• Infosec In the City (IIC)

Maximise the Power of Hex-Rays Decompiler — by Igor Kirillov

Updated: Jun 19

#IICSG2018 Conference Deep-Tech Track


Day 1 (24 May 2018)

5.30pm—6.15pm

@ Stamford Ballroom (Olivia)


[#IICSG2018 Conference Full Schedule]


Abstract

IDA Pro Hex-Rays decompiler serves as a perfect abstraction producer over assembly language.

Its main advantage is that it gives an opportunity to modify the pseudo-code, making it as transparent and clear as possible. However, the process is extremely laborious, time-consuming, and even tedious, because, as a rule, the original code is a complete mash of standard types and variables. Standard functionality IDA Pro is equipped with are not of much help either. A major stumbling block all researchers come across in the process is structure recovery. In a decompiled code, field references look like pointer dereferences with some offset. The core feature of HexRaysPyTools plugin enables its user to collect the references of the code in a semi-automatic mode. After that, the information gathered in the GUI may be corrected and transformed into a complete structure.

Also, the plugin adds cross-refs by structure fields, helping to identify the purposes they serve much easier. Along with that, the plugin is equipped with a wide range of features that simplify the process of reverse engineering:

  • Symbols and RTTI information are used to create names of virtual tables and classes

  • Assert functions can be used to automatically rename functions

  • The GUI for classes and their methods

  • Makes structure graphs

  • Negative offsets handling

  • Makes recasts and changes names. Simplifies the process of changing names and types

  • Cross-references to virtual functions

  • Modifies and hides “if-then” branches. Hides switch-branches separately


About Igor Kirillov

Security researcher, reverse engineer. At first, researching was just a hobby: he developed and supported a bot for an online game while researching security mechanisms that would prevent the bot from executing. Then, it became his profession and life-long passion. He is also a C and Python programmer at Embedi interested in automatization of reverse engineering and searching for vulnerabilities in IoT devices.
0 views

Contact Us

Terms of Use | Code of Conduct

All rights reserved.

IIC Productions (Pte. Ltd.) © 2017-2020.