Static analysis of binary code is challenging for several reasons. In particular, standard static analysis techniques operate over control flow graphs, which are not available when dealing with self-modifying programs which can modify their own code at runtime. We formalize in the Coq proof assistant some key abstract interpretation techniques that automatically extract memory safety properties from binary code. Our analyzer is formally proved correct and has been run on several self modifying challenges, provided by Cai et al. in their PLDI 2007 paper.
↧
Verified Abstract Interpretation Techniques for Disassembling Low-level Self-modifying Code
↧
x64_dbg 0.18
This is a x32/x64 debugger that is currently in active development.
The debugger has (currently) three parts:
- DBG
- GUI
- Bridge
DBG is the debugging part of the debugger. It handles debugging (using TitanEngine) and will provide data for the GUI.
GUI is the graphical part of the debugger. It is built on top of QT and it provides the user interaction, the dump window (not yet implemented), the disassembly, the register window (not yet implemented), the memory map view (not yet implemented) etc.
Bridge is the communication library for the DBG and GUI part (and maybe in the future more parts). The bridge can be used to work on new features, without having to update the code of the other parts.
Features:
- variables (with regard to the upcoming script feature)
- basic calculations (var*@401000+.45^4A)
- hide debugger (very basic)
- software breakpoints (INT3, LONG INT3, UD2)
- memory breakpoints (read, write, execute)
- hardware breakpoints (access, write, execute)
- stepping (into, over, n instructions)
- rtr (return from function)
- memory allocation/deallocation in the debuggee
- quickly accessing API addresses (GetProcAddress->76E13620)
- highlighting (not yet customizable, but really helpful)
- memory map
- basic module labeling
- import reconstruction (plugin using Scylla)
- drag&drop files
- goto window
- register/flags view with editing support
- quite fast working in really big code pages (tested up to 5GB)
- GUI hotkeys
- dynamic jump arrow (just like OllyDbg)
- user databases for labels/comments/breakpoints/bookmarks (*.dd64 or *.dd32 files)
- easy context menu in disassembly (to set breakpoints etc)
- plugin support
- (manual) function analysis
- easily follow calls/jumps/ret (press ENTER when selecting)
- (buggy) dynamic commenting
- scripting support (using the debugger commands)!
- simple dump
- symbols (+ exports) view with search
- simple stack view
- programmable reference view
Known bugs:
- memory breakpoints sometimes fail (TitanEngine bug)
Last words:
The debugger core is based on TitanEngine (an updated version, https://bitbucket.org/mrexodia/titanengine-update)
Disassembly powered by BeaEngine (http://beaengine.org/).
The icon is taken from VisualPharm (http://www.visualpharm.com/)
If you have a suggestion, a bug report, need more info, want to contribute, just post a reply on the forum.
The debugger has (currently) three parts:
- DBG
- GUI
- Bridge
DBG is the debugging part of the debugger. It handles debugging (using TitanEngine) and will provide data for the GUI.
GUI is the graphical part of the debugger. It is built on top of QT and it provides the user interaction, the dump window (not yet implemented), the disassembly, the register window (not yet implemented), the memory map view (not yet implemented) etc.
Bridge is the communication library for the DBG and GUI part (and maybe in the future more parts). The bridge can be used to work on new features, without having to update the code of the other parts.
Features:
- variables (with regard to the upcoming script feature)
- basic calculations (var*@401000+.45^4A)
- hide debugger (very basic)
- software breakpoints (INT3, LONG INT3, UD2)
- memory breakpoints (read, write, execute)
- hardware breakpoints (access, write, execute)
- stepping (into, over, n instructions)
- rtr (return from function)
- memory allocation/deallocation in the debuggee
- quickly accessing API addresses (GetProcAddress->76E13620)
- highlighting (not yet customizable, but really helpful)
- memory map
- basic module labeling
- import reconstruction (plugin using Scylla)
- drag&drop files
- goto window
- register/flags view with editing support
- quite fast working in really big code pages (tested up to 5GB)
- GUI hotkeys
- dynamic jump arrow (just like OllyDbg)
- user databases for labels/comments/breakpoints/bookmarks (*.dd64 or *.dd32 files)
- easy context menu in disassembly (to set breakpoints etc)
- plugin support
- (manual) function analysis
- easily follow calls/jumps/ret (press ENTER when selecting)
- (buggy) dynamic commenting
- scripting support (using the debugger commands)!
- simple dump
- symbols (+ exports) view with search
- simple stack view
- programmable reference view
Known bugs:
- memory breakpoints sometimes fail (TitanEngine bug)
Last words:
The debugger core is based on TitanEngine (an updated version, https://bitbucket.org/mrexodia/titanengine-update)
Disassembly powered by BeaEngine (http://beaengine.org/).
The icon is taken from VisualPharm (http://www.visualpharm.com/)
If you have a suggestion, a bug report, need more info, want to contribute, just post a reply on the forum.
↧
↧
LoadDll 1.0.0.1
Better version of RunDll with GUI. This program allows you to load DLLs on Windows. You can select how to load the DLL. By direct Entry Point call (DllMain) or if you want to call directly an exported function of the DLL.
The number of arguments will be disassembled and assumed by LoadDll (RETN instruction). You can always change the number of arguments. I support only up to 5 arguments of a function. The argument types can be selected from: DWORD (numeric argument, support for dec and hex. Hex start with 0x), STR (String in ASCII), STRW (Unicode String) and a PTR (pointer which points to a empty memory allocation).
The number of arguments will be disassembled and assumed by LoadDll (RETN instruction). You can always change the number of arguments. I support only up to 5 arguments of a function. The argument types can be selected from: DWORD (numeric argument, support for dec and hex. Hex start with 0x), STR (String in ASCII), STRW (Unicode String) and a PTR (pointer which points to a empty memory allocation).
↧
IDA Pro Disassembler 6.6.140625 (Windows, Linux, Mac)
IDA Pro is a programmable, interactive, multi-processor disassembler combined with a local and remote debugger and augmented by a complete plugin programming environment.
IDA Pro is in many ways unique. Its interactivity allows you to improve disassemblies in real time. Its multi-processor support is unmatched. Yet, two of our technologies are truly unique, have never been implemented under any form in any real-life disassemblers and, more importantly, are incredible time savers.
IDA Pro is a disassembler.
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases, quite close to the original source code that produced the binary program. The map of the program's code then be postprocessed for further investigations. Some people have used it as the root of a genomic classification of viruses. (digital genome mapping advanced malware analysis)
IDA Pro is a debugger.
But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms and trojans are often armoured and obfuscated. More powerful tools are required.
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing to single step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM plaform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
IDA Pro is interactive.
Because no computer can currently beat the human brain when it comes to exploring the unknown, IDA Pro is fully interactive. In sharp contrast with its predecessors, IDA always allows the human analyst to override its decisions or to provide hints. Interactivity culminates in a built-in programming language and an open plugin architecture.
IDA Pro is programmable
IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium complexity tasks. For more advanced tasks, our open plugin architecture puts no limits on what external developers can do to enhance IDA Pro's functionality. One could, for example, extend IDA Pro with a MP3 player and make malware sing. However, we suspect our governmental customers are involved in more serious projects.
IDA Pro is in many ways unique. Its interactivity allows you to improve disassemblies in real time. Its multi-processor support is unmatched. Yet, two of our technologies are truly unique, have never been implemented under any form in any real-life disassemblers and, more importantly, are incredible time savers.
IDA Pro is a disassembler.
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases, quite close to the original source code that produced the binary program. The map of the program's code then be postprocessed for further investigations. Some people have used it as the root of a genomic classification of viruses. (digital genome mapping advanced malware analysis)
IDA Pro is a debugger.
But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms and trojans are often armoured and obfuscated. More powerful tools are required.
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing to single step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM plaform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
IDA Pro is interactive.
Because no computer can currently beat the human brain when it comes to exploring the unknown, IDA Pro is fully interactive. In sharp contrast with its predecessors, IDA always allows the human analyst to override its decisions or to provide hints. Interactivity culminates in a built-in programming language and an open plugin architecture.
IDA Pro is programmable
IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium complexity tasks. For more advanced tasks, our open plugin architecture puts no limits on what external developers can do to enhance IDA Pro's functionality. One could, for example, extend IDA Pro with a MP3 player and make malware sing. However, we suspect our governmental customers are involved in more serious projects.
↧
DEF 1.0
DEF is a small plugin to search for Delphi events.
↧
↧
DumpPE 0.1
DumpPE is a WinDBG extension that dumps PE files from memory.
It contains two commands:
!dumppe.dump_raw - dumps a PE file from memory to disk as-is (the result will be a PE file as it appears in memory (after relocations, things will be located where they should be based on RVAs, etc.)
!dumppe.dump_disk - dumps a PE file from memory to disk and attempts to write it as it was before being loaded - therefore making it a valid PE that can be loaded again at will.
It contains two commands:
!dumppe.dump_raw - dumps a PE file from memory to disk as-is (the result will be a PE file as it appears in memory (after relocations, things will be located where they should be based on RVAs, etc.)
!dumppe.dump_disk - dumps a PE file from memory to disk and attempts to write it as it was before being loaded - therefore making it a valid PE that can be loaded again at will.
↧
IDAPython 1.5.5
IDAPython is an IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro. These programs have access to IDA Plugin API, IDC and all modules available for Python. The power of IDA Pro and Python provides a platform for easy prototyping of reverse engineering and other research tools.
Archive contains Windows and Mac OS X versions.
Archive contains Windows and Mac OS X versions.
↧
CleanupExEx 0.1
CleanupExEx is a plugin for x64_dbg (32bit support only - ALPHA 18) to clear debug data. My (first) plugin is used to test x32_dbg debugger and plugin pdk in delphi LoL :))
↧
CopyHexCode 0.30
Translates Opcodes to C-Style "\x%%"
How to use?
- Copy plugin into your Olly plugin folder
- Select code in Olly Disassembly window
- Press right mouse and choose "Use CopyHexCode 2014"
- Now you got the C-Style bytes in clipboard
- Just paste them where you want
- Very useful plugin for coders or MultiASM users
How to use?
- Copy plugin into your Olly plugin folder
- Select code in Olly Disassembly window
- Press right mouse and choose "Use CopyHexCode 2014"
- Now you got the C-Style bytes in clipboard
- Just paste them where you want
- Very useful plugin for coders or MultiASM users
↧
↧
Enigma Protector 1.5x - 4.2x (Inline Patching) v1.0
Today I release a new tutorial and script I made for Enigma what can patch your new valid HWID XY. As you will see the included script works for all Enigma Versions.
You have a choice to choose a Inline or loader file what the script will create for you and your target XY.
InLine File: Script creates a new _DP file with the added inline into new section.
Loader File: Script creates a new - Loader file which starts & patched your original file.
You have a choice to choose a Inline or loader file what the script will create for you and your target XY.
InLine File: Script creates a new _DP file with the added inline into new section.
Loader File: Script creates a new - Loader file which starts & patched your original file.
↧
Highlightfish 1.0 (x64_dbg)
Highlightfish Plugin will allow you to customize x64-dbg colors and Highlightings. It supports the schemes published by "cypher" and "tr4ceflow" here: https://forum.tuts4you.com/topic/35989-themes-for-x64-dbg
If you have a nice and comfortable scheme, send it to me and I will add it in the next release.
If you have a nice and comfortable scheme, send it to me and I will add it in the next release.
↧
How To Add Your Own Relocations
Today I show you an example of how to add own relocations into your file. Lets imagine you have any none protected file like a DLL / OCX / DRV or ASLR exe file which gets loaded dynamic (ASLR) and you want to patch this file with direct VA addresses to prevent creating much patch code + creating a dynamic patch. We want to create our own code part who looks same as usually and want working with VA addresses. So to get this also working with ALSR you need to add relocations for all your new VA addresses you have added in your patch code and now I show you how you can handle this manually. So I also have never seen any relocation tool where you can do this.
↧
How To Load My DLL With a Base Offset
Today I show you quickly how you can tell your system to load your DLL with your desired base address you want manually if OllyDbg's LoadDLL tool didn't work for you.
↧
↧
IDA Skins 1.1.0
Plugin providing advanced skinning support for the Qt version of IDA Pro utilizing Qt stylesheets, similar to CSS.
↧
IDA Styler 0.1
A small plugin to change the style of Ida Pro.
↧
Themida + WinLicense 2.x (Relocation Fixing)
Short info for you about fixing unpacked DLL's with two different bases who don't have any VM Entrys.
