Jump to content

Search the Community

Showing results for tags 'reversing'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 3 results

  1. Title: Analysing RPC With Ghidra and Neo4j Synopsis: Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below the surface. And often the payoff far outweighs the time to discovery, with SOC or EDR vendors focusing on the more common published techniques, identifying a new way to introduce code execution on a host can throw a spanner in the works of the investigating team. In previous posts I've tried to look at different ways to mix up common attack signatures. Since working on posts exploring Mimikatz and lsass internals, I've had a few requests for information on how the demonstrated lsass DLL loading techniques were found, and how it may be possible to identify others. So in this post I wanted to present a workflow which I have found to be a useful when looking at Windows RPC method internals, and walk through some of the techniques I've used to minimise the grinding required to hunt for interesting vectors. Source: https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/ Via:
  2. Hey Friend's, I just write small paper on Android Reversing based on Target which i reverse.. Hop u Guy's like it.. Download Link:- https://www.dropbox.com/s/nkkmp4ait71kjku/Android%20Application%20Reversing%20Via%20Android%20Mobile.pdf?dl=0 Br, Nieo
  3. Reversing the bomb Acest tutorial are ca scop o introducere in domeniul reversing , aici voi discuta despre modul in care poate fi schimbat fluxul unui program.In acelasi timp va fi si un raspuns pentru challenge-ul pe care l-am creat .Vom avea urmatorul exemplu:Un program in care user-ului i se cere o cheie pentru a putea schimba fluxul , in acelasi timp se presupune ca user-ul nu poate ghici care este aceasta cheie sau serial.Vom lua executabilul bomb32 si il vom analiza.Vom folosi urmatoarele tool-uri pentru a face aceasta inspectie: Un debugger , eu prefer gdb dar poate fi oricare altul.Un Hex editor , voi folosi bvi dar exista diverse altele cu interfata grafica precum bless , okteta sau wxHexEditor.In acest articol voi folosi objdump si nm . Tin sa precizez faptul ca nu intotdeauna se pot extrage unele informatii folosind objdump sau nm.In urmatorul exemplu vom vedea sectiile create in acest executabil. [pyth0n3@mc]$ nm bomb 080491e0 A __bss_start 080491e0 A _edata 080491e0 A _end 08048081 T _start 0804919e d arm 08048085 t armed 080490f4 d buf 00000095 a bufl 08049174 d bufs 08049189 d dis 080480c6 t disarm 080491b1 d do 080480d8 t explode 080480e8 t out 08048074 t print 080480bb t wires Folosind un debugger vom putea pune un breakpoint si analiza fiecare sectie , dar inainte vom dezasabla fiecare sectie de cod folosind objdump [pyth0n3@mc]$ objdump -S bomb bomb: file format elf32-i386 Disassembly of section .text: 08048074 <print>: 8048074: b8 04 00 00 00 mov $0x4,%eax 8048079: bb 01 00 00 00 mov $0x1,%ebx 804807e: cd 80 int $0x80 8048080: c3 ret 08048081 <_start>: 8048081: 90 nop 8048082: 90 nop 8048083: 90 nop 8048084: 90 nop 08048085 <armed>: 8048085: 8d 0d 9e 91 04 08 lea 0x804919e,%ecx 804808b: ba 13 00 00 00 mov $0x13,%edx 8048090: e8 df ff ff ff call 8048074 <print> 8048095: 8d 0d b1 91 04 08 lea 0x80491b1,%ecx 804809b: ba 2f 00 00 00 mov $0x2f,%edx 80480a0: e8 cf ff ff ff call 8048074 <print> 80480a5: b8 03 00 00 00 mov $0x3,%eax 80480aa: bb 00 00 00 00 mov $0x0,%ebx 80480af: b9 f4 90 04 08 mov $0x80490f4,%ecx 80480b4: ba 