We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Ghidra - An Open Source Reverse Engineering Tool

00:00

Formal Metadata

Title
Ghidra - An Open Source Reverse Engineering Tool
Subtitle
How the NSA open-sourced all software in 2019
Title of Series
Number of Parts
94
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
The NSA released a tool called Ghidra both for free usage as well as in source code format. It is a software reverse engineering framework with advance capabilities like a powerful decompiler. This lecture will give a short introduction into Ghidra and cover examples of both benign executables as well as malware with a focus on the Windows operating system. Reverse engineering - more specifically software reverse engineering - is the process of deconstructing computer programs with the purpose of understanding their feature set. This especially includes software that is not available as source code but only as binary executables. These files can be analyzed by executing them, which is often referred to as "dynamic analysis" or by translating them into another language, like assembly, which the reverse engineer then tries to reason about. The second approach is often referred to as "static analysis". While it is - in principle - possible for a human to fully understand and statically analyze a binary by reading raw assembly, this approach does not scale well: The x86 assembly language for example - which is used in most desktop computers and servers - is made up of thousands of different instructions. Each of these instructions only performs a very small task, like adding two integers. One can imagine that a binary - even as mundane as a tool to list the current directory content - is made up of a large number of these instructions. In practice, the reverse engineering therefore heavily relies on tooling. The Vault 7 leak by WikiLeaks in 2017 suggested that the NSA owns or develops a reverse engineering tool called "Ghidra". Two years later, at the RSAConference in 2019, the NSA released the tool to the public, first as ready-to use software, then even all its source code. For the reverse engineering community, this is a huge thing: All tools available until that point in time where either very expensive or lack advanced capabilities. While this lecture will only cover executables for the Microsoft Windows operating system, Ghidra also supports a very wide variety of platforms reaching from ARM - used in many IoT devices - over DEX - for Android-based devices to more exotic architectures as PowerPC, MIPS or SPARC. This versatility is a huge pro for Ghidra when compared to its main competing software product like the Hex-Rays decompiler. A lot of people think, that reverse engineering is a dark art only a few selected individuals are chosen to be gifted in. I honestly think that it is just another skill and would even go as far as saying that maintaining a legacy software product without good documentation - which is a common scenario in the software development industry - is much harder than understanding how WannaCry worked.
15
Thumbnail
1:16:56
20
Thumbnail
59:24
23
Thumbnail
10:02
48
Thumbnail
50:08
56
76
Thumbnail
12:05
Reverse engineeringOpen sourceFreewareOpen sourceBranch (computer science)SoftwareReverse engineeringInformation securityMusical ensembleXMLUMLLecture/Conference
Open sourceReverse engineeringSoftwareNon-standard analysisMusical ensembleReverse engineeringContext awarenessBoss CorporationBitProcess (computing)Drum memoryOpen sourceAssembly languageMultiplication signExpected valueSlide ruleDressing (medical)Lecture/ConferenceComputer animation
MathematicsSoftwareSoftware developerInformation securityReverse engineeringMultilaterationSharewareSpeech synthesisMereologySoftware developerUniverse (mathematics)Data structureTwitterReverse engineeringMathematicsEmailVideo gameMusical ensembleDivisorGradient descentJSONComputer animation
Reverse engineeringTerm (mathematics)Process (computing)Artificial neural networkArchitecturePresentation of a groupFocus (optics)Latent heatBinary fileSoftwareReverse engineeringSoftwareArtificial neural networkObject (grammar)Process (computing)Metropolitan area networkTerm (mathematics)Multiplication signBinary codeTwitterNatural numberProduct (business)Musical ensembleComputer hardwareSmartphoneJSONComputer animation
Compilation albumFreewareOpen sourceReverse engineeringBinary fileSoftwareSource codeBinary codeProcess (computing)Computer architectureBitMachine codeReading (process)Compilation albumCompilerMultiplication signTwitterReverse engineeringSoftware industryOpen sourceComputer animation
Reverse engineeringSource codeSoftwareReading (process)Process (computing)Software bugSoftware industryOpen sourceComputer clusterBinary codeLecture/ConferenceComputer animation
FreewareOpen sourceMathematical analysisMalwareExploit (computer security)Software crackingImplementationSoftwareSlide ruleProcess (computing)MalwareCopyright infringementElectronic mailing listOpen sourceSource codeVulnerability (computing)Reverse engineeringAlgorithmAudio file formatMathematical analysisMachine codeHacker (term)outputGroup actionPresentation of a groupAuthorizationVideo gameSoftware developerPasswordMultiplication signTextsystemInterrupt <Informatik>Exploit (computer security)
Reverse engineeringLevel (video gaming)SoftwareCategory of beingSlide ruleExpert systemCASE <Informatik>MalwareSoftware developerMusical ensembleMathematical analysisPower (physics)Bus (computing)Electronic mailing listMereologyComponent-based software engineeringServer (computing)Closed setOpen sourceAsynchronous Transfer ModeExploit (computer security)Vulnerability (computing)Lecture/Conference
CompilerBinary filePoint (geometry)FunktionalanalysisPhysical systemComputer programTouchscreenoutputWordLetterpress printingLine (geometry)Inclusion mapString (computer science)Reverse engineeringMachine codeMathematical optimizationFehlererkennungCompilation albumOperating systemBitError messageStatement (computer science)Binary codeMultiplication signSharewareComputer animationJSONXML
Sample (statistics)MIDIOnline helpComputer fileFreewareRevision controlVolumeSerial portNumberDirectory serviceTouchscreenMathematical analysisDynamical systemWindowPresentation of a groupSoftwareProcess (computing)Reverse engineeringLimit (category theory)FunktionalanalysisComputer programComputer virusComputer animation
Computer fileFreewareVolumeNumberSerial portDirectory serviceString (computer science)Dynamical systemSoftwareString (computer science)System callNumber2 (number)Sinc functionReverse engineeringMathematical analysisFluid staticsTouchscreenWeb pageASCII
Chinese remainder theoremAsynchronous Transfer ModeDensity of statesError messagePublic domainParameter (computer programming)Sign (mathematics)Mathematical singularityBuffer overflowRange (statistics)Total S.A.Run time (program lifecycle phase)Address spaceQuery languageMachine codeRevision controlCommunications protocolPartial derivativeSheaf (mathematics)Web pageString (computer science)TouchscreenLine (geometry)Electronic mailing listAsynchronous Transfer ModeComputer programDensity of statesBinary codeCursor (computers)Price indexPresentation of a groupComputer animationSource code
