If you are considering studying, or are just interested in advancing, the art of software reverse engineering, then the guide below is for you. I'll outline here everything you need to know and do. If you are at all serious then you should take heed and download all of my recommended materials; time invested in learning now will surely serve you well in the future.
It will also be worth your while to visit some of the other sites I've linked to on the web. After reading this document and attempting the small sample programs I've made available, you'll know whether or not this really is the art for you.
Software reverse engineering is the art and process of understanding your own and commercial software at a lower level than the compiler. Many reversers focus on the protection schemes used by software writers to disable or otherwise prohibit the full use of their software. I have personally used the knowledge I have gained through 'reversing' to improve existing tools as well as to recover projects for which I did not possess the source code.
Reverse engineering is NOT cracking per se, although it is sometimes difficult to draw the fine line between them, and I deplore the tens of thousands of warez sites that waste good server space on the web. If you are looking for easy cracks, key generators or serial numbers then my site will NOT be for you. Even though this information can be obtained with fairly minimal effort, I expect most warez aficionados will not find themselves reading this in the first place, and certainly won't have a clue how to assemble and link a key generator.
By learning to reverse engineer yourself, you are gaining a set of valuable skills and distinguishing yourself from the many losers who would rather waste their time searching through pages of bloated graphics and commercial porn sponsors than learning anything themselves. You will also find over a period of time that reversing aids immeasurably in the debugging of your own programs; you'll probably focus less on protection schemes too.
Any reverser will tell you that you will only ever be as good as the tools you use and the competency with which you use and customise them. Your best weapons are your tools, so invest the time learning how to use them. I suggest you obtain at the minimum the following (either download them from my tools page or locate them around the web using an ftp search).
- A Windows (preferably protected-mode) Debugger - The standard tool in this category is NuMega's SoftICE, which is susceptible to very few anti-debugging tricks; you will not break some protections without it. Download the versions relevant to the platform you plan to investigate, or better still download every version you can. (In most of my guides I use v3.2x/v4.0x for Windows 95/98.) Pay a visit also to NuMega's web site to keep informed of any new developments; these guys really know how to produce useful tools (need I mention BoundsChecker & SmartCheck).
- A Disassembler - There are probably 2 main choices for this category: the quicker but less technical W32Dasm v8.9x from URSoftware, and the slower, more advanced Intelligent Disassembler Pro from Data Rescue. In most cases W32Dasm is good enough, although for some applications you may consider using IDA. You might also care to investigate some of the older disassemblers such as Sourcer. The choice here is really a question of personal preference. Visual Basic v3 and v4 decompilers are also available, although I've never had a great deal of luck with the VB4 edition.
- A HEX Editor - In this category there are at least a dozen choices; most reversers will, however, develop their favourite, mine being DOS Hiew. Conventional search engines will find at least 30 HEX editors (some better than others); of the many out there in the woods, the following seem to be popular with reversers: Hex Workshop v2.54, UltraEdit v6.x, HEdit (you should of course learn how to reverse your tools first).
- Our Tools - Fairly recent progress has been made in this area, mainly as a result of several 'cracking' groups and the HCU. The 2 best developments of 1999 thus far have been IceDump v5.0 by The Owl & ProcDump v1.5 courtesy of G-RoM & Stone. Some tools for dongles have also made an appearance, specifically generic HASP VxDs, although I think there's some work to be done yet. Much progress has also been made in the area of in-memory patching courtesy of Stone (visit his very good website at http://cracking.net). Some good 'home grown' protections (PE encryptors) have also appeared (if only software authors would use them).
- Support Tools - room must also be found in any reverser's toolbox for the following tools :-
i) Registry Monitoring (RegMon).
ii) File Monitoring (FileMon).
iii) InstallShield script decompiling (isDCC, Wisdec).
iv) Installation Monitoring (CleanSweep).
The question most newer reversers ask is "do I need to know/learn how to program?", and the answer is not easy to give. I would suggest that a basic knowledge of Intel assembly language is a pre-requisite. The best source of information is currently Randall Hyde's superb Art of Assembly; you should download and peruse this guide in its entirety (especially as it has recently been converted into Adobe Acrobat pdf format). For quicker reference, download HelpPC.
If you are unable to program, consider learning a language (when I have time I'll place my own basic C tutorials on this page), but in the interim you'll have to make do with web resources. Intel Win32 assembler, Pascal and C++/Java are all good languages to learn. To assemble and link any of the ASM source files on this site you will need a copy of Borland's TASM or, with minor adjustments, MASM; check that you know how to assemble and link a program by testing my 1Mb memory dump program.
