
Reversing

Intermediate languages and representations

Protocol

Hardware

Software

ARM

C++

Win32

Java

It is possible to edit a single class file and save it; afterwards you can put it back into the jar with

$ jar uf jar-file input-file(s)

If you want to quickly find class names you can launch this oneliner (it prints strings of at least 10 characters from every jar, so shorter names are skipped):

$ for f in /path/to/jars/*; do echo "-- $f --"; strings -n 10 "$f"; done | less

An example with radare2 of what you can see reversing the simple hello world program:

/ (fcn) sym.HelloWorld.main 9
|   sym.HelloWorld.main ();
|           0x00000183      b20002         getstatic java/lang/System/out Ljava/io/PrintStream;
|           0x00000186      1203           ldc "Hello, World"
|           0x00000188      b60004         invokevirtual java/io/PrintStream/println(Ljava/lang/String;)V
\           0x0000018b      b1             return
[0x00000158]> is
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
000 0x00000158 0x00000158   NONE   FUNC    5 <init>
000 0x00000142 0x00000142   NONE FUNC_META   43 meta_<init>
001 0x00000183 0x00000183   NONE   FUNC    9 main
001 0x0000016d 0x0000016d   NONE FUNC_META   51 meta_main
001 0x00000001 0x00000001   NONE import    0 imp.<init>
002 0x00000002 0x00000002   NONE import    0 imp.out
004 0x00000004 0x00000004   NONE import    0 imp.println

[0x00000158]> iz
[Strings]
Num Vaddr      Paddr      Len Size Section  Type  String
007 0x00000022 0x00000022   6   9 () ascii <init>
008 0x0000002b 0x0000002b   3   6 () ascii ()V
009 0x00000031 0x00000031   4   7 () ascii Code
010 0x00000038 0x00000038  15  18 () ascii LineNumberTable
011 0x0000004a 0x0000004a   4   7 () ascii main
012 0x00000051 0x00000051  22  25 () ascii ([Ljava/lang/String;)V
013 0x0000006a 0x0000006a  10  13 () ascii SourceFile
014 0x00000077 0x00000077  15  18 () ascii HelloWorld.java
018 0x00000096 0x00000096  12  15 () ascii Hello, World
021 0x000000ad 0x000000ad  10  13 () ascii HelloWorld
022 0x000000ba 0x000000ba  16  19 () ascii java/lang/Object
023 0x000000cd 0x000000cd  16  19 () ascii java/lang/System
024 0x000000e0 0x000000e0   3   6 () ascii out
025 0x000000e6 0x000000e6  21  24 () ascii Ljava/io/PrintStream;
026 0x000000fe 0x000000fe  19  22 () ascii java/io/PrintStream
027 0x00000114 0x00000114   7  10 () ascii println
028 0x0000011e 0x0000011e  21  24 () ascii (Ljava/lang/String;)V
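As an added example (not code from the original page), a small Python parser for the class-file constant pool: it lists the CONSTANT_Utf8 entries that radare2's `iz` shows above and, unlike the `strings -10` oneliner, does not skip short names such as `out` or `()V`. The class bytes below are a constructed, truncated header (magic, version and constant pool only), not the real HelloWorld.class.

```python
import struct

# constant-pool tag -> payload size in bytes for the fixed-size entries
# (CONSTANT_Utf8, tag 1, is variable-length and handled separately)
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data):
    """Return every CONSTANT_Utf8 entry of a .class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    # magic(4) minor(2) major(2) constant_pool_count(2); entries start at 10
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            n = struct.unpack_from(">H", data, pos)[0]
            # class files use "modified UTF-8"; plain decoding is fine for names
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d at %d" % (tag, pos - 1))
        # CONSTANT_Long and CONSTANT_Double occupy two pool slots
        idx += 2 if tag in (5, 6) else 1
    return out


def _utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


# constructed, truncated class file: header and constant pool only, with
# entries mirroring what radare2 listed (this is not the real HelloWorld.class)
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 11)     # magic, version, count
    + _utf8("HelloWorld") + b"\x07" + struct.pack(">H", 1)    # Utf8, Class -> #1
    + _utf8("java/lang/Object") + b"\x07" + struct.pack(">H", 3)
    + _utf8("Hello, World") + b"\x08" + struct.pack(">H", 5)  # Utf8, String -> #5
    + b"\x05" + struct.pack(">Q", 0)                          # Long: takes two slots
    + _utf8("out") + _utf8("()V")                             # short names strings(1) misses
    + struct.pack(">HHH", 0x0021, 2, 4)                       # access flags, this, super
)

if __name__ == "__main__":
    for s in constant_pool_strings(SAMPLE_CLASS):
        print(s)
```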

Go

Android

Python

SEGA

WASM

WebAssembly is a new type of code that can be run in modern web browsers and provides new features and major gains in performance. It is not primarily intended to be written by hand, rather it is designed to be an effective compilation target for low-level source languages like C, C++, Rust, etc.

There are currently two distinct sets of tools that are of interest to compiler writers or developers who want to work with WebAssembly binaries generated by other tools like Emscripten:

  • WABT - The WebAssembly Binary Toolkit
  • Binaryen - Compiler and toolchain infrastructure

Tools

Z3

MIT licensed SMT solver from Microsoft Research

import z3

# byte array taken from the target (kept as in the original note)
b = [
    106, 196, 106, 178, 174, 102, 31, 91,
    66, 255, 86, 196, 74, 139, 219, 166,
    106, 4, 211, 68, 227, 72, 156, 38, 239,
    153, 223, 225, 73, 171, 51, 4, 234, 50,
    207, 82, 18, 111, 180, 212, 81, 189, 73, 76
]

solver = z3.Solver()

# 8-bit symbolic byte, pinned to the value found in the binary
B39 = z3.BitVec("B39", 8)
solver.add(B39 == 212)

# rebind B39 to the transformed expression: the Python ints are summed first,
# then coerced to an 8-bit bit-vector, so the subtraction wraps like the target's byte arithmetic
B39 -= b[18] + b[16] + b[8] + b[19] + b[5] + b[23] + 36

# the transformed byte must be printable ASCII; <= and >= are signed comparisons
# on bit-vectors (z3.ULE/z3.UGE are the unsigned ones), which for an 8-bit value
# and these positive bounds still selects exactly 0x20..0x7f
solver.add(B39 <= 0x7f)
solver.add(B39 >= 0x20)

# check before asking for a model: model() raises when the result is unsat
result = solver.check()
print(result)
if result == z3.sat:
    model = solver.model()
    print(model)
    print(chr(model.eval(B39).as_long()))

Binwalk

$ git clone https://github.com/devttys0/binwalk && cd binwalk
$ sudo ./deps.sh
$ sudo python setup.py install

Plasma

Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.

This is the github repo. The installation instructions are strange, but a simple

$ pip3 install -r requirements.txt
$ ./install.sh --update

is enough (use --update also the first time, otherwise it will clone capstone for no reason).

$ plasma -i /opt/low-level/docs/code/payload-eater_x86
plasma> help
analyzer
      Analyzer status.
dump SYMBOL|0xXXXX|EP [NB_LINES]
      Print contents at the specified address.
exit
      Exit
frame_size [SYMBOL|0xXXXX|EP] frame_size
      Change the frame size of a function, the function will be re-analyzed.
functions
      Print the function list.
help
      Display this help.
hexdump SYMBOL|0xXXXX|EP [NB_LINES]
      Dump memory in hexa.
history
      Display the command history.
info
      Information about the current binary.
jmptable INST_ADDR TABLE_ADDR NB_ENTRIES SIZE_ENTRY
      Create a jump table referenced at TABLE_ADDR and called
      from INST_ADDR.
memmap
      Open a qt window to display the memory.
mips_set_gp ADDR
      Set the register $gp to a fixed value. Note that it will
      erase all defined memory.
py [!][FILE]
      Run an interactive python shell or execute a script.
      Global variables api and args will be passed to the script.
      The character ! is an alias to the scripts directory.
push_analyze_symbols
      Force to analyze the entry point, symbols and a memory scan will be done.
rename OLD_SYM NEW_SYM
      Rename a symbol.
save
      Save the database.
sections
      Print all sections.
sym [SYMBOL 0xXXXX] [| FILTER]
      Print all symbols or set a new symbol.
      You can filter symbols by searching the word FILTER.
      If FILTER starts with -, the match is inversed.
x [SYMBOL|0xXXXX|EP]
      Decompile and print on stdout. By default it will be main.
      The decompilation is forced, it dosn't check if addresses
      are defined as code.
v [SYMBOL|0xXXXX|EP|%VISUAL]
      Visual mode: if no address is given, previous visual is
      reopen. You can keep up to 3 visuals. Use %1, %2 or %3
      to select the visual.

      Main shortcuts:
      c       create code
      b/w/d/Q create byte/word/dword/qword
      a       create ascii string
      p       create function
      o       set [d|q]word as an offset
      *       create an array
      x       show xrefs
      r       rename
      space   highlight current word (ctrl-k to clear)
      ;       edit inline comment (enter/escape to validate/cancel)
      U       undefine

      Options:
      I       switch to traditional instruction string output (3 modes)
      M       show/hide mangling
      B       show/hide bytes

      Navigation:
      |       split the window
      j       jump to an address or a symbol
      /       binary search: if the first char is ! you can put an
              hexa string example: /!ab 13 42
              the search is case sensitive.
      n/N     next/previous search occurence
      g       top
      G       bottom
      z       set current line on the middle
      %       goto next bracket
      { }     previous/next paragraph
      tab     switch between dump/decompilation
      enter   follow address
      escape  go back
      u       re-enter
      q       quit
xrefs SYMBOL|0xXXXX|EP
      Print cross references to the specified address.

Vivisect

This is the github page.

Capstone

Home page

Below is a rough dump of the instructions to cross-compile it for ARM:

# apt-get install gcc-arm-linux-gnueabi
$ git clone https://github.com/aquynh/capstone && cd capstone
$ CROSS=arm-linux-gnueabi- ./make.sh
 ...
$ file libcapstone.so
libcapstone.so: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=d3aa90b9edfef4bdd461ac5908c7a2ec08b7d199, not stripped