srtools.htm: How to search the web, by fravia+ (¯`·.¸(¯`·.¸ software reversing tools ¸.·´¯)¸.·´¯)

~ Software reversing Tools ~

				SrTools

Last update: June 2005

[Back to the Searching tools]

Softwareversing tools

[Basic tools] [Hexeditors] [Text editors and seek & replaces]
[Disassemblers] [Debuggers] [Monitors] [Program killers] [Resource editors]
[Software Customizers]
My tools pages are not only a "swiss blades" repository for newbies that begin to grasp the powerful reversers' and seekers' lore... the tools I have gathered should be quite useful for anyone that happens to be "lost on an alien computer", miles from home and without his trusted own-made CDs. This happens to me often enough, hence I find myself these pages quite useful :-) You'll find here (I hope) all the necessary tools to survive, secure your current box, AND reverse everything in sight. Some of these tools will even allow you to retaliate and strike back, should anyone dare to annoy you! This section will always be "in fieri", but I'll slowly add all sort of useful applications (uncracked and "abandoned", of course). Note that for correctness, the most recent versions og any given application are NOT to be found here (unless given explicit permission by the Authors). But, see, I would like as well to demonstrate that you DO NOT need (far from it :-) the most recent version of a given software... once you know what you have to do, you may use a dos program as well as the most recent frilly windozian version, with the advantage (if you use older versions) that you'll at least be sure that the program you use are not trojaning your data somewhere everytime you connect to the web!

Main advice of my "Tools" section:

DO NOT UPDATE YOUR SOFTWARE...
...unless you know pretty well how to reverse - and modify - it!
As a (simplistic) rule: the older your version, the less likely it is that it will [malbehave] and spy on you...

Softwareversing tools

Basic tools
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[hexchart] You'll use it again and again every time you sniff code :-)
[symdeb] symdeb.zip, 25398 bytes: symdeb M$ symbolic debug utility, version 4, when M$ was still able to program, old aber still useful :-)

Hexeditors
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[psedit] psedit.zip, 64242 bytes: Parity Solutions' DOS powerful (and +ORC's preferred) hexeditor, old aber still useful :-)
[hexworkshop] hexwo210.zip, 0389618 bytes: Hex workshop version 2.10, by BreakPoint Software, the hexeditor for windoze, very powerful: you wont need more recent versions: this will cut all possible mustard :-)
[hexworkshop] hexwo250.zip, 1101082 bytes: Hex workshop version 2.50, by BreakPoint Software, the hexeditor for windoze, very powerful: they "upgraded" from 300000 to more than a million bytes :-( Maybe you should choose the OLDER version instead...
hiew (easy to find on the web)
[winhex] winhex.zip, 606223 bytes, by Stefan Fleischmann
See http://www.winhex.com/winhex/forensics.html, a professional data recovery and computer investigation tool. WinHex is able to create true mirrors (including all slack space) of most media types. It incorporates sophisticated, flexible and lightning-fast search functions that you may use to scan entire media (or image files), including slack, for deleted files, hidden data and more. Via physical access, this can be accomplished even if a volume is undetectable by the operating system, because the file system is corrupt or unkown.
This toolz recognizes the type of unknown data when examining hard disk sectors, by sole use of visual representations!

Text editors and seek & replaces
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[ultraedit] uedit310.zip, 574641 bytes: Ultraedit version 3.10, by Ian Mead: BEST texteditor for windoze, higly recommended, incredibly powerful, this is an old, yet powerful enough version, you may be interested to read a very old essay of mine on the limits of its [protection]
.
find & replace
byte movers

Disassemblers
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über

[IDA!] idafree.zip, 12.522.567 bytes... lotta bytes, biggest appz on my tools page... but WHAT for bytes!: IDA, Ilfak's masterpiece, version 3.85B, is a truly MAGICAL ITEM, kindly offered by Ilfak Guilfanov & Pierre Vandevenne: BEST disassembler around when you really need to work... read what Pierre says about this release (end december 2000):

 I've just made a new FREEWARE version of our IDA Pro 
 disassembler available. It is basically last year's 3.85B 
 commercial release, which means that it even supports FLIRT 
 (Fasy Library Identification and Recognition Technology). 
 There is no catch : it is free, supports the DOS / WIN 80x86 
 file formats we supported at that time and a couple of other 
 things as well, no size limit, no time limit and is even 
 somewhat supported (we'll fix reported bugs if practical).
 We are releasing it for tree reasons:
- we are a bit tired of seeing poorly cracked versions going 
  around;
- we have made real progress with our new versions;
- we realize there is a need for a non pro to investigate 
  potentially hostile code on an amateur basis and that 
  the budget for the full version shouldn't be an obstacle.
 The file can be found on our ftp idafree.zip @ datarescue
 Our ftp is a bit overloaded is now, redistribution of the file 
 is ok, provided it is not altered.

So download it [here] (@ fravia's) and enjoy! This is a truly wondrous cadeau by Pierre and Ilfak for all present and future reversers entering the third Millennium! Note that there's a dedicated messageboard for IDA-matters, see [here].

NEW!: An average of ~300 copies downloaded daily... lotta future reversers, I hope! Maybe with their help we'll even be able to win our [GNU powered] battles for free knowledge against the evil forces of commercial darkness!

Magical
Item

Wdasm (easy to find on the web)
(You will have to find it ojn the web by yourself: I'm still awaiting Peter Urbanik's permission to link to it, in the mean time you'll be able to find it all over the web with banal searches). If you start to use it for real, please do register it, I have seldom seen such an useful program around. In fact I paid for my copy of wdasm. This quick disassembler still beats ida when you want to defeat an easy protections or you need to perform some simple "on the fly" code-reversing investigations (i.e. 70% of times).

Precious
Item

Debuggers
If you don't know what these tools are for, nor what astounding deeds they can perform in our more and more "softwarocentric" world, be prepared to be amazed by the sheer cosmic power they will almost immediately grant you. Indeed the following tools are powerful weapons, as you'll learn as soon as you begin using them...

...a good software reverser that knows how to use his softice can easily nuke many a smart "billion-dollar" dot industry...
[Neue Zürcher Zeitung], January 2001

SOFTICE!!! Softice aka Winice aka sice aka SI aka cutter aka (for older versions) memphis
MUST HAVE TOOL FOR ANY REVERSER (easy to find on the web)
search the web for it, 'trial', 'regged' and 'cracked' versions are to be find literally everywhere (everywhere software reversing activities are seriously performed, that's it), this target's names will mostly emerge like si405wi95.zip, SI405_9x.zip... that's for version 4.05... you get the idea... or try good ftp searches for subdirectories named sice or Softice or siw... and so on, if you'r serious about reversing software buy it (one of the VERY FEW pieces of software that deserves it in spades) @ Numega's (as long as they will be allowed to sell such a powerful software weapon.
This is the most hated tool by those (bastards) that get the creeps seeing the [GNU/Free software] movement and ideas applied to the windoze world.

Ancient History
There were two older sice versions for dos: sice 2.6 (this version snaps in memory) and sice 2.8 (this version doesn't snap in memory). You'll find them 'searching the archies' and/or perusing older alleys of the web and/or once you will have found the ancient mythical "ORCpaks".

Magical
Item

Microsoft's one (IWINDEBUG)
Useful if you want to quickly disass a piece of simple software that has too many anti-softice tricks inside you would bother to deactivate...

Borland Turbo Debugger,
Turbo Debugger is a powerful stand-alone debugging tool for use with the free Borland C++ Compiler. Turbo Debugger can be used to control 32-bit Windows application execution and to view the different aspects of the application (including program output, source code, data structures, and program values) at runtime.

http://www.borland.com/products/downloads/

Ollydbg (Olly debug) by Oleh Yuschuk (thanks Oleh!)
v.1.09d (2005) [odbg109d.zip] : 1076224 bytes
Oleh Yuschuk keeps improving his wondrous debugger. Now with SSE support, powerful run trace, improved code analysis, new search options or customizable user interface.

see http://home.t-online.de/home/Ollydbg/ for details
OllyDbg is a 32-bit code level debugger for Windows. Emphasis on binary code analysis makes it particularly useful in all those cases where source code is unavailable... as Oleh points out ;-)

A list of discussion for OllyDbg users, moderated by TBD is at http://www.ollydbg.f2s.com; another messageboard, in spanish, is at http://ollydbg.cjb.net/.

Please note that OllyDbg is free!
Oleh (Ollydbg{ALT+64}t-online{POINT}de) is a great soul and has no intention to make OllyDbg commercial. The program is rated as a shareware only for copyright reasons. Moreover Oleh plans to release the source of his disassembler under GPL!

Precious
Item

TRW2000 for Win95/98
v.1.23 january 2001 [trw2000.zip] : 336060 bytes
The chinese alternative to softice... by LiuTaoTao & ZhuNanHao
Powerful Windows9x system debugger, traces DOS COM, DOS EXE,DPMI, 16bit NE,32bit PE programs, ring0 VxDs. It traces from Ring0 and supports complex breakpoints

GoVest
v. 0.9b-1 November 2000 [govest.zip] : 1164370 bytes
Win32 debugger and disassembler, by Ansgar Trimborn
A debugger that _Mammon suggested. It is capabable of using source code information in COFF, PDB and VOM format

You may also wish to read this snippet by Dindon on how to debug a debugger...
Finally, don't forget that wdasm -see "disassemblers", above- has also an useful and quite powerful (if somehow messy) debugger functionality inside itself...

Monitors
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

Filemon: [filesrc.zip] : 323906 bytes
Mark Russinovich & Bryce Cogswell, @ [sysinternals] deserve the reversing Nobel, and more for their fabulous tools... (Process Explorer, Filemon, Regmon, and PsTools).

Precious
Item

API monitors: [apispy32.zip] : 209035 bytes
Yariv's clever tool for API monitoring, here with source code (and yes, of course I asked his permission before posting it here). You'll have to edit your preferred APIs inside the text file C:\windows\APISpy32.api of course (see help-documentation). I don't believe YOU'll believe the many useful purposes this beautiful tool can be used for... version 3 will ever arrive?

Program killers
With a buggy operating system like windoze you'll need pview running all the time

Pview: [pview.zip]: only 23404 bytes, but what for bytes!
"Never again without pview" said fravia+ debugging a friend's continuously crashing computer

Process viewer: [PrcView.zip], version 3.7.2.5: 94612 bytes, The new pview! By Igor Nys (packed with a command line versioin for your own scripts)
(Click 'show module usage' and gasp at the messyness of windoze)

Handleex [handleex40.zip] by Mark Russinovich
On Windows NT/2K, you must have the DEBUG and LOAD DRIVER privileges to run HandleEx (administrator accounts have these privileges by default). HandleEx runs on Win9x/Me, Windows NT 4, and Win2K.
Performs even better than pview, but has problems in killing itself (pview does it better)

Resource editors
Quite some tools in order to fiddle around and ameliorate buggy applications you do not happen to posses the source code of, you mighty reverser, you brave opensourcer... :-)

Borland resourse workshop, version 4.5: [brw45.zip] : 2443613 bytes, but such a reversing wizard power!
Ok, admittedly, old, obsolete, slow, whatever... but they don't do this kind of mighty tools anymore (actually they are trying to ban such tools... USE it and then let me know!
You may want to read my old [ultrae2.htm] essay to understand what this (now abandonedware and public domain) tool can eventually do...

Resource hacker: [reshack.zip] by Angus Johnson: 542549 bytes, mighty wizardish power for your software fiddling and reversing wishes!
Thanks fake faulty: indeed it looks like Angus decided to develop good old borland trw! Vielen Dank Angus! :-)
Ahem... let's see if you understand what the following words (could) mean... "Resources can be added to an executable as long as no resource of the same type, name and language id already exists. Select Action | Add a New Resource ... from the menu".
Eh? :-)
And do you grasp what the following words (could) mean?... "New controls can also be added. The Control Editor supports virtually all Microsoft’s currently defined standard and common control classes. User defined custom classes can also be added to the predefined list of classes by carefully editing the “dialog.def” text file which can be found in the same folder as Resource Hacker"
Eheh :-)

Precious
Item

Software customizers
If you wish to kill ads, tweak whatever or re-enable some grayed options

customiz.zip ~ 653537 bytes customiz.zip
[The customizer per anthonomasia, version 1.10]
You'll find this even more useful than poledit when your system administrator or your software programmer has chosen to 'disable' some options... :-)
See for instance how you can modify on the fly the webferret bot in this essay. See also another interesting use of the customizer (tweaking EULAs) in this [conference of mine]

customiz.exe ~ 692224 bytes: this is customiz.zip version 1.10 autoextracting as exe
very useful when you need to perform some quick tweakings from -say- a web-café ;-)

cust115.zip ~ 272528 bytes: cust115.zip
[The customizer per anthonomasia, version 1.15]
A ridicolous time check protection... any kid could set all FOUR occurrences of 000007D1 (if you have installed it in 2001) to -say- 00000BB9 with the result that the program will expire in 3001. (And if that's not enough... set all four to 00000FA1 :-) Maybe the good people at wanga should learn [some better tricks] to protect this most useful appz.

Precious
Items