Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-27-2023, 06:02
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
Q: There is a tool like IDR for x64 PEs?

Looking for anything that can decompile PE64 like IDR, except 64bit. Maybe only IDA Pro, but I thought I would ask just in case.

-thx

Last edited by Stingered; 04-27-2023 at 06:10.
Reply With Quote
  #2  
Old 04-27-2023, 14:22
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 421
Rept. Given: 26
Rept. Rcvd 128 Times in 65 Posts
Thanks Given: 54
Thanks Rcvd at 816 Times in 300 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
There was a start of IDR64 here: https://github.com/crypto2011/IDR64 But it is marked as 'incomplete' so it may not work that well or have everything you'd need/want. Hasn't been worked on in a long time either so don't expect updates.
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
The Following 2 Users Say Thank You to atom0s For This Useful Post:
niculaita (04-27-2023), Stingered (04-27-2023)
  #3  
Old 04-27-2023, 18:06
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,136
Rept. Given: 334
Rept. Rcvd 229 Times in 120 Posts
Thanks Given: 272
Thanks Rcvd at 542 Times in 302 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Keep in mind that IDR / IDR64 is only for Delphi based binaries

I'd recommend Ida for PE64 - especially if you want to see high level like language... - HR decompilers are good enough
or try Ghidra as well
Reply With Quote
The Following User Says Thank You to sendersu For This Useful Post:
Stingered (04-27-2023)
  #4  
Old 04-27-2023, 21:59
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
Quote:
Originally Posted by sendersu View Post
Keep in mind that IDR / IDR64 is only for Delphi based binaries

I'd recommend Ida for PE64 - especially if you want to see high level like language... - HR decompilers are good enough
or try Ghidra as well
This is 100% a Delphi binary. I was not aware there was an IDR64 available. Have only used IDR for 32bit binaries. Was able to locate a version of IDR64 off GitHub!

Update: Copied the .BIN files from the 32bit version and IDR64 was able to load the binary.

Last edited by Stingered; 04-27-2023 at 22:07.
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
niculaita (04-27-2023)
  #5  
Old 04-28-2023, 13:45
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,136
Rept. Given: 334
Rept. Rcvd 229 Times in 120 Posts
Thanks Given: 272
Thanks Rcvd at 542 Times in 302 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Thats interesting case...
original IDR64 repo contains only syskb2012/13/14.bin files
I guess these were produced from corresponding 64 bit Delphi
but taking into account that 32 bit *.bin packages also works... it sounds very suspicious,
do you think that 32 bit code from 32 bit Delphi would have the same patterns as in 64 bit? Do you see any system modules APIs detected by reusing it from 32 bit IDR?
Just thoughts aloud
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 10:45.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )