This paper discusses a 64-bit calc.exe crash analysis; the bug found is a Stack Overflow Exception, and I tried to define the root cause of this bug and the exact conditions under which a user can successfully reproduce it.
64-bit calc.exe Stack Overflow Root Cause Analysis
ELF101 - A Linux Executable Walkthrough
This graphic is a walk-through of a simple Linux executable that shows its dissected structure and explains how it is loaded by the operating system.
!apilookup PyCommand 1.0
Win32API Function Finder/Locator. This Immunity Debugger PyCommand can be used to get quick access to Win32 API functions based on the old Win32API.HLP file.
Writing a WinRAR Key Logger
In this tutorial I will show how to write a WinRAR key logger. This key logger is different from other key loggers available on the net in the sense that it does not require any installation or starting any hidden background process/service that hijacks the keyboard and listens for key presses. This key logger is also not truly a key logger: it only logs the password typed into the ‘Enter password’ dialog box shown below.
Themida + WinLicense 2.x (HWID + UnVirtualize + OEP + VM)
Today I have a free hour and I want to share a little not too much discussed issue of Themida/WL: Unvirtualization of the VM.
We will follow some steps:
1. Unpacking
2. Unvirtualize the VM (in this case the OEP).
3. Rebuild the PE
4. Remove the VM from the file
I am sure there will be some questions, but if you have any trouble understanding, feel free to ask.
The unpack and HWID bypass is done via LCF-AT script.
The unvirtualization is done via a plugin by DeathWay.
The rest is all by hand.
If you don't understand why I have used some addresses or values think a little bit and if you don't catch the point just ask on the forum.
P.S.
Thanks to LCF-AT and DeathWay for their information posted on Tuts 4 You.
Reversing a Frozen Python Executable
This document presents a way to reverse engineer frozen python executables.
We have all at some point reversed natively compiled applications like the ones generated by Visual C++, Delphi etc., but reversing a frozen Python executable presents a new challenge, and this area is not yet fully explored.
So this document is going to explore some of those challenges and the way we can proceed in such a situation.
[This whole tutorial is for learning purposes only and any other unethical use is strongly discouraged]
MPress 2.19 x32 x64 (Unpacking)
Because of a request from someone I created a tutorial on unpacking MPRESS v2.19 (x32 and x64 build).
The tutorial + unpackme files are attached; the debugger used in the tutorial can be downloaded at: http://x64dbg.com. Notice that the tutorial is intended for newbies and as promotion of x64_dbg, so don't expect anything special.
Exploit Writing - Stack Based Overflows
This tutorial will explain what a buffer overflow is, and how attackers can inject malicious code due to software bugs.
The exploit will be implemented on a vulnerable version of Easy RM to MP3 Converter, Version 2.7.3.7.00.
Tools used:
Immunity Debugger (XP – SP3)
Python (XP – SP3)
Metasploit (Kali-linux)
Automatic Deobfuscation of Emulation-Obfuscated Software
Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed (“deobfuscated”) in order to understand the internal logic of the code and devise countermeasures. This paper discusses an approach for deobfuscation of code that uses emulation-based obfuscation, a particularly challenging class of obfuscations that has been deployed in recent years. Our approach is highly general in that we do not make any assumptions about the nature of the obfuscations used; instead, we use semantics-preserving program transformations to simplify away obfuscation code. Experiments show that our approach is effective in extracting the internal logic from code obfuscated using a variety of emulation-based obfuscators, including tools such as Themida that previous approaches could not handle.
An Introduction to Reverse Engineering for Beginners
Here (will be) some of my notes about reverse engineering, in English and Russian, for those beginners who would like to learn to understand x86 code created by C/C++ compilers (which makes up the largest share of all executable software in the world).
The two most used compilers are MSVC and GCC; we will use these for experiments.
