7.1.2 Decompilers
There is only one publicly available, high-quality decompiler to C code known to the author: Hex-Rays:
hex-rays.com/products/decompiler/
Read more about it: 11.8 on page 1006.
7.1.3 Patch comparison/diffing
Use these when comparing the original version of an executable with a patched one, in order to find out
what has been patched and why.
- (Free)zynamics BinDiff^10
- (Free, open-source)Diaphora^11
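The tools above work at the function and basic-block level, which is what you want when the patch shifts code around. When the patch is an in-place binary patch (the same file with a few bytes overwritten, as in a typical crack or hotfix), a plain byte-level comparison already tells you where to point the disassembler. The following is an added example, not code from the book or from either tool: it diffs two byte strings and coalesces nearby differences into one hunk, so a patched `je` plus a patched immediate a few bytes later show up as one range. The sample bytes (a constructed x86-64 fragment with a `je` turned into a `jmp` and an immediate zeroed) and the `gap` parameter are this example's own.

```python
"""Crude byte-level patch diff: report the offsets where two builds of a binary differ.

This only makes sense when the patched file is the same size and layout as the
original (bytes overwritten in place). If the patch inserted or removed code,
everything after that point differs, and a function-matching tool such as
BinDiff or Diaphora is the right approach instead.
"""
import sys


def diff_ranges(orig: bytes, patched: bytes, gap: int = 4):
    """Return a list of (offset, length) ranges where the inputs differ.

    Differing bytes that are at most `gap` bytes apart are merged into a single
    range, so one patched instruction sequence is reported as one hunk rather
    than as scattered single bytes. If the lengths differ, the tail of the
    longer input is reported as a final range.
    """
    n = min(len(orig), len(patched))
    ranges = []
    start = last = None
    for i in range(n):
        if orig[i] != patched[i]:
            if start is None:
                start = i
            elif i - last > gap:
                # Too far from the previous difference: close the current hunk.
                ranges.append((start, last - start + 1))
                start = i
            last = i
    if start is not None:
        ranges.append((start, last - start + 1))
    if len(orig) != len(patched):
        ranges.append((n, max(len(orig), len(patched)) - n))
    return ranges


def report(orig: bytes, patched: bytes, ranges):
    """Render each hunk as 'offset +len: old bytes -> new bytes' in hex."""
    lines = []
    for off, length in ranges:
        a = orig[off:off + length].hex(" ") or "-"
        b = patched[off:off + length].hex(" ") or "-"
        lines.append(f"{off:#010x} +{length}: {a} -> {b}")
    return lines


# Constructed sample: a function epilogue where a license check result is tested.
ORIG = bytes.fromhex(
    "554889e5"      # push rbp; mov rbp, rsp
    "e800000000"    # call check_license (rel32 left as a placeholder)
    "85c0"          # test eax, eax
    "7405"          # je +5          (skip the "mov eax, 1" if the check failed)
    "b801000000"    # mov eax, 1
    "c9c3"          # leave; ret
)
# Constructed "patched" build: je -> jmp (always skip), and the immediate zeroed.
PATCHED = bytes.fromhex(
    "554889e5"
    "e800000000"
    "85c0"
    "eb05"          # jmp +5
    "b800000000"    # mov eax, 0
    "c9c3"
)


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            orig = f.read()
        with open(argv[2], "rb") as f:
            patched = f.read()
    else:
        orig, patched = ORIG, PATCHED  # fall back to the embedded sample
    if len(orig) != len(patched):
        print(f"warning: sizes differ ({len(orig)} vs {len(patched)}); "
              "offsets after an insertion will not line up", file=sys.stderr)
    for line in report(orig, patched, diff_ranges(orig, patched)):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 bytediff.py original.exe patched.exe`; each reported offset is a file offset, so subtract the section's file offset and add its virtual address before jumping to it in IDA or radare2. With the default `gap` the two changes in the sample land in one hunk at 0x0b; with `gap=0` they are reported separately.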
7.2 Live analysis
Tools used on a live system or while a process is running.
7.2.1 Debuggers
- (Free) OllyDbg. Very popular user-mode win32 debugger^12. Hot-keys cheatsheet: .6.2 on page 1044.
- (Free, open-source) GDB. Not a very popular debugger among reverse engineers, because it is intended mostly for programmers. Some commands: .6.5 on page 1045. There is a visual interface for GDB, “GDB dashboard”^13.
- (Free, open-source) LLDB^14.
- WinDbg^15: kernel debugger for Windows.
- IDA has an internal debugger.
- (Free, open-source) Radare AKA rada.re AKA r2^16. A GUI also exists: ragui^17.
- (Free, open-source) tracer. The author often uses tracer^18 instead of a debugger.
The author of these lines eventually stopped using a debugger, since all he needs from it is to spot
function arguments during execution, or the state of the registers at some point. Loading a debugger
each time is too much, so a small utility called tracer was born. It works from the command line and
allows intercepting function execution, setting breakpoints at arbitrary places, reading and changing
the register state, etc.
N.B.: tracer is not evolving, because it was developed as a demonstration tool for this book, not as
an everyday tool.
7.2.2 Library calls tracing
ltrace^19.
(^10) https://www.zynamics.com/software.html
(^11) https://github.com/joxeankoret/diaphora
(^12) ollydbg.de
(^13) https://github.com/cyrus-and/gdb-dashboard
(^14) http://lldb.llvm.org/
(^15) https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit
(^16) http://rada.re/r/
(^17) http://radare.org/ragui/
(^18) yurichev.com
(^19) http://www.ltrace.org/