Current Version: 0.5

Intro
The Examiner is an application that uses the objdump command to disassemble and comment unknown executable binaries. It was designed to analyze statically compiled binaries but works acceptably with others. It is intended for forensic research but can also be used for general reverse engineering.

This program can only handle basic disassembly. If the binary has been modified to resist debugging, the Examiner probably will not be able to analyze the code. The Examiner also does not analyze live running code. This can be a good thing, but if you need to look at code as it runs or deal with complicated disassembly, you should probably use Fenris.

I would like to support many other options and platforms still. This app is still in its early stages, so bear with me. My ultimate goal is to be able to get output similar to strace without executing the binary in question, and at the same time create a template file that can be read and further edited. Suggestions are always welcome.

Craig Smith

Sample
Here is a section of output:
 #CALL CHDIR_FUNCT("/")
 8048211:       e8 1e ef 00 00          call   0x8057134
 8048216:       6a 00                   push   $0x0
 #CALL CLOSE_FUNCT(STDIN)
 8048218:       e8 43 ef 00 00          call   0x8057160
 804821d:       6a 01                   push   $0x1
 #CALL CLOSE_FUNCT(STDOUT)
 804821f:       e8 3c ef 00 00          call   0x8057160
 8048224:       6a 02                   push   $0x2
 #CALL CLOSE_FUNCT(STDERR)
 8048226:       e8 35 ef 00 00          call   0x8057160
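As an added example (not the Examiner's own Perl code), the following Python script shows the technique behind the #CALL comments above: it walks `objdump -d` output, collects the `push` instructions that precede each `call`, and, because cdecl pushes arguments right to left, reports the last push as the first argument. The call-target names, the parameter kinds, the `.rodata` string table and the first `push` line of the sample listing are assumptions constructed for this example; the remaining listing lines are the ones shown above.

```python
import re

# Added example, not the Examiner's code: recover call arguments from the cdecl
# push sequence in `objdump -d` output, the way the #CALL comments do.

# Constructed sample modelled on the page's fragment. The call and fd pushes are
# the page's own lines; the first push (the pointer to "/") is an assumption
# added so that the chdir call has a string argument to resolve.
SAMPLE_OBJDUMP = """\
 804820c:       68 c8 a2 0a 08          push   $0x80aa2c8
 8048211:       e8 1e ef 00 00          call   0x8057134
 8048216:       6a 00                   push   $0x0
 8048218:       e8 43 ef 00 00          call   0x8057160
 804821d:       6a 01                   push   $0x1
 804821f:       e8 3c ef 00 00          call   0x8057160
 8048224:       6a 02                   push   $0x2
 8048226:       e8 35 ef 00 00          call   0x8057160
"""

# Assumed: which libc routine lives at each call target and what kind of value
# each parameter carries. In a real run these come from symbol/fingerprint matching.
SYMBOLS = {
    0x8057134: ("CHDIR_FUNCT", ("str",)),
    0x8057160: ("CLOSE_FUNCT", ("fd",)),
}
# Assumed .rodata contents (address -> NUL-terminated string) for the sample.
RODATA = {0x80aa2c8: "/"}
FD_NAMES = {0: "STDIN", 1: "STDOUT", 2: "STDERR"}

# One objdump line: address, raw bytes, mnemonic, operands.
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S+)\s*(.*?)\s*$")


def render_arg(operand, kind, rodata):
    """Turn a pushed operand into the text shown in a #CALL comment."""
    if operand.startswith("$"):            # immediate, e.g. $0x80aa2c8
        value = int(operand[1:], 16)
        if kind == "str" and value in rodata:
            return '"%s"' % rodata[value]
        if kind == "fd" and value in FD_NAMES:
            return FD_NAMES[value]
        return str(value)
    if operand.startswith("%"):            # register, e.g. %ebx -> BX
        return operand[1:].lstrip("e").upper()
    return operand                         # memory operand: leave as written


def annotate(listing, symbols=SYMBOLS, rodata=RODATA):
    """Return the listing with a #CALL comment before each call to a known routine."""
    out, pending = [], []                  # pending: pushes since the last call
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            mnemonic, operands = m.group(3), m.group(4)
            if mnemonic == "push":
                pending.append(operands)
            elif mnemonic == "call":
                target = operands.split()[0]
                try:
                    sym = symbols.get(int(target, 16))
                except ValueError:         # call *%eax etc.: target unknown
                    sym = None
                if sym:
                    name, kinds = sym
                    # cdecl pushes right to left, so the last push is argument 1;
                    # a parameter with no matching push is reported as "?".
                    raw = list(reversed(pending))
                    args = [render_arg(raw[i], k, rodata) if i < len(raw) else "?"
                            for i, k in enumerate(kinds)]
                    out.append(" #CALL %s(%s)" % (name, ",".join(args)))
                pending = []               # the call consumed its arguments
        out.append(line)
    return out


def call_comments(listing, symbols=SYMBOLS, rodata=RODATA):
    """Only the generated #CALL lines, for checking."""
    return [l for l in annotate(listing, symbols, rodata) if l.startswith(" #CALL")]


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE_OBJDUMP)))
```

Run it directly to print the annotated listing. The approach is purely syntactic, which is also its limit: compilers that store arguments with `mov` into stack slots instead of `push`, indirect calls such as `call *%eax`, and the anti-debugging modifications mentioned in the introduction all leave the comment incomplete or absent, which is why the script emits `?` for an argument it cannot find rather than guessing one.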
Here is an example of what a UPXinfo file looks like:
UPX information for ping.rootkit
====================================
Compressed with UPX v1.11
Version: 11
Format: LINUX i386
--- [ Info from the tail end ] ---
Version: 11 (Should be same as above)
Format: LINUX i386 (Should be same as above)
Method Used: NRV2B_LE32
Level of Compression: 10
Here is an example of xhierarchy output:
##
## Hierarchy of hackedelf.dump.commented
##
.TEXT_FUNCT
+ __LIBC_START_MAIN_FUNCT(80489e0,SI,CX,80486e4,8048dcc,DX,SP,AX)
+ _START_MAIN_FUNCT()
|+ FUNCTION40("/lib/security/. ...","[login]","ping",BX,SI,BP,BP)
||+ FOPEN_FUNCT(8,"r")
||+ TIME_FUNCT(0)
||+ SRAND_FUNCT(DX)

Summary of features
Supported Platforms
The app is written in Perl, but it currently disassembles only the following binaries:

Linux ELF i386 - (Actually it will do any ELF, but this is the testing platform)
FreeBSD i386 - (Not fully tested but seems to be working)
OpenBSD/NetBSD - Will run but still does a poor job of commenting

The app will also take advantage of the Linux source and include files when run on a Linux-based system.

Download
Examiner v0.5
CHANGELOG
Tutorial on Examiner
Man Page