• Reverse Engineering Thread March 2012
    76 replies, posted
This thread will contain information, stories, and generally everything about reverse engineering, be it .NET programs, C++ or Java. All non-warez subjects welcome here, including keylogger decompiling.

Resources:

C#
[url]http://www.reflector.net/[/url]
[url]http://wiki.sharpdevelop.net/ilspy.ashx[/url] - Free alternative to .NET Reflector
[url]https://github.com/0xd4d/de4dot/[/url] - Free .NET deobfuscator
[url]http://code.google.com/p/simple-assembly-explorer/[/url]

Java
[url]http://members.fortunecity.com/neshkov/dj.html[/url]

C++
[url]http://boomerang.sourceforge.net/[/url] (work in progress)
[url]http://www.ollydbg.de/[/url] - Popular debugging/reverse engineering tool
[url]http://www.hex-rays.com/products/ida/index.shtml[/url] - IDA
[url]http://www.rohitab.com/apimonitor[/url]

Overall:
[url]http://www.sandboxie.com/[/url]
[url]http://anubis.iseclab.org/[/url]
Wireshark - [url]http://www.wireshark.org/[/url]
Charles (if it's an HTTP/HTTPS API/whatever) - [url]http://www.charlesproxy.com/[/url]
[url]http://www.fiddler2.com/fiddler2/[/url] if you're using Windows. It's free, and can do most of the things Charles can do.
[url]http://www.ntcore.com/exsuite.php[/url] - CFF Explorer can edit PE and .NET headers, disassemble x86 (16-bit), x86, x64 and MSIL, realign files, edit signatures and debug info, find dependencies, edit resources and imports, and is also a hex editor.
Anubis is great if you want to easily see what a program does when it's run. It logs things like network traffic, registry edits, file edits, etc. The only downside is that if the virus has a message box before continuing you won't see everything. Also, .NET is not supported. [url]http://anubis.iseclab.org[/url] Here is an example: [url]http://anubis.iseclab.org/?action=result&task_id=170290d3e25661164c59287b50959feba&format=html[/url] As you can see it does a DNS query for phillerp.no-ip.biz. It's a RAT, so aside from that you won't get too much (emails, etc.). I think I will go over setting up a malware VM later. Anubis is nice, but it's better to set up a VM to more easily monitor/analyze malware.
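The kind of check a sandbox network log like the one above supports, as an added example that is not from the thread or from Anubis: it scans a constructed "<time> <event> <value>" log for DNS lookups of dynamic-DNS hosts (the pattern the no-ip.biz query illustrates); the log layout and the provider suffix list are assumptions.

```python
import re
from collections import defaultdict

# Added example, not code from the thread or from Anubis. The log format is a
# constructed "<time> <event> <value>" layout; the provider list is an
# assumption (illustrative, not exhaustive).
DYNAMIC_DNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "dyndns.org", "zapto.org", "hopto.org")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<value>\S+)$")


def parse_line(line):
    """Return (timestamp, event, value) or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("event"), m.group("value")) if m else None


def is_dynamic_dns(hostname):
    """True if hostname is a provider suffix or a label under one.

    Matching is done on label boundaries, so a lookalike such as
    'x.no-ip.biz.example.com' is not flagged.
    """
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_dynamic_dns_queries(log_text):
    """Map each flagged hostname to the timestamps it was queried at."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "DNS_QUERY" and is_dynamic_dns(parsed[2]):
            hits[parsed[2].lower().rstrip(".")].append(parsed[0])
    return dict(hits)


# Constructed sample log; the no-ip.biz host is the one named in the Anubis
# report linked above, everything else is made up.
SAMPLE_LOG = """\
12:00:01 FILE_WRITE C:\\Users\\victim\\AppData\\Roaming\\svchost.exe
12:00:02 REG_WRITE HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost
12:00:03 DNS_QUERY phillerp.no-ip.biz
12:00:03 DNS_QUERY www.microsoft.com
12:00:07 DNS_QUERY x.no-ip.biz.example.com
12:01:03 DNS_QUERY phillerp.no-ip.biz
a line that does not parse
"""

if __name__ == "__main__":
    for host, times in find_dynamic_dns_queries(SAMPLE_LOG).items():
        print(f"{host}: {len(times)} lookups at {', '.join(times)}")
```

Repeated lookups of the same dynamic-DNS host at a fixed interval are the beaconing signal worth alerting on, which is why the result keeps every timestamp rather than just a count.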
[url]http://www.sandboxie.com/[/url] might be useful if you want to run a program safely. Don't take my word for it though.
[QUOTE=Darwin226;34960628][url]http://www.sandboxie.com/[/url] might be useful if you want to run a program safely. Don't take my word for it though.[/QUOTE] I use a full VM with a setup of Windows in it, copy the HD, and try an executable on that. Safest way to do so.
Add these to OP: [url]http://wiki.sharpdevelop.net/ilspy.ashx[/url] - Free alternative to .NET Reflector [url]https://github.com/0xd4d/de4dot/[/url] - Free .NET deobfuscator [url]http://www.ollydbg.de/[/url] - Popular debugging/reverse engineering tool
[QUOTE=Darwin226;34960628][url]http://www.sandboxie.com/[/url] might be useful if you want to run a program safely. Don't take my word for it though.[/QUOTE] Sandboxie is fine. Just make sure to configure it correctly. With the default config, if you run some malware that steals accounts, it can do that. By default Sandboxie allows programs to read any file and access the internet.
[QUOTE=Simspelaaja;34960669]Add these to OP: [url]http://wiki.sharpdevelop.net/ilspy.ashx[/url] - Free alternative to .NET Reflector [url]https://github.com/0xd4d/de4dot/[/url] - Free .NET deobfuscator [url]http://www.ollydbg.de/[/url] - Popular debugging/reverse engineering tool[/QUOTE] I have added this! [editline]2nd March 2012[/editline] [QUOTE=high;34960697]Sandboxie is fine. Just make sure to configure it correctly. With the default config, if you run some malware that steals accounts, it can do that. By default Sandboxie allows programs to read any file and access the internet.[/QUOTE] This is why I fill my VM with some honeypot accounts (i.e. Yahoo, email, etc. accounts that I never use, but I watch for activity).
[QUOTE=nekosune;34960810]I have added this! [editline]2nd March 2012[/editline] This is why I fill my VM with some honeypot accounts (i.e. Yahoo, email, etc. accounts that I never use, but I watch for activity).[/QUOTE] why would you do that when you shouldn't need to let the malware run in the first place?
Add IDA: [url]http://www.hex-rays.com/products/ida/index.shtml[/url]
Yeah, there are a lot of Sandboxie bypasses. Cybergate has it...
[QUOTE=Soda;34961091]why would you do that when you shouldn't need to let the malware run in the first place?[/QUOTE] Curiosity as to what it will do when it is in a safe environment, for wrong. Anti-virus researchers often use a similar technique when investigating viruses; the VM I use logs all attempted internet use, and when I allow it to use the internet, I use Wireshark to watch.
[QUOTE=nekosune;34961650]Curiosity as to what it will do when it is in a safe environment, for wrong. Anti-virus researchers often use a similar technique when investigating viruses; the VM I use logs all attempted internet use, and when I allow it to use the internet, I use Wireshark to watch.[/QUOTE] alternatively, open it in IDA or similar and you'll know straight away what it does? this is what a real researcher would do, and it'd provide far more information. there isn't an instance where running it and monitoring it would be better.
[QUOTE=Soda;34961730]alternatively, open it in IDA or similar and you'll know straight away what it does? this is what a real researcher would do, and it'd provide far more information. there isn't an instance where running it and monitoring it would be better.[/QUOTE] And that must be why more and more viruses and trojans check for virtual machines now, because no researchers EVER use them to help work out what they do. [editline]2nd March 2012[/editline] [url]http://www.thesecurityblog.com/2011/11/mac-trojan-flashback-b-checks-for-vm/[/url] [quote]VMware-aware malware (say that ten times fast!) is a common anti-research technique used within the Windows ecosystem[/quote] [editline]2nd March 2012[/editline] also [url]http://www.f-secure.com/weblog/archives/00002251.html[/url] So F-Secure, the professionals, are saying that anti-virtualization is "a common anti-research" technique.
[QUOTE=windwakr;34962114]Can you provide links to any of those bypasses? And not PoCs from years ago that have been patched. I also can't find anything about Cybergate bypassing Sandboxie. I see that it has an "Anti-Sandboxie" feature, but as far as I can tell that just detects Sandboxie and refuses to run when it's sandboxed.[/QUOTE] Detecting it and doing that can be just as bad, as some would have some BS message like "We have detected that the anti-hacking program Sandboxie is in use; for this hack to work, it needs to be disabled", and sadly, that would catch some people.
[QUOTE=nekosune;34961800]And that must be why more and more viruses and trojans check for virtual machines now, because no researchers EVER use them to help work out what they do. [editline]2nd March 2012[/editline] [url]http://www.thesecurityblog.com/2011/11/mac-trojan-flashback-b-checks-for-vm/[/url] [editline]2nd March 2012[/editline] also [url]http://www.f-secure.com/weblog/archives/00002251.html[/url] So F-Secure, the professionals, are saying that anti-virtualization is "a common anti-research" technique.[/QUOTE] the only reason large companies use VMs in this manner is to process a large amount of suspected malware, to see if it does anything. a single user doesn't need to do this, hence it being unnecessary. are you writing your own AV? no. you're trying to extract any information you can from the program. you're not running a virtual machine farm and delivering batch jobs to them to process a set of binaries.
[QUOTE=Soda;34962182]the only reason large companies use VMs in this manner is to process a large amount of suspected malware, to see if it does anything. a single user doesn't need to do this, hence it being unnecessary. are you writing your own AV? no. you're trying to extract any information you can from the program. you're not running a virtual machine farm and delivering batch jobs to them to process a set of binaries.[/QUOTE] All your posts in this thread in a nutshell: "NO, YOU ARE WRONG! Do things MY way." If he wants to run sandboxie or a VM or have some fake fucking emails as honeypots, let him do it. HE is conducting his own research, and you are not involved in it. Get out of your ass.
Seems a lot of work instead of downloading the source code.
[QUOTE=Soda;34962182]the only reason large companies use VMs in this manner is to process a large amount of suspected malware, to see if it does anything. a single user doesn't need to do this, hence it being unnecessary. are you writing your own AV? no. you're trying to extract any information you can from the program. you're not running a virtual machine farm and delivering batch jobs to them to process a set of binaries.[/QUOTE] I would have thought that monitoring the network to see where the passwords are sent is much faster than stepping through assembly.
[QUOTE=Darwin226;34962551]I would have thought that monitoring the network to see where the passwords are sent is much faster than stepping through assembly.[/QUOTE] Ahh, but you see, that's too hackforum-like for him; you need to actually do everything the way they don't to be considered serious!
It's funny how often I see a link I think is really useful only to discover I already have it bookmarked...
[QUOTE=Fox-Face;34962354]All your posts in this thread in a nutshell: "NO, YOU ARE WRONG! Do things MY way." If he wants to run sandboxie or a VM or have some fake fucking emails as honeypots, let him do it. HE is conducting his own research, and you are not involved in it. Get out of your ass.[/QUOTE] he is posting it on facepunch, a peer-reviewed scientific forum. anyone posting here is subject to correction. [QUOTE=Darwin226;34962551]I would have thought that monitoring the network to see where the passwords are sent is much faster than stepping through assembly.[/QUOTE] uploading it to a free sandbox VM tracing service like anubis or that other one would be even faster and less resource-intensive, if your only intent is to find out the address of the receiver. which really isn't that important.
Do you really hate this forum so much or what? Saying that we're "finally showing that we're just another hack-forum" is as frustrated as someone gets. The things some people made on here are pretty amazing, and a huge majority has nothing to do with reverse engineering or "hacking" of any kind. And I don't get what you have against people decompiling random VB keyloggers and screwing with the people who made them. It's fun, it's useful (arguably) and in some cases challenging.
[QUOTE=Soda;34964765]he is posting it on facepunch, a peer-reviewed scientific forum. anyone posting here is subject to correction.[/QUOTE] Except you are not giving advice or correcting him, you are shoving things down his throat without any argument that makes sense.
You know what the best idea would be? Ignore Soda. If nobody replies to anything he says then there's no way he can start any more arguments.
IDA totally trumps ollydbg, anyone that disagrees is a fag
Add this to OP [url]http://code.google.com/p/simple-assembly-explorer/[/url]
[QUOTE=Hayburner;34967342]IDA totally trumps ollydbg, anyone that disagrees is a fag[/QUOTE] except searching for anything being far far slower. patching being more labor intensive. both are completely situational, and what you use depends on what you want to do.
-snip-
[url]http://www.rohitab.com/apimonitor[/url] [editline]3rd March 2012[/editline] Maybe we should make some reverse engineering challenges; they would be pretty easy to make and fun to do.
[QUOTE=OldFusion;34971904]Maybe we should make some reverse engineering Challenges, they would be pretty easy to make and fun to do.[/QUOTE] Great idea, I'd love to participate in this.