Disassembler

1. Radare2 r2 cutter
2. Interactive Disassembler IDA
3. WinDebug
4. ninja
5. OllDbg 32bit

Reverse engineer needs the right disassembler.

Disassembler can generate assembly language source code from machine-executable code.

1 Radare2 r2 cutter

Radare2 is new portable set of libraries and tools to work with binary files. Started as a forensics tool, a CLI hexa editor able to open disk files; Later add support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc.

cutter is GUI for radare2.

1.1 installation and package management

### Install or update r2
sys/install.sh
# sys/user.sh
### Remove r2
make uninstall
make purge
make system-purge
### Package
r2pm init
r2pm update
r2pm install [pkg name]
### Language bindings
r2pm install lang-python3
r2pm install r2api-python
r2pm install r2pipe-py

1.2 assembly language

x86 assembly cheatsheet x86 assembly guide x86 assembly wiki instruction list

1.3 Approaches of Reverse-Engineering

reverse analyzing

modify executable files

1
2
3

r2 -w crackme0x00
### If file aleady opened
eval cfg.write=true

vulnerabilities

scanf, strcpy – stack buffer overflow – exploit¹^,²

fuzzy

afl, libFuzzer

1.4 Demo

crackme files link

radare2 startup³
crackme⁴^,⁵

1.5 Usage

binary info extrator

rabin2 -S crackme0x00
r2 crackme0x00
### ? without blank after command display help
## seek addr/func/var
s section..comment
ps 128

analyse all and print disassembled functions

r2 crackme0x00
aa
pdf
pdf@sym.main

Visual View of program

VV
p/P toggle graph mode
: r2 commands
! for debug

Forms of variables

### all forms of var
? 0x149a
### var type
ps @ addr
px size @ addr/func

Project for reverse-engineer

P
Po ioli00
Ps ioli00
s main
afv
afvn input local_4h
afv- local_4h_2

1.6 Utils

rasm2 disassembling

1
2
3

rasm2 -a x86 -b 32 -d "0x740e"
### Reverse
rasm2 -a x86 -b 32 "jmp 0x10"

rax2 x

1
2
3

### rax2 s hexstr to raw
rax2 -s 414243
rax2 0x149a

rabin2 binary

1
2
3

rabin2 -z crackme0x00
rabin2 -I crackme0x00
rabin2 -l crackme0x00

rahash2 hash

1	rahash2 -a md5 -s string

2 Interactive Disassembler IDA

Latest full version of IDA Pro is commercial, while an earlier and less capable version is available for download and free⁶.

3 WinDebug

Microsoft's bebugger.

4 ninja

5 OllDbg 32bit

A 32-bit assembler level analysing debugger for windows, latest version 2.0.1h updated at [2013-09-27 Fri]. 64-bit OllyDbg 64 is promised and updated at [2014-02-05 Wed].

Footnotes:

https://www.jianshu.com/p/58d03dd3680a

https://www.cnblogs.com/pannengzhi/p/exploit-the-stack.html

https://www.cnblogs.com/pannengzhi/p/play-with-radare2.html

⁴

https://www.cnblogs.com/pannengzhi/p/2018-02-11-ioli-crackme1-5.html

⁵

https://www.cnblogs.com/pannengzhi/p/2018-03-10-ioli-crackme6-9.html

⁶

http://www.hex-rays.com/idapro/idadownfreeware.html

Table of Contents