7.8 KiB
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Wasm Decompilation and Wat Compilation Guide
In the realm of WebAssembly, tools for decompiling and compiling are essential for developers. This guide introduces some online resources and software for handling Wasm (WebAssembly binary) and Wat (WebAssembly text) files.
Online Tools
- To decompile Wasm to Wat, the tool available at Wabt's wasm2wat demo comes in handy.
- For compiling Wat back to Wasm, Wabt's wat2wasm demo serves the purpose.
- Another decompilation option can be found at web-wasmdec.
Software Solutions
- For a more robust solution, JEB by PNF Software offers extensive features.
- The open-source project wasmdec is also available for decompilation tasks.
.Net Decompilation Resources
Decompiling .Net assemblies can be accomplished with tools such as:
- ILSpy, which also offers a plugin for Visual Studio Code, allowing cross-platform usage.
- For tasks involving decompilation, modification, and recompilation, dnSpy is highly recommended. Right-clicking a method and choosing Modify Method enables code changes.
- JetBrains' dotPeek is another alternative for decompiling .Net assemblies.
Enhancing Debugging and Logging with DNSpy
DNSpy Logging
To log information to a file using DNSpy, incorporate the following .Net code snippet:
%%%cpp using System.IO; path = "C:\inetpub\temp\MyTest2.txt"; File.AppendAllText(path, "Password: " + password + "\n"); %%%
DNSpy Debugging
For effective debugging with DNSpy, a sequence of steps is recommended to adjust Assembly attributes for debugging, ensuring that optimizations that could hinder debugging are disabled. This process includes changing the DebuggableAttribute
settings, recompiling the assembly, and saving the changes.
Moreover, to debug a .Net application run by IIS, executing iisreset /noforce
restarts IIS. To attach DNSpy to the IIS process for debugging, the guide instructs on selecting the w3wp.exe process within DNSpy and starting the debugging session.
For a comprehensive view of loaded modules during debugging, accessing the Modules window in DNSpy is advised, followed by opening all modules and sorting assemblies for easier navigation and debugging.
This guide encapsulates the essence of WebAssembly and .Net decompilation, offering a pathway for developers to navigate these tasks with ease.
Java Decompiler
To decompile Java bytecode, these tools can be very helpful:
Debugging DLLs
Using IDA
- Rundll32 is loaded from specific paths for 64-bit and 32-bit versions.
- Windbg is selected as the debugger with the option to suspend on library load/unload enabled.
- Execution parameters include the DLL path and function name. This setup halts execution upon each DLL's loading.
Using x64dbg/x32dbg
- Similar to IDA, rundll32 is loaded with command line modifications to specify the DLL and function.
- Settings are adjusted to break on DLL entry, allowing breakpoint setting at the desired DLL entry point.
Images
- Execution stopping points and configurations are illustrated through screenshots.
ARM & MIPS
- For emulation, arm_now is a useful resource.
Shellcodes
Debugging Techniques
- Blobrunner and jmp2it are tools for allocating shellcodes in memory and debugging them with Ida or x64dbg.
- Blobrunner releases
- jmp2it compiled version
- Cutter offers GUI-based shellcode emulation and inspection, highlighting differences in shellcode handling as a file versus direct shellcode.
Deobfuscation and Analysis
-
scdbg provides insights into shellcode functions and deobfuscation capabilities. %%%bash scdbg.exe -f shellcode # Basic info scdbg.exe -f shellcode -r # Analysis report scdbg.exe -f shellcode -i -r # Interactive hooks scdbg.exe -f shellcode -d # Dump decoded shellcode scdbg.exe -f shellcode /findsc # Find start offset scdbg.exe -f shellcode /foff 0x0000004D # Execute from offset %%%
-
CyberChef for disassembling shellcode: CyberChef recipe
Movfuscator
- An obfuscator that replaces all instructions with
mov
. - Useful resources include a YouTube explanation and PDF slides.
- demovfuscator might reverse movfuscator's obfuscation, requiring dependencies like
libcapstone-dev
andlibz3-dev
, and installing keystone.
Delphi
- For Delphi binaries, IDR is recommended.
Courses
- https://github.com/0xZ0F/Z0FCourse_ReverseEngineering
- https://github.com/malrev/ABD
Binary deobfuscation
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.