Reversing is the process of taking something (not necessarily a program), in its completed or built state, and attempting to make sense of its inner workings. Reversing forms the backbone of many other topics in security and software, so a good understanding of reversing strategies goes a long way.
- Before cracking open a disassembler like Cutter, Binary Ninja or r2, it is useful to dump some of the binary's contents with simple command-line tools.
- It is always a good idea to see what printable strings a compiled program contains: `strings <binary>`
- For a less cluttered view limited to strings in the data sections (and so more likely to have been added by the programmer), use r2's CLI tool rabin2, here run against a binary named `split`: `rabin2 -z split`
- The full symbol table, functions included, can be listed with objdump: `objdump -t <binary>` (function symbols carry the `F` flag in the flags column; `objdump -d` disassembles them).
- Defined functions with interesting symbols can be listed with `nm <binary>`, or with rabin2, filtering out imports and zero-sized symbols: `rabin2 -qs ret2win32 | grep -ve imp -e ' 0 '`
- For more on specific tooling for disassembly and decompilation, see tooling.
- Many decompilers name stack variables by their offset from the frame (base) pointer, using a syntax similar to `var_c6`.
- This means the variable sits `0xc6` bytes below ebp, i.e. at `[ebp-0xc6]`. We can use this to determine how far apart two stack variables are.
- For example, if one variable is `var_6` and another is `var_8`, they are `0x8 - 0x6 = 2` bytes apart.
- Another use of this hexadecimal notation is that we can statically calculate the offset required to overflow a buffer and reach the saved return address: a buffer at `var_c6` is `0xc6` bytes below the saved ebp, and the return address sits one machine word above that (4 bytes on x86, 8 on x86-64), so `0xc6 + 4` bytes of padding reach it on a 32-bit target.
- Caveat: confirm the offset against the memory operand in the disassembly (e.g. `[ebp-0xc6]`) rather than trusting the name alone, since tools differ in what they take as the frame base, and a stack canary between the buffer and the saved ebp will abort the process if it is overwritten.
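The offset arithmetic above, as an added example in Python (not code from the original notes): it parses `var_<hex>` names, computes the distance between two stack variables, and derives the padding needed to reach the saved frame pointer and the return address for a given word size. It assumes the convention that the offset is measured below the frame pointer and the classic frame layout (buffer, then saved ebp/rbp, then return address); the `var_c6` buffer and the target address `0x08048500` in the usage section are constructed values, not taken from any particular binary.

```python
"""Stack-offset arithmetic from decompiler variable names.

Added example (not from the original notes). Assumes the convention in which
var_<hex> is the variable's offset below the frame pointer, and the classic
frame layout: [buffer ...][saved frame pointer][return address].
"""
import re

WORD_SIZE = {"x86": 4, "x86_64": 8}  # size of the saved ebp/rbp and of the return address


def frame_offset(name: str) -> int:
    """Parse a decompiler name such as 'var_c6' into its offset below the frame pointer (0xc6)."""
    m = re.fullmatch(r"var_([0-9a-fA-F]+)", name)
    if m is None:
        raise ValueError(f"not a var_<hex> name: {name!r}")
    return int(m.group(1), 16)


def distance(a: str, b: str) -> int:
    """Bytes between two stack variables: distance('var_6', 'var_8') == 2."""
    return abs(frame_offset(a) - frame_offset(b))


def overflow_layout(buf: str, arch: str = "x86") -> dict:
    """Padding from the start of `buf` to the saved frame pointer and to the return address."""
    word = WORD_SIZE[arch]
    to_fp = frame_offset(buf)  # bytes until the saved ebp/rbp
    return {
        "word_size": word,
        "to_saved_fp": to_fp,
        "to_return_addr": to_fp + word,  # the return address sits one word above the saved frame pointer
    }


def build_payload(buf: str, ret_addr: int, arch: str = "x86", filler: bytes = b"A") -> bytes:
    """Filler up to the return address slot, followed by `ret_addr` in little-endian byte order.

    No stack canary or alignment padding is accounted for; verify the offset against the
    disassembly operand (e.g. [ebp-0xc6]) before relying on it.
    """
    layout = overflow_layout(buf, arch)
    return filler * layout["to_return_addr"] + ret_addr.to_bytes(layout["word_size"], "little")


if __name__ == "__main__":
    # Constructed example: a buffer the decompiler calls var_c6 on a 32-bit target,
    # with a hypothetical address 0x08048500 to place in the return-address slot.
    print(distance("var_6", "var_8"))              # 2
    print(overflow_layout("var_c6", "x86"))        # to_return_addr is 0xca (202) bytes
    print(build_payload("var_c6", 0x08048500).hex())
```

Switching `arch` to `"x86_64"` adds 8 instead of 4 for the saved rbp, which is the usual mistake when porting a 32-bit offset calculation to a 64-bit binary.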