Welcome to Malware Analysis For Hedgehogs. Today I want to look at four disassemblers and decompilers. As you may know, disassemblers are the most commonly used tool for reverse engineers and malware analysts, apart from hex editors. The reason I wanted to look into them is that for quite some time I was thinking about which disassembler or decompiler I should use to analyze, or showcase the analysis of, native files. Now, I'm only used to IDA Pro from work, so I could have used that one, but then most people would not be able to afford it, so that's the reason I decided against it. And I never got around to trying the other three disassemblers for this purpose. So now I did that and checked four of them. One of them is also IDA Free; IDA has a free version with stripped functionality. And I checked Cutter, I checked Ghidra, and I checked Binary Ninja. Now, Binary Ninja is not free, but if you are a student it is pretty much affordable, so it should be an option. If you're not a student, I think it's still a bit too expensive for this kind of purpose, but not so much that you cannot pay it.

Okay, let's start with Binary Ninja first, because why not. And this sample, that's a very old, apparently an old, malware. It's just a random sample that I grabbed from VirusTotal, searching for "ransom" in the engine detection. So that's the first one I got, and then I checked those tools with the sample. Right, so let's open this one. Now I can tell you right away, with Binary Ninja the thing that I like the most is that I had really no trouble knowing how to use it. Mainly, the first thing is it uses similar shortcuts to IDA Pro, so I can press spacebar to switch between the linear and the graph view. And most of the menus are really, really easy to understand; navigation is easy, finding things is easy, everything is kind of logical. But it also has not as many features as IDA Pro, so there's not as much stuff to hide in submenus. But in general it really feels good to use it; it's quite neat. The whole look and feel, I think, is the best of all the disassemblers and decompilers that I tried. So now on this file here you can see it has some... and there should be a triage view. Let's check this, Triage Summary. Yeah, here it is. So that's the summary information, with some imports and exports (I'll get rid of the console). And you can see here that there are some ordinal imports from MFC42. Now, I checked the library actually, and it's a pretty big library, and it exports only by ordinal. What does it mean? It means that I don't have the information on which functions are called here, which is a bummer, because you need to know this to reverse the file. So you kind of need to get the info from somewhere. And when I checked the sample in IDA Pro, it was able to identify all of that. So this isn't the case here. And I ended up using... or, you can write scripts for Binary Ninja in Python, and I ended up adding the Snippets plugin for it. There's a really cool plugin manager, again very easy to use: you just choose your plugin, right-click, install, and it's done. And with the snippets, let's check this one, there's a snippet editor. The snippet editor is not as good. It's buggy. I had messed-up highlighting in between. And also what happened in between was: I wrote something here, I checked my browser, clicked in here, and then everything I wrote in the meantime was gone. Generally it asks you if you want to save it, but it kind of did not recognize that it should ask me if I want to save it after, you know, clicking outside of the window into another program first. So that was a bit... yeah, the snippet editor is not the best. But they have good support; they have a Slack channel, you can hop on the Slack channel and ask there for support.

You can get a lot of snippets by executing this script. When I executed it, yes, it filled my snippet folder with Python snippets, and you can use them to see how things work in general with calling their API via Python. So this is the snippet I wrote to rename all of the symbols. I used the MFC42 .sdb.txt file from Cutter, from rizin (I'm not sure how to pronounce it in English). I grabbed their database of the ordinals and the functions. So that's what I did, and I applied this. So you can see all of the snippets; you can just grab what you need and modify them as you wish. And I think with this as a basis it's pretty easy to write some code to modify or automate some things you need. I did it here with renaming the ordinal exports. So, okay, let's close this. Let's check it. It didn't run. Okay, let's run the snippet again. Yeah, now we got it. And now it's more clear what this code does. So let's go back to the graph. Okay, that is the main function right here. And now, there's one thing that's special about Binary Ninja, and that is the intermediate... like, the decompiler has several levels you can use, and even more advanced levels. Let's check this in linear mode. Now, this is the disassembly, you know this. Then there is Low Level IL; that's what Low Level looks like. We have Medium Level IL, so it gets smaller and smaller. You get High Level IL. And then pseudo C. So if you are more used to seeing C, then this would probably be the choice. And then there are some other forms that are more... I'm not sure what they do differently. But when I use this, I actually never chose the medium and low level, because when I'm not sure about the high level, I look at the disassembly. But I'm not sure, maybe it's just because I'm used to having only a high level decompiler and the disassembly in IDA Pro. So that's just the way I work. And maybe there's some use case for that; otherwise it wouldn't be there. It's kind of neat, I kind of like this, but I'm not sure how useful it is.

So, one thing that I noticed is you have calls here, and although it knows the arguments when you check the high level, it does not tell you that in the comments. It would be nice to see here in the comment which argument this is. So I usually have to switch, or make the split view, to see this. Let's actually do that with the split view. So we can see here the high level, and here we keep the disassembly. So if you look at it side by side, you can see what the arguments are for the functions. But you don't see it here in the disassembly; you would need to figure it out by knowing the calling conventions. So that would be nice to have. And I guess there might be a plugin that does it, I'm not sure, but that's something I miss. Now, if you check this function below, there's a call to stat, and stat returns a struct with several timing information. So what it actually does is it returns the size. I'm going to show you now how it looks in comparison in IDA Free, so you know what I mean. Let's check out IDA Free. So, New, and we open that one. IDA Free already tells me it found the signature for MFC42. Now, IDA Pro was able to resolve those ordinals that you saw before; IDA Free is not. It seems that it does not ship with the signatures to do that, which is a bummer. So again we are left with ordinals without meaning. So let's check the call we went into. What did happen right now? "Failed to display graph mode." Let's get back to main. IDA recognizes main; the other one didn't. Also, why does this happen? That is really odd. I cannot assume... did I press something? That is really odd. I just clicked here. I did not click on the mode button. No, that is something else. This string was not visible in Binary Ninja. Now we call fopen with this data, and there's no indication of what this data might be. So I actually need to click, and then I see, okay, it's this, and I need to change the type to a C string. And now it shows up as the string "rb". Okay, something is wrong here, but that usually doesn't happen. Okay, here IDA immediately recognizes and adds a comment that this is a string. So one step less. And if I check now the sub function, you see it adds in the comments all the arguments, so you know what this actually is here. And if you go into this, you see there is a struct, and it returns a size. It returns the size of a file that is being given as an argument. So let's name this get_size, right? This is something you do not see in here; it doesn't recognize this. Where is it here? And you will see IDA is actually the only one that recognizes this struct, so it has the type for it. All right, so that's so much for Binary Ninja. Let's try another one.

Okay, then Cutter. Cutter, from the look and feel, is I think the most similar to Binary Ninja. Cutter is free, so you pay nothing, nada. So let's open this file. All right, now we're going to wait a bit for the auto analysis. So here is Cutter. Now, Cutter also does not recognize the main function. We start at the entry, and we need to go from the bottom up to find the main function, which is this one. As you can see, the decompiler is a little bit more low level than the others, so it's a bit harder to understand or see what it does from here. Now you can change this to the Ghidra decompiler; Ghidra has a good decompiler. But the disadvantage here is you cannot rename any variables. There is no support for that yet. What happened? So this is not possible. I really like beautifying the code, and the fact that I'm not able to do this is a bit of a bummer for me. I can do this with the other one, the one that's not so beautiful; that is possible. A good thing is, here you actually get the comments on the parameters. And the next good thing is you get the actual names of the functions. So in this case Cutter was the only free disassembler that was able to do that. But it's not perfect. Compared to IDA Pro: IDA Pro actually told me which operator is used here. Cutter does not tell me what kind of... no, I think that's a constructor. It does not tell me what kind of operator this is, in here as well. So that's the only thing you need to guess or find out in a different way. So that's missing. But it's the only free one that actually provides these. I also want to mention this one was the most buggy disassembler while I tried it. It crashed one time, and one time the windows got messed up, and it suddenly... I don't know how to explain it, but the windows really got messed up, it was buggy, and I needed to restart it to fix it. And these were bugs that were not reproducible for me, so it's hard to write a bug report on them. And then this thing with the decompiler. I am actually not sure which one I like the most of the three. I'm still not sure.

So let's check Ghidra now. Ghidra: first of all, I personally do not like the look and feel so much. It feels kind of difficult to use. Then, it probably has the most features, I'm not sure. There's a lot you can configure and change in the menus, and stuff is buried in the menus. So this is more difficult to get into, but I guess it also has advantages if you can change a lot. The first challenge was: how do I open a file in this? I have to create a project first, and then I have to add a file somehow. But I guess once you get used to it, it's fine. Also, the installation of Ghidra wasn't so straightforward, because you need to install the JDK, the Java development toolkit, but the one that they linked on their installation instructions page was too old, so Ghidra refused to work with it. And the error message was like, oh, there's no path variable set, although I did set the path variable to the JDK. So it wasn't clear what the cause was. It took some time to figure out how to actually install Ghidra, because it was actually the wrong version on their website's installation instructions. So here we go... what happened? Ah, now I got the sample in my project and I can click on it. Okay. Ghidra now takes its sweet time to analyze. So yes, that's analyzed. All right. What I like about Ghidra is the decompiler. And I think we still need to wait a little. No function; I need to go to some function. Let's find the entry point. Let's go to this place. Also, it wasn't immediately clear to me how to use it. I guess it's just too different from IDA Pro. That doesn't mean it's bad; it's just more different than the others. I think the others more or less use the same shortcuts as IDA Pro, and here I didn't immediately get to do the things that I want to do, so it took some time to figure out. That is the main function. Right. Can I rename it? Not this way. Function, Edit Label. Oh, that's how I rename it. Okay. Bam. So we are here again. Let's check. You see, in this case, because it's the Ghidra decompiler... but in Cutter there's no support to rename variables, and in this case you can do that. You can rename it to value... I don't know what to write. result_value. Yeah, okay. Ghidra also does not recognize the ordinals. And it doesn't even... oh yeah, it does tell me where it comes from, from MFC42. But again, the only one that was able to recognize it was Cutter. So let's try to find this function. The function should be this one. It is a little bit confusing with the colors, I think. All right. The one where we get back the size is also not recognized. We call stat, but it's not recognized that this is the size that is being returned, because it doesn't know the struct that's behind it. So this is our get_size function right here. So that's Ghidra. Oh, and by the way, I changed the theme, so this is not the default theme; this is inverted colors. The default theme, I think you have seen Ghidra before, is bright, and with the inverted colors I have some trouble with the menu above here. I think there are more themes that look a bit better if you like dark mode, so you can apply other ones. But in general this is not my taste of how it looks.

Okay, so in the end, what would I prefer? I'm still not sure. I have no idea. They all have their pros and cons. I really like that with Ghidra I can beautify the code. Same with Binary Ninja, but Binary Ninja is probably still not affordable for many people, so this is probably not an option. I'm not sure. IDA Free, I will not use that one, because every time I use it I'm sad about all the functions that are not there, because at work I have IDA Pro, and it makes me sad to use it. So I'm not sure. I'm also not sure what to recommend to you. If you're looking for something, I don't know, try them all. Try the free ones and see what you like best. I heard of several approaches. Some people even use several of these at once: they check the disassembly in IDA Free and the decompilation in Ghidra, and combine the two. But in the end it's just a tool, and I'm not sure what I will use in the future. Maybe I will switch between tools. I might just do that. It doesn't hurt. Happy reversing.
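As an added example (not the snippet from the video, and not Binary Ninja's or rizin's own code): a small Python script in the spirit of the ordinal-renaming snippet described above. It parses an ordinal database in the rizin/radare2 `ordinal=name` line style (that format, the `Ordinal_<n>` / `#<n>` placeholder names for unresolved imports, and the Binary Ninja API usage in `rename_ordinal_imports` are all assumptions; the sample database entries are constructed) and maps placeholder import names to real export names.

```python
import re
from typing import Dict, Optional

# Constructed sample in the assumed rizin/radare2 "ordinal=name" style.
# These entries are made up for the example, not copied from the real file.
SAMPLE_ORDINAL_DB = """\
# mfc42 ordinal database (constructed sample, not the real file)
1234=?GetDocument@CView@@QBEPAVCDocument@@XZ
2514=??0CString@@QAE@XZ
5163=?Open@CFile@@UAEHPBDIPAVCFileException@@@Z
"""

# Assumed shapes of an unresolved ordinal import name: "Ordinal_1234" or "...#1234".
_ORDINAL_IMPORT = re.compile(r"(?:Ordinal_|#)(\d+)$")


def parse_ordinal_db(text: str) -> Dict[int, str]:
    """Parse 'ordinal=name' lines; blank lines, '#' comments and junk are skipped."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        ordinal, name = line.split("=", 1)
        if ordinal.strip().isdigit() and name.strip():
            table[int(ordinal)] = name.strip()
    return table


def resolve_import_name(symbol_name: str, table: Dict[int, str]) -> Optional[str]:
    """Map a placeholder like 'Ordinal_1234' to its export name, or None if unknown."""
    m = _ORDINAL_IMPORT.search(symbol_name)
    if not m:
        return None
    return table.get(int(m.group(1)))


def rename_ordinal_imports(bv, table: Dict[int, str]) -> int:
    """Apply the table inside Binary Ninja (assumed API usage; only runs there)."""
    from binaryninja import Symbol, SymbolType  # imported lazily: not available outside Binary Ninja
    renamed = 0
    for sym in bv.get_symbols():
        if sym.type not in (SymbolType.ImportAddressSymbol, SymbolType.ImportedFunctionSymbol):
            continue
        new_name = resolve_import_name(sym.name, table)
        if new_name:
            # Redefining the symbol at the same address with a new name renames the import.
            bv.define_user_symbol(Symbol(sym.type, sym.address, new_name))
            renamed += 1
    return renamed
```

Inside Binary Ninja the snippet would read the real ordinal file into `parse_ordinal_db` and call `rename_ordinal_imports(bv, table)`; the two pure functions can be checked outside it.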