Cerbero Suite 4.3 is out and it comes with Decryption of Microsoft Office Documents!
– added Microsoft Office document decryption
– improved CFBF support
– minor improvements
– fixed bugs
More is coming soon…
The new version of Cerbero Suite is out with the following news:
– added CAB format support
– added convert/from_array and convert/to_array filters
– added detection of external resources in Office documents
+ improved renaming of variables in the decompiler
– improved dev/array filter
– included OpenSSL executable
– fixed bugs
We’ll be soon publishing videos detailing some of these additions!
The new version of Cerbero Suite is out with the following news:
+ added Carbon option to import PDB types into the project header
+ improved x86/x64 decompiler
– fixed bugs
The option in Carbon to import types into the header of a project when loading a PDB comes handy when a crash dump is associated to a structure.
In this case the BugCheck information tells us that at a specific address there’s an EPROCESS structure. By importing the types along with the symbols of ntoskrnl.exe, we import the correct EPROCESS structure to map onto memory.
Of course, Cerbero Suite contains kernel symbols for all version of Windows x86/x64, but by relying on the structures in the PDB we don’t need to load the correct Windows header from the headers folder: just import the types and then open the header of the project!
We’re proud to announce the release of Cerbero Suite 4.0!
There are many new features, especially in the advanced version. Support for ARM32/ARM64 in Carbon and the inspection of Windows crash dumps stand out as two major additions.
All of our customers can upgrade at a 50% discount their licenses for the next 3 months! We value our customers and everyone who has bought a license since June should have already received a free upgrade for Cerbero Suite 4! If you fall in that category and haven’t received a new license, please check your spam folder and in case contact us at firstname.lastname@example.org. Everyone who has acquired a license before June, but in the last 3 months, will get an additional discount.
Starting today we’ll be contacting all of our existing customers and provide them with a discount coupon. If you don’t get an email from us in the next two days, please contact us at email@example.com!
This is the full list of news:
+ added Carbon loader for Windows user address space
+ added Carbon loader for Windows DMP files
+ added Carbon support for ARM32 and ARM64
+ added Carbon support for PDB symbols
+ added support in Carbon to define data types
+ added memory analysis support for latest Windows 10 versions
– added Windows x64 setup
– added UI hook extensions
+ improved Windows memory analysis support
+ improved Windows DMP support
+ improved Carbon disassembly
+ improved Ghidra plugin and setup
+ improved decompiler output
– improved Hex Editor
– improved file stats view
– improved symbol demangling
– improved Python speed
– improved headers
– improved PE debug directory support
– improved PDB support
– improved dark mode support on macOS
– improved update check
– improved single view mode
– improved settings
– improved Python SDK
– updated SQLite to 3.32.0
– fixed bugs
Inspecting Windows crash dumps is important for many software developers. Cerbero Suite lets you easily inspect both kernel and mini-dumps. You can view the code, load PDB symbols, inspect the call stack, threads, exception information, bug check information, memory and much more.
This feature does not rely on WinDBG and works on every supported platform!
ARM32 and ARM64 are now supported in Carbon and naturally also in the Sleigh decompiler!
Every Windows address space can now be explored in Carbon, be it from a physical image or from a crash dump.
PDB files can be automatically downloaded and imported into Carbon. This feature does not rely on Windows APIs and works on every supported platform.
Data types can be defined in Carbon by pressing “D” or via the context menu.
The same data type can be reapplied by pressing “W”.
We added the headers necessary to perform memory analysis on the latest Windows 10 versions.
Throughout the lifetime of the 4.x series, we’ll continue improving on the support for Windows 10!
A Windows x64 edition has been long overdue, but we didn’t want to deprive our users from being able to run Cerbero Suite on older 32-bit versions of Windows, so we decided to keep both x86 and x64 editions!
A new type of extension has been introduced. The purpose of this extension type is to provide additional UI elements for specific parts of the UI. We currently use it to create Python plugins in our settings page.
We have improved Carbon all over the place: the analysis, UI, lists. The experience is now much more refined.
