interrupt is used to stop the execution of a program

2. OllyDbg: a 32-bit assembler-level analysing debugger for Windows. It analyses every program as assembler code, which makes OllyDbg especially useful when a program's source files are not available. It also shows the values of registers, procedures, API function calls, tables, constants, strings, etc. In addition, you can add comments to individual instructions. In general, this is a popular tool and the one most favoured by crackers. OllyDbg is completely free; you can download and use it from http://home.t-online.de/home/Ollydbg

5. PEiD: This is a tool that can identify most common packers and cryptors. It can currently detect more than 600 different signatures in PE files.

Post #1 by hacnho

2. Import REConstructor: This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names. It can also inject into your output executable, a loader which is able to fill the IAT with real pointers to API or a ripped code from the protector/packer (very useful against emulated API in a thunk). (Source: readme)
Vietnamese translation: This is a tool designed to rebuild the imports of a program that has been protected or packed on Win32. It rebuilds an Image Import Descriptor (IID), the Import Array Table (IAT), and all module and function names. It can also inject into your output executable a loader that can fill the IAT with real pointers to API functions or with a piece of code ripped from the protected or packed program.

Post #1 by Merc:

3. HIEW: Basically HIEW is a hex viewer for those who need to change some bytes in the code (usually 7xh to 0EBh).
Hiew can view files of unlimited length in text, hex, and Pentium(R) 4 disassembler mode.
Vietnamese translation: This is a tool for editing programs in hex (i.e. hexadecimal) form in a DOS environment, very useful for those who want to change a few bytes in a program's code.
Features:
- Text/hex mode editor
- Built-in Pentium(R) 4 assembler
- Physical & logical drive view & edit
- Creating new files
- Search and replace in blocks
- Context help (however help file is not necessary for starting HIEW)
- Search for assembler command wildcards
- Keyboard macros
- Built-in 64-bit calculator
Source (readme)

1. CFF Explorer
Quote: This is PE Editor with full support for PE32/64. Special fields description and modification, utilities, rebuilder, hex editor. First PE Editor with support for .NET internal structures. Resource viewer (bitmaps, icons, cursors etc are all dumpable on disk) with support for .NET manifest resources (who are dumpable as well).
Copyright (C) Ntoskrnl (Daniel Pistelli) (source from homepage: http://www.ntcore.com)

2. Hex Workshop
Quote: This is a set of hexadecimal development tools for Windows 9x, NT, 2000, and XP. It combines advanced binary editing with the ease and flexibility of a word processor. With Hex Workshop you can edit, insert, delete, cut, copy, and paste hex, print high quality customizable hex dumps, and export to RTF or HTML for publishing. Additionally, you can goto, find, replace, compare, and calculate checksums within a file.
Copyright (C) BreakPoint Software (source from readme)

3. LordPE
Quote: It is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit, .
Copyright (C) yoda (source from homepage: http://y0da.cjb.net/)

4. PEiD
Quote: PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.
Copyright (C) snaker - Qwerton - Jibz (source from readme)

5. PE Explorer
Quote: This is a multi-purpose PE (portable executable) file editor and binary header analysis tool for Windows developers. It tells you just about every little detail you could possibly want to know about a PE file (exe, dll, ActiveX, and several other executable formats). PE Explorer comes with a Visual Resource Editor, PE Header Viewer, Exported/Imported API Function Viewer, API Function Syntax Lookup, Dependency Scanner and Easy Disassembler.
Copyright (C) Heaventools Software (source from readme)

6. PEQuake
Quote: PEQuake is a win32 executable protector from China. It seems that it's modified from Hying's PE-Armor, has some excellent feature, can encrypt Import, special code and resources. The soft is designed to protect your program, and the protected file will start up with a cool logo.
Copyright (C) fORGAT (source from readme)

7. PE Tools
Quote: Professional utility for the work with PE/PE+(.64bit) by files, that includes: editor PE is file, Task Viewer, optimizer Win32 PE is file, the detector of the compiler / packer and much other.
Copyright (C) NEOx (source from homepage: http://neox.iatp.by/petools.html)

