From simple to complex

The last week Elias ran a sample malware in the Bochs emulator and I was curious to see what it exactly does. So I took the unpacked version of the malware and fed it into the decompiler. It turned out to be a pretty short downloadler (different AV vendors give it different names: Lighty after the compression method, or FraudLoad, or FakeAlert, etc). Such simple code is very easy to decompile. I renamed some functions and added some
comments to it. The final text looks like this:

Continue reading From simple to complex

BITS used as a covert channel

The idea to use BITS to download files from the internet is not new. If you check the corresponding page from Wikipedia, you will find that
Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth.
The web page ends with a list of third-party applications that use BITS. However, as any technical method, it can be used for evil purposes as well. Eric Landuyt analyzed a malware that exploits it for bad:
http://www.datarescue.com/laboratory/trojan2008/index.html
I liked the “proof of concept” WinDbg script that runs the malware in a controlled manner. Breakpoints with actions are very powerful, indeed.
Nice work, Eric!

Some functions are neater than the decompiler thinks

The decompiler makes some assumptions about the input code. Like that call instructions usually return, the memory model is flat, the function frame is set properly, etc. When these assumptions are correct, the output is good. When they are wrong, well, the output does not correspond to the input. Take, for example, the following snippet:

The decompiler produces the following pseudocode:

Apparently, the v3 variable (it corresponds to edx) is not initialized at all. Why?

Continue reading Some functions are neater than the decompiler thinks

New Hex-Rays Demo

This has been online for a while now, I just had no time to announce it properly: a new thorough demo of the decompiler by ccso.com, our US distributor:




This demo is not just a teaser like the previous one. It is much deeper and shows many decompiler aspects in detail: it starts with the plugin configuration, shows a couple of simple decompilation cases, and then moves on to more complex functions. If you wondered how to improve the resulting pseudocode and handle typical cases, this video is for you!

Easy structure types

I’m happy to tell you that a new build of the decompiler is ready! It introduces new easily accessible commands to manipulate structure pointers. First, a variable can be converted into a structure pointer with one click. Also, new the structure types can be build on the fly by the decompiler. As usual, any type or name can be modified any time. All this makes using the decompiler really agreeable. Please watch a short demo:

Continue reading Easy structure types

Better user interface for decompiler

We are glad to release a new version of the Hex-Rays decompiler!
Highlights of this build:

  • improved usability
  • support for unusual calling conventions
  • better handling of obfuscated code

The most important improvement is the user interface. Now the decompiler is
at your fingertips at all times, the same way as the graph view.
Remember that you can toggle graph-text views in IDA with one keyboard hit?
For the decompiler you can use the Tab key: it toggles between
the disassembly and pseudocode views.

For those of you who prefer to see both the decompiler output and disassembler output
in the same window, we added the “copy to disassembly” command. It just does what
its names says: copies the pseudocode text to the disassembly window. You can
see both outputs simultaneously: mapping of low level assembly idioms to high
level constructs is made as transparent as possible.

With this build, you will be able to open multiple pseudocode windows.
This will be especially useful for long functions: just open a separate window
for each called function by Ctrl-double clicking on function names. The long
function will stay intact in its own window and you won’t lose time by
reanalyzing it upon each return.

One more command to handle code complexity: ability to hide parts of code.
The new hide/unhide command allows you to collapse a multiline statement into
just one line. Collapsing unimportant sub-statements reveals
the global structure of the decompiled function.

We also added other things to make the life easier: the command to jump to xrefs,
better status line information, support for the __spoiled keyword, and more
heuristic rules to the analyzer.

Here’s a short video:





The detailed list of changes can be accessed here

Nice analysis!

Decompiler output ctree

The upcoming version of the decompiler SDK adds some nice features.
First, we created a reference manual. It is in doxygen format: cross references make it really easy to browse. Second, the SDK is compatible with both IDA v5.1 and v5.2. Third, we added functions to retrieve and modify all user-defined attributes like variable names, types, and comments. Fourth, we added more sample plugins. And fifth, our forum is open. All your decompiler and SDK related questions can be asked there.
Since the “show, don’t tell” rule applies to everyone, here’s a short video demonstrating one of the new sample plugins (it displays the decompiler output as a graph):


Hopefully the new version will be available this week, as soon as the regression tests are over.

Hex-Rays SDK is ready!

A binary analysis tool like a decompiler is incomplete without a programming interface.
Sure, decompilers tremendously facilitate binary analysis. You can concentrate
of the program logic expressed in a familiar way. Just add comments, rename variables
and functions to get almost the original source code, almost perfect. However, quite often there
is a small ugly detail and the output falls short of being satisfactory.

Continue reading Hex-Rays SDK is ready!

Coordinate system for Hex-Rays

One of must-have features of a reverse engineering tool is the ability to add comments to the output listing. Without this feature, the output stays difficult to understand. The user copies it to a text editor to continue the analysis but this is a bad solution because the dynamic nature of the output is lost. The command to rename variables alleviates the problem but comments are still necessary.

Continue reading Coordinate system for Hex-Rays