Tag: Tools

Radare – A Modern Reverse Engineering Framework

Radare is the name of a reverse engineering framework of full-featured tools and libraries that aims to provide a complete reverse engineering environment for reversers on any platform. I saw many members of the MMD research group using tools from this framework, and they are really powerful. I think that in the future radare will be the most commonly used toolkit in reverse engineering.

Homepage: http://www.radare.org/

Features:
- Multi-architecture and multi-platform
  - GNU/Linux, Android, *BSD, OSX, iPhoneOS, Windows{32,64} and Solaris
  - i8080, 8051, x86{16,32,64}, avr, arc{4,compact}, arm{thumb,neon,aarch64}, c55x+, dalvik, ebc, gb, java, sparc, mips, nios2, powerpc, whitespace, brainfuck, malbolge, z80, psosvm, m68k, msil, sh, snes, gb, dcpu16, csr, arc
  - pe{32,64}, te, [fat]mach0{32,64}, elf{32,64}, bios/uefi, dex and java classes
- Highly scriptable
  - Vala, Go, Python, Guile, Ruby, Perl, Lua, Java, JavaScript, sh, ..
  - batch mode and native plugins with full internal API access
  - native scripting based on mnemonic commands and macros
- Hexadecimal editor
  - 64-bit offset support with virtual addressing and section maps
  - assemble and disassemble from/to many architectures
  - colorizes opcodes, bytes and debug register changes
  - prints data in various formats (int, float, disasm, timestamp, ..)
  - searches multiple patterns or keywords with binary mask support
  - checksumming and data analysis of byte blocks
- Wrapped IO
  - supports files, disks, processes and streams
  - virtual addressing with sections and multiple file mapping
  - handles gdb:// and rap:// remote protocols
- Filesystem support
  - can mount ext2, vfat, ntfs and many others
  - supports partition types (gpt, msdos, ..)
- Debugger support
  - gdb remote and brainfuck debugger support
  - software and hardware breakpoints
  - tracing and logging facilities
- Diffing between two functions or binaries
  - graphviz-friendly code analysis graphs
  - colorizes nodes and edges
- Code analysis at opcode, basic block and function levels
  - embedded simple virtual machine to emulate code
  - keeps track of code and data references
  - function call and syscall decompilation
  - function descriptions, comments and library signatures
- And more…

Download:
- Binaries (compiled packages): Binary packages for various platforms download page (No ads)
- Source code: Source code download section (No ads)
- Documentation: Documentation from the official website (No ads)

Screenshot of radare2 (r2 disassembler) running on Linux:

Linux Patching Helper – Source Code download

Hello all mates,

This is my small tool, coded in Free Pascal/Lazarus for the Linux platform, for which I made a demonstration video before; you can view it here. I planned to make it public a long time ago, but some issues in the code made it unstable. Nothing special, just some dummy lines of code, and now I have fixed (a bit) the memory consumption when displaying the result in the memo box: changed from TMemo to TSynMemo and added a timer to avoid the delay. Take a look at this screenshot:


I captured that picture on my Arch KDE desktop, and the project was built using Qt (created by Lazarus-qt version0). To make it work properly, you MUST HAVE binutils installed (which contains objdump, the most important tool).

The source code is an archive of my whole Lazarus project. Just download the archive, extract it, open the project in Lazarus and compile it. It's ready to use :). If you don't know how to use it, just watch my demonstration video (link above).

Link download:

DOWNLOAD LINK MEGA.CO.NZ (ADF.LY ENABLED) (sorry about ads)

Update: The source code is now available on GitHub; you can grab it with these bash commands:

    cd ~/
    git clone git://github.com/levisre/linux_patching_helper.git

Enjoy and best regards,

Levis

Reter Decompiler – Yet another .NET Decompiler

This is an old decompiler, but a great one, created by yck1509 (aka Ki, author of Confuser and ConfuserEx). It was released a couple of years ago, and I had lost the download link. Now I have found a working download link, so I am posting it here. The most interesting features of this decompiler are its ability to display all the metadata streams in the main window and its built-in hex editor. Moreover, it can display MSIL opcodes directly in the decompile window (if you use IL mode). Look at the picture below:

And the author said:

Features:
- Decompile…
- Browse
- Search
- Token, RVA
- Analyzer
- Renaming
- Bookmark

Link download:

DOWNLOAD MEGA.CO.NZ LINK

de4dotShell – Integrate de4dot to Context Menu

Just a basic application, nothing special here.

The idea is simple. This small tool adds an entry named “de4dotShell” to the context menus of .exe and .dll files. From there you can interact with de4dot easily. It also has text boxes for entering specific parameters to control de4dot's work as you want.

To use it, first copy de4dotShell.exe to de4dot's root folder (which contains de4dot.exe), then run de4dotShell.exe, check the box “Register Shell Extension” and voilà!

Thanks to Yashar Mahmoudnia for his great idea, de4dotUI. Consider this de4dotShell a modification of de4dotUI, so nothing special; feel free to use it, and all credit goes to Yashar Mahmoudnia.

Any bug reports are welcome.

de4dotShell

Requires .NET 2.0 and a working de4dot

Download:

DOWNLOAD MEGA.CO.NZ LINK


Enjoy and best Regards

Levis

Detect It Easy (DiE) reached version 0.79 with Linux and MacOS Supports

Hello all mates,

Detect It Easy (aka DiE) is a packer identifier like PEiD or exeinfoPE. The good news is that it now supports Windows, Linux and MacOS.

Here is a picture captured from my running Linux system:

DiE in Linux

It works smoothly, and many more features are waiting for you to discover.
Sorry, I'm still testing it, so I cannot write a review article now; I hope I can write one soon :).

For more information and the download link, please go here:

Goto DiE’s Official Website

Enjoy and Best Regards,
Levis

FileInsight – A free tool from McAfee for Malware Analysis

FileInsight is a free hex editor from McAfee Labs that runs on Microsoft Windows. As expected, it can perform standard hex editor duties, such as viewing and editing file contents in a hex form, but it also does more than that.

FileInsight is able to parse the structure of compiled Windows executables (PE files) and binary Microsoft Office (OLE) documents. Furthermore, the tool has a built-in x86 disassembler: simply point the cursor at the area of the file you want to treat as code, and the tool will show you the corresponding assembly instructions. The disassembler is especially helpful when looking at shellcode embedded in malicious files.

FileInsight includes numerous other analyst-friendly features, such as the ability to import data structure declarations, HTML syntax highlighting, and tools for decoding various data obfuscation methods (xor, add, shift, Base64, etc.). FileInsight also allows you to automate actions using JavaScript and Python. Nick Harbour wrote several Python plugins for FileInsight, which you can download from his website.

The tool’s biggest weakness is, perhaps, its inability to open very large files. For instance, when attempting to load a 512MB file, FileInsight produced a “Failed to open document” error. Also, FileInsight does not support searching for Unicode-encoded strings that look like ASCII strings.

Image of FileInsight running on my machine:

FileInsight

Download Direct Link (McAfee server)