Security Basics mailing list archives

RE: Hex editor


From: "Jordan, Jason" <Jordan_Jason () bah com>
Date: Wed, 25 Apr 2007 00:31:40 -0400

Thanks to everyone who responded.  I've downloaded some of the hex
editors suggested, XVI32, HexWorkshop and HHD.  I also downloaded
OllyDbg.  Thanks again for all the great suggestions and I'm sure I'll
have more questions as I get into this.

-----Original Message-----
From: Morgan Reed [mailto:morgan.s.reed () gmail com] 
Sent: Monday, April 23, 2007 7:16 PM
To: dallas jordan
Cc: security-basics () securityfocus com
Subject: Re: Hex editor

On 4/19/07, dallas jordan <dallas.jordan () gmail com> wrote:
> I would like to start trying to do some reverse engineering of
> malware, just for learning purposes, and I'd like to get some opinions
> on a good hex editor.  Preferably freeware and beginner friendly, if
> there is such.  I have looked at a couple, but wasn't sure if one was
> much better than another.  I wanted to get some more experienced
> users' thoughts.  Anyone have any suggestions?  Thanks.

As many others have suggested, you really need a debugger, not a hex
editor (although hex editors do have their place). Personally I use
OllyDbg for my dynamic code analysis; IDA Pro[1] *ROCKS* for static
code analysis (I haven't really explored its dynamic debugging
features, as I have a bunch of scripts and so on which depend on
OllyDbg (OllyScript also rocks) which I use a lot).

Something else you'll want to do is study packers: 98% of all
malware you will find is packed to A) make the code smaller and B)
make analysis a little[2] more difficult. I'd recommend grabbing a few
of the easily available packers out there (UPX is probably a good
start; it is about the simplest packer out there), packing say
notepad.exe with them, and then figuring out how to extract the
original exe from the packed file.

Other useful tools when it comes to malware analysis (particularly
when talking about unpacking) are LordPE Deluxe[3] and Import
Reconstructor (Google them).

[1] IIRC there used to be an evaluation version available which wasn't
excessively crippled.
[2] How much more difficult depends on the packer.
[3] LordPE Deluxe, AFAICT, was originally developed by software
crackers; when you Google it, be careful which sites you go to, as it
pops up in some pretty seedy parts of the web.

Morgan
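Added example, not code from any poster in this thread: a small Python script that reads the PE section table of a file and applies the tells you would look for after packing notepad.exe with UPX as Morgan suggests: the UPX0/UPX1 section names, a section with no raw data on disk but a large virtual size (room reserved for the unpacked image), and high Shannon entropy in the section holding the compressed payload. The two PE images it ships with are constructed in-code rather than real binaries, and the packer section-name list and the 7.0 bits/byte entropy threshold are my assumptions, not something from the thread. Point it at a real file with `python pecheck.py packed.exe`.

```python
"""Heuristic packer check on a PE file: section names, entropy, empty raw sections.

Parses only the DOS header pointer, the COFF header and the section table,
so it works on any PE without a full PE library. The sample images below are
constructed test data standing in for a plain and a UPX-packed notepad.exe.
"""
import hashlib
import math
import struct
import sys

# Assumption: section names left behind by common packers (UPX is the one that matters here).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".MPRESS1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, raw_size, virtual_size, raw_bytes), ...] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name.rstrip(b"\0"), raw_size, vsize, data))
    return sections


def _text(name: bytes) -> str:
    return name.decode("latin-1")


def analyze(pe: bytes) -> dict:
    """Apply the packer tells to one PE image; 'likely_packed' is the verdict."""
    secs = parse_sections(pe)
    report = {
        "sections": [(_text(n), round(shannon_entropy(d), 2)) for n, _rs, _vs, d in secs],
        "packer_names": [_text(n) for n, _rs, _vs, _d in secs if n in PACKER_SECTION_NAMES],
        "high_entropy": [_text(n) for n, _rs, _vs, d in secs if shannon_entropy(d) >= HIGH_ENTROPY],
        # Zero bytes on disk but a large virtual size: space reserved for the unpacked image (UPX0).
        "empty_raw_sections": [_text(n) for n, rs, vs, _d in secs if rs == 0 and vs > 0],
    }
    # A resource section alone can be high entropy (compressed icons), so demand a second tell
    # unless a known packer name gives the game away.
    report["likely_packed"] = bool(report["packer_names"]) or (
        bool(report["high_entropy"]) and bool(report["empty_raw_sections"]))
    return report


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 image (test data only; file alignment is ignored)."""
    e_lfanew, opt_size, raw_start = 0x80, 0xE0, 0x400
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = raw_start + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw), ptr, 0, 0, 0, 0, 0xE0000060)
        body += raw
        va += max(vsize, 0x1000)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_start, b"\0") + body


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for UPX-compressed data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed samples: an unpacked layout and the layout UPX leaves behind.
SAMPLE_PLAIN = build_sample_pe([
    (b".text", 0x800, bytes(range(16)) * 128),       # repeating pattern, entropy exactly 4.0
    (b".data", 0x200, b"\0" * 0x200),
])
SAMPLE_PACKED = build_sample_pe([
    (b"UPX0", 0x10000, b""),                          # no raw data: unpacking destination
    (b"UPX1", 0x1000, pseudo_random_bytes(0x1000)),   # compressed image plus the stub
    (b".rsrc", 0x200, b"\0" * 0x200),
])

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PACKED
    for key, value in analyze(target).items():
        print(f"{key}: {value}")
```

Once you have unpacked your UPX-packed notepad.exe by hand (break after the decompression loop, dump the process, then rebuild the imports with Import Reconstructor), running the dump back through this check is a quick sanity test: the UPX names should be gone from the section table and the former UPX1 region should no longer read as near-random data.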

