srtools.htm: How to search the web, by fravia+ (¯`·.¸(¯`·.¸ software reversing tools ¸.·´¯)¸.·´¯)

~ Software reversing Tools ~

				SrTools

Version March 2001

[Back to the Searching tools]

Softwareversing tools

[Basic tools] [Hexeditors] [Text editors and seek & replaces]
[Disassemblers] [Debuggers] [Monitors] [Program killers] [Resource editors]
[Software Customizers]
My tools pages are not only a "swiss blades" repository for newbies that begin to grasp the powerful reversers' and seekers' lore... the tools I have gathered should be quite useful for anyone that happens to be "lost on an alien computer", miles from home and without his trusted own-made CDs. This happens to me often enough, hence I find myself these pages quite useful :-) You'll find here (I hope) all the necessary tools to survive, secure your current box, AND reverse everything in sight. Some of these tools will even allow you to retaliate and strike back, should anyone dare to annoy you! This section will always be "in fieri", but I'll slowly add all sort of useful applications (uncracked and "abandoned", of course). Note that for correctness, the most recent versions og any given application are NOT to be found here (unless given explicit permission by the Authors). But, see, I would like as well to demonstrate that you DO NOT need (far from it :-) the most recent version of a given software... once you know what you have to do, you may use a dos program as well as the most recent frilly windozian version, with the advantage (if you use older versions) that you'll at least be sure that the program you use are not trojaning your data somewhere everytime you connect to the web!

Main advice of my "Tools" section:

DO NOT UPDATE YOUR SOFTWARE...
...unless you know pretty well how to reverse - and modify - it!
As a (simplistic) rule: the older your version, the less likely it is that it will [malbehave] and spy on you...

Softwareversing tools

Basic tools
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[hexchart] You'll use it again and again every time you sniff code :-)
[symdeb] symdeb.zip, 25398 bytes: symdeb M$ symbolic debug utility, version 4, when M$ was still able to program, old aber still useful :-)

Hexeditors
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[psedit] psedit.zip, 64242 bytes: Parity Solutions' DOS powerful (and +ORC's preferred) hexeditor, old aber still useful :-)
[hexworkshop] hexwo210.zip, 0389618 bytes: Hex workshop version 2.10, by BreakPoint Software, the hexeditor for windoze, very powerful: you wont need more recent versions: this will cut all possible mustard :-)
[hexworkshop] hexwo250.zip, 1101082 bytes: Hex workshop version 2.50, by BreakPoint Software, the hexeditor for windoze, very powerful: they "upgraded" from 300000 to more than a million bytes :-( Maybe you should choose the OLDER version instead...
hiew
[winhex] winhex.zip, 606223 bytes, by Stefan Fleischmann
See http://www.winhex.com/winhex/forensics.html, a professional data recovery and computer investigation tool. WinHex is able to create true mirrors (including all slack space) of most media types. It incorporates sophisticated, flexible and lightning-fast search functions that you may use to scan entire media (or image files), including slack, for deleted files, hidden data and more. Via physical access, this can be accomplished even if a volume is undetectable by the operating system, because the file system is corrupt or unkown.
This toolz recognizes the type of unknown data when examining hard disk sectors, by sole use of visual representations!

Text editors and seek & replaces
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

[ultraedit] uedit310.zip, 574641 bytes: Ultraedit version 3.10, by Ian Mead: BEST texteditor for windoze, higly recommended, incredibly powerful, this is an old, yet powerful enough version, you may be interested to read a very old essay of mine on the limits of its [protection]
.
find & replace
byte movers

Disassemblers
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

Wdasm
(Still awaiting Peter Urbanik's permission to link to it, in the mean time you'll be able to find it all over the web with banal searches). If you start to use it for real, please do register it, I have seldom seen such an useful program around. In fact I paid for my copy of wdasm. This quick disassembler still beats ida when you want to defeat an easy protections or you need to perform some simple "on the fly" code-reversing investigations (i.e. 70% of times).

[IDA!] idafree.zip, 12.522.567 bytes... lotta bytes, biggest appz on my tools page... but WHAT for bytes!: IDA, Ilfak's masterpiece, version 3.85B, by Ilfak Guilfanov & Pierre Vandevenne: BEST disassembler around when you really need to work... read what Pierre says about this release (end december 2000):

 I've just made a new FREEWARE version of our IDA Pro disassembler 
 available. It is basically last year's 3.85B commercial release, 
 which means that it even supports FLIRT (Fasy Library Identification 
 and Recognition Technology). There is no catch : it is free, supports 
 the DOS / WIN 80x86 file formats we supported at that time and a couple 
 of other things as well, no size limit, no time limit and is even 
 somewhat supported (we'll fix reported bugs if practical).
 We are releasing it for tree reasons:
- we are a bit tired of seeing poorly cracked versions going around;
- we have made real progress with our new versions;
- we realize there is a need for a non pro to investigate potentially 
  hostile code on an amateur basis and that the budget for the full
  version shouldn't be an obstacle.
 The file can be found on our ftp idafree.zip @ datarescue
 Our ftp is a bit overloaded is now, redistribution of the file is ok,
 provided it is not altered.

So download it [here] (@ fravia's) and enjoy! This is a truly wondrous cadeau by Pierre and Ilfak for all present and future reversers entering the third Millennium! Note that there's a dedicated messageboard for IDA-matters, see [here].

NEW!: An average of ~300 copies downloaded daily... lotta future reversers, I hope!

