How do you locate your stack variables?
Do you care about what happens on the heap?
Have you ever seen overlapping instructions as part of local wildlife?
What is the strangest memory access scheme?
Did the compiler ever trick you?

This session is for anyone interested in analyzing binaries.

Here are some ideas for discussion ideas:

How to build the next multi-architecture disassembler.
Control flow reconstruction beyond if-then-else.
Is there dataflow beyond register, stack and heap?

Time and Place:

Day 3, 18:30, Meeting Point: Info-Desk
directly after Hacking Tamagotchis
Please call congress-2124 (DECT/GSM) and give me a hint about your attendance/interest.

Notes

Description	Do you stare at bytes? Reconstruct control flow? Recover datastructures? Let us have a chat about tools and methods!
Website(s)
Type	Discussion
Keyword(s)	hardware, software, embedded, hacking, security, safety, coding
Person organizing	Arnew
Language	en - English
	Other session... Privacy@bigdata; DIY ISP Gathering; Geeks & BDSM; Postmodernism, social systems and whistle-blowing; Der Kongress tanzt; … further results;

Hint: Use the "history" function to access older revisions.

Disassemblers & Debuggers

x86 only

Ollydbg http://www.ollydbg.de/

Easy to use
Free
Plugin support [1]

Immunity Debugger https://www.immunityinc.com/products-immdbg.shtml

Based on Ollydbg 1.10
"Cuts exploit development time by 50%"

Syser http://www.sysersoft.com/

Ring0 Debugger
SoftICE successor

GDB for Windows http://www.equation.com/servlet/equation.cmd?fa=gdb

x64

FDBG http://fdbg.x86asm.net/

Supported platforms:
- Windows XP - Windows 8 x64
- Linux x64
- UEFI x64

Nanomite https://github.com/zer0fl4g/Nanomite

Graphical Debugger for x64 and x86 on Windows
Open-Source

x64_dbg https://bitbucket.org/mrexodia/x64_dbg

x64 Windows Debugger
Disassembly powered by BeaEngine [2]

ArkDasm http://www.arkdasm.com/

64-bit interactive disassembler
Supported file types: PE64

VirtDbg https://code.google.com/p/virtdbg/

A kernel debugger based on hardware virtualization features
Currently in alpha stage

BugDbg http://pespin.w.interia.pl/

MDebug http://www.mdebug.org/

Visual DuxDebugger http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview

PEBrowseDbg64 Interactive http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html

Multi-Architecture

IDA Pro https://www.hex-rays.com/products/ida/

Interactive
Programmable

Hopper http://www.hopperapp.com/

Multi-Platform: Windows, Mac OS X, Linux
ARM, x86/x64

radare http://radare.org

Python -> Multi-platform
Reverse Engineering Framework
Debugger support
GUI: Bokken http://inguma.eu/projects/bokken

VDB http://visi.kenshoto.com/viki/Vdb

Cross-platform and Cross-architecture debugger
Uses Vtrace debugging API

Frida https://github.com/frida

Supports x86/x64
Diassembler & Interactive Reverse-Engineering Environment
Binaries: http://ospy.org/frida/

Online Disassembler (ODA) http://www.onlinedisassembler.com/odaweb/

MIPS, ARM, x86/x64

Java

Procyon https://bitbucket.org/mstrobel/procyon

Free GUIs:
- SecureTeam Java Decompiler http://www.secureteam.net/Java-Decompiler.aspx
- Luyten https://github.com/deathmarine/Luyten

Krakatau Bytecode Tools https://github.com/Storyyeller/Krakatau

Open-Source
Java decompiler, assembler, and disassembler
Requires Python 2.7

DJ Java Decompiler http://www.neshkov.com/

Decompiler and Disassembler
Windows-only
Commercial

reJ http://rejava.sourceforge.net/

Graphical tool for manipulation and inspection of .class files.

JSwat https://code.google.com/p/jswat/

Java debugger GUI
Based on NetBeans

Dr. Garbage Tools http://www.drgarbage.com/index.html

Eclipse Plugin Suite
- Bytecode Visualizer
- Sourcecode Visualizer
- Control Flow Graph Factory

JD-GUI http://jd.benow.ca/

Free Decompiler

Fernflower

Free Decompiler
Part of minecraft Mod Coder Pack ( http://mcp.ocean-labs.de/ )

JAD http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)

Free Decompiler
Very old, but works

dirtyJOE http://dirty-joe.com/

Java Overall Editor
Editor and viewer for compiled Java binaries (.class files)

Linux

Affinic Debugger GUI for GDB http://www.affinic.com/?page_id=48

ADG for GDB is available on Linux/Windows/Mac OSX
Commercial

Voltron https://github.com/snarez/voltron

GUI for GDB v6/7 & LLDB
Screenshot: [3]

SchemDbg https://github.com/hexgolems/schem

GUI for GDB
Screenshot: [4]

Evan's Debugger http://codef00.com/projects

Supports x86/x64
Similar to Ollydbg - Screenshot: [5]

UndoDB http://undo-software.com/

"The high-performance reversible debugging tool for Linux"
Commercial
Support for ARM v5/6/7 & Android

Rdis https://github.com/endeav0r/rdis

Disassembler: Save/Load progress to JSON, x86/x64
Interactive control flow graphs
Lua scripting support

LLDB http://lldb.llvm.org/

High-performance debugger
Runs on Linux, FreeBSD, Mac OS X
Supports ELF & Mach-O (x86/x64)

