A list of some hacking resources, mostly Windows oriented

I always see questions on here about good starting resources. So here is a list that I've compiled from my browser bookmarks that I've found helpful in the past, mostly related to old Windows game hacking, so that when I see those questions I can link them back to here.

If any of these links are not acceptable to post here for whatever reason then let me know and I can edit them out to leave the rest.

Tools

• Cheat Engine: it may sound silly, but using Cheat Engine to hack games can teach you a lot of the basic concepts of debugging an executable at a little bit lower level.
• HxD: this is a basic hex editor. You can use it to edit binary files, similar to how you would use a text editor to edit text files. It's split into two columns: a hexadecimal representation and a text representation (which shows what the file would look like interpreted as text.)
  • Some tips: HxD also has a built in memory viewer which you can use to view of memory of a process without needing to attach to it as a debugger, which is quite useful for searching for strings in protected executables that detect when a debugger is attached. You can also use HxD to open very large text files (GB's in size) instantly and without any lag, as long as you don't mind the lack of newlines!
• CFF Explorer: you'll want to become deeply familiar with the Portable Executable (PE) file format used by Windows EXE and DLL files, and CFF Explorer allows you to poke around, view what the headers look like, and edit them. It even includes some more advanced utilities like an Import Adder, to add DLL imports to an executable.
• Ghidra or IDA: I mention both because they fill similar roles. They are static analysis tools which can be used to examine a compiled executable to get some guess of what the original source code sort of looked like, without needing to actually run the executable. Ghidra is free/open source and IDA is an expensive commercial software, each with their own features and tradeoffs. I see Ghidra being used more and more often but IDA is still definitely holding on.
• x64dbg or Ollydbg: again, these are similar tools - x64dbg is meant to be a modern successor of sorts, but some hackers still swear on Ollydbg with plugins to iron out some of the bugs on newer Windows versions. These are dynamic analysis tools: you can actually run the code and step through it as it is running to see what it is doing, what values are in memory, in the CPU registers, and so on. Often times both static and dynamic analysis need to be combined to get a fuller picture and you'll need to learn which one is more useful for figuring out the thing you want to know.
• ScyllaHide: because x64dbg allows you to see what a program is doing in great detail, it is in the best interest of malware creators to prevent you from using it and exposing how their program works. This is the world of "anti-debug" techniques: methods of discreetly detecting if a debugger is running, and either stopping or changing how the program operates if there is in order to hinder your progress. ScyllaHide attempts to make the debugger stealthier, in order to prevent the debugged program from finding out that you are investigating its inner workings.
• Olly Advanced: a classic plugin for Ollydbg that fixes some of its bugs and provides more anti-debugging workarounds. A must have if you use Ollydbg.
• LordPE: a classic executable memory dumper. This is used to turn a currently running process back into an executable file. Why would you want to do this? Well, oftentimes programs will be "packed," meaning that the executable file for them is compressed or encrypted. By running the executable, it will decompress/decrypt itself, and then the process can be dumped in its uncompressed/unencrypted state, allowing you to more easily analyze the code within.
  • Of note: LordPE doesn't work very well on modern Windows versions, since the list of processes caps out at a small number (I think 50,) and it only works for 32-bit processes. I don't know of a better modern alternative though - I've tried some, but haven't found one that is reliable for 64-bit processes. Maybe someone in replies can tell me.
• Scylla or ImpREC: import rebuilders. Much like with x64dbg and Ollydbg, Scylla is the modern, open source implementation, and ImpREC is the original classic. Windows programs use DLL libraries in order to interact with the system. For example, the MessageBoxA function in USER32.DLL allows a program to display the built in Windows message box with an icon and OK/Cancel buttons. Usually, programs have an Import Address Table (or IAT for short) which specifes which imports the program uses. However, a very common trick to make dumping a process (such as with LordPE) difficult is to intentionally forego the Import Table, instead using the GetProcAddress function to populate a "fake IAT." This means that when the process is dumped, the imports will be random pointers into non-existent memory. Scylla and ImpREC are import rebuilders, which search for such a fake IAT and attempt to build a real IAT from them.
• Process Monitor: allows you to see all the files and registry keys being accessed by a process. You can even right click on an entry to view the program's call stack when the file or registry key was accessed. This is great if you want a sort of overview or summary of what the process is doing if you don't know where to begin looking.
• Luke Stackwalker: a profiler that can be used on processes even if you do not have symbols for the executable, to see where the most processing time is being spent.
• Fiddler: allows you to see all HTTP (and HTTPS, with a bit of setup) requests being made by any running program on the current machine, including their headers and contents. Very useful if you want to find out why a program needs to connect online. There is also Wireshark for lower level network stuff (unpopular opinion: it lowkey it kind of sucks and I rarely use it)
• Resource Hacker: for viewing and replacing executable resources. This tool is not generally useful for changing the behaviour of an executable, only aesthetic things like its icon and text strings, but it can still reveal useful information on occasion.

YouTube

• Stephen Chapman: great Cheat Engine tutorials. This is how I got started.
• LiveOverflow: more Linux focused, but nonetheless essential. I watch every new video from this channel.
• Give Academy: tutorials for x64dbg and Ollydbg.
• Guided Hacking: focused on writing code for hacking Windows games.
• Null Byte: exploits, network hacking stuff.
• OALabs: IDA malware reverse engineering and debugger fundamentals, in a livestream format.
• Nathan Baggs: new, smaller channel, retro game hacking.
• John Hammond: mostly focused on reversing obfuscated malware VBScript, JavaScript, Python scripts.

