
Good morning, all of you. May I have your attention, please? Yeah, so, may I have your attention, please? Good morning, and welcome to BSides 2019. We have Chris; he's a former UTSA student, and I met him at a CSA event. I know him personally and he's really good. He has a YouTube channel online where you can watch reverse engineering and various malware tutorials. Today he's going to be presenting on reverse engineering with Ghidra, and I'm sure it's going to be a great presentation. Before moving forward, I would like to introduce the sponsors for the BSides event. Gold level sponsors: St. Mary's University, USAA, Trend Micro,
Digital Defense. Silver level sponsors are the National Security Agency, X abhi, Accenture Federal Services, Open Security. Titanium level: CyberSecJobs, Denim Group, LMO, Landmark Solutions. So thank you all for being here and being a part of this presentation. Chris will now continue. Thank you.
One moment here. I have some stickers over here; if people want them, I'll leave them right here. Come see me at the end and I have some more stickers. All right, so this is going to be my talk: it's an introduction to reverse engineering with Ghidra. But first, a little bit about me. I'm a UTSA alumnus; I used to give talks at CSA and that type of thing, so some people may have seen me before. I am a cyber software engineer at Raytheon CODEX. I think my business card actually says I'm a "cyber Sam", but we'll disregard that for now. I like to do crypto, reverse engineering and that type of stuff for CTFs and things like
that. I'm on a CTF team called NASA Rejects. So what is reverse engineering? I think many people might see this in the form of malware analysis, or maybe a reverse engineering tool for a class or something like that, but in its essence, what exactly are you doing when you're reverse engineering? For this talk we're going to focus on binary reverse engineering, although I do have an Android APK that I'm going to show you that Ghidra can interact with, but that's more just for show; mostly we're going to be focusing on binaries and so on. It's generally taking some type of compiled code, ASM and stuff like that, and bringing it up to a higher level. So
for the most part, in Ghidra you're going to see assembly on one pane and then some type of C-like syntax on the right-hand side. So, a show of hands, just to get a little consensus: who's used Ghidra here before? All right, tough crowd, tough crowd. How many people use C or know C? A good amount, okay, good, good. Going on to other reverse engineering tools: how many people use IDA? Good amount. Binary Ninja? Good amount. Radare? And the people who raised their hand for Radare, please leave. So, back to the talk. Most of the time you see it for malware, CTFs, there is VR, which is vulnerability
research in this context, not virtual reality. And there are many other use cases; you might see some private firmware reverse engineering and other companies' stuff for various reasons, but for the most part: malware reverse engineering, VR and that type of thing, CTFs. So now we're going to talk a little bit about static analysis. Ghidra is not a dynamic tool; at its current release it does not have anything to do dynamic analysis per se, so it doesn't have a debugger attached, although from what I've heard they are planning to release one, or at least that's what I've heard from people on Twitter. So, yeah, the focus of this talk is going to be static
analysis, but generally reverse engineering can be broken down into static and dynamic analysis: dynamic being that you're actually executing the binary, or maybe you're emulating it, and you have some way to interact to see what the results are from various instructions and so on; static being just looking right at the assembly, or maybe a decompiled C-like syntax. Disassembling is usually taking bytecode and bringing it back up to assembly. So when you execute a binary, be it an ELF or an MZ or something like that, it generally has a bunch of ones and zeros and opcodes that your computer is going to interpret, so this is just bringing that bytecode back to
assembly, or, in the case of Java apps, taking Dex bytecode and bringing it back to Java syntax. And then you can go on to decompilation. That's usually to an IL, which is an intermediate language; it's a step before you get to a C-like syntax, or if you're using Binary Ninja, all of their representations are some form of IL. So it's just a way of abstracting the assembly to try to make it more understandable and give it some type of flow control or flow analysis. So what is Ghidra? From the, I think it's the ghidra-sre website, they give you a way of how to say it: it's "GEE-druh". I know some people
say "GUY-druh"; I honestly don't care what you say, but that is apparently their official way of saying it. So it's a software reverse engineering tool with version management and decompilers. The version management is interesting. I'm assuming a bunch of people here have used git, right? So you have a way of tracking binaries and either committing them locally or submitting them up to a server in order to go back. Say that you are doing a reverse engineering task and you want to document this binary, and let's say you're sharing this reverse engineering task across a team of 20 or 30 people. Someone can commit the changes they've made back up to a server; another
person can go in and see what types of things they've added; they can merge it in, or they can deny it, and so on. So it actually adds some very powerful features and has been useful for CTFs and also for group reverse engineering at companies. They have a repo on GitHub where they have active contributors, and you see people actually fixing bugs and so on. You also have people who, I want to say, are just looking for bugs in Ghidra just to look for bugs in Ghidra. There have been some good CVEs that I've noticed, but I think the first one that somebody was trying to talk about was a bug: I think, by
default, when it was first released, it had a debug port that was open; well, only when run in debug mode, it had a debug port open to which you could connect and send arbitrary stuff to it. But how many people use debug mode? And then also the issue was that it listened on 0.0.0.0 instead of the local interface or something like that, I don't know. But I was really "happy" about this first blood on Ghidra; I thought it was kind of lame. But some other people have found bugs where, in the parsing of the actual blob that it gives you, you can have ways of manipulating their database so they get
code to show, and so I thought those were pretty cool. And then also it is multi-platform, so it runs on Linux, OS X, Windows, etc. So, yes.
I'll let them talk about that. Personally, I have only used Ghidra since the public release. Somebody's trying to find the feds in the room. Also, can everybody in the back hear me okay? Sorry, I didn't really check. Sweet, okay. So the question that was just asked was if anybody had used Ghidra prior to the public release, and I don't think anybody raised their hands. All right, so going on to supported architectures. We see Rob Joyce, who is the person who I believe was fighting to get Ghidra released, but also gave the talk at RSA that initially released Ghidra to the public. We see a lot of different architectures. Yeah, so we see a ton of
architectures, some of them very interesting ones that aren't available in other decompilers, like MIPS for instance. IDA does not have a MIPS decompiler as of yet, so this is one thing that made MIPS reversing a little bit easier. I recall from a time when we were at DEF CON CTF last year, in 2018, everybody wanted to shoot themselves because they were working with a MIPS binary and nobody likes reading MIPS. Yep. So they have a ton of different architectures, and also it's pretty extendable. The decompilers are now open source; I believe as of 9.0.2 they are open source, so now you can go and see the C code that does the
decompiling. Just recently, in May, they released 9.0.4, which we'll talk about.
Also, feel free to stop me if anybody has any questions or anything like that. So this is how you get access to Ghidra: ghidra-sre.org gives you a download, and then you can also compile from source from the Ghidra repo on GitHub. And notice that if you try to do a quick GitHub search for... hey, wait, it's not the right one. All right, there we go. If you try to do a quick search for "backdoor" in the GitHub repo, you can't find any. So, yeah, at the current time of the screenshot, which was probably around April sometime, maybe, you had 241 open issues, 28 pull requests, and a lot of people watching, 15,550 stars
and so on. So it seems like it's garnered a lot of interest, and I mean, for decompilers that are open source there haven't really been any good ones so far. I qualify "good" as: there hasn't been much that could compete with some of the other paid options. So Ghidra has definitely added a lot of features that are very nice and also opened the world to more competition, as we'll get into a little bit later. So what's inside the box? When you download Ghidra off of ghidra-sre.org you get a zip that you'll go through and unzip, and it has a bunch of different documents in there. If you're running on Linux or OS
X you're going to use ghidraRun; otherwise you have ghidraRun.bat for Windows, and that just starts up the Ghidra interface, and we'll go through a little bit about that. But going into some of the other things: we have docs. They actually have a Ghidra class going through advanced, intermediate and beginner steps, PowerPoints for what they do have as internal training for people on Ghidra. Those are actually really powerful, they're really interesting; I would recommend anybody who wants to get into Ghidra skim through those a little bit to at least learn some quick tidbits. They have some HTML stuff, like a cheat sheet, a changelog; they also have
all of their Javadocs. They have all the UI written in Java, so they have Javadocs for all of that as well. So pretty much everything that you see when you're trying to modify or edit Ghidra for something is actually very well documented, so that's something that's really nice. I already kind of talked about Ghidra trainings. There's also a tool that will convert your IDA databases. So let's say you've done a lot of work, maybe you're vendor locked in to IDA, some would say, where you have these databases; you've spent months and months of research modifying this database and so on. Why would they switch to Ghidra? So they actually have a thing that works very
well for converting your IDA database into a Ghidra database, so I thought that was pretty cool. All right, so getting started with Ghidra. Once you run that ghidraRun, either the script or the .bat, you're going to get a little pop-up that looks like this, and you have to create an active project; we'll go through a little bit of that in the demo later. From there you add the different binaries that you want to add. Something cool that makes it really nice: those of you who have used IDA, are you familiar with FLIRT signatures? Anybody familiar with FLIRT signatures? Okay, so FLIRT signatures are signatures that you can apply to different shared
objects. So if you have a libc that's not current on your machine or something like that, or you have a bunch of different other shared objects, for libraries for instance, that the binary had, and you want to include those things, usually you had to run a FLIRT signature across it to get those loaded into the binary, to be able to see what functions are in that library that are also used inside of your binary. Ghidra just allows you to import the shared object, and it will automatically try to figure out which things are available in the shared objects that you have loaded, which is actually really useful and I have really enjoyed. But generally,
when you try to open something... so I was using my Mac for this, so we have a Mach-O format, just an x86 binary. To load things you'll press I, but we'll go through that a little bit more; or you can go to File, Import. Then into the automated analysis: when you first open a binary you get a screen that says some weird stuff, saying do you want to run this analysis, and it's going to have stuff that is already checked and then give you an option to check something. I have read through a lot of these, and for your defaults it's fine. There's one of
them that you want to go through and do the analysis afterwards, but then there are a lot of them that are red: some of them are prototypes that may not work, other ones may take a long time. And usually the ones that take a long time, I'm like, I'm willing to invest the time, so I just click them. But we can go through some of these options as well, and if you just hover over any of these options it actually gives you a nice description of what they do. All right, so another thing: it's not, I believe, immediately opened on a new session, but I could be wrong, maybe it changed in the
newest version, but graph view is another option that you have inside of Ghidra that is very nice. Anybody who's used IDA probably lives in the graph view for the most part, probably uses the decompiler for certain things, but generally it's trying to go through the flow control, figure out where things are going, and living in the graph view. I've noticed that the workflow with Ghidra is a little bit different; I don't spend as much time in graph view as I might have in IDA, which has its pros and cons. And also server collaboration. As I was mentioning before, you can set up a Ghidra server, and in the download that you have when you download Ghidra from ghidra-sre.org, you get some stuff you can run to maintain a server for Ghidra, which allows you to push up your Ghidra databases to that server and allows you to collaborate with other people. For our CTF team we have someone who has set up a Ghidra server, and we use that to analyze some of our binaries when we're trying to collaborate and work on a challenge. Note that that's not great for every CTF, because sometimes you get a lot of binaries and the binaries are a little bit easier, so you may not want to do this much collaboration, but for things like DEF CON quals, where we're spending a lot of time reversing them,
and also Google CTF coming up, and generally for harder challenges where you need a lot of people and a lot of time, it's actually pretty useful. Some useful features that we can talk about: you have themes. I've actually personally had a difficult time finding a theme that I like. There's a pseudo dark mode that you can use, which I believe you go to Metal and then you invert the colors, and it gives you a pseudo dark mode, but it also makes everything else kind of illegible, so still working on that. I know some people have published some open source Solarized dark themes and stuff like that, but there's no... I'm
forgetting the name of the repo, but there's a "tonight.a" themes repo which gives you tons of themes; there isn't one for Ghidra as of yet. Oh yeah, so we talked a little bit about xrefs and function call trees. It's a little bit different: you don't just press, I believe, X like in IDA to go to the xrefs; you have to... I don't think there is a button here to get the xrefs; usually they're located on the disassembly view, or you can click a button, and one of the UI features we'll talk about is navigating the symbol tree. So the symbol tree is this box over here; I probably use this a lot more with
Ghidra than I would with IDA navigating the graph view, but this gives you access to see what things are imported, what things are exported, different functions that you have, labels, classes, namespaces. We'll go through that a little bit when we do the demos. And then "Mahdi" is just something to remind me to show you one of the weird features that it has. So now for useful plugins: there's Dragon Dance, which is kind of similar to Lighthouse for IDA, and it's used to visualize, manipulate and get addresses of the areas that have been visited and so on, so very useful for code coverage. Lighthouse is very useful; I believe that one's written by
Markus; I always have trouble saying his last name, it's Gaasedelen or something. Then you have the Ghidra community gist, which I thought was pretty interesting; it lists a bunch of plugins, CPU extensions that people have written and so on. And then you have Daenerys, which... so we talked about having an IDB-to-Ghidra database conversion, and this converts your IDA scripts, which a lot of people have, IDAPython scripts that they care about, and also kind of interops them into IDA, so now you can convert and run your Ghidra scripts in IDA and run your IDA scripts in Ghidra, whatever. That was legal. Now it's demo time.
One second, got to figure out how to get all of my OS X screens to go to the right place. Anybody have any questions in the meantime, while I am getting this rolling? So you can definitely load a kernel into... so if you want to load the Linux kernel, for instance, or the Windows kernel into Ghidra, that definitely works, but you're not able to do the debugging aspect. Although I wouldn't say that you would necessarily use IDA for the debugging aspect of that as well. So IDA does have a debugger; this is my personal view, but the IDA debugger is pretty awful. So normally for doing Windows debugging, for instance,
especially if you're trying to debug the Windows kernel, WinDbg is probably going to be the best. But there are plugins to integrate IDA with WinDbg, and I believe there are new plugins now to integrate Ghidra to sync the view that you have on the Ghidra page, like where you are in the graph view or in the decompiled view or in the disassembly, to the execution order or to the instruction that's being executed in the binary. Does that answer your question? Sorry, that was a little bit of a mouthful, but okay.
Let's see, this is going to be fun.
All right, sweet. Actually, let's see... okay, that works a little bit better. All right, so now we have Ghidra open. Notice that we don't have an active project, so we'll create a new project here. And now I have no idea what's going on, so I would go back and run Ghidra.
All right, so now you're getting the option of a shared project or non-shared. Shared is going to be if you have a Ghidra server that is up and running. To name the project, we'll name it "test" with a bunch of random T's so I don't overwrite my other test suite. So now we're going to upload a binary. This is a little scrunched up because of the new layout, so let me organize these real quick. Okay, so over here on my desktop I have three different binaries with source that I want to go through, and then I have an APK that I wanted to look at, as well as a MIPS binary that we worked on from
DEF CON CTF last year, and also a recent meme that I wanted to show you. So I believe I talked about it, but Ghidra has an undo feature, so when you, for instance, make a mistake in modifying something, you can hit Ctrl-Z or undo and undo some of the things. Note that this is not something that you're able to do with IDA, and you could horrendously mess up an IDA database just by messing up something, and there was no undo. So a lot of people would have to take snapshots of their databases constantly, or if they messed up something, would have to go back and start from scratch or deal with it or something like that. So
undo is a nice feature, but it looks like IDA is going to be adding an undo in IDA 7.3, so I thought that was pretty interesting. Also Ghidra throwing shade on Twitter, telling them that's a cool feature.
All right, so let's see, we're going through hello world first. Going back to that interface I was telling you about, so we have these... why do I have so many things open? Here we go. So, yeah, we have that interface, we'll just hit OK. There's really nothing in here that you'd want to do, unless you were trying to load a binary that has the same name. So for instance, you had binaries that were different versions, so you had a version 1.0, 1.1, 1.2 or something like that, you had different versions of it and you wanted to diff them. For that you would want to rename the program names, like 1, 2
or something like that, to differentiate based on name, and then you could just diff them as normal. One thing that I've noticed as well: say that you are trying to reverse engineer something that does have multiple versions, and that thing also has a ton of shared objects. You might have a bad time if the shared objects have differences, so you might want to create a new project for each different version if you have different shared objects and stuff like that. So it's not like IDA where we can just have a database and apply FLIRT symbols for the new thing; you have to create a new project. Just a little caveat. So
we see here that we get a lot of information; it just gives you a bunch of information about the binary. Down here, if you had shared objects that were found, then we could get that. Notice that over here I don't have this shared object loaded into my Ghidra instance, and so it's not able to find that reference, but that's okay for right now. So now we're going to double-click on HelloWorld. Notice we did the dragon stuff; now we're being asked to analyze the binary. So now we're going to go back to that one screen that I showed you. You see how we have a bunch of different options, like "Decompiler Parameter ID" saying this is going to take forever, so run
this afterwards. So generally I would recommend running this afterwards, and we have a bunch of them that are prototypes that I personally haven't really played with too much or haven't really run, so I'm going to just go with the default right now. Now what's happening is that it's analyzing the binary; it's a very small binary, so it's done already. Notice that we only have one function, that is the entry, and this is just a simple hello world. So we see that we have... pull this over... the assembly, and I'm not sure if many people either read or go through x86 assembly a lot, but this is pretty common, pretty easy to understand.
But if you aren't able to understand that, we have a pretty simple printf of "hello world" and then return zero. Note that we can do things like renaming this function, so this is actually my main function, for instance, so we'll rename that. It says "undefined"; we can edit the return type to be, I don't know, an int or something like that, that type of thing. So there are lots of different things that we can do with that. I will close this.
Load in a new one. Now we'll go through recursion. I'm assuming most people are familiar with what recursion is: you're calling the same function multiple times and have different if statements for where things might go through. So very similar; you get a very clear understanding of what's going on. Note that these are pretty simple binaries at first and then we kind of progressively go deeper. And again it's analyzed pretty quickly; I know a lot of people are going to be afraid that Ghidra was going to be extremely slow because the interface is written in Java. And by all means, for the graph interface, I'd also probably show you that. So, function graph: we're looking at
an undefined symbol, so we'll go to our functions; we have our entry, and if we go back we can see a little function graph here. Personally, for my workflow with Ghidra, one monitor does not cut it. You generally need either a very large monitor or two monitors, preferably, and I generally have the graph view on one monitor and then the rest on my other monitor. I think it's just a general difference in how people work at the place that this was developed; maybe everybody there has multiple monitors, so maybe they have different workflows, unlike what people may have. But generally two monitors is probably the minimum that I would recommend; otherwise you're going to be doing what I'm doing and having to click
back through, and then if you're running on Windows, for instance, you have to click over, find the window that you want, stuff like that. So generally two monitors is what I would recommend. Yeah, any questions yet on what I've done? I've kind of gone through things a little bit fast on what I'm doing, so any questions? Sweet. So right here again we have a very simple sample of just recursion, and we can go through; put the mic down real quick. Now you can see that we just have a main function and then a recursive function, and as we go over... let me pull these closer together...
you can see this is our main function, kind of noted as entry. For here I didn't right-click, I just hit L; if we go back, if we right-click, we can see that we can just hit L to rename the function. So this is going to be our main function. We have uVar1; we just called this x, so we can rename this to x and it'll go through and rename the rest of them as well. We can go down into our recursion function. Now what's going on here is a little bit more complex than we have going on over here, but this is just trying to interpret this square root over here, which looks very simple
here. When you're decompiling, it has a lot of different steps. So this is something that you deal with a lot with anything that happens math-wise when you're reverse engineering: while it may look simple when you coded it, it's going to decompile to look pretty ugly and you just kind of have to figure it out. But you see here that we're just calling a square root function on this, so we can see, yeah, okay, we're square-rooting something, we have a sub going on, and then we also call recursion again.
Now we're going to move on to a little, I guess I want to call it, more complicated example. So this is going to be an echo server, and we can pull up the code for this as well, while that loads up. Oh, okay, is this...
So remember last time I said that after you finish you might want to go through and do the Decompiler Parameter ID as a one-shot kind of afterwards. Just as I mentioned, it may take a little bit of time, but since this binary is again so small, it goes by pretty much instantaneously. All right, so
now we're back over here. Move that to the side. You see that we have, over at the top here, a bunch of different variables that are condensed down, the stack variables, and then we also have xrefs over here. Another good way to get xrefs is to hit the button here, this green downward button, and we see incoming references and outgoing calls. I know that this one really doesn't have any other functions that are calling it, so we're not really going to go anywhere, but for instance, let's say that we went to memset and then tried to look at incoming calls to that; you can see entry calls it,
and we can see where it calls it here. So if you wanted to go down and see the functions... for instance, how I like to reverse is I go from: this is the function that is being called, I know what this function does, but I may not know what this subroutine is doing. So I go from, I know what memset does, I know what malloc does, and stuff like that, so I would kind of go up from there. Some people do it a little bit differently; you can also navigate from, okay, I know the entry point of the binary and I want to navigate down to the different
calls that it goes through and stuff like that. So it really just depends on what you're looking for and what type of understanding you're trying to get to. Generally I do that for networking, because I know if I can get to recv, I know that's where my input is coming in, and I can try to look for something, like if I'm looking for a CTF, where that input is going, to see what manipulation I may have of the binary. Yeah, going back to the top here, so we see our entry. If you're not familiar with C sockets, it's fairly simple: you set the family to AF_INET, so we're saying this
is going to be IPv4; we're saying the address is going to be INADDR_ANY, and then we're doing htons, host to network s-something or other; I forget what the S stands for, but we're basically converting this from a human-readable to a network-readable address. And then here we're just listening on port seven. But we can see some of the same calls: you see that I don't actually call memset, I called bzero, but under the hood bzero is just calling memset to zero out the data inside of this local stack variable that I have. So let's go through and fix some of these things up. So
let's see, we have our char[100]; we can see that we have our string here, so just rename this to "string". Right, okay, so that's interesting. In 9.0.4 they were actually supposed to fix this, but it seems like they didn't, so let's actually go through and manually fix this. If anybody noticed, this was a character array of a hundred, and when I renamed it, it mapped it to a character array of 108, so that it ate one of the variables that were underneath it. So we just retype that to 100 and it fixes itself back up. But some of the bugs that I found when manipulating Ghidra... the 9.0.4 release notes, let's see, actually
mentioned fixing this bug, but I guess they didn't fix all of it. So, yeah: "fixed the concurrent modification exception when replacing one data type with another that results in some other data type being renamed or removed." It seems like they didn't actually fix that for my case, so I'll update that bug ticket. But that's the one thing that's nice about Ghidra: the people that are maintaining it and actively working on it have a GitHub where you can go through, you can notice bugs when you're working on something and submit issues, and a lot of times some of these things do get fixed. Yeah, so now we can go through and see some of the other stuff
that we're doing. So we see that our bind has some different stuff that's being passed; we have three variables being passed to bind. We go back and look over here, or if we just did a man of bind (actually we're looking for man 2), so bind is used to name a socket, and we see that we have three things passed in: a socket, a socket address, and an address length. So when I go through and I'm reversing, say that I don't remember the parameters that are passed to a function, I can go man the function, look up what's going on and say, okay, so I know that this is going to be the socket
that's being passed, so we'll just name this thing "socket", and we know that this is going to be a socket address, which over here I'm just calling "serv_addr" or something like that, the server address. And yes, so we just call this "server address".
and you see that we kind of like make it a little bit more readable so now we can see that because we renamed this variable that was being passed to by and we know see that her name the variable passed to listen we can kind of clean up the binary as we do a law and knew this with global variables as well to try to make it a little bit more readable you're going through in reverse engineering yeah oh yeah we're going to show you I guess one of the interesting features so if you do mati her control e I just spat it there's a lot of random things it does the same thing when you
spam click the thingy site I just try to show you like hey this is where the thing you just opened is or this is what the last page you clicked on is [Music] I thought that some of funny features looking at some other people's like presentations and talks on teacher I know it's not a time that they show that you can click on it and a lot of people talk about like mod or ctrl e as much and then again you can go through and you can reverse this a little bit more these have just been like plain and simple like x86 binaries though at 64 such go down let's do something cool so let's open up our apk so this is a apk
it's like an Android app, and we're going to open it as a file system. Note that we then get to see all of the contents of an APK. So for people that aren't familiar, you get, like, an AndroidManifest and you get some, like, various other information. The dex is Java bytecode, essentially, and so that's what we're going to be interested in. And for some reason it doesn't like me, let's see here, there we go. So one thing that's interesting, I guess, I did this demo, like the prep work for this demo, in 9.0.2, and in 9.0.2 I was able to double click this. Maybe I just didn't wait long enough for it to analyze it. I
didn't have to right click and then import it, but at any rate we have now our classes.dex and we can go through and analyze this. Note that we're getting different options now for the dex bytecode, and we get a ton of options that aren't checked; we'll just go through the basic ones for now. Another thing of note is that while the C binaries were fairly simple, took a very short time to go through and analyze, the dex stuff, it takes quite a while to analyze, even though this is the simple hello world. We note that Java throws everything and the kitchen sink into the binary so it can be understandable.
Any questions while this loads? Go forth. So the question is if there is a size limitation. Theoretically yes, I mean you're probably gonna be limited by your RAM, noting that this thing probably does take up quite a bit of RAM just to, like, analyze and do all of that loading, but I haven't run into many issues, and I've opened some pretty, like, large files and binaries and, like, firmware. So maybe if you ran into something that was, like, gigabytes large as a binary, which would be insane, that might cause some issues. I haven't actually, like, run into that; like, things in the upper hundreds of megabytes have analyzed no problem. Any other questions? Actually it does look like we're done
loading. Similarly, we did, like, a view of the dex bytecode. So I personally don't know how to read dex, I don't know how many of you do, but we can go through and look at some of the stuff that's been, like, incorporated and stuff like that, but this is just trying to, like, show that you can open and analyze an APK package as well. And then the last thing is gonna show that you can open and analyze MIPS
there. So one thing about the MIPS binary is it also takes a little bit longer than the other ones. This is an actual binary that was given to us from DEF CON CTF, so rather than being, like, a toy binary it has a little bit more stuff going on, but as you can see we can go through, we can analyze it. As soon as these functions pop up, it's actually pretty nice, we do get main. So there's a, I guess, for the binary, it isn't stripped. So stripping a binary is, like, removing symbols, so for instance if I didn't want someone to be able to reverse-engineer it I could strip the binary, but also stripping reduces the size of the binary,
so a lot of binaries do get stripped just because of size. It removes a lot of, like, some of the debug symbols, some of the, like, nice names that might be added, and so on. But as you can see this is a MIPS binary; this is pretty nice because previously, in, like, other things, we would have had to go through and read through all of this MIPS assembly, but now we get, like, a little C-like syntax that we can read to try to figure out what's going on. And that's it for my demo, and go back through to my slides. Now let me get this set up so that it's no longer mirrored,
that way it looks a little bit nicer.
Oh, there's... now we're about to present, if I can click... see, all right. So now, any other questions about Ghidra? Go for it.
What do you mean? So, I looked for, like, workflow. So for instance, mmm, so I will say that the original developers are maintaining it, so for instance I don't believe they're going to add in every pull request that is given to them, and for instance I know they haven't for some of them, but I think they are taking them into consideration and will add some of them. The issue is that they have their own baselines and stuff of users that they also need to support, so there's that. As far as, like, issues though, I've seen a lot of fixes for the issues, and actually, if you go back to the website, so let's pull this up.
Where's my mouse?
So you see how they have issue numbers; these actually go back to the Ghidra page on GitHub. I will show, like, this: the issue, these are the fixes, links to the commits that fixed it. So I'd say the community's been very active in, like, publishing issues. When it first came out everybody was trying to look for any, like, leads into the backdoor incidents and stuff like that; people were looking for bugs in it just for the memes. So there was that little rush, but after that it seems like there have been some really good fixes. So for instance when 9.0 came out, using Ghidra auto SH was
actually awful: if you tried to scroll you would, like, fling all over the binary and stuff like that. So they fixed a little bit of the DPI settings, because, I mean, the people over there aren't going to be using touchpads to do the reverse engineering work and stuff like that, so there are some UI fixes for that that were pushed. Any other questions? Go for it. I will answer that question in a little bit. Any other questions?
I've actually had, so, funny thing, I mean, going back to the workflow: when IDA fails to decompile something I'll open Ghidra and decompile it, because usually it works. I'll go into a little bit more of my opinions of the different tools in a bit. I haven't seen it crash; note that when I was trying to open it at first, I just installed 9.0 for this morning, and trying to open it, like, and create a new project crashed it on my machine, so there's definitely bugs in the new version, but overall, as far as the, like, decompilation, like, I've never had it not be able to decompile something that IDA wasn't able to decompile. Apart... I mean, theoretically yes,
but it really depends on what they're doing for the obfuscation, though; it's, like, a hard answer to answer, I don't really know. Say again? An obfuscated file? Well, it depends on what type of obfuscation you're talking about. Is it, like, a binary which just loads something that is encrypted into memory, and something like that? Hmm, I haven't run into those issues when working through malware with Ghidra, so I can't really say. Yeah, okay, go for it. I haven't been repeating the question, sorry. So the question is, do I know of any efforts to port the disassembler or decompilers to other tools, right? I don't know of any. So I troll on the Binja Slack a lot, not troll but I
lurk on the Binja Slack a lot. A lot of people have mentioned, like, would it be possible to integrate the Ghidra decompiler in Binja, and for their use case, no, mostly because they're very different as far as P-code, P-code being the IL for Ghidra, versus Binary Ninja's IL; there's just not as many, there's not similarities in the way that they have done things, and lifting is different, and so there's not a one-to-one match. Otherwise, I know of some people who want to build a new UI for Ghidra because they hate that it's written in Java and also it looks kind of dated, so people have been wanting to build a new UI for
it, but nothing as far as, like, porting it to other already available tools. I know the person who made Diaphora, which is, like, a BinDiff-type tool for IDA, is working on a Ghidra thing for that. Let's close this. Any other questions? Yeah, genuine off the record, can you turn the recording off?
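The socket, bind and listen call chain that the demo above renames in the decompiler, as an added example that is not part of the talk or of Ghidra: a small C server that builds the sockaddr_in, binds it and listens, with comments showing how the three bind() arguments from man 2 bind (socket, address, address length) read in the decompiler before and after the variables are renamed. The function names make_server_addr, start_listener and listener_port are my own, and the server binds only to 127.0.0.1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the sockaddr_in that becomes bind()'s second argument.
   In an unrenamed decompile this usually shows up as a 16-byte stack
   buffer being filled with 2 (AF_INET) and a byte-swapped port. */
struct sockaddr_in make_server_addr(uint16_t port)
{
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* 127.0.0.1 only */
    return addr;
}

/* socket -> bind -> listen, the sequence the demo walks through.
   Returns the listening fd or -1. Port 0 lets the kernel pick a free port. */
int start_listener(uint16_t port)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0); /* decompiler: iVar1 = socket(2,1,0) */
    if (sock < 0)
        return -1;

    struct sockaddr_in server_addr = make_server_addr(port);

    /* man 2 bind: int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
       before renaming: bind(iVar1, &local_28, 0x10)
       after renaming:  bind(sock, &server_addr, sizeof server_addr) */
    if (bind(sock, (struct sockaddr *)&server_addr, sizeof server_addr) < 0) {
        close(sock);
        return -1;
    }

    /* man 2 listen: listen(sockfd, backlog); after renaming: listen(sock, 5) */
    if (listen(sock, 5) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

/* Report the port the listener ended up on (useful when port 0 was passed). */
int listener_port(int sock)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(sock, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

int main(void)
{
    int sock = start_listener(0);
    if (sock < 0) {
        perror("start_listener");
        return 1;
    }
    printf("listening on 127.0.0.1:%d\n", listener_port(sock));
    close(sock);
    return 0;
}
```

Compiling this once with symbols and once with `strip` is a quick way to see for yourself the difference the talk describes: the stripped build loses `main`, `make_server_addr` and `start_listener` as names, but the man-page signatures of bind() and listen() still tell you what each argument is.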