Density of statesAsynchronous Transfer ModeOpen sourceFreewareConstraint (mathematics)Reverse engineeringDensity of statesWindowMereologyPhysical systemPrice indexComputer programFluid staticsAsynchronous Transfer ModeMultiplication signTouchscreenRadical (chemistry)Point (geometry)Binary codeConfidence intervalFault-tolerant systemString (computer science)2 (number)ComputerConstraint (mathematics)Chemical equationForm (programming)Video projectorCuboidVideo gameCompilerJSONXML
Reverse engineeringAerodynamicsFluid staticsAudio file formatBitMereologyReverse engineeringSheaf (mathematics)Pairwise comparisonGoodness of fitDynamical systemFluid staticsAudio file formatLecture/ConferenceJSONXML
AerodynamicsReverse engineeringFluid staticsComputer programComputerSoftwareProcess (computing)Mathematical analysisContext awarenessReverse engineeringGreatest elementElectronic mailing listWindowComputer programMathematical analysisSoftwareProcess (computing)Fluid staticsDynamical systemString (computer science)VirtualizationAudio file formatMultiplication signSlide ruleResultantPresentation of a groupFunction (mathematics)Lecture/ConferenceComputer animation
Audio file formatPhysical systemTouchscreenVirtual machineAudio file formatLatent heatPhysical systemMultiplication signComputer fileExpert systemWindowOperating systemDifferent (Kate Ryan album)Portable communications deviceMoment (mathematics)JSONLecture/Conference
Audio file formatPhysical systemFocus (optics)Portable communications deviceOpen sourceFreewareWeightProgramming languageComputer fileNormal (geometry)Reverse engineeringExpert system.NET FrameworkEvent horizonBinary codeNormal (geometry)Different (Kate Ryan album)Sheaf (mathematics)Computer programPoint (geometry)DisassemblerWordFunktionalanalysisMoment (mathematics)Open sourceComputer fileWindowAudio file formatRevision controlException handlingSource codeSoftwareComputerEmailOverlay-NetzWeightMalwarePortable communications devicePunched cardXML
FreewareOpen sourceComputer fileBootingContent (media)Read-only memoryPunched cardComputer programSheaf (mathematics)Virtual memorySpacetimeVirtual machineBootingWindowSemiconductor memoryDifferent (Kate Ryan album)Interactive televisionLecture/ConferenceXML
FreewareOpen sourceBefehlsprozessorProgramming languageLevel (video gaming)MultilaterationPresentation of a groupSheaf (mathematics)Programming languageBefehlsprozessorComputerHigh-level programming languageNumberMereologyComplex analysisRight angleSemiconductor memoryMetropolitan area networkLevel (video gaming)Software developerPerspective (visual)Virtual machine
CompilerAssembly languageMereologyBefehlsprozessorSemiconductor memorySource codeComputer programSoftwarePoint (geometry)Compilation albumOpen sourceLecture/Conference
Open sourceFreewareBefehlsprozessorProgramming languageStack (abstract data type)Function (mathematics)FunktionalanalysisBefehlsprozessorSemiconductor memoryComponent-based software engineeringMereologyComputerAssembly languageRandom accessStructural loadHard disk driveRight anglePerspective (visual)Point (geometry)
Multiplication signCompilerComputer programMereologyFunktionalanalysisSoftwareCompilation albumMathematical optimizationLecture/Conference
Open sourceFreewareProgramming languageBefehlsprozessorLevel (video gaming)Function (mathematics)Stack (abstract data type)Representation (politics)HexagonCodierung <Programmierung>Binary fileLevel (video gaming)1 (number)DecimalComputational scienceSequenceBinary codeState of matterComputerNumberDigitizingDisassemblerNumerical analysisAudio file formatTouchscreenGoodness of fitLecture/Conference
Open sourceFreewareBefehlsprozessorProgramming languageLevel (video gaming)Stack (abstract data type)Function (mathematics)DisassemblerPositional notationData storage deviceRight angleNumberParameter (computer programming)Assembly languageMereologySequenceProgramming languageSupremumIntelXML
DisassemblerInteractive televisionReading (process)Web pageDescriptive statisticsBit rate1 (number)Interactive televisionDisassemblerReverse engineeringForm (programming)Multiplication signLecture/ConferenceComputer animation
FreewareOpen sourceInteractive televisionDisassemblerProgramming languageBefehlsprozessorLevel (video gaming)Function (mathematics)Stack (abstract data type)Open setTranslation (relic)SupremumMachine codeDisassemblerPoint (geometry)HexagonCompilerXMLLecture/Conference
Open sourceInteractive televisionSoftwareReverse engineeringVariable (mathematics)FunktionalanalysisMachine codeSocial classExistenceBinary codeLecture/Conference
FreewareOpen sourceInteractive televisionDisassemblerBinary fileSource codeMachine codeMoment (mathematics)Binary codeCompilerOpen sourceVideo gameForm (programming)Presentation of a groupMultiplication signPhysical systemComputer architectureSign (mathematics)Bit
FreewareOpen sourceLeakExistenceRSA (algorithm)Non-standard analysisSoftwareGraphical user interfaceJava appletSource codeReverse engineeringCross-platformGraphical user interfaceSoftwareExistenceLeakOpen sourceInformation securityComponent-based software engineeringWindowComputing platformComputer programJava applet
FreewareOpen sourceExistenceLeakNon-standard analysisRSA (algorithm)Graphical user interfaceJava appletSoftwareAudio file formatComputing platformComputer fileSource codeFilm editingRight angleInterface (computing)Configuration spaceSega Enterprises Ltd.Inheritance (object-oriented programming)Machine codeAudio file formatPlastikkarteNon-standard analysisLecture/Conference
Open sourceFreewareMachine codeElectronic visual displayFunction (mathematics)Variable (mathematics)Code refactoringIntegrated development environmentLibrary (computing)SharewareWindowCartesian coordinate systemMachine codeGastropod shellComputer fileMultiplicationMoment (mathematics)Multiplication signFunktionalanalysisIterationVariable (mathematics)Open sourceCondition numberComputer programLoop (music)Software developerLecture/ConferenceXML
Open sourceGame theoryComputer programDrag (physics)Projective planeInformationGoodness of fitWindowComputer fontTouchscreenPresentation of a groupComputer animation
Computer-generated imageryFunction (mathematics)EmailDensity of statesIcosahedronoutputMaxima and minimaSymbol tableInclusion mapAddressing modeDesign of experimentsMoving averageSystem callUniform resource locatorRepetitionRAIDOvalSystem callFunktionalanalysisSpeicheradresseSpacetimeInterpreter (computing)Electronic visual displayPresentation of a groupVirtual memoryAddress spaceSemiconductor memoryComputer animation
Symbol tableOvalSystem callMetropolitan area networkRAIDQuantum stateAddressing modeRadial basis functionBlock (periodic table)Execution unitDesign of experimentsVirtual memoryObject-oriented programmingRandom matrixSample (statistics)String (computer science)Function (mathematics)Kerr-LösungEmailNetwork topologyComputer programOpen setSource codeReading (process)Software developerRight angleOpen sourceSoftwareMoment (mathematics)Reverse engineeringComputer programComputer animation
