Difference between revisions of "Reverse-Engineering"

From YobiWiki
Revision as of 15:56, 4 October 2013

You'll find a lot of (moderate) reverse-engineering in this wiki but this page aims at providing a list of useful resources.

Books

Resources

Tools

IDA Pro

IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.

Hex-Rays

The most powerful (and most expensive) IDA Pro plugin is the Hex-Rays decompiler

  • x86 and ARM
  • decompiler

Limitations specific to ARM:

  • floating point instructions are not supported
  • VFP/SIMD/Neon/... instructions are not supported
  • functions having an argument that is passed partially in registers and partially on the stack are not supported (e.g. an int64 passed in R3 and on the stack)

Intel PIN tools

  • Official page
  • Windows, Linux, Mac OS X, Android
  • x86-32, x86-64 (only Intel platforms obviously)
  • binary instrumentation

The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another. In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).