In this chapter, we have learned that, even if the file is not a Windows or a Linux x86-native executable, we can still analyze a non-x86 executable file. With static analysis alone, we can analyze a file without even doing dynamic analysis, although we still need references to understand the low-level language of non-x86 architectures, categorized as RISC or CISC. Just as we learned x86 assembly language, languages such as ARM assembly can be learned with the same concepts.

However, an analysis can still be proven with actual code execution, using dynamic analysis. To do that, we need to set up the environment where the executable will run natively. We introduced an emulation tool called QEMU that can do the job for us. It has quite a number of architectures that it can support, including ARM. Today, one of the most popular operating system using ARM architecture is Arch Linux. This operating system is commonly deployed by Raspberry Pi enthusiasts.

We also learned about debugging MBR code taken from a disk image. Using Bochs, a tool that can emulate the boot sequence of an x86 system, we were able to show how you can load and debug 16-bit code that uses hardware interrupts. In addition, some ransomware employ features that can inject or replace the MBR with malicious code. With what we learned in this chapter, nothing can stop us from reversing these pieces of code.