Reversing
- https://www.pentestpartners.com/security-blog/how-to-do-firmware-analysis-tools-tips-and-tricks/
- https://advancedpersistentjest.com/2017/06/19/reversing-the-balong-m3mcu-console-lightning-the-path-to-ring-0/
- https://blog.ret2.io/2017/11/16/dangers-of-the-decompiler/
- https://puri.sm/posts/primer-to-reverse-engineering-intel-fsp/
- https://quequero.org/2017/07/arm-exploitation-iot-episode-1/
- https://quequero.org/2017/09/arm-exploitation-iot-episode-2/
- https://quequero.org/2017/11/arm-exploitation-iot-episode-3/
- http://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/
- https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/
- http://grangeia.io/2015/11/30/hacking-tomtom-runner-pt3/
- Reverse Engineering using the Linux Operating System
- Breaking State-of-the-Art Binary Code Obfuscation
- RECON Bruxelles 2018 slide
- BOLO: Reverse Engineering — Part 1 (Basic Programming Concepts)
- Starting Embedded Reverse Engineering: FreeRTOS, libopencm3 on STM32F103C8T6
- Intro to x64 reversing
- Ida- how to find connection between 2 functions
- How to Hack an Expensive Camera and Not Get Killed by Your Wife
- Deobfuscating MoVfuscator - Part 2
- [DSCTF 2019] CPU Adventure – Unknown CPU Reversing
- Weisfeiler-Lehman Graph Kernel for Binary Function Analysis
- malrev/ABD Course materials for Advanced Binary Deobfuscation by NTT Secure Platform Laboratories
- Bootstrapping Understanding: reversing the level data file for "Chip's Challenge" game
- Reverse engineering Flutter apps (Part 1)
- Analyzing the USB Controller's Firmware
- Advanced Binary Deobfuscation
- Reverse Engineering WiFi on RISC-V BL602
- Symbolic Execution Demystified 2022
- Defeating Code Obfuscation with Angr
- Guy's 30 Reverse Engineering Tips & Tricks
- Unveiling Secrets in Binaries using Code Detection Strategies
Intermediate languages and representations
Protocol
- Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
- USB Reverse Engineering: Down the rabbit hole
- Slides about protocol reverse engineering by netspooky
Hardware
Links
- zeptobars
- visual6502
- siliconpr0n
- CSCI 4974 / 6974 Hardware Reverse Engineering
- UPC UBEE EVW3226 WPA2 Password Reverse Engineering
- im-me LCD Interface Hacked
- Reverse Engineering Flash Memory for Fun and Benefit
- Reverse Engineering the TP-Link HS110
- Embedded Devices Security Firmware Reverse Engineering
- Reversing the parrot skycontroller firmware
- depcb: PCB Reverse Engineering tool
- Reversing the 76477 "Space Invaders" sound effect chip from die photos
- NMOS IC Reverse Engineering
- Video Reading Silicon: How to Reverse Engineer Integrated Circuits
- Pwn2Win 2017 - Shift Register
- Silicon die analysis: inside an op amp with interesting "butterfly" transistors
- Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1
- REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS
- Hardware Debugging for Reverse Engineers Part 1: SWD, OpenOCD and Xbox One Controllers
- Reverse Engineering a Digital Answering Machine (part 1)
- Reversing TL-WR840N
- Reverse Engineering an Unknown Microcontroller
- Reverse Engineering the M1
- Reverse Engineering the M6 Smart Fitness Bracelet
Software
- Reverse engineering and removing Pokémon GO’s certificate pinning
- Toy decompiler for x86-64 written in Python
- Finding the actual Thumb code in firmware
- Reverse Engineering Exercises for ARM
- Static analysis of an unknown compression format
- Reverse Engineering Encrypted Code Segments
- Reverse engineer USB stack of Exynos BootROM
- r2-pay: anti-debug, anti-root & anti-frida (part 1)
- r2-pay: whitebox (part 2)
- Undocumented Fastboot Oem Commands
ARM
C++
- Reversing C++ Virtual Functions: Part 1
- Reversing C++
- How to find the location of the vtable?
- Guidelines to MFC reversing
Win32
- How to GetProcAddress() like a boss
- Reversing Microsoft Visual C++ Part I: Exception Handling
- Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI
- PortEx Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness
- Applied Reverse Engineering: Exceptions And Interrupts
- Methodology for Static Reverse Engineering of Windows Kernel Drivers
Java
- Introduction to Radare Java Reverse Engineering
- Using Radare to Enumerate Artifacts in a Java Class File
- The Java Virtual Machine Instruction Set
- Exploring Java bytecode
- charles2gan/GDA-android-reversing-Tool GDA is a new fast and powerful decompiler in C++(working without Java VM) for the APK, DEX, ODEX, OAT, JAR, AAR, and CLASS file. which supports malicious behavior detection, privacy leaking detection, vulnerability detection, path solving, packer identification, variable tracking, deobfuscation, python&java scripts, device memory extraction, dat…
It is possible to edit a single class file and save it; afterwards you can put it back into the jar with
$ jar uf jar-file input-file(s)
If you want to quickly find class names across a set of jars you can run this one-liner (the jar is a zip archive, so the class names survive as plain strings in its central directory):
$ for f in /path/to/jars/*; do echo "-- $f --"; strings -10 "$f"; done | less
An example with radare2 of what you can see reversing the simple hello world program:
/ (fcn) sym.HelloWorld.main 9
| sym.HelloWorld.main ();
| 0x00000183 b20002 getstatic java/lang/System/out Ljava/io/PrintStream;
| 0x00000186 1203 ldc "Hello, World"
| 0x00000188 b60004 invokevirtual java/io/PrintStream/println(Ljava/lang/String;)V
\ 0x0000018b b1 return
[0x00000158]> is
[Symbols]
Num Paddr Vaddr Bind Type Size Name
000 0x00000158 0x00000158 NONE FUNC 5 <init>
000 0x00000142 0x00000142 NONE FUNC_META 43 meta_<init>
001 0x00000183 0x00000183 NONE FUNC 9 main
001 0x0000016d 0x0000016d NONE FUNC_META 51 meta_main
001 0x00000001 0x00000001 NONE import 0 imp.<init>
002 0x00000002 0x00000002 NONE import 0 imp.out
004 0x00000004 0x00000004 NONE import 0 imp.println
[0x00000158]> iz
[Strings]
Num Vaddr Paddr Len Size Section Type String
007 0x00000022 0x00000022 6 9 () ascii <init>
008 0x0000002b 0x0000002b 3 6 () ascii ()V
009 0x00000031 0x00000031 4 7 () ascii Code
010 0x00000038 0x00000038 15 18 () ascii LineNumberTable
011 0x0000004a 0x0000004a 4 7 () ascii main
012 0x00000051 0x00000051 22 25 () ascii ([Ljava/lang/String;)V
013 0x0000006a 0x0000006a 10 13 () ascii SourceFile
014 0x00000077 0x00000077 15 18 () ascii HelloWorld.java
018 0x00000096 0x00000096 12 15 () ascii Hello, World
021 0x000000ad 0x000000ad 10 13 () ascii HelloWorld
022 0x000000ba 0x000000ba 16 19 () ascii java/lang/Object
023 0x000000cd 0x000000cd 16 19 () ascii java/lang/System
024 0x000000e0 0x000000e0 3 6 () ascii out
025 0x000000e6 0x000000e6 21 24 () ascii Ljava/io/PrintStream;
026 0x000000fe 0x000000fe 19 22 () ascii java/io/PrintStream
027 0x00000114 0x00000114 7 10 () ascii println
028 0x0000011e 0x0000011e 21 24 () ascii (Ljava/lang/String;)V
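The `is`/`iz` listings above are essentially the class file's constant pool (class references, string literals, method descriptors). As an added example, not part of the original notes or of radare2, here is a small Python parser that walks a class file's constant pool and pulls out the class names and string literals it references; the class file it parses is constructed inline so it runs offline.

```python
import struct

# Constant-pool tags from the JVM spec (section 4.4) that carry a reference or text.
CONSTANT_Utf8, CONSTANT_Class, CONSTANT_String = 1, 7, 8
# Remaining tags have a fixed-size payload; long/double (5, 6) also occupy two pool slots.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return (class names, string literals) referenced by a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count = slots + 1
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == CONSTANT_Utf8:
            length = struct.unpack(">H", data[off:off + 2])[0]
            pool[idx] = (tag, data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        elif tag in (CONSTANT_Class, CONSTANT_String):
            pool[idx] = (tag, struct.unpack(">H", data[off:off + 2])[0])  # index of a Utf8 entry
            off += 2
        elif tag in FIXED_SIZE:
            pool[idx] = (tag, data[off:off + FIXED_SIZE[tag]])
            off += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        idx += 2 if tag in (5, 6) else 1
    # Resolve Class/String entries through the Utf8 entry they point at (malformed refs raise KeyError).
    classes = [pool[ref][1] for tag, ref in pool.values() if tag == CONSTANT_Class]
    strings = [pool[ref][1] for tag, ref in pool.values() if tag == CONSTANT_String]
    return classes, strings

def build_sample_class():
    """Constructed minimal class file (constant pool plus empty trailing structures), for the demo only."""
    utf8 = lambda s: struct.pack(">BH", CONSTANT_Utf8, len(s)) + s
    entries = [utf8(b"HelloWorld"),                       # 1
               struct.pack(">BH", CONSTANT_Class, 1),     # 2 -> HelloWorld
               utf8(b"java/lang/Object"),                 # 3
               struct.pack(">BH", CONSTANT_Class, 3),     # 4 -> java/lang/Object
               utf8(b"Hello, World"),                     # 5
               struct.pack(">BH", CONSTANT_String, 5),    # 6 -> "Hello, World"
               struct.pack(">BQ", 5, 1234)]               # 7-8: CONSTANT_Long takes two slots
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 9)  # minor, major, pool count (8 slots + 1)
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)   # flags, this, super, no members
    return header + b"".join(entries) + trailer

if __name__ == "__main__":
    print(parse_constant_pool(build_sample_class()))
```

Pointing `parse_constant_pool` at the bytes of a real `.class` file (for example one pulled out of a jar with `unzip`) gives the same class and string lists radare2 shows under `iz`.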
Go
- The Go low-level calling convention on x86-64
- Reversing GO binaries like a pro
- Reverse Engineering Go, Part I
Android
- http://www.juanurs.com/Bypassing-Android-Anti-Emulation-Part-II/
- Kotlin and Java: How Hackers See Your Code
- Android application reversing 101
- Android OWASP crackmes: Write-up UnCrackable Level 2
- Reversing HackEx - An android game
- CyberTruckChallenge The CyberTruckChallenge is a workshop about Android Security sponsored by NowSecure and created by @enovella.
- shroudedcode/apk-mitm A CLI application that prepares Android APK files for HTTPS inspection
- fkie-cad/DeStroid Fighting String Encryption in Android Malware
- Reverse engineering Flutter for Android
- Obfuscated obfuscation: reversing of an APK of a device
Python
- Looking inside the box: notes about reversing Dropbox's client
SEGA
WASM
WebAssembly is a new type of code that can be run in modern web browsers and provides new features and major gains in performance. It is not primarily intended to be written by hand, rather it is designed to be an effective compilation target for low-level source languages like C, C++, Rust, etc.
There are currently two distinct sets of tools that are of interest to compiler writers or developers who want to work with WebAssembly binary generated by other tools like Emscripten:
Links
- Specification
- Mozilla's documentation
- WASM fiddle
- Reversing WASM
- wasmdec WebAssembly to C decompiler
- Writing WebAssembly By Hand
Tools
Z3
MIT licensed SMT solver from Microsoft Research
- Z3 API in Python
- Breaking Algorithms - SMT Solvers for WebApp Security
- Z3 by example
- A gentle introduction to SMT-based program analysis
import z3
# Byte table taken from the analysed binary.
b = [
106, 196, 106, 178, 174, 102, 31, 91,
66, 255, 86, 196, 74, 139, 219, 166,
106, 4, 211, 68, 227, 72, 156, 38, 239,
153, 223, 225, 73, 171, 51, 4, 234, 50,
207, 82, 18, 111, 180, 212, 81, 189, 73, 76
]
solver = z3.Solver()
# One symbolic 8-bit byte, pinned to the value 212 observed in the binary.
B39 = z3.BitVec("B39", 8)
solver.add(B39 == 212)
# Undo the additions the checker applied; the 8-bit BitVec models the wraparound for us.
B39 -= b[18] + b[16] + b[8] + b[19] + b[5] + b[23] + 36
# Require the recovered byte to be printable ASCII.
solver.add(B39 <= 0x7f)
solver.add(B39 >= 0x20)
print(solver.check())
print(solver.model())
# Evaluate the derived expression in the model to get the original character.
print(chr(solver.model().eval(B39).as_long()))
Binwalk
$ git clone https://github.com/devttys0/binwalk && cd binwalk
$ sudo ./deps.sh
$ sudo python setup.py install
Plasma
Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
This is the github repo. The installation instructions are strange, but a simple
$ pip3 install -r requirements.txt
$ ./install.sh --update
works (use --update also the first time, otherwise it will clone capstone for no reason).
$ plasma -i /opt/low-level/docs/code/payload-eater_x86
plasma> help
analyzer
Analyzer status.
dump SYMBOL|0xXXXX|EP [NB_LINES]
Print contents at the specified address.
exit
Exit
frame_size [SYMBOL|0xXXXX|EP] frame_size
Change the frame size of a function, the function will be re-analyzed.
functions
Print the function list.
help
Display this help.
hexdump SYMBOL|0xXXXX|EP [NB_LINES]
Dump memory in hexa.
history
Display the command history.
info
Information about the current binary.
jmptable INST_ADDR TABLE_ADDR NB_ENTRIES SIZE_ENTRY
Create a jump table referenced at TABLE_ADDR and called
from INST_ADDR.
memmap
Open a qt window to display the memory.
mips_set_gp ADDR
Set the register $gp to a fixed value. Note that it will
erase all defined memory.
py [!][FILE]
Run an interactive python shell or execute a script.
Global variables api and args will be passed to the script.
The character ! is an alias to the scripts directory.
push_analyze_symbols
Force to analyze the entry point, symbols and a memory scan will be done.
rename OLD_SYM NEW_SYM
Rename a symbol.
save
Save the database.
sections
Print all sections.
sym [SYMBOL 0xXXXX] [| FILTER]
Print all symbols or set a new symbol.
You can filter symbols by searching the word FILTER.
If FILTER starts with -, the match is inversed.
x [SYMBOL|0xXXXX|EP]
Decompile and print on stdout. By default it will be main.
The decompilation is forced, it dosn't check if addresses
are defined as code.
v [SYMBOL|0xXXXX|EP|%VISUAL]
Visual mode: if no address is given, previous visual is
reopen. You can keep up to 3 visuals. Use %1, %2 or %3
to select the visual.
Main shortcuts:
c create code
b/w/d/Q create byte/word/dword/qword
a create ascii string
p create function
o set [d|q]word as an offset
* create an array
x show xrefs
r rename
space highlight current word (ctrl-k to clear)
; edit inline comment (enter/escape to validate/cancel)
U undefine
Options:
I switch to traditional instruction string output (3 modes)
M show/hide mangling
B show/hide bytes
Navigation:
| split the window
j jump to an address or a symbol
/ binary search: if the first char is ! you can put an
hexa string example: /!ab 13 42
the search is case sensitive.
n/N next/previous search occurence
g top
G bottom
z set current line on the middle
% goto next bracket
{ } previous/next paragraph
tab switch between dump/decompilation
enter follow address
escape go back
u re-enter
q quit
xrefs SYMBOL|0xXXXX|EP
Print cross references to the specified address.
Vivisect
This is the github page.
Capstone
Below is a quick dump of the commands needed to cross-compile it for ARM:
# apt-get install gcc-arm-linux-gnueabi
$ git clone https://github.com/aquynh/capstone && cd capstone
$ CROSS=arm-linux-gnueabi- ./make.sh
...
$ file libcapstone.so
libcapstone.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=d3aa90b9edfef4bdd461ac5908c7a2ec08b7d199, not stripped