Comments on: thc-Amap – Application Protocol Detection & Fingerprinting

By: Jinesh Doshi

Jinesh Doshi — Mon, 26 May 2008 08:06:13 +0000

Thanks for the update Darknet.

By: Darknet

Darknet — Sat, 24 May 2008 19:19:19 +0000

Yah it hasn’t been updated for a while, but nor have many tools and it’s still very relevant. Like I said a few posts ago I’ll be going through my toolkit and posting those tools I’ve missed out along the way. They will still be useful to many people and excellent as learning tools.

By: Jinesh Doshi

Jinesh Doshi — Sat, 24 May 2008 18:19:58 +0000

@matt and all others,

Guys i am aware that THC-Amap cannot be used for rev-engg this question is not related to the post. I just asked it bcos i believe that some real intelligent people read these posts (i am not counting myself). Thank you so much for your comments. :)

By: macdaddy

macdaddy — Sat, 24 May 2008 12:59:53 +0000

Compiles on Ubuntu Hardy. Though seems like it out dated, as people above have said.

By: matt

matt — Fri, 23 May 2008 21:21:00 +0000

I would have to agree with Tyler that this tool is not next-generation. However, it seems Darknet just forgot to put quotes on what was taken from the Introduction of the THC-Amap Docs (http://freeworld.thc.org/thc-amap/).

This tool seems like it could come in handy at some point. Good idea from the THC group.

@Doshi
If you want to get into RevEng on windows, get yourself a copy of OllyDebug or WinDasm32 and then figure out why I told you to get one of those. Also, this tool can’t really be used for RevEng (unless I am completely missing something). It actually requires Packet Analysis (which, I guess, could probably be confused with RevEng) before even using it. So really, it does what it says…compares signatures with already analyzed network communication, then guesses as to what is running on the server.

By: poweruser

poweruser — Fri, 23 May 2008 19:58:46 +0000

There’s actually an easy to use tool called ResHacker that can be used to deconstruct DLLs to change values. I once used it to remove the ads from Windows Live Messenger, along with some of the phone-home stuff.

By: Bogwitch

Bogwitch — Fri, 23 May 2008 18:09:36 +0000

Jinesh,

THC-Amap cannot be used for reverse engineering at all.

To view the source code of a Windows DLL, you need to download the source code. If the author is not distributing the source code, you cannot view it. You may be able to ascertain the functionality of a DLL by using a debugger, but if you think that THC Amap can be used for ‘reverse engineering’ I doubt you would be proficient in driving a decompilation tool.

By: lol

lol — Fri, 23 May 2008 15:06:01 +0000

Woah time warp

By: Tyler

Tyler — Fri, 23 May 2008 12:49:14 +0000

amap is hardly a “next generation” scanning tool. With a last release two years ago, it is clearly “previous generation”.

By: Jinesh Doshi

Jinesh Doshi — Fri, 23 May 2008 09:55:00 +0000

This can be misused for reverse engineering. Does anyone know how to view and modify source code of a windows dll?