Function (mathematics)Execution unitKerr-LösungSymbol tableComputer programMetropolitan area networkOvalNormed vector spaceExclusive orVirtual memorySkewnessMIDIRepetitionStack (abstract data type)MalwareObject-oriented programmingMenu (computing)System callAddressing modeGamma functionElectronic meeting systemInclusion mapMaß <Mathematik>Rule of inferenceMachine codeMathematicsPoint (geometry)FunktionalanalysisString (computer science)MaizeFigurate numberStack (abstract data type)HTTP cookieMultiplication signComputer fontParsingDirectory serviceComputer fileCompilerComputer programFunction (mathematics)Compilation albumMachine codeReverse engineeringVariable (mathematics)Mechanism designBitIntegrated development environmentBinary codeComplex analysisLecture/ConferenceComputer animation
Sample (statistics)String (computer science)Maxima and minimaMenu (computing)Execution unitMetropolitan area networkDesign of experimentsFunction (mathematics)Exclusive orSystem callAddressing modeoutputElectronic meeting systemFreewareComputer fileVolumeNumberSerial portDirectory serviceMathematical analysisComputer programBitNumberoutputReverse engineeringComputer animation
Sample (statistics)String (computer science)Design of experimentsConvex hullExclusive orSystem callKerr-LösungAddressing modeFunction (mathematics)Metropolitan area networkInclusion mapNormal (geometry)Symbol tableCNNEmailDisk read-and-write headExecution unit10 (number)Interior (topology)Computer clusterComa BerenicesError messageMenu (computing)String (computer science)Drop (liquid)Hardware description languageoutputMereologyBinary codeComputer animation
Metropolitan area networkComputer programConvex hullMenu (computing)Symbol tableNormed vector spaceFunction (mathematics)Machine codeStack (abstract data type)System callHTTP cookieAddressing modePort scannerRepetitionoutputSkewnessDelay differential equationMIDIString (computer science)TouchscreenView (database)Source codeOpen sourceFunktionalanalysisMachine codeAngleoutputComputer programLoop (music)Function (mathematics)Square numberNumberSummierbarkeitWindowType theorySoftwareLetterpress printingVariable (mathematics)Greatest elementComputer animation
Social classReverse engineeringEmailSharewareEmailSocial classReverse engineeringAddress spaceSheaf (mathematics)Lecture/ConferenceJSONComputer animation
LeakMachine codeComputer programReverse engineeringSheaf (mathematics)BitState of matterDisassemblerComputer architectureRadarSuite (music)Open sourceComputing platformArmHexagonContext awarenessSoftwareBackdoor (computing)Principle of maximum entropySet (mathematics)Line (geometry)Compilation albumCompilerScaling (geometry)Lecture/Conference
FreewareOpen sourceXMLComputer animation
Transcript: English(auto-generated)
Hello and welcome to the next talk. This is Lars Balsall. I'm very glad that he will give us this talk because I think it's quite interesting to hear about how there is an open source or the software there is.
Or at least that is a claim. Yes, and the question is how will somebody come to this. Yes, Lars is working in the IT security branch as a reverse engineer, so this is quite natural for him.
Or something that he is doing or trying to address it. The talk is about Gizmo, or how it is pronounced, an open source reverse engineer.
Hello everyone. Happy to be here. I'm really excited. I'm working as a reverse engineer in my day job. I will be talking about a tool that was released into open source at the beginning of the year.
And it's called B drum. First of all, I would like to give a bit of context and a bit of motivation. Maybe you don't even know what reverse engineering is or what assembly language is and so on. So just many expectations. This will not be a deep dive into all the features Dica has, but more like an introduction.
And give you some context into the whole industry. So first, why you should listen to me slide. So I'm Lars, this is my email address, this is my twitter handle, this is my github handle and so on and so on. I've worked as an IT freelancer for a few years, since 2004, like at high school and got some money in size and stuff.
And then I did my diploma in mathematics here at Bach. And then I worked as a software developer at a small company for two years. And then an old buddy from the university asked me, hey, I just joined this startup thingy, do you want to join?
And then I joined CrowdStrike, which was 2015. And since then I've worked as a reverse engineer and what that is will come next. First, a small structure of the talk. I will first give you, as a sense, an introduction for what reverse engineering is.
Then motivation, why you should do it or not. And then how to do it, basically. This will be the first half of the talk and then I will go into more detail at the later part. And there will be demos in between. You can watch me fail at live demoing. Also, if you have any questions, just interrupt me, especially you, my buddy.
I'm looking forward to being interrupted by you. And if you are not comfortable speaking or asking a question in English, feel free to ask it in German and I will try to translate it and butcher you. And you can also make comment on the German accent later. So, what's the most engineering?
I will probably call it reversing later on in this talk. And abbreviated as RE in the slides, just so you know what I'm talking about. It's a very general term of, you take an object that has been produced, an artificial object, not by nature or something, but by man or woman.
And reversing this production process is generally called reverse engineering. You can think of any piece of hardware, any piece of software and beyond, whatever that may mean. So reverse engineering includes both people opening up smartphones and soldiering, unsoldering the
stuff on it and understanding how it works and so on and so on. And reverse engineering has a goal. It has the aim to understand the design and the architecture or in the most general sense to extract knowledge from the object, from the artificial object.
In this talk I will be focusing myself on software, obviously. So I will only be talking about software reverse engineering, just to be clear. So the object that we study will be compiled binaries, mainly.
So, binary software reverse engineering. So what is binary software reverse engineering? A lot of you people will already know that. But I'm trying to be funny on the way so you will not get that bored and fall asleep or check Twitter all the time. So you normally start with something that you can read easily, or easy-ish. For example, source code.
And then there is a process going on that is called compiling and then an executable comes out of it. And this executable depends on the architecture and so on and so on. So the compiler needs to generate the correct code for the target architecture and so on. And the process to reverse this compilation can be considered reverse engineering.
