robre's blog
making sense of stuff
  • run strings and strace; trace the execution path in graph view (possibly record the trace with gdb); get the class list / function list
  • patch the binary to add log messages
  • recognize crypto by looking up known constants (S-boxes, initial hash values, round constants)
  • have some unpackers ready (e.g. for UPX)
  • get a list of function names / class names as an overview
  • find main
  • look for refs to relevant strings in the code (Shift+F12 opens the Strings window; xref shortcut: X)
  • use placeholder names (e.g. fruits) for unknown functions so they are recognizable when they show up again
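The constant-lookup idea from the list above, as an added example that is not part of the original post: a small scanner that searches a byte blob (a file, or a dumped .rodata section) for well-known crypto constants in both byte orders and reports how many consecutive words of each signature it found. The signature table, the constructed sample blob and the function names (scan_constants, build_sample_blob, describe) are this example's own, not anything from the page or from IDA.

```python
"""Added example: spot crypto by its magic constants in a byte blob or file."""
import struct
import sys

# 32-bit word sequences as written in the reference specs (searched in both byte orders).
SIGNATURES = {
    "SHA-256 initial hash values": [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                                    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19],
    "SHA-1 initial hash values":   [0x67452301, 0xefcdab89, 0x98badcfe,
                                    0x10325476, 0xc3d2e1f0],
    "MD5 initial state":           [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476],
    "MD5 T[] table":               [0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee],
    "Blowfish P-array (pi)":       [0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344],
    "CRC-32 (IEEE) table":         [0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419],
    "TEA/XTEA delta":              [0x9e3779b9],  # single word (golden ratio): many false positives
}
# Byte-exact patterns: tables and ASCII constants have no endianness.
BYTE_SIGNATURES = {
    "AES S-box":              bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box":      bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
    "ChaCha20/Salsa20 sigma": b"expand 32-byte k",
}


def scan_constants(data: bytes) -> list:
    """Return every offset where a signature starts, with how many consecutive words matched."""
    findings = []
    for name, words in SIGNATURES.items():
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            first = struct.pack(fmt, words[0])
            pos = data.find(first)
            while pos != -1:
                matched = 0
                for i, w in enumerate(words):          # extend the match word by word
                    if data[pos + 4 * i: pos + 4 * i + 4] != struct.pack(fmt, w):
                        break
                    matched += 1
                findings.append({"name": name, "offset": pos, "endian": endian,
                                 "matched": matched, "total": len(words),
                                 "weak": len(words) == 1})
                pos = data.find(first, pos + 1)
    for name, pattern in BYTE_SIGNATURES.items():
        pos = data.find(pattern)
        while pos != -1:
            findings.append({"name": name, "offset": pos, "endian": "n/a",
                             "matched": 1, "total": 1, "weak": False})
            pos = data.find(pattern, pos + 1)
    return sorted(findings, key=lambda f: (f["offset"], f["name"]))


def build_sample_blob() -> bytes:
    """Constructed stand-in for a .rodata section: filler around a few real constants."""
    blob = bytearray(b"\x90" * 32)                                          # padding
    blob += b"Usage: tool <file>\x00"                                        # an ordinary string
    blob += struct.pack("<8I", *SIGNATURES["SHA-256 initial hash values"])  # LE table (x86 build)
    blob += b"\xcc" * 17                                                     # deliberately misaligned
    blob += BYTE_SIGNATURES["AES S-box"] + bytes(range(16, 64))              # start of an S-box
    blob += struct.pack(">4I", *SIGNATURES["Blowfish P-array (pi)"])         # BE copy (BE target)
    blob += struct.pack("<I", *SIGNATURES["TEA/XTEA delta"])
    return bytes(blob)


def describe(findings) -> list:
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        note = "  (weak: single word, also used by hash mixers)" if f["weak"] else ""
        lines.append(f"0x{f['offset']:06x}  {f['name']}  {f['matched']}/{f['total']} words, "
                     f"{f['endian']}-endian{note}")
    return lines


if __name__ == "__main__":
    # With a path argument the real file is scanned; without one, the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    print("\n".join(describe(scan_constants(data))))
```

This is the same idea the FindCrypt family of IDA plugins uses. Two things to keep in mind when a scan comes back empty: some implementations generate their tables at runtime (AES S-boxes and T-tables are often computed at startup) so nothing is in .rodata, and on ARM/AArch64 a 32-bit constant loaded via movz/movk is split into 16-bit immediates and never appears as a whole word in the code. A partial match (e.g. 4/8 words) is still worth a look; it usually means the table was reordered or interleaved rather than absent.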
Decomplicate in IDA:
  • use the group nodes functionality in graph view
  • rename things (shortcut: N)
  • retype things (shortcut: Y)
Other valid strategies:
  • re-engineer the code and recompile it
  • clever hooks instead of tedious reversing
Dynamic approaches:
  • set breakpoints on all functions, run, and see which breakpoints remain (i.e. which functions were never executed)
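The breakpoint-coverage trick above, as an added example that is not part of the original post: a gdb Python script that puts a breakpoint on every function listed by `info functions`, records each hit without stopping the inferior, and reports the functions that were never reached. The parser, the constructed sample output and the names (parse_info_functions, never_hit, run_coverage, report) are this example's own; gdb.Breakpoint, stop() and gdb.execute are gdb's real Python API.

```python
"""Added example: breakpoint coverage with gdb's Python API.

Inside gdb:   (gdb) source bp_coverage.py
              (gdb) python report(run_coverage("input.txt"))
"""
import re

try:
    import gdb  # only exists when this file runs inside gdb
except ImportError:
    gdb = None  # lets the parser be imported and tested outside gdb

# `info functions` prints two kinds of entries:
#   12:	int main(void);               (symbols with debug info)
#   0x0000000000001030  puts@plt      (non-debugging symbols)
_DEBUG_LINE = re.compile(r"^\d+:\s+(.*);\s*$")
_NODEBUG_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s*$")

# Constructed sample of `info functions` output, used for the offline test.
SAMPLE_INFO_FUNCTIONS = """All defined functions:

File main.c:
5:	static void helper(int);
12:	int main(void);

Non-debugging symbols:
0x0000000000001000  _init
0x0000000000001030  puts@plt
"""


def parse_info_functions(text: str) -> list:
    """Heuristically pull function names out of `info functions` output."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        m = _DEBUG_LINE.match(line)
        if m:
            head = m.group(1).split("(", 1)[0]      # drop the parameter list
            name = head.split()[-1].lstrip("*&")    # last token before '(' is the name
            if name and name not in names:
                names.append(name)
            continue
        m = _NODEBUG_LINE.match(line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def never_hit(all_funcs, hits) -> list:
    """Functions that had a breakpoint but were never reached."""
    return sorted(set(all_funcs) - set(hits))


def run_coverage(run_args: str = ""):
    """Break on every known function, run the target, return (placed, hit, never)."""
    if gdb is None:
        raise RuntimeError("run_coverage() must be called from inside gdb")

    hits = set()

    class CoverageBreakpoint(gdb.Breakpoint):
        def __init__(self, fname):
            super().__init__(fname, internal=True)  # internal: hidden from `info breakpoints`
            self.fname = fname

        def stop(self):
            hits.add(self.fname)
            return False                            # record the hit, keep the inferior running

    funcs = parse_info_functions(gdb.execute("info functions", to_string=True))
    placed = []
    for f in funcs:
        try:
            CoverageBreakpoint(f)
            placed.append(f)
        except RuntimeError:                        # gdb.error, e.g. no code address for the symbol
            pass
    gdb.execute("run " + run_args)
    return placed, sorted(hits), never_hit(placed, hits)


def report(result):
    placed, hit, never = result
    print(f"{len(placed)} breakpoints, {len(hit)} functions executed, {len(never)} never reached")
    for f in never:
        print("  never hit:", f)
```

Every hit is a trap into gdb, so on a binary with thousands of functions this is slow but still far faster than stepping by hand. On a stripped binary `info functions` only lists the non-debugging symbols (imports, exports), so coverage is coarse; feeding the function list exported from IDA instead gives the same result with full granularity.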