
I am a complete newbie in the reverse engineering world, and decompiling .exe files on my OSX machine is being a pain.

Does anybody know a good decompiler of .exe for OSX, or have any hint about where I can find one? Have I made a conceptual mistake, like "those things don't exist"? :P Google is being quite confusing about it.

BTW, I know these apps could have illegal applications, but also very legal ones (nothing new for this site, I guess :P). In my case, I'm just trying to learn a little bit of reversing and I need this decompiler to pass some levels of an online wargame (or, at least, I think so). Concretely, this one: http://www.yashira.org/index.php?mode=Retos&resp=inforeto&level=126 (in Spanish)

Thanks a lot for your time! :D

EDIT: @YoavAner has brought to my attention that the linked page requires a login (thanks, @YoavAner :D). If you are interested in the wargame (or in this level in particular), you will need to register to access the levels.

WhiteWinterWolf
Palantir
  • It does actually sound illegal. I can't access the link because it leads to a login page, but most (closed-source) products, particularly commercial ones, explicitly prohibit any reverse-engineering of their code. See [this question](http://programmers.stackexchange.com/q/73830) – Yoav Aner Mar 01 '12 at 08:49
  • Learning reverse-engineering, or performing it for *research* purposes, is probably legal though. This means you're not supposed to use it (subtle, but important difference). I am not a lawyer, and I believe it changes from country to country. – Yoav Aner Mar 01 '12 at 08:57
  • Oops! My fault. I linked to a page only accessible to registered members, but the thing is: it's just a public wargame. In that level they give you the .exe file and ask you to cause a buffer overflow in it; after that you will receive a password which you have to input in the webpage to get the level passed. As you see, the code has been made to be hacked :) – Palantir Mar 01 '12 at 10:14
  • @YoavAner Indeed, different countries have different laws. In France, the law explicitly allows reverse engineering when the purpose is interoperability, e.g. reverse-engineer a communication program in order to write a program that communicates with it. (ObUSdisclaimer: this is my layman's explanation, don't rely on it as if it was legal advice.) The upshot is that there are enough legal applications that this question is definitely valid. – Gilles 'SO- stop being evil' Mar 01 '12 at 10:14
  • @Palantir - that explains it then. I thought it was some online game simulating a war rather than a pentesting / reverse-engineering exercise. – Yoav Aner Mar 01 '12 at 10:29
  • You know you could also use a program that scans the memory and changes some values in it to attempt your goal? There are tools (https://www.cheatengine.org ) used for cheating in games - don't have enough money/credits/whatever resource? Edit the value in memory and make a new save :) Of course, you need to first know what value to edit, which is achieved by scanning the process for known numbers (the number of points), playing the game a bit so that the desired value changes and then scanning for the new value among the memory addresses you found. – mishan Feb 16 '21 at 15:52
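The differential memory scan that mishan's comment describes, written out as an added example (this is not code from the page, and it does not attach to a real process). A constructed byte buffer stands in for a snapshot of the game's memory, and "reading memory" is plain slicing; against a live target you would read the same ranges through the OS debugging API.

```python
"""Narrowing a value's location in memory by differential scanning.

Added example, not code from the page. A process image is stood in for by
a constructed byte buffer (see build_snapshot); nothing here touches a real
process.
"""
import struct

WIDTH = 4  # scan for 32-bit little-endian integers, the common case for counters


def scan_for_value(memory: bytes, value: int, candidates=None):
    """Return offsets where `memory` holds `value` as a 32-bit LE int.

    First pass (candidates is None): scan every byte offset, which is noisy
    because many unrelated words hold common numbers. Later passes only
    re-check the offsets that survived so far.
    """
    needle = struct.pack("<i", value)
    if candidates is None:
        candidates = range(0, len(memory) - WIDTH + 1)
    return [off for off in candidates if memory[off:off + WIDTH] == needle]


def patch_value(memory: bytes, offset: int, value: int) -> bytes:
    """Return a copy of `memory` with a 32-bit LE int written at `offset`."""
    buf = bytearray(memory)
    struct.pack_into("<i", buf, offset, value)
    return bytes(buf)


def build_snapshot(score: int) -> bytes:
    """Constructed stand-in for a 256-byte process snapshot (assumed layout):
    the score lives at 0x40, and two unrelated words happen to equal the
    starting score of 100, which is exactly what makes a single scan ambiguous."""
    mem = bytearray(256)
    struct.pack_into("<i", mem, 0x10, 100)    # a timer that stays at 100
    struct.pack_into("<i", mem, 0x40, score)  # the real score
    struct.pack_into("<i", mem, 0x44, 3)      # lives
    struct.pack_into("<i", mem, 0x80, 100)    # another unrelated 100
    return bytes(mem)


def locate_score() -> int:
    """Two-pass narrowing: scan for the known score, let the game change it,
    rescan only the surviving candidates for the new value."""
    first = scan_for_value(build_snapshot(100), 100)       # several hits: 0x10, 0x40, 0x80
    after_play = build_snapshot(150)                       # the score changed in the game
    survivors = scan_for_value(after_play, 150, first)     # only the real score moved
    assert len(survivors) == 1, "still ambiguous: play more and rescan"
    return survivors[0]


if __name__ == "__main__":
    off = locate_score()
    patched = patch_value(build_snapshot(150), off, 999999)
    print("score at 0x%x, patched value: %d" % (off, struct.unpack_from("<i", patched, off)[0]))
```

If the second pass still returns several offsets, keep playing and rescanning; each pass intersects the candidate set with the offsets that currently hold the new value, so it only shrinks. Note that scanning every byte offset (as above) finds unaligned copies too; tools usually default to 4-byte alignment for speed, which is fine for compiler-laid-out integers but misses values packed into byte-aligned structures.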

7 Answers


GNU binutils include the objdump utility which can disassemble executable files into human-readable, or at least programmer-readable, assembly source code. It can do so for any supported target it has been compiled for, regardless of what architecture the tool itself is running on. In particular, it can disassemble a Windows .exe file even when running on MacOS X.

(Installing GNU binutils with support for a lot of binary targets, not only the one the tools are actually running on, entails downloading the source code for GNU binutils, and recompiling it with the appropriate cross-target options. Documentation is included. People who can do anything at all with a disassembled binary ought to be able to do such a task easily.)

Of course, disassembly is only the first step in reverse-engineering. The second step is a lot of hard thinking, which you do in your brain.

Note: I assumed here that the .exe was a Windows binary file, with x86 opcodes. Nowadays, it may also be a .NET assembly, i.e. not x86 opcodes, but CIL. In that case, you will want to use a specific disassembler like these ones. It will still work with MacOS X, and still be open source and free. And you will still need to think a lot.

Thomas Pornin
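Before pointing objdump (or anything else) at the file, it helps to settle the two questions this answer raises: which native architecture the .exe targets, and whether it is a .NET assembly whose "code" is CIL rather than x86 opcodes. The following is an added example, not code from the answer: it reads only the DOS, COFF and optional headers with the standard library, never executes anything, and is tested against constructed, header-only PE images rather than real binaries.

```python
"""Header triage for a Windows PE (.exe/.dll) before choosing a disassembler.

Added example; not code from the answer above. Only the DOS, COFF and
optional headers are read. The sample inputs built by build_minimal_pe are
constructed, header-only images (no sections, not loadable).
"""
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
CLR_RUNTIME_HEADER_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET
BFD_TARGETS = {"x86": "pe-i386", "x64": "pe-x86-64"}  # objdump -b names


def triage_pe(data: bytes) -> dict:
    """Return architecture, PE format, entry point RVA and .NET status of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)           # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                             # PE32
        fmt, ndirs_off, dirs_off = "PE32", 92, 96
    elif magic == 0x20B:                                           # PE32+ (64-bit)
        fmt, ndirs_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", data, opt + 16)            # AddressOfEntryPoint
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)     # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if ndirs > CLR_RUNTIME_HEADER_INDEX and opt_size >= dirs_off + 8 * (CLR_RUNTIME_HEADER_INDEX + 1):
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * CLR_RUNTIME_HEADER_INDEX)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "format": fmt,
        "sections": nsections,
        "entry_point_rva": entry,
        "dotnet": clr_rva != 0 and clr_size != 0,
    }


def suggest_tool(info: dict) -> str:
    """Map the triage result to the kind of disassembler that will make sense of it."""
    if info["dotnet"]:
        return "CIL: use a .NET/CIL disassembler; objdump output would be meaningless"
    target = BFD_TARGETS.get(info["machine"])
    if target is None:
        return "native %s: needs a disassembler for that architecture" % info["machine"]
    return "native %s: objdump -b %s -d file.exe" % (info["machine"], target)


def build_minimal_pe(machine: int, pe32plus: bool, dotnet: bool) -> bytes:
    """Construct a header-only PE image for testing (assumed layout, not a real file)."""
    dirs_off = 112 if pe32plus else 96
    opt_size = dirs_off + 16 * 8                                   # 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, dirs_off - 4, 16)                  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_RUNTIME_HEADER_INDEX, 0x2008, 72)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_minimal_pe(0x14C, False, False), build_minimal_pe(0x8664, True, True)):
        info = triage_pe(sample)
        print(info, "->", suggest_tool(info))
```

The CLR directory, not the machine field, is the reliable .NET check: an "AnyCPU" .NET assembly is a PE32 file whose COFF header says x86 even though it carries no x86 code beyond a tiny loader stub. For the native case, a binutils built with `--enable-targets=all` (the recompile the answer mentions) accepts `-b pe-i386` / `-b pe-x86-64` so objdump reads the PE sections properly instead of treating the file as raw bytes.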

IDA Pro is widely considered to be the single best static analysis tool for binary software. It also supports debugging, but in this field other tools (Immunity Debugger, OllyDbg, WinDbg, etc.) may be better in various scenarios. Since you have no intention of executing and debugging your binary (and you can't), we need not worry about that.

The recent versions of IDA support Linux and Mac OS X in addition to Windows (since version 6.0). Unfortunately for you, it's kind-of pricey. There is a free for non-commercial use download, but it's the 5.0 version, and runs only on Windows.

You can, however, download an evaluation version of IDA 6.3. It has several limitations; the one that is most crucial for you is: "you will not be able to save your work, it will time out after some use, it will not disassemble itself." But after trying it for a while, in comparison to other tools suggested here, you might find that it's worth the $500 (unless you want 64-bit support, and then the price is double).

IDA is the answer to your question, since you didn't specify that you only want free solutions. Several lists of disassemblers are given below. Many are free, like REC Studio 4, which Shadok mentioned in his answer, but none of them comes close to IDA.

conio

I'm a little confused by your question... Reverse-engineering in your case means executing the binary to understand it, so you must execute .exe files on Mac OS X.

So first, you should look at DarWine (Wine for Mac OS X). Wine is an alternate Win32 environment which can execute your .exe file. After this you can attach a debugger (OllyDbg, Ice, ...) as you would on Windows (don't forget to check the compatibility of your game with Wine on the Wine AppDB).

By the way, I advise you to learn reverse-engineering by cracking some simpler software first (look for hack challenges on Google; there are plenty of them), because real-life software is a little difficult.

anonymous
  • Software reverse engineering does **not** mean executing the binary, just like missile reverse engineering does not mean launching the missile you study. There are many ways to reverse engineer hardware without actually attempting to power it; basically various kinds of scanning. Same goes for software. You're confused with the question because of the false assumption you have. I suggest you start with [this section](http://en.wikipedia.org/wiki/Reverse_engineering#Reverse_engineering_of_software) in a wikipedia article, and then take a look at [this book](http://www.amazon.com/dp/1593271786). – conio Dec 03 '12 at 00:58
  • +1 conio, though PMA is arguably a more newbie friendly book: Practical Malware Analysis: http://practicalmalwareanalysis.com/ – adric Aug 01 '13 at 17:01

You should look at these two articles from Symantec:
Reverse Engineering Hostile Code
Alien Autopsy: Reverse Engineering Win32 Trojans on Linux

The tools used in those two articles are basic GNU tools (diff, grep, hexedit...), Wine, gdb and IDA Pro (Freeware version).
Two other tools you could be interested in are REC Studio and NASM.

All the above tools support OSX.

Shadok

An accessible, reasonably priced (~US$60) tool is Hopper. It is a good balance between price and functionality compared to the more expensive (~US$1129) but more powerful IDA Pro. If you are just starting out, this is an excellent tool that is easier to use than most disassemblers, and it is relatively economical.

Andrew Odri
  • Hopper is quite nice and also has a free demo version: http://hopperapp.com/download.html – adric Aug 01 '13 at 16:59

You can use strings to get an idea of what it looks like. Let's say this is the code:

#include <stdio.h>

int main(void) {
    fprintf(stderr, "hello word");  /* the literal that strings will find */
    return 0;
}

and then write in the terminal

$ strings file.exe

If you want to get the real functions and not only the requests to the kernel, you need to use a tool like IDA Pro or something similar.

kasperd
daniel
  • I fixed the most obvious grammatical mistakes. But there are still parts left where I have no clue what you were trying to say. So I suggest you edit it further. – kasperd Nov 20 '16 at 18:27
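One caveat a practitioner would add to the answer above: GNU strings prints runs of printable 7-bit ASCII by default, but Windows executables keep many of their telling literals (paths, registry keys, messages) as UTF-16LE, which plain `strings file.exe` will not show. The following is an added example, not code from the answer: a `strings`-style scan that finds both encodings, reports the file offset of each hit (as `strings -t x` would), and tags the hits worth a second look. `SAMPLE` is a constructed blob standing in for file.exe.

```python
"""A `strings`-style scan that also finds UTF-16LE text.

Added example, not code from the answer above. SAMPLE is a constructed
byte blob, not a real executable.
"""
import re

PRINTABLE = rb"[\x20-\x7e]"

# Constructed sample: an ASCII literal, a UTF-16LE path, an ASCII format
# string and a UTF-16LE URL, separated by non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                     # DOS header fragment
    + b"hello word\x00" + b"\x00" * 5                                 # the ASCII literal
    + "C:\\Windows\\System32\\kernel32.dll".encode("utf-16le")        # wide path
    + b"\x00\x00\x7f\x01\x02"
    + b"Score: %d\x00" + b"\x00" * 4                                  # a format string
    + "https://example.com/check".encode("utf-16le") + b"\x00\x00"    # wide URL
)

CLASSIFIERS = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("registry", re.compile(r"^(?:HKEY_|HKLM\\|HKCU\\|SOFTWARE\\)", re.I)),
    ("path", re.compile(r"^(?:[A-Za-z]:\\|\\\\)")),
    ("format", re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcsp]")),
]


def extract_strings(data: bytes, min_len: int = 4):
    """Return [(offset, encoding, text)] for ASCII and UTF-16LE runs of >= min_len chars,
    sorted by offset. UTF-16LE is matched as printable-ASCII-then-NUL pairs, the
    same heuristic `strings -e l` uses."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(hits)


def classify(text: str) -> str:
    """Tag a string as url/registry/path/format, or plain text if nothing matches."""
    for tag, rx in CLASSIFIERS:
        if rx.search(text):
            return tag
    return "text"


def triage(data: bytes, min_len: int = 4):
    """Combine extraction and classification: [(offset, encoding, tag, text)]."""
    return [(off, enc, classify(text), text) for off, enc, text in extract_strings(data, min_len)]


if __name__ == "__main__":
    for off, enc, tag, text in triage(SAMPLE):
        print("%06x  %-8s  %-8s  %s" % (off, enc, tag, text))
```

With real GNU strings, the equivalent is running it twice, `strings -t x file.exe` and `strings -t x -e l file.exe`, and reading both outputs together; the second run is the one that surfaces the UTF-16LE literals a Windows binary typically holds.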

There are some good answers here. One I haven't seen is the free Ghidra tool. It will run on Mac OS but it's Java-based so you need a JRE. And some people have a thing against running software from the NSA.