So you start with an executable and you reverse the process of compiling into something source code or source code-like. I will phrase it a bit more general now. So you have something that is easy to read, then X happens and then you end up with something that is harder to read.
Source code is of course hard to read but not as hard as compiled binaries. And the reverse process is called reverse engineering. I mean, this can be everything. I mean, a lot of you are probably working in the software industry. So I guess maintaining a legacy software can also be considered reverse engineering.
I mean, the software probably started as something that was easy to read and then X happened. A lot of people don't know what. And now it's hard to read and now you are responsible to maintain it and to fix bugs and to implement new features. So even if you have the source code, I would consider the process of understanding hard to read source code as reverse engineering.
So in some sense, a lot of you are already reverse engineers. Welcome to the club. Now some motivation why one would even want to reverse binaries. And this is a pretty long slide.
So the first motivation may be quality assurance. So this is you buy a software and then you execute it and you want to make sure that it does what it's supposed to do basically. So it probably comes with some documentation or with a manual and so on. And it says this software does, I don't know, word processing.
And then you want to make sure that it only does word processing and also that it does word processing in a good way and so on. And then reverse engineering is the process to understand this. Sounds like a lot of effort but there are entities that want to make sure if they buy a software that the software doesn't do fancy stuff or generally stuff that it's not supposed to do.
Like download something from the internet and execute it. So quality assurance. The next one is for educational purposes. So just for fun. This is in my opinion often just an excuse to do some hacking. Another motivation to do reverse engineering is malware analysis.
I mentioned this here not only but also because I do this in my daily life. So my day job is to look at malware which is often only present in the compiled format. So the malware authors not often open source their stuff.
Sometimes they do which is good because then you have source code and can compare your binary to the source code and so on and so on. And you might ask why one even wants to analyse malware and the motivation behind this is you want to understand how they work. How these hacker groups, the bad guys work and how you can defend yourself better against them and so on and so on.
Just to repeat myself if you have any questions just raise your hand or start talking, interrupt me, no worries. I can always talk over you because I have this microphone. Another motivation to do reverse engineering is exploit development.
So you have a piece of software and you want to put something in, supply some input to the software so it behaves differently than it was supposed to behave. This is maybe a definition for exploit. What I mean with this is there is software and if you, I don't know, use letter A as a password but supply it 1000 times then it crashes.
And maybe if you not only use letter A but other stuff it starts to execute code that it shouldn't do and so on and so on. This is like first finding a vulnerability and then building an exploit for the vulnerability maybe a motivation for reverse engineering.
Another one is cracking so how to circumvent software, copy protections and so on. And the next one is economic espionage so you have a software and in the software there is a fancy algorithm you want to have because you also want to build the same software and implement the same algorithm and sell it for less money than the other company.
This may be a motivation. So I'm not a lawyer but I tried to sort this list roughly by how legal I think it is to do this stuff with reverse engineering in Germany on a sunny day.
I don't know. I'm not a lawyer at all so I think customer protection is pretty strong in Germany so I guess quality assurance is always okay. You can do a lot of stuff for educational purposes in Germany so this is probably also okay. Maybe it's illegal to analyze malware but on the other hand I'm looking forward to being sued by one of them.
Come again please. Maybe malware analysis is illegal. I'm not a lawyer. You're also not a lawyer. I know that. Exploit development. I recently met a guy at a conference and he worked at a startup that do vulnerability research and exploit development.
They were sued and they settled I think but it was not a one case. Cracking is probably pretty sure illegal in Germany and stealing of intellectual property and then making money out of it is also illegal I guess.
I'm pretty sure. So this is the motivation. And I included this slide so you know that there are legitimate use cases for reverse engineering and also illegitimate use cases for reverse engineering. So the power I supply you, you know, with great power. Another good motivation. I will repeat the question. Thank you.
The question or comment was there are a bunch of more motivations. I'm just trying to distill it down. Another motivation is if you have a closed source component and you want to interact with it.
I don't know maybe an API server or some low level stuff and there is no documentation around and the developer of this part, software part left the company or got hit by a bus or something. And you still want to interact with this piece of software you may be forced to do reverse engineering to understand it and interact with it.
This is probably pretty up high on the list. This is probably super legal in Germany. You are a lot of people and sometimes if you do this it looks like you are raising your hand and I'm not sure. So how do I even do it? I will now make an example.
So if you know C, this is probably not a problem at all. If you don't know C, I will just give you a quick run through. This is the most basic C program you can come up with. First you make sure that you can do input and output. This is the first line. Include stdio.h. Then you define the main function.
This will be the entry point of execution. The word entry point will repeat itself later in this talk. So this is basically the point where execution starts after you compiled it and then ran it on your system. Then it uses printf which is a function to print something on the screen.
And here I just print a constant string. Hello Froskon which is German for hello Froskon. I could have translated this. And then it contains a statement return 0. And this will also be important later on during this talk.
This is the so-called return code of the program. And it signals back to the operating system that everything went well. So the return code of a program is interpreted as an error code. So if there is no error, we just all agreed on this is represented by 0.
So then we compile it as I said in the very beginning. You can for example use GCC for it or I think I used MinGW. There is Microsoft Visual Studio. There are a lot of compilers around. You probably know much more about compilers than I do and how they are built and so on.
And to make it a bit harder for the reverse engineer, you can call strip on the resulting binary. This makes sure that there are no function names in the binary anymore. So if you just compile it without any flags and without any optimization and so on, then it will still be possible to see how you named the different functions.
In this program it's super boring because I only had one function and it's called main. But reversing of a program gets harder if there are more functions. And if you also don't have the names, then it's even harder.
So, demo time. So we will start with something that can be called dynamic reverse engineering or dynamic analysis. For this I will start a VM which started on a different screen.
So let's close this. I have a presentation window which is larger. Hello. So there is a program called hwelt.exe which is German for hworld.exe.
And I will execute it and it prints Hallo Froskorn on the screen. So this was the most basic way to do some dynamic software analysis. I executed the program and observed what it printed on the screen. It may have done a lot of other things in the background.
And this is already a downside of dynamic reverse engineering. It may do stuff and it may be doing it in such a sneaky way that you cannot notice it like this. I mean you can start like process monitoring and API hooking and so on and so on. But generally dynamic reverse engineering is very fast but also has its limitations.
Mainly there may be functionality hidden in the software that is only triggered at night. Or that is only triggered if the number of seconds since midnight is divisible by six or something, whatever. So there is another thing that is called static software analysis.
