If you've ever wondered how a piece of software works on the inside, then you may have come across the term "reverse engineering." Reverse engineering refers to dismantling something and finding out how it works on the inside, and there are popular tools that anyone can use for free on a computer to get started. Tools like Ghidra, Process Hacker, and x64dbg are an excellent way to get started with reverse engineering, but are by no means the entire extent of a reverse engineer's arsenal.
In fact, getting started with reverse engineering may involve nothing more than observing a program and how it behaves in response to various inputs. For example, a program may take three inputs and produce an output that changes depending on them, and working out how the output changes with the input is also part of the reverse engineering process. This is a common way to start with any program, and especially with web servers, where the server itself is out of the researcher's control.
Reverse engineering requires a lot of observation, and as such, it's not suited to everyone. It's possible to learn the basics though, and we'll be going through some of the most popular entry-level tools to see what they do.
Why reverse engineer?
Looking at it in more depth, reverse engineering is often done with a specific goal in mind. For example, many researchers take apart programs and other software to figure out their inner workings in search of malware or other malicious activity. Others may do it to prove or disprove an allegation. For example, when Xiaomi was accused by the Lithuanian Cyber Security Centre of censoring on-device content, I delved into Xiaomi's applications and was able to disprove the allegations and show that it was being used for blocking inappropriate advertising.
Sometimes, though, people reverse engineer for fun, with nothing specific in mind. You can find anything if you go digging, and it's a great way to improve your technical skills. For example, this is one way that upcoming products from companies can be leaked, as people take apart existing applications used for pairing with devices and find references to new and upcoming products inside.
If you want to get to grips with reverse engineering, it's a long road, but it can be a fulfilling and interesting hobby. Here is just a taste of some of the most popular tools currently used today by hobbyists and professionals alike.
Ghidra
Take apart any program
Probably the best free tool in the business, Ghidra is an open-source tool developed by the National Security Agency in the United States. It's essentially a competitor to IDA Pro, a paid tool that does much of what Ghidra does. On the surface it looks simple enough, but using it requires an understanding of computer science concepts and programming. In the screenshot above, you can see the program's assembly being decompiled, alongside C code representing what Ghidra thinks the assembly is doing.
In the above case, Ghidra shows us that the corresponding assembly invokes the string comparison function from the C standard library, comparing the first command-line argument with a local variable. If the argument matches the local variable, the check passes; otherwise, it's the wrong password. You can also view more in-depth information about the program you're reverse engineering, such as a function graph showing how execution moves between its functions.
In the above, you can see a main entry function followed by an if/else block that changes the output. This lets you easily visualize the program you're analyzing and how it works, and search for strings that may be in the program's memory. The program I am analyzing in the above pictures is a basic program found on Crackmes, a website dedicated to helping people pick up reverse engineering skills.
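As an added example (not the Crackmes program or this page's own code), here is C source shaped like the check Ghidra decompiled above: a strcmp of argv[1] against a local password variable, which a decompiler shows in full, beside the same decision made against a digest, so the password literal is no longer present in the binary. The password "s3cr3t", the choice of FNV-1a as the digest and the function names are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The shape of the check described above: the expected password lives in
 * a local variable initialised from a string literal, and argv[1] is
 * compared with strcmp. Both the call and the literal are visible to a
 * decompiler, so the password is recoverable by reading the binary. */
int check_plaintext(const char *attempt)
{
    char expected[] = "s3cr3t";   /* constructed sample password */
    return strcmp(attempt, expected) == 0;
}

/* FNV-1a 32-bit, used only to show the effect of storing a digest instead
 * of the password. It is a fast hash, so a real password check would use
 * a slow, salted password hash; the point here is what the binary reveals. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 16777619u;
    }
    return h;
}

/* Same decision, but the binary now carries only the digest of the
 * constructed password: a decompiler or strings dump shows 0xD90FC3B1,
 * not "s3cr3t". */
int check_hashed(const char *attempt)
{
    const uint32_t expected_digest = 0xD90FC3B1u;  /* fnv1a32("s3cr3t") */
    return fnv1a32(attempt) == expected_digest;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    printf("plaintext check: %s\n", check_plaintext(argv[1]) ? "pass" : "wrong password");
    printf("hashed check:    %s\n", check_hashed(argv[1]) ? "pass" : "wrong password");
    return 0;
}
```

Compile both variants and compare the output of a strings dump on each binary: the first contains the password, the second only the digest.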
If you want to learn more, there are plenty of tutorials online about Ghidra that go well beyond the basics. Poking around in it and stumbling upon features is a great way to learn, but YouTubers like Stacksmashing (formerly Ghidra Ninja) will take you into the depths of reverse engineering with tools like these.
Process Hacker
Access a running program's memory
First and foremost, be careful with Process Hacker. Anti-cheat programs won't like it, and many, such as VAC and FaceIt, will automatically flag it if they detect it accessing a protected game. Process Hacker allows you to view and modify the memory of a running program, including dumping all of the strings currently loaded in the application's memory. This can include URLs, keys, and more. It's a great way to peek into the inner workings of a program, especially as a decompiled version may be obfuscated, making it harder to find what you're looking for.
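As an added example (not Process Hacker's code), this is the heuristic behind a strings dump, run over a constructed byte buffer standing in for a slice of process memory: every run of printable ASCII at or above a minimum length is reported, which is why URLs and keys held in memory show up even when the on-disk binary is obfuscated. The sample bytes, the marker list in looks_sensitive and the function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of a running process's memory: header
 * and padding bytes with a URL (reserved .invalid TLD) and a dummy API key
 * between them, the kind of material a strings dump surfaces. */
static const unsigned char sample_memory[] =
    "\x7f" "ELF" "\x02\x01\x01\x00"
    "https://api.example.invalid/v1/login"
    "\x00\x00\xff\xfe\x90\x90"
    "api_key=EXAMPLE_DUMMY_KEY_0123456789"
    "\x00\x01\x02\x03" "ok" "\x00";

/* Flag runs that look like the URLs and keys the text warns about. */
int looks_sensitive(const char *s, size_t n)
{
    static const char *markers[] = {"http://", "https://", "key=", "token=", "password="};
    for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++) {
        size_t k = strlen(markers[m]);
        for (size_t i = 0; i + k <= n; i++)
            if (memcmp(s + i, markers[m], k) == 0)
                return 1;
    }
    return 0;
}

/* Report every run of printable ASCII at least min_len bytes long (the
 * rule the classic strings tool applies). Returns the number of runs, or
 * only the sensitive-looking ones when only_sensitive is set. */
size_t find_strings(const unsigned char *buf, size_t len, size_t min_len,
                    int only_sensitive)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable) continue;
        if (i - start >= min_len) {
            const char *s = (const char *)buf + start;
            int hot = looks_sensitive(s, i - start);
            if (!only_sensitive || hot) {
                count++;
                printf("%s %.*s\n", hot ? "[sensitive]" : "[string]   ", (int)(i - start), s);
            }
        }
        start = i + 1;  /* a new run can only begin after this byte */
    }
    return count;
}
```

Calling find_strings(sample_memory, sizeof sample_memory, 6, 0) reports the URL and the key but not the three-byte "ELF" or the two-byte "ok", which is the same filtering a minimum-length setting applies in a strings dump.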
On the surface, Process Hacker is quite similar to ProcMon (Process Monitor), a Microsoft tool, but Process Hacker has a few extra options as well. It has a ton of graphs and stats along with extra features like running an application as another user and modifying existing services.
While Process Hacker covers most of what Process Monitor and Process Explorer do, those two have been particularly pervasive in the reverse engineering community, meaning there are scripts and plugins available for them that you can't get with Process Hacker. It's a trade-off, and it depends on what exactly you're looking to do.
x64dbg
Go through a program step by step
x64dbg is the most complicated program here, but it's an essential tool for anyone trying to reverse engineer a program. It allows you to step through a program and see what's happening line by line. You can add what's known as a "breakpoint", a place where the program stops, so that you can pause its execution before something happens. x64dbg is often used for malware analysis, but it can be used for practically any piece of software.
This is a more advanced tool in a reverse engineer's arsenal, but it's comparatively user-friendly next to other tools. It's also open source and one of the best 64-bit debuggers available. Many researchers use it when trying to figure out why a program doesn't work, and Nathan Baggs has demonstrated its use to get the Windows 95 version of SimCity 2000 working on modern versions of Windows. In his video, you can see him combine the power of x64dbg with Ghidra and ProcMon to find the function he needs to start his analysis from.
Start reverse engineering
If you want to get started with reverse engineering, there are so many resources available online for you to check out. Stacksmashing and LiveOverflow are two of my favorites, and Nathan Baggs has been producing excellent content walking through all of the steps he undertakes in researching older games and making them work on newer machines.
Of course, there are other tools too, such as IDA Pro, Frida, CFF Explorer, and so many more. It's a big world out there, and if you have an inquisitive mind that's always looking for more, we highly recommend trying out some smaller problems on Crackmes or taking a look at CTF challenges first to see if it interests you.
