2.1 Introduction to reverse analysis tools
Binary code analysis relies on reverse analysis tools. These tools fall into four groups: (1) system monitoring tools, (2) disassemblers, (3) debuggers and (4) decompilers.
System monitoring tools are used to observe, investigate and analyze the program under reverse analysis. All communication between a program and the outside world passes through the operating system, so a system monitoring tool can record the program's network activity, file access, registry access and the rest of its runtime behaviour. A disassembler takes the executable binary code of the program as input and produces a text file of assembly code covering all or part of the program.
Disassembly is processor-specific. A disassembler generally supports several CPU architectures, but a good disassembler identifies binary code more accurately (telling code from data, recovering functions and the references between them) and so raises the efficiency of reverse analysis.
A debugger is a program that lets a software developer observe another program while it runs. Its two basic features are breakpoints and code tracing. A breakpoint lets the user pick any line of code in the program; as soon as execution reaches that line, the debugger pauses the program and displays its current state. Code tracing follows the execution of the program as it runs: each instruction is executed, then the program is paused so the user can inspect, or even change, its state. With breakpoints and tracing, the user can watch the code closely while the problematic part of the program executes and pin down where the problem lies.
A decompiler goes a step further than a disassembler: it takes an executable binary and tries to generate readable high-level language code. The idea is to reverse the compilation process and recover the original source files, or something close to them. For the programs most people write in C and C++, however, restoring the original source files is unrealistic.
Reverse analysis uses a large number of auxiliary tools. Each performs an important function in the analysis, and together they play an indispensable part in building a general analysis method.
The analysis tools are classified into five categories. All of the tools below run on Windows.
(1) Disassembly tools
The disassembler is the most important tool in reverse analysis. It not only converts the binary code of an executable into assembly code, it can also identify the structure of the software by analyzing the call relationships between its functions. As the front end of reverse analysis, the disassembler greatly reduces the manual work involved. Our main disassembly tools are:
OllyDbg 1.10 (freeware, a powerful analyzer that combines static disassembly with dynamic debugging)
W32Dasm (freeware, static analysis tool)
IDA Pro 5.0 (commercial software, the most powerful static disassembler)
(2) Dynamic debugging tools
Dynamic debugging tools are the main tools of manual reverse analysis. Static analysis yields information about the software, but its behaviour and many of its details only show up while it runs, so dynamic debugging is needed for the analysis. Our main dynamic debugging tools are:
OllyDbg 1.10 (freeware, a powerful analyzer that combines static disassembly with dynamic debugging)
WinDbg 6.7 [8] (freeware, Microsoft's kernel-level debugger)
(3) Software information identification and modification tools
These are important auxiliary tools for analyzing software information. They make it easy to obtain a program's internal resource information, and they can also modify details of a release build to make debugging easier. Our commonly used tools of this kind are:
Hedit 1.0 (shareware, hex editor)
PEiD 0.94 (freeware, identifies the compiler, linker or packer used to build an executable)
(4) System monitoring tools
Tools that monitor the various aspects of a program's behaviour are indispensable auxiliaries for black-box analysis. We divide them into network, process, file and registry monitoring:
Wireshark 1.0 (free software, network monitoring and packet analysis)
Outpost Firewall 4.01 (shareware, a Windows firewall built on hooking)
Process Explorer (procexp) 10.21 (freeware, powerful process analysis)
Filemon 7.04 (freeware, powerful file read/write monitoring)
Regmon 7.04 (freeware, powerful registry read/write monitoring)
(5) Dedicated anti-protection (unpacking) tools
LordPE (Win32 PE header editor and process dump tool)
ImportREC (repairs the import table of a dumped Win32 PE file)
All-versions ASPack unpacker (freeware, unpacks ASPack-compressed executables)
UnPECompact 2.02 [19] (freeware, unpacks PECompact-compressed executables)
UPX 3.0 [20] (free software, UPX packer and unpacker)
Reference:
Research on the reverse analysis technology of fgsoftware.doc