95 00 00 00 mov $0x95,%edx 80480b9: cd 80 int $0x80 080480bb <wires>: 80480bb: 31 c0 xor %eax,%eax 80480bd: 3d 09 03 00 00 cmp $0x309,%eax 80480c2: 75 14 jne 80480d8 <explode> 80480c4: cd 80 int $0x80 080480c6 <disarm>: 80480c6: 8d 0d 89 91 04 08 lea 0x8049189,%ecx 80480cc: ba 16 00 00 00 mov $0x16,%edx 80480d1: e8 9e ff ff ff call 8048074 <print> 80480d6: eb 10 jmp 80480e8 <out> 080480d8 <explode>: 80480d8: 8d 0d 74 91 04 08 lea 0x8049174,%ecx 80480de: ba 15 00 00 00 mov $0x15,%edx 80480e3: e8 8c ff ff ff call 8048074 <print> 080480e8 <out>: 80480e8: b8 01 00 00 00 mov $0x1,%eax 80480ed: bb 00 00 00 00 mov $0x0,%ebx 80480f2: cd 80 int $0x80 Voi comenta fiecare sectie pentru a avea o idee putin mai clara.Aici vine declarata o functie care va stampa pe ecran valori (momentan a fost doar declarata functia , dar poate fi chemata in alte sectii) Daca ati citit articolul pe care l-am scris despre assembly veti putea interpeta fiecare valoare care vine pusa in registrii. 08048074 <print>: 8048074: b8 04 00 00 00 mov $0x4,%eax 8048079: bb 01 00 00 00 mov $0x1,%ebx 804807e: cd 80 int $0x80 8048080: c3 ret De la sectia start incepe executarea programului iar 4 valori chemate nop nu fac absolut nimic .In sectia armed vin incarcate cateva valori in registri dupa care vine chemata functia print care nu face altceva decat sa stampeze aceste valori pe ecran. 08048081 <_start>: 8048081: 90 nop 8048082: 90 nop 8048083: 90 nop 8048084: 90 nop 08048085 <armed>: 8048085: 8d 0d 9e 91 04 08 lea 0x804919e,%ecx 804808b: ba 13 00 00 00 mov $0x13,%edx 8048090: e8 df ff ff ff call 8048074 <print> 8048095: 8d 0d b1 91 04 08 lea 0x80491b1,%ecx 804809b: ba 2f 00 00 00 mov $0x2f,%edx 80480a0: e8 cf ff ff ff call 8048074 <print> 80480a5: b8 03 00 00 00 mov $0x3,%eax 80480aa: bb 00 00 00 00 mov $0x0,%ebx 80480af: b9 f4 90 04 08 mov $0x80490f4,%ecx 80480b4: ba 95 00 00 00 mov $0x95,%edx 80480b9: cd 80 int $0x80 Pentru a analiza exact ce vine facut in aceasta sectie vom folosi gdb (gdb) break armed Breakpoint 1 at 0x8048085 (gdb) run Starting program: /home/pyth0n3/Desktop/bomb Breakpoint 1, 0x08048085 in armed () (gdb) s Single stepping until exit from function armed, which has no line number information. 0x08048074 in print () (gdb) s Single stepping until exit from function print, which has no line number information. [COLOR="#00FF00"]Bomb Armed ______ 0x08048095 in armed ()[/COLOR] (gdb) s Single stepping until exit from function armed, which has no line number information. 0x08048074 in print () (gdb) s Single stepping until exit from function print, which has no line number information. [COLOR="#00FF00"]Disarm the bomb by cutting the correct wires > 0x080480a5 in armed ()[/COLOR] (gdb) s Single stepping until exit from function armed, which has no line number information. [COLOR="#00FF00"]Aici vine cerut un input [/COLOR] Am pus un breakpoint in sectia armed dupa care am rulat programul si am vazut ce face in fiecare step.Am evidentiat in culoare verde ceea ce vine executat in aceasta sectie.Dupa cum observati vin stampate cateva informatii si vine cerut un input de la user.Vom merge mai departe sa analizam urmatoarea sectie. 