We improved the native UI for Ghidra. By default now the assembly is shown in lower case, as we think it’s easier to read (this feature is configurable).
We also added one more toolbar button in Ghidra for the Cerbero Launcher, a way to launch Cerbero tools on the file currently open in Ghidra.
Setting up the native UI for Ghidra is now easier than ever: just go to the settings in Cerbero under ‘Ghidra’ and click on ‘Install Ghidra plugin’, select the root folder of Ghidra and that’s it! Cerbero will take care of the installation for you!
We have improved the decompiler output by inferring the detection of deferred calls and literals from Carbon to it. A before/after screenshot comparison is worth more than a thousand words!
Apart from fixing some bugs, we have improved the hex editor by providing a wait dialog with progress and abort to every major data operation.
We tried to improve the file stats view by providing additional useful information for all the file formats which warranted it.
We have greatly improved symbols demangling both for Visual C++ and GCC. All type of mangled symbols are supported now!
We now deploy the bytecode files for all our Python plugins in order to decrease their load time.
Cerbero Suite 4 makes the update process even easier than before. Hashes for updates have always been cryptographically verified, but now you can opt to download the update directly from the UI and that too is verified.
More PDB strucutres are now explorable from the UI.
Apart from the Ghidra plugin installer, there’s a new tab in the settings to create a portable distribution of Cerbero Suite 4.
We have increased the amout of exposed SDK and added new APIs. Among the many things we have exposed is the Sleigh decompiler. Here’s a small code sample:
from Pro.UI import * from Pro.Carbon import * v = proContext().getCurrentView() c = v.getCarbon() d = CarbonSleighDecompiler(c) s = d.decompileToString(0x004028C9) print(s)
A Carbon instance can be created entirely from Python of course.
Single view mode is perhaps a barely known feature in Cerbero, but a rather useful one. If you press “Ctrl+Alt+S” while in a view, it will hide all other views. Pressing the shortcut again restores the previous state.
In Cerbero Suite 4 we have introduced the concept of dependent views and have updated single view mode to include them.
We can see an example of this by looking at a crash dump. When we are in the disassembly we would like to keep dependent views (like the call stack or the decompiler) visible when switching to single view mode.
Single view mode:
Apart from the news listed here, we have added many refinements and fixed many bugs.
We hope you enjoy this new release!
We’re happy to announce the release of Cerbero Suite 3.5!
This is a single feature release: it includes integration of the Ghidra decompiler (Sleigh) in our Carbon disassembler. No Ghidra or Java installation is necessary!
The decompiler features navigation, comments and renaming of functions, labels and variables.
If you like the idea, we can further expand the functionality and improve the output in next releases!
We’re happy to announce the release of Cerbero Suite 3.4!
This release comes with tons of improvements:
– added Python editor workspace
– added Python snippet action
– added Mariana theme
– improved deployment on OS X
+ improved Ghidra native UI
– improved filters
– improved hex workspace
– improved JS debugger
– improved Monokai theme
+ updated Ghidra support to 9.1-BETA
– fixed Header Manager crash due to themes
– fixed some bugs
As you can see from the screen-shots in this post, we have introduced the Mariana theme. I think it’s even easier on the eyes, than the Monokai one.
The Ghidra native UI is now compatible with the latest 9.1-BETA and has been further improved!
Deployment on OS X has been greatly improved by removing the external Python dependency. Just as in the Windows and Linux version, the OS X version now embeds Python.
Also interesting for OS X users: a new instance of Cerbero can be spawned from anywhere in the program by pressing Ctrl+Alt+N (or by clicking the relative toolbar button). This works on other platforms as well, but on OS X it’s especially useful.
To make the writing of scripts even easier, there’s a new action to insert a Python code snippet.
You can choose from a selection of useful snippets.
This is especially useful to avoid looking up the SDK even for simple things and in time the selection of snippets will grow.
We also improved and added new misc filters.
I personally played many CTFs using Cerbero Suite before working on this release and the improvements are directly related to that. I hope that our users will enjoy these improvements as much as we do!
We’re happy to announce the release of Cerbero Suite 3.3!
While the most anticipated feature may have been theme support, there’s much more:
Apart from themes, most of the work went into improving the Ghidra native UI. Specifically we improved navigation, added comments in the decompiler, added support for renaming variables and parameters both in the disassembly and the decompiler, improved cross references, added make code / undefine commands, added status updates, fixed bugs.
Also, if you’d like to run Ghidra and the native UI on two different machines, just open the install.pdf in util/ghidra.zip to learn how. 🙂
We also added support for x86/x64 MachO files in Carbon!
Cerbero can now run on Windows XP.
Everything is working apart from the Python ssl module (we might provide support for it in the future). So if you need a malware triage tool or just a Python3 interpreter on XP, you can use Cerbero. 🙂
This is a rather unusual release and as you can see the change-list is short:
+ added experimental native UI for Ghidra
+ improved disassembly speed
– fixed SSL on Linux
The main addition in version 3.2 is an experimental native UI for Ghidra. Here are a few screen-shots on all supported platforms.
Since this experimental UI has been more of a personal project, I discussed it in more depth on my blog.
As this is a proof of concept, it will be of fundamental importance whether or not you, the user, want this project to mature. Feedback is highly appreciated and will be taken into consideration in order to prioritize this feature and decide how much time to invest into it. Even curses are considered valuable feedback! 🙂
Supporting Ghidra has already had its benefits even considering other features. In fact, in version 3.2 the disassembly view of Carbon has been made faster as a positive side-effect. More of these benefits are about to come as we’re preparing a lot of cool new additions for the upcoming releases. 🙂
Version 3.1 is out with many improvements! The main news is the support in Carbon for ELF files and the improved deployment of the Linux edition.
This is the full list of news:
+ added ELF Carbon loader
+ added edit bytes command to Carbon
+ added write method to Carbon
+ added detection of 16-bits wide strings in Carbon
+ added open in hex editor action in Carbon
+ added filters to Carbon
+ added Carbon Monokai theme
– added single view mode (Ctrl+Alt+S)
– improved deployment on Linux
+ improved x86/x64 disassembly
– improved hex workspace
– updated capstone to 4.0.1
– fixed misidentified object crash
– fixed some bugs
Here we can see an ELF x64 file in Carbon. As we can see we have an entry point with a call to __libc_start_main.
We can follow the first argument which will bring us to the main function.
.text:0x000007BA main proc start .text:0x000007BA ; EXPORT .text:0x000007BA ; DATA XREF: 0x000006CD .text:0x000007BA 55 push rbp .text:0x000007BB 48 89 E5 mov rbp, rsp .text:0x000007BE 8B 05 4C 08 20+ mov eax, dword ptr [rip + 0x20084C] .text:0x000007C4 89 C6 mov esi, eax .text:0x000007C6 48 8D 3D B7 00+ lea rdi, [rip + 0xB7] ; "test is: %d\n" .text:0x000007CD B8 00 00 00 00 mov eax, 0 .text:0x000007D2 E8 B9 FE FF FF call plt_002 -> printf .text:0x000007D7 B8 00 00 00 00 mov eax, 0 .text:0x000007DC E8 9F FE FF FF call plt_001 -> libfunc .text:0x000007E1 89 C6 mov esi, eax .text:0x000007E3 48 8D 3D A7 00+ lea rdi, [rip + 0xA7] ; "libfunc result is: %d\n" .text:0x000007EA B8 00 00 00 00 mov eax, 0 .text:0x000007EF E8 9C FE FF FF call plt_002 -> printf .text:0x000007F4 B8 00 00 00 00 mov eax, 0 .text:0x000007F9 5D pop rbp .text:0x000007FA C3 ret .text:0x000007FA .text:0x000007FA main proc end
Simple 16-bit wide strings are now automatically detected in Carbon.
It is now possible to open the hex editor from the disassembly. To demonstrate this feature I crafted a small executable which asks for a password and prints an error message if the password is wrong.
