Reversing : The Hacker's Guide to Reverse Engineering

Debuggers allow users to trace through a program while it is running (this is also known as single-stepping). Tracing means the program executes one line of code and then freezes, allowing the user to observe or even alter the program’s state. The user can then execute the next line and repeat the process. This allows developers to view the exact flow of a program at a pace more appropriate for human comprehension, which is about a billion times slower than the pace the program usually runs in.

By installing breakpoints and tracing through programs, developers can watch a program closely as it executes a problematic section of code and try to determine the source of the problem. Because developers have access to the source code of their program, debuggers present the program in source-code form, and allow developers to set breakpoints and trace through source lines, even though the debugger is actually working with the machine code underneath.

For a reverser, the debugger is almost as important as it is to a software developer, but for slightly different reasons. First and foremost, reversers use debuggers in disassembly mode. In disassembly mode, a debugger uses a built-in disassembler to disassemble object code on the fly. Reversers can step through the disassembled code and essentially “watch” the CPU as it’s running the program one instruction at a time. Just as with the source-level debugging performed by software developers, reversers can install breakpoints in locations of interest in the disassembled code and then examine the state of the program. For some reversing tasks, the only thing you are going to need is a good debugger with good built-in disassembly capabilities. Being able to step through the code and watch as it is executed is really an invaluable element in the reversing process.
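As an added example (not from the book), here is a minimal Linux x86-64 tracer in C, built on the ptrace API, that does at machine level what the text describes: it installs a software breakpoint (the one-byte int3 instruction) on a constructed routine in a forked child, waits for the breakpoint to fire, restores the original byte and rewinds the instruction pointer, then single-steps a few instructions and prints the instruction pointer at each stop. The `target` routine and `trace_target` function are assumptions made up for the illustration.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed tracee routine: the child runs it, the tracer breaks on it. */
__attribute__((noinline)) static void target(void) { __asm__ volatile("nop; nop; nop"); }
static void bail(pid_t pid) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
/* Installs an int3 breakpoint on target() in a forked child, waits for it to fire,
 * restores the byte, then single-steps four instructions. Returns steps or -1. */
int trace_target(void) {
    pid_t pid = fork();
    if (pid == 0) {                                   /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
        raise(SIGSTOP);                               /* wait for the tracer to patch */
        target();
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    if (!WIFSTOPPED(status)) return -1;              /* ptrace unavailable here */
    uintptr_t addr = (uintptr_t)target;              /* same address in child: fork, no exec */
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    long patched = (orig & ~0xffL) | 0xcc;           /* overwrite first byte with int3 */
    ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched);
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    struct user_regs_struct regs;
    ptrace(PTRACE_GETREGS, pid, NULL, &regs);
    /* After int3 executes, RIP points one byte past the patched location. */
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP || regs.rip != addr + 1) {
        bail(pid); return -1;
    }
    ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)orig);  /* put the real byte back */
    regs.rip = addr;                                  /* rewind so the real instruction runs */
    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
    int steps = 0;
    for (int i = 0; i < 4; i++) {                     /* trace: one instruction per stop */
        ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL);
        waitpid(pid, &status, 0);
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) break;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        printf("step %d: rip=%#llx\n", ++steps, (unsigned long long)regs.rip);
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);             /* let the child run to exit */
    waitpid(pid, &status, 0);
    return steps;
}
```

A source-level debugger does the same byte patching and register rewinding; it only maps the addresses back to source lines for display.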

Decompilers


Decompilers are the next step up from disassemblers. A decompiler takes an executable binary file and attempts to produce readable high-level language code from it. The idea is to try to reverse the compilation process, to obtain the original source file or something similar to it. On the vast majority of platforms, actual recovery of the original source code isn’t really possible. There are significant elements in most high-level languages that are just omitted during the compilation process and are impossible to recover. Still, decompilers are powerful tools that in some situations and environments can reconstruct highly readable source code from a program binary. Chapter 13 discusses the process of decompilation and its limitations, and demonstrates just how effective it can be.

16 Chapter 1