Disassembler Libraries/Frameworks

BeaEngine http://www.beaengine.org/

diStorm https://code.google.com/p/distorm/

winSRDF https://github.com/AmrThabet/winSRDF

Capstone http://www.capstone-engine.org/index.html

Udis86 http://udis86.sourceforge.net/

Decompilers

Retargetable Decompiler http://decompiler.fit.vutbr.cz/index.php

MIPS, ARM, and Intel x86
Online

C4Decompiler http://www.c4decompiler.com

Windows x64 Binaries only

SmartDec decompiler http://decompilation.info/

Username: guest Password: guest for download page: http://decompilation.info/downloads
Windows x86/x64 standalone Binaries + IDA Pro 6.1 Plugin

REC Studio 4 http://www.backerstreet.com/rec/rec.htm

Runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X
Supports PE, ELF, Mach-O binaries (x86/x64)

dotNET / .NET Framework Decompilers

List of .Net Decompilers: https://code.google.com/p/facile-api/wiki/ListOfDotNetDecompilers

Miscellaneous Tools

Apimonitor http://www.rohitab.com/apimonitor

Features: Monitor &Control API Calls, Breakpoints, 64-bit Support

IDA Plugins

IDC Bytecode Disassembler [6]
- An IDA Pro extension for easier (malware) reverse engineering
efl32mod http://deroko.phearless.org/rce.html
- IDA Loader plugin to properly load corrupted ELF files (no Section header,etc.)
IDACompare https://github.com/dzzie/IDACompare
- Find patches and modifications between malware variants
IDA Toolbag [7]
IDAscope [8]

Insight http://www.bttr-software.de/products/insight/

Real-mode DOS debugger

Malwasm https://code.google.com/p/malwasm/

Offline debugger for malware's reverse engineering
Based on Cuckoo Sandbox

pev http://pev.sourceforge.net/

PE file analysis toolkit
Multi-Platform: Linux, Windows, Mac OS X
Features: PE Header view, Disassembler, DEP/ASLR/SEH check

mona.py http://redmine.corelan.be/projects/mona

Exploit Development Swiss Army Knife
Python plugin for WinDBG & ImmunityDebugger
Automatically finds ROP gadgets
Heap Layout Visualization [9]

Binary Manipulation Frameworks

Metasm http://metasm.cr0.org/

x86/x64, MIPS, PPC
"Assembly manipulation suite"
Supported formats: PE/COFF, ELF and Mach-O

Radare http://radare.org/y/

Python -> Multi-platform
Reverse Engineering Framework
Debugger support
GUI: Bokken http://inguma.eu/projects/bokken

Vivisect http://visi.kenshoto.com/viki/Vivisect

Python based static analysis and emulation framework
Supports PE, PE32+, ELF and Mach-O

Binary Analysis Platforms

DECAF https://code.google.com/p/decaf-platform/

Based on QEMU
Supports x86/ARM
Runs on Windows & Linux

BitBlaze http://bitblaze.cs.berkeley.edu/

Fusion of static and dynamic analysis techniques

BAP http://bap.ece.cmu.edu/#home

Converts Disssembly -> Intemediate Language BIL
x86/x64

Deobfuscation/Unpacking

IDA Plugins http://tuts4you.com/download.php?list.77

IDA Deobfuscator 0.76b [10]
IDA Stealth 1.3.3 [11]
Optimice https://code.google.com/p/optimice/
- Features:
  - Dead code removal
  - Pattern based deobfuscations
  - JMP merging

Olly Unpacking Scripts & Plugins

Scripts: http://tuts4you.com/download.php?list.53
- ASPack, Armadillo, Themida. VMProtect, Enigma Protector
VMSweeper http://tuts4you.com/download.php?view.3059
- OllyDbg 1.10 Plugin
- Decompiles functions, virtualized in: Code Virtualizer & VMProtect

Packer/Obfuscator/Protection Detectors

RDG Packer Detector http://www.rdgsoft.8k.com/
Detect it Easy (DiE) http://ntinfo.biz/index.php/detect-it-easy
ExeInfoPE http://exeinfo.atwebpages.com/

Online Tools

Opticode http://opticode.coseinc.com/

Universal deobfuscation
Details (PDF): [12]

dotNET / .NET

de4dot https://bitbucket.org/0xd4d/de4dot

Deobfuscates SmartAssembly, Dotfuscator, .NET Reactor, +16 more
Features a generic unpacker for unknown Obfuscators

iMPROVE .NET Deobfuscator http://sourceforge.net/projects/improvenetdeobf/

Deobfuscator for packers/obfuscators that de4dot can't unpack
E.g.: netshrink, NetZ .NET Packer, RPX

NETDeob https://netdeob0.codeplex.com/

Unpacks additional (uncommon) obfuscators
E.g.: Phoenix Protector, Obfusasm, CodeWall

Generic Standalone/Static Unpackers

QuickUnpack http://qunpack.ahteam.org/

wsunpacker https://code.google.com/p/wsunpacker/

Supports ASPack, ASProtect, NsPack, RLPack, PESpin

VMUnpacker https://www.google.com/search?q=VMUnpacker

Supports ASPack, RLPack, UPack, tElock

fuu - [F]aster [U]niversal [U]npacker https://code.google.com/p/fuu/

Supports FSG, ASPack, nPack

Exidous' Unpackers https://github.com/Exidous/Unpackers

Collection of Compressor and Crypter unpackers
Supports FSG, PECompact, MPRESS

Papers/Articles

Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation http://recon.cx/2008/a/eric_d_lapse/Deobfuscator_RECON2008.ppt

Analyzing Assembler To Eliminate Dead Functions: https://cs.uwaterloo.ca/~ijdavis/deadcode-2012-01-26.pdf

Semantic Code Analysis for Malware Code Deobfuscation http://blog.sei.cmu.edu/post.cfm/semantic-code-analysis-for-malware-code-deobfuscation