8. Quick Unpack
Quote: The program is intended for fast (in 2 seconds) unpacking simple packers (UPX, ASPack, PE Diminisher, PECompact, PE-PACK, PackMan, WinUPack and many others). Quick Unpack tries to bypass all possible scramblers/obfuscators. From the version 1.0 the opportunity of unpacking dll is added. This opportunity makes Quick Unpack unique software product which has no similar analogues in the world!
Copyright (C) FEUERRADER [AHTeam] (source from readme)

9. Resource Binder
Quote: Program for restoring the section of resources after the removal of packer/protector. Program automatically creates at the end of the file the new section of resources and it completely reconstructs all resources into this section.
Optionally it will be possible to after this reset to zero the old section of resources and optimize the file.
Copyright (C) SetiSoft Team (source from readme)

10. Trial-Reset
Quote: This is an registry cleaning tool. The main function of Trial-Reset is remove the keys generated by commercial and freeware protector. Trial-Reset not crack the program but only extend the Trial Period.
Copyright (C) The Boss and All RSR Team (source from help file)

11- IDA
Quote: IDA is an interactive disassembler. It means that the user takes active participation in the disassembly process. IDA is not an automatic analyser of programs. IDA will hint you of suspicious instructions, unsolved problems etc. It is your job to inform IDA how to proceed. (readme)
Quote: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on the Windows platform. Universally acclaimed as the best disassembler money can buy, IDA Pro has become the de-facto standard for the analysis of hostile code and is quickly establishing itself as a major tool in the field of vulnerability research (hacnho tut :D)

12- ABEL
Quote: ABEL is loader generator tool, that allows you to generate loaders. And ABEL means: Any Build Enabled Loader (readme)

13- Dede
Quote: DeDe is a very fast program that can analyze executables compiled with Delphi 2,3,4,5 and Builder and give you the following:
- All dfm files of the target. You will be able to open and edit them with Delphi.
- All published methods in well commented ASM code with references to strings, imported function calls, classes methods calls, components in the unit, Try-Except and Try-Finally blocks. (By default DeDe retrieves only the published methods sources, but you may also process another procedure in a executable if you know the RVA offset using the Tools|Disassemble Proc menu.)
- A lot of additional information.
- You can create a Delphi project folder with all dfm, pas, dpr files.
Note: pas files contains the mentioned above well commented ASM code. They cannot be recompiled!
You can also:
- View the PE Header of all PE Files and change/edit the sections flags.
- Use the opcode-to-asm tool for translating intel opcode to assembler.
- Use RVA-to-PhysOffset tool for fast converting physical and RVA addresses.
- Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near to pascal code of your DCU files.
- Use BPL(DPL) Dumper to see BPL exports and create symbol files to use with DeDe disassembler.
- Disassemble a target EXE directly from memory in case of a packed exe.
(readme)

14- Resource Hacker
Quote: Resource Hacker is a program has been designed to:
1. View resources in Win32 executable files (*.exe, *.dll, *.cpl, *.ocx) and in Win32 resource files (*.res) in both their compiled and decompiled formats.
2. Extract (save) resources to file in (*.res) format, as a binary, or as decompiled resource scripts or images. Icons, bitmaps, cursors, menus, dialogs, string tables, message tables, accelerators, Borland forms and version info resources can be fully decompiled into their respective formats, whether as image files or *.rc text files.
3. Modify (rename or replace) resources in executables or resource files. Image resources (icons, cursors and bitmaps) can be replaced with an image from a corresponding image file (*.ico, *.cur, *.bmp), a *.res file or even another *.exe file. Dialogs, menus, stringtables, accelerators and messagetable resource scripts (and also Borland forms) can be edited and recompiled using the internal resource script editor. Resources can also be replaced with resources from a *.res file as long as the replacement resource is of the same type and has the same name.
4. Add new resources to executables or resource files. Enable a program to support multiple languages, or add a custom icon or bitmap (company logo etc) to a program’s dialog.
5. Delete resources.
Most compilers add resources into applications which are never used by the application. Removing these unused resources can reduce an application’s size. (readme)

15- .NET Reflector
Quote: Reflector is a class browser for .NET components. It allows browsing and searching the meta data, IL instructions, resources and XML documentation stored in a .NET assembly. (readme)

16- dUP
Quote: dUP (diablo2oo2's Universal Patcher) is a powerful multiple file patchengine (readme)

17- aPE .