
Recommended Software for Reversers


RalDnoR
November 1st, 2000, 07:08
Hi all!

It pleases me to see there's already some real cool activity on this part of the forum.
This time I'd like to share with you my recommendations regarding reversing tools.

I'd like to select my tools depending on various aspects like: simplicity, size and the readability of the output.

For all newbies I'll try to explain what the purpose of the program is and where you can get it:

Disassembler
Name: W32Dasm
Location: ht*p://protools.cjb.net
Purpose: A disassembler takes an executable file (or library) and dissects it into assembly code. Good disassemblers also create string references which is usually a list of text-strings which are used from certain locations in the program. This is very handy to use when a string is displayed in the program like for example: 'Invalid serial-number'. When you know where the location is where the string is displayed it's easy to backtrace into the source-code where the validation is done.

Debugger
Name: TRW2000
Location: ht*p://www.protools.cjb.net
Purpose: I'm sure I will get some flames on this one. Most people will refer to SoftIce when it comes to a debugger, but as I've said before one of my criteria is size and TRW is VERY small and uses almost the same instruction set as SoftIce. The only drawback is that TRW runs only under Win9x. Another advantage of TRW is that it can be loaded and unloaded, so you can load it once the anti-debugger code has passed.
Anyway, a debugger is used to take a look inside a running program. You can halt execution of a certain program on any point and take a look at what's inside certain memory locations. This way you can for example 'sniff' serials. In many programs there's a location where the given serial is compared to a generated one (based on for example a username). With a debugger you can step through the code until you arrive on the comparison of the serials and 'sniff' the right serial (pretty cool huh?).

Registry Monitor
Name: Regmon
Location: ht*tp://www.sysinternals.com
Purpose: Well, I assume that most people know what the registry is... The registry is a centralised location where programs put information about their functionality (program settings, window-settings, encrypted registration info etc.). The registry consists of two files located in the windows dir (user.dat and system.dat). RegMon provides a live view on registry activity. So when a program tries for example to read a registration key from the registry you'll see it at the moment it occurs in RegMon.

(Message continues in reply due to exceeding of message size)

RalDnoR
November 1st, 2000, 07:09
(Continued message)

File Monitor
Name: FileMon
Location: ht*tp://www.sysinternals.com
Purpose: Besides getting registration information from the registry another trick from programs is to hide it in other files usually with strange filenames and located in system directories (like windows\system). You can also use this program to view dependencies. For example; when a program has a serial-validation routine but you can't find it in the disassembly of the main program it could be located in an external library (dll or vxd). With filemon you can check which files are 'connected' to the main program and from where they are used (of course you can also check the disassembly and locate the dependencies).

Api Monitor
Name: Api Monitor
Location: ht*tp://www.rohitab.com/apimonitor
Purpose: Windows programs are usually built with building blocks. Why should every programmer reinvent the wheel? This is why windows uses an API (Application Programming Interface). This means that dll's and vxd's (external 'programs' without startup-code) contain functions available to use for everyone. When a program needs to access the registry for example it can 'call' a function of the Windows-API which does all the dirty work without the programmer having to know the inner workings.
This API monitor displays when and which calls are made to the API. So it actually explains what a program is doing at a certain moment. Since API-calls usually have descriptive names you can learn a lot from this.
For example a function like StrCmpA (String Compare) might be a serial validation part.

Hex Editor
Name: UltraEdit
Location: ht*p://www.ultraedit.com (crack on ht*p://astalavista.box.sk)
Purpose: I will probably also get some flames on this one, because most people will use a dedicated hex-editor (like hiew or IMHO better, Biew, both available on ht*p://protools.cjb.net) but I prefer this one (despite its large size) since it integrates in windows (right click on a file and choose 'ultra-edit') and it supports all kinds of files. I use it for my programming exercises and for patching of files. Another nice thing is that it creates backups of edited files.

Scratch Pad
Name: Notepad
Location: Your windows directory
Purpose: Within no-time you'll find yourself making notes everywhere about certain locations, calculations and other stuff. Maybe even better than Notepad is to use just plain paper and a pencil.

Time Tool
Name: Watch
Location: Usually on your wrist
Purpose: Cracking sometimes takes a lot of time and dedication. Always keep in mind that tomorrow there's another day. You'll often find that after a night of sleep you'll suddenly get past the location where you were stuck the night before.


This is only a basic list which will be usable to reverse most programs. Once you're getting more experienced other tools might be useful like ProcDump, IDA and other stuff. Though I suggest working with the above tools to learn the basics.

Play with these tools, take some simple programs and notice what's going on behind the scenes.

I wish you good luck and if there are any questions don't hesitate to contact me.


Cheers,


RalDnoR.
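The disassembler and API-monitor entries above both rest on the same raw material: the text strings sitting in a binary's data, and the API names it pulls in. The following scanner is an added example and is not RalDnoR's code or part of any tool he lists; it shows the first step a string-reference list is built from (locating printable ASCII and UTF-16LE runs and recording their file offsets, which the disassembler then pairs with the code addresses that use them) and, as an illustrative heuristic rather than a rule, flags strings that look like Win32 API names of the kind an API monitor reports. The sample buffer is constructed for this example and does not come from any real program.

```python
import re
from typing import List, Tuple

# Constructed sample buffer standing in for a slice of a Win32 executable's data;
# it is laid out to exercise the scanner, not taken from any real program.
SAMPLE = (
    b"\x00\x00MZ\x90\x00\x03"                                   # header-like noise
    + b"Invalid serial-number\x00"                                # ASCII message string
    + b"\x8b\x45\xfc\x50\xe8"                                     # opcode-like bytes, not text
    + "Registration successful".encode("utf-16-le") + b"\x00\x00"  # wide (UTF-16LE) string
    + b"lstrcmpA\x00RegQueryValueExA\x00"                         # import-name style entries
    + b"ab\x00"                                                   # too short to report
)

# Heuristic shape of a Win32 API name (an assumption of this example): one
# alphanumeric token, at least five characters, ending in the A/W suffix.
_API_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{3,}[AW]")


def find_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (file_offset, encoding, text) for every run of at least min_len
    printable characters, sorted by offset.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are the same bytes each
    followed by 0x00, which is how most Win32 message strings are stored and
    why a plain ASCII scan misses them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def looks_like_api_name(text: str) -> bool:
    """Heuristic flag: mixed-case single token ending in A or W, the naming
    convention of Win32 ANSI/Unicode API pairs. Message strings with spaces
    or punctuation never match."""
    if not _API_NAME.fullmatch(text):
        return False
    return text != text.lower() and text != text.upper()


def report(data: bytes, min_len: int = 4) -> List[str]:
    """Human-readable lines: offset, encoding, text, and an API marker."""
    lines = []
    for offset, encoding, text in find_strings(data, min_len):
        tag = "  <- API-style name" if looks_like_api_name(text) else ""
        lines.append(f"0x{offset:08x} {encoding:8s} {text!r}{tag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The offsets are file offsets into the buffer; on a real executable you would still translate them through the section table to get the virtual address that a disassembler's string-reference list shows, which is exactly the bookkeeping W32Dasm does for you.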

?ferret
November 1st, 2000, 21:11
Hi Raldnor,

I tried to mail u, but the mail got returned....mail me at jcferret at yahoo dot com, so we can bounce a few ideas around OK?

As for the post.....good going. Some people may stumble across this place and want to give it a shot, but not know what to use or how to use it...good thinking.

As for the possibility of being flamed for suggesting TRW? Not going to flame, but simply point out that 50% or so of the people I know that have tried it can't get it to run at all.....Win 9x or not ( would be pretty frustrating for a "complete newbie" to try to install suggested software & find he/she can't use it ;-))

MR. Candyman
November 2nd, 2000, 01:38
Thank you for saying what the debugger does when disassembling programs. That is a handy tool then...it would greatly simplify the project I'm doing right now where I'm trying to crack a dongle (the dongle doesn't execute instructions, it's just there).

RalDnoR
November 2nd, 2000, 04:59
Hey ?ferret!

Thanx for the reply! The best email address to use to mail me is: raldnor(at)crosswinds.net. It seems that the other account of mine had indeed some problems.
I'll mail you tonight (I'm working right now).

About TRW: it's quite simple... In the distribution (a zip-file if I'm correct) there are two files, an exe- and a vxd-file. The exe functions as a loader, the vxd is the actual debugger.
To load TRW simply start the executable and enter a program in the textbox (you can also browse for a program). Then press ok and the program will be started. To pop the debugger up press ctrl-n. To quit the debugger simply close the loader (so when you are debugging always keep the loader minimized).

Hope this helps dude

Cheers,

RalDnoR.

ByTeSnIpEr
November 8th, 2000, 21:19
I have used the first version of TRW2000 and it worked well, but was slightly unstable and buggy. Now isn't the version you are recommending shareware? It keeps popping up with a registration message during use, like the Nigel nag. Does it need a RE solution or are you recommending buying this app as a matter of course? Is there a later version that is not crippled?

Thanks
Bytesniper

?ferret
November 8th, 2000, 22:02
That choice is ultimately up to you, but if you find it to be a good proggy and continue using it (and can afford to)....by all means buy it. Programmers deserve to make a living (they have families too ;-))