# Reversing Here are some tools for general evaluation of targets: * [Detect it Easy](https://github.com/horsicq/Detect-It-Easy) * [TrID](https://mark0.net/soft-trid-e.html) * [Polyfile](https://github.com/trailofbits/polyfile) * `file --keep-going` * [binwalk](https://github.com/ReFirmLabs/binwalk) * [Decodify](https://github.com/s0md3v/Decodify) auto-decodes strings using various methods ## Anti-debugging Several techniques exist to prevent dynamic analysis. This section needs more info on that. ### `/