Assembly Language for Beginners

7.1.2 Decompilers


There is only one known, publicly available, high-quality decompiler to C code: Hex-Rays:
hex-rays.com/products/decompiler/


Read more about it: 11.8 on page 1006.


7.1.3 Patch comparison/diffing


You may want to use it when comparing the original version of an executable with a patched one, in order
to find what has been patched and why.



  • (Free) zynamics BinDiff^10

  • (Free, open-source) Diaphora^11
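As an added example (not from the book, and not how BinDiff or Diaphora work internally), here is a minimal patch-diffing script over two constructed x86 images: it matches functions by hash and reports the changed byte runs in the ones that differ. It assumes the function table (names and offsets) is already known and that the patch did not shift the layout; real diffing tools match functions by structure so that the matching survives relocation.

```python
import hashlib

# Constructed sample images (not from the book): two tiny x86 "binaries" laid
# out as consecutive function bodies. In the patched image the bounds check in
# check_len is tightened from 0x100 to 0x80 (cmp ecx, imm32); helper is untouched.
ORIG = bytes.fromhex(
    "55 8b ec 8b 4d 08 81 f9 00 01 00 00 77 03 33 c0 5d c3 b8 01 00 00 00 5d c3 "
    "55 8b ec 8b 45 08 40 5d c3"
)
PATCHED = bytes.fromhex(
    "55 8b ec 8b 4d 08 81 f9 80 00 00 00 77 03 33 c0 5d c3 b8 01 00 00 00 5d c3 "
    "55 8b ec 8b 45 08 40 5d c3"
)
# Function table as a disassembler or symbol table would give it: (name, start, end).
TABLE = [("check_len", 0, 25), ("helper", 25, 34)]


def changed_ranges(a, b):
    """Byte-level diff of two function bodies: list of (offset, length) runs
    that differ, including a trailing run when the bodies differ in length."""
    runs, start = [], None
    for i in range(max(len(a), len(b))):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, max(len(a), len(b)) - start))
    return runs


def diff_functions(orig, patched, table):
    """Compare the two images function by function. Unchanged functions are
    matched cheaply by hash; only the changed ones get the byte-level diff.
    Returns {name: [(offset_in_function, length), ...]} for changed functions."""
    report = {}
    for name, start, end in table:
        fa, fb = orig[start:end], patched[start:end]
        if hashlib.sha256(fa).digest() == hashlib.sha256(fb).digest():
            continue  # identical body, nothing to inspect here
        report[name] = changed_ranges(fa, fb)
    return report


if __name__ == "__main__":
    for name, runs in diff_functions(ORIG, PATCHED, TABLE).items():
        for off, length in runs:
            print(f"{name}+{off:#x}: {length} byte(s) changed")
```

The changed run lands on the immediate of the `cmp`, which is exactly the kind of location you then open in the disassembler to answer the "why" of the patch.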


7.2 Live analysis


Tools you use on a live system or while a process is running.


7.2.1 Debuggers



  • (Free) OllyDbg. Very popular user-mode win32 debugger^12. Hot-keys cheatsheet: .6.2 on page 1044

  • (Free, open-source) GDB. Not a very popular debugger among reverse engineers, because it is
    intended mostly for programmers. Some commands: .6.5 on page 1045. There is a visual interface for
    GDB, “GDB dashboard”^13.

  • (Free, open-source) LLDB^14.

  • WinDbg^15: kernel debugger for Windows.

  • IDA has an internal debugger.

  • (Free, open-source) Radare AKA rada.re AKA r2^16. A GUI also exists: ragui^17.

  • (Free, open-source) tracer. The author often uses tracer^18 instead of a debugger.


The author of these lines stopped using a debugger eventually, since all he needs from it is to spot
function arguments while executing, or the state of the registers at some point. Loading a debugger each time
is too much, so a small utility called tracer was born. It works from the command line, allows intercepting
function execution, setting breakpoints at arbitrary places, reading and changing the state of the registers, etc.

N.B.: the tracer isn't evolving, because it was developed as a demonstration tool for this book, not
as an everyday tool.

7.2.2 Library calls tracing


ltrace^19.


(^10) https://www.zynamics.com/software.html
(^11) https://github.com/joxeankoret/diaphora
(^12) ollydbg.de
(^13) https://github.com/cyrus-and/gdb-dashboard
(^14) http://lldb.llvm.org/
(^15) https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit
(^16) http://rada.re/r/
(^17) http://radare.org/ragui/
(^18) yurichev.com
(^19) http://www.ltrace.org/
