From e896d65b84bc7c81469545164d176b9542d46e03 Mon Sep 17 00:00:00 2001 From: Mari Wahl Date: Thu, 20 Nov 2014 20:45:07 -0500 Subject: [PATCH] reverse eng --- README.md | 57 +++++--- Reverse_Engineering/README.md | 246 +++++++++++++++++++++++++++++++--- 2 files changed, 266 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 39fb6d9..6d4a2d7 100644 --- a/README.md +++ b/README.md @@ -19,53 +19,68 @@ All in one big bag. For fun, profits, or CTFs. ----- +---- ### Useful Command Line #### Searching - - + + ``` grep word f1 - + sort | uniq -c - + diff f1 f2 - + find -size f1 ``` - - + + #### Compressed Files - - + + ``` zcat f1 > f2 - + gzip -d file - + bzip2 -d f1 - + tar -xvf file ``` - - - + + + #### Connecting to a Server/Port - + ``` echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000 - + openssl s_client -connect localhost:30001 -quiet - + nmap -p 31000-32000 localhost - + telnet localhost 3000 ``` - + + +---- + +## References: + +### Books +- The Tangled Web +- The Art of Exploitation +- The Art of Software Security Assessment: +- Practical Packet Analysis + +### Websites +- https://ctf.isis.poly.edu + + ---- ### License diff --git a/Reverse_Engineering/README.md b/Reverse_Engineering/README.md index bfcdae8..ebebf0e 100644 --- a/Reverse_Engineering/README.md +++ b/Reverse_Engineering/README.md @@ -1,6 +1,219 @@ # Reverse Engineering +* Objective: turn a x86 binary executable back into C source code. +* Understand how the compiler turns C into assembly code. +* Low-level OS structures and executable file format. +--- +##Assembly 101 + +### Arithmetic Instructions + +``` +mov eax,2 ; eax = 2 +mov ebx,3 ; ebx = 3 +add eax,ebx ; eax = eax + ebx +sub ebx, 2 ; ebx = ebx - 2 +``` + +### Accessing Memory + +``` +mox eax, [1234] ; eax = *(int*)1234 +mov ebx, 1234 ; ebx = 1234 +mov eax, [ebx] ; eax = *ebx +mov [ebx], eax ; *ebx = eax +``` + +### Conditional Branches + +``` +cmp eax, 2 ; compare eax with 2 +je label1 ; if(eax==2) goto label1 +ja label2 ; if(eax>2) goto label2 +jb label3 ; if(eax<2) goto label3 +jbe label4 ; if(eax<=2) goto label4 +jne label5 ; if(eax!=2) goto label5 +jmp label6 ; unconditional goto label6 +``` + +### Function calls + +First calling a function: + +``` +call func ; store return address on the stack and jump to func +``` +The first operations is to save the return pointer: +``` +pop esi ; save esi +``` + +Right before leaving the function: +``` +pop esi ; restore esi +ret ; read return address from the stack and jump to it +``` +--- + + +## Modern Compiler Architecture + +**C code** --> Parsing --> **Intermediate representation** --> optimization --> **Low-level intermediate representation** --> register allocation --> **x86 assembly** + +### High-level Optimizations + + + +#### Inlining + +For example, the function c: +``` +int foo(int a, int b){ + return a+b +} +c = foo(a, b+1) +``` +translates to c = a+b+1 + + +#### Loop unrolling + +The loop: +``` +for(i=0; i<2; i++){ + a[i]=0; +} +``` +becomes +``` +a[0]=0; +a[1]=0; +``` + +#### Loop-invariant code motion + +The loop: +``` +for (i = 0; i < 2; i++) { + a[i] = p + q; +} +``` +becomes: +``` +temp = p + q; +for (i = 0; i < 2; i++) { + a[i] = temp; +} +``` + +#### Common subexpression elimination + +The variable attributions: +``` +a = b + (z + 1) +p = q + (z + 1) +``` + +becomes +```` +temp = z + 1 +a = b + z +p = q + z +``` + +#### Constant folding and propagation +The assignments: +``` +a = 3 + 5 +b = a + 1 +func(b) +``` + +Becomes: +``` +func(9) +``` + +#### Dead code elimination + +Delete unnecessary code: +``` +a = 1 +if (a < 0) { +printf(“ERROR!”) +} +``` +to +``` +a = 1 +``` + +### Low-Level Optimizations + +#### Strength reduction + +Codes such as: +``` +y = x * 2 +y = x * 15 +``` + +Becomes: +``` +y = x + x +y = (x << 4) - x +``` +#### Code block reordering + +Codes such as : + +``` +if (a < 10) goto l1 +printf(“ERROR”) +goto label2 +l1: + printf(“OK”) +l2: + return; +``` +Becomes: +``` +if (a > 10) goto l1 +printf(“OK”) +l2: +return +l1: +printf(“ERROR”) +goto l2 +``` + + +#### Register allocation + +* Memory access is slower than registers. +* Try to fit as many as local variables as possible in registers. +* The mapping of local variables to stack location and registers is not constant. + +#### Instruction scheduling + +Assembly code like: +``` +mov eax, [esi] +add eax, 1 +mov ebx, [edi] +add ebx, 1 +``` +Becomes: +``` +mov eax, [esi] +mov ebx, [edi] +add eax, 1 +add ebx, 1 +``` + + +--- ## Tools Folder - X86 Win32 Cheat sheet @@ -9,7 +222,7 @@ - Command line tricks - +---- ## Other Tools - gdb @@ -27,18 +240,18 @@ - uncompyle2 (Python) - unpackers, hex editors, compilers - +--- ## Encondings/ Binaries - + ``` file f1 - + ltrace bin - + strings f1 - + base64 -d - + xxd -r nm @@ -47,17 +260,17 @@ objcopy binutils ``` - - + +--- ## Online References [Reverse Engineering, the Book]: http://beginners.re/ - +--- ## IDA - Cheat sheet @@ -65,7 +278,7 @@ binutils - +--- ## gdb - Commands and cheat sheet @@ -88,8 +301,8 @@ set disassembly-flavor intel disas main ``` - -## objdump +--- +## objdump Display information from object files: Where object file can be an intermediate file created during compilation but before linking, or a fully linked executable @@ -98,14 +311,15 @@ created during compilation but before linking, or a fully linked executable $ objdump -d ``` +---- ## hexdump & xxd For canonical hex & ASCII view: ``` -$hexdump -C +$hexdump -C ``` - -## xxd +---- +## xxd Make a hexdump or do the reverse: ``` xxd hello > hello.dump