And this is if you don't execute the software itself but instead use tools to analyze it. And the first tool you may use to start your reverse engineering career is the tool called strings.
Which just looks for printable characters in the executable and prints them on the screen. So I will call this on the exe and then pipe it into less. Which makes sure that because there will be a lot of stuff and I only want to view it page by page.
And then stuff happens. So you see all the printable stuff in the executable. The first line may already spring to your eye. It's this program cannot be run in DOS mode. And I will explain later what it means and so on. But let's just scroll down the list. There is a lot of printable stuff. There is probably nothing interesting.
And then I scroll on and on. And here stuff happens. I totally expected this string because it was printed on the screen. It better be in the binary. There is also some stuff about GNU. And there is also MinGW-W64.
So this may be an indicator that something happened here. Then I scroll down and more stuff and more stuff. Anyway, anyway, anyway. Let's switch back to the presentation. So what did we learn from this static reverse engineering? Most basic static reverse engineering part. It will get better soon.
So I will not only do string-based reverse engineering. But just as an example. So this program cannot be run in DOS mode. This is an indicator that this is probably a Windows executable we are dealing with. And this is because something very, I think, very remarkable. Every single Windows executable you have on your system is backwards compatible to DOS.
So you can execute it in DOS and it will run. It will not crash. I mean, I forgot how old DOS is. But I think it's pretty amazing that they work. It will not do the same thing. So if you, I don't know, what's a recent computer game? Is Overwatch still a thing?
No? Anyway, I will take Overwatch as an example. If you execute Overwatch.exe on your DOS box, it will not run Overwatch. But it will just print the string, this program cannot be run in DOS mode on the screen and terminate gracefully. So it's compatible. It does a different thing.
So when this string is present, it's an indicator that the thing we are looking at, the target of our reverse engineering is a Windows executable. The other one was Hello FrostCon. So I think it may be a Hello World style program. Maybe it's doing more, maybe not. I don't know yet. And I also saw this string, which suggests that it was compiled with a certain compiler.
So we already extracted three pieces of knowledge from this binary. And you see it on the projector. So this can be considered the most basic form of reverse engineering. You may notice that there are a lot of probabilities and suggests and so on in the sentences above.
This is because there is always a time constraint. First of all, you only have 24 hours a day and you probably want to sleep. And you hate to break it to you, but you will probably die at some point. So there is a very tense time constraint on how much time you can spend with reverse engineering.
So it will always be like a balance you have to find between how much time you want to spend with reverse engineering and how confident you are in your assessments you are making. So I only spend 30 seconds or something.
So I'm pretty fine with the confidence levels I extracted from it. What questions do you have at this point? Rene, maybe you? No questions? Okay. Anyone else? Okay. So this was, the talk is over. I already covered all of this.
No, just making fun. The next five sections of the talk will be a quick comparison between static and dynamic reverse engineering. Then I will talk a bit about executable formats and what formats I'm interested in and so on.
Then I will give a very quick primer on assembly. But the awesome part is that you don't have to know assembly anymore to be a reverse engineer. You should learn it to become a good reverse engineer, but it's not the first thing you need to do, which in my opinion is good.
Then I will talk a bit about tools and what the tool landscape changed, or how the NSA changed the tool landscape. And then I will talk about Ghidra. So I hope you're not that annoyed that Ghidra is very at the bottom of the list. But as I said, I wanted to give some context. So static versus dynamic reverse engineering.
Here are two super boring definitions. We will just read them. Dynamic software reverse engineering is the analysis of computer software that is performed by executing programs on a real or virtual processor. And static software reverse engineering is the analysis of computer software that is performed without actually executing the target program. So this is what we just did.
I first started a VM with Windows in it, and then I executed the program and observed what it did. And then I called strings on the program, which doesn't execute the program at all. And I read the output of the helper program, which is strings. And there are a lot of upsides and downsides.
I also have a slide on the upsides and downsides at the very end of the presentation. So if we want to go into detail then and have time, I can do that. But the TLDR is that dynamic analysis is not foolproof. The program can behave differently.
It's super fast because you'll get instant results and it's not that boring. And static reverse engineering, maybe the TLDR is, you can be more confident that you understood all the features the software has. But it's also not foolproof. I mean, you can always spend more time and maybe you missed something.
And maybe the tools you use to analyze the software are broken or not working well, and so on and so on. So executable formats. What I mean with this is, if you have an executable in your machine, you can execute it. We just observed this. I called hvelt.exe and it puts something on the screen.
And these executables have a very specific format. It totally depends on the operating system. So Linux uses ELF files mainly. Of course, there are Windows-based systems that use the PE format.
I will talk about this in a moment. And there are a lot of other systems with all kinds of formats. And I'm not an expert in them, so I will not waste your time if I try to explain stuff that I don't know very well. But they are always expert for everything. There are different systems. RMS is another big candidate. We will focus on Windows here.
And it uses the so-called portable executable format, or PE. Which is obviously funny, because Windows executables are not that portable. I mean, they are portable, but only from one Windows version to the next. Which is already pretty amazing. But they are not portable to Linux, except for now there's wine.
Anyway, this is probably nothing I have to explain a lot for this audience. But what techniques we use to do reverse engineering on these different executable formats is heavily dependent on how they were produced.
Were they written in C? Were they written in C++? Were they written in Delphi? Were they written in Go and compiled through the Windows target? Were they written in .NET and so on and so on? For example, C programs are normally the easiest to reverse engineer. This is, I think, because the tools are so good in doing this.
C++ is normally more a pain, but on the other hand, even reading C++ source code may be more complex than reading plain C source code. Delphi is a mess. It produces so many functions. And it has so much indirection, so everything in Delphi is an event,
and it triggers other things and so on. I'm no expert in Go, but if you want to do Go, talk to the red guy. .NET is quite easy. I heard that, right?
So the question and the answer, which both I wasn't involved in, were Delphi is pretty easy to reverse because there is a good disassembler. I will explain all these words in a moment. And he was like, malware is harder to reverse. Did I cover your points accurately?
OK. .NET is super easy. There are tools where you can just drag and drop the binary into, and then you have the source code again. So if you develop .NET software and you want to protect your source code, then you should use obfuscators. I don't think that I should have said that,
but just don't protect your source code. Just open source everything, right? This is an open source conference? But now I will talk on native PE files. With this, I mean no .NET binaries. And we will start with normal native PE binaries,
so no Delphi, at least for starters, and also no Go. So, PE files. They are made up of so-called sections. So there are different sections in a PE file, and you can really imagine it as there is a header, and then there are one section, another section, another section, another section,
and then at the very end is something that is called overlay, which is just appended to the executable itself. And these sections, there can be a lot of sections, and they have names, and they are called, for example, .text, .data, .rdata, .bullshitshit, or bss.
