hacktricks/exploiting/reversing.md

# Reversing

## Wasm decompiler

[https://www.pnfsoftware.com/jeb/demowasm](https://www.pnfsoftware.com/jeb/demowasm)

## .Net decompiler

[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)  
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS \(you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**\).  
If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) \(**Right Click -&gt; Modify Method** to change something inside a function\).

### DNSpy Logging

In order to make **DNSpy log some information in a file**, you could use this .Net lines:

```bash
using System.IO;
path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");
```

### DNSpy Debugging

In order to debug code using DNSpy you need to:

First, change the **Assembly attributes** related to **debugging**:

![](../.gitbook/assets/image%20%287%29.png)

From:

```aspnet
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
```

To:

```text
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
DebuggableAttribute.DebuggingModes.DisableOptimizations |
DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
```

And click on **compile**:

![](../.gitbook/assets/image%20%28144%29.png)

Then save the new file on _**File &gt;&gt; Save module...**_:

![](../.gitbook/assets/image%20%28261%29.png)

This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.

Then, if your .Net application is being **run** by **IIS** you can **restart** it with:

```text
iisreset /noforce
```

Then, in order to start debugging you should close all the opened files and inside the **Debug Tab** select **Attach to Process...**:

![](../.gitbook/assets/image%20%28166%29.png)

Then select **w3wp.exe** to attach to the **IIS server** and click **attach**:

![](../.gitbook/assets/image%20%28274%29.png)

Now that we are debugging the process, it's time to stop it and load all the modules. First click on _Debug &gt;&gt; Break All_ and then click on _**Debug &gt;&gt; Windows &gt;&gt; Modules**_:

![](../.gitbook/assets/image%20%28210%29.png)

![](../.gitbook/assets/image%20%28341%29.png)

Click any module on **Modules** and selec**t Open All Modules**:

![](../.gitbook/assets/image%20%28216%29.png)

Right click any module in **Assembly Explorer** and click **Sort Assemblies**:

![](../.gitbook/assets/image%20%28130%29.png)

## Java decompiler

[https://github.com/skylot/jadx](https://github.com/skylot/jadx)  
[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)

## Debugging DLLs

### Using IDA

* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)
* Select **Windbg** debugger
* Select "**Suspend on library load/unload**"

![](../.gitbook/assets/image%20%2869%29.png)

* Configure the **parameters** of the execution putting the **path to the DLL** and the function that you want to call:

![](../.gitbook/assets/image%20%28325%29.png)

Then, when you start debugging **the execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped.

But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.

### Using x64dbg/x32dbg

* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)
* **Change the Command Line** \( _File --&gt; Change Command Line_ \) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\14.ridii\_2.dll",DLLMain
* Change _Options --&gt; Settings_ and select "**DLL Entry**".
* Then **start the execution**, the debugger will stop at each dll main, at some point you will **stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint.

Notice that when the execution is stopped by any reason in win64dbg you can see **in which code you are** looking in the **top of the win64dbg window**:

![](../.gitbook/assets/image%20%28181%29.png)

Then, looking to this ca see when the execution was stopped in the dll you want to debug.

## ARM & MIPS

{% embed url="https://github.com/nongiach/arm\_now" %}

## Shellcodes

You should try ****[**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152).  
It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.

```bash
scdbg.exe -f shellcode # Get info
scdbg.exe -f shellcode -r #Run it
scdbg.exe -f shellcode -r #Run it with hooks
scdbg.exe -f shellcode -d #Dump decoded shellcode
scdbg.exe -f shellcode /findsc #Find offset where starts
```

To **run a shellcode** you can also use: [http://mcdermottcybersecurity.com/articles/windows-x64-shellcode\#testing](http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#testing)

## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)

This ofuscator change all the instructions for `mov`\(yeah, really cool\). It also uses interruptions to change executions flows. For more information about how does it works:

* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)
* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)

If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies

```text
apt-get install libcapstone-dev
apt-get install libz3-dev
```

And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) \(`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`\)

If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) 

## Courses

* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Reversing`

			`## Wasm decompiler`

			`[https://www.pnfsoftware.com/jeb/demowasm](https://www.pnfsoftware.com/jeb/demowasm)`

			`## .Net decompiler`

			`[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)`
			`[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS \(you can install it directly from VSCode, no need to download the git. Click on Extensions and search ILSpy\).`
			`If you need to decompile, modify and recompile again you can use: [https://github.com/0xd4d/dnSpy/releases](https://github.com/0xd4d/dnSpy/releases) \(Right Click -> Modify Method to change something inside a function\).`

