Say have a binary file without the source code available, how to get started understanding how it works?
I found some sources:
- http://decompilation.wiki/
- https://mahaloz.re/dec-progress-2024
- https://github.com/NationalSecurityAgency/ghidra
Can I spot places in the code that make network connection attempts, de obfuscate spyware?
For network calls, they probably have socket related system calls in the binary file, that would be my second step in reversing. First step would be to try things like Wireshark to intercept the network calls only, as that would be a lot cleaner.
When you say “intercept the network calls” with Wireshark, are you able to hook Wireshark to a selected binary so that it shows its network traffic?
I don’t really know much about how capable Wireshark filtering is to be honest. I usually can filter out what I think are background noises, and it has been enough for me so far. No clue if Wireshark allows filtering by process ID.