Debuggers
If you don't know what these tools are for, nor what astounding deeds they can perform in our more and more "softwarocentric" world, be prepared to be amazed by the sheer cosmic power they will almost immediately grant you. Indeed the following tools are powerful weapons, as you'll learn as soon as you begin using them...

...a good software reverser that knows how to use his softice can sign the fate of a smart "billion-dollar" industry...
[Neue Zürcher Zeitung], January 2001

SOFTICE!!! Softice aka Winice aka sice aka SI aka cutter aka (for older versions) memphis
MUST HAVE TOOL FOR ANY REVERSER!!
search the web for it, 'trial', 'regged' and 'cracked' versions are to be find literally everywhere (everywhere software reversing activities are seriously performed, that's it), this target's names will mostly emerge like si405wi95.zip, SI405_9x.zip... that's for version 4.05... you get the idea... or try good ftp searches for subdirectories named sice or Softice or siw... and so on, if you'r serious about reversing software buy it (one of the VERY FEW pieces of software that deserves it in spades) @ Numega's (as long as they will be allowed to sell such a powerful software weapon.
This is the most hated tool by those (bastards) that get the creeps seeing the [GNU/Free software] movement and ideas applied to the windoze world.
There are two older sice versions for dos: sice 2.6 (this version snaps in memory!) and sice 2.8 (alas! This version doesn't snap in memory). You'll find them 'searching the archies' and/or perusing older alleys of the web and/or once you will have found the mythical "ORCpaks".

Microsoft's one (IWINDEBUG)
Useful if you want to quickly disass a piece of simple software that has too many anti-softice tricks inside you would bother to deactivate...

Ollydbg by Oleh Yuschuk (thanks Oleh!)
v.1.0 november 2000 [ollydbg.zip] : 299786 bytes
v.1.01 january 2001 [odbg101.zip] : 325994 bytes
v.1.02 March 2001 [odbg102.zip] : 440558 bytes
This version includes decoding of Windows messages, better code analysis with register tracing, extended API data base, extended support for debugging information in Borland format, transparent processing of single-step traps set by debugged program, support for console applications, possibility to attach external API help file, more consistent user interface (Oleh)
see http://home.t-online.de/home/Ollydbg/ for details
OllyDbg 1.01 is a 32-bit code level debugger for Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable... as Oleh points out ;-)

TRW2000 for Win95/98
v.1.23 january 2001 [trw2000.zip] : 336060 bytes
The chinese alternative to softice... by LiuTaoTao & ZhuNanHao
Powerful Windows9x system debugger, traces DOS COM, DOS EXE,DPMI, 16bit NE,32bit PE programs, ring0 VxDs. It traces from Ring0 and supports complex breakpoints

GoVest
v. 0.9b-1 November 2000 [govest.zip] : 1164370 bytes
Win32 debugger and disassembler, by Ansgar Trimborn
A debugger that _Mammon suggested. It is capabable of using source code information in COFF, PDB and VOM format

You may also wish to read this snippet by Dindon on how to debug a debugger...
Finally, don't forget that wdasm -see "disassemblers", above- has also an useful and quite powerful (if somehow messy) debugger functionality inside itself...

Monitors
Either you know what you use these tools for or you search & learn or just try and find out :-)
"Probieren geht über studieren"

Filemon: [filesrc.zip] : 323906 bytes
Mark Russinovich & Bryce Cogswell, @ [sysinternals] deserve the reversing Nobel

API monitors: [apispy32.zip] : 209035 bytes
Yariv's clever tool for API monitoring (and yes, of course I asked his permission before posting it here). You'll have to edit your preferred APIs inside the text file C:\windows\APISpy32.api of course (see help-documentation). I don't believe YOU'll believe the many useful purposes this beautiful tool can be used for... version 3 will arrive next month :-)

Program killers
With a buggy operating system like windoze you'll need pview running all the time

Pview: [pview.zip] : only 23404 bytes, but what for bytes!
"Never again without pview" said fravia+ debugging a friend's continuously crashing computer

Resource editors
Quite some tools... :-)

Borland resourse workshop, version 4.5: [brw45.zip] : 2443613 bytes, but such a reversing wizard power!
Ok, admittedly, old, obsolete, slow, whatever... but they don't do this kind of mighty tools anymore (actually they are trying to ban such tools... USE it and then let me know!
You may want to read my old [ultrae2.htm] essay to understand what this (now abandonedware and public domain) tool can eventually do...

Software customizers
If you wish to kill ads, tweak whatever or re-enable some grayed options
customiz.zip ~ 653537 bytes customiz.zip
[The customizer per anthonomasia, version 1.10]
You'll find this even more useful than poledit when your system administrator or your software programmer has chosen to 'disable' some options... :-)
See for instance how you can modify on the fly the webferret bot in this essay. See also another interesting use of the customizer (tweaking EULAs) in this [conference of mine]
customiz.exe ~ 692224 bytes: this is customiz.zip version 1.10 autoextracting as exe
very useful when you need to perform some quick tweakings from -say- a web-café ;-)

cust115.zip ~ 272528 bytes: cust115.zip
[The customizer per anthonomasia, version 1.15]
A ridicolous time check protection... any kid could set all FOUR occurrences of 000007D1 (if you have installed it in 2001) to -say- 00000BB9 with the result that the program will expire in 3001. (And if that's not enough... set all four to 00000FA1 :-) Maybe the good people at wanga should learn [some better tricks] to protect this most useful appz.

(c) III Millennium: [fravia+], all rights reserved