Download the documentation for SoftICE; both the Command Reference and Users Manual are available at NuMega's public ftp. There are many tutorials on how to use and customise SoftICE, including mine, which forms part of the 1st tutorial. The most common problems with SoftICE relate to the configuration file winice.dat, so download Mammon_'s superb guide on all aspects of SoftICE configuration.
Whilst at Greythorne's site, download all of the +ORC teachings, which have the added advantage of including the relevant files. Even though the +ORC programs are fairly old, read the texts very carefully indeed; I have found them useful on many occasions. If you already have some Windows programming knowledge then you will most likely already possess a Windows 32 API guide; otherwise locate the pertinent help file and download it (all C compilers that I know of carry the guide). For DOS programming, Ralf Brown's Interrupt List is a must-have reference guide.
As a reverse engineer you will encounter several protectionist strategies; a brief appraisal of the most common schemes is given below.
1. Serial Number/Password protections - These types of scheme are ubiquitous; just look around the web at the serial number lists available for losers. Usually the protection of choice for cheaper software, you'll usually find only variations upon a very simple scheme, maybe with some interesting mathematical manipulations. However, you should not dismiss programs using these schemes; some, such as ACDSee or WinRAR, will prove more than enough challenge for the casual reverser.
2. Time trials - With the explosion in magazine cover CD-ROMs, 30 day trials or 'cinderellas' are also common, although Microsoft prefers to allow you 60 or even 90 days to try their software. Time trials are also fairly easy because the number of tricks a programmer can use is so limited. On smaller software be aware that the authors often change the version fairly regularly, so reversing a 30-day trial may not even be necessary.
3. Function Disabled - These are becoming less common now; a program author will lock out certain operations (most commonly Save and Print), allowing you to trial his crippled software. In marketing terms, disabled software is less likely to encourage potential buyers to try the software: who will spend 2 hours constructing a work of art which cannot be saved?
Disabled software is either reversible or unreversible depending on whether the program author just locked out the functionality or removed the code altogether. I've seen instances where reversers have actually added back in the relevant code as required, although this usually requires advanced knowledge of the file format used by the particular program, and one doubts whether this was achieved without having the full program to refer to.
4. Commercial protection schemes - Now becoming more common as the capitalists seek to market web-ready software, you'll almost certainly run into SalesAgent from Release Software & VBox v4.x from Preview Systems. The latter is a pathetic protection which will require no more than 30 seconds' SoftICE work; the former is somewhat trickier. Packers such as ASPack, Petite and Shrinker are also becoming more common, but you'll need to read more about these elsewhere.
5. Hardware/Dongle Protections - Termed hardware protection, a dongle is a small device that is usually connected to the parallel port of the computer. The strength of any dongle protection is influenced a lot by the quality of the implementation, and a lot of them are fairly weak. If you have the actual dongle then reversing it will obviously be a lot easier, as you can just examine the relevant IN and OUT port instructions.
As with any protection, information is power, so always identify what flavour of dongle you are dealing with and visit the relevant manufacturers' web sites; often you'll be able to download full API sources. In some instances, if you do not have the dongle you may have to pray. Although no dongle is unreversible, some of the wrappers incorporate sophisticated encryption, anti-SoftICE tricks and self-modifying code, so in some cases you would be well advised to leave the dongle code as it is and patch the application side. The 2 most common dongles are HASP & Sentinel, which I personally have studied a lot.
Although I disagree with the concept of making ready-made patches for software, I recognise that in certain circumstances it can be beneficial for reversers to publish examples of their work. Pages which just distribute lamer cracks are wasted space, which is why I mostly avoid including a patch file, leaving you to probe on your own. Anyhow, this inevitably raises the question of whether you should use one of the existing patching engines or code your own.
For ease of use I recommend Jes's GPatch (tutorial included here), which generates 4-5k COM files. You may like to examine the source code to a very quick C patcher which I wrote fairly hastily; cranking up the compiler options may well reduce the file size. Pascal gurus (I am not one) may like to use/modify MisterE's Pascal patcher. There are many other patchers available; those written in ASM usually produce the smallest file size, although with the size of modern day HD clusters I doubt this is a real consideration.
Windows patchers and generators are also available; RTPatch and WinPatch are 2 that I know of and which are used by some fairly high profile software companies. For those of you who insist on complete optimisation I recommend PCOM, although you might have to invest a little time getting to know it.
Well, if you've downloaded all of the tools and documentation I recommended, and perhaps invested a few days internally digesting all that information, then you might be ready to attempt your first and second projects, both linked here.
Start Menu Cleaner v1.2 (1) & Teleport Pro v1.29 (2)