080480bb <wires>: 80480bb: 31 c0 xor %eax,%eax 80480bd: 3d 09 03 00 00 cmp $0x309,%eax 80480c2: 75 14 jne 80480d8 <explode> 80480c4: cd 80 int $0x80 080480c6 <disarm>: 80480c6: 8d 0d 89 91 04 08 lea 0x8049189,%ecx 80480cc: ba 16 00 00 00 mov $0x16,%edx 80480d1: e8 9e ff ff ff call 8048074 <print> 80480d6: eb 10 jmp 80480e8 <out> 080480d8 <explode>: 80480d8: 8d 0d 74 91 04 08 lea 0x8049174,%ecx 80480de: ba 15 00 00 00 mov $0x15,%edx 80480e3: e8 8c ff ff ff call 8048074 <print> Imediat dupa armed vine executata sectia wires .Vom analiza fiecare instructie.xor %eax,%eax nu face altceva decat sa puna valoarea 0 in registrul eax. cmp $0x309,%eax compara numarul 777 cu registrul eax.309 in hex este echivalent cu 777.In eax avem valoarea 0 datorita instructiei precedente.Deci vine comparat 777 cu 0 , asadar aceste 2 valori nu sunt egale deci este fals deoarece 777 nu este egal cu 0.Urmatoarea instructie va fi executata in baza rezultatului acestei instructii si anume jne va face un jump in urmatoarea adresa de memorie 80480d8 daca valorile in urma comparatiei nu sunt egale .Cum am mai spus 777 nu este ega cu valoarea din eax asadar se va face un jump .Dupa cum observati la adresa 80480d8 incepe sectia <explode>.In acest caz imediat dupa instructia jne va fi executata aceasta sectie.Tin sa precizez faptul ca in momentul in care comparatia ar fi fost adevarata si anume valoarea din eax ar fi fost 777 atunci 777 este egal cu 777 si instructia jne nu va mai face un jump in sectia explode ci va fi executata urmatoarea instructie imediat dupa.jne face un jump atata timp cat valorile care au fost comparate in instructia precedenta nu sunt egale in mod divers vine executata urmatoarea instructie dupa jne.Evident datele nu au fost alterate dupa input asadar se va face un jump in explode iar sectia disarm nu va fi executata.Ia sa vedem ce se intampla in explode.Am incarcat executabilul in gdb dupa care am pus un breakpoint in sectia explode (gdb) break explode Breakpoint 1 at 0x80480d8 (gdb) run Starting program: /home/pyth0n3/Desktop/bomb [COLOR="#00FF00"]Bomb Armed ______ Disarm the bomb by cutting the correct wires > test [/COLOR] Breakpoint 1, 0x080480d8 in explode () (gdb) s Single stepping until exit from function explode, which has no line number information. 0x08048074 in print () (gdb) s Single stepping until exit from function print, which has no line number information. [COLOR="#00FF00"]***BOOM! You Failed![/COLOR] 0x080480e8 in out () (gdb) s Single stepping until exit from function out, which has no line number information. [COLOR="#00FF00"]Program exited normally.[/COLOR] Asadar programul va fi rulat, userului ii vine cerut un input , am pus "test" dupa care ajungem direct in sectia explode unde am facut un breakpoint.Dupa cum observati instructiile din sectia explode stampeaza niste informatii dupa care programul vine terminat.Deci pana aici am observat ca nu vine facut nici un control asupra datelor pe care le-am introdus.(am scris programul in acest fel pentru a explica faptul ca oricare ar fi input-ul user-ului nu exista nici o probabilitate sa coincida cu serialul sau cu cheia pentru a dezarma bomba.) Acum daca nu s-ar fi facut un jump in sectia explode s-ar fi executat intructiile exact dupa sectia wires si anume disarm. 