Open source engines worth knowing for reverse engineering: Capstone, Keystone, Unicorn, QEMU and Qiling

Recently I have been studying some frameworks for reverse engineering, a chain of fundamental engines: Capstone, Keystone, Unicorn, QEMU and Qiling. In the right situations these tools make reverse engineering work considerably easier.

Assembly and disassembly

Capstone

A disassembly engine released by the Nanyang Technological University (Singapore) team at Black Hat USA 2014.

Keystone

An assembler framework, the counterpart of Capstone, released by the same Nanyang Technological University team at Black Hat USA 2016.

Binary emulation

QEMU

QEMU is a free and open source processor emulator written by Fabrice Bellard: a general-purpose emulator and virtualizer that can run either a whole system (system mode) or a single user-space program (user mode).

Unicorn

A lightweight, multi-platform, multi-architecture CPU emulator framework released by the Nanyang Technological University (Singapore) team at Black Hat USA 2015.

  • Unicorn Engine: CPU emulation framework
  • Project homepage: https://github.com/unicorn-engine/unicorn
  • Multi-platform: Windows, *nix
  • Multiple architectures, such as ARM, MIPS and x86
  • C and Python interfaces
  • Based on QEMU

    QEMU provides a complete emulation environment: it can emulate hardware peripherals, an entire system, or a single binary program. Unicorn strips this down to the emulation of CPU instructions only; memory layout, register state and anything the operating system would normally provide have to be set up by the caller.

Qiling

An advanced binary emulation framework released by the JD team at DEF CON 2019.

  • Qiling: binary emulation framework
  • Project homepage: https://github.com/qilingframework/qiling
  • Multi-platform: Windows, *nix
  • Multiple architectures, such as ARM, MIPS and x86
  • Qiling is designed as a higher-level framework on top of Unicorn. It uses Unicorn to emulate CPU instructions and adds the pieces Unicorn leaves out (loaders, a process environment and operating-system behaviour), along with higher-level analysis functions: dynamic instrumentation, and even hot-patching code at runtime.


Summary

The open source tools above come with detailed usage documentation and are actively maintained by their teams, which makes them very useful for binary malware research and malicious-sample analysis. For example:

  • To modify firmware or a binary by adding or changing instructions, use Capstone and Keystone to convert between assembly instructions and machine code.
  • To emulate whole binary executables built for another architecture, across platforms, use QEMU.
  • To emulate fragments of binary code, use Unicorn or Qiling.

The author has used several of them and has the idea of integrating some of them into a visualization tool. This is only a brief introduction; if you are interested, you still have to practise with them. The official websites of these tools provide usage tutorials, and they are relatively simple to use.

Of course, for ordinary penetration testing, vulnerability hunting and CTFs, the situations where these tools are needed are still fairly limited, because the more commonly used tools are IDA, Ghidra and pwntools, which have better integration and extensibility. You are probably more familiar with those, so I won't go into them here.


Source: blog.csdn.net/song_lee/article/details/116541135