Stack Analysis of x86 Executables
Binary rewriting is becoming increasingly popular for a variety of low-level code manipulation purposes. One of the difficulties encountered in this context is that machine-language programs typically carry much less semantic information than source code, which makes it harder to reason about the program's runtime behavior. This problem is especially acute in the widely used Intel x86 architecture, where the paucity of registers often makes it necessary to store values on the runtime stack. The use of memory in this manner affects many analyses and optimizations because of the possibility of indirect memory references, which are difficult to reason about. This paper describes a simple analysis of some basic aspects of the way in which programs manipulate the runtime stack. The information so obtained can be very helpful in enhancing and improving a variety of other data flow analyses that reason about and manipulate values stored on the runtime stack. Experiments indicate that the analyses are efficient and useful for improving optimizations that need to reason about the runtime stack.
RDG Packer Detector 0.7.2
RDG Packer Detector detects packers (software protectors), compilers, fitters, etc.
Nanomite 0.1 Beta 17
A graphical debugger for x64 and x86 on Windows. Features:
- Debugging x86 and x64 (+ WOW64) processes
- Breakpoints
  - Software
  - Memory
  - Hardware
- Step In
- Step Over
- Step Out
- Step back to user code
- Attaching
- Detaching
- Single Step Tracing
- Supporting child processes
- Supporting multithreading
- Display source code
- Patching of instructions
- Detailed view of:
  - disassembly
  - windows
  - handles
  - debug strings
  - threads
  - (child) processes
  - exceptions
  - process privileges
  - loaded modules
  - strings
  - callstack
  - stack
  - heap
  - cpu registers
  - functions
  - pe header
  - TEB/TBI
  - PEB/PBI
MOllyDbg Language Files v0.1
I translated OllyDbg 2.01 to the following languages (OllyDbg.lng): Irish, French and German.
Holyshit 0.3.3 (2)
The first version of this plugin had only one feature: adding a label list. The second edition includes a feature that lets OllyDbg load .sys files. I added this feature for common use (but with this plugin, so far, you can't unpack driver files; it can't even get you to the EP). In a future edition we will be able to unpack a packed driver in OllyDbg, in ring 3!
The toolbar is from IDAFicator; I just improved it. It is flexible and supports OllyDbg 2.01h.
I have written all the details in toolbar.ini in Chinese, because this plugin was only released yesterday and I had never thought it would be released on Tuts 4 You.
The main goal of this plugin is the same as IDAFicator's: "This plugin tries to make the life of OllyDBG users easier by bringing to him some fast and frequently used function."
Holyshit 0.3.3
The first version of this plugin had only one feature: adding a label list. The second edition includes a feature that lets OllyDbg load .sys files. I added this feature for common use (but with this plugin, so far, you can't unpack driver files; it can't even get you to the EP). In a future edition we will be able to unpack a packed driver in OllyDbg, in ring 3!
The toolbar is from IDAFicator; I just improved it. It is flexible and supports OllyDbg 2.01h.
I have written all the details in toolbar.ini in Chinese, because this plugin was only released yesterday and I had never thought it would be released on Tuts 4 You.
The main goal of this plugin is the same as IDAFicator's: "This plugin tries to make the life of OllyDBG users easier by bringing to him some fast and frequently used function."
BinaryCopyEx 1.1.0
BinaryCopyEx is a plugin for the OllyDbg 2.01 debugger that extends OllyDbg's copy capabilities. Binary code can be copied in the following syntaxes:
- Hex Values
- Assembler
- C/C++
- Pascal
- Basic
- Binary As ASCII String
- Binary As Unicode String
Binary code can also be copied with the following data types:
- Byte
- Word
- Dword
- Qword
Installation:
- Extract BinaryCopyEx.dll into the OllyDbg plugin folder.
Main features:
- select a virtual memory address/address range directly in the CPU pane (Disasm, Dump or Stack panes)
- enter a virtual memory address/address range manually in the plugin window
- copy binary to the clipboard (according to the selected format: syntax, data type, etc.)
- save binary to a text file (according to the selected format: syntax, data type, etc.)
Format options:
- set the number of items (byte, word, dword, qword) per line
- set leading zeros (if necessary)
- split items by any characters (including spaces and tabs)
- swap the bytes of items (word, dword, qword)
Plugin options:
- create a toolbar button on startup (default is on)
- change the toolbar button offset (position in the toolbar)
- switch on/off flashes (messages) in the OllyDbg info line when a virtual memory address/address range is selected
- change the text file extension (default is .txt)
Shortcut:
- Use ALT+Q to open the BinaryCopyEx window
ArkDasm 0.5.0
ArkDasm is a 64-bit interactive disassembler. Supported file types: PE64, raw binary files.
A Model for Self-Modifying Code
Self-modifying code is notoriously hard to understand and therefore very well suited to hide program internals. In this paper we introduce a program representation for this type of code: the state-enhanced control flow graph. It is shown how this program representation can be constructed, how it can be linearized into a binary program, and how it can be used to generate, analyze and transform self-modifying code.
Pev 0.70
Pev is a multiplatform PE analysis toolkit with tools to retrieve and parse information about Windows PE files.
* pehash - calculate PE file hashes
* pedis - PE disassembler
* pepack - packer detector
* pescan - search for suspicious things in PE files, including TLS callbacks
* pesec - check security features in PE files
* pestr - search for unicode and ascii strings in PE files
* readpe - show PE file headers, sections and more
* rva2ofs - convert RVA to raw file offsets
* ofs2rva - convert raw file offsets to RVA
The main points are:
- No dependency on the Windows API; pev uses its own PE library, libpe.
- Tested on Windows, Linux and OS X.
- Support for 32- and 64-bit PE files.
- Written entirely in C (C99), so it is multiplatform.
- Fully scriptable: all pev tools are command-line programs and produce plain-text and CSV output (HTML, XML and JSON output in development).
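The two conversions rva2ofs and ofs2rva perform, and the DllCharacteristics bits a pesec-style check reads, come straight from the PE section table and optional header. The following is an added example written for this page, not pev's libpe: it parses those headers with struct, converts in both directions (returning None for bytes that exist only in memory, such as a .bss tail), and names the hardening flags. The PE image it parses is constructed inline (headers only, two sections) so the script runs offline; treating RVAs below the first section as header bytes mapped 1:1 is this example's choice.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",   # ASLR
    0x0100: "NX_COMPAT",      # DEP
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",       # Control Flow Guard
}


def parse_pe(data):
    """Return (DllCharacteristics, section list) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + opt_size                 # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return dllchar, sections


def security_flags(dllchar):
    """Names of the hardening bits set in DllCharacteristics."""
    return sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchar & bit)


def rva2ofs(rva, sections):
    """RVA -> raw file offset. None for bytes that exist only in memory (a section's
    virtual tail such as .bss) or for RVAs outside every section. RVAs below the
    first section are treated as header bytes and mapped 1:1 (this example's choice)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    if sections and rva < sections[0]["va"]:
        return rva
    return None


def ofs2rva(ofs, sections):
    """Raw file offset -> RVA (inverse of rva2ofs for bytes present on disk)."""
    for s in sections:
        if s["rawptr"] <= ofs < s["rawptr"] + s["rawsize"]:
            return s["va"] + (ofs - s["rawptr"])
    if sections and ofs < sections[0]["rawptr"]:
        return ofs
    return None


def build_sample_pe():
    """Constructed, headers-only PE32+ image (not a real binary): .text at RVA 0x1000 /
    file 0x400 (0x800 bytes) and .data at RVA 0x2000 / file 0xC00 with only 0x200 of
    its 0x2000 virtual bytes on disk. DllCharacteristics has ASLR, DEP and HEVA set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)  # x64, 2 sections
    opt = bytearray(240)                                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100)

    def section(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020)
            + section(b".data", 0x2000, 0x2000, 0x200, 0xC00, 0xC0000040))


if __name__ == "__main__":
    dllchar, sections = parse_pe(build_sample_pe())
    print("DllCharacteristics 0x%04x: %s" % (dllchar, ", ".join(security_flags(dllchar))))
    for s in sections:
        print("%-8s VA 0x%05x (0x%x bytes)  raw 0x%05x (0x%x bytes)"
              % (s["name"], s["va"], s["vsize"], s["rawptr"], s["rawsize"]))
    print("RVA 0x1234 -> file offset 0x%x" % rva2ofs(0x1234, sections))
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); the None result from rva2ofs is the case to watch for when patching, since an RVA inside a section's virtual-only tail has no byte on disk to change.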
64-bit calc.exe Stack Overflow Root Cause Analysis
This paper discusses a 64-bit calc.exe crash analysis. The bug found is a stack overflow exception, and I tried to define the root cause of this bug and the exact conditions under which a user can successfully reproduce it.
ELF101 - A Linux Executable Walkthrough
This graphic is a walk through of a simple Linux executable that shows its dissected structure and explains how it's loaded by the operating system.
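The loading step the walkthrough illustrates is driven entirely by the program headers: for each PT_LOAD segment the kernel maps p_filesz bytes from p_offset at p_vaddr with the permissions in p_flags, then zero-fills up to p_memsz. The following is an added example, not part of the ELF101 graphic: it parses an ELF64 header and program headers with struct, derives that load plan, and resolves an address (the entry point, or a .bss address) to the segment that will hold it. The ELF image is constructed inline (headers plus padding, no real code) so the script runs offline.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf64(data):
    """Return the fields of the ELF header and program headers we care about."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, p_align = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz,
                         "align": p_align})
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "segments": segments}


def perms(flags):
    """Render p_flags the way readelf/maps do: 'r-x', 'rw-', ..."""
    return "".join(c if flags & b else "-" for b, c in ((PF_R, "r"), (PF_W, "w"), (PF_X, "x")))


def load_plan(elf):
    """One entry per PT_LOAD: what gets mapped from the file and how much is
    zero-filled afterwards (the zero-filled tail is where .bss lives)."""
    plan = []
    for s in elf["segments"]:
        if s["type"] != PT_LOAD:
            continue
        plan.append({"vaddr": s["vaddr"], "perms": perms(s["flags"]),
                     "file_offset": s["offset"], "file_bytes": s["filesz"],
                     "zero_fill": s["memsz"] - s["filesz"]})
    return plan


def segment_for(elf, vaddr):
    """The PT_LOAD segment that will contain vaddr once mapped (memsz, not filesz,
    so .bss addresses resolve too); None if the address is never mapped."""
    for s in elf["segments"]:
        if s["type"] == PT_LOAD and s["vaddr"] <= vaddr < s["vaddr"] + s["memsz"]:
            return s
    return None


def build_sample_elf():
    """Constructed ELF64 x86-64 executable (headers and padding only): an r-x text
    segment at 0x400000 covering the headers, and an rw- data segment at 0x600200
    with 0x100 bytes on disk and a 0x100-byte zero-filled tail."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x400080, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    text = PHDR.pack(PT_LOAD, PF_R | PF_X, 0x0, 0x400000, 0x400000, 0x200, 0x200, 0x1000)
    data = PHDR.pack(PT_LOAD, PF_R | PF_W, 0x200, 0x600200, 0x600200, 0x100, 0x200, 0x1000)
    img = ehdr + text + data
    return img + bytes(0x300 - len(img))                        # pad so both file ranges exist


if __name__ == "__main__":
    elf = parse_elf64(build_sample_elf())
    print("entry 0x%x" % elf["entry"])
    for p in load_plan(elf):
        print("map 0x%x bytes from file 0x%x at 0x%x %s, then zero 0x%x"
              % (p["file_bytes"], p["file_offset"], p["vaddr"], p["perms"], p["zero_fill"]))
    seg = segment_for(elf, elf["entry"])
    print("entry point lands in a %s segment" % perms(seg["flags"]))
```

The last line is the check worth keeping: an entry point that resolves to no PT_LOAD segment, or to one without PF_X, is a malformed or deliberately odd binary and a reason to look closer before running it.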
!apilookup PyCommand 1.0
Win32 API function finder/locator. This Immunity Debugger PyCommand gives quick access to Win32 API functions, based on the old Win32API.HLP file.
Writing a WinRAR Key Logger
In this tutorial I will show how to write a WinRAR key logger. This key logger differs from other key loggers available on the net in that it does not require any installation or starting any hidden background process/service that hijacks the keyboard and listens for key presses. This key logger is also not truly a key logger: it only logs the password typed into the 'Enter password' dialog box shown below.
Themida + WinLicense 2.x (HWID + UnVirtualize + OEP + VM)
Today I have a free hour and I want to share a little-discussed issue of Themida/WL: unvirtualization of the VM.
We will follow these steps:
1. Unpacking
2. Unvirtualize the VM (in this case the OEP).
3. Rebuild the PE
4. Remove the VM from the file
I am sure there can be some questions, but if you have any trouble understanding, feel free to ask.
The unpacking and HWID bypass are done via LCF-AT's script.
The unvirtualization is done via DeathWay's plugin.
The rest is all by hand.
If you don't understand why I have used some addresses or values, think a little bit, and if you don't catch the point just ask on the forum.
P.S.
Thanks to LCF-AT and DeathWay for the information they posted on Tuts 4 You.
Reversing a Frozen Python Executable
This document presents a way to reverse engineer frozen Python executables.
We have all at some point reversed natively compiled applications like the ones generated by Visual C++, Delphi, etc., but reversing a frozen Python executable presents a new challenge, and this area is not yet fully explored.
So this document is going to explore some of those challenges and the way we can proceed in such a situation.
[This whole tutorial is for learning purposes only and any other unethical use is strongly discouraged]
MPress 2.19 x32 x64 (Unpacking)
Because of a request from someone, I created a tutorial on unpacking MPRESS v2.19 (x32 and x64 builds).
The tutorial + unpackme files are attached; the debugger used in the tutorial can be downloaded at http://x64dbg.com. Note that the tutorial is intended for newbies and as promotion of x64_dbg, so don't expect anything special.
Exploit Writing - Stack Based Overflows
This tutorial explains what a buffer overflow is and how attackers can inject malicious code through such software bugs.
The exploit is implemented against a vulnerable version of Easy RM to MP3 Converter, version 2.7.3.7.00.
Tools used:
Immunity Debugger (XP SP3)
Python (XP SP3)
Metasploit (Kali Linux)
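The step in a stack-overflow write-up where Metasploit does the work is finding how many bytes precede the saved return address: send a cyclic pattern, read the value the debugger shows in EIP after the crash, and map it back to an offset. The following is an added example written for this page, not the tutorial's or Metasploit's code: it reimplements the pattern_create/pattern_offset technique in Python and pairs it with a constructed stand-in for the crash (a buffer of assumed size followed by the return address) so the round trip can be run without the target.

```python
import string


def pattern_create(length):
    """Build the classic 'Aa0Aa1Aa2...' cyclic pattern. Each 3-byte triple
    (upper, lower, digit) is unique, so any 4 consecutive bytes identify a single
    offset for lengths up to 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)          # caller asked for more than the pattern can give


def pattern_offset(eip_value, length=20280):
    """Map the 32-bit value read from EIP after the crash back to its offset in
    the pattern. x86 is little-endian, so the register holds the four buffer
    bytes reversed; -1 means the value did not come from the pattern."""
    needle = eip_value.to_bytes(4, "little")
    return pattern_create(length).find(needle)


def simulate_crash(payload, buffer_size):
    """Constructed stand-in for the vulnerable program: a stack buffer of
    buffer_size bytes sits directly below the saved return address, and an
    unbounded copy of payload overwrites it. Returns the value the debugger
    would show in EIP, or None when the payload is too short to reach it."""
    if len(payload) < buffer_size + 4:
        return None
    return int.from_bytes(payload[buffer_size:buffer_size + 4], "little")


if __name__ == "__main__":
    buffer_size = 1024                      # assumed for the demo; the real target decides this
    payload = pattern_create(buffer_size + 200)
    eip = simulate_crash(payload, buffer_size)
    print("EIP = 0x%08x -> pattern offset %d" % (eip, pattern_offset(eip)))
```

Against a live target the payload goes into the file or network input the tutorial fuzzes, Immunity Debugger supplies the EIP value, and pattern_offset gives the number of filler bytes to place before the address that will replace the saved return address. A -1 result means EIP was not overwritten by the pattern bytes (a different crash, or a pattern longer than 20280 bytes, which repeats).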
PeStudio 8.00
PeStudio is a free tool for static analysis of any Windows application; it reveals not only raw data but also indicators of trust. Executable files analyzed with PeStudio are never started, so suspicious applications can be examined without ever executing them.
Depending on how it is started, PeStudio has a graphical user interface (GUI) or a character-based user interface (CUI), which is especially useful for batch-mode parsing of executable files.
PeStudio has a set of unique features, such as looking up the image being analyzed on VirusTotal and starting new instances of PeStudio on the image's dependencies. PeStudio reads the raw data of the Windows Portable Executable format directly; no Windows API is used to gather elements.
Another feature unique to PeStudio is the ability to create an XML report of the image being analyzed.
PeSpin 1.22 x64 (Unpacking)
Just another basic x64 unpacking video tutorial, proof of concept for x64_dbg and Scylla.