Geeky Christmas presents followup: Hex-Rays Decompiler!

Do you remember one of my last posts, about my Christmas wishes for “geek presents”?

I have to admit that this year I treated myself… a bit too much, perhaps! Because Santa’s gonna bring (or already has!) nearly everything I had wished for:

  • Wii (for the whole family, as I’m not so attracted to games)
  • Mindstorms + RobotC (a very nice C development environment for Mindstorms, including realtime debugging and so on…) + 2 extra sensors (magnetic compass, and 3-axis accelerometer). My son and I have already started building nice models, robots and buggies, but he’s still too young to program it with LabVIEW’s graphical programming environment (a bit like Grafcet), so I won’t even ask him to start learning! At least he can understand what programming means, since he now knows that the programs I “put into” the robot make it feel and do actions according to what I decided. Definitely a good education tool.
  • I didn’t feel the need to buy maths and physics programs. I have spent some time looking at them, and even trying them, but I still think their licensing model is not as I like it (when I buy programs, I am very concerned by those licensing issues and conditions. For example I hate (and so won’t buy) programs bound to my hardware to generate serial licenses, as I can change my PC. I also dislike when some companies change their licensing model from version N to version N+1. This was the case for SpaceTime, a nice maths program that was once sold in a single piece, and which is now sold in separate parts (at, shamefully, 4 times the price if you want to get the same functions as the old version…)).
  • Finally, I explained that my last wish was mostly a dream, since I couldn’t afford it: the Hex-Rays decompiler plugin for IDA Pro, an exceptional tool… Well, I’ve taken the step, and finally bought it ;)

HEX-RAYS FIRST THOUGHTS

First of all, let’s explain what Hex-Rays is about. It is a plugin for IDA Pro 5.1 and later versions that adds two shortcuts: <F5> and <Ctrl><F5>. That’s all! But those two shortcuts are so powerful that I can assure you it’s enough.

1. SOME FACTS ABOUT DECOMPILATION

IDA Pro is a disassembler. Very certainly the best one on the market. It enables its user to view and analyse binary programs graphically and interactively. But even if it is a great tool, the output is still assembly language and may be difficult to interpret in some cases. This discipline is called Software Reverse Engineering, or Reversing, or RCE… Its main use nowadays is to understand how malware and unknown programs behave, much as a scientific team would study human viruses. Basically it is one of the major tools that should be in a malware research laboratory. Some people also use these kinds of tools for unlawful purposes, but that’s another story (in general, and not speaking only about IT, most laboratory tools (chemical, physical…) can be used for good or evil; that’s what is called dual-use technology).

Mr. Guilfanov, the main IDA Pro developer, maintains a nice blog about Reversing. For several years he has written posts about his research in the field of decompilation. Let me clarify things: disassembly is the act of translating machine code (bytes) into assembly language; decompilation is the act of translating that binary code into the high-level language the program was originally written in. A very huge and difficult task, since most compilers now optimize programs aggressively, which makes decompiling them a nightmare.
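To make the disassembly/decompilation distinction concrete, here is an added example of my own (not IDA or Hex-Rays code): a toy disassembler for a handful of 32-bit x86 instructions, followed by an equally toy “decompiler” that lifts the instruction list into a C function by tracking what each register holds as a symbolic expression. The sample bytes are constructed for this illustration, and the tiny opcode subset and the argN naming of stack slots are assumptions of the example; a real decompiler must also recover control flow, types and the optimized idioms mentioned above.

```python
"""Toy x86 disassembler and symbolic 'decompiler' (added illustration, not IDA/Hex-Rays code).

Supported 32-bit subset (an assumption of this example):
  mov/add/sub/xor r32, r/m32   (0x8B / 0x03 / 0x2B / 0x33, register or [esp+disp8])
  mov r32, imm32               (0xB8 + reg)
  add/sub/xor r32, imm8        (0x83 /0, /5, /6, register form only)
  ret                          (0xC3)
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ALU_RM = {0x8B: "mov", 0x03: "add", 0x2B: "sub", 0x33: "xor"}
ALU_IMM8 = {0: "add", 5: "sub", 6: "xor"}      # /digit field of opcode 0x83
SYMBOL = {"add": "+", "sub": "-", "xor": "^"}

# Constructed sample: bytes a 32-bit cdecl compiler could emit for
#     int f(int a, int b) { return a + b + 1; }
SAMPLE_ADD = bytes.fromhex(
    "8B442404"   # mov eax, [esp+4]   ; first argument
    "03442408"   # add eax, [esp+8]   ; second argument
    "83C001"     # add eax, 1
    "C3"         # ret
)
SAMPLE_ZERO = bytes.fromhex("33C0C3")       # xor eax, eax ; ret


def decode_modrm(code, i):
    """Decode ModRM (+SIB, +disp8) at code[i]. Returns (reg, r/m text, bytes used)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                        # register direct
        return REGS[reg], REGS[rm], 1
    if mod == 1 and rm == 4 and code[i + 1] == 0x24:    # SIB with base esp: [esp+disp8]
        return REGS[reg], f"[esp+{code[i + 2]:#x}]", 3
    raise ValueError(f"unsupported ModRM {modrm:#x} at offset {i:#x}")


def disassemble(code):
    """Disassembly: raw bytes -> list of (offset, mnemonic, operands)."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if op in ALU_RM:
            dst, src, n = decode_modrm(code, i + 1)
            insns.append((i, ALU_RM[op], [dst, src]))
            i += 1 + n
        elif 0xB8 <= op <= 0xBF:                        # mov r32, imm32
            imm = struct.unpack_from("<i", code, i + 1)[0]
            insns.append((i, "mov", [REGS[op - 0xB8], str(imm)]))
            i += 5
        elif op == 0x83:                                # ALU r32, imm8 (sign-extended)
            modrm = code[i + 1]
            if modrm >> 6 != 3 or (modrm >> 3) & 7 not in ALU_IMM8:
                raise ValueError(f"unsupported 0x83 form at offset {i:#x}")
            imm = struct.unpack_from("<b", code, i + 2)[0]
            insns.append((i, ALU_IMM8[(modrm >> 3) & 7], [REGS[modrm & 7], str(imm)]))
            i += 3
        elif op == 0xC3:
            insns.append((i, "ret", []))
            i += 1
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i:#x}")
    return insns


def format_asm(insns):
    """Render the instruction list the way a disassembler listing looks."""
    return "\n".join(f"{off:04x}  {mn} {', '.join(ops)}".rstrip() for off, mn, ops in insns)


def decompile(insns, name="func"):
    """Decompilation: lift the listing to C by tracking registers symbolically.

    Stack slots [esp+4], [esp+8], ... are named arg0, arg1, ... (cdecl layout,
    an assumption of this toy); every register value is kept as a C expression string.
    """
    state = {}          # register -> C expression it currently holds
    nargs = 0

    def value(operand):
        nonlocal nargs
        if operand.startswith("[esp+"):
            k = (int(operand[5:-1], 16) - 4) // 4
            nargs = max(nargs, k + 1)
            return f"arg{k}"
        return state.get(operand, operand)   # known register, unknown register, or immediate

    def paren(expr):
        return f"({expr})" if " " in expr else expr

    body = "/* no ret reached */"
    for _, mn, ops in insns:
        if mn == "ret":
            body = f"return {state.get('eax', 'eax')};"
            break
        dst, src = ops
        if mn == "mov":
            state[dst] = value(src)
        elif mn == "xor" and dst == src:     # compiler idiom: xor r, r  ==  r = 0
            state[dst] = "0"
        else:
            state[dst] = f"{paren(value(dst))} {SYMBOL[mn]} {paren(value(src))}"
    params = ", ".join(f"int arg{k}" for k in range(nargs)) or "void"
    return f"int {name}({params})\n{{\n    {body}\n}}"


if __name__ == "__main__":
    for label, code in (("add_plus_one", SAMPLE_ADD), ("zero", SAMPLE_ZERO)):
        listing = disassemble(code)
        print(format_asm(listing))
        print(decompile(listing, label), "\n")
```

Running it prints the assembly listing for each sample and then the lifted C (`return (arg0 + arg1) + 1;` and `return 0;`). Even on this straight-line subset, the decompiler has to know a compiler idiom (`xor eax, eax` means zero, not “eax ^ eax”) and a calling convention to name the arguments; that is the kind of knowledge that grows into a huge task once loops, calls, aliasing and optimizations enter the picture.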

Back in 2000, I was also interested in this research field, and deeply studied the great works of Cristina Cifuentes, who at that time had already produced a decompiler, dcc, and a PhD thesis about it. Having worked some time on this too with a friend (who is a great researcher too; he left for the States several years ago, working on post-doctorate subjects at Google, Microsoft and now Oracle, hi Jacques!), I can tell you that decompilation is a deep and troublesome project that is really difficult to master.

2. HEX-RAYS USAGE

… Ilfak Guilfanov has made it a reality! His decompiler WORKS… and it works pretty fast and well. Once installed, just run IDA Pro, disassemble a binary, and press <F5>. Magically, you’ll see the function in C! And it is really nice C output, not a crappy one stuffed with asm() statements or unreadable code. The decompilation process is quite fast too, very important to mention!

If you press the other shortcut, <Ctrl><F5>, you are presented with a dialog box asking you for the filename of the C source you want to save! And it decompiles the whole program to C. Very efficient too. I have made several tries; the rendered code is very nice and even ready to recompile in some cases (simple ones, don’t try this on programs such as Skype!!).

For now, it is “only” able to decompile x86 code, but Ilfak is working on a multi-processor version and the ARM processor should be supported in 2008. A first step before he can generalize to other processors, I guess.

CONCLUSION

Hex-Rays is only available to owners of IDA Pro 5.1 and above (legally bought, obviously!), as the buying process requires you to send your IDA licence key. Also worth mentioning: your copy of Hex-Rays is tightly linked to your IDA Pro version, and bound to it.

Pricing? Well, in fact not so expensive. Some may complain that it’s around $1000 per shortcut, but those are so powerful that I claim the product is worth its price. And don’t forget that some other plugins such as Sabre BinDiff are even more expensive (and from my point of view much less useful).

I was just surprised to see that when I registered to the “owners only” forum of Hex-Rays, there were only… 32 users. That is not very many, but the product is so young that I’m confident there will be more and more users of this great solution. I even saw a nickname that reminds me of someone I know in Paris, who could be one of the happy owners of Hex-Rays… He’s got a blog about Vista, that’s all I can say!

I’m now happy with my Christmas gifts… and geeky toys ;)

Bruno Kerouanton on December 15th 2007 in IT Security
