Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/reversing/reversing-tools/README.md
Translator workflow a21a0e7217 Translated to Chinese
2023-08-03 19:12:22 +00:00

16 KiB
Raw Blame History

☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Wasm反编译器 / Wat编译器

在线工具:

软件工具:

.Net反编译器

https://github.com/icsharpcode/ILSpy Visual Studio Code的ILSpy插件你可以在任何操作系统中使用它你可以直接从VSCode安装无需下载git。点击Extensions然后搜索ILSpy)。 如果你需要反编译修改重新编译,你可以使用:https://github.com/0xd4d/dnSpy/releases右键单击 -> 修改方法来更改函数内部的内容)。 你也可以尝试https://www.jetbrains.com/es-es/decompiler/

DNSpy日志记录

为了使DNSpy记录一些信息到文件中,你可以使用以下.Net代码

using System.IO;
path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");

DNSpy调试

为了使用DNSpy调试代码您需要

首先,更改与调试相关的程序集属性

从:

[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]

/hive/hacktricks/reversing/reversing-tools/README.md

Reversing Tools

This section provides an overview of various tools that can be used for reverse engineering and analysis of software. These tools are essential for understanding the inner workings of a program and identifying vulnerabilities or weaknesses.

IDA Pro

IDA Pro is a popular disassembler and debugger used for reverse engineering. It supports a wide range of architectures and file formats, making it a versatile tool for analyzing binary code. IDA Pro offers advanced features such as graph view, cross-references, and scripting capabilities.

Ghidra

Ghidra is a free and open-source software reverse engineering suite developed by the National Security Agency (NSA). It provides a wide range of features, including disassembly, decompilation, and analysis of binary code. Ghidra supports multiple platforms and file formats, making it a powerful tool for reverse engineering.

Radare2

Radare2 is a command-line based reverse engineering framework that supports a variety of architectures and file formats. It offers a wide range of features, including disassembly, debugging, and analysis of binary code. Radare2 is highly extensible and can be scripted using its own scripting language.

OllyDbg

OllyDbg is a 32-bit assembler-level debugger for Microsoft Windows. It is widely used for reverse engineering and analyzing binary code. OllyDbg offers features such as code analysis, breakpoints, and memory dumping, making it a valuable tool for understanding the behavior of a program.

x64dbg

x64dbg is a 64-bit debugger for Windows that is compatible with x86 and x64 architectures. It provides a user-friendly interface and a wide range of features, including disassembly, debugging, and memory analysis. x64dbg is highly customizable and supports plugins for additional functionality.

Hopper Disassembler

Hopper Disassembler is a reverse engineering tool for macOS and Linux. It supports a wide range of architectures and file formats, making it a versatile tool for analyzing binary code. Hopper Disassembler offers features such as disassembly, decompilation, and graph view.

Cutter

Cutter is a free and open-source reverse engineering framework powered by Radare2. It provides a user-friendly interface and a wide range of features, including disassembly, debugging, and analysis of binary code. Cutter supports multiple platforms and file formats, making it a powerful tool for reverse engineering.

Binary Ninja

Binary Ninja is a commercial reverse engineering platform that offers advanced features for analyzing binary code. It supports a wide range of architectures and file formats, making it a versatile tool for reverse engineering. Binary Ninja provides features such as graph view, scripting capabilities, and collaboration tools.

Conclusion

These are just a few examples of the many tools available for reverse engineering and analysis of software. Each tool has its own strengths and weaknesses, so it is important to choose the right tool for the task at hand. By using these tools effectively, you can gain a deeper understanding of how software works and identify potential vulnerabilities or weaknesses.

[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
DebuggableAttribute.DebuggingModes.DisableOptimizations |
DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]

然后点击编译

然后将新文件保存在_文件 >> 保存模块..._

这是必要的,因为如果不这样做,在运行时会对代码应用多个优化,可能会导致在调试时断点永远不会触发或某些变量不存在

然后,如果你的.NET应用程序正在由IIS运行,你可以使用以下命令重新启动它:

iisreset /noforce

然后,为了开始调试,您应该关闭所有打开的文件,并在调试选项卡中选择附加到进程...

