Exetools


Stingered 04-27-2023 06:02

Q: There is a tool like IDR for x64 PEs?
 
Looking for anything that can decompile PE64 like IDR, except 64bit. Maybe only IDA Pro, but I thought I would ask just in case.

-thx

atom0s 04-27-2023 14:22

There was a start of IDR64 here: https://github.com/crypto2011/IDR64 But it is marked as 'incomplete' so it may not work that well or have everything you'd need/want. Hasn't been worked on in a long time either so don't expect updates.

sendersu 04-27-2023 18:06

Keep in mind that IDR / IDR64 is only for Delphi-based binaries

I'd recommend IDA for PE64 - especially if you want to see a high-level-like language... - HR decompilers are good enough
or try Ghidra as well

Stingered 04-27-2023 21:59

Quote:

Originally Posted by sendersu (Post 127595)
Keep in mind that IDR / IDR64 is only for Delphi-based binaries

I'd recommend IDA for PE64 - especially if you want to see a high-level-like language... - HR decompilers are good enough
or try Ghidra as well

This is 100% a Delphi binary. I was not aware there was an IDR64 available. Have only used IDR for 32bit binaries. Was able to locate a version of IDR64 off GitHub! :D

Update: Copied the .BIN files from the 32bit version and IDR64 was able to load the binary. ;)

sendersu 04-28-2023 13:45

That's an interesting case...
The original IDR64 repo contains only syskb2012/13/14.bin files.
I guess these were produced from the corresponding 64-bit Delphi,
but taking into account that the 32-bit *.bin packages also work... it sounds very suspicious.
Do you think that 32-bit code from 32-bit Delphi would have the same patterns as in 64-bit? Do you see any system module APIs detected by reusing them from the 32-bit IDR?
Just thoughts aloud