There are two widely used x86 assembler syntaxes: Intel (most used in DOS/Windows) and AT&T (used in *NIX) 1. Here we use Intel syntax. IDA 5 produces Intel-syntax listings too.
http://en.wikipedia.org/wiki/X86_assembly_language#Syntax
IDA Pro Disassembler 6.5.131213 (Windows, Linux, Mac)
IDA Pro is a programmable, interactive, multi-processor disassembler combined with a local and remote debugger and augmented by a complete plugin programming environment.
IDA Pro is in many ways unique. Its interactivity allows you to improve disassemblies in real time. Its multi-processor support is unmatched. Yet, two of our technologies are truly unique, have never been implemented under any form in any real-life disassemblers and, more importantly, are incredible time savers.
IDA Pro is a disassembler.
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases quite close to the original source code that produced the binary program. The map of the program's code can then be postprocessed for further investigations. Some people have used it as the root of a genomic classification of viruses (digital genome mapping, advanced malware analysis).
IDA Pro is a debugger.
But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms and trojans are often armoured and obfuscated. More powerful tools are required.
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing the analyst to single-step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
IDA Pro is interactive.
Because no computer can currently beat the human brain when it comes to exploring the unknown, IDA Pro is fully interactive. In sharp contrast with its predecessors, IDA always allows the human analyst to override its decisions or to provide hints. Interactivity culminates in a built-in programming language and an open plugin architecture.
IDA Pro is programmable.
IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium complexity tasks. For more advanced tasks, our open plugin architecture puts no limits on what external developers can do to enhance IDA Pro's functionality. One could, for example, extend IDA Pro with a MP3 player and make malware sing. However, we suspect our governmental customers are involved in more serious projects.
Win32 Programmers Reference Guide CHM
Microsoft's Win32 programmers API reference guide in CHM format.
OllyDbg 1.10 Manual
OllyDbg v1.10 manual in CHM format.
Intel Hex Opcodes and Mnemonics
The Intel Hex Opcodes and Mnemonics manual in CHM format.
Immunity Debugger 1.0 Manual
Immunity Debugger 1.0 manual in CHM format.
Immunity Debugger Python API
Immunity Debugger Python API list in CHM format.
Immunity Debugger Command Box
Immunity Debugger Command Box in CHM format.
x64_dbg 0.4
This is an x32/x64 debugger that is currently in active development.
The debugger has (currently) three parts:
- DBG
- GUI
- Bridge
DBG is the debugging part of the debugger. It handles debugging (using TitanEngine) and will provide data for the GUI.
GUI is the graphical part of the debugger. It is built on top of Qt and provides the user interaction, the dump window (not yet implemented), the disassembly, the register window (not yet implemented), the memory map view (not yet implemented), etc.
Bridge is the communication library for the DBG and GUI part (and maybe in the future more parts). The bridge can be used to work on new features, without having to update the code of the other parts.
Right now the debugger supports the following features:
- variables (with regard to the upcoming script feature)
- basic calculations (var*@401000+.45^4A)
- hide debugger (very basic)
- software breakpoints (INT3, LONG INT3, UD2)
- memory breakpoints (read, write, execute)
- hardware breakpoints (access, write, execute)
- stepping (into, over, n instructions)
- rtr (return from function)
- memory allocation/deallocation in the debuggee
- quickly accessing API addresses (GetProcAddress->76E13620)
- highlighting (not yet customizable, but really helpful)
The debugger core is based on TitanEngine (an updated version) and the disassembly is powered by BeaEngine. The icon is taken from VisualPharm.
If you have a suggestion, a bug report, need more info, want to contribute, just post a reply on the forum.
Themida + WinLicense 2.x Ultra Unpacker v1.0
This script can unpack your Themida and WinLicense targets completely and independently in the best case.
Themida + WinLicense 2.x (Ultra Unpacker v1.0)
So you already know my older script, which is no longer up to date and mostly fails to unpack newer protected files. Now, after working for a long time on a new script to handle Themida and WinLicense targets, it is finished so far. The script will unpack your files completely and you don't need to dump or fix anything!
All you have to do now is follow each video I made before you start to test the script, as there is also some information which you need to know. Okay, so let's start!