Reversing

Here are some tools for general evaluation of targets:

Anti-debugging

Several techniques exist to prevent dynamic analysis. This section needs more info on that.

/proc/self/status

Does strace appear to show a different execution than the normal one? If the program reads /proc/self/status, that's probably why. The TracerPid field in there is non-zero whenever a tracer (a debugger or strace) is attached:

$ grep TracerPid /proc/self/status
TracerPid:      0

$ strace grep TracerPid /proc/self/status
TracerPid:      6553

Code mangling

Tell me more (see article 19:04)

Instruction encodings may have some undefined/reserved bits. If these are garbled, the CPU may still execute the program, but your disassembler might choke.

Custom tooling

It can pay off, during bigger challenges, to write robust tools.

pwnlib has excellent I/O facilities, on top of all the exploit development goodies. pwndbg makes GDB a lot friendlier.

Custom GDB scripts

It's surprisingly easy to implement your own GDB commands using the Python API:

import gdb  # only available inside GDB's embedded Python; load with `source script.py`

class MyCMD (gdb.Command):
  """Implements the run_my_stuff command, which will be available at the gdb prompt"""

  def __init__(self):
    super(MyCMD, self).__init__("run_my_stuff", gdb.COMMAND_USER)

  def invoke(self, arg, from_tty):
    # Run any GDB command exactly as if it had been typed at the prompt
    gdb.execute("info breakpoints")
    # Evaluate an expression in the inferior; the result is a gdb.Value
    rax = gdb.parse_and_eval("$rax")
    print("rax = %#x" % int(rax))

# Instantiating the class registers the command with GDB
MyCMD()

If you know what a binary is up to, you can set breakpoints at well-chosen locations and use a GDB script to pretty-print program state.

Custom Ghidra scripts

Snippets of ghidra-python API reference

Fat binaries

Windows PE can have a Windows portion and a DOS portion in the same .exe. Usually the DOS part just prints a helpful message, but nothing prevents a narnia door to another world... Rusty from justCTF2020 is an example of this in the wild.

Macintosh apps can be both Intel and PPC (and presumably ARM now).

Hidden code

Tell me more

There are a few mechanisms to run code before main() gets invoked. Look for .init_array (called by __libc_start_main) and the even sneakier .preinit_array (invoked by the loader). Try LD_DEBUG=all to see what ld is up to.
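As an added example (not from this page or any challenge binary), a C program that shows both pre-main mechanisms above together with the TracerPid check from the anti-debugging section: a .preinit_array entry runs before any constructor and records TracerPid, then an .init_array constructor fires, then main. The function names, the hook tags and the sample program are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from any challenge binary: records which
 * pre-main hooks fire and in what order, and what TracerPid they observe. */
static char order[8];
static size_t order_len;
static long tracer_pid_at_startup = -1;   /* -1 until the preinit hook runs */

static void note(char tag) {
    if (order_len + 1 < sizeof order) { order[order_len++] = tag; order[order_len] = 0; }
}

/* Parse the TracerPid line of /proc/self/status: 0 when nothing is attached,
 * the tracer's pid under ptrace (strace, gdb), -1 if the file is unreadable. */
long read_tracer_pid(void) {
    char line[256];
    long pid = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "TracerPid:", 10) == 0) { pid = strtol(line + 10, NULL, 10); break; }
    fclose(f);
    return pid;
}

/* .preinit_array entries run before any constructor (from the loader in a
 * dynamically linked binary), with glibc's (argc, argv, envp) signature. A
 * pointer placed in that section is all it takes; no symbol name advertises it. */
static void preinit_hook(int argc, char **argv, char **envp) {
    (void)argc; (void)argv; (void)envp;
    tracer_pid_at_startup = read_tracer_pid();
    note('P');
}
__attribute__((section(".preinit_array"), used))
static void (*preinit_entry)(int, char **, char **) = preinit_hook;

/* __attribute__((constructor)) lands in .init_array, run by __libc_start_main. */
__attribute__((constructor)) static void init_hook(void) { note('I'); }

const char *startup_order(void) { return order; }
long startup_tracer_pid(void) { return tracer_pid_at_startup; }

int main(void) {
    note('M');   /* main comes last: order is "PIM" */
    printf("hook order %s, TracerPid at startup %ld\n", startup_order(), startup_tracer_pid());
    return 0;
}
```

Run it once normally and once under strace to see the TracerPid value change while the hook order stays the same; readelf -S shows the two sections a reverser should look for.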

Polyglots

A JAR is a zip file, and zip can be combined with all kinds of other formats.

Polyfile can help map out files like this. Beware zip bombs, PDF bombs and the like: they can make its output explode.

Mitra can generate 2-polyglots between a large number of formats.

Python interpreter with modifications

Tell me more Writeup

Apparently it's pretty common to mess with the byte-to-opcode mapping of Python and then embed your custom interpreter.

Self-modifying code

EXE packing

Detect It Easy shows all kinds of info about binaries. XVolkolak emulates the processor to safely let the binary unpack itself. file can identify UPX packing, and the upx tool itself can also unpack it. Helpful list of DOS/Windows packers. PEiD can identify several DOS/Windows packers.

Windows Tools

bytepointer has a bunch of small utilities.