然后选择w3wp.exe以附加到IIS服务器,然后点击附加

现在我们正在调试进程是时候停止它并加载所有模块了。首先点击_Debug >> Break All_然后点击_Debug >> Windows >> Modules_

模块中点击任何模块,然后选择打开所有模块

右键单击程序集浏览器中的任何模块,然后点击排序程序集

Java反编译器

https://github.com/skylot/jadx https://github.com/java-decompiler/jd-gui/releases

调试DLL

使用IDA

  • 加载rundll3264位在C:\Windows\System32\rundll32.exe32位在C:\Windows\SysWOW64\rundll32.exe
  • 选择Windbg调试器
  • 选择“在库加载/卸载时暂停

  • 配置执行的参数,将DLL的路径和要调用的函数放入其中:

然后,当您开始调试时,每次加载DLL时都会停止执行然后当rundll32加载您的DLL时执行将停止。

但是您如何获取已加载的DLL的代码使用这种方法我不知道如何。

使用x64dbg/x32dbg

  • 加载rundll3264位在C:\Windows\System32\rundll32.exe32位在C:\Windows\SysWOW64\rundll32.exe
  • 更改命令行文件 --> 更改命令行并设置dll的路径和要调用的函数例如"C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\14.ridii_2.dll",DLLMain
  • 更改_Options --> Settings_并选择“DLL Entry”。
  • 然后开始执行调试器将在每个dll主函数处停止最终您将停在您的dll的dll Entry处。从那里,只需搜索您想要设置断点的位置。

请注意当执行由于任何原因停止时在win64dbg中您可以在win64dbg窗口顶部查看您所在的代码:

然后查看此处您可以看到执行停止在您要调试的dll中的位置。

ARM和MIPS

{% embed url="https://github.com/nongiach/arm_now" %}

Shellcode

使用blobrunner调试shellcode

Blobrunner将在内存空间中分配shellcode并指示shellcode分配的内存地址停止执行。 然后您需要将调试器Ida或x64dbg附加到进程,并在指示的内存地址处设置断点,然后恢复执行。这样您就可以调试shellcode了。

发布的github页面包含了编译版本的zip文件https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5 您可以在以下链接中找到稍微修改过的Blobrunner版本。为了编译它只需在Visual Studio Code中创建一个C/C++项目,复制并粘贴代码,然后构建

{% page-ref page="blobrunner.md" %}

使用jmp2it调试shellcode

jmp2it与blobrunner非常相似。它将在内存空间中分配shellcode并启动一个无限循环。然后,您需要将调试器附加到进程播放开始等待2-5秒然后按停止,然后您将发现自己处于无限循环中。跳转到无限循环的下一条指令因为它将是对shellcode的调用最后您将发现自己正在执行shellcode。

您可以在发布页面下载编译版本的jmp2it

使用Cutter调试shellcode

Cutter是radare的图形界面。使用cutter您可以动态地模拟和检查shellcode。

请注意Cutter允许您“打开文件”和“打开shellcode”。在我的情况下当我将shellcode作为文件打开时它正确反编译了但当我将其作为shellcode打开时它没有

为了从您想要的位置开始模拟设置一个断点显然cutter将自动从那里开始模拟

您可以在十六进制转储中看到堆栈,例如:

反混淆 shellcode 并获取执行的函数

你可以尝试使用 scdbg。 它会告诉你 shellcode 使用了哪些函数,并且如果 shellcode 在内存中进行了解码

scdbg.exe -f shellcode # Get info
scdbg.exe -f shellcode -r #show analysis report at end of run
scdbg.exe -f shellcode -i -r #enable interactive hooks (file and network) and show analysis report at end of run
scdbg.exe -f shellcode -d #Dump decoded shellcode
scdbg.exe -f shellcode /findsc #Find offset where starts
scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset

scDbg也提供了一个图形化启动器您可以在其中选择所需的选项并执行shellcode。

如果对shellcode在内存中进行了任何动态更改用于下载解码后的shellcodeCreate Dump选项将转储最终的shellcode。start offset可以用于在特定偏移处启动shellcode。Debug Shell选项可用于使用scDbg终端调试shellcode但是我发现前面解释的任何选项都更适合此事因为您将能够使用Ida或x64dbg

使用CyberChef进行反汇编

将shellcode文件上传为输入并使用以下配方对其进行反汇编https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)

Movfuscator

这个混淆器将所有指令更改为mov(是的,非常酷)。它还使用中断来改变执行流程。有关其工作原理的更多信息:

如果您很幸运,demovfuscator将解混淆二进制文件。它有几个依赖项。

apt-get install libcapstone-dev
apt-get install libz3-dev

并且安装keystone `apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`

如果你在玩CTF这个绕过方法来找到flag可能非常有用https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html

Delphi

对于Delphi编译的二进制文件你可以使用https://github.com/crypto2011/IDR

课程

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