So, who wants to guess where the program resides, the actual program? In the text section, yeah. There is no text in the text, or there is not much text in the text section. The text is in the rdata section. So, Hello FrostCon will be in rdata.
This means read only data, which also makes sense, but this is always surprising that the program is called text. I think it's because of these old computers. Oh, I don't even know what Lochkarte means in English. Punch card. Or for these old computers with punch cards, and I don't know why, but they called these things on the punch card text or something.
If some of you know why it's called .text section, speak now or be silent forever. So then there is a program, or there are actually a few programs, that interact with the low-level Windows API to load an executable into memory.
They are normally called PE loaders, and they are not doing fancy stuff. They just pull out the sections from the executable and place it in a virtual memory space. So, I will not go into detail there.
They just place it into the virtual memory space. The PE can say, I would like to have this section somewhere here in memory, and I would like to have this section somewhere here in memory, and so on and so on. The PE loader can also take care of something called relocation, where you can place it somewhere else, where it places the sections in a different spot in memory,
and then it passes execution to the .text sections where the actual program is. So this happens if you double-click something. All that, what I just said, happens in a Windows machine. Oh, I just said that. Cool. So, what is in the text section?
In the text section, there is assembly. And I see that we are fast-ish in this presentation, so maybe I will go into more detail later. If you don't know assembly, I will try to summarize it for you in five minutes. This will definitely suck. So if you know assembly, don't judge me for the next five minutes.
It's a low-level language. You can consider it a programming language because you can program a computer with it. And it's executed by the central processing unit of your machine, by your CPU. I say low-level because for assembly developers, C is a high-level language.
I mean, for, I don't know, JavaScript developers, C is a low-level language. It always depends on the perspective, right? Assembly is only able to do very basic things.
It's also able to do some more complex things, but it's definitely not able to play Iron Man the movie or something. It is only able to do stuff like, here is your memory, copy something from this part of memory into a register. Copy something from this register to this part in memory.
Here, there is a five, please double the number. Or this part in memory, add three. Or stuff like that. And this is pretty remarkable. I mean, these are the only things a normal x86 CPU can execute,
and a few more. And we still have all this software. This is, I think, it always blows my mind whenever I think about it. And, I mean, people, and we have these compiler things. They are magic programs that turn C source code,
which is super readable in my opinion, into these low-level thingies. And then, if you think about it, at some point there was no compiler. So, you cannot write a compiler in C without a compiler for C. So, the first compilers were actually built in assembly language.
Okay. You are not that excited about this. I'm awesome. There are a few very central concepts when it comes to assembly language. Registers, stack and functions. There are a lot more, but I will focus on these three for now.
Registers are part of your CPU. So, it's very small memory components in your computer that can store data. But the upside of them is they are super fast. They are even super fast compared to your random access memory through your RAM, which is normally considered the fast one compared to hard disks.
Always a point of perspective, right? And they are used for stuff that I just described. So, load something from this part of memory into this register. Double what is in this register. Take something from this register and this register, add it together and store it in the first one. And so on and so on.
And the last thing are functions. You probably know, if you ever developed software, you probably, you should definitely know about functions. They are parts of your program and oftentimes, not always, if you write a function, a compiler will turn it into an assembly function
to something that you can call and that will return in the end. Of course, compilers are also doing optimization things. So, they may remove a function and inline it or they may create functions and they may do all kinds of things.
So, assembly is often shown in the disassembled state. So, instead of, oh yeah, I have to talk about hex encoding. So, as the computer science teacher at your school probably told you, in your computer, there are only ones and zeros.
And this basically means you can represent data as ones and zeros, which are represented at the lowest level by there is current applied or there is no current applied. And if you look at it mathematically, a sequence of ones and zeros can be, is a number. It's not encoded in decimal format, but in binary format.
And this is a representation in hexadecimal format. So, there are digits in it. One, two, three, four, five, six, seven, eight, nine and zero. And the next few digits are A, B, C, D, E, F. But still, this is not very readable. I mean, if you just have tons of these hex numbers on your screen,
you cannot deduce a lot of them. So, there were disassemblers invented, and I heard there is a very good disassembler for Delphi. And these disassemblers turn these sequences of data into something like this, which is considered to be more readable. And what this command does,
this is a so-called Intel notation for assembly language, which I prefer. I don't know why, because it's harder to read, because you have to read it from left and then from right to left. So, you first look at the very first part that is called sub. This is a mnemonic. I don't know why they call it that, but it's called mnemonic.
And the mnemonic, mnemonic, mnemonic, mnemonic. The M is silent. Yeah, I don't know how to pronounce Johnny Mnemonic. Anyway, the question was, how do you pronounce Johnny Mnemonic? And it's pronounced Johnny Mnemonic.
Mnemonic, mnemonic, mnemonic. The mnemonic here is sub, which means subtract something. And what from what is the following? There are two arguments now, RSP and the number 0x98. And now you have to read it from right to left, if it's an Intel notation. And RSP is one of these registers I talked about.
So, what this assembly instruction does is it subtracts 0x98 from the register RSP and stores it back into RSP. So, you just learned your first instruction in assembly language. Oh, you already knew that. I didn't want to mock you.
And there are the mnemonics. There are like a few hundreds or a few thousands, depends on how you count. And I don't know them all by heart. Actually, I often have to look up the most basic ones, especially if I want to understand some educated behavior of them and so on.
But there is a large documentation, the Intel assembly documentation. It's a light read for a sunny evening, only two or three hundred pages of mnemonics, description, what it does, what is allowed, what is not allowed, and so on and so on. I can definitely do recommend that one.
Not. Let's talk about tools. So, at the dawn of time, there was only one tool for reverse engineering. No, that's not right. I don't know. There also was IDA. There always was IDA, which is short form for interactive disassembler.
I didn't catch that. Saucer. Saucer. Like a sorcerer. There were a lot of tools before that, but I'm young.
I'm not young anymore, I know. So I didn't know. Or at least I'm young in the industry. And there always was IDA. And it was a tool, or it still is a tool, to do this translation step I just showed you. The step from 4881EC980002-SUB-RSP-OX98.
This is called disassembling. And it showed you the resulting code. It also did some syntax highlighting and helped you with that. But then at some point, they decided to do something pretty amazing,
and this was creating the hex race decompiler. And it just does what its name suggests. It takes assembly commands and translates them back into C-like code, or pseudocode, generally. Of course, it can only do so much.
