Native Code Analysis

JEB is fully-equipped to perform native code analysis of binary files compiled for Windows (PE), Linux and variants (ELF), or most other platforms, including headless firmware files.

Info

Find additional documentation about JEB's native analysis pipeline (code analysis and decompilation) on our blog: List of posts tagged Native Code.

Decompilers

JEB Pro ships with analysis modules, including gendec decompilers for Intel x86, ARM, MIPS, RISC-V, Ethereum, WebAssembly, and more.

gendec is a deobfuscating decompiler that attempts to clean and restructure binary code as much as it can. It ships with many built-in optimizers, including advanced ones such as a control-flow unflattener, an opaque predicate cleaner, and various code cleaners. It is also extensible for users who wish to craft their own IR plugins.

Find out more about gendec on our blog.

Siglibs

JEB supports the creation of signature libraries (siglibs) for library code recognition. JEB Pro includes complete library signature sets for:

  • Android NDK libraries (ARM/ARM64). Common libraries (libc, libc++, zlib, etc.) are signed from NDK v11 up to the latest version (v20 as of 11/19).
  • Microsoft Visual Studio libraries (x86/x86-64). C runtime libraries and standard C++ libraries are signed from Visual Studio 2003 up to Visual Studio 2019.

Note

Users can generate their own signature libraries: see Native Signatures Generation (blog). For a presentation of the Android NDK signatures, see Android NDK Library Signatures (blog).

Typelibs

JEB supports the creation of type libraries (typelibs) for common Windows and Linux subsystems, including:

  • Android NDK on ARM 32-bit
  • Android NDK on ARM 64-bit
  • Android NDK on x86 32-bit
  • Android NDK on x86 64-bit
  • Windows win32 on Intel x86 32-bit
  • Windows win32 on Intel x86 64-bit
  • Windows win32 on ARM 32-bit
  • Windows win32 on ARM 64-bit
  • Windows DDK on Intel x86 32-bit
  • Windows DDK on Intel x86 64-bit
  • Linux glibc on Intel x86 32-bit
  • Linux glibc on ARM 32-bit
  • Linux glibc on MIPS 32-bit

Note

Users can generate their own type libraries: see Native Types and Typelibs (blog).

Native Code Actions

Common native code actions can be found in the Native menu.

Analysis Types

Standard Analysis

Leave the default settings.

Quick Analysis

The simplest and fastest type of initial analysis can be achieved with the following settings:

  • Analysis Style: select LAZY NO DATA
  • Advanced Analysis: Disabled
  • RTTI recovery: Disabled
  • Global Analysis: Disabled
  • Signatures Package Loading (siglib): Disabled
  • Tail call analysis: Disabled
  • Switch Analysis: Disabled

Section to be completed