This is my latest papers, related to Revesing in Linux. This is brief description of tools and utilities which can be used to apply Reversing with Linux.
Radare is name of a Reverse Engineering Framework with full-featured tools, libraries which aims to create a completely reverse engineering environment for Reversers at any platform. I saw many members of MMD research group was using stuffs in this framework. and they’re really powerful. I think that in future, radare will be the most commonly used toolkit in Reverse Engineering.
Homepage: http://www.radare.org/
Features: Multi-architecture and multi-platform
GNU/Linux, Android, *BSD, OSX, iPhoneOS, Windows{32,64} and Solaris
i8080, 8051, x86{16,32,64}, avr, arc{4,compact}, arm{thumb,neon,aarch64}, c55x+, dalvik, ebc, gb, java, sparc, mips, nios2, powerpc, whitespace, brainfuck, malbolge, z80, psosvm, m68k, msil, sh, snes, gb, dcpu16, csr, arc
pe{32,64}, te, [fat]mach0{32,64}, elf{32,64}, bios/uefi, dex and java classes Highly scriptable
Vala, Go, Python, Guile, Ruby, Perl, Lua, Java, JavaScript, sh, ..
batch mode and native plugins with full internal API access
native scripting based in mnemonic commands and macros Hexadecimal editor
64bit offset support with virtual addressing and section maps
Assemble and disassemble from/to many architectures
colorizes opcodes, bytes and debug register changes
print data in various formats (int, float, disasm, timestamp, ..)
search multiple patterns or keywords with binary mask support
checksumming and data analysis of byte blocks IO is wrapped
support Files, disks, processes and streams
virtual addressing with sections and multiple file mapping
handles gdb:// and rap:// remote protocols
Filesystems support
allows to mount ext2, vfat, ntfs, and many others
support partition types (gpt, msdos, ..) Debugger support
gdb remote and brainfuck debugger support
software and hardware breakpoints
tracing and logging facilities
Diffing between two functions or binaries
graphviz friendly code analysis graphs
colorize nodes and edges
Code analysis at opcode, basicblock, function levels
embedded simple virtual machine to emulate code
keep track of code and data references
function calls and syscall decompilation
function description, comments and library signatures
And more…
This is my small tool coded in Free Pascal/Lazarus for Linux Platform, that i’ve made a demonstration video before, you can view it here. I planned to make it public long time ago, but due to some issues in code makes it become non-stable. Nothing special, just some dummy lines of code, and now i fixed (a bit) about memory consumption when displaying the result in memobox. Changed from TMemo to TSynMemo and added a timer to avoid the delay. Take a look at this screenshot:
Click on the picture to view full image
I captured that picture on my Arch KDE desktop, and the project was built using Qt (Created by Lazarus-qt version0. In order to make it working properly, we MUST HAVE binutils installed (which contains objdump – the most important tool)
The source code is a archive of whole my Lazarus Project. Just download the archive, extract and open project in Lazarus, and then compile it. It’s ready to use :). And if you don’t know how to use, just watch my demonstration video (link above).
This is an old decompiler, but great one, created by yck1509 (aka Ki, author of Confuser and ConfuserEx). This one was released in couple of years before, and i was lost the download link. But right now i can find a working link to download, so I posted it here. The most interesting features of this decompiler comes from the ability to display all the metadata streams in main window and it has a built-in hex editor. Moreover, it can displays MSIL opcode directly in decompile window (if you use IL mode). Look the picture below:
The idea is simple. This small tool adds an entry named “de4dotShell” to context menus of .exe and dll files. From there you can interact with de4dot easily. It also has textboxes to input specific parameters to control de4dot’s works as you want.
To use it, first copy the de4dotShell.exe to de4dot’s root folder (which contains de4dot.exe), and then run de4dotShell.exe, check the box “Register Shell Extension” and voila!
Thanks for Yashar Mahmoudnia for his great idea about de4dotUI. Let make this de4dotShell as a modification of de4dotUI, so nothing special, feel free to use it and all credits go to Yashar Mahmoudnia.
Detect it Easy (aka DiE) is a packer indentifier like PEiD or exeinfoPE. Good sign is, now it supports Windows, Linux and MacOS.
Here is the picture captured from my running Linux:
Working smoothly and many more features are waiting for you to discover.
Sorry I’m testing it so i can not write a review article now, hope that i can write soon :).
For more Information and downlaod link, please go here:
FileInsight is a free hex editor from McAfee Labs that runs on Microsoft Windows. As expected, it can perform standard hex editor duties, such as viewing and editing file contents in a hex form, but it also does more than that.
