OpenDis
-------

1) What is OpenDis?

OpenDis is a tool for looking, in a semi-automated fashion, for vulnerabilities in closed-source programs: it disassembles the binary, analyzes it and highlights the error-prone sections and/or functions.

2) Is this a disassembler?

No, it isn't. The real disassembler is "objdump" (together with "nm"), both of which OpenDis uses internally.

3) What are the advantages of using it over a manual decompilation of a binary?

A lot of the work done at the start of a reverse engineering project is done for you: string search, highlighting of the most common vulnerable functions and constructions, recognition of local variables and function arguments, etc.

4) Does it generate assembler or "pseudo-assembler"?

It doesn't generate assembler; it adapts the assembler output generated by objdump to be more readable and understandable. The pseudo-assembler it produces is less "mistake-prone" than a raw disassembled file, but it is not re-compilable.

5) If the binary is stripped, how are functions detected?

Currently, OpenDis only supports x86. In that instruction set, the following two lines mark the start of a function/procedure (the standard frame-pointer prologue):

	push	%ebp
	mov	%esp,%ebp

OpenDis looks for these two lines to detect functions and procedures. Of course, you can use "very advanced" anti-reverse-engineering techniques to evade function detection, for example by planting a fake prologue in dead code with a C construction like the following:

	void foo(int argc, char *argv[])
	{
		/* You know this branch is impossible because you wrote the code, but the compiler is not aware of it */
		if (argc < 0xfffffff0)
		{
			__asm__("push %ebp");
			__asm__("mov  %esp,%ebp");
		}
		else
		{
			argc = 0; // "Real" code goes here
		}
	}

Anyway, this is easily detected (and I will try to automate it) by looking at the execution flow, as shown below in an example where the binary is not stripped:

foo:
	0x0804832c: push   %ebp
	0x0804832d: mov    %esp,%ebp
	0x0804832f: mov    func_argument_1,%eax
	0x08048332: cmp    $0xffffffef,%eax
	0x08048335: ja     0804833c <foo+0x10>
	; if (func_argument_1 >= 0xfffffff0) goto foo+0x10 (the "real" code),
	; otherwise fall through into the decoy below

	; Dead code, but the compiler is not aware of it
	foo+0xb:
		0x08048337: push   %ebp
		0x08048338: mov    %esp,%ebp
		0x0804833a: jmp    08048343 <foo+0x17>	; Never executed

; Real code starts here
foo+0x10:
	0x0804833c: movl   $0x0,func_argument_1
	0x08048343: pop    %ebp
	0x08048344: ret

I can't automatically tell whether that is dead code or not, but anti-reverse-engineering code of this kind can be detected by looking at the execution flow: the fake prologue is only reachable by falling through from a conditional jump inside another function.

6) What functions are highlighted as error prone?

The most common calls to vulnerable functions: strcpy, strcat, printf, etc. It does a "good" job of trying to detect a program's private variants of those functions, and it is able to detect the most common mistakes with, for example, printf. At the moment it only checks whether the last parameter pushed before the printf call (which is the first argument, i.e. the format string, because cdecl pushes arguments right to left) is a constant or a variable/argument/function parameter.
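As an added example (not OpenDis code, and not a description of how OpenDis itself is implemented), here is a small Python script that re-implements the two heuristics from questions 5 and 6 over the text output of objdump -d: it finds "push %ebp / mov %esp,%ebp" prologues and flags the ones that can be reached by falling through from the previous instruction (my own heuristic for the decoy-prologue trick, not OpenDis's), and it classifies the format argument of printf-family calls as constant or not. It goes beyond the page's printf-only check in two ways that are my assumptions: a constructed table of format-argument positions for other printf-like functions, and support for call sites that pass arguments with "mov src,0xN(%esp)" on a pre-allocated stack instead of push (gcc commonly emits this style), which a push-only check would miss. The listing in SAMPLE is constructed by hand for the example, not real program output.

```python
"""OpenDis-style heuristics over `objdump -d` output (added example, not OpenDis code).
Assumes AT&T-syntax x86 listings of a stripped binary: no function symbols, but
PLT call targets such as <printf@plt> are still named by objdump."""
import re
from collections import namedtuple

# One instruction line: address, opcode bytes, mnemonic, operands. A line that only
# carries wrapped opcode bytes (objdump splits long instructions) does not match.
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+([a-z]\S*)\s*(.*?)\s*$")
ESP_SLOT_RE = re.compile(r"^(?:0x([0-9a-f]+))?\(%esp\)$")  # (%esp) or 0xN(%esp)
OPERAND_SPLIT_RE = re.compile(r",(?![^(]*\))")             # comma outside parentheses
BOUNDARY = {"ret", "jmp", "hlt", "nop", "int3", "ud2"}       # no fall-through, or padding
# Index of the format-string argument (constructed table; generalises the printf check).
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}

Insn = namedtuple("Insn", "addr mnem ops")

def parse_objdump(text):
    """Parse the instruction lines of an objdump -d listing."""
    return [Insn(int(m.group(1), 16), m.group(2), m.group(3))
            for m in map(INSN_RE.match, text.splitlines()) if m]

def is_prologue(insns, i):
    """True when insns[i] starts the x86 prologue "push %ebp; mov %esp,%ebp"."""
    return (i + 1 < len(insns) and (insns[i].mnem, insns[i].ops) == ("push", "%ebp")
            and (insns[i + 1].mnem, insns[i + 1].ops) == ("mov", "%esp,%ebp"))

def find_functions(insns):
    """(address, suspicious) per prologue match. suspicious=True when the previous
    instruction can fall through into it, i.e. the prologue sits inside another
    function's control flow (the decoy trick from question 5); assumed heuristic."""
    return [(insns[i].addr, i > 0 and insns[i - 1].mnem not in BOUNDARY)
            for i in range(len(insns)) if is_prologue(insns, i)]

def argument_operand(insns, call_idx, argno):
    """Operand that supplies argument `argno` of the call at call_idx, for both cdecl
    styles: right-to-left pushes (last push = argument 0) and a pre-allocated stack
    (`mov src,0xN(%esp)`, N = 4*argno). Stops at a call, ret or prologue so it never
    reads another call site's arguments."""
    pushes = 0
    for j in range(call_idx - 1, -1, -1):
        ins = insns[j]
        if ins.mnem in ("call", "ret") or is_prologue(insns, j):
            break
        if ins.mnem.startswith("push"):
            if pushes == argno:
                return ins.ops
            pushes += 1
        elif ins.mnem.startswith("mov"):
            parts = OPERAND_SPLIT_RE.split(ins.ops)
            slot = ESP_SLOT_RE.match(parts[1]) if len(parts) == 2 else None
            if slot and int(slot.group(1) or "0", 16) == 4 * argno:
                return parts[0]
    return None

def check_format_calls(insns):
    """(call address, callee, format operand, is_constant) for each printf-like call.
    An immediate ($...) is a literal in .rodata; a register or memory operand means
    the format string is data and the call site needs a manual look."""
    findings = []
    for i, ins in enumerate(insns):
        m = re.search(r"<([A-Za-z_]\w*)(?:@plt)?>", ins.ops) if ins.mnem == "call" else None
        if m and m.group(1) in FORMAT_ARG:
            fmt = argument_operand(insns, i, FORMAT_ARG[m.group(1)])
            findings.append((ins.addr, m.group(1), fmt, bool(fmt) and fmt.startswith("$")))
    return findings

# Constructed listing (not real program output): function 1 hides a decoy prologue in
# dead code and passes its own argument to printf as the format; function 2 is clean.
SAMPLE = """\
 8048320:  55                      push   %ebp
 8048321:  89 e5                   mov    %esp,%ebp
 8048323:  8b 45 08                mov    0x8(%ebp),%eax
 8048326:  83 f8 ef                cmp    $0xffffffef,%eax
 8048329:  77 05                   ja     8048330
 804832b:  55                      push   %ebp
 804832c:  89 e5                   mov    %esp,%ebp
 804832e:  eb 0b                   jmp    804833b
 8048330:  ff 75 08                pushl  0x8(%ebp)
 8048333:  e8 c8 ff ff ff          call   8048300 <printf@plt>
 8048338:  83 c4 04                add    $0x4,%esp
 804833b:  5d                      pop    %ebp
 804833c:  c3                      ret
 804833d:  55                      push   %ebp
 804833e:  89 e5                   mov    %esp,%ebp
 8048340:  83 ec 08                sub    $0x8,%esp
 8048343:  c7 44 24 04 00 85 04    movl   $0x8048500,0x4(%esp)
 804834a:  08
 804834b:  8b 45 08                mov    0x8(%ebp),%eax
 804834e:  89 04 24                mov    %eax,(%esp)
 8048351:  e8 ba ff ff ff          call   8048310 <fprintf@plt>
 8048356:  c9                      leave
 8048357:  c3                      ret
"""

if __name__ == "__main__":
    insns = parse_objdump(SAMPLE)
    for addr, suspicious in find_functions(insns):
        print(f"function at {addr:#x}" + ("  <- reached by fall-through, possible decoy" if suspicious else ""))
    for addr, callee, fmt, const in check_format_calls(insns):
        print(f"{addr:#x}: {callee} format {fmt!r} is " + ("a constant" if const else "NOT constant, review"))
```

Run it as-is to see the report on the built-in listing, or feed it real output with parse_objdump(open("out.txt").read()) after objdump -d binary > out.txt. The fall-through test is deliberately conservative: a prologue that follows a ret, jmp or padding is treated as a normal function start, so only prologues that sit in the middle of live control flow get flagged, and a non-constant format operand is a prompt for a manual look at the call site rather than proof of a bug.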

7) Will OpenDis become a C decompiler rather than a "security researcher friendly" disassembler?

Maybe one day...

8) Can it be considered a replacement for IDA Pro?

No. IDA Pro is a nice tool with many years of development behind it, used daily by the vast majority of security researchers around the world. OpenDis is a newly created Open Source tool which is under heavy development.