			`### DNSpy Logging`

			`In order to make DNSpy log some information in a file, you could use this .Net lines:`

			```bash
			`using System.IO;`
			`path = "C:\\inetpub\\temp\\MyTest2.txt";`
			`File.AppendAllText(path, "Password: " + password + "\n");`
			```

			`### DNSpy Debugging`

			`In order to debug code using DNSpy you need to:`

			`First, change the Assembly attributes related to debugging:`

			`![](../.gitbook/assets/image%20%287%29.png)`

			`From:`

			```aspnet
			`[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]`
			```

			`To:`

			```text
			`[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default \|`
			`DebuggableAttribute.DebuggingModes.DisableOptimizations \|`
			`DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints \|`
			`DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]`
			```

			`And click on compile:`

			`![](../.gitbook/assets/image%20%28144%29.png)`

			`Then save the new file on _File >> Save module..._:`

			`![](../.gitbook/assets/image%20%28261%29.png)`

			`This is necessary because if you don't do this, at runtime several optimisations will be applied to the code and it could be possible that while debugging a break-point is never hit or some variables don't exist.`

			`Then, if your .Net application is being run by IIS you can restart it with:`

			```text
			`iisreset /noforce`
			```

			`Then, in order to start debugging you should close all the opened files and inside the Debug Tab select Attach to Process...:`

			`![](../.gitbook/assets/image%20%28166%29.png)`

			`Then select w3wp.exe to attach to the IIS server and click attach:`

			`![](../.gitbook/assets/image%20%28274%29.png)`

			`Now that we are debugging the process, it's time to stop it and load all the modules. First click on _Debug >> Break All_ and then click on _Debug >> Windows >> Modules_:`

			`![](../.gitbook/assets/image%20%28210%29.png)`

			`![](../.gitbook/assets/image%20%28341%29.png)`

			`Click any module on Modules and select Open All Modules:`

			`![](../.gitbook/assets/image%20%28216%29.png)`

			`Right click any module in Assembly Explorer and click Sort Assemblies:`

			`![](../.gitbook/assets/image%20%28130%29.png)`

			`## Java decompiler`

			`[https://github.com/skylot/jadx](https://github.com/skylot/jadx)`
			`[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)`

			`## Debugging DLLs`

			`### Using IDA`

			`* Load rundll32 \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)`
			`* Select Windbg debugger`
			`* Select "Suspend on library load/unload"`

			`![](../.gitbook/assets/image%20%2869%29.png)`

			`* Configure the parameters of the execution putting the path to the DLL and the function that you want to call:`

			`![](../.gitbook/assets/image%20%28325%29.png)`

			`Then, when you start debugging the execution will be stopped when each DLL is loaded, then, when rundll32 load your DLL the execution will be stopped.`

			`But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.`

			`### Using x64dbg/x32dbg`

			`* Load rundll32 \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)`
			`* Change the Command Line \( _File --> Change Command Line_ \) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\14.ridii\_2.dll",DLLMain`
			`* Change _Options --> Settings_ and select "DLL Entry".`
			`* Then start the execution, the debugger will stop at each dll main, at some point you will stop in the dll Entry of your dll. From there, just search for the points where you want to put a breakpoint.`

			`Notice that when the execution is stopped by any reason in win64dbg you can see in which code you are looking in the top of the win64dbg window:`

			`![](../.gitbook/assets/image%20%28181%29.png)`

			`Then, looking to this ca see when the execution was stopped in the dll you want to debug.`

			`## ARM & MIPS`

			`{% embed url="https://github.com/nongiach/arm\_now" %}`

			`## Shellcodes`

			`You should try **[scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152).`
			`It will tell you things like which functions is the shellcode using and if the shellcode is decoding itself in memory.`

			```bash
			`scdbg.exe -f shellcode # Get info`
			`scdbg.exe -f shellcode -r #Run it`
			`scdbg.exe -f shellcode -r #Run it with hooks`
			`scdbg.exe -f shellcode -d #Dump decoded shellcode`
			`scdbg.exe -f shellcode /findsc #Find offset where starts`
			```

			`To run a shellcode you can also use: [http://mcdermottcybersecurity.com/articles/windows-x64-shellcode\#testing](http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#testing)`

			`## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)`

			This ofuscator change all the instructions for `mov`\(yeah, really cool\). It also uses interruptions to change executions flows. For more information about how does it works:

			`* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)`
			`* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)`

			`If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies`

			```text
			`apt-get install libcapstone-dev`
			`apt-get install libz3-dev`
			```

			And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) \(`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`\)

			`If you are playing a CTF, this workaround to find the flag could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)`

			`## Courses`

			`* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)`
			`* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\)`