
<- .tools ->

drawing by Lee John Phillips

Static Analysis vs Dynamic Analysis

  • Static analysis refers to analyzing a binary without running it, whereas dynamic analysis refers to analyzing a binary BY running it. These two ideas can be further categorized into manual or automated analysis. Manual static/dynamic analysis involves human interaction throughout the reversing process. Examples of manual analysis to understand program behavior include studying the assembly listings from a disassembler (e.g. IDA) or executing the binary and inspecting the state of its memory and registers at different execution points with the help of a debugger (e.g. GDB). Automated static/dynamic analysis doesn't mean that human interaction is not required. An automated analysis tool still requires a human to set up/script the tool (e.g. a DBI framework like Intel Pin). What's automated is the execution of the tool to discover points of interest (e.g. a buffer overflow).
  • In terms of automation, static analysis techniques such as symbolic execution are associated with soundness, meaning that they don't result in false negatives (failing to identify something as a point of interest when it is one). Although it is more sound, it is also more prone to false positives, since it is hard to model with 100% accuracy a binary's interactions with its intended environment without executing it. Furthermore, we often have to sacrifice some soundness for static analysis to be practical, since modeling a whole program is infeasible due to the amount of data that needs to be kept track of. On the other hand, dynamic analysis such as fuzzing is associated with completeness, meaning that it doesn't result in false positives (identifying something as a point of interest when it is not). For example, every single crash a fuzzer finds is a real and reproducible crash. The tradeoff here is that a fuzzer is less sound, since it reasons in terms of a single path at a time; it's very unlikely that a fuzzer will hit all execution paths that lead to a crash by providing it with random inputs. To mitigate the drawbacks of static and dynamic analysis, they are often used together (e.g. concolic execution).
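The soundness/completeness trade-off above, shown on a constructed toy target (added example, not part of the original RERM notes): a crash is guarded by a 4-byte magic value, so blind random fuzzing almost never reaches it, while a minimal concolic loop that records the comparisons taken on one concrete run and flips the first diverging one reaches the crash in a handful of iterations. The `Tracer`, `target`, `fuzz` and `concolic` names are this example's own.

```python
"""Toy fuzzing vs. concolic execution on a constructed 4-byte magic check."""
import random

# Constructed target: the only crashing path requires these exact four bytes.
MAGIC = b"RERM"


class Tracer:
    """Records each byte comparison the target makes as (index, expected, taken)."""

    def __init__(self):
        self.trace = []

    def eq(self, data, i, expected):
        taken = data[i] == expected
        self.trace.append((i, expected, taken))
        return taken


def target(data, tracer=None):
    """Toy program: a chain of byte checks guards a crash on a single path."""
    t = tracer or Tracer()
    for i, expected in enumerate(MAGIC):
        if not t.eq(data, i, expected):
            return "ok"          # benign path: some check failed
    raise RuntimeError("crash")  # the one path we want to discover


def fuzz(trials, seed=0):
    """Random fuzzing: every crash found is real, but a 1-in-2^32 path is
    rarely hit. Returns the trial number of the first crash, or None."""
    rng = random.Random(seed)
    for n in range(1, trials + 1):
        data = bytes(rng.randrange(256) for _ in range(len(MAGIC)))
        try:
            target(data)
        except RuntimeError:
            return n
    return None


def concolic(max_iters=16):
    """Concolic loop: run concretely, read the recorded path constraints, and
    negate the comparison that diverted us so the next run goes one branch
    deeper. Returns (iterations, crashing_input) or None."""
    data = bytearray(len(MAGIC))
    for n in range(1, max_iters + 1):
        t = Tracer()
        try:
            target(bytes(data), t)
        except RuntimeError:
            return n, bytes(data)
        i, expected, _taken = t.trace[-1]  # last comparison is the untaken one
        data[i] = expected                 # solve the flipped constraint
    return None
```

With 10,000 random trials the fuzzer finds nothing, whereas the concolic loop needs one run per guarded byte plus the crashing run.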

Static Analysis Is King

  • When reversing a binary, you most likely don't need to reverse every little detail of it to reach your goal. Initial triage efforts using various static analysis (e.g. strings), dynamic analysis, and/or automation tools will help you identify points of interest to start reversing from. Some of those tools may also be run throughout the reversing process to confirm a particular suspicion or to assist with deobfuscation, but either way, you will be spending the majority of your time inside a disassembler. As a result, at least know how to use a disassembler well.

Be Cautious...

section overview

further readings

  • Free Reverse Engineering Tools by Wiremask: list of relevant (still maintained) and free reverse engineering tools
  • IDA Alternatives: there is no disassembler that rivals IDA, but getting an IDA license costs a fortune. Personally, for alternatives, I would recommend Binary Ninja since it only costs 150 dollars and has an interactive GUI interface like IDA, or Radare2 if you don't mind working in the command-line and spending a little more time learning how to use the tool. Plus, Radare2 is free.
    • 2019 update: now there's also Ghidra!
  • Tips and Tricks: IDA, Ghidra, Binary Ninja, and Radare2

.general <- RERM -> .instruction-sets