Windows Reverse Engineering - History of RCE, Reversing Tools
“Modern” RCE started with programmers who circumvented copy protection on classic computer games, such as those written for the Apple II in the early 1980s. Although this trend quickly became a way to distribute pirated computer software, a core of experts remained who developed the RCE field purely for academic reasons.
One of the legendary figures of those heady days was the Old Red Cracker, (+ORC). Not only was +ORC a genius software reverser, he was a prolific author and teacher of the subject. His classic texts are still considered mandatory reading for RCE students.
In order to further RCE research, +ORC founded the High Cracking University, or +HCU. The “+” sign next to a nickname, or “handle,” designated members of the +HCU. The +HCU students included the most elite Windows reversers in the world. Each year the +HCU published a new reverse engineering challenge, and the authors of a handful of the best-written responses were invited as students for the new school year.
One of the professors, known as +Fravia, maintained a motley web site known as “+Fravia’s Pages of Reverse Engineering.” In this forum +Fravia not only challenged programmers, but society itself to “reverse engineer” the brainwashing of a corrupt and rampant materialism. At one point +Fravia’s site was receiving millions of traffic hits per year, and its influence was widespread.
Today, most of the old +HCU has left Windows for the less occult Linux platform; only a few, such as +Tsehp, have remained to reverse Windows software. A new generation of reversers has rediscovered the ancient texts and begun to advance the science once again. Meanwhile, +Fravia himself can still be found wandering his endless library at http://www.searchlores.org.
Reversing Tools
As a software reverse engineer, you are only as good as your tools. Before diving into practical examples later in the chapter, we first review some of the classic Windows RCE tools. Some you can learn in a day, while others may take years to master.
Hex Editors
To edit a binary byte by byte, for example to patch a single opcode (turning a conditional jump into an unconditional one, or overwriting a check with nops), you need a good hex editor. One of the best is UltraEdit, by Ian Mead (http://www.ultraedit.com/), shown in Figure 2-1.
Disassemblers
A disassembler attempts to dissect a binary executable into human-readable assembly language. It reads the raw bytes of the file's code sections, the same bytes the processor would fetch and execute, splits them into instructions, and prints each one as an assembly mnemonic with its operands. Because x86 instructions are variable-length and code and data share the same sections, the disassembler can only make a best guess at where each instruction begins: a single stray data byte in the middle of code can throw the listing out of alignment for several instructions, and a jump over a junk byte can hide the real code from a tool that simply sweeps the bytes in order. Results therefore vary from binary to binary. Nevertheless, the disassembler is the most essential tool for a software cracker.
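The two strategies a disassembler can take, and why a stray byte matters, are easiest to see on a tiny decoder. The following is an added example, not code from the book or from any of the tools it discusses: a toy decoder for a handful of x86-32 opcodes (assumed subset: nop, ret, jmp/jz rel8, call rel32, mov r32,imm32 and the register form of xor), run over a constructed byte string in which a short jump skips over a single junk 0xE8 byte. A linear sweep decodes every byte in order and is thrown off by the junk byte (it swallows the real instructions as the operand of a bogus call); a recursive descent follows control flow from the entry point and recovers the intended code.

```python
"""Toy x86-32 decoder contrasting linear-sweep and recursive-descent disassembly.
Added example; opcode subset and sample bytes are constructed, not from a real binary."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, off):
    """Decode one instruction at code[off:].

    Returns (text, length, successors); successors are the offsets control can
    reach next (empty for ret). Anything unknown or truncated decodes as a single
    data byte, which is what lets a linear sweep drift out of sync."""
    op = code[off]
    fits = lambda n: off + n <= len(code)
    if op == 0x90:
        return ("nop", 1, [off + 1])
    if op == 0xC3:
        return ("ret", 1, [])
    if op in (0xEB, 0x74) and fits(2):                      # jmp rel8 / jz rel8
        target = (off + 2 + struct.unpack_from("<b", code, off + 1)[0]) & 0xFFFFFFFF
        mnem = "jmp" if op == 0xEB else "jz"
        succ = [target] if op == 0xEB else [off + 2, target]
        return (f"{mnem} 0x{target:02x}", 2, succ)
    if op == 0xE8 and fits(5):                               # call rel32
        target = (off + 5 + struct.unpack_from("<i", code, off + 1)[0]) & 0xFFFFFFFF
        return (f"call 0x{target:08x}", 5, [off + 5, target])
    if 0xB8 <= op <= 0xBF and fits(5):                       # mov r32, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return (f"mov {REG32[op - 0xB8]}, 0x{imm:x}", 5, [off + 5])
    if op == 0x31 and fits(2) and code[off + 1] >> 6 == 3:  # xor r32, r32 (ModRM mod=11)
        modrm = code[off + 1]
        return (f"xor {REG32[modrm & 7]}, {REG32[(modrm >> 3) & 7]}", 2, [off + 2])
    return (f"db 0x{op:02x}", 1, [off + 1])


def linear_sweep(code):
    """Decode every byte in order, starting wherever the previous instruction ended."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out


def recursive_descent(code, entry=0):
    """Decode only offsets reachable from the entry point by following control flow."""
    seen, work, out = set(), [entry], {}
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):   # call targets outside the blob are ignored
            continue
        seen.add(off)
        text, _, succ = decode(code, off)
        out[off] = text
        work.extend(succ)
    return sorted(out.items())


# Constructed sample: "jmp +1" hops over a junk 0xE8 byte (the opcode of a 5-byte CALL).
SAMPLE = bytes([
    0xEB, 0x01,                     # 00: jmp 0x03
    0xE8,                           # 02: junk byte, never executed
    0x31, 0xC0,                     # 03: xor eax, eax
    0xB8, 0x2A, 0x00, 0x00, 0x00,   # 05: mov eax, 0x2a
    0xC3,                           # 0a: ret
])

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive descent", recursive_descent(SAMPLE))):
        print(f"--- {name} ---")
        for off, text in listing:
            print(f"{off:02x}: {text}")
```

Run it and the linear sweep shows a bogus `call` at offset 02 followed by three `db 0x00` bytes; the `xor` and `mov` never appear. The recursive descent lists `jmp`, `xor`, `mov`, `ret`. Real disassemblers (IDA included) combine both strategies and still need the analyst to mark code and data by hand where the heuristics fail, which is exactly why the output is a "best guess".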
A popular disassembler, and the tool of choice for many expert reverse engineers, is IDA Pro. IDA (http://www.datarescue.com) is a multi-processor, multi-operating-system, interactive disassembler. It has won numerous accolades, not the least being chosen as the official disassembler of the +HCU in 1997.

Figure 2-1
IDA treats an executable file as a structured object and records everything it learns about it in its own database: function boundaries, names, data types and cross-references. Rather than printing a one-shot listing, it lets you correct and annotate the disassembly interactively and propagates each change through the database, which is what makes recovering something close to the original program structure possible (as opposed to W32DASM, which only displays the code it thinks is important).
One of the most powerful features of IDA is its use of FLIRT signatures. FLIRT stands for Fast Library Identification and Recognition Technology. IDA compares the bytes of each function it finds against signature files generated from compiler runtime libraries, with the bytes that change at link time (relocated addresses) masked out, so that a statically linked library routine is recognized and named rather than presented as unknown code you would otherwise waste hours reversing.
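To make the idea concrete, here is an added example (not IDA's code, and not FLIRT's actual file format or matching algorithm) of the core trick: a signature is a byte pattern in which the link-time-variable bytes are wildcards, and a function is recognized when the bytes at its start match every non-wildcard position. The signatures and the binary blob below are constructed; the wrapper signature has a 4-byte wildcard where the linker writes the call target, so it matches regardless of where the callee landed in a given binary.

```python
"""Simplified library-function recognition in the spirit of FLIRT.
Added example with constructed signatures and bytes; not IDA's format or algorithm."""


def parse_signature(pattern):
    """'55 8B EC E8 ?? ?? ?? ?? C3' -> list of ints, None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


# Hypothetical signatures as they might be generated from a runtime library's
# object files. The ?? bytes are relocation slots the linker fills in, so they
# differ from binary to binary and must not take part in the comparison.
SIGNATURES = {
    # push ebp; mov ebp,esp; mov eax,[ebp+8]; xor ecx,ecx; cmp byte [eax+ecx],0;
    # jz +3; inc ecx; jmp -9; mov eax,ecx; pop ebp; ret
    "_lib_strlen":  parse_signature("55 8B EC 8B 45 08 33 C9 80 3C 08 00 74 03 41 EB F7 8B C1 5D C3"),
    # push ebp; mov ebp,esp; push [ebp+8]; call rel32; add esp,4; pop ebp; ret
    "_lib_wrapper": parse_signature("55 8B EC FF 75 08 E8 ?? ?? ?? ?? 83 C4 04 5D C3"),
}


def matches_at(blob, off, sig):
    """True when every non-wildcard signature byte equals the blob byte at that position."""
    if off + len(sig) > len(blob):
        return False
    return all(b is None or b == blob[off + i] for i, b in enumerate(sig))


def identify(blob, signatures):
    """Return {offset: name} for each signature found.

    A real tool only tests offsets its disassembler has identified as function
    starts; this toy scans every offset. Longer signatures are tried first so
    the more specific match wins, and a match is not re-scanned internally."""
    found = {}
    ordered = sorted(signatures.items(), key=lambda kv: -len(kv[1]))
    off = 0
    while off < len(blob):
        for name, sig in ordered:
            if matches_at(blob, off, sig):
                found[off] = name
                off += len(sig)
                break
        else:
            off += 1
    return found


# Constructed blob: padding, a wrapper instance, a near-miss decoy, a strlen instance.
BLOB = bytes.fromhex(
    "CC CC CC"                                          # 00: int3 padding
    "55 8B EC FF 75 08 E8 12 34 00 00 83 C4 04 5D C3"   # 03: _lib_wrapper, call target filled by linker
    "CC CC"                                             # 13: padding
    "55 8B EC FF 75 08 E8 78 56 00 00 83 C4 08 5D C3"   # 15: decoy: add esp,8 differs at a fixed byte
    "55 8B EC 8B 45 08 33 C9 80 3C 08 00 74 03 41 EB F7 8B C1 5D C3"  # 25: _lib_strlen
)

if __name__ == "__main__":
    for off, name in sorted(identify(BLOB, SIGNATURES).items()):
        print(f"{off:04x}: {name}")
```

The decoy at offset 0x15 differs from the wrapper only in the stack fix-up byte (`83 C4 08` versus `83 C4 04`), which is not a wildcard, so it is correctly left unnamed, while the genuine wrapper at 0x03 is recognized even though its call target bytes (`12 34 00 00`) appear nowhere in the signature. Real signature sets also have to cope with thousands of functions that share the same prologue, which is why FLIRT-style matchers use a tree keyed on the leading bytes and fall back to checksums and secondary byte positions to tell near-identical library routines apart.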
Mastering IDA takes considerable time and effort. The company admits in the user's manual that IDA is difficult to understand. However, once you have mastered IDA, you'll probably prefer it to the combination of W32DASM + SoftICE (discussed later in this chapter). The next section walks you through a few basic IDA configuration and manipulation steps.
Visit the O'Reilly Network http://www.oreillynet.com for more online content.