Reverse Engineering

I have what I consider to be a very lazy and practical approach to RE. This project is a collection of guides on attacking programs compiled in various languages and is not a primer on intermediate languages or instruction sets.

Language Detection

How do you figure out what language a program was written in?

This leverages a lot of experience seeing patterns etc. but I have a few tricks that don't involve brute forcing the program through disassemblers.

  • Look at the libraries in the program's directory. You see common patterns repeated for a given language, like cefsharp and directx libs for electron apps, etc.
  • Look at the UI of the application. You can usually tell Winforms/Java/Qt etc. apart by their styles.
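As an added example (not part of the original notes), the two tricks above can be scripted: the library-name table is an assumed heuristic list, and the PE check reads the CLR runtime header data directory (index 14), which is non-empty only for .NET assemblies. The build_minimal_pe helper constructs a header-only PE so the check can be exercised offline.

```python
import struct
from pathlib import Path

# Library names that hint at the toolchain (assumed heuristic table, extend as you learn patterns).
LIBRARY_HINTS = {
    "cefsharp.core.dll": ".NET (CefSharp)",
    "qt5core.dll": "C++ (Qt 5)",
    "qt6core.dll": "C++ (Qt 6)",
    "msvcp140.dll": "C++ (MSVC runtime)",
    "libcef.dll": "C++ (Chromium Embedded Framework)",
}

def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE's CLR runtime header directory (index 14) has a non-zero size."""
    if data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories start: PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= 14:
        return False
    _rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return size != 0

def hints_from_names(names) -> list:
    """Map file names found beside the binary to toolchain guesses."""
    lowered = {n.lower() for n in names}
    hints = [LIBRARY_HINTS[n] for n in sorted(lowered) if n in LIBRARY_HINTS]
    if any(n.endswith(".jar") for n in lowered):
        hints.append("Java (jar present)")
    return hints

def directory_hints(directory: Path) -> list:
    return hints_from_names(p.name for p in directory.iterdir())

def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE for testing; not a loadable image."""
    dir_off = 112 if pe32plus else 96
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dir_off - 4, 16)                      # 16 data directories
    if dotnet:
        struct.pack_into("<II", opt, dir_off + 14 * 8, 0x2008, 72)    # fake CLR header RVA/size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt)
```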

C#

DnSpyEx

Github Page

The continuation of DnSpy. A GUI focused C# decompiler and reassembler.

Usage Notes

When editing a more complex program, especially large inter-linked files, you are going to find more often than not that the graphical decompilation-based code editing will fail to recompile. This is because the program attempts to recompile the entire class file, which it has to do and, for obvious reasons, often can't.

What you should do instead is edit the IL instructions of the given scope and figure out the easiest way to achieve your goals with that. It will directly reassemble the file and you'll have no issues.

Compiled Code (C++, Native, etc.)

IDA Pro 9+ with Keypatch

Github Page

C++ is a truly compiled language, and the best machine code disassembler is IDA Pro. Keypatch is a reassembler plugin written for IDA that lets you directly edit assembly instructions in graph view, auto-pads with nops to fill voids, and does a bunch of other really nice stuff. Ghidra is nice too, but at the time of writing there's no point for me to look into whether it can follow my workflow.

I have a setup for all this stuff. The annoying part is getting IDA and Keypatch to find and select Python 3.10.

General Notes

You're usually going to be doing the following:

  1. Run a text search (alt+t) for something along the lines of "license" etc. You can use the program's UI to help give you contextual strings to search for.
    • Search seems to run from the currently selected address onwards, so make sure you're at the beginning of the program before running it.
  2. Explore around in graph view for code flows that produce licensed software or prevent checks from running.
  3. Change the jump logic with Keypatch.
  4. Apply changes to the input file.

Java

Recaf

Github Page

The best decompiler and bytecode editor I've come across. I've used this to successfully patch programs with extremely expensive obfuscation and anti-tamper.