This tool will extract the opcodes from the .text section and display in different hex formats for different syntaxes. Works only with valid PE files. Coded in C++Builder XE5.
Download: https://github.com/OsandaMalith/ShellCode-Extractor/releases
Reversing
2014 Flare On Challenge 1
You can download the challenge from here: http://www.flare-on.com/files/C1.exe
As we run the application we get this.
When we click on decode the we get this encrypted string.
Share this:
Hiding Data Inside Memory Addresses
This is a small finding I found while I was experimenting on pointers in C. Usually in C the arithmetic on pointers depend on the size of the data types. If we initialize a int variable, the compiler will allocate 4 bytes in memory since its 32 bits. I assume you are well aware of these basics in C 🙂 I wanted to store data inside the empty addresses allocated by int data type. This is a bit challenging in a high level programming language. Of course using inline assembly I could have achieved this. But I wanted to achieve this using native C operators.
To understand this let’s begin from a simple approach.
|
1 2 3 4 5 6 7 8 9 10 |
#include <stdio.h> int main() { unsigned int var = 100; unsigned int var2 = 200; printf("%u\n",var); printf("%u\n",var2); } |
Share this:
Rootme No software breakpoints Cracking Challenge
Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.
Let’s run the file command and see.
% file ch20.bin ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080
This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂
(more…)
Share this:
Newbie Keygenning 1
This is a random very old crackme I found when I was bored with assignments, which is pretty easy and thought of sharing with you. Doing crackmes one by one 😀 Download: https://www.mediafire.com/?351rp7o9qmf97js
After opening in Olly and checking the string references we can see the congratulations string.
After following the string we see the following disassembly.
Share this:
Writing a Bootloader
What is a Bootloader?
A bootloader is a special program that is executed each time a bootable device is initialized by the computer during its power on or reset that will load the kernel image into the memory. This application is very close to hardware and to the architecture of the CPU. All x86 PCs boot in Real Mode. In this mode you have only 16-bit instructions. Our bootloader runs in Real Mode and our bootloader is a 16-bit program.
https://manybutfinite.com/img/boot/bootProcess.png
How this works?
When you switch on the PC the BIOS want to boot up an OS which must be found somewhere in hard disks, floppy disk, CDs, etc. The order in which BIOS searches an OS is user configurable. Next the BIOS reads the first 512 byte sector of the bootable disk. Usually a sector is 512 bytes in size. This is known as the Master Boot Record (MBR). BIOS simply loads the contents of the MBR into memory location “0x7c00” and jumps to that location to start executing whatever code is in the MBR. Our bootloader should be 512 bytes in size as well.
https://manybutfinite.com/img/boot/masterBootRecord.png
(more…)
Share this:
How to Turn Your Switch into a Snitch
Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.
This post is all about modifying your existing router firmware to perform cool things.
Hardware and Tools Needed:
For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).
Download Firmware Mod Kit
(more…)
Share this:
Getting Shellcode from ARM Binaries
For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:
.section .text
.global _start
_start:
.code 32
# Thumb-Mode on
add r6, pc, #1
bx r6
.code 16
# _write()
mov r2, #7
mov r1, pc
add r1, #12
mov r0, $0x1
mov r7, $0x4
svc 0
# _exit()
sub r0, r0, r0
mov r7, $0x1
svc 0
.ascii "Osanda\n"
Share this:
Solving Root-me Ptrace challenge
You can find the challenge from here. The challenge is to find the password for the elf 32 binary. This is how this looks at a glance.
Let’s fire up GDB and check this out. I’ll break main and run. We can see that arguments to ptrace() function is being pushed on the stack and ptrace is being called.
=> 0x080483fe <+14>: sub esp,0x14
0x08048401 <+17>: mov DWORD PTR [ebp-0xc],0x80c2888
0x08048408 <+24>: push 0x0
0x0804840a <+26>: push 0x1
0x0804840c <+28>: push 0x0
0x0804840e <+30>: push 0x0
0x08048410 <+32>: call 0x8058a70 <ptrace>
Share this:
Running Shellcode in your Raspberry Pi
I was interested in learning ARM assembly language for developing small applications for microcontrollers. I wrote this small piece of shellcode which will write “127.0.0.1 google.lk” inside the /etc/hosts file in a Linux system. I used my Raspberry Pi model B+ for this 🙂
We will be needing the following syscalls.
[code language=”c”]
#define __NR_exit (__NR_SYSCALL_BASE+ 1)
#define __NR_write (__NR_SYSCALL_BASE+ 4)
#define __NR_open (__NR_SYSCALL_BASE+ 5)
#define __NR_close (__NR_SYSCALL_BASE+ 6)
[/code]
