hacktricks/reversing/reversing-tools/README.md
Carlos Polop 7aaa08ff92 a
2024-02-09 01:38:08 +01:00

7.8 KiB

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Wasm Decompilation and Wat Compilation Guide

In the realm of WebAssembly, tools for decompiling and compiling are essential for developers. This guide introduces some online resources and software for handling Wasm (WebAssembly binary) and Wat (WebAssembly text) files.

Online Tools

Software Solutions

  • For a more robust solution, JEB by PNF Software offers extensive features.
  • The open-source project wasmdec is also available for decompilation tasks.

.Net Decompilation Resources

Decompiling .Net assemblies can be accomplished with tools such as:

  • ILSpy, which also offers a plugin for Visual Studio Code, allowing cross-platform usage.
  • For tasks involving decompilation, modification, and recompilation, dnSpy is highly recommended. Right-clicking a method and choosing Modify Method enables code changes.
  • JetBrains' dotPeek is another alternative for decompiling .Net assemblies.

Enhancing Debugging and Logging with DNSpy

DNSpy Logging

To log information to a file using DNSpy, incorporate the following .Net code snippet:

%%%cpp using System.IO; path = "C:\inetpub\temp\MyTest2.txt"; File.AppendAllText(path, "Password: " + password + "\n"); %%%

DNSpy Debugging

For effective debugging with DNSpy, a sequence of steps is recommended to adjust Assembly attributes for debugging, ensuring that optimizations that could hinder debugging are disabled. This process includes changing the DebuggableAttribute settings, recompiling the assembly, and saving the changes.

Moreover, to debug a .Net application run by IIS, executing iisreset /noforce restarts IIS. To attach DNSpy to the IIS process for debugging, the guide instructs on selecting the w3wp.exe process within DNSpy and starting the debugging session.

For a comprehensive view of loaded modules during debugging, accessing the Modules window in DNSpy is advised, followed by opening all modules and sorting assemblies for easier navigation and debugging.

This guide encapsulates the essence of WebAssembly and .Net decompilation, offering a pathway for developers to navigate these tasks with ease.

Java Decompiler

To decompile Java bytecode, these tools can be very helpful:

Debugging DLLs

Using IDA

  • Rundll32 is loaded from specific paths for 64-bit and 32-bit versions.
  • Windbg is selected as the debugger with the option to suspend on library load/unload enabled.
  • Execution parameters include the DLL path and function name. This setup halts execution upon each DLL's loading.

Using x64dbg/x32dbg

  • Similar to IDA, rundll32 is loaded with command line modifications to specify the DLL and function.
  • Settings are adjusted to break on DLL entry, allowing breakpoint setting at the desired DLL entry point.

Images

  • Execution stopping points and configurations are illustrated through screenshots.

ARM & MIPS

  • For emulation, arm_now is a useful resource.

Shellcodes

Debugging Techniques

  • Blobrunner and jmp2it are tools for allocating shellcodes in memory and debugging them with Ida or x64dbg.
  • Cutter offers GUI-based shellcode emulation and inspection, highlighting differences in shellcode handling as a file versus direct shellcode.

Deobfuscation and Analysis

  • scdbg provides insights into shellcode functions and deobfuscation capabilities. %%%bash scdbg.exe -f shellcode # Basic info scdbg.exe -f shellcode -r # Analysis report scdbg.exe -f shellcode -i -r # Interactive hooks scdbg.exe -f shellcode -d # Dump decoded shellcode scdbg.exe -f shellcode /findsc # Find start offset scdbg.exe -f shellcode /foff 0x0000004D # Execute from offset %%%

  • CyberChef for disassembling shellcode: CyberChef recipe

Movfuscator

  • An obfuscator that replaces all instructions with mov.
  • Useful resources include a YouTube explanation and PDF slides.
  • demovfuscator might reverse movfuscator's obfuscation, requiring dependencies like libcapstone-dev and libz3-dev, and installing keystone.

Delphi

  • For Delphi binaries, IDR is recommended.

Courses

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: