The set-up

Before the analysis, one should have all tools installed. This ensures that there is no time lost during the investigation by configuring or installing missing components. In this chapter, all the tools for this book are described. If you follow this guide, you’re all set to follow all the examples that are analysed.

Prerequisites

Before the installation of the tools in this chapter, it is required to have installed certain dependencies on your system:

  1. pkg-config
  2. Git

Use your package manager to install these dependencies, or install them manually. If you’re on a system which uses APT, the following command can be used to install all the prerequisites:

sudo apt install pkg-config git

Radare2

Starting out as a free and simple CLI hexadecimal editor with 64-bit offset support, the Radare project has evolved into a complete framework which can be used to analyse binaries. There are a lot of sources out there which go in-depth on the framework as a whole, discussing each part meticulously. One that is worth to mention is the Radare2 book.

Radare2 can process a lot of different architectures, with the most known ones being i386 (also known as x86), x86-64 (also known as x86_64), ARM and MIPS. Additionally, Radare2 can process a lot of file formats, most notably the ELF, Mach-O and PE formats and their different versions.

One can install Radare2 by cloning the Git repository and executing the following command:

git clone https://github.com/radare/radare2
./radare2/sys/install.sh

If you wish to install Radare2 in your home directory without using “sudo” permissions, use:

./radare2/sys/user.sh

Every command in Radare2 is heavily documented. This documentation can be used in the command line interface with the ?. Using just this command, provides a list of all possible commands consisting of a single letter. In this example, “a” is chosen to illustrate how to use the help function. To view additional commands that are linked to “a”, such as “aa”, one should type a?. In short, the question mark allows the user to request help one level deeper than it is typed, with no characters being the lowest possible option.

Plug-ins

Radare2 offers users the option to write a plug-ins themselves or to download them.

R2dec
This plug-in decompiles a function to pseudo C code. Although the code is not optimised, it offers great readability. It is still important to note the importance of understanding assembly language because the registers are still in the pseudo code, together with casts to types derived from the parsed assembly language.

The plug-in is open-source and can be found on Github. To install the plug-in, run the following commands after the installation of Radare2:

r2pm init
r2pm update
r2pm install r2dec

After the installation is done, one can use the plug-in with the command pdd after the function has been analysed (with either af [function name] or after using aaa). Additionally, one can view the assembly and the pseudo C code in one view, using the command pdda.

Cutter
The first official GUI for Radare2 is available on Github. This tool removes part of the steep learning curve that is required for Radare2: to know all the commands by heart. Essentially, it provides an overview of functions, the visual mode menu (VV) and the disassembly of a specified function (pdf, Print Disassembly Function). Obviously, there is more to Cutter than these three things: the user has a more compact overview, which reduces the chaos some users may experience with the Radare2 default CLI.

GDB

The GNU Project Debugger is a tool similar to Radare2 but with slightly different functionality. It can disassemble binaries just like Radare2 but has a different look and feel. This tool has a steep learning curve too, which makes it difficult to start out with. To install GDB, one can use the system default package manager. On Debian based systems, one can use:

sudo apt-get install gdb

Plug-ins

pwndbg

With the help of Python scripts and a stable GDB version, pwndbg provides a much more user friendly interface which provides more information to the user and lowers the skill level that is required for the tool. Unlike the Radare2 GUI Cutter, this version is a CLI.

GNU Compiler Collection

To install the GNU Compiler Collection (commonly known as GCC, one needs to install the build-essential package via package manager. For users on a Debian based  system, the following command installs the required package:

sudo apt-get install build-essential

With GCC, the user can compile code into a binary. Based on the native architecture of your operating system, GCC will be either 32-bits (x86) or 64-bits (x86_64). The program gcc is used to compile C into a binary, whereas g++ compiles C++ code into a binary. GCC will be the default compiler during this course, unless specified otherwise.

As a first parameter, the source file should be provided. Then the output file name is specified with the flag -o and the output file name. Then, the flag -s can be added to strip the binary of the debug information. During the analysis, function names are replaced by compiler generated names. All of the assembly samples that have been written and compiled during this course have been compiled with the -s flag. An example to compile the file input.c into the binary file output.bin can be found below. Note that the input file should be in the current working directory. The output file will also be placed in said directory.

gcc ./input.c -o output.bin -s

dnSpy

The free and open-source tool dnSpy is a .NET editor and debugger. The installation can be done via the provided project solution on the Github page. Additionally, one can download the latest release which is also provided on the Github page. Do note that the .NET Framework is required to run dnSpy, but also to disassemble .NET binaries. It is therefore recommended to downloaded the latest version of the .NET Framework here.

JADX

A tool to decompile an APK, JAR, Class or DEX file into Java source code. There are multiple options which can be used during the decompilation, such as the -d flag, which specifies the output directory. Additionally, one can use the –deobf flag to deobfuscate the names of the classes, functions and fields in the output. The minimum and maximum length of these names can be set, respectively, with the –deobf-min and –deobf-max flags.

To install the tool, one should clone the git repository and build it with Gradle, as is given below.

git clone https://github.com/skylot/jadx.git
cd jadx
./gradlew dist

Note that the ./gradlew dist does not work on Windows machines. Instead, the the gradlew.bat should be used.
The build output can be found in the build/jadx/bin folder.

APKTool

To decode the Android manifest, which resides within the APK, one can use APKTool. This tool decodes the complete APK, but does not convert the classes.dex file back to Java source code. The aforementioned JADX is capable of this conversion.

To install APKTool, one should clone the repository and build the source code with Gradle. Note that the ./gradlew script does not work on a Windows machine. Use gradlew.bat instead.

git clone git://github.com/iBotPeaches/Apktool.git
cd Apktool
./gradlew build shadowJar

The build output can be found in the brut.apktool/apktool-cli/build/libs folder.

The next article regarding basic CPU architecture can be found here!


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.