Tuts 4 You

Some general advice needed


kutkloon7


First: Hi, this is my first post here and I will tell a little bit about myself. I am 20 years old and studying computer science. I discovered reverse engineering a few months ago.

I found this site while I was searching for information about reverse engineering, and I've found it to be the best site on reversing I've come across.

I've mainly followed the first tutorials from Lena151 and some from r4ndom. I run Windows 7 64-bit, but I use OllyDbg on Windows XP 32-bit via Oracle VM VirtualBox (it crashes if I run Olly outside VirtualBox).

Since I haven't had any contact with (other) reversers (don't know if I should call myself a reverser), I'm unsure what to do next. The Lena151 series is great to learn from, but all applications used are 32-bit and old. Further, I've run into some problems with the tutorials lately (the GUI from the arty program in tutorial 8 looks skewed, and I can't get programs to run 'inside' NuMega SmartCheck, which is used in tutorials 9 and 10).

It bugs me that I'm not able to patch x64 programs, so I really want to look into that, but I have no idea where to start. Before I did a clean install of Windows on my machine, I had IDA Pro running, but I couldn't get the debugger to work, so I pretty much gave up on that. Sadly I don't know any other tools that I would seriously consider using for x64 reversing. A simple user-mode debugger like Olly would be a nice thing to have for x64 binaries.

Should I focus on trying to get IDA working again (or are there perhaps better tools for x64 reversing?), or would it be better to put my efforts into, for example, finishing the beginner series from Lena151? Other suggestions and tips are welcome too, of course!

Goodnight!


My first impression is that you are not willing to solve actual problems. Olly crashes on x64 - you give up. Smartcheck doesn't work - you give up. IDA debugger doesn't work - you give up. All these issues are nothing new, they have been discussed on this forum numerous times. Search and you shall find the solution.

Reversing x64 programs is even harder than reversing 32-bit programs. Existing tools are user-unfriendly, there are almost no tutorials, and you'll have to find solutions of your own. So, I would suggest that you finish Lena's tutorials to learn basic 32-bit stuff before you jump into the x64 world.

As for x64 tools - IDA is probably the most user-friendly of available debuggers. WinDbg is less friendly and FDBG... well, screenshot speaks for itself.. http://fdbg.x86asm.n..._screenshot.png

Good luck!


Well, I have tried a lot of stuff to get Olly working in Windows 7 x64, but I just didn't manage to do it. I googled a lot, never searched on tuts4you specifically, but when I do (I just did), I can't find any good advice. Some posts hint at plugins that help Olly run on x64; I can find a couple of plugins (is Stealth64 what I'm looking for?). I put in some effort, but found that Olly works fine in VirtualBox, so I used that.

And about IDA, I'm asking here if it's worth the trouble to try to get it to work, so indeed I haven't really tried hard. For SmartCheck I've googled a lot, but found nothing (I'm now searching on tuts4you).

I've tried FDBG, and the only thing I really didn't like was that you can't use a colour scheme like in Olly. But you were quite clear, I probably should get a bit better at 32-bit reversing.

Thanks for your answer! I will try to come here more often, as it looks like a great source of information to me :).


(is Stealth64 what I'm looking for?)

Yes. It's still a better idea to use a VM.

- For IDA you have to install the Windows Debugging Tools, afaik.

- Forget SmartCheck.

I probably should get a bit better at 32-bit reversing.

Indeed. :)


To give you more specific ideas for search:

* Olly 1.10 on x64 - some plugins are incompatible with x64, so you're better off starting with a clean Olly install. There's a plugin from waliedassar which fixes some issues on x64. IIRC, Stealth64 is only there to hide the Olly debugger from programs; it doesn't fix crashes and compatibility issues.

* SmartCheck needs a specific version of MSVBVM60.DLL. I remember seeing here a package (tutorial? link to tutorial?) bundled with the proper DLL. According to R4ndom, SmartCheck won't work on Win7 (http://thelegendofrandom.com/blog/archives/2044). Haven't tried myself.

* IIRC, IDA remote debugging needs either the MS Debugging Tools or IDA's remote debugger server running. The local debugger should work out of the box; I could test it tomorrow, if necessary.

* VirtualBox has (had?) certain issues with hardware breakpoints, see https://www.virtualb...rg/ticket/10377 and https://www.virtualb...77 There's a reason why most people prefer VMware or MS VirtualPC for reversing.. ;)

EDIT: update about SmartCheck.

Edited by kao

Stealth64 works fine for me, even with protection systems that employ lots of anti-debug. It may need some time to find the right settings. As for IDA: remote debugging for x64 works as well. You will need to start a remote debugger like kao pointed out, as x64 is not available as a local debugger.


Thanks for the replies! IDA works fine. I haven't tried to debug an x64 program yet, but I'll look into it soon (perhaps this weekend; I'm pretty busy with my studies now).


Stealth64 worked for me, too.

VirtualBox HWBP issues have been fixed since.

as x64 is not available as a local debugger.

Hold on, are you saying I cannot debug my ring3 apps locally using IDA?

I don't have an x64 system for testing atm, but I can hardly believe that...


Yes you can. You'd just have to start the remote server on your local box and connect to it. At least it's been like this the last time I was confronted with an x64 binary.


Yes you can. You'd just have to start the remote server on your local box and connect to it. At least it's been like this the last time I was confronted with an x64 binary.

I don't know what I was doing the last time. Works like a charm! Graph view ftw!

The only things I don't like about IDA are the loading times and the fact that you can't assemble lines as easily as in Olly.

  • 1 month later...

Only use IDA+WinDbg, or else add excess years to learning when you want to do more than shareware-grade PE protectors. Antis are just sloppy use of API and generic encryption.

One of the most important things to note: all disassemblers are broken and always will be, check against hex..

Edited by chickenbutt
  • 2 weeks later...

Again, thanks for the replies! I haven't done much reversing/cracking lately, but a while ago I cracked Sublime Text. I'm thinking about buying it though, I really like it ;)
