04 Reversing Tools
ENGINEERING AND MALWARE ANALYSIS
Topic – Reversing Tools
Reversing Tools
● There are many different approaches to reversing, and choosing the right
one depends on the target program, the platform on which it runs and on
which it was developed, and what kind of information you are looking to
extract.
● There are two fundamental reversing methodologies:
− Offline analysis and
− Live analysis.
Offline Code Analysis
● Offline analysis of code means that you take a binary executable and use a
disassembler or a decompiler to convert it into a human-readable form.
● Reversing is then performed by manually reading and analyzing parts of that
output.
● Offline code analysis is a powerful approach because it provides a good
outline of the program and makes it easy to search for specific functions that
are of interest.
● The downside of offline code analysis is usually that a better understanding
of the code is required because you can’t see the data that the program
deals with and how it flows.
Offline Code Analysis
● You must guess what type of data the code deals with and how it flows
based on the code alone. Offline analysis is typically a more advanced
approach to reversing.
● There are some cases (particularly cracking-related) where offline code
analysis is not possible.
● This typically happens when programs are “packed,” so that the code is
encrypted or compressed and is only unpacked at runtime.
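A quick triage check that illustrates the packing point above, added here as an example and not part of the original slides: compressed or encrypted code has near-maximal byte entropy, which is exactly why a disassembler gets nothing readable out of it until it is unpacked at runtime. The two sample “sections” are constructed in the script (one stand-in for plain code, one zlib-compressed copy of it), and the 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value from the slides.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic (assumed threshold): a section this dense is compressed or
    encrypted, so static disassembly of it is pointless until it is unpacked."""
    return shannon_entropy(data) >= threshold


def triage_sections(sections: dict, threshold: float = 7.0) -> dict:
    """Return {section name: (entropy, packed?)} the way a first triage pass would."""
    return {name: (round(shannon_entropy(blob), 2), looks_packed(blob, threshold))
            for name, blob in sections.items()}


# Constructed sample data, not taken from any real binary.
# Stand-in for plain machine code: 4 KiB drawn from a small alphabet of 16
# byte values, so it has low entropy (about 4 bits/byte) like real code,
# which normally sits well below the threshold.
_rng = random.Random(1234)
PLAIN_CODE = bytes(_rng.choices(range(16), k=4096))
# The same content after a packer has compressed it: the disassembler would
# see only this until the unpacking stub runs.
PACKED_CODE = zlib.compress(PLAIN_CODE, 9)


if __name__ == "__main__":
    for name, (ent, packed) in triage_sections({".text": PLAIN_CODE, "UPX1": PACKED_CODE}).items():
        print(f"{name:6} entropy={ent:.2f} packed={packed}")
```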
Live Code Analysis