080480bb <wires>: 80480bb: 31 c0 xor %eax,%eax 80480bd: 3d 09 03 00 00 cmp $0x309,%eax 80480c2: 75 14 jne 80480d8 <explode> 80480c4: cd 80 int $0x80 Ei bine ca sa fie executate aceste intructii valoarea care vine confruntata cu eax trebuie sa fie egala cu valoarea din eax.Acest lucru poate fi doar cazual in momentul in care eax dintro oarecare greseala ar fi avut valoarea 777 dar este si imposibil deoarece urmatoarea instructie va pune 0 in eax xor %eax,%eax.Daca nu ar fi existat xor o probabilitate ar fi ca eax sa aiba alta valoare dar nu este confirmat ca aceasta valoare ar fi fost egala cu 777.Asadar nu cunoastem serialul dar stim ca daca valorile confruntate nu sunt egale vine facut un jump in sectia explode si vin executate instructiile de acolo.Hai sa vedem ce face sectia disarm care nu vine executata niciodata. (gdb) disas disarm Dump of assembler code for function disarm: 0x080480c6 <disarm+0>: lea 0x8049189,%ecx 0x080480cc <disarm+6>: mov $0x16,%edx 0x080480d1 <disarm+11>: call 0x8048074 <print> 0x080480d6 <disarm+16>: jmp 0x80480e8 <out> End of assembler dump. (gdb) x/20cb 0x8049189 0x8049189 <dis>: 66 '[COLOR="#00FF00"]B[/COLOR]' 111 '[COLOR="#00FF00"]o[/COLOR]' 109 '[COLOR="#00FF00"]m[/COLOR]' 98 '[COLOR="#00FF00"]b[/COLOR]' 32 ' ' 68 '[COLOR="#00FF00"]D[/COLOR]' 105 '[COLOR="#00FF00"]i[/COLOR]'115 '[COLOR="#00FF00"]s[/COLOR]' 0x8049191 <dis+8>: 97 '[COLOR="#00FF00"]a[/COLOR]' 114 '[COLOR="#00FF00"]r[/COLOR]' 109 '[COLOR="#00FF00"]m[/COLOR]' 101 '[COLOR="#00FF00"]e[/COLOR]' 100 '[COLOR="#00FF00"]d[/COLOR]' 32 ' ' 95 '_' 95 '_' 0x8049199 <dis+16>: 47 '/' 32 ' ' 95 '_' 95 '_' Dupa cum observati vin incarcate in eax datele de la adresa 0x8049189 si anume "Bomb Disarmed __/ __" dupa care vine chemata functia print care le stampeaza si se face un jump in out care e urmatoarea sectie 080480e8 <out>: 80480e8: b8 01 00 00 00 mov $0x1,%eax 80480ed: bb 00 00 00 00 mov $0x0,%ebx 80480f2: cd 80 int $0x80 Aici programul iese.Acum am observat care sunt datele in sectia disarm , am observat faptul ca nu vine executata aceasta sectie.Pentru a rezolva problema nu ne ramane decat sa facem in asa fel incat sectia disarm sa fie executata.CUM?Pentru ca aceasta sectie sa fie executata valorile care vin comparate trebuie sa fie egale sau sa nu fie executata instructia jne.Deci va trebui lucrat asupra sectiei wires deoarece aici vine facut controlul asupra fluxului: 080480bb <wires>: 80480bb: 31 c0 xor %eax,%eax 80480bd: 3d 09 03 00 00 cmp $0x309,%eax 80480c2: 75 14 jne 80480d8 <explode> 80480c4: cd 80 int $0x80 1. Putem modifica valoarea care vine comparata cu eax in asa fel incat sa fie 0 asadar 0==0 si instructia jne nu va face un jump ci se vor executa urmatoarele instructii si anume sectia disarm.Va trebui doar sa modificam valoarea 777 cu 0 , acest lucru se poate face cu un hex editor. 0x080480bb in wires () (gdb) (gdb) disas wires Dump of assembler code for function wires: 0x080480bb <wires+0>: xor %eax,%eax 0x080480bd <wires+2>: cmp $[COLOR="#00FF00"]0x309[/COLOR],%eax 0x080480c2 <wires+7>: jne 0x80480d8 <explode> 0x080480c4 <wires+9>: int $0x80 End of assembler dump. (gdb) x/4bx wires+2 0x80480bd <wires+2>: 0x3d [COLOR="#00FF00"]0x09 0x03[/COLOR] 0x00 (gdb) Asadar daca modificam urmatoarele valori 09 03 cu 00 00 programul isi va schimba fluxul deoarece comparatia va da True deoarece 0 este egal cu 0 00000090 E8 DF FF FF FF 8D 0D B1 91 04 08 BA 2F 00 00 00 ............/... 000000A0 E8 CF FF FF FF B8 03 00 00 00 BB 00 00 00 00 B9 ................ 000000B0 F4 90 04 08 BA 95 00 00 00 CD 80 31 C0 3D [COLOR="#00FF00"]09 03[/COLOR] ...........1.=.. 