Tools and references for reversing binaries and bytecode.
- Identify the language/format first (Python bytecode, Rust/Go signatures).
- Use decompilers to get a quick view before manual RE.
- Keep resource editors and unpackers handy for Windows challenges.
- Reversing Compiled Python (.pyc)
- Resource editor
- Convert asm to binary (assemble to an object file; link it afterwards):
  gcc -c chall.s -o chall.o -masm=intel
  -masm selects the dialect of compiler-generated assembly, so a hand-written Intel-syntax .s file must also start with a .intel_syntax noprefix directive for the assembler to accept it.
- Capa: the FLARE team's open-source tool to identify capabilities in executable files.
- Detect It Easy: program for determining the types of files for Windows, Linux and macOS.
- Process Monitor filter: advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
- Frida
  - Run server (on the device, e.g. from an adb shell):
    cd /data/local/tmp; ./frida-server &
  - Show installed apps:
    frida-ps -Uai
  - Call function
  - Trace function calls
- Hermes bytecode: if index.android.bundle isn't readable, it's likely Hermes bytecode, the compiled form of React Native's JavaScript. Disassemble or decompile it with hermes-dec:
  # clone and install hermes-dec
  git clone https://github.com/P1sec/hermes-dec
  cd hermes-dec
  python3 setup.py install
  # disassemble or decompile Hermes bytecode
  python3 hbc_disassembler.py index.android.bundle disassembled_hermes
  python3 hbc_decompiler.py index.android.bundle decompiled_hermes
- Challenge: Bypass ptrace
  - Solution:
    - Open with Ghidra (import as a raw binary)
    - Patch the JNS that follows the TEST/compare into an unconditional JMP, so the ptrace result no longer decides the branch
- Donut TODO
- UPX
  - Sometimes a UPX-packed binary can't be decompressed with the stock unpacker because the author manually changed some bytes or even whole sections.
  - Missing library: append kernel32.dll to the actual binary.
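Added example, not code from this page or from Detect It Easy, hermes-dec or UPX: a small Python sniffer for the "identify the format first" step on the file types above. It checks the Hermes bytecode magic (the 64-bit constant from the Hermes header, with the version field right after it), the ELF and CPython .pyc signatures, and for PE files walks the section table to report section names and per-section entropy, which is how renamed or tampered packer sections show up before the unpacker refuses the file. The `build_sample_pe` helper constructs a headers-only PE for the demo; the "UPX!" marker check and the 7.0 entropy threshold are this example's own heuristics, not something the page states.

```python
"""Added example: sniff what kind of artefact a challenge file is before picking a tool.

Magic values: the Hermes header constant from the Hermes source, PE/ELF/pyc layouts from
their public specs. The sample PE below is constructed, not a real binary.
"""
import math
import struct

HERMES_MAGIC = struct.pack("<Q", 0x1F1903C103BC1FC6)  # 64-bit Hermes bytecode magic, little-endian on disk
ELF_MAGIC = b"\x7fELF"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """[(name, raw_size, entropy)] for a PE image, or None when `data` is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, round(shannon_entropy(body), 2)))
    return sections


def identify(data: bytes) -> dict:
    """Classify `data` by signature and attach the notes a reverser wants before opening it."""
    info = {"format": "unknown", "notes": []}
    if data[:8] == HERMES_MAGIC:
        info["format"] = "hermes-bytecode"
        info["version"] = struct.unpack_from("<I", data, 8)[0]  # bytecode version follows the magic
        info["notes"].append("React Native bundle compiled by Hermes; disassemble with hermes-dec")
    elif data[:4] == ELF_MAGIC:
        info["format"] = "elf"
    elif (sections := pe_sections(data)) is not None:
        info["format"] = "pe"
        info["sections"] = sections
        names = {s[0] for s in sections}
        if names & {"UPX0", "UPX1", "UPX2"}:
            info["notes"].append("UPX section names present")
            if b"UPX!" not in data:  # heuristic: the packer header marker is gone, so the unpacker will refuse
                info["notes"].append("no 'UPX!' marker: packer header tampered, expect the unpacker to refuse")
        for name, size, ent in sections:
            if size and ent > 7.0:  # heuristic threshold for compressed/encrypted payloads
                info["notes"].append(f"section {name}: entropy {ent}, packed or encrypted payload")
    elif len(data) >= 16 and data[2:4] == b"\r\n":
        # CPython .pyc: 2-byte version-specific magic followed by b"\r\n", then a 12-byte header
        info["format"] = "pyc"
        info["magic"] = struct.unpack_from("<H", data)[0]
    return info


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 (headers only, not loadable) with the given (name, body) sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                                     # PE32 optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    ptr = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)  # raw data starts after the table
    headers, bodies = b"", b""
    for name, body in sections:
        headers += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", len(body), 0, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + opt + headers + bodies


if __name__ == "__main__":
    sample = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4), (".rsrc", b"\x90" * 64)])
    print(identify(sample))
    print(identify(HERMES_MAGIC + struct.pack("<I", 96) + b"\0" * 20))
```

Run it on a challenge file with `identify(open(path, "rb").read())`; for a real binary the section list is what to compare against the packer's expected layout when the stock unpacker fails.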
- Extract Python code from a binary: PyInstallerExtractor, a Python script to extract the contents of a PyInstaller-generated Windows executable.
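Added example, not code from PyInstallerExtractor or any other tool on this page: once a .pyc is in hand, the quick view before manual reversing is the header, the constant strings, the referenced names and the disassembly of every nested code object. The script below builds a constructed sample .pyc (`SAMPLE_SOURCE` and `build_pyc` are this example's own, the header layout is PEP 552), parses the 16-byte header for both timestamp- and hash-based files, and walks the marshalled code tree with the standard `dis` module.

```python
"""Added example: read a CPython .pyc and get a quick view of what it contains.

Header layout per PEP 552 (16 bytes since Python 3.7). The sample source is constructed here.
"""
import dis
import importlib.util
import marshal
import struct
import time
import types

# Constructed sample standing in for a challenge's extracted module.
SAMPLE_SOURCE = '''
import hashlib
SECRET = "flag{constructed_sample}"

def check(guess):
    return hashlib.sha256(guess.encode()).hexdigest() == hashlib.sha256(SECRET.encode()).hexdigest()
'''


def build_pyc(source: str, filename: str = "sample.py") -> bytes:
    """Compile `source` and wrap it in a timestamp-based pyc header, as py_compile would."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, int(time.time()), len(source))
    return header + marshal.dumps(code)


def parse_pyc(data: bytes) -> dict:
    """Split the 16-byte header from the marshalled code object and return both."""
    magic, flags = data[:4], struct.unpack_from("<I", data, 4)[0]
    if magic != importlib.util.MAGIC_NUMBER:
        # marshal is version-specific: a .pyc must be loaded by the CPython that produced it
        raise ValueError(f"pyc magic {struct.unpack_from('<H', magic)[0]} does not match this interpreter")
    if flags & 1:  # hash-based pyc: 8-byte source hash instead of mtime/size
        info = {"kind": "hash", "source_hash": data[8:16].hex(), "check_source": bool(flags & 2)}
    else:
        mtime, size = struct.unpack_from("<II", data, 8)
        info = {"kind": "timestamp", "mtime": mtime, "source_size": size}
    info["code"] = marshal.loads(data[16:])
    return info


def walk_code(code):
    """Yield `code` and every code object nested in its constants (functions, lambdas, comprehensions)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def summarize(code) -> dict:
    """Function names, string constants and referenced names across all nested code objects."""
    summary = {"functions": [], "strings": set(), "names": set()}
    for c in walk_code(code):
        summary["functions"].append(c.co_name)
        summary["strings"].update(x for x in c.co_consts if isinstance(x, str))
        summary["names"].update(c.co_names)
    return summary


def disassemble(code) -> str:
    """Disassembly of every nested code object: the raw material a decompiler reconstructs source from."""
    return "\n".join(f"--- {c.co_name} ---\n{dis.Bytecode(c).dis()}" for c in walk_code(code))


if __name__ == "__main__":
    info = parse_pyc(build_pyc(SAMPLE_SOURCE))
    print({k: v for k, v in info.items() if k != "code"})
    print(summarize(info["code"]))
    print(disassemble(info["code"]))
```

The magic check is the practical gotcha: a .pyc only unmarshals under the CPython version that produced it, so match the interpreter to the magic (the first two bytes, little-endian) before anything else. If an extracted file is missing the header entirely, prepend the matching magic and twelve zero bytes and the parser above applies.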