☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or to download HackTricks as a PDF? Check the subscription plans!
Discover The PEASS Family, our collection of exclusive NFTs.
Join the 💬 Discord group or the Telegram group, or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and the hacktricks-cloud repo.
Wasm decompiler / Wat compiler
Online tools:
- Use https://webassembly.github.io/wabt/demo/wasm2wat/index.html to decompile wasm (binary) to wat (clear text)
- Use https://webassembly.github.io/wabt/demo/wat2wasm/ to compile wat to wasm
- You can also try https://wwwg.github.io/web-wasmdec/ to decompile
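As an added example that is not from the original page or from the wabt project, the following Python walks the wasm binary layout that wasm2wat-style tools decode before emitting text: magic, version, LEB128-sized sections and export entries. The module bytes are constructed inline; the section and export-kind tables are the standard ones from the wasm binary format.

```python
# Added example (not part of the original page): a minimal parser for the wasm binary
# section layout that tools such as wasm2wat walk before emitting .wat text.
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data", 12: "datacount"}
EXPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}
# Constructed sample, equivalent to: (module (func (export "f") (result i32) i32.const 42))
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"   # magic "\0asm" + version 1
    "0105016000017f"     # type section: one func type () -> i32
    "03020100"           # function section: one function using type 0
    "07050101660000"     # export section: export "f" as func index 0
    "0a06010400412a0b")  # code section: one body, no locals, i32.const 42, end

def read_leb128_u32(data, pos):
    # Unsigned LEB128: 7 payload bits per byte, high bit set means another byte follows.
    result, shift = 0, 0
    while True:
        byte, pos = data[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("LEB128 value too long for u32")

def parse_sections(data):
    # Returns (version, [(section_id, name, payload)]); rejects bad magic and truncation.
    if data[:4] != b"\0asm":
        raise ValueError("not a wasm module (bad magic)")
    pos, sections = 8, []
    while pos < len(data):
        sec_id = data[pos]
        size, pos = read_leb128_u32(data, pos + 1)
        payload = data[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated section id %d" % sec_id)
        sections.append((sec_id, SECTION_NAMES.get(sec_id, "unknown"), payload))
        pos += size
    return int.from_bytes(data[4:8], "little"), sections

def parse_exports(payload):
    # Export section: vec(name: vec(byte), kind: byte, index: u32) -> [(name, kind, index)].
    count, pos = read_leb128_u32(payload, 0)
    exports = []
    for _ in range(count):
        name_len, pos = read_leb128_u32(payload, pos)
        name, pos = payload[pos:pos + name_len].decode("utf-8"), pos + name_len
        kind, (index, pos) = payload[pos], read_leb128_u32(payload, pos + 1)
        exports.append((name, EXPORT_KINDS.get(kind, "unknown"), index))
    return exports
```

Listing the sections and exports of a module this way is the first triage step before handing the file to a full decompiler; a truncated or mislabelled section is reported instead of silently skipped.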
Software tools:
.Net decompiler
https://github.com/icsharpcode/ILSpy
ILSpy plugin for Visual Studio Code: you can use it on any OS (you can install it directly from VSCode, with no need to download the git repo; click Extensions and search for ILSpy).
If you need to decompile, modify and recompile again, you can use https://github.com/0xd4d/dnSpy/releases (right click -> Edit Method to change something inside a function).
You can also try https://www.jetbrains.com/es-es/decompiler/
DNSpy logging
In order to make DNSpy log some information to a file, you can use this .Net code:
```csharp
using System.IO;
// Append the value of interest to a file so it can be read after the code path has run
string path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n");
```
DNSpy debugging
In order to debug code using DNSpy you need to:
First, change the assembly attributes related to debugging:
From:
```csharp
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
```
Reversing Tools
This section provides an overview of various tools that can be used for reverse engineering and analysis of software. These tools are essential for understanding the inner workings of a program and identifying vulnerabilities or weaknesses.
IDA Pro
IDA Pro is a popular disassembler and debugger used for reverse engineering. It supports a wide range of architectures and file formats, making it a versatile tool for analyzing binary code. IDA Pro offers advanced features such as graph view, cross-references, and scripting capabilities.
Ghidra
Ghidra is a free and open-source software reverse engineering suite developed by the National Security Agency (NSA). It provides a wide range of features, including disassembly, decompilation, and analysis of binary code. Ghidra supports multiple platforms and file formats, making it a powerful tool for reverse engineering.
Radare2
Radare2 is a command-line based reverse engineering framework that supports a variety of architectures and file formats. It offers a wide range of features, including disassembly, debugging, and analysis of binary code. Radare2 is highly extensible and can be scripted using its own scripting language.
OllyDbg
OllyDbg is a 32-bit assembler-level debugger for Microsoft Windows. It is widely used for reverse engineering and analyzing binary code. OllyDbg offers features such as code analysis, breakpoints, and memory dumping, making it a valuable tool for understanding the behavior of a program.
x64dbg
x64dbg is a 64-bit debugger for Windows that is compatible with x86 and x64 architectures. It provides a user-friendly interface and a wide range of features, including disassembly, debugging, and memory analysis. x64dbg is highly customizable and supports plugins for additional functionality.
Hopper Disassembler
Hopper Disassembler is a reverse engineering tool for macOS and Linux. It supports a wide range of architectures and file formats, making it a versatile tool for analyzing binary code. Hopper Disassembler offers features such as disassembly, decompilation, and graph view.
Cutter
Cutter is a free and open-source reverse engineering framework powered by Radare2. It provides a user-friendly interface and a wide range of features, including disassembly, debugging, and analysis of binary code. Cutter supports multiple platforms and file formats, making it a powerful tool for reverse engineering.
Binary Ninja
Binary Ninja is a commercial reverse engineering platform that offers advanced features for analyzing binary code. It supports a wide range of architectures and file formats, making it a versatile tool for reverse engineering. Binary Ninja provides features such as graph view, scripting capabilities, and collaboration tools.
Conclusion
These are just a few examples of the many tools available for reverse engineering and analysis of software. Each tool has its own strengths and weaknesses, so it is important to choose the right tool for the task at hand. By using these tools effectively, you can gain a deeper understanding of how software works and identify potential vulnerabilities or weaknesses.
To:
```csharp
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
    DebuggableAttribute.DebuggingModes.DisableOptimizations |
    DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
    DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
```
Then click Compile:
Then save the new file via File >> Save Module...:
This is necessary because otherwise, at runtime, several optimizations are applied to the code, and while debugging a breakpoint may never be hit or some variables may not exist.
Then, if your .NET application is being run by IIS, you can restart it with:
```
iisreset /noforce
```
Then, to start debugging, close all open files and in the Debug tab select Attach to Process...:
Then select w3wp.exe to attach to the IIS server and click Attach:
Now that we are debugging the process, it is time to stop it and load all the modules. First click Debug >> Break All and then Debug >> Windows >> Modules:
Click any module in Modules and select Open All Modules:
Right click any module in Assembly Explorer and click Sort Assemblies:
Java decompiler
https://github.com/skylot/jadx
https://github.com/java-decompiler/jd-gui/releases
Debugging DLLs
Using IDA
- Load rundll32 (64-bit in C:\Windows\System32\rundll32.exe, 32-bit in C:\Windows\SysWOW64\rundll32.exe)
- Select the Windbg debugger
- Select "Suspend on library load/unload"
- Configure the parameters of the execution, putting the path to the DLL and the function you want to call:
Then, when you start debugging, execution will stop every time a DLL is loaded; once rundll32 loads your DLL, execution stops inside it.
But how do you get to the code of the DLL that was loaded? Using this method, I don't know how.
Using x64dbg/x32dbg
- Load rundll32 (64-bit in C:\Windows\System32\rundll32.exe, 32-bit in C:\Windows\SysWOW64\rundll32.exe)
- Change the command line (File --> Change Command Line) and set the path of the dll and the function you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\14.ridii_2.dll",DLLMain
- Change Options --> Settings and select "DLL Entry".
- Then start the execution: the debugger will stop at each dll main, and eventually you will stop at the dll Entry of your dll. From there, just search for the points where you want to set a breakpoint.
Note that when execution stops for any reason in win64dbg, you can see which code you are in by looking at the top of the win64dbg window:
Then, looking at this, you can see when execution stopped in the dll you want to debug.
ARM & MIPS
{% embed url="https://github.com/nongiach/arm_now" %}
Shellcode
Debugging a shellcode with blobrunner
Blobrunner will allocate the shellcode in a memory space, tell you the memory address where the shellcode was allocated, and stop execution. Then you need to attach a debugger (Ida or x64dbg) to the process, put a breakpoint at the indicated memory address and resume execution. This way you will be debugging the shellcode.
The releases GitHub page contains zips with the compiled releases: https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5 You can find a slightly modified version of Blobrunner in the following link. To compile it, just create a C/C++ project in Visual Studio Code, copy and paste the code, and build it.
{% page-ref page="blobrunner.md" %}
Debugging a shellcode with jmp2it
jmp2it is very similar to blobrunner. It will allocate the shellcode in a memory space and start an infinite loop. You then need to attach the debugger to the process, press play, wait 2-5 seconds and press stop, and you will find yourself inside the infinite loop. Jump to the next instruction after the infinite loop, since it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
You can download a compiled version of jmp2it from the releases page.
Debugging shellcode using Cutter
Cutter is the GUI for radare. Using Cutter you can emulate the shellcode and inspect it dynamically.
Note that Cutter allows you to "Open File" and "Open Shellcode". In my case, when I opened the shellcode as a file it decompiled correctly, but when I opened it as a shellcode it didn't:
In order to start emulating from the place you want, set a breakpoint there, and apparently Cutter will automatically start emulating from that point:
You can see the stack, for example, inside a hex dump:
Deobfuscating shellcode and getting executed functions
You should try scdbg. It will tell you which functions the shellcode is using and whether the shellcode decodes itself in memory.
```
scdbg.exe -f shellcode # Get info
scdbg.exe -f shellcode -r #show analysis report at end of run
scdbg.exe -f shellcode -i -r #enable interactive hooks (file and network) and show analysis report at end of run
scdbg.exe -f shellcode -d #Dump decoded shellcode
scdbg.exe -f shellcode /findsc #Find offset where starts
scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset
```
scDbg also has a graphical launcher where you can select the options you want and execute the shellcode.
The Create Dump option dumps the final shellcode if any change is made to the shellcode dynamically in memory (useful to download the decoded shellcode). The start offset can be used to start the shellcode at a specific offset. The Debug Shell option is useful for debugging the shellcode using the scDbg terminal (however, I find any of the options explained before better for this matter, as you will be able to use Ida or x64dbg).
Disassembling using CyberChef
Upload your shellcode file as input and use the following recipe to disassemble it: https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)
Movfuscator
This obfuscator changes all instructions to mov (yeah, really cool). It also uses interrupts to change execution flow. For more information about how it works:
- https://www.youtube.com/watch?v=2VF_wPkiBJY
- https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
If you are lucky, demovfuscator will deobfuscate the binary. It has several dependencies.
```bash
apt-get install libcapstone-dev
apt-get install libz3-dev
```
And install keystone (`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`)
If you are playing a CTF, this workaround to find the flag could be very useful: https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html
Delphi
For Delphi compiled binaries you can use https://github.com/crypto2011/IDR
Courses