ScratchABit

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors, for hardware and software interoperability, for security research).

ScratchABit supports well-known in the community IDAPython API to write disassembly/extension modules.

FAQ

Q: What processors/architectures are supported?

A: ScratchABit doesn’t support any processor architectures on its own, it is fully retargettable using IDAPython API plugins. Many plugins are available, writing a new plugin is easy. To let users test-drive ScratchABit, a simple x86 processor plugin is included in the distribution, using Pymsasid disassembler under the hood.

From version 2.0, Capstone plugin is also included, allowing access to a number of architectures, including x86, ARM, MIPS, PowerPC, SPARC, etc. (architecture support is enabled gradually based on user testing).

You can read about the plugins shipped together with ScratchABit in the README for plugins/cpu/ dir.

Q: Debugger?

A: ScratchABit is dedicated to static analysis and easy support for new CPU architectures (just code up an new CPU plugin in Python – you can get initial results in few hours). Dynamic analysis wasn’t conceived to be a core feature and there’re no immediate plans to implement it. Patches are welcome though.

Q: Decompiler?

A: There is a related project, called ScratchABlock for deep program analysis, transformation and decompilation. It’s expected that as ScratchABlock matures, some of its functionality will be available within ScratchABit (perhaps via plugins).

Q: I’m not on Linux, how can I run ScratchABit?

A: Install Linux in an emulator/VM on your system and rejoice.

Q: Mandatory screenshot?

A: Sure:

Download

git clone https://github.com/pfalcon/ScratchABit.git

Use

Copyright (C) 2015 pfalcon