STAN

STAN is a sTAtic aNalyser. It is my pet project to learn about reverse engineering.

It is in alpha phase and it may crash at any point... but it is usable for simple projects...

Features

• Support 32 and 64 bits ELF binaries
• Support x86 (32/64bits) and ARM (32bits)
• Analysis capabilities
  • Automatically create function objects out of CALL mnemonics
  • Automatically create label objects out of JX mnemonics
  • Resolve IP relative addressing
  • Shows data when it is printable
• More to come

And this is how it looks like

Dependencies

STAN uses capstone (http://www.capstone-engine.org/) for its disassembling needs.

Installation

./configure && make && sudo make install

Commands

This is the list of current available commands

• case.dump. Dumps information about the current case/project
• case.save. Saves the current case. It will save the status in a file named against the binary loaded with the extension .srep
• case.load file.srep. Loads a previously saved case.
• case.save file.. Saves current core image (including patches) in a new file. Automatically creates a case file. If no name is provided the data is stored in 'original_core_file.PATCHED'.
• core.info. Dumps information about the current binary being analysed
• core.symbol. Dumps the symbols of the binary being analysed
• core.functions. Dumps the sumbols that STAN belives are functions
• core.labels. Dumps the identified labels
• core.load file. Loads the binary specified by file
• dis.section section_name. Disassembles a whole section
• dis.function function_name. Disassembles a function. You can define functions using func.def in case the analysis failed.
• dis.addr addr icount. Disassembles iconunt instructions from the specified address.
• dis.range. Disassembles the current defined working range. See set.range for detauls.
• set.range addt icount. Defines a starting addres and a instruction count to be disassembled using dis.range as a way to easily work on a region of a program
• func.rename old_function_name new_function_name. Renames a function
• func.def func_name address. Tells STAN that there is a function at address
• label.rename old_label_name new_label_name. Renames a lable
• label.gen_table prefix addr count. Generates label prefix_X for count pointer in a pointer table at addr
• comment.add address Comment. Adds a comment at a given address. Address has to be hexadecimal without 0x at the beginning
• comment.del address. Deletes a comment associated to a given address
• mem.dump fmt address count. Dumps count items from memory at address. Valid formats are x for hex bytes and p for pointers... more to come
• mem.poke fmt address string. Writes the specified string at address addr. Valid formats are x for hex bytes.
• mem.xor key address1 address2. Xor encodes from address1 to address2 using key.
• sym.def sym_name address. Defines a generic symbol at address
• help. Shows help
• help.abi. Shows the function calling convention for the binary being analysed
• quit. Do not leave STAN alone!!!!

You can use TAB autocompletion to figure out the commands. Segments, Functions and Labels are also autocompleted when available. Typinh a command with the wrong syntax will show the associated help