Tuesday, September 21, 2004

ExeInfo PE

ExeInfo PE shares many features with PEiD but adds functions that make the information easier and faster to reach, such as the following.

The main interface is very similar to PEiD's but adds some useful functionality.

The Rip button extracts all resources at once and saves them into the current directory.

The Tools menu exposes a lot of information from inside the PE file, such as registry keys, the OEP, the resource section (which can be saved), an XOR permutator for undoing simple string obfuscation such as ROT13, and much more.

The File menu offers several actions to take on the analysed file. WYSIWYG.

EXEInfo PE can be downloaded from:

PEiD - PE Identifier

This small tool has big features for anyone who wants to extract information from PE files.

PEiD's own feature list:
1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best of any identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers.
11. New built-in quick disassembler.
12. New built-in hex viewer.
13. External signature interface which can be updated by the user.

Well, I have used it for a long time and it is a great and fast tool for getting PE information without needing to install anything.

PEiD can be downloaded from here:

Sunday, September 19, 2004

Explorer Suite

This is one of the most advanced freeware tool suites for reverse code engineers. Created by Daniel Pistelli, it is a freeware suite including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64: special field description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker, etc. It was the first PE editor with support for .NET internal structures, and its resource editor (Windows Vista icons supported) can handle .NET manifest resources. The suite is available for x86, x64 and Itanium.

- Explorer Suite (Multi-Platform Version, Recommended)
- Explorer Suite (x86 Version)
- CFF Explorer (x86 Version, stand-alone, Zip Archive)

- CFF Explorer Extensions Repository 

CFF Explorer was designed to make PE editing as easy as possible without losing sight of the portable executable's internal structure. It includes a series of tools that help not only reverse engineers but also programmers, and it offers a multi-file environment and a switchable interface.


  • Process Viewer
  • Windows Viewer
  • PE and Memory Dumper
  • Full support for PE32/64
  • Special fields description and modification (.NET supported)
  • PE Utilities
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Resource Editor (full support for Windows Vista icons)
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Import Adder
  • PE integrity checks
  • Extension support
  • Visual Studio Extensions Wizard
  • Powerful scripting language
  • Dependency Walker
  • Quick Disassembler (x86, x64, MSIL)
  • Name Unmangler
  • File Scanner
  • Directory Scanner
  • Deep Scan method
  • Recursive Scan method
  • Multiple results
  • Report generation
  • Signatures Manager
  • Signatures Updater
  • Signatures Collisions Checker
  • Signatures Retriever

TrID - File Identifier

TrID is a utility designed to identify file types from their binary signatures. Whereas similar utilities rely on hard-coded rules, TrID has none: it is extensible and can be trained to recognise new formats quickly and automatically.
TrID has many uses: identifying what kind of file was sent to you by e-mail, aiding forensic analysis, supporting file recovery, etc.
TrID uses a database of definitions that describe recurring patterns for the supported file types. As the database is updated very frequently, it is distributed as a separate package: download both TrID and the definitions archive and unpack them in the same folder.

The database of definitions is constantly expanding; the more definitions are available, the more accurate the analysis of an unknown file can be. You can help! Use the program both to recognise unknown file types and to develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type and the program does the rest.
Because TrID uses an expandable database it need never be out of date. As new file types appear you can run the scan module against them and help keep the program current. Other people around the world do the same, making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.
To get you started, the current library of definitions covers 3833 file types and is growing fast.
TrID is simple to use. Just run TrID and point it at the file to be analysed. The file is read and compared with the definitions in the database, and the results are presented in order of highest probability.
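The training idea behind TrIDScan, as an added example (this is not TrID's code or definition format): feed the trainer several files of one type, keep the byte positions whose value never changes across the samples, then score an unknown file by how many of those fixed bytes it matches and list the definitions by probability. The PNG and GIF sample headers are constructed for the example; a real definition would be learned from complete files.

```python
"""Added example, not TrID's code: a tiny TrIDScan-style trainer and identifier.
The PNG and GIF sample headers below are constructed for the example."""

def train_definition(name, samples, min_samples=3):
    """Learn a definition from several sample files of the same type: keep every
    byte offset whose value is identical in all samples."""
    if len(samples) < min_samples:
        raise ValueError("need at least %d samples to avoid learning noise" % min_samples)
    pattern = {}
    for pos in range(min(len(s) for s in samples)):
        if len({s[pos] for s in samples}) == 1:       # byte is identical in every sample
            pattern[pos] = samples[0][pos]
    return {"name": name, "pattern": pattern}

def score(defn, data):
    """Percentage of the definition's fixed bytes found at the same offset in data."""
    pat = defn["pattern"]
    hits = sum(1 for pos, b in pat.items() if pos < len(data) and data[pos] == b)
    return 100.0 * hits / len(pat) if pat else 0.0

def identify(defs, data, top=3):
    """Best matches first, like TrID's output; definitions scoring 0 are dropped."""
    ranked = sorted(((score(d, data), d["name"]) for d in defs), reverse=True)
    return [(name, round(s, 1)) for s, name in ranked[:top] if s > 0]

# Constructed training sets: three PNG headers with different IHDR dimensions and
# colour types, three GIF headers (two 89a, one 87a) with different sizes and flags.
PNG_SAMPLES = [
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\x00\x00\x00\x80\x08\x06",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x40\x00\x00\x00\x40\x08\x02",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x02\x00\x00\x00\x01\x80\x08\x03",
]
GIF_SAMPLES = [
    b"GIF89a\x10\x00\x10\x00\x80\x00\x00",
    b"GIF89a\x40\x01\xf0\x00\x91\x00\x00",
    b"GIF87a\x00\x01\x00\x01\x00\x00\x00",
]
DEFINITIONS = [train_definition("PNG", PNG_SAMPLES), train_definition("GIF", GIF_SAMPLES)]

if __name__ == "__main__":
    for d in DEFINITIONS:
        print(d["name"], "fixed bytes at offsets", sorted(d["pattern"]))
    print(identify(DEFINITIONS, b"GIF89a\x20\x03\x58\x02\xf7\x00\x00"))
```

Two things worth noticing when you train your own definitions: the GIF definition correctly leaves offset 4 free because the samples mixed 87a and 89a, but both definitions also "learn" zero bytes from the size fields that merely happened to be small in every sample. That is exactly why the TrIDScan page asks for many files of a type; a definition built from three files carries training noise that only more varied samples remove.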

For more information and download click here.

OllyDump for OllyDebugger

OllyDump is one of the more advanced memory-dumping tools and is easy to use as an OllyDbg plugin. Once the process is being debugged at runtime, the plugin automatically finds the PE sections in memory, but it does not find the OEP of a compressed PE for you: you still have to locate the OEP yourself and enter its offset in the OllyDump window. The picture below shows how the OllyDump plugin dumps a UPX-packed file.

Just add the OEP you found to the Modify box and hit the Dump button to save the dumped file. You can edit the listed sections for your own purposes. This is an easy way to dump a PE file without having to highlight all the debugged code and choose 'Follow in Dump > Selection', which sometimes does not produce an accurate result.
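What the tools above actually read and rewrite, as an added example (this is not ExeInfo PE, PEiD, OllyDump or LordPE code): parse the PE headers and section table that PEiD and ExeInfo PE display, apply two PEiD-style packer heuristics, and then rebuild a memory image the way OllyDump's Dump button does, that is, set every section's raw offset and size to its virtual address and size and write the OEP from the Modify box into the header. The sample PE is hand-built for the example: it has a UPX-like section layout (UPX0 empty on disk, entry point in UPX1) and contains no real code.

```python
"""Added example, not the tools' own code: parse PE headers, flag a packed layout,
and rebuild a memory dump the way OllyDump does (raw offsets := virtual addresses,
entry point := the OEP found in the debugger). The sample PE is constructed."""
import struct

def parse_pe(data):
    """Return the header fields and section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "hdr": off,
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "magic": magic, "entry": entry,
            "image_base": image_base, "opt": opt, "sections": sections}

def section_of(pe, rva):
    """Name of the section that contains an RVA, or None (headers or a gap)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def packer_hints(pe):
    """Two PEiD-style heuristics: a section with no file data but a large virtual
    size (where the stub unpacks to) and an entry point outside the first section."""
    hints = []
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hints.append("%s: no raw data but 0x%x virtual bytes" % (s["name"], s["vsize"]))
    if section_of(pe, pe["entry"]) != pe["sections"][0]["name"]:
        hints.append("entry point 0x%x is in %s, not the first section"
                     % (pe["entry"], section_of(pe, pe["entry"])))
    return hints

def build_sample_file():
    """Constructed PE32 with a UPX-like section layout (UPX0 empty on disk)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6F60)                       # entry: packer stub in UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x9000, 0x400)               # SizeOfImage, SizeOfHeaders
    secs = [(b"UPX0", 0x5000, 0x1000, 0x000, 0x000),              # name, vsize, va, rawsize, rawptr
            (b"UPX1", 0x2000, 0x6000, 0x200, 0x400),
            (b".rsrc", 0x1000, 0x8000, 0x200, 0x600)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000020)
                     for n, vs, va, rs, rp in secs)
    hdr = bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    hdr = (hdr + bytes(opt) + table).ljust(0x400, b"\0")
    return hdr + b"\xAA" * 0x200 + b"\xBB" * 0x200                # UPX1 then .rsrc raw data

def load_image(data):
    """Simulate the loader: headers at RVA 0, each section copied to its VirtualAddress."""
    pe = parse_pe(data)
    img = bytearray(max(s["va"] + s["vsize"] for s in pe["sections"]))
    hdr_end = pe["sections"][-1]["hdr"] + 40
    img[:hdr_end] = data[:hdr_end]
    for s in pe["sections"]:
        img[s["va"]:s["va"] + s["rawsize"]] = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(img)

def fix_dump(image, oep):
    """What OllyDump does with the Modify box: point every section's raw offset and
    size at its virtual address and size, and write the found OEP into the header."""
    out = bytearray(image)
    pe = parse_pe(out)
    struct.pack_into("<I", out, pe["opt"] + 16, oep)
    for s in pe["sections"]:                                      # SizeOfRawData, PointerToRawData
        struct.pack_into("<II", out, s["hdr"] + 16, s["vsize"], s["va"])
    return bytes(out)

if __name__ == "__main__":
    packed = parse_pe(build_sample_file())
    print("entry 0x%x in %s" % (packed["entry"], section_of(packed, packed["entry"])), packer_hints(packed))
    fixed = parse_pe(fix_dump(load_image(build_sample_file()), 0x1234))
    print("dump entry 0x%x in %s" % (fixed["entry"], section_of(fixed, fixed["entry"])))
```

The realigned dump loads again because raw and virtual layouts now coincide, which is also what LordPE's realign does. It is not a finished unpack: the import table in the dump still describes whatever the packer stub left in memory, so the dump usually needs its imports rebuilt (LordPE's rebuild import table) before it runs on its own.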

You can find OllyDump here or here.

LordPE Deluxe

LordPE Deluxe has been one of the greatest tools for dumping processes from memory for a long time. It was developed by yoda. Here is what the tool can do:

+ Dump a process from memory and save it as a file.
+ Dump a process module.
+ Get basic information about the PE header.
+ Rebuild any PE file (realign, wipe relocations, rebuild the import table, etc.).

The author's website could be reached at http://y0da.cjb.net but it no longer exists, I guess. You can try to get it from here.

Friday, August 13, 2004

iHack2010 - Challenge #6

Challenge #6 is more about pcap analysis, but no worries, even if it is confusing or tough for some. Simply download the pcap here and open it with Wireshark. If you scroll through the packets one by one you will see a few conversations that mention sending a file. This is fairly simple because the pcap is not mixed with other garbage data. If you keep an eye on the IP addresses you will see some base64-encoded data being transferred.

Simply right-click on the encoded data and choose Follow TCP Stream. A new window opens; click the Save As button and save it under any filename, for example anything.txt.

Then decode it using this online tool: http://www.motobit.com/util/base64-decoder-encoder.asp and save the result as anything.jpg.

Open the picture and you will see a guy talking to you.

There are some clues in the picture; besides that, let's run strings on it. Inside you will find a Unicode string that might be interesting.


At first glance you might think it is decimal, but once you try to decode it that way you get only garbage. Let's take another look at the picture; there might be a hint. Let's try Google Translate from English to Malay.

You will notice that there are two words that cannot be translated properly. If you translate the word 'Anesthetic' it comes up as 'Ubat Bius', but we need the word 'Bius' ('Ubat' means medicine). Searching Google for the word 'PoKLey' turns up nothing interesting either. At this point I spent a lot of time figuring it out. Try combining the two words we found and you get 'PoKLeyBius'. There is something here; let's use uncle Google to find out. Voila, you will see the answer there. If you are familiar with encoding and decoding, you will know how to find this cipher.

Use this online tool http://www.braingle.com/brainteasers/codes/polybius.php to decrypt the cipher and you will get the answer.
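The whole chain above done offline, as an added example (none of this is the challenge's own data or the author's solution): pull the base64 blob out of a saved Follow TCP Stream dump, decode it, check it really is a JPEG, run a strings pass for both ASCII and UTF-16LE text, and Polybius-decode any candidate that is made only of the digits 1 to 5. The chat lines and the "image" bytes are constructed for the example, and the plaintext they hide is made up.

```python
"""Added example, not the challenge's data or the author's solution. The stream
text and the JPEG-like bytes below are constructed; the hidden text is made up."""
import base64
import re

# Standard 5x5 Polybius square, I and J sharing cell 24 (row 2, column 4).
SQUARE = "ABCDEFGHIKLMNOPQRSTUVWXYZ"

def polybius_decode(digits):
    """Map digit pairs (row, column, both 1..5) onto the square; J decodes as I."""
    if len(digits) % 2 or any(c not in "12345" for c in digits):
        raise ValueError("not a Polybius ciphertext: need an even count of digits 1-5")
    out = []
    for i in range(0, len(digits), 2):
        row, col = int(digits[i]) - 1, int(digits[i + 1]) - 1
        out.append(SQUARE[row * 5 + col])
    return "".join(out)

def extract_base64(text, min_len=40):
    """Decode every long run of base64 characters found in a Follow-TCP-Stream dump."""
    blobs = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            pass                      # chatter that merely looks like base64
    return blobs

def strings(data, min_len=4):
    """Printable runs, like the Unix strings tool with and without -e l (UTF-16LE)."""
    ascii_ = [m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide = [m.group(0).decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_, wide

def solve(stream_text):
    """Run the whole chain and return what each step produced."""
    result = {"is_jpeg": False, "ascii": [], "unicode": [], "plaintext": []}
    for blob in extract_base64(stream_text):
        if not blob.startswith(b"\xff\xd8\xff"):
            continue                  # not a JPEG (SOI marker missing), ignore
        result["is_jpeg"] = True
        result["ascii"], result["unicode"] = strings(blob)
        for s in result["ascii"] + result["unicode"]:
            # "decimal" that only ever uses 1-5 and has even length is the Polybius tell
            if s.isdigit() and len(s) % 2 == 0 and set(s) <= set("12345"):
                result["plaintext"].append(polybius_decode(s))
    return result

# Constructed JPEG-like payload: SOI + JFIF marker, then a UTF-16LE digit string
# (what strings -e l would show) and the EOI marker. Ciphertext spells "IHACK".
IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 6
         + "2423111325".encode("utf-16-le") + b"\xff\xd9")
STREAM = ("guy1: here comes the pic, base64 as usual\n"
          + base64.b64encode(IMAGE).decode() + "\n"
          + "guy2: got it, thanks\n")

if __name__ == "__main__":
    print(solve(STREAM))
```

The check in solve() is the reasoning step the write-up goes through by hand: a string of digits that never contains 0, 6, 7, 8 or 9 and always has even length is far more likely to be row/column pairs than a decimal encoding, which is worth testing before reaching for Google Translate.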