Description Do you stare at bytes? Reconstruct control flow? Recover data structures?

Let us have a chat about tools and methods!

Website(s)
Type Discussion
Keyword(s) hardware, software, embedded, hacking, security, safety, coding
Person organizing Arnew
Language en - English

  • How do you locate your stack variables?
  • Do you care about what happens on the heap?
  • Have you ever seen overlapping instructions as part of local wildlife?
  • What is the strangest memory access scheme?
  • Did the compiler ever trick you?

This session is for anyone interested in analyzing binaries.

Here are some ideas for discussion:

  • How to build the next multi-architecture disassembler.
  • Control flow reconstruction beyond if-then-else.
  • Is there dataflow beyond register, stack and heap?

Time and Place:

  • Day 3, 18:30, Meeting Point: Info-Desk
  • directly after Hacking Tamagotchis
  • Please call congress-2124 (DECT/GSM) and give me a hint about your attendance/interest.


Notes


Disassemblers & Debuggers

x86 only

Ollydbg http://www.ollydbg.de/

  • Easy to use
  • Free
  • Plugin support [1]

Immunity Debugger https://www.immunityinc.com/products-immdbg.shtml

  • Based on Ollydbg 1.10
  • "Cuts exploit development time by 50%"

Syser http://www.sysersoft.com/

  • Ring0 Debugger
  • SoftICE successor

GDB for Windows http://www.equation.com/servlet/equation.cmd?fa=gdb


x64

FDBG http://fdbg.x86asm.net/

  • Supported platforms:
    • Windows XP - Windows 8 x64
    • Linux x64
    • UEFI x64

Nanomite https://github.com/zer0fl4g/Nanomite

  • Graphical Debugger for x64 and x86 on Windows
  • Open-Source

x64_dbg https://bitbucket.org/mrexodia/x64_dbg

  • x64 Windows Debugger
  • Disassembly powered by BeaEngine [2]

ArkDasm http://www.arkdasm.com/

  • 64-bit interactive disassembler
  • Supported file types: PE64

VirtDbg https://code.google.com/p/virtdbg/

  • A kernel debugger based on hardware virtualization features
  • Currently in alpha stage

BugDbg http://pespin.w.interia.pl/

MDebug http://www.mdebug.org/

Visual DuxDebugger http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview

PEBrowseDbg64 Interactive http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html


Multi-Architecture

IDA Pro https://www.hex-rays.com/products/ida/

  • Interactive
  • Programmable

Hopper http://www.hopperapp.com/

  • Multi-Platform: Mac OS X, Linux
  • ARM, x86/x64

radare http://radare.org

VDB http://visi.kenshoto.com/viki/Vdb

  • Cross-platform and Cross-architecture debugger
  • Uses Vtrace debugging API

Frida https://github.com/frida

  • Dynamic instrumentation toolkit: inject JavaScript into running native processes

Online Disassembler (ODA) http://www.onlinedisassembler.com/odaweb/

  • MIPS, ARM, x86/x64


Java

Procyon https://bitbucket.org/mstrobel/procyon

Krakatau Bytecode Tools https://github.com/Storyyeller/Krakatau

  • Open-Source
  • Java decompiler, assembler, and disassembler
  • Requires Python 2.7

DJ Java Decompiler http://www.neshkov.com/

  • Decompiler and Disassembler
  • Windows-only
  • Commercial

reJ http://rejava.sourceforge.net/

  • Graphical tool for manipulation and inspection of .class files.

JSwat https://code.google.com/p/jswat/

  • Java debugger GUI
  • Based on NetBeans

Dr. Garbage Tools http://www.drgarbage.com/index.html

  • Eclipse Plugin Suite
    • Bytecode Visualizer
    • Sourcecode Visualizer
    • Control Flow Graph Factory

JD-GUI http://jd.benow.ca/

  • Free Decompiler

Fernflower

  • Analytical Java decompiler

JAD http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)

  • Free Decompiler
  • Very old, but works

dirtyJOE http://dirty-joe.com/

  • Java Overall Editor
  • Editor and viewer for compiled Java binaries (.class files)


Linux

Affinic Debugger GUI for GDB http://www.affinic.com/?page_id=48

  • ADG for GDB is available on Linux/Windows/Mac OSX
  • Commercial

Voltron https://github.com/snarez/voltron

  • GUI for GDB v6/7 & LLDB
  • Screenshot: [3]

SchemDbg https://github.com/hexgolems/schem

  • GUI for GDB
  • Screenshot: [4]

Evan's Debugger http://codef00.com/projects

  • Supports x86/x64
  • Similar to Ollydbg - Screenshot: [5]

UndoDB http://undo-software.com/

  • "The high-performance reversible debugging tool for Linux"
  • Commercial
  • Support for ARM v5/6/7 & Android

Rdis https://github.com/endeav0r/rdis

  • Disassembler: Save/Load progress to JSON, x86/x64
  • Interactive control flow graphs
  • Lua scripting support

LLDB http://lldb.llvm.org/

  • High-performance debugger
  • Runs on Linux, FreeBSD, Mac OS X
  • Supports ELF & Mach-O (x86/x64)


Disassembler Libraries/Frameworks

BeaEngine http://www.beaengine.org/

diStorm https://code.google.com/p/distorm/

winSRDF https://github.com/AmrThabet/winSRDF

Capstone http://www.capstone-engine.org/index.html

Udis86 http://udis86.sourceforge.net/
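The description's questions about overlapping instructions and control-flow reconstruction come down to one decision a disassembler makes over and over: where does the next instruction start? The libraries above give you the decoder; the policy on top of it is yours. The following is an added example, not code from the page or from any tool listed here. It implements the two classic policies, linear sweep and recursive traversal, over a small hand-picked subset of 32-bit x86 opcodes (an assumption made so it runs without any disassembler library) and runs both on a constructed byte string that uses a junk-byte trick, reporting where the two listings disagree and which bytes get decoded twice at different addresses.

```python
"""Linear sweep vs. recursive traversal on a 32-bit x86 byte string.
Added example, not from the page or any listed tool. The decoder covers only a
small opcode subset (an assumption made to keep the example self-contained)."""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REL8_JUMPS = {0xEB: "jmp", 0x74: "je", 0x75: "jne"}


def decode(code, pc):
    """Decode one instruction at offset pc (32-bit mode, no prefixes).
    Returns (length, text, successors); successors are the offsets control can
    reach next, which is what recursive traversal follows.
    Raises ValueError on an unsupported or truncated encoding."""
    if pc >= len(code):
        raise ValueError(f"offset {pc:#x} is past the end of the buffer")
    op = code[pc]
    if op == 0x90:
        return 1, "nop", [pc + 1]
    if op == 0xC3:
        return 1, "ret", []
    if 0x40 <= op <= 0x4F:          # inc/dec r32 (32-bit mode: not REX prefixes)
        mnem = "inc" if op < 0x48 else "dec"
        return 1, f"{mnem} {REGS32[op & 7]}", [pc + 1]
    if op in REL8_JUMPS:            # short jumps: rel8 is relative to the next instruction
        if pc + 2 > len(code):
            raise ValueError(f"truncated instruction at {pc:#x}")
        target = pc + 2 + struct.unpack_from("<b", code, pc + 1)[0]
        succ = [target] if op == 0xEB else [pc + 2, target]
        return 2, f"{REL8_JUMPS[op]} {target:#x}", succ
    if op in (0xE8, 0xE9):          # call/jmp rel32
        if pc + 5 > len(code):
            raise ValueError(f"truncated instruction at {pc:#x}")
        target = (pc + 5 + struct.unpack_from("<i", code, pc + 1)[0]) & 0xFFFFFFFF
        if op == 0xE8:
            return 5, f"call {target:#x}", [pc + 5]   # assumes the callee returns
        return 5, f"jmp {target:#x}", [target]
    if 0xB8 <= op <= 0xBF:          # mov r32, imm32
        if pc + 5 > len(code):
            raise ValueError(f"truncated instruction at {pc:#x}")
        imm = struct.unpack_from("<I", code, pc + 1)[0]
        return 5, f"mov {REGS32[op & 7]}, {imm:#x}", [pc + 5]
    if op in (0x31, 0x33):          # xor r/m32,r32 / xor r32,r/m32; register-direct ModRM only
        if pc + 2 > len(code):
            raise ValueError(f"truncated instruction at {pc:#x}")
        modrm = code[pc + 1]
        if modrm >> 6 != 3:
            raise ValueError(f"memory operands not supported at {pc:#x}")
        reg, rm = REGS32[(modrm >> 3) & 7], REGS32[modrm & 7]
        dst, src = (rm, reg) if op == 0x31 else (reg, rm)
        return 2, f"xor {dst}, {src}", [pc + 2]
    raise ValueError(f"unsupported opcode {op:#04x} at {pc:#x}")


def linear_sweep(code):
    """Decode front to back; stops at the first byte it cannot decode."""
    listing, pc = {}, 0
    while pc < len(code):
        try:
            length, text, _ = decode(code, pc)
        except ValueError as err:
            listing[pc] = f"<{err}>"
            break
        listing[pc] = text
        pc += length
    return listing


def recursive_traversal(code, entry=0):
    """Follow control flow from the entry; bytes never reached are never decoded."""
    listing, work = {}, [entry]
    while work:
        pc = work.pop()
        if pc in listing or not 0 <= pc < len(code):
            continue
        length, text, succ = decode(code, pc)
        listing[pc] = text
        work.extend(succ)
    return listing


def overlapping_pairs(code):
    """(linear offset, recursive offset) pairs of instructions that share bytes
    but start at different addresses: overlapping instructions."""
    def spans(listing):
        return [(pc, pc + decode(code, pc)[0])
                for pc, text in listing.items() if not text.startswith("<")]
    pairs = []
    for a0, a1 in spans(linear_sweep(code)):
        for b0, b1 in spans(recursive_traversal(code)):
            if a0 != b0 and a0 < b1 and b0 < a1:
                pairs.append((a0, b0))
    return sorted(pairs)


# Constructed sample: "jmp short +1" skips a lone 0xE8 junk byte. A linear sweep
# takes that byte as the start of a 5-byte call and swallows the real code.
SAMPLE = bytes.fromhex("eb01" "e8" "31c0" "c3" "9090")

if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(SAMPLE)),
                           ("recursive traversal", recursive_traversal(SAMPLE))):
        print(title)
        for pc in sorted(listing):
            print(f"  {pc:04x}: {listing[pc]}")
    print("overlapping (linear, recursive):", overlapping_pairs(SAMPLE))
```

The linear sweep never sees the xor/ret pair because the junk 0xE8 byte absorbs them as a call displacement; recursive traversal follows the jmp and decodes them, but it in turn trusts that every call returns and only reaches targets it can compute statically (no jump tables, no computed branches), which is why production disassemblers layer heuristics on top of both and why the session's questions do not have one answer.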

Decompilers

Retargetable Decompiler http://decompiler.fit.vutbr.cz/index.php

  • MIPS, ARM, and Intel x86
  • Online

C4Decompiler http://www.c4decompiler.com

  • Windows x64 Binaries only

SmartDec decompiler http://decompilation.info/

REC Studio 4 http://www.backerstreet.com/rec/rec.htm

  • Runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X
  • Supports PE, ELF, Mach-O binaries (x86/x64)


dotNET / .NET Framework Decompilers

List of .Net Decompilers: https://code.google.com/p/facile-api/wiki/ListOfDotNetDecompilers

Miscellaneous Tools

Apimonitor http://www.rohitab.com/apimonitor

  • Features: Monitor & Control API Calls, Breakpoints, 64-bit Support

IDA Plugins

Insight http://www.bttr-software.de/products/insight/

  • Real-mode DOS debugger

Malwasm https://code.google.com/p/malwasm/

  • Offline debugger for malware reverse engineering
  • Based on Cuckoo Sandbox

pev http://pev.sourceforge.net/

  • PE file analysis toolkit
  • Multi-Platform: Linux, Windows, Mac OS X
  • Features: PE Header view, Disassembler, DEP/ASLR/SEH check
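pev's DEP/ASLR/SEH check is a read of a single field, DllCharacteristics in the PE optional header, and the packer detectors listed further down under Deobfuscation/Unpacking usually start from per-section entropy. The following is an added example, not pev's code, that does both in Python over a PE32 image it assembles itself from a minimal, constructed header so it runs offline; the section names, contents and flag choices are made up for the demonstration.

```python
"""Walk a PE header for the DllCharacteristics mitigation flags and score each
section's Shannon entropy as a packer heuristic. Added example, not pev's code;
the PE image is built inline from a constructed header and is not loadable."""
import hashlib
import math
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",   # ASLR opt-in
    0x0100: "NX_COMPAT",      # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return machine, image type, enabled mitigations and per-section entropy."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20                                              # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "entropy": round(shannon_entropy(data), 2)})
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "mitigations": sorted(n for flag, n in DLL_CHARACTERISTICS.items() if dllchars & flag),
        "sections": sections,
    }


def likely_packed(info, threshold=7.0):
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [s["name"] for s in info["sections"] if s["entropy"] > threshold]


def build_pe32(sections, dllchars):
    """Constructed PE32 image holding the given (name, bytes) sections: enough
    header to be parsed, deliberately nothing more."""
    align = 0x200
    hdr_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    first_raw = (hdr_len + align - 1) // align * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    sec_hdrs, body, raw_ptr, va = bytearray(), bytearray(), first_raw, 0x1000
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + bytes(sec_hdrs)
    return headers.ljust(first_raw, b"\0") + bytes(body)


def analyze_sample():
    """Constructed sample: a plain .text next to a high-entropy blob of the kind
    a packer stub decompresses at runtime; ASLR and DEP opted in, no CFG."""
    text = b"\x90" * 500 + b"\xC3" * 12
    packed = b"".join(hashlib.sha256(b"constructed" + i.to_bytes(2, "little")).digest()
                      for i in range(64))
    image = build_pe32([(".text", text), (".pack", packed)], dllchars=0x0040 | 0x0100)
    return parse_pe(image)


if __name__ == "__main__":
    info = analyze_sample()
    print("mitigations:", ", ".join(info["mitigations"]) or "none")
    for s in info["sections"]:
        print(f"  {s['name']:<8} entropy {s['entropy']:.2f}")
    print("likely packed:", likely_packed(info))
```

A missing DYNAMIC_BASE or NX_COMPAT flag is what pev's check reports; note that a binary can still be relocated or run with DEP by system policy, so the flag is the opt-in, not the runtime state. The entropy threshold is a heuristic: large compressed resources or embedded certificates score high without any packer, and a packer that pads its payload with zeros scores lower than you would expect.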

mona.py http://redmine.corelan.be/projects/mona

  • Exploit Development Swiss Army Knife
  • Python plugin for WinDBG & ImmunityDebugger
  • Automatically finds ROP gadgets
  • Heap Layout Visualization [9]

Binary Manipulation Frameworks

Metasm http://metasm.cr0.org/

  • x86/x64, MIPS, PPC
  • "Assembly manipulation suite"
  • Supported formats: PE/COFF, ELF and Mach-O

Radare http://radare.org/y/

Vivisect http://visi.kenshoto.com/viki/Vivisect

  • Python based static analysis and emulation framework
  • Supports PE, PE32+, ELF and Mach-O

Binary Analysis Platforms

DECAF https://code.google.com/p/decaf-platform/

  • Based on QEMU
  • Supports x86/ARM
  • Runs on Windows & Linux

BitBlaze http://bitblaze.cs.berkeley.edu/

  • Fusion of static and dynamic analysis techniques

BAP http://bap.ece.cmu.edu/#home

  • Lifts disassembly into its intermediate language, BIL
  • x86/x64

Deobfuscation/Unpacking

IDA Plugins http://tuts4you.com/download.php?list.77

Olly Unpacking Scripts & Plugins

Packer/Obfuscator/Protection Detectors


Online Tools

Opticode http://opticode.coseinc.com/

  • Universal deobfuscation
  • Details (PDF): [12]


dotNET / .NET

de4dot https://bitbucket.org/0xd4d/de4dot

  • Deobfuscates SmartAssembly, Dotfuscator, .NET Reactor, +16 more
  • Features a generic unpacker for unknown Obfuscators

iMPROVE .NET Deobfuscator http://sourceforge.net/projects/improvenetdeobf/

  • Deobfuscator for packers/obfuscators that de4dot can't unpack
  • E.g.: netshrink, NetZ .NET Packer, RPX

NETDeob https://netdeob0.codeplex.com/

  • Unpacks additional (uncommon) obfuscators
  • E.g.: Phoenix Protector, Obfusasm, CodeWall


Generic Standalone/Static Unpackers

QuickUnpack http://qunpack.ahteam.org/

wsunpacker https://code.google.com/p/wsunpacker/

  • Supports ASPack, ASProtect, NsPack, RLPack, PESpin

VMUnpacker https://www.google.com/search?q=VMUnpacker

  • Supports ASPack, RLPack, UPack, tElock

fuu - [F]aster [U]niversal [U]npacker https://code.google.com/p/fuu/

  • Supports FSG, ASPack, nPack

Exidous' Unpackers https://github.com/Exidous/Unpackers

  • Collection of Compressor and Crypter unpackers
  • Supports FSG, PECompact, MPRESS


Papers/Articles

Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation http://recon.cx/2008/a/eric_d_lapse/Deobfuscator_RECON2008.ppt

Analyzing Assembler To Eliminate Dead Functions: https://cs.uwaterloo.ca/~ijdavis/deadcode-2012-01-26.pdf

Semantic Code Analysis for Malware Code Deobfuscation http://blog.sei.cmu.edu/post.cfm/semantic-code-analysis-for-malware-code-deobfuscation

Cryptography

Aligot https://code.google.com/p/aligot/

  • Cryptographic function identification in obfuscated programs
  • Recon 2012 Presentation [13]

Hash & Crypto Detector V1.4 http://www.woodmann.com/collaborative/tools/index.php/Hash_&_Crypto_Detector

  • HCD detects hash and crypto algorithms in PE files by signature.
  • It can currently detect more than 90 different signatures.
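Both tools above start from the same observation: crypto code drags its constants along, so the first entries of an S-box or a round-constant table are a strong static fingerprint. The following is an added example, not HCD's or Aligot's code, that scans a constructed byte blob for a handful of such constants in both byte orders; the constant values are the standard ones from the respective specifications, while the sample blob and its offsets are made up here.

```python
"""Signature scan for well-known cryptographic constants in a byte blob.
Added example, not code from any listed tool. The sample blob is constructed."""
import struct


def _words(fmt, *values):
    return b"".join(struct.pack(fmt, v) for v in values)


def _both_orders(*words):
    """32-bit constants as they appear in memory on little- and big-endian targets."""
    return {"LE": _words("<I", *words), "BE": _words(">I", *words)}


# Table prefixes: a few leading entries identify the algorithm and are easy to
# confirm by eye in a hex dump once the scanner reports the offset.
KNOWN_CONSTANTS = {
    "AES forward S-box": {"bytes": bytes.fromhex("637c777bf26b6fc5")},
    "SHA-256 K[0..3]": _both_orders(0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5),
    "MD5 T[0..3]": _both_orders(0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee),
    "CRC-32 reflected polynomial": _both_orders(0xEDB88320),
    "CRC-32 lookup table [0..3]": _both_orders(0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
    # Shared by MD4, MD5, SHA-1 and RIPEMD: a hint, not an identification.
    "MD4/MD5/SHA-1/RIPEMD IV word A": _both_orders(0x67452301),
}


def scan(blob):
    """Return sorted (offset, constant name, layout) for every occurrence."""
    hits = []
    for name, variants in KNOWN_CONSTANTS.items():
        for layout, pattern in variants.items():
            pos = blob.find(pattern)
            while pos != -1:
                hits.append((pos, name, layout))
                pos = blob.find(pattern, pos + 1)
    return sorted(hits)


def build_sample():
    """Constructed blob: filler bytes with four constants planted at known offsets
    (SHA-256 K at 86, AES S-box at 188, CRC-32 polynomial at 282, IV word at 372)."""
    filler = bytes(range(0, 256, 3))                          # 86 bytes, matches nothing
    return (filler + KNOWN_CONSTANTS["SHA-256 K[0..3]"]["LE"]
            + filler + KNOWN_CONSTANTS["AES forward S-box"]["bytes"]
            + filler + KNOWN_CONSTANTS["CRC-32 reflected polynomial"]["BE"]
            + filler + KNOWN_CONSTANTS["MD4/MD5/SHA-1/RIPEMD IV word A"]["LE"])


if __name__ == "__main__":
    for offset, name, layout in scan(build_sample()):
        print(f"{offset:#06x}  {name} ({layout})")
```

Two caveats a practitioner should keep in mind: the MD4/MD5/SHA-1 initial state word is shared across several algorithms and also shows up as a generic magic value, so treat it as weak evidence unless a round-constant table confirms it; and obfuscated or protected code often generates its tables at runtime, so nothing is found statically. That second case is what Aligot addresses by identifying loops in an execution trace and comparing their input/output behaviour against reference implementations instead of looking for constants.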

Visualization

Cantor.Dust https://sites.google.com/site/xxcantorxdustxx/

Zynamics BinNavi http://www.zynamics.com/software.html

  • Graph-visualization
  • x86, ARM, PowerPC, and MIPS

Anti-Debugging / Anti-Reversing

Windows Packer/Protector/Obfuscator (Open-Source only)

x86-virtualizer https://code.google.com/p/x86-virtualizer/

  • Simple PE protector (x86) based on VM

Hyperion http://nullsecurity.net/tools/binary.html

  • Runtime Crypter for 32-bit PEs


Frameworks/Tools

AntiRE https://bitbucket.org/fkie_cd_dare/simplifire.antire

  • An Executable Collection of Anti-Reversing Techniques

A.R.F. - Anti-Reversing Framework http://www.anti-reversing.com/

  • C++ Framework providing lots of Anti-Debugging/Anti-Reversing tricks


LINKS

http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools

http://www.tuts4you.com

http://www.reddit.com/r/ReverseEngineering/

http://www.openrce.org

http://www.kernelmode.info/forum/

https://github.com/turnersr/turnersr.github.io/blob/master/technology_review/Technology_Survey.md

  • Excellent collection of Tools/Papers/etc. related to Reverse Engineering
  • We should consider merging our wikis :-)

http://pythonarsenal.erpscan.com/

  • Python Arsenal for Reverse Engineering
  • Great source for RE tools

Summary

We all hope for a multiplatform/multiarchitecture reverse engineering platform!

Thank you for attending! Sorry for not having booked a proper room, will do so next year.