For example, function names may be lost, variables are lost, but it tries to reconstruct them, and it does all kinds of things to do that. This is also the reason this software was super, or still is super expensive. So the existence of this software basically divided
the reverse engineering communities into two classes. The one that can afford IDA. I think it was around $6,000 a year or something. And the one that cannot. I mean, for a company, that's probably not that much money. On the other hand, if you want to employ 10 reverse engineers, then it's $60,000 and so on.
And there were people that were not able to pay this kind of money. Then there are other tools like Binary Ninja. I personally didn't use it, but I heard from people, it's good. And then they stopped using it and went back to IDA. On the other hand, Binary Ninja is cheaper. It only costs a few hundred bucks.
Then there is RedDeck, which is very promising. It's an open source effort, and it's short for retargetable decompiler. And they have a pretty awesome goal. They not only want to produce pseudocode, but they want to produce real code that then can be recompiled.
So there was this question with closed binary blobs and the source code is gone and so on. They want to produce source code from it, and this source code can then be compiled again. Which is pretty amazing because this means there is no architecture problems anymore. If you haven't binary, you can recompile it for another system,
or the other system. So that's cool. But in daily life, it doesn't work well for me. I mean, you drop something in and then it produces code that is hard to read and so on. And then the NSA came around and open sourced Ghidra. Now we are nearly through in the presentation.
I only have 20 minutes left. You will start raising signs in a moment. Yeah, five minutes. Okay, you have five minutes to raise the first sign. And open sourced a tool called Ghidra. And now I will talk about Ghidra a bit. There were these Vault 7 leaks like two years ago.
I already forgot who leaked, but I think someone broke into the CIA and stole data. And from this data you could deduce that the NSA created the software that is called Ghidra and that is used for reverse engineering. This software was somehow classified so the source code wasn't public
and even the existence was a secret so it only leaked through the Vault 7 leaks and so on. But since then we know that we knew that this software exists. And then, very surprising to me, two years later the NSA decided at a security conference
we will release it into open source. And I was like, okay, well, that was unexpected. And then they really did that a few months later. I mean, it's a government agency after all. So a few months later they released it into open source. Ghidra is made up of two components.
There is, come again please. Oh, there was no question, sorry. It consists of a Java based graphical user interface and a backend written in C. And it's all compiled for all platforms. So Ghidra is open source and cross platform, which is also very surprising to me. So you can use Ghidra on Windows, Linux and MacOS
and reverse programs for all the other platforms. And it's capable of, wait for it, decompiling native PE files. So it also produces C-like source code and you can look at it. And what it does then is, oh, it also supports a lot of other formats.
Like all kinds of formats. It also has an interface to specify your own formats and then it tries to compile it based on that. There was for example a guy that wrote configuration files
for the Sega Mega Drive card writes and then you can put the ROMs from these card writes into Ghidra and it decompiles it to C code. Super amazing to be honest. So I'm not an NSA fanboy, but I think this was good. You can speculate why they did it.
Oh, you have a question, Rene, finally. I will repeat the question because the microphone is flipped off. The last one? Yes.
DLLs are PE files. Or DLLs means Dynamic Link Library. It's the way of Windows to put library code that can be used by multiple applications. And Ghidra can even more, it can just generically decompile assembly. So if you have shell code, for example, it can decompile it.
If you have library code, it can decompile it and so on and so on. Sometimes, thank you very much, 15 minutes. So we will, in a moment, the next demo is coming up. So we will import an executable, the Hello World program from the beginning.
Then we will be able to decompile the assembly, look at the pseudo code and then it also tries to guess some variable names because sometimes even if there are, for example, if a variable is initialized with zero and then used in the condition of a loop
and in every loop iteration is increased by one, it may name it i, for example. Stuff like this. I think this concrete example is wrong, so it doesn't name it i, but it could. And it's open source, so you can contribute and make it name it i.
And then it allows you to refactor the resulting code. As a real developer, the refactoring capabilities are very limited, so you cannot inline functions or extract functions and so on, but you can rename functions and rename variables and so on and so on.
So I think now is demo time again. So if you start Ghidra, it looks like this. You first have to create a project and it's very Java, so there are a lot of dialogues where you have to click, but it's really usable. So you first have to create a project, I called it FrostCon,
and now I will take the hVelt program from the beginning and drag and drop it into Ghidra. Are you ready? So then it says, yeah, this is a portable executable, it gives you some information, I normally don't read it, just click OK. Then it displays more information, don't read it, just click OK.
Now you have the hVelt program in Ghidra and now you drag and drop it onto the dragon. Be prepared for something. Someone at RSA programmed this. I mean, it was like, we have to do this dragon animation.
And then other people were like, yeah, that's a good idea. Then it asks you again, do you want to analyze this? And then you say yes and then it all shows up on the wrong screen, but I will just throw it over and then it says analyze again and then this window opens. Then it says, then it's displaying warning, which means we are done.
And then, so I increased the font size for this presentation. Normally you can read more than just something. And now there is stuff happening. So this segment on the left will display assembly commands
and if I scroll down, you will see some of them. So here is the address in virtual memory space. Here are the not disassembled, here is the not disassembled data. Then there comes the mnemonic and the interpretation that happens then.
For example, I don't know, E8, I know that is a call, which is translated into a call. And then here comes the memory address, which seems to hold a function that Ghidra decided to name strlenght. So sometimes these pop-ups open up.
And then on the right-hand side, it already displays some source code. I mean, it's hard to read source code, but especially if you are in software development, you may have read worse. Oh, oh no, oh no, oh no, oh no. Okay, I just closed it by accident, sorry for that.
I have to start it again. We'll take a moment, sorry. Oh, thank you very much.
Oh, it's crashed. It's open source, you should fix it. This is an open source conference, right? And now there are two approaches to try to reverse engineer this program. There is like a top-down approach or a bottom-up approach. So bottom-up would be look at the exports of this function, figure out where the entry point is,
and top-down would be, I know that there is the string HelloFrostCon in this binary, and we will find the string in the binary where it's referenced, and then find the function where it exists. What do you want to do first? Oh, that was a surprising question.
Do you want to do top-down or bottom-up first? Bottom-up, okay. So I will start with the exports. I didn't increase the font size here, but you can trust me, there is an export directory. It only has one export that is called entry. And now comes something that you only get used to.
