Reverse Code Engineering
56 files
-
Hacker School - Sapheads
By Teddy Rogers
An introduction to the reverse engineering field in the style of a comic book. Originally presented at the final of Defcon CTF 2009.
114 downloads
0 comments
-
HDSpoof Reversing
By Teddy Rogers
What's happening under the covers when you launch an executable on your Windows system? These days, malicious activity--viruses, worms, spyware--caused by seemingly innocent programs and attachments makes the question extremely important. Even if you are confident that you could debug (or reverse-engineer) a suspicious program, what if you encounter a program designed to frustrate your analysis attempts? There are tricks and traps that can thwart your best intentions. This article will examine some of these and introduce you to topics such as code obfuscation and protection and anti-reverse-engineering.
A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. Starting the program from the command line produced the display seen in Figure 1 (HDSpoof.BMP). The only visible result was the creation of a configuration file with the name of HDSPOOF.INI in the program's installation directory. But a proprietary hardware identification driver and test program I had written for a client now generated different results after executing this program. Clearly something on my system had changed. A little bit of investigation revealed that this program had created and started a dynamic driver on the system and was trying to hide its presence. The driver was visible with a random name in my utility, NTDevices (available at my website, www.smidgeonsoft.com--look for an entry in the index minus the .SYS file extension), but the file for the driver had been deleted from my hard drive. Deleting the configuration file would not restore the expected results. There were still entries present in the system registry for the driver, but under a key with a name different from the display name. Rebooting the system and rerunning the program created a driver with a new random name and with new entries in the system registry, but it would still "spoof" the hardware identification program. Time to fire up a static analyzer program and then the debugger!
Note: this article is based upon an early version of the program found in the WinRAR file. An updated version is available at www.taurine.game-deception.com as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same; only the addresses have changed in the newer version.
104 downloads
0 comments
-
Cracking the MSI Files
By Teddy Rogers
Today, we are discussing how to bypass serial number protections built into Windows binary installer files (.msi). Commonly, registration number protections are embedded within an InstallShield script, so we are going to make sure this is not the case before we delve into the .msi file.
304 downloads
0 comments
-
Definitive Guide To Exploring File Formats
By Teddy Rogers
Computer games are vast and many; however, most computer games have something in common: they need a place to store all their important files, like images, movies, and sounds. To do this, computer game developers typically store their data in a big archive file.
There are many reasons for storing all your data files in one big archive. Some of them include reducing the number of files on a CD, hiding the data files to stop people hacking the game, and allowing all data files to be accessed using a single data stream.
However, the bad news for gamers is that there are almost as many different archives as there are different computer games: every game developer creates their own archive formats, and they even change their formats between games or departments in the company.
This brings us to the focus of the tutorial - how to explore the archives and grab the files from within them. This tutorial will attempt to make it easy for anyone to explore a new format, with the aim of promoting game modifications and enhancements by the community.
In the following pages, we will discuss the terms Game Resource Archives (GRAs) and Game Resource Archive Formats (GRAFs), common data types, and other definitions. From there, we will explain the fundamentals of cracking a file format, including the tools you use and the patterns to look out for.
Thanks for reading our guide; we wish you the best of luck in your exploration.
150 downloads
0 comments
-
Dealing With Funny Checksum
By Teddy Rogers
After a while, I've decided to write about something interesting which I found while unpacking one protection, and it will also be a nice introduction to one of my tools which I wrote for the fun of it.
However, I won't mention the application name here, but to demonstrate the checksum check which I found I will be using one test application, thus you will get an idea of what happened and how the checksum is defeated. I will also introduce one tool I wrote, which served me well in this particular case. The tool should come with this document, thus I won't describe the tool and its internals, as the source code should be well commented.
107 downloads
0 comments
-
CrackMe3 Hellsp@wn Solution
By Teddy Rogers
This tutorial doesn't want to describe the methods I used to reverse this crackme, but rather the questions born in the mind of a novice reverser like me … . So, you will ask: "Why did you choose this crackme?" The answer is simple: THE CHALLENGE! The name of Hellsp@wn (coauthor of the principal Ollydbg hide plugin: Phantom) and a crackme of level 5, dated 2006 and not yet resolved, are the right mix to test my abilities; indeed, the possibility of discovering a new anti-debug technique is around the corner, so happy reading and, as always, sorry for my poor English.
110 downloads
0 comments