So if you unpack a DLL which used no VM entrys then you can unpack the same DLL twice with 2 different used bases and to create later new relocations with the relox tool. Now if you use my "Ultra" unpack script then you get new unpacked conditions which you need to handle manually before you can use the relox tool to get both files loaded.
So if you unpack a DLL which used no VM entrys then you can unpack the same DLL twice with 2 different used bases and to create later new relocations with the relox tool. Now if you use my "Ultra" unpack script then you get new unpacked conditions which you need to handle manually before you can use the relox tool to get both files loaded.
↧
White-box Attack Resistant Cryptography
This thesis is focused on a study of security issues related to an execution of cryptographic algorithms in an untrusted environment. It mainly studies whitebox cryptography methods of transforming algorithms in such a way they resist attacks like key-extraction and inverting in some extent. Particularly it examines whitebox transformations of AES cipher and attacks on these transformations. Transformations construction and implementation is described. In the thesis was discovered the known attack works also on AES transformation using dual ciphers by Karroumi that was supposed to resist the attack. The new improvements for increasing a resistance of transformations to known attacks were proposed.
↧
↧
Enigma Protector 4.10 (Unpacking)
A video tutorial showing a method of unpacking Enigma Protector 4.10.
↧
Dr. Gadget 0.57b
This is an IDAPython plugin for the Interactive Disassembler for all your ROP experimentation needs ;-)
Develop and analyze ROP exploits for all processor architectures supported by IDA itself!
What's new:
* This is a fork of the 'original' Dr.Gadget plugin
* State is saved to and loaded from IDB by default
* (hopefully universal) support for all processor modules supported by IDA itself (including 64bit etc.)
* "plugin" interface - write a plugin for this plugin! ;-)
* IDA disassembly is kept in its original state
* hotkeys "1" and "2" for decrementing and incrementing an item's value, respectively (yay, more interactivity) this allows you to interactively "browse" the disassembly and memory for useful gadgets
* context-sensitive content viewers
- now used to display data by default
- visually highlight return instructions
* show extended information about modules (ASLR/DEP)
How to install:
* copy the following files and folders to your IDA/plugins directory:
- drgadget.py
- drgadget
How to use:
* restart IDA
* use the alt-F5 hotkey to invoke the plugin or invoke the plugin from the IDA plugin menu
* right-click the Dr.Gadget window for a popup menu to appear.
* use the context-sensitive popup menu to add/modify/delete items and to invoke Dr.Gadget plugins, such as the instruction finder
* with an item selected, use "1" and "2" on your keyboard to decrement and increment the item's value, respectively
* the plugin may be used both during an active debugging session (recommended!) and on a static disassembly listing
Develop and analyze ROP exploits for all processor architectures supported by IDA itself!
What's new:
* This is a fork of the 'original' Dr.Gadget plugin
* State is saved to and loaded from IDB by default
* (hopefully universal) support for all processor modules supported by IDA itself (including 64bit etc.)
* "plugin" interface - write a plugin for this plugin! ;-)
* IDA disassembly is kept in its original state
* hotkeys "1" and "2" for decrementing and incrementing an item's value, respectively (yay, more interactivity) this allows you to interactively "browse" the disassembly and memory for useful gadgets
* context-sensitive content viewers
- now used to display data by default
- visually highlight return instructions
* show extended information about modules (ASLR/DEP)
How to install:
* copy the following files and folders to your IDA/plugins directory:
- drgadget.py
- drgadget
How to use:
* restart IDA
* use the alt-F5 hotkey to invoke the plugin or invoke the plugin from the IDA plugin menu
* right-click the Dr.Gadget window for a popup menu to appear.
* use the context-sensitive popup menu to add/modify/delete items and to invoke Dr.Gadget plugins, such as the instruction finder
* with an item selected, use "1" and "2" on your keyboard to decrement and increment the item's value, respectively
* the plugin may be used both during an active debugging session (recommended!) and on a static disassembly listing
↧
XexTool 6.6
This is a tool to extract information on an xex file. It will print out xex information to the console, alter xex attributes, extract executable code and other basefiles and create idc scripts files to help with disassembling the extracted executable code.
Note: Any altered or created retail xex files will not be correctly signed.
Note: Any altered or created retail xex files will not be correctly signed.
↧