Cracker Handbook 1.0 part 5 potx

breakpoint is used to stop the execution of a program

2. OllyDbg: a 32-bit assembler-level analysing debugger for Windows. It analyses any
program as Assembler code, which makes OllyDbg especially useful when the program's
source files are not available. It also shows you the values of the registers, the
procedures, API function calls, tables, constants, strings, etc. You can also attach
comments to individual instructions. In short, it is the tool most popular with
crackers. OllyDbg is completely free; you can download it and use it from the address:


5. PEiD: a tool that can recognise most common packers and cryptors. It currently
recognises more than 600 different signatures in PE files.

Post #1 by hacnho

2.Import REConstructor: This tool is designed to rebuild imports for
protected/packed Win32 executables. It reconstructs a new Image Import Descriptor
(IID), Import Array Table (IAT) and all ASCII module and function names. It can also
inject into your output executable a loader which is able to fill the IAT with real
pointers to API or a ripped code from the protector/packer (very useful against
emulated API in a thunk).

(Source: readme)
In short: this is a tool designed to rebuild the import functions of a protected or
packed Win32 program. It rebuilds an Image Import Descriptor (IID), the import
table (IAT), and all module and function names. It can also inject into your output
executable a loader that fills the IAT with real pointers to the API functions, or with
a piece of code ripped from the protector/packer.


Post #1 by Merc:

3. HIEW: Basically HIEW is a hex viewer for those who need to change some bytes in
the code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text,
hex, and Pentium(R) 4 disassembler mode.

In short: a tool for editing a program in hex (that is, hexadecimal) under DOS, very
useful for anyone who wants to change a few bytes in a program's code.

Features:

- Text/hex mode editor
- Built-in Pentium(R) 4 assembler
- Physical & logical drive view & edit
- Creating new files
- Search and replace in blocks
- Context help (however help file is not necessary for starting HIEW)
- Search for assembler command wildcards
- Keyboard macros
- Built-in 64-bit calculator

(Source: readme)
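The readme's "7xh to 0EBh" is the classic conditional-to-unconditional jump patch. The following added example (written for this page, not HIEW's code) performs that edit on a byte buffer with the checks a practitioner wants: it refuses to touch anything that is not a conditional jump, it also handles the six-byte near form 0F 8x rel32 (where a naive E9 overwrite would shift the following bytes), and it lets you verify that the jump target is unchanged before and after the patch. The sample byte strings are constructed.

```python
"""Byte-patch x86 conditional jumps in a raw buffer, the "7xh to 0EBh" edit
HIEW's readme alludes to.  Added example on constructed bytes; not HIEW's code."""
import struct

SHORT_JCC = range(0x70, 0x80)       # Jcc rel8: 2 bytes
NEAR_JCC = range(0x80, 0x90)        # 0F Jcc rel32: 6 bytes
SHORT_JMP, NEAR_JMP, NOP = 0xEB, 0xE9, 0x90

# Constructed "serial check" fragments: test eax,eax / jne over the success
# path / mov eax,1 / ret.  The jne starts at offset 2 in both buffers.
SAMPLE_SHORT = bytes.fromhex("85C0 7505 B801000000 C3")
SAMPLE_NEAR = bytes.fromhex("85C0 0F8405000000 B801000000 C3")


def is_jcc(code, offset):
    """True if a short (7x rel8) or near (0F 8x rel32) conditional jump starts here."""
    op = code[offset]
    return op in SHORT_JCC or (op == 0x0F and offset + 1 < len(code)
                               and code[offset + 1] in NEAR_JCC)


def jump_length(code, offset):
    """Length of the jump at offset: 2 (Jcc/JMP rel8), 5 (JMP rel32), 6 (Jcc rel32), else 0."""
    op = code[offset]
    if is_jcc(code, offset):
        return 2 if op in SHORT_JCC else 6
    if op == SHORT_JMP:
        return 2
    return 5 if op == NEAR_JMP else 0


def jump_target(code, offset):
    """Buffer-relative target of the jump at offset.  rel8/rel32 are signed and
    relative to the end of the instruction, so length matters."""
    length = jump_length(code, offset)
    if length == 0:
        raise ValueError(f"no jump at {offset:#x}")
    if length == 2:
        (rel,) = struct.unpack_from("<b", code, offset + 1)
    else:
        (rel,) = struct.unpack_from("<i", code, offset + length - 4)
    return offset + length + rel


def jcc_to_jmp(code, offset):
    """Make the conditional jump at offset unconditional, in place (code must be
    a bytearray).  Short form: one-byte opcode swap, 7x -> EB.  Near form: 0F 8x
    rel32 is six bytes but E9 rel32 is five, so it becomes 90 E9 rel32; the NOP
    keeps the instruction boundary and rel32 (relative to the end) is unchanged.
    Returns the length of the instruction that was rewritten."""
    if not is_jcc(code, offset):
        raise ValueError(f"no conditional jump at {offset:#x} (byte {code[offset]:02X})")
    length = jump_length(code, offset)
    if code[offset] in SHORT_JCC:
        code[offset] = SHORT_JMP
    else:
        code[offset], code[offset + 1] = NOP, NEAR_JMP
    return length


def jcc_to_nop(code, offset):
    """Overwrite the conditional jump with NOPs of the same length, so execution
    always falls through to the next instruction."""
    if not is_jcc(code, offset):
        raise ValueError(f"no conditional jump at {offset:#x}")
    length = jump_length(code, offset)
    code[offset:offset + length] = bytes([NOP]) * length
    return length
```

After `jcc_to_jmp` the target computed by `jump_target` must be the same as before the patch (for the near form, read it from the E9 at `offset + 1`); if it is not, the patch landed on something that was not a jump boundary. On a real file you would also apply this through the RVA-to-file-offset mapping rather than at a virtual address, and HIEW's built-in assembler does the same rewrite interactively.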



1.CFF Explorer
Quote:
This is a PE Editor with full support for PE32/64. Special fields description and
modification, utilities, rebuilder, hex editor. First PE Editor with support for .NET
internal structures. Resource viewer (bitmaps, icons, cursors etc. are all dumpable
to disk) with support for .NET manifest resources (which are dumpable as well).

Copyright (C) Ntoskrnl (Daniel Pistelli)
(source from homepage)
2.Hex Workshop
Quote:
This is a set of hexadecimal development tools for Windows 9x,
NT, 2000, and XP. It combines advanced binary editing with the ease and
flexibility of a word processor. With Hex Workshop you can edit, insert,
delete, cut, copy, and paste hex, print high quality customizable hex
dumps, and export to RTF or HTML for publishing. Additionally, you can
goto, find, replace, compare, and calculate checksums within a file.

Copyright (C) BreakPoint Software
(source from readme)
3.LordPE
Quote:
It is a tool e.g. for system programmers which is able to edit/view many parts of
PE (Portable Executable) files, dump them from memory, optimize them, validate,
analyze, edit, ...

Copyright (C) yoda
(source from homepage)

4.PEiD
Quote:
PEiD detects most common packers, cryptors and compilers for PE files. It can
currently detect more than 600 different signatures in PE files.

Copyright (C) snaker - Qwerton - Jibz
(source from readme)
5.PE Explorer
Quote:
This is a multi-purpose PE (portable executable) file editor and binary header
analysis tool for Windows developers. It tells you just about every little detail you
could possibly want to know about a PE file (exe, dll, ActiveX, and several other
executable formats). PE Explorer comes with a Visual Resource Editor, PE Header
Viewer, Exported/Imported API Function Viewer, API Function Syntax Lookup,
Dependency Scanner and Easy Disassembler.

Copyright (C) Heaventools Software
(source from readme)
6.PEQuake
Quote:
PEQuake is a win32 executable protector from China. It seems to be modified
from Hying's PE-Armor and has some excellent features: it can encrypt imports,
special code and resources.
The soft is designed to protect your program, and the protected file will start up
with a cool logo.

Copyright (C) fORGAT
(source from readme)
7.PE Tools
Quote:

Professional utility for working with PE/PE+ (64-bit) files, which includes: a PE
file editor, Task Viewer, Win32 PE file optimizer, compiler/packer detector and
much more.

Copyright (C) NEOx
(source from homepage)
8.Quick Unpack
Quote:
The program is intended for fast (in 2 seconds) unpacking of simple packers (UPX,
ASPack, PE Diminisher, PECompact, PE-PACK, PackMan, WinUPack and many
others). Quick Unpack tries to bypass all possible scramblers/obfuscators. From
version 1.0 the ability to unpack DLLs has been added. This makes Quick Unpack a
unique software product which has no analogues in the world!

Copyright (C) FEUERRADER [AHTeam]
(source from readme)
9.Resource Binder
Quote:
Program for restoring the resource section after removal of a packer/protector.
The program automatically creates a new resource section at the end of the file
and completely reconstructs all resources into this section. Optionally, after
this it can zero out the old resource section and optimize the file.

Copyright (C) SetiSoft Team
(source from readme)
10.Trial-Reset
Quote:
This is a registry cleaning tool. The main function of Trial-Reset is to remove the
keys generated by commercial and freeware protectors.
Trial-Reset does not crack the program but only extends the trial period.

Copyright (C) The Boss and All RSR Team
(source from help file)

11- IDA
Quote:
IDA is an interactive disassembler. It means that the user takes active participation
in the disassembly process. IDA is not an automatic analyser of programs. IDA
will hint you of suspicious instructions, unsolved problems etc. It is your job to
inform IDA how to proceed.
(readme)
Quote:
The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on the Windows platform.
Universally acclaimed as the best disassembler money can buy, IDA Pro has become
the de-facto standard for the analysis of hostile code and is quickly establishing
itself as a major tool in the field of vulnerability research.
(hacnho tut :D)
12- ABEL
Quote:
ABEL is a loader generator tool that allows you to generate loaders. And ABEL
means:
A ny
B uild
E nabled
L oader
(readme)
13- DeDe

Quote:
DeDe is a very fast program that can analyze executables compiled with Delphi
2,3,4,5 and Builder and give you the following:
- All dfm files of the target. You will be able to open and edit them with Delphi.
- All published methods in well commented ASM code with references to strings,
imported function calls, class method calls, components in the unit, Try-Except
and Try-Finally blocks.
(By default DeDe retrieves only the published methods' sources,
but you may also process another procedure in an executable
if you know the RVA offset, using the Tools|Disassemble Proc menu.)
- A lot of additional information.
- You can create a Delphi project folder with all dfm,
pas, dpr files. Note: pas files contain the above-mentioned
well commented ASM code.
They can not be recompiled!
You can also:
- View the PE Header of all PE Files and change/edit the section flags.
- Use the opcode-to-asm tool for translating Intel opcodes to assembler.
- Use the RVA-to-PhysOffset tool for fast conversion between physical and RVA addresses.
- Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near-Pascal
code from your DCU files.
- Use the BPL(DPL) Dumper to see BPL exports and create symbol files to use with
the DeDe disassembler.
- Disassemble a target EXE directly from memory in case of a packed exe.
(readme)
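Several of the tools listed above (PEiD's packer signatures, the PE header views of LordPE, CFF Explorer and PE Tools, DeDe's RVA-to-PhysOffset tool) rest on the same few PE structures. The following added example (written for this page; it is not the code of any of those tools) parses a PE32 header and section table, converts RVAs to file offsets, and applies PEiD-style packer heuristics to a constructed two-section image that imitates a UPX-packed file. The packer section-name list and the single entry-point signature are illustrative assumptions, not a copy of PEiD's database.

```python
"""Minimal PE32 header parser with RVA-to-file-offset conversion and a few
PEiD-style packer checks.  Added example run on a constructed sample image;
it is not the code of PEiD, LordPE, CFF Explorer, PE Tools or DeDe."""
import hashlib, math, struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
# A few well-known packer section names (assumed list, far from complete).
PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".adata", ".nsp1", "pec1", ".petite", ".vmp0"}
# One illustrative entry-point pattern in PEiD's "?? = any byte" notation: pushad /
# mov esi,imm32 / lea edi,[esi+imm32] / push edi.  PEiD's database is far larger.
EP_SIGNATURES = {"UPX-style stub": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57"}


def parse_pe(data):
    """MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> PE32 optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only (magic is not 0x10B)")
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return {"entry_point": entry_point, "image_base": image_base, "sections": sections}


def section_of(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(pe, rva):
    """DeDe's RVA-to-PhysOffset: headers map 1:1, section RVAs map to rawptr + (rva - va).
    None when the RVA has no bytes in the file (SizeOfRawData 0, or slack past raw data)."""
    s = section_of(pe, rva)
    if s is None:
        first = min((x["va"] for x in pe["sections"]), default=0)
        return rva if rva < first else None
    delta = rva - s["va"]
    return s["rawptr"] + delta if delta < s["rawsize"] else None


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def match_signature(buf, pattern):
    toks = pattern.split()
    return len(buf) >= len(toks) and all(t == "??" or buf[i] == int(t, 16)
                                        for i, t in enumerate(toks))


def packer_heuristics(pe, data):
    """Section names, where the entry point lives, sections without raw data,
    entropy of the entry-point section and an entry-point byte signature."""
    ep = pe["entry_point"]
    sec = section_of(pe, ep)
    off = rva_to_offset(pe, ep)
    ep_bytes = data[off:off + 64] if off is not None else b""
    sec_bytes = data[sec["rawptr"]:sec["rawptr"] + sec["rawsize"]] if sec else b""
    return {
        "packer_section_names": [s["name"] for s in pe["sections"] if s["name"] in PACKER_SECTIONS],
        "ep_section": sec["name"] if sec else None,
        "ep_in_last_section": bool(sec) and len(pe["sections"]) > 1 and sec is pe["sections"][-1],
        "zero_raw_sections": [s["name"] for s in pe["sections"] if s["rawsize"] == 0 and s["vsize"]],
        "ep_entropy": round(entropy(sec_bytes), 2),
        "ep_signature": next((n for n, p in EP_SIGNATURES.items() if match_signature(ep_bytes, p)), None),
    }


def build_sample_pe():
    """Constructed two-section PE32 shaped like a UPX-packed file: UPX0 has no raw
    data, the entry point is in UPX1 behind a UPX-style stub and high-entropy filler."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 9, 0, 0x200, 0, 0x1000,  # magic .. uninit
                      0x2000, 0x2000, 0, 0x400000, 0x1000, 0x200)       # EP, code, data, base, aligns
    opt += bytes(224 - len(opt))
    def sec(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack(SECTION_HDR, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    hdr = dos + coff + opt + sec(b"UPX0", 0x1000, 0x1000, 0, 0x200, 0xE0000080) \
        + sec(b"UPX1", 0x1000, 0x2000, 0x200, 0x200, 0xE0000040)
    stub = bytes.fromhex("60 BE 00 20 40 00 8D BE 00 F0 FF FF 57")
    filler, seed = b"", b"constructed"
    while len(filler) < 0x200:
        seed = hashlib.sha256(seed).digest()
        filler += seed
    return hdr + bytes(0x200 - len(hdr)) + (stub + filler)[:0x200]
```

On the sample, `packer_heuristics(parse_pe(data), data)` reports both UPX section names, the entry point in the last section, UPX0 with no raw data, an entry-point section entropy above 7 bits and a match on the UPX-style stub; any one of these alone is a hint, together they are what a signature tool reports as "packed". Note how `rva_to_offset` returns None for RVAs inside UPX0: that is exactly the case where a patch made at a file offset computed without this check lands in the wrong place.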
14- Resource Hacker
Quote:
Resource Hacker is a program that has been designed to:

1. View resources in Win32 executable files (*.exe, *.dll, *.cpl, *.ocx) and in
Win32 resource files (*.res) in both their compiled and decompiled formats.

2. Extract (save) resources to file in (*.res) format, as a binary, or as decompiled
resource scripts or images.
Icons, bitmaps, cursors, menus, dialogs, string tables, message tables, accelerators,
Borland forms and version info resources can be fully decompiled into their
respective formats, whether as image files or *.rc text files.

3. Modify (rename or replace) resources in executables or resource files.
Image resources (icons, cursors and bitmaps) can be replaced with an image from a
corresponding image file (*.ico, *.cur, *.bmp), a *.res file or even another *.exe
file.
Dialogs, menus, stringtables, accelerators and messagetable resource scripts (and
also Borland forms) can be edited and recompiled using the internal resource script
editor.
Resources can also be replaced with resources from a *.res file as long as the
replacement resource is of the same type and has the same name.

4. Add new resources to executables or resource files.
Enable a program to support multiple languages, or add a custom icon or bitmap
(company logo etc.) to a program's dialog.

5. Delete resources. Most compilers add resources into applications which are
never used by the application. Removing these unused resources can reduce an
application's size.
(readme)
15- .NET Reflector
Quote:
Reflector is a class browser for .NET components. It allows browsing and
searching the meta data, IL instructions, resources and XML documentation stored
in a .NET assembly.
(readme)
16- dUP
Quote:
dUP (diablo2oo2's Universal Patcher) is a powerful multiple-file patch engine
(readme)
17- aPE
