HexRaysCodeXplorer: make object-oriented RE easier

Aleksandr Matrosov (@matrosov), Eugene Rodionov (@vxradius)
Slide 1: HexRaysCodeXplorer: make object-oriented RE easier
  Aleksandr Matrosov (@matrosov), Eugene Rodionov (@vxradius)

Slide 2: C++ Code Reconstruction Problems
  - Object identification
  - Type reconstruction
  - Class layout reconstruction
    - Identify constructors/destructors
    - Identify class members
    - Local/global type reconstruction
    - Associate object with exact method calls
  - RTTI reconstruction
  - Vftable reconstruction
    - Associate vftable object with exact object
  - Class hierarchy reconstruction

Slide 3: C++ Code Reconstruction: the truth is out there

Slides 4-6: An overview of the Flamer Framework
  (Diagram, repeated on three consecutive slides; component boxes: Vector<Command Executor>, Vector<Consumer>, DB_Query, ClanCmd, FileCollect, Driller, GetConfig, Munch, FileFinder, Mobile Consumer, Cmd Consumer, Vector<Task>, IDLER, CmdExec, Sniffer, Lua Consumer, Vector<DelayedTasks>, Media Consumer, Euphoria, Share Supplier, LSS Sender, Frog, Beetlejuice.)

Slide 7: HexRaysCodeXplorer

Slide 8: HexRaysCodeXplorer Features
  - Hex-Rays decompiler plugin
  - The plugin was designed to facilitate static analysis of:
    - object-oriented code
    - position-independent code
  - The plugin allows you to:
    - navigate through decompiled virtual methods
    - partially reconstruct object types

Slides 9-10: Hex-Rays Decompiler Plugin SDK
  - At the heart of the decompiler lies the ctree structure:
    - syntax tree structure
    - consists of citem_t objects
    - there are 9 maturity levels of the ctree structure

Slides 11-12: Hex-Rays Decompiler Plugin SDK
  - Type citem_t is a base class for:
    - cexpr_t – expression type
    - cinsn_t – statement type
    (Diagram: citem_t with the derived classes cexpr_t and cinsn_t.)
  - Expressions have attached type information
  - Statements include:
    - block, if, for, while, do, switch, return, goto, asm
  - Hex-Rays provides iterators for traversing the citem_t objects within the ctree structure:
    - ctree_visitor_t
    - ctree_parentee_t

Slide 13: HexRaysCodeXplorer: Gapz Position Independent Code

Slide 14: HexRaysCodeXplorer: Virtual Methods
  - IDA’s “Local Types” is used to represent the object type

Slides 15-16: HexRaysCodeXplorer: Virtual Methods
  - The Hex-Rays decompiler plugin is used to navigate through the virtual methods

Slides 17-18: HexRaysCodeXplorer: Object Type REconstruction
  - The Hex-Rays ctree structure may be used to partially reconstruct an object type based on its initialization routine (constructor)
  - Input:
    - pointer to the object instance
    - object initialization routine entry point
  - Output:
    - C structure-like object representation

Slide 19: HexRaysCodeXplorer: Object Type REconstruction
  - citem_t objects to monitor:
    - memptr
    - call (LOBYTE, etc.)
    - idx
    - memref

Slides 20-21: HexRaysCodeXplorer: Object Type REconstruction

    // reference of DWORD at offset 12 in buffer a1
    *(DWORD *)(a1 + 12) = 0xEFCDAB89;
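The object-type reconstruction that slides 17 to 21 describe (walk the constructor's ctree with a visitor, watch the expressions that touch the object pointer, and emit a C structure-like type) as an added worked example. This is not the plugin's code and it does not use the real hexrays.hpp SDK: it models a subset of cexpr_t and ctree_visitor_t (opcode names as in the SDK; the numeric values, the field layout of cexpr_t and the class field_t are assumed) so that it compiles stand-alone, and it runs over a constructed constructor body that contains the slide's own statement `*(DWORD *)(a1 + 12) = 0xEFCDAB89;`. Of the items slide 19 lists, it handles memptr and the cast-and-dereference form; idx and memref are left out. type_reconstructor_t, reconstruct_sample and the field_N/vftable naming are this example's own.

```cpp
// Added example: a cut-down stand-in for the Hex-Rays ctree (NOT the real hexrays.hpp
// SDK), with just enough of cexpr_t and ctree_visitor_t to walk a constructor body.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>
// Subset of the SDK's expression opcodes (SDK names; numeric values assumed).
enum ctype_t { cot_asg, cot_ptr, cot_cast, cot_add, cot_num, cot_var, cot_obj, cot_memptr };
struct cexpr_t {               // model of cexpr_t: opcode, type size, operands
    ctype_t op;
    int size = 0;              // byte size of the accessed type (cot_ptr / cot_memptr)
    uint64_t n = 0;            // cot_num value, cot_memptr member offset, cot_obj address
    int var_idx = -1;          // cot_var: local variable index (a1 is index 0 below)
    std::vector<cexpr_t> ops;  // x, y operands in SDK order
};
// Builders for the constructed sample tree (num / obj / var, cast / deref / memptr, asg / add).
static cexpr_t leaf(ctype_t op, uint64_t n, int var_idx = -1) { cexpr_t e{op}; e.n = n; e.var_idx = var_idx; return e; }
static cexpr_t un(ctype_t op, int size, cexpr_t x, uint64_t n = 0) {
    cexpr_t e{op}; e.size = size; e.n = n; e.ops.push_back(x); return e;
}
static cexpr_t bin(ctype_t op, cexpr_t x, cexpr_t y) {
    cexpr_t e{op}; e.ops.push_back(x); e.ops.push_back(y); return e;
}
// Model of ctree_visitor_t: depth-first walk calling visit_expr() on every node.
struct ctree_visitor_t {
    virtual ~ctree_visitor_t() = default;
    virtual int visit_expr(const cexpr_t &e) = 0;      // nonzero stops the walk
    int apply_to(const cexpr_t &e) {
        if (int r = visit_expr(e)) return r;
        for (const cexpr_t &c : e.ops) if (int r = apply_to(c)) return r;
        return 0;
    }
};
struct field_t { int size = 0; bool vtbl = false; };  // what is known about one offset
// Records every access to the object variable in these shapes:
//   *(T *)(a1 + off) = ...   cot_ptr over cot_cast over cot_add (field at off)
//   *(T *)a1 = &vtbl         global address stored at an offset: vftable pointer
//   a1->field_8              cot_memptr carrying the member offset
struct type_reconstructor_t : ctree_visitor_t {
    int obj_var; std::map<uint64_t, field_t> fields;    // a1's variable index; offset -> field
    explicit type_reconstructor_t(int v) : obj_var(v) {}
    int visit_expr(const cexpr_t &e) override {
        uint64_t off;
        if (e.op == cot_ptr && base_offset(e.ops[0], off)) note(off, e.size, false);
        else if (e.op == cot_memptr && is_obj(e.ops[0])) note(e.n, e.size, false);
        else if (e.op == cot_asg && e.ops[0].op == cot_ptr && e.ops[1].op == cot_obj &&
                 base_offset(e.ops[0].ops[0], off)) note(off, e.ops[0].size, true);
        return 0;
    }
    bool is_obj(const cexpr_t &e) const { return e.op == cot_var && e.var_idx == obj_var; }
    // Matches `(T *)(a1 + off)`, `(T *)a1`, `a1 + off` and `a1`; yields off.
    bool base_offset(const cexpr_t &e, uint64_t &off) const {
        const cexpr_t *x = e.op == cot_cast ? &e.ops[0] : &e;
        if (is_obj(*x)) { off = 0; return true; }
        if (x->op != cot_add || !is_obj(x->ops[0]) || x->ops[1].op != cot_num) return false;
        off = x->ops[1].n; return true;
    }
    void note(uint64_t off, int size, bool vtbl) {     // widest access seen wins
        field_t &f = fields[off]; if (size > f.size) f.size = size; f.vtbl |= vtbl;
    }
    // C-structure-like output; only 1/2/4/8-byte scalars are modelled, gaps become char arrays.
    std::string to_c_struct(const std::string &name) const {
        static const char *by_size[] = {"", "BYTE", "WORD", "", "DWORD", "", "", "", "QWORD"};
        std::string out = "struct " + name + " {\n";
        uint64_t cur = 0; char buf[96];
        for (const auto &kv : fields) {
            if (kv.first > cur) {                       // bytes the constructor never touched
                std::snprintf(buf, sizeof buf, "  char gap_%llX[%llu];\n",
                              (unsigned long long)cur, (unsigned long long)(kv.first - cur));
                out += buf;
            }
            std::string decl = kv.second.vtbl ? "void **vftable" : std::string(by_size[kv.second.size]) + " field";
            std::snprintf(buf, sizeof buf, "  %s_%llX;\n", decl.c_str(), (unsigned long long)kv.first);
            out += buf; cur = kv.first + kv.second.size;
        }
        return out + "};\n";
    }
};
// Constructed constructor body (not from any real binary); a1 is variable 0:
//   *(DWORD *)a1 = &vtbl;  *(WORD *)(a1 + 4) = 1;  a1->field_8 = 0;
//   *(DWORD *)(a1 + 12) = 0xEFCDAB89;   <- the statement shown on the slide
static std::vector<cexpr_t> sample_ctor_body() {
    cexpr_t a1 = leaf(cot_var, 0, 0);
    std::vector<cexpr_t> b;
    b.push_back(bin(cot_asg, un(cot_ptr, 4, un(cot_cast, 0, a1)), leaf(cot_obj, 0x401000)));
    b.push_back(bin(cot_asg, un(cot_ptr, 2, un(cot_cast, 0, bin(cot_add, a1, leaf(cot_num, 4)))), leaf(cot_num, 1)));
    b.push_back(bin(cot_asg, un(cot_memptr, 4, a1, 8), leaf(cot_num, 0)));
    b.push_back(bin(cot_asg, un(cot_ptr, 4, un(cot_cast, 0, bin(cot_add, a1, leaf(cot_num, 12)))), leaf(cot_num, 0xEFCDAB89)));
    return b;
}
// Walks the sample body and returns the reconstructed struct text.
std::string reconstruct_sample() {
    type_reconstructor_t tr(0);
    for (const cexpr_t &stmt : sample_ctor_body()) tr.apply_to(stmt);
    return tr.to_c_struct("obj_t");
}
int main() { std::printf("%s", reconstruct_sample().c_str()); return 0; }
```

Run as is, it prints a struct with `void **vftable_0` (offset 0 receives a global address, which is how the vftable slot is told apart from a plain integer), `WORD field_4`, a two-byte `gap_6` the constructor never wrote, `DWORD field_8` from the memptr access and `DWORD field_C` from the slide's statement. Against the real SDK the same visitor would derive from ctree_visitor_t and read `x`, `y`, `m`, `n` and `type` from the genuine cexpr_t instead of this model's fields.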
Slide 22: HexRaysCodeXplorer 1.1 [ZeroNights Edition]
  - Type Reconstruction:
    - reconstruct type into IDA local types
    - bugfixes =)
  - ObjectExplorer:
    - Auto structures for VTBL
    - Click on VTBL and jump to code
    - ObjectExplorer hints for VTBL

Slide 23: NO TIME for DEMO

Slide 24: Thank you for your attention!
  Eugene Rodionov (@vxradius), Aleksandr Matrosov (@matrosov)