Links

• Tuts4you: https://tuts4you.com/
• Tuts4you Collection 2011: https://forum.tuts4you.com/files/file/1865-tuts-4-you-collection-2011/
• Exetools: https://forum.exetools.com/
• Reversing Technology Network: https://www.rtn-team.cc/
• OpenRCE: http://www.openrce.org/
• ARTeam Downloads: https://web.archive.org/web/20160319173353/http://www.accessroot.com/arteam/site/download.php?list.9
• PE Format: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
• Peering Inside the PE: A Tour of the Win32 Portable Executable File Format: https://learn.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10))
• An In-Depth Look into the Win32 Portable Executable File Format: https://learn.microsoft.com/en-us/archive/msdn-magazine/2002/february/inside-windows-win32-portable-executable-file-format-in-detail
• An In-Depth Look into the Win32 Portable Executable File Format, Part 2: https://docs.microsoft.com/en-us/archive/msdn-magazine/2002/march/inside-windows-an-in-depth-look-into-the-win32-portable-executable-file-format-part-2
• PE.wiki: https://code.google.com/archive/p/corkami/wikis/PE.wiki
• What implications has the low alignment mode of a PE file: https://reverseengineering.stackexchange.com/questions/4457/what-implications-has-the-low-alignment-mode-of-a-pe-file
• Abusing undocumented features to spoof PE section headers: https://secret.club/2023/06/05/spoof-pe-sections.html
• PE Format Poster: http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
• RVA and Import Table: https://web.archive.org/web/20091018065536/http://www.sunshine2k.de/Tuts/tut_rvait.htm
• Iczelion Import Table Tutorial: https://web.archive.org/web/20190722112910/http://win32assembly.programminghorizon.com/pe-tut6.html
• Iczelion Debug API Tutorial: https://web.archive.org/web/20181230093912/http://www.programminghorizon.com/win32assembly/tut28.html
• What triggers RIP_EVENT: https://reverseengineering.stackexchange.com/questions/31965/what-triggers-rip-event/
• A Crash Course on the Depths of Win32 Structured Exception Handling: https://web.archive.org/web/20180115191634/http://www.microsoft.com:80/msj/0197/exception/exception.aspx
• Custom SEH handler with /SAFESEH: https://stackoverflow.com/questions/12019689/custom-seh-handler-with-safeseh/12025795#12025795
• The "Ultimate" Anti-Debugging Reference by Peter Ferrie: https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf
• What Happens Before main(): https://www.bigmessowires.com/2015/10/02/what-happens-before-main/
• Floating Points, PE headers and libcmt.lib: https://www.unknowncheats.me/forum/c-and-c/68525-floating-points-pe-headers-and-libcmt-lib.html
• Enigma Virtual Box: https://enigmaprotector.com/en/aboutvb.html
• How to find simple stuff: https://web.archive.org/web/20111108004750/http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/260952-tutorial-how-find-simple-stuff.html
• Stephen Chapman Cheat Engine Tutorials: https://www.youtube.com/watch?v=XJpNn2GyrNc&list=PLNffuWEygffbbT9Vz-Y1NXQxv2m6mrmHr
• Reversing Wannacry: https://www.youtube.com/watch?v=Sv8yu12y5zM&list=PLniOzp3l9V83Yf52IXJTvW9rjstdqkduP&index=1
• Anti-Debug Tricks: https://anti-debug.checkpoint.com/
• LOLBAS: https://lolbas-project.github.io/
• Delcert: https://forum.xda-developers.com/t/delcert-sign-strip-tool.416175/
• The faker's guide to reading (x86) assembly language: https://www.timdbg.com/posts/fakers-guide-to-assembly/
• x86 Assembly Wikibooks: https://en.wikibooks.org/wiki/X86_Assembly/Print_Version
• Redundancy of x86 Machine Code: https://www.strchr.com/machine_code_redundancy
• Intel x86 JMP Quick Reference: http://unixwiz.net/techtips/x86-jumps.html
• How To Write Your Own Packer by BigBoote: http://www.stonedcoder.org/~kd/lib/61-267-1-PB.pdf
• ActiveMARK on Exetools: https://forum.exetools.com/showthread.php?s=e6c2daf4d87acfae28339dbbc29df9e6&t=7013&page=2
• ActiveMARK on XeNTaX: https://forum.xentax.com/viewtopic.php?p=30424
• Armadillo v3 + Debug Blocker: https://web.archive.org/web/20100329151017/http://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
• Armadillo 3.70 with Import Elimination: https://web.archive.org/web/20220226230917/http://www.reversing.be/article.php?story=20050929211351407
• SafeDiscShim: https://github.com/RibShark/SafeDiscShim
• deroko: http://deroko.phearless.org/ring0.html
• Luigi Auriemma: http://aluigi.altervista.org/
• Virtools Deobfuscator: https://github.com/BearKidsTeam/VirtoolsScriptDeobfuscation
• Themida Unlicense: https://github.com/ergrelet/unlicense
• MagicMida: https://github.com/Hendi48/Magicmida
• C++ STL Types: https://research.openanalysis.net/cpp/stl/types/tooling/2022/11/06/cpp_stl.html
• Introduction to Reversing C++ Binaries: https://flagbot.ch/lesson6.pdf
• Dumping Memory: https://www.unknowncheats.me/forum/c-and-c-/112421-dump-memory-process-fixing-pe-sections.html
• Block Cipher Structures Ranked: https://soatok.blog/2021/01/11/block-cipher-structures-ranked/?amp=1
• Mr. Exodia: https://exetools.live/?p=174

submitted by /u/tomysshadow
[link] [comments]

from hacking: security in practice https://ift.tt/rZV32C0