-
Notifications
You must be signed in to change notification settings - Fork 85
/
RE
148 lines (116 loc) · 4.67 KB
/
RE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# reverse
# learn
https://github.com/mytechnotalent/Reverse-Engineering-Tutorial
http://wiki.yobi.be/wiki/Reverse-Engineering
# ghidra tuto
https://ringzer0.training/reverse-engineering-with-ghidra.html
# compiler explorer
http://gcc.godbolt.org/
# x64 c++ decompiler
Snowman https://derevenets.com/
# system calls
strace -e trace=open -p $PID
strace -f -s3000 -e trace=execve
# syscall dymanic tracer for Linux
https://github.com/iovisor/ply
# reversing network protocols
https://github.com/netzob/netzob
# static analysis tool for binaries. ELF/PE, x86/x64, IL RREIL, DBI PIN
https://bitbucket.org/mihaila/bindead/overview
# symbolic execution
https://github.com/trailofbits/manticore
# python for reverse engineering
http://pythonarsenal.erpscan.com/
# PE format
# windows executable walkthrough
https://code.google.com/p/corkami/wiki/PE?show=content
# jumps
Mnemonic Condition tested Description
jo OF = 1 overflow
jno OF = 0 not overflow
jc, jb, jnae CF = 1 carry / below / not above nor equal
jnc, jae, jnb CF = 0 not carry / above or equal / not below
je, jz ZF = 1 equal / zero
jne, jnz ZF = 0 not equal / not zero
jbe, jna CF or ZF = 1 below or equal / not above
ja, jnbe CF or ZF = 0 above / not below or equal
js SF = 1 sign
jns SF = 0 not sign
jp, jpe PF = 1 parity / parity even
jnp, jpo PF = 0 not parity / parity odd
jl, jnge SF xor OF = 1 less / not greater nor equal
jge, jnl SF xor OF = 0 greater or equal / not less
jle, jng (SF xor OF) or ZF = 1 less or equal / not greater
jg, jnle (SF xor OF) or ZF = 0 greater / not less nor equal
# timeless
qira
rr-project
Reven Axion https://www.youtube.com/watch?v=5WNRplDPf5s
# emulate asm with unicorn (http://idabook.com/ctf/pwn2win_botnet.txt)
def hook_syscall(mu, user_data):
mu.emu_stop()
def do_milkshake(milkshake):
#milkshake is the fleebot provided machine code
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(0x1000000, 4096)
mu.mem_write(0x1000000, milkshake)
mu.reg_write(UC_X86_REG_RSP, 0x1000000 + 4096 - 16)
mu.hook_add(UC_HOOK_INSN, hook_syscall, None, 1, 0, UC_X86_INS_SYSCALL)
mu.emu_start(0x1000000, 0x1000000 + len(milkshake))
rsi = mu.reg_read(UC_X86_REG_RSI)
rdx = mu.reg_read(UC_X86_REG_RDX)
magic = mu.mem_read(rsi, rdx)
return magic
# qa-based disassembly viewer based on radare2
https://github.com/sapir/sonare
# registers (AL, BL etc.)
http://i.stack.imgur.com/rzuaP.jpg
================ rax (64 bits)
======== eax (32 bits)
==== ax (16 bits)
== ah (8 bits)
== al (8 bits)
# stack layout
http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64/
http://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/
# 101
system call number passed in the EAX register
x86 args
1 2 3
ebx ecx edx
x64 args
1 2 3 4 5 6
rdi rsi rdx rcx r8 r9
argc argv
see http://wiki.osdev.org/Calling_Conventions
eax=1, rdi=1: write to stdout
eax=0, rdi=0: read from stdin
[corelan] The CPU’s general purpose registers (Intel, x86) are :
EAX : accumulator : used for performing calculations, and used to store return values from function calls. Basic operations such as add, subtract, compare use this general-purpose register
EBX : base (does not have anything to do with base pointer). It has no general purpose and can be used to store data.
ECX : counter : used for iterations. ECX counts downward.
EDX : data : this is an extension of the EAX register. It allows for more complex calculations (multiply, divide) by allowing extra data to be stored to facilitate those calculations.
ESP : stack pointer
EBP : base pointer
ESI : source index : holds location of input data
EDI : destination index : points to location of where result of data operation is stored
EIP : instruction pointer
lea eax,[ebp-0x4] // load effective address: eax recupere l'address
mov BYTE PTR [ebx], 2 ; Move 2 into the single byte at the address stored in EBX.
mov WORD PTR [ebx], 2 ; Move the 16-bit integer representation of 2 into the 2 bytes starting at the address in EBX.
mov DWORD PTR [ebx], 2 ; Move the 32-bit integer representation of 2 into the 4 bytes starting at the address in EBX.
* prologue
push ebp // increment esp de 4 bytes
move ebp, esp // ebp prend la valeur de esp
sub esp, 0x8
* epilogue
mov esp, ebp// esp prend la valeur de ebp
pop ebp
ret
//ou
leave
ret
# arm 101
https://azeria-labs.com/writing-arm-assembly-part-1/
# intel opcode reference
http://ref.x86asm.net/coder32.html