FileInsight is able to parse the structure of compiled Windows executables (PE files) and binary Microsoft Office (OLE) documents.Furthermore, the tool has a built-in x86 disassembler: simply point the cursor at the area of the file you want to treat as code, and the tools will show you the corresponding assembly instructions. The disassembler is especially helpful when looking at shellcode embedded in malicious files.
FileInsightincludes numerous other analyst-friendly features, such as the ability to import data structure declarations, HTML syntax highlighting, and tools for decoding various data obfuscation methods (xor, add, shift, Base64, etc.).FileInsight also allows you to automate actions using JavaScript and Python. Nick Harbour wrote several Python plugins for FileInsight, which you candownload from his website.
The tool’s biggest weakness is, perhaps, its inability to open very large files. For instance, when attempting to load a 512MB file, FileInsight produced a “Failed to open document” error. Also, FileInsight does not support searching for Unicode-encoded strings that look like ASCII strings.
This is another tool to help you Decompile .NET assembly ( same as .NET Reflector, but it’s free), named JustDecompile. It’s developed by Telerik (A commercial Company), so it’s well developed and very stable. This tool is not new, but I think this is a good replacement of .NET Reflector. Just download, install it and enjoy! 🙂
Let’s see what Softpedia said:
JustDecompile description
Decompile your applications with ease
JustDecompile is a productivity tool for developers designed to enable easy .NET assembly decompiling and browsing.
JustDecompile builds on years of experience in code analysis and development productivity originally created for JustCode, Telerik’s Visual Studio productivity add-in. JustDecompile lets you effortlessly explore and analyze compiled .NET assemblies, decompiling code with the simple click of a button.
Here are some key features of “JustDecompile”:
Innovative Code Navigation and Analysis:
Telerik JustDecompile offers the industry’s leading code search and navigation features enabling you to quickly locate and navigate to different parts of your code. All loaded assemblies can be effortlessly browsed by type, method or member, results appear on-the-fly as you type and can be navigated effortlessly. JustDecompile also benefits from one-click load of all system libraries for each framework and trim. Developers can also create their own custom assembly lists and load them at the click of a button.
Side-by-side Assembly Loading:
Telerik’s stand-alone free decompiling tool allows the concurrent load of a broad range of .NET framework version systems (1.1, 2.0….4.0, Silverlight and Compact Framework). This capability enables references to be resolved correctly, results in the seamless navigation through any given framework version system library, and eliminates the need for jumping across version boundaries.
Better Decompiling Accuracy:
Not all decompiling is created equal. JustDecompile goes beyond existing decompiling tools by better decompiling language features like lambda expressions, generics, yield statements, and auto-generated properties. Decompiling speed and accuracy will continue to improve during the BETA.
Powerful Free Tool by a Leading Commercial Vendor:
Unlike Open Source alternatives, Telerik JustDecompile benefits from a dedicated development team, which is focused on continuously improving the product in line with your feedback. Telerik is recognized as one of the leading providers of .NET development tools and JustDecompile will benefit from our years of experience in the field.
Auto-updating and Regular Updates:
JustDecompile is evolving quickly. Thankfully, from day one JustDecompile ships with built-in support for auto-updating when new versions are available. JustDecompile will be updated frequently during the BETA, and will receive 3 major updates per year. Stop settling for stale tools, and always work with JustDecompile, a decompiling tool that is evolving and has the latest and greatest features.
Professional Support:
Getting started and resolving any issues that you might face is easy with Telerik’s Forums. In addition to tips and tricks by one of the largest and most passionate .NET communities out there, you will benefit from professional support by the very same developers who created JustDecompile. They frequent the forums to ensure no question is left unanswered and no issue left unaddressed.
This is handy tool for who want to keygenning. I have to say that it’s a complete suite for keygenner with many fomula, calculator added. also included crypto/hash generator.
It’s great tool. All credits goes to Mr.Paradox (AT4RE team).
Thank for mr.Paradox for this amazing tool.
AT4RE Homepage:
About Keygenner Assistant( quote from author):
Keygener Assistant is a good tool that combines several functions
to facilitate the task and save time during the analysis of an algorithm
What’s New in version v 2.0
—————————————-
– Added BigFloat Calculator
– Update BigNumber Calculator
– Update Convertor,
– Added Instant Base Convertor between(2,10,16,32,64,256)
– Added more Encryption :
2DDES
2DES
3DDES
3TDES
3Way
GOST
NewDES
Q128
SAFER
Sapphire
SCOP
Shark
Square
– Added ActiveProcess in System Tab
– All Bugs reported are Fixed
– Added File Encrypt Possibility
– Update Skins
—–
Image:
Link download( nothing better than direct link from theis official site, right?): DIRECT DOWNLOAD LINK
Levis's Little Blog about Reverse Code Engineering (RCE) 