So I can give you so much knowledge, but you only get used to the fact that there are two functions in some binaries, and you have to look at the second one, okay? This is like a preamble in a lot of PE files. And then there is a lot of code, but from looking at it, if you are an experienced reverse engineer,
you know this is just setup code that does command-line parsing and so on and so on. And at the very end, there is a return. And by the way, it is an IDE, so if you click this variable, it will highlight all the other occurrences of this variable. So it returns this variable, and you remember when I said we are interested, there is something that is called return code.
So this is the return code of the program. So I'm, to find the actual entry point of the executable, I'm interested in the function where this uvar8 variable comes from. I can also rename it. Oh, this is broken, but there's ten minutes, thank you very much.
And there is a return code, and I notice it comes from this function. So I double-click this function to go into it, and there we are. There is the PUTS HelloFrostCon. Something interesting, by the way, I used the printf function, but the compiler decided, hey, this guy doesn't know what printf does.
It does formatted output. You can also use PUTS, which just puts out a constant string, and it replaced it, yeah? Go compilers. There is also this function here. There was a question? Yeah, okay.
There was a lot of questions, and I don't have time to go into detail right now to this one, sorry. This function here at the beginning, if you look at it, you may think something funky is going on, but again, if you gather some experience, you may realize this is nothing fancy.
This is something connected to so-called stack cookies. So there is a protection mechanism where you put something on the stack that I talked about, and then you later check that it's still there, so this is just a stack cookie function. I still have a few minutes left, so do you want to see a bit more complex program,
or do you want to ask questions? Complex, okay, got that. So then we will first execute it. Because everyone loves dynamic analysis. So hvelt2.exe.
This program accepts some input, so I don't know, I put in a number, and then it puts something out. Maybe I do it a bit more systematically. One, two, three. So if you put in one, it outputs one. If you put in two, it outputs five, three, 14. Already have an idea what's happening?
You shouldn't have, but you can, I don't know. The suggestion was it's one, okay, the suggestion was drawn back, but we don't have to guess, we can just reverse engineer it, okay?
So I open it up, and then I close this one. Yeah, save it, I did so much work. And then I drag and drop hvelt2 into the executable. Now I can show you the bottom-up approach, and just look for the string Eingabel,
which is input in German. And first of all, we can enjoy this one again. I will search for the string Eingabel, see where it's referenced. This is where all the fun stuff happens. So let's go to search for string. Then it displays another useful dialogue,
which I will just confirm. Then these are all the strings in the binary. Well, we already knew them. Here's Eingabel, but you can also search for Eingabel. Then you click it. Then it went to this string in the disassembly view, and you already notice more screens are very useful.
So if the string view pops up on another screen, this helps a lot, so here's Eingabel. Then I will click this thing and then look for references of this. Again, opened up on the other screen. So there are two references. The first one is this one, and the other one is this one. The first one looks weird. This is probably just the thing I looked at.
And the other one is used in some assembly instruction. So I will click that and go back to the source code. And here we are. Here is the stack cookie thing. Then it prints Eingabel on screen. First initializes a variable with zero, prints Eingabel on screen.
scanf is the function to read something. So I just want this variable input. Then another variable is initialized with one. And then there is a loop that checks if this variable is smaller than input. And then something happens, and then this variable is increased by one.
So this should be called i. And then there is another, the last variable. This is also the output, which we realized here at the very bottom. So I will just call it output. Normally you can see when you type in this window that pops up. And maybe we already see what this program does.
It takes an input, then squares the input, or then squares every number up to that input and sums them all up. So this is the sum of squares up to the number that was put in. Five minutes left, thank you. So this is just possible by clicking and double-clicking
and receiving email. So this software is an open source now. So every one of you can just download it. Also download OpenJDK to execute it. Execute it and start reversing stuff. Let me go back to the demo. And this is it, basically.
Some shameless advertisement. I will be giving reverse engineering classes soon. So if you are interested in that, just hit me up, give me your email address, or, I don't know, contact me later and so on. And we now have four minutes or three minutes left for questions.
Oh, thank you very much. First, a big thank you for this introduction. I believe a lot of people are very happy. There was one question. I believe there were more questions. You explained what the different sections are for.
You didn't say what BSS was for. Can you explain that in four minutes or is it like magic? It's not magic at all. They are all well documented. It's a bit out of scope to explain it now, but you can also Google it. PE BSS section will be a long explanation.
You probably need some context to understand everything. More questions? There, at the very... Okay, you told us about Gitama, about NSA. I think this is American, North American. What do you know about the reverse engineering capabilities of other countries, maybe European, French,
Britain or even Sweden? But I'm interested also in the Far East and also Russian. What do you know about this? I don't know a lot. I only know the software that is there and that is sold publicly. For example, IDA that I mentioned is just publicly sold. You can go to them and buy it. It's produced in Russia.
This may be a motivation for the NSA solution that they can produce in-house and maintain in-house and make sure there are no backdoors in the software you use for reverse engineering and so on. But I don't have insights into the secret programs of other nation states. Sorry. And if I had, I couldn't tell you, I guess.
I don't know. No. Yeah, and I don't know. There are also not very... a lot of leaks for other countries. I haven't heard of any leaks from... Next question, please. Go to IDA. Gidra. It's better and worse. So, I have to say, IDA is generally a bit better
when compiling C or C++ code. Also, a tiny bit faster, which is very important because then you can use it more interactively. Gidra supports many more architectures than IDA does.
I think the IDA decompiler only works for x86. Everything it compiles, everything it supports, which is pretty awesome. Yeah, but on the downside, the decompiled code is not that readable. For example, often memset or memcopy instructions are inlined by compilers. IDA always notices that, puts in the correct name.
But if you use Gidra, you sometimes start to reverse memset, which is not good. Another question up there. Did you? Huh? Here's the microphone. He needs to talk. Did you compare it to another open source decompiler suite
like Radare? Oh, yeah. Radare 2, or I don't know how to pronounce it. Yeah. Is it a decompiler? I thought it was just a disassembler. I compared it. As far as I know, okay, Radare is much slower.
If you want to call it at scale, it doesn't scale well. And I thought that Radare doesn't produce decompiled code. It only produces disassembled code, does it? Or to be quick, I didn't compare them because I didn't know Radare could produce disassembled code.
Could decompile code. The next one. Radare has a decompiler since two years and it's written in Rust. Second, the hex OS decompiler can x86, x86-64 and ARM. 32 and some ARM platforms.
Okay, okay, okay. Yes, it can do much more. This is not a question. This was a statement. Also, Ephra needs to put the microphone away from you and thank you very much for all your attention.