, %o0
    106ac: sethi   %hi(0x10400), %g1
    106b0: mov     %i0, %o1
    106b4: mov     %i0, %o2
    106b8: call    printf
    106bc: or      %g1, 880, %o0
    106c0: ret
    106c4: restore %g0, 0, %o0

Decompiled source code:

    int main(int argc, char **argv, char **envp) {
        int local17;    // argc{37}
        int local18;    // argc{73}       // "old a"
        int local19;    // local18{73}
        // argc = 0;    // Compiler reuses argc for a
        local19 = argc;
        do {
            local18 = local19;
            printf("%d ", local18 + 1);
            local17 = local18 + 1;
            local19 = local17;
        } while (local18 + 1 <= 9);
        printf("a is %d, x is %d\n", local18 + 1, local18 + 1);
        return 0;
    }

This example shows:
- Boomerang can decompile SPARC binary programs.
- Copes with SPARC "register windows".
- Untangles the "delay slot" instructions (after every call and branch instruction).
- local19 had to be generated as a result of transforming out of SSA form: too many local variables.

3.7.6 REC Decompiler


REC is invoked with the following command line syntax:

    rec [{+|-}optionname ...] exec_file

To activate an option, precede its name with a + (plus) sign. To disable an option, precede it with a - (minus) sign. To get the list of all the options and their current value, type:

    rec +help

The minimum input to REC is the binary executable file. For example:

    rec file.exe

If file.exe is in one of the recognized formats, it will be read, and a file.rec will be produced using the default options, without further intervention from the user.

REC can operate in three modes:

Batch mode: By default, the user must provide an executable or command file name when invoking REC. This file will be opened and analyzed, and an output file with the same name as the input file and extension .rec is produced, without further intervention by the user.

Full screen interactive mode: In this mode, the user can interactively analyze the input file by disassembling or decompiling individual procedures. The


user also has access to a hexadecimal viewer, and he or she can view some of the data that REC uses internally, such as the list of strings, labels, procedures etc. REC enters interactive mode when invoked from the command line with the +interactive option.

HTML generation mode: In this mode REC reads the standard input for commands, and generates an HTML page as the result of each command typed. This mode is used on UNIX to allow a web browser like Netscape to act as the user interface of the decompiler. A proxy program is needed to translate the browser's requests into REC's standard input commands. Check the HTTP Server setup page for a description of how to use this mode. REC uses HTML generation mode when invoked from the command line with the +html option.

The other options are used to debug the program, or to tune its output. A complete list of the options requires an understanding of the algorithms and phases that REC performs to transform an executable file into a source file. If you don't know the meaning of one option, you can experiment by enabling it and check if the output is clearer. Note that some options are only valid if another option is enabled. The same set of options is available regardless of the host/target combination.

Interactive mode
Interactive mode is used to analyze the program being decompiled. This mode is useful to access the hexadecimal viewer, and to inspect many of the internal lists maintained by REC, such as the strings list, the labels list, etc. To use REC in interactive mode, the user must invoke it with the following command line:

    rec +interactive file.exe

REC will start analyzing file.exe to find which areas contain strings, code and data.
It will also build the list of labels and branches, and then will try to build a list of the procedures contained in the program. After this phase, the main menu will be presented:

    Reverse Engineering Compiler 1.4 (C) Giampiero Caprino (Nov. 15 1998)
    r : show regions
    d : dump regions
    l : show labels
    b : show branches
    j : show jump tables
    s : show strings
    y : show symbols
    p : show procedures
    o : show options
    D : hexdump file
    Q : quit program




REC's user interface is based on a simple list browser. The user can type the following keys while in the list browser:
- Up arrow or BS key: moves the cursor one line up
- Down arrow or Enter key: moves the cursor one line down
- Page Up or Ctrl-B key: shows the previous page
- Page Down or Ctrl-F key: shows the next page
- Right arrow when the cursor is on a highlighted word: executes the command associated with the word. If there is a menu, typing any highlighted letter from the menu executes the command associated with the letter.
- Left arrow, Q or ESC key: exits the current screen and returns to the previous screen.

The exclamation mark ! is used to request the evaluation of numeric expressions. The forward slash / character is used to search a string in the current list. The question mark ? character searches a string backwards. The 'n' character repeats the last search in the same direction. The 'N' character repeats the last search in the opposite direction.

Region List
The region list shows how the input file is organized. Structured file formats like COFF and ELF have separate areas for code, data and auxiliary information. The region list shows which area REC will consider for decompilation (marked with the text type) and which areas will be searched for ASCII strings (marked with the data type). The user can force REC to consider a file region to be text or data via the command file region: command.

Labels List
The labels list shows all the addresses that are the destination of a branch or call instruction. This list is used when building the procedure list. If REC incorrectly treats a data area as a text area, it can create labels that are not part of any text region. This usually causes an incorrect procedure list. The user can then change the region list until all incorrect labels are eliminated.

Branch List
The branch list shows all the addresses that have a branch, call or return instruction. This list is used when building the procedure list. If REC incorrectly treats a data area as a text area, it can create branches whose destination is not part of any text region. This usually causes an incorrect procedure list. The user can then change the region list until all incorrect branches are eliminated.

Jump Table List
The jump table list shows all those areas that may contain a table of addresses inside a text region. These are usually generated when compiling switch() statements. It is important that REC recognizes these tables because the control flow analyzer depends on this data to identify all the instructions of a procedure, and also to avoid treating data bytes as instructions.

Strings List
The strings list shows those portions of data regions that may have ASCII strings. These strings will then be used as parameters to functions like printf() and strcpy(), among others.
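REC's strings list is built by scanning only the regions marked data, which is why a wrong region list produces both missing strings and bogus labels. The following is an added Python example, not REC's code: it builds a strings list from a constructed region list and then looks for 32-bit immediates in the code region that point at one of those strings, which is how the push $0x804842c before the printf call in the Boomerang listing above ties the format string to the code that uses it. The region layout, the function names and the sample bytes (hand-encoded from the instructions in that listing) are constructed for this example.

```python
def find_ascii_strings(data, min_len=4, base=0):
    """Return (address, text) pairs for runs of printable ASCII (0x20..0x7E)
    of at least min_len bytes; base is the region's load address so that the
    addresses line up with the disassembly."""
    results = []
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            results.append((base + start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        results.append((base + start, data[start:].decode("ascii")))
    return results


def strings_by_region(regions, min_len=4):
    """Build the strings list from the data regions only (code regions are
    marked 'text' and skipped); returns {address: text}."""
    found = {}
    for region in regions:
        if region["type"] != "data":
            continue
        for addr, text in find_ascii_strings(region["bytes"], min_len, region["addr"]):
            found[addr] = text
    return found


def find_string_references(code, code_base, string_addrs):
    """Scan a code region for 32-bit little-endian immediates equal to a known
    string address and return (address_of_immediate, string_address) pairs.
    This is a constructed heuristic: a decompiler does this on decoded
    instructions rather than raw bytes, so false hits are possible on real input."""
    refs = []
    for off in range(len(code) - 3):
        value = int.from_bytes(code[off:off + 4], "little")
        if value in string_addrs:
            refs.append((code_base + off, value))
    return refs


# Constructed sample in the shape of REC's region list: one text (code) region
# and one data region. The code bytes were encoded by hand from the
# sub/pushl/push/call/add sequence at 0x8048364 in the sumarray listing; the
# data region holds the format string at 0x804842c.
SAMPLE_REGIONS = [
    {"name": ".text", "type": "text", "addr": 0x8048364,
     "bytes": bytes([0x83, 0xEC, 0x08,                 # sub    $0x8,%esp
                     0xFF, 0x75, 0xFC,                 # pushl  0xfffffffc(%ebp)
                     0x68, 0x2C, 0x84, 0x04, 0x08,     # push   $0x804842c
                     0xE8, 0xF4, 0xFE, 0xFF, 0xFF,     # call   8048268 <printf@plt>
                     0x83, 0xC4, 0x10])},              # add    $0x10,%esp
    {"name": ".rodata", "type": "data", "addr": 0x8048428,
     "bytes": b"\x00\x00\x00\x00Sum is %d\n\x00"},
]

if __name__ == "__main__":
    strings = strings_by_region(SAMPLE_REGIONS)
    for addr, text in sorted(strings.items()):
        print("%08x  %r" % (addr, text))
    for code_addr, str_addr in find_string_references(
            SAMPLE_REGIONS[0]["bytes"], SAMPLE_REGIONS[0]["addr"], set(strings)):
        print("immediate at %08x refers to string at %08x" % (code_addr, str_addr))
```

Note that the newline inside "Sum is %d\n" ends the printable run, so the strings list entry is "Sum is %d"; a real tool would typically treat common escape bytes as part of the string. Marking the .text region as data instead would make the scanner report printable-looking instruction bytes as strings, which is exactly the failure mode the region list is there to control.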


Symbols List
This list shows every symbolic name associated with addresses. These are usually names of procedures (belonging to a text region) or names of global variables (belonging to a data region). The symbol names and addresses are taken from the file's symbol table, if available. The symbol list also shows the list of imported symbols (from a types: or prototype file), and the list of user specified symbols (entered via the symbol: command in a .cmd file).

Procedure List
The procedure list shows all the addresses where REC has identified a user procedure. Some of these addresses may come from the Symbols List, in which case the name of the procedure is also shown. For static functions and for files without a symbol table, the entry point of the procedure is used as its name.

Options List
The option list allows the user to enable or disable each option. Some options are used to produce a better output, some to enable alternative analysis algorithms, and some enable internal debugging features.

Hexdump Viewer
The hexdump viewer shows the content of the input file in hexadecimal, one page at a time. The usual cursor movement characters can be used to navigate through the dump. This mode is very useful to look at areas that REC has not recognized as code or data.


3.7.7 Andromeda Decompiler


Andromeda Decompiler (AD) is an attempt to create a universal interactive program environment for Reverse Engineering, the two main features of which are:
- Research and investigation of binary modules at the level of source code;
- Partial or full restoration of them up to re-compilable form.

Fig. 9



At present the project is in its development stages and its application is limited to the purposes of demonstration and evaluation. The universality of AD means its ability to accept input files from various target platforms and to produce source code in a desired high-level language. Though at present the program is intended only for a 32-bit Intel x86-compatible frontend and a C/C++ backend, its kernel is developed with this opportunity in mind. AD is an interactive decompiler. This means that the user takes an active part in the decompilation process. AD is not an automatic analyzer of programs. AD will hint you of suspicious situations, unsolved problems etc. It is your job to inform AD how to proceed. All the changes made by you are saved to disk. When you start AD again, all the information about the file being decompiled is read from disk and you can continue your work.

3.7.8 Remotesoft .NET Explorer


Remotesoft .NET Explorer is a generic object browser and MSIL disassembler with a professional look and feel. It offers the same functionality as the Microsoft ILDASM disassembler utility, plus low level viewing of metadata and PE format. Remotesoft .NET Explorer works together with the vendor's decompiler and obfuscator, and acts as a console for easy navigation and powerful code editing and printing. This tool can be used as a source code editor, and it has a powerful syntax coloring system that recognizes many popular source files, including IL, C#, C/C++, VB, ASP, JAVA, HTML, FORTRAN, PHP, etc.

New features:
- .NET Framework 2.0 support.
- Visual Studio .NET Addin: launch from Tools > Remotesoft .NET Explorer.
- Launch from right-clicking an EXE or DLL file.
- Managed resources view.
- MSIL Linker: combining assemblies/modules together (requires purchase of the Linker product).
- Dependency walker, understands the app.exe.config file.
- Tool tips in the metadata viewer for displaying symbol names.
- Highly accurate disassembly output, which can be re-assembled using ILASM.

Upcoming features:
- Unmanaged resources view
- Comprehensive documentation with Microsoft .NET Spec
- x86 native disassembler
- Easier navigation.

1) Disassembler
Remotesoft .NET Explorer provides built-in support for IL disassembling. It generates very accurate MSIL code that can be used as input for the Microsoft ILASM assembler. The following is a screen shot of .NET Explorer. The left panel is the ILDASM-like class tree of an assembly, while the right panel shows the IL code of the selected class.


Fig. 10

2) Decompiler
Remotesoft .NET Explorer can be integrated with the vendor's decompiler for easy access to any methods of any assemblies. The following is a screen shot with the decompiler enabled. The left panel is the ILDASM-like class tree of an assembly, while the right panel shows the C# code of the selected class.

Fig. 11

3) Metadata Viewer
Remotesoft .NET Explorer has built-in support for viewing low level .NET metadata. The following is a screen shot that shows the string heap of the selected assembly. A hex dump of the file is displayed in the lower right pane.



Fig. 12

4) PE Format Explorer
Remotesoft .NET Explorer has built-in support for viewing the low level PE (Portable Executable) format. It recognizes both .NET images and native images that are compiled from C/C++. The following screen shot shows the CLI header of the selected assembly. A hex dump of the file is displayed in the lower right pane.

Fig. 13

5) Resource viewer
Remotesoft .NET Explorer has built-in support for viewing managed resources. When a managed resource is double clicked, an external viewer will be launched. A managed resource can also be saved into a file. Shown below is a screen shot that illustrates the features. Support for unmanaged resources will be gradually added into the product.



Fig. 14

6) Dependency Walker
Remotesoft .NET Explorer has built-in support for viewing all dependencies of an assembly, including managed assembly/module references, unmanaged DLLs and miscellaneous file references. Shown below are two screen shots that illustrate the features. Dependencies can be viewed in a controlled manner: you can show only the managed references, or all dependencies recursively. The application configuration file, app.exe.config, when it exists, is parsed to locate dependencies. A reference, such as an unmanaged DLL, can easily be loaded into the .NET Explorer for browsing and exploring. Dependencies of an unmanaged DLL can be examined, including its import functions and export tables.

Fig. 15



Fig. 16

7) Integrating With Decompiler, Obfuscator, Protector and Linker
Remotesoft .NET Explorer is the common GUI for interacting with Remotesoft's other products. Through the same interface, you can perform linking, obfuscation, protection and mini deployment. You can immediately test the effectiveness of your code protection by disassembling and decompiling the resulting assemblies within the same GUI. The integration works only when you purchase the other products.

3.7.9 Spices .NET Decompiler


Spices.Net is a set of .NET code security, code protection and software lifecycle management tools for .NET developers, including .NET obfuscation, tamper-defence tools, tools to recover source code and convert binaries to C# and VB.NET, documentation services, and analysis and modelling tools, in one environment that constantly offers new possibilities. Programming on Microsoft's .NET Framework platform gives additional horizons for realizing various ideas with an extensive set of features. Spices.Net is a next-generation set of tools that helps .NET developers increase the security, safety, productivity, quality and efficiency of .NET software, and that continues to offer a wide range of features for developers and many new possibilities. The Spices.Net Suite currently includes the following highly integrated modules:

Spices.Net Obfuscator
Provides solutions to increase .NET code security, protect your .NET code and make it tamper resistant, together with localization, analysis and software lifecycle management tools and services. Make sure to keep your intellectual property secure! Using only the Spices.Net Obfuscator, you can put your code within a concentrically protective bulb of security. Misinformation, blind alleys that lead to dead ends, and obtuse gibberish will greet the hacker and send them packing for greener pastures. Note, however, that obfuscation only raises the cost of analysis: the IL must remain executable by the CLR, so a determined analyst can still recover the logic, which is why the vendor text above recommends decompiling your own protected assembly to see what is actually exposed.


Fig. 17

Spices.Net Decompiler
Provides tools to recover source code and convert binaries to C#, VB.NET, J#, Delphi.NET and managed C++, plus code flow visual representation tools.
Spices.Modeler
Provides modelling and diagramming tools to visually represent various types of .NET code and the relationships and structure of assembly members.

Fig. 18



Spices.Investigator
Provides .NET metadata and assembly structure browsing tools to get detailed information about any item at a low level.
Spices.Informer
Provides detailed context information about any assembly member.
Visual Studio Integration Package (VSIP)
A special module that deeply integrates the Spices.Net tools with Microsoft's Visual Studio IDE, MSBuild and NAnt build environments. This package delivers the full set of Spices.Net features into Microsoft Visual Studio and expands the Visual Studio development environment functionality. Spices.VSIP offers integration with Microsoft Visual Studio 2003/2005/2008/2010 and MSBuild build environments.

Fig. 19

Spices.Decompiler features the unique functionality that lets you easily see how your code is working. Code Flow diagrams give you the complete picture of how a given method is called or used.

Check Your Progress 4
Notes: a) Space is given below for writing your answer.
b) Compare your answer with the one given at the end of this Unit.
List 5 tools used for reverse engineering. Which tool is the most feature-packed program for inspecting the inner workings of your software? Explain the working of that tool.
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................
..................................................................

3.8 LET US SUM UP


This unit deals with the concept of 'Reverse Engineering', which is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates. This kind of inquiry engages individuals in a constructive learning process about the operation of systems and products. Reverse engineering as a method is not confined to any particular purpose, but is often an important part of the scientific method and technological development. The process of taking something apart and revealing the way in which it works is often an effective way to learn how to build a technology or make improvements to it.
There are two types of reverse engineering, i.e. Software Reverse Engineering and Hardware Reverse Engineering. Software reverse engineering is done to retrieve the source code of a program because the source code was lost, to study how the program performs certain operations, or to improve the performance of a program. Hardware reverse engineering involves taking apart a device to see how it works. In order to reverse engineer a product or a component of a system, engineers and researchers generally follow a four-stage process: 1. Identifying the product. 2. Observing or disassembling the information. 3. Implementing the technical data. 4. Creating a new product. This unit concentrates on the disassembling stage. In the development of software, the source code that programmers originally write is translated into object (binary) code. Another concept is the software crack: the modification of an application's binary to cause or prevent a specific key branch in the program's execution. This is accomplished by reverse engineering the compiled program code using a debugger until the software cracker reaches the subroutine that contains the primary method of protecting the software, or by disassembling an executable file.
Moreover, the various tools used to perform reverse engineering are explained thoroughly.

3.9 CHECK YOUR PROGRESS: THE KEY


1) Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. Software reverse engineering involves reversing a program's machine code (the string of 0s and 1s that is sent to the logic processor) back into the source code that it was written in, using programming language statements. Reverse engineering can be viewed as the process of analyzing a system to:
i) Identify the system's components and their interrelationships
ii) Create representations of the system in another form or at a higher level of abstraction
iii) Create the physical representation of that system
The need for reverse engineering:
Interoperability: Interoperability is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation.
Lost documentation: Reverse engineering is often done because the documentation of a particular device has been lost or was never written, and the person who built it is no longer available. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then redesign it.
Product analysis: To examine how a product works, what components it consists of, estimate costs, and identify potential patent infringement.
Digital update/correction: To update the digital version (e.g. a 3D/CAD model) of an object to match an as-built condition.
Security auditing: Determining whether vulnerabilities exist in a product.
Learning: Learn from others' mistakes. Do not make the same mistakes that others have already made and subsequently corrected.
2) The second stage, disassembly or decompilation of the original product, is the most time-consuming aspect of the project. In this stage, reverse engineers attempt to construct a characterization of the system by accumulating all of the technical data and instructions on how the product works. In the third stage of reverse engineering, reverse engineers try to verify that the data generated by disassembly or decompilation is an accurate reconstruction of the original system. Engineers verify the accuracy and validity of their designs by testing the system, creating prototypes, and experimenting with the results.
3) Proprietary software developers are constantly developing techniques such as code obfuscation, encryption, and self-modifying code to make this modification increasingly difficult. Even with these measures being taken, developers struggle to combat software cracking. This is because it is very common for a professional to publicly release a simple cracked EXE or Retrium Installer for public download, eliminating the need for inexperienced users to crack the software themselves.
4) The five tools used for reverse engineering are:
i) IDA Pro

ii) Spices .NET Decompiler
iii) Remotesoft .NET Explorer
iv) PE Explorer
v) REC Decompiler
PE Explorer is the most feature-packed program for inspecting the inner workings of your own software and, more importantly, of third-party Windows applications and libraries for which you do not have source code. PE Explorer lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX controls, to the less familiar types, such as SCR (screensavers), CPL (Control Panel applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on the MS Windows Mobile platform). PE Explorer gives you the power to look inside these PE binary files, perform static analysis, reveal a lot of information about the function of the executable, and collect as much information about the executable file as possible, without executing it. PE Explorer leaves you with only minimal work to do in order to get an analysis of a piece of software. Once you have selected the file you wish to examine, PE Explorer will analyze the file and display a summary of the PE header information and all of the resources contained in the PE file. From there, the tool allows you to explore the specific elements within an executable file.
Besides being an effective resource editor, PE Explorer also provides several tools that elevate it to "power coder" status: an API function syntax lookup, a dependency scanner, a section editor, a UPX unpacker, and a powerful yet easy-to-use disassembler. With PE Explorer you can view and inspect unknown binaries, examine and edit the properties of EXE and DLL files, and correct and repair the internal structures of any PE (portable executable) file with the click of a button. PE Explorer is intended to be used in various scenarios such as software development, forensics practice, reverse engineering, extensive binary security analysis and binary auditing processes. Because all of this is static analysis, the file is never executed, which is what makes the tool usable on untrusted or suspected-malicious binaries.
With PE Explorer you can:
See what's inside an executable and what it does
Change and customize the GUI elements of your Windows programs
Track down what a program accesses and which DLLs are called
Understand the way a program works, behaves, and interacts with others
Verify the publisher and the integrity of signed executable files
Say goodbye to digging through bloated help files just to hash out an API reference
Open UPX-, Upack- and NsPack-compressed files seamlessly in PE Explorer, without long workarounds
Special support for Delphi applications
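The three inspections described in this unit, reading the PE headers (Remotesoft's PE Format Explorer and PE Explorer's header summary), deciding from data directory 14 whether an image is managed or native and reading its CLI header and metadata root (the Metadata Viewer), and walking the import directory to list the DLLs a binary depends on (the Dependency Walker), can all be done offline with nothing but the file and the PE specification. The script below is an added example written for this page; it is not code from Remotesoft, Heaventools (PE Explorer) or Spices, and it uses only Python's standard library rather than a PE library such as pefile. The PE image it parses is constructed in memory by build_demo_image(); its section name, import (mscoree.dll!_CorExeMain), CLR version string and all offsets are made up for the demonstration and are labelled as such in the code.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14          # CLR runtime (CLI) header directory
COMIMAGE_FLAGS_ILONLY = 0x1
def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii")

def parse_pe(image):
    """DOS header -> PE signature -> COFF/optional headers, data directories, section table."""
    if image[:2] != b"MZ": raise ValueError("missing MZ signature")
    pe = _u32(image, 0x3C)                                              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24
    nsec, opt_size, magic = _u16(image, coff + 2), _u16(image, coff + 16), _u16(image, opt)
    if magic not in (0x10B, 0x20B): raise ValueError("unknown optional header magic %#x" % magic)
    plus = magic == 0x20B                                               # PE32+ (64-bit) layout
    dbase = opt + (112 if plus else 96)                                 # first data directory
    dirs = [struct.unpack_from("<II", image, dbase + 8 * i)
            for i in range(_u32(image, dbase - 4))]                     # NumberOfRvaAndSizes
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 8)
        sections.append({"name": image[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"pe32plus": plus, "dirs": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    """Map an RVA (loader's view) to a file offset (on-disk view) via the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

def cli_header(image, pe):
    """IMAGE_COR20_HEADER and the metadata-root version string; None means a native image."""
    rva, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    if rva == 0 or size == 0: return None
    _cb, major, minor, md_rva, _md_size, flags = struct.unpack_from(
        "<IHHIII", image, rva_to_offset(pe, rva))
    m = rva_to_offset(pe, md_rva)                                       # metadata root
    if image[m:m + 4] != b"BSJB": raise ValueError("bad metadata signature")
    return {"runtime": "%d.%d" % (major, minor), "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
            "clr_version": _cstr(image, m + 16)}                        # string follows Length field

def imports(image, pe):
    """Walk the import directory: {dll name: [function name or 'ordinal#N', ...]}."""
    rva, _size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT]
    if rva == 0: return {}
    fmt, tsize, ordflag = ("<Q", 8, 1 << 63) if pe["pe32plus"] else ("<I", 4, 1 << 31)
    result, d = {}, rva_to_offset(pe, rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, d)
        if name_rva == 0: break                                         # all-zero terminator
        names, t = [], rva_to_offset(pe, oft or ft)                     # prefer ILT over IAT
        while True:
            entry = struct.unpack_from(fmt, image, t)[0]
            if entry == 0: break
            names.append("ordinal#%d" % (entry & 0xFFFF) if entry & ordflag
                         else _cstr(image, rva_to_offset(pe, entry & 0x7FFFFFFF) + 2))  # skip hint
            t += tsize
        result[_cstr(image, rva_to_offset(pe, name_rva))] = names
        d += 20
    return result

def summarize(image):
    """The triage the text describes: managed or native, CLR version, sections, dependencies."""
    pe = parse_pe(image)
    cli = cli_header(image, pe)
    return {"kind": "managed (.NET)" if cli else "native", "cli": cli,
            "sections": [s["name"] for s in pe["sections"]],
            "packed_hint": any(s["name"].startswith("UPX") for s in pe["sections"]),
            "imports": imports(image, pe)}

def build_demo_image():
    """Constructed PE32 image, not a real binary: one .text section at RVA 0x1000 / file offset
    0x200 importing mscoree.dll!_CorExeMain, plus a CLI header whose metadata root says v4.0.30319."""
    sec = bytearray(0x400)
    def put(rva, data): sec[rva - 0x1000:rva - 0x1000 + len(data)] = data
    put(0x1000, struct.pack("<IIIII", 0x1040, 0, 0, 0x1060, 0x1048) + bytes(20))  # descriptor + end
    put(0x1040, struct.pack("<II", 0x106C, 0) * 2)                      # ILT, then IAT
    put(0x1060, b"mscoree.dll\0" + b"\0\0_CorExeMain\0")                # DLL name; hint+name at 0x106C
    put(0x1100, struct.pack("<IHHIII", 72, 2, 5, 0x1200, 28, COMIMAGE_FLAGS_ILONLY) + bytes(52))
    put(0x1200, struct.pack("<4sHHII", b"BSJB", 1, 1, 0, 12) + b"v4.0.30319\0\0")
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x1000, 40)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x1100, 72)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)      # i386, one section
    opt = (struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x400, 0, 0, 0x1000, 0x1000, 0x2000)
           + struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                         0, 0x2000, 0x200, 0, 3, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"".join(struct.pack("<II", r, s) for r, s in dirs))
    sechdr = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + b"PE\0\0" + coff + opt + sechdr).ljust(0x200, b"\0") + sec)

if __name__ == "__main__": print(summarize(build_demo_image()))
```

Two points in the code are where home-grown PE readers usually go wrong, and both matter when the input is hostile. First, every RVA is translated through the section table before it is dereferenced, so a header that points outside any section raises instead of reading whatever bytes happen to sit at that file offset. Second, the managed/native decision is taken from data directory 14, not from the presence of an mscoree.dll import: the import is what the loader uses on old Windows versions, but it can be absent or faked, while the CLR refuses to run an image without a CLI header. Import thunks are also sized by the optional-header magic (4 bytes for PE32, 8 for PE32+), since reading 64-bit thunks as 32-bit silently produces nonsense names. To run it on a real file, replace build_demo_image() with open(path, "rb").read().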