We can easily find the “wrong password” string in Carbon by pressing Ctrl+5.
Right before the referenced string, there’s a scanf followed by a strcmp.
We go to the jne which evaluates the result of the strcmp and we open the hex editor from the contextual menu. It will ask us to open a file (it must be a copy of the file we’re analysing).
We can just nop the two bytes representing the jne and then we save the file.
Whatever password we insert now, it will be accepted.
While filters are already accessible from hex views, it is now possible to access them from Carbon as well.
Let’s take the same sample analyzed in the previous blog post with xored strings. We select on of those xored strings and we open the filters from the contextual menu or by pressing Ctrl+T.
We can now test out a filter on the selected bytes. In this case we simply use a xor to see the string in plain.
The Monokai theme has been added to Carbon.
I have been using this theme for some development projects and wondered what it would look like in a disassembly. I don’t know about you, but I like it… 🙂
While it has always been possible to trigger the full-screen mode via Ctrl+Alt+F, now there’s also single-view mode which can be triggered via Ctrl+Alt+S.
What it does is to hide all other views, leaving only the focused view open. Press the same shortcut to exit the mode and have all other views visible again.
The Linux edition has been drastically improved by simplifying its deployment. As a result it should now be compatible with many more versions of Linux, without having to adjust dependencies. It also comes with a built-in Python distribution, just like the Windows edition.
The disassembly in Carbon has been improved so that it now shows import forward calls. Let’s take this simple call to __crtTerminateProcess.
If we follow the call, we’ll see that it just calls a jumps which in turn jumps to the actual API.
These sort of calls to jumps or jumps to jumps are now automatically resolved to improve the readability of the code.
The hex workspace comes with a number of small improvements, but mainly the initial layout doesn’t show the output view by default.
We hope you enjoy this version as we’re already working on the next one and I can’t wait to show you some of the cool things we’re working on. 🙂
We’re proud to announce the release of the new 3.0 version of Cerbero Suite!
The main news for the advanced version is the introduction of the Carbon Interactive Disassembler and of a full-fledged hex-editor, while the standard version features only the hex-editor.
We have removed the nag-screen from our trial, making ours the most permissive trial of all time. 🙂 Truth is, I have never been a fan of software protections, as they degrade the experience for every user, including customers and limit the immediacy of application of the software when needed.
We live in a time with virtual machines and it’s often necessary to install something on the fly and use it right away. That’s also why we included a local Python distribution in our installer on Windows, so that users are no longer required to separately install Python and configure it in our software, but can use all the functionality right away after a quick installation process.
While we changed the prices of our commercial licenses, we kept basically unchanged prices for personal licenses. Also, for a week starting today all personal licenses are sold at a discount, so hurry up! 😉
All of our customers can upgrade at a 50% discount their licenses for the next 3 months. Not only that, for the same period of time, customers of the 2.x series can purchase new licenses at a 50% discount! If you want to upgrade or purchase a new license at a discount, please contact us at firstname.lastname@example.org.
As usual our licenses will be valid for the whole duration of the 3.x series. Because of this licensing scheme we offer even bigger discounts to anyone who bought a license in the last two months. Please contact us at email@example.com to get a precise renewal quote.
This is the full list of news for the 3.0 version:
+ added Carbon interactive disassembler
– added hex editing workspace
– added command line workspace
+ added Windows DMP format support
+ added Windows Hibernation files format support
– added undo capability in hex views
– exposed workspaces to Python
– improved appearance on high resolution displays
– improved support for SQLite files
+ improved support for EML files
– included local python on Windows
(Note: entries with the ‘+’ sign apply only to the advanced edition.)
As we want to share our road-map with our users, in the next releases we’ll:
– Improve some of the rough edges still present in Carbon.
– Continue working on our x86/x64 analysis.
– Add loaders for ELF and Mach-O.
– Start working on creating signatures for library functions.
– Improve code analysis for memory images.
– Further improve memory analysis.
– Start working on analysis for ARM. This, however, may take a while.
Have a great day and happy hacking! 😉