000000C0 00 00 75 14 CD 80 8D 0D 89 91 04 08 BA 16 00 00 ..u............. 000000D0 00 E8 9E FF FF FF EB 10 8D 0D 74 91 04 08 BA 15 ..........t.... 2. Putem modifica instructia jne cu nop (care este echivalent la no operation performed) asadar nu va face jump deoarece nop nu face nimic si va fi executata urmatoarea instructie care apartine sectiei disarm.Va trebui doar sa gasim valoarea care corespunde instructiei jne in hex si sa o modificam.Acest lucru poate fi facut folosind gdb. Dump of assembler code for function wires: 0x080480bb <wires+0>: xor %eax,%eax 0x080480bd <wires+2>: cmp $0x309,%eax 0x080480c2 <wires+7>: [COLOR="#00FF00"]jne [/COLOR] 0x80480d8 <explode> 0x080480c4 <wires+9>: int $0x80 End of assembler dump. (gdb) x/4bx wires+7 0x80480c2 <wires+7>:[COLOR="#00FF00"] 0x75 0x14[/COLOR] 0xcd 0x80 (gdb) Dupa cum observati una din valori sau poate chiar 2 pot apartine instructiei jne .exlud ultima 0x80 si penultima deoarece instructia e la inceput asadar verific 75 si 14 000000B0 F4 90 04 08 BA 95 00 00 00 CD 80 31 C0 3D 09 03 ...........1.=.. 000000C0 00 00 [COLOR="#00FF00"]75 14[/COLOR] CD 80 8D 0D 89 91 04 08 BA 16 00 00 ..u............. 000000D0 00 E8 9E FF FF FF EB 10 8D 0D 74 91 04 08 BA 15 ..........t..... 000000E0 00 00 00 E8 8C FF FF FF B8 01 00 00 00 BB 00 00 ................ 000000F0 00 00 CD 80 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Aici se afla instructia jne pe care o vom inlocui cu nop , nop in hex e 90 si va trebui sa inlocuim 2 B asadar vom pune 90 90 in locul 75 14. Problem solved.! [pyth0n3@mc]$ ./bomb Bomb Armed ______ Disarm the bomb by cutting the correct wires > test Bomb Disarmed __/ __ Puteti testa fiecare ceea ce am descris mai sus.Cum am ajuns la problema? Simplu , verificand structurele de control conditionat sau inconditionat.Pentru mai multe informatii in legatura cu instructiile care pot schimba fluxul X86 Assembly/Control Flow In momentul in care exista un program care cere un serial sau un cod , va exista intotdeauna o instructie care ii poate schimba fluxul, trebuie doar gasita si modificata.Challenge-ul a fost rezolvat de catre Flubber si em, DarkyAngel a individuat problema dar era confuz asupra valorilor, nu am mai primit raspuns. Codul l-am scris doar pentru a demonstra cum functioneaza structurele de control in asembly sintaxa e AT&T Gas ISA Intel 32 biti .data buf: .space 0x80 bufs: .ascii "***BOOM! You Failed!\n" bufl= .-buf dis: .ascii "Bomb Disarmed __/ __\n" arm: .ascii "Bomb Armed ______ \n" do: .ascii "Disarm the bomb by cutting the correct wires\n> " .text #.global main .globl _start .type print, @function print: movl $4, %eax movl $1, %ebx int $0x80 ret #main: _start: nop nop nop nop armed: leal arm,%ecx movl $0x13, %edx call print leal do,%ecx movl $0x2F,%edx call print movl $0x3,%eax movl $0x0,%ebx movl $buf,%ecx movl $bufl,%edx int $0x80 wires: xorl %eax, %eax cmp $0x309,%eax jne explode int $0x80 disarm: leal dis,%ecx movl $0x16, %edx call print jmp out explode: leal bufs,%ecx movl $0x15, %edx call print out: movl $0x1,%eax movl $0x0,%ebx int $0x80 Am tradus codul si pentru arhitectura Intel 64 bit , sintaxa e tot AT&T Gas .data buf: .space 0x80 bufs: .ascii "***BOOM! You Failed!\n" bufl= .-buf dis: .ascii "Bomb Disarmed __/ __\n" arm: .ascii "Bomb Armed ______ \n" do: .ascii "Disarm the bomb by cutting the correct wires\n> " .text #.global main .globl _start .type print, @function print: movq $0x1, %rax movq $0x1, %rdi syscall retq _start: nop armed: movq $arm,%rsi movq $0x13, %rdx call print movq $do,%rsi movq $0x2E,%rdx call print movq $0x0,%rax movq $0x0,%rdi movq $buf,%rsi movq $bufl,%rdx syscall wires: xor %rax, %rax cmp $0x309,%rax jne explode syscall disarm: movq $dis,%rsi movq $0x15, %rdx call print jmp out explode: movq $bufs,%rsi movq $0x15, %rdx call print out: movq $0x3C,%rax movq $0x0,%rdi syscall
×
×
  • Create New...