1. Breakpoint: also called a "break point", that is, interrupting (or stopping) a running process at some position, from which the values of some or all of the program's variables can be dumped. Breakpoints can also be set by programmers as a way of interacting with the debugging tool. In general, a breakpoint is used to halt the execution of a program.
2. OllyDBG: a 32-bit assembler-level analysing debugger for Windows. It analyses every program as Assembler code, and this analysis makes OllyDbg especially useful in cases where the program has no source files. It also shows you the values of registers, procedures, API function calls, tables, constants, strings, etc. In addition, you can write comments at instruction lines. In general this is the tool most favoured by crackers. OllyDBG is a completely free program; you can download and use it from http://home.t-online.de/home/Ollydbg
5. PEiD: This is a tool that can identify most of the common packers and cryptors. It can currently recognise more than 600 different signatures in PE files.
Post #1 by hacnho
2.Import REConstructor: This tool is designed to rebuild imports for protected/packed Win32 executables. It
reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII
module and function names. It can also inject into your output executable, a loader which
is able to fill the IAT with real pointers to API or a ripped code from the protector/packer
(very useful against emulated API in a thunk).
( Source: readme)
Vietnamese translation: This is a tool designed to rebuild the import functions of a protected or packed Win32 program. It rebuilds an Image Import Descriptor (IID), an Import Array Table (IAT) and all module and function names. It can also inject into your program's output a loader that can fill the IAT with real pointers to API functions or with a piece of code cut out of the protected or packed program.
Post #1 by Merc:
3. HIEW: Basically HIEW is a hex viewer for those who need to change some bytes in the
code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text,
hex, and Pentium(R) 4 disassembler mode.
Vietnamese translation: This is a tool for editing programs in hex (i.e. hexadecimal) in a DOS environment, very useful for those who want to change a few bytes in a program's code.
Features:
þ Text/hex mode editor
þ Built-in Pentium(R) 4 assembler
þ Physical & logical drive view & edit
þ Creating new files
þ Search and replace in blocks
þ Context help (however help file is not necessary for starting HIEW)
þ Search for assembler command wildcards
þ Keyboard macros
þ Built-in 64-bit calculator
Source (readme)
1.CFF Explorer
Quote:
This is PE Editor with full support for PE32/64. Special fields description and modification, utilities, rebuilder, hex editor. First PE Editor with support for .NET internal structures. Resource viewer (bitmaps, icons, cursors etc are all dumpable on disk) with support for .NET manifest resources (who are dumpable as well).
Copyright (C) Ntoskrnl (Daniel Pistelli) (source from homepage:http://www.ntcore.com) |
2.Hex Workshop
Quote:
This is a set of hexadecimal development tools for Windows 9x,
NT, 2000, and XP. It combines advanced binary editing with the ease and flexibility of a word processor. With Hex Workshop you can edit, insert, delete, cut, copy, and paste hex, print high quality customizable hex dumps, and export to RTF or HTML for publishing. Additionally, you can goto, find, replace, compare, and calculate checksums within a file. Copyright (C) BreakPoint Software (source from readme) |
3.LordPE
Quote:
It is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,... .
Copyright (C) yoda (source from homepage:http://y0da.cjb.net/) |
4.PEiD
Quote:
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
Copyright (C) snaker - Qwerton - Jibz (source from readme) |
5.PE Explorer
Quote:
This is a multi-purpose PE (portable executable) file editor and binary header analysis tool for Windows developers. It tells you just about every little detail you could possibly want to know about a PE file (exe, dll, ActiveX, and several other executable formats). PE Explorer comes with a Visual Resource Editor, PE Header Viewer, Exported/Imported API Function Viewer, API Function Syntax Lookup, Dependency Scanner and Easy Disassembler.
Copyright (C) Heaventools Software (source from readme) |
6.PEQuake
Quote:
PEQuake is a win32 executable protector from
The soft is designed to protect your program, and the protected file will start up with a cool logo. Copyright (C) fORGAT (source from readme) |
7.PE Tools
Quote:
Professional utility for the work with PE/PE+(.64bit) by files, that includes: editor PE is file, Task Viewer, optimizer Win32 PE is file, the detector of the compiler / packer and much other.
Copyright (C) NEOx (source from homepage:http://neox.iatp.by/petools.html) |
8.Quick Unpack
Quote:
The program is intended for fast (in 2 seconds) unpacking simple packers (UPX,
Copyright (C) FEUERRADER [AHTeam] (source from readme) |
9.Resource Binder
Quote:
Program for restoring the section of resources after the removal of packer /protector. Program automatically creates at the end of the file the new section of resources and it completely reconstructs all resources into this section. Optionally it will be possible to after this reset to zero the old section of resources and optimize the file
Copyright (C) SetiSoft Team (source from readme) |
10.Trial-Reset
Quote:
This is an registry cleaning tool. The main function of Trial-Reset is remove the keys generated by commercial and freeware protector.
Trial-Reset not crack the program but only extend the Trial Period. Copyright (C) The Boss and All RSR Team (source from help file) |
11- IDA
Quote:
IDA is an interactive disassembler. It means that the user takes active participation in the disassembly process. IDA is not an automatic analyser of programs. IDA will hint you of suspicious instructions, unsolved problems etc. It is your job to inform IDA how to proceed.
(readme) |
Quote:
The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on the Windows platform. Universally acclaimed as the best disassembler money can buy, IDA Pro has become the de-facto standard for the analysis of hostile code and is quickly establishing itself as a major tool in the field of vulnerability research
(hacnho tut :D) |
12- ABEL
Quote:
ABEL is loader generator tool, that allows you to generate loaders. And ABEL means:
A ny B uild E nabled L oader (readme) |
13- Dede
Quote:
DeDe is a very fast program that can analyze executables compiled with
- All dfm files of the target. You will be able to open and edit them with
- All published methods in well commented ASM code with references to strings, imported function calls, classes methods calls, components in the unit, Try-Except and Try-Finally blocks. (By default DeDe retrieves only the published methods sources, but you may also process another procedure in a executable if you know the RVA offset using the Tools|Disassemble Proc menu.)
- A lot of additional information.
- You can create a pas, dpr files. Note: pas files contains the mentioned above well commented ASM code. They can not be recompiled !
You can also:
- View the PE Header of all PE Files and change/edit the sections flags.
- Use the opcode-to-asm tool for translating intel opcode to assembler.
- Use RVA-to-PhysOffset tool for fast converting physical and RVA addresses.
- Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near to pascal code of your DCU files.
- Use BPL(DPL) Dumper to see BPL exports and create symbol files to use with DeDe disassembler.
- Disassemble a target EXE directly from memory in case of a packed exe.
(readme) |
14- Resource Hacker
Quote:
Resource Hacker is a program has been designed to:
1. View resources in Win32 executable files (*.exe, *.dll, *.cpl, *.ocx) and in Win32 resource files (*.res) in both their compiled and decompiled formats.
2. Extract (save) resources to file in (*.res) format, as a binary, or as decompiled resource scripts or images. Icons, bitmaps, cursors, menus, dialogs, string tables, message tables, accelerators, Borland forms and version info resources can be fully decompiled into their respective formats, whether as image files or *.rc text files.
3. Modify (rename or replace) resources in executables or resource files. Image resources (icons, cursors and bitmaps) can be replaced with an image from a corresponding image file (*.ico, *.cur, *.bmp), a *.res file or even another *.exe file. Dialogs, menus, stringtables, accelerators and messagetable resource scripts (and also Borland forms) can be edited and recompiled using the internal resource script editor. Resources can also be replaced with resources from a *.res file as long as the replacement resource is of the same type and has the same name.
4. Add new resources to executables or resource files. Enable a program to support multiple languages, or add a custom icon or bitmap (company logo etc) to a program's dialog.
5. Delete resources. Most compilers add resources into applications which are never used by the application. Removing these unused resources can reduce an application's size.
(readme) |
15- .NET Reflector
Quote:
Reflector is a class browser for .NET components. It allows browsing and searching the meta data, IL instructions, resources and XML documentation stored in a .NET assembly.
(readme) |
16- dUP
Quote:
dUP (diablo2oo2's Universal Patcher) is a powerful multiple file patch engine
(readme) |
17- aPE
Quote:
The aPE is a patcher program that can be used to patch packed/protected executable files. This is done by code insertion in packer/protector code so that the program can be patched normally without the unpacking of the packed file. This means that you can now make smaller patches for packed executables [but you will still need to unpack the target and find bytes you want to patch]. There is no more need for distribution of larger unpacked files... The aPE can patch them while they are still packed!
(readme) |
18- FSG
Quote:
FSG is perfect compressor for small exes, eg. 4k,64kb intros, asm appz etc.(upx sux). FSG means:
F[ast] S[mall] G[ood] (readme) |
19- ICE Licsence
Quote:
ICE License v2.0 is a new & innovative licensing protection solution designed to provide a high level of security. ICE License protects your application the executable file by code encryption to provide a strong protection, ICE License add high security level to turn your software in Full Version, user need ActiveKey to unlock it, else nobody can unlock.
With ICE License it's easy to turn your application in "try-before-you-buy" versions with little effort, offering everything to guarantee a maximum protection. If you want to protect your investments ICE License is designed specifically for you. The software developer looking for powerful, flexible protection, license management tools to get your software product into the hands of customers. (readme) |
20- yoda's Crypter
Quote:
This is a small PE crypter with some nice protection options.
(readme) |
21- Yoda's Protector
Quote:
Yoda's Protector is an EXE packer and protector with some special features for Microsoft Windows®. It also supports Dynamic Link Libraries (DLL), OLE-ActiveX Controls (OCX), Screen Savers (SCR). It is based on assembly source of yoda's Crypter by Danilo Bzdok. It packs sections of portable executable file by compression source from LZO library by Markus F.X.J. Oberhumer & László Molnár and aPLib compression library by Joergen Ibsen
(readme) |
22- OllyScript
Quote:
OllyScript is a plugin for OllyDbg, which is, in my opinion,
the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. OllyScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. (readme) |
23- RSA
Quote:
In 1976 three researchers at M.I.T. (Ron Rivest, Adi Shamir and Les Adleman) introduced this public key cryptosystem, prior to this only private key cryptosystems had been used.
The RSA cryptosystem is based on modular exponentiation modulo the product of 2 large primes. Each individual has an encrypting key consisting of a modulus n = pq, where p & q are large primes, say with 200 digits each, and an exponent e that is relatively prime to (p-1)(q-1). To produce a usable key, 2 large primes must be found (this can be done quickly on a computer using probabilistic primality tests). However the product of these primes n = pq, with approximately 400 digits, cannot be factored in a reasonable length of time. (In a RSA tut that has unknown author) |
24- MD5
Quote:
Developed in 1994, MD5 is a one-way hash algorithm that takes any length of data and produces a 128 bit "fingerprint" or "message digest". This fingerprint is "non-reversible", it is computationally infeasible to determine the file based on the fingerprint. This means someone cannot figure out your data based on its MD5 fingerprint.
(Tut by Lance Spitzner) |
25- SmartCheck
Quote:
SmartCheck (SC) is a program for Automatic Run-Time Error Diagnosis for Visual Basic programs. With other words, SC is a tool for VB debugging and, if it is properly configured, for reversing of VB appz.
(Tut by Palaryel) |
26- Opcode
Quote:
Opcodes are the instructions for the processor. Opcodes are actually "readable text"-versions of the raw hex codes. Because of this, assembler is the lowest level of programming languages, everything in asm is directly converted to hexcodes. In other words, you don't have a compiler phase that converts a high-level language to low-level, the assembler only converts assembler codes to raw data.
(Tut by Mad Wizard - Thomas Bleeker) |
27- Assembly
Quote:
Assembly language is created as replacement for the raw binary code that the processor understands. A long time ago, when there were no high-level programming languages yet, programs were created in assembly. Assembly codes directly represent instructions the processor can execute.
(Tut by Mad Wizard - Thomas Bleeker) |
28- API
Quote:
The fundamental of programming in windows lies in the windows API, Application Programming Interface. This is a set of functions supplied by the operating system. Every windows program uses these functions. These functions are in the system dll's like kernel, user, gdi, shell, advapi, etc.
(Tut by Mad Wizard - Thomas Bleeker) |
29 - Stack
Quote:
The Stack is a part in memory where you can store different things for later use. See it as a pile of books in a chest where the last put in is the first to grab out. Or imagine the stack as a paper basket where you put in sheets. The basket is the stack and a sheet is a memory address (indicated by the stack pointer) in that stack segment. Remember following rule: the last sheet of paper you put in the stack, is the first one you'll take out! The command 'push' saves the contents of a register onto the stack. The command 'pop' grabs the last saved contents of a register from the stack and puts it in a specific register.
(Tut by lena) |
30- Flag
Quote:
Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means: 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.
The Z-Flag: The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer on this comes later ;)
The O-Flag: The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you use an operation now, which increases EAX by 1 the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set, is that the value of the destination register is neither 0 before the instruction nor after it.
The C-Flag: The C-Flag (Carry flag) is used in about 1% of all cracking attempts. It is set, if you add a value to a register, so that it gets bigger than FFFFFFFF or if you subtract a value, so that the register value gets smaller than 0. (Tut by lena) |
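The three flags described above, as an added example that is not part of the original post or of lena's tutorial: a small C model of how a 32-bit ADD, SUB and CMP set ZF, OF and CF, run on the 7FFFFFFF + 1 case from the quote and on the CMP-of-equal-values case that the quote leaves open. Function names (x86_add, x86_sub, x86_cmp, jump_taken) are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three flags the quote cares about: ZF (zero), OF (overflow), CF (carry). */
typedef struct {
    unsigned zf, of, cf;
} Flags;

/* ADD dst, src on 32-bit registers: returns the wrapped result and sets the flags
 * the way the CPU does. This is a teaching model, not a real emulator. */
static uint32_t x86_add(uint32_t dst, uint32_t src, Flags *f)
{
    uint32_t r = dst + src;                 /* uint32_t wraps modulo 2^32 like EAX */
    f->zf = (r == 0);
    f->cf = (r < dst);                      /* unsigned result went past FFFFFFFF */
    /* signed overflow: both operands share a sign and the result's sign differs,
     * e.g. 7FFFFFFF + 1 = 80000000 flips the highest bit of EAX */
    f->of = (((dst ^ r) & (src ^ r)) >> 31) & 1;
    return r;
}

/* SUB dst, src: CF is the borrow, i.e. the unsigned result went below 0. */
static uint32_t x86_sub(uint32_t dst, uint32_t src, Flags *f)
{
    uint32_t r = dst - src;
    f->zf = (r == 0);
    f->cf = (dst < src);
    /* signed overflow: operands differ in sign and the result's sign differs from dst */
    f->of = (((dst ^ src) & (dst ^ r)) >> 31) & 1;
    return r;
}

/* CMP a, b is SUB with the result thrown away: only the flags survive, which is
 * why comparing two equal values leaves ZF set. */
static void x86_cmp(uint32_t a, uint32_t b, Flags *f)
{
    (void)x86_sub(a, b, f);
}

/* Would a conditional jump be taken with these flags? Returns 1/0, or -1 for a
 * mnemonic this model does not cover (signed jumps such as jl also need SF). */
static int jump_taken(const char *mnemonic, const Flags *f)
{
    if (!strcmp(mnemonic, "jz")  || !strcmp(mnemonic, "je"))  return f->zf;
    if (!strcmp(mnemonic, "jnz") || !strcmp(mnemonic, "jne")) return !f->zf;
    if (!strcmp(mnemonic, "jb")  || !strcmp(mnemonic, "jc"))  return f->cf;
    if (!strcmp(mnemonic, "jae") || !strcmp(mnemonic, "jnc")) return !f->cf;
    if (!strcmp(mnemonic, "jo"))  return f->of;
    if (!strcmp(mnemonic, "jno")) return !f->of;
    return -1;
}

static void show(const char *what, uint32_t r, const Flags *f)
{
    printf("%-18s -> %08X  ZF=%u OF=%u CF=%u\n", what, (unsigned)r, f->zf, f->of, f->cf);
}

int main(void)
{
    Flags f;
    uint32_t r;
    r = x86_add(0x7FFFFFFFu, 1u, &f); show("add 7FFFFFFF, 1", r, &f); /* OF=1 */
    r = x86_add(0xFFFFFFFFu, 1u, &f); show("add FFFFFFFF, 1", r, &f); /* CF=1, ZF=1 */
    r = x86_sub(0u, 1u, &f);          show("sub 0, 1", r, &f);        /* CF=1 (borrow) */
    x86_cmp(5u, 5u, &f);              show("cmp 5, 5", 0u, &f);       /* ZF=1 */
    printf("jz after cmp 5, 5 taken: %d\n", jump_taken("jz", &f));
    return 0;
}
```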
31- REA
Quote:
REA (Reverse Engineer Association) is a name of a famous cracker team in
Their homepage: www.reaonline.net (my idead) |
32- Cracker
Quote:
Cracker is a person who illegally finds a way of looking at or stealing information on sb else’s computer system
( |
33- Newbie
Quote:
Newbie is a person who is new and has little experience in doing sth, especially in using computers
{ |
34- Patch
Quote:
[noun]
Patch is a small piece of code (= instructions that a computer can understand) which can be added to a computer program to improve it or to correct a fault [verb] To repair sth especially in a temporary way by adding a new piece of material or a patch (Oxford dic) |
35- PE
Quote:
PE stands for Portable Executable. It's the native file format of Win32. Its specification is derived somewhat from the Unix Coff (common object file format). The meaning of "portable executable" is that the file format is universal across win32 platform: the PE loader of every win32 platform recognizes and uses this file format even when Windows is running on CPU platforms other than Intel. It doesn't mean your PE executables would be able to port to other CPU platforms without change. Every win32 executable (except VxDs and 16-bit Dlls) uses PE file format. Even NT's kernel mode drivers use PE file format.
(Tut of Iczelion) |
36- Dongle
Quote:
Dongle is a device or code that is needed in order to use protected software
{ |
37- SHA
Quote:
The SHA (Secure Hash Algorithm) family is a set of related cryptographic hash functions. The most commonly used function in the family, SHA-1, is employed in a large variety of popular security applications and protocols, including TLS, SSL, PGP, SSH, S/MIME, and IPSec. SHA-1 is considered to be the successor to MD5, an earlier, widely-used hash function. Both are reportedly compromised. In some circles, it is suggested that SHA-256 or greater be used for critical technology. The SHA algorithms were designed by the National Security Agency (NSA) and published as a
The first member of the family, published in 1993, is officially called SHA; however, it is often called SHA-0 to avoid confusion with its successors. Two years later, SHA-1, the first successor to SHA, was published. Four more variants have since been issued with increased output ranges and a slightly different design: SHA-224, SHA-256, SHA-384, and SHA-512 — sometimes collectively referred to as SHA-2. Attacks have been found for both SHA-0 and SHA-1. No attacks have yet been reported on the SHA-2 variants, but since they are similar to SHA-1, researchers are worried, and are developing candidates for a new, better hashing standard. (http://en.wikipedia.org/wiki/SHA) |
38- PRCEdit
Quote:
PRC edit is a HEX editor and Ascii viewer in one. You can open a PRC with corresponding disassembled source file in the editor.
(readme) |
39- Olly ToolBar Manager
Quote:
Olly ToolBar Manager is the plugin which allows you to add custom buttons on Olly tool bar.
(readme) |
40- NonaWrite
Quote:
NonaWrite is a plugin for OllyDbg that helps you write code injection.
(readme) |
Post #1 by mrangelx
41-BIEW
Quote:
BIEW (Binary vIEW) is a free, portable, advanced file viewer with
built-in editor for binary, hexadecimal and disassembler modes. (readme) |
42-UPX
Quote:
UPX is a portable, extendable, high-performance executable packer for
several different executable formats. It achieves an excellent compression ratio and offers **very** fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported. (readme) |
43-ARM
Quote:
ARM Protector is a Windows Portable Executable (PE) file protector and cryptor
against reverse engineering (cracking, debugging and other illegal modifications). It has some nice protection options (i'll keep adding them as much as i can) (readme) |
44-Upack
Quote:
Upack is a packer that can compress Windows PE file,
which can be run without decompressing manually. (readme) |
45-ArmaInline
Quote:
ArmInline is an Armadillo unpacking tool designed specifically
to deal with the 'Strategic Code-Splicing' antidump feature available with private builds of Armadillo 3.x-4.x. It 'revirgin's the spliced code by recursively identifying and removing the redundant opcodes, rather than dumping and patching in a VirtualAlloc, and so it adds nothing to the size of your dump. (readme) |
46-GetDlgItem
Quote:
The GetDlgItem function retrieves the handle of a control in the specified
dialog box. (win32.hlp file) |
47-MessageBox
Quote:
The MessageBox function creates, displays, and operates a message box.
The message box contains an application-defined message and title, plus any combination of predefined icons and push buttons (win32.hlp file) |
48-RegCreateKeyEx
Quote:
The RegCreateKeyEx function creates the specified key.
If the key already exists in the registry, the function opens it. (win32.hlp file) |
49-RegQueryValueEx
Quote:
The RegQueryValueEx function retrieves the type and data for a
specified value name associated with an open registry key. (win32.hlp file) |
50-GetPrivateProfileString
Quote:
The GetPrivateProfileString function retrieves a string from the
specified section in an initialization file. This function is provided for compatibility with 16-bit Windows-based applications (win32.hlp file) |
51- A Packer is a program that compresses and encrypts Exe and Dll files. There are many different kinds of packer: some only compress, to get a small file size, such as UPX, ASpack, NSpack, WinUpack...; others both compress and encrypt the file, such as Asprotect, Armadillo, Execryptor, ENIGMA protector, Acprotect.... There are far too many kinds of packer, so you need tools with the signatures of each packer to determine which kind it is. PEiD and RDG are two tools that do this job. From the picture above I'd guess it could be PE-Armor, ENIGMA protector or WinUpack. Best if you give a link to the target you're working on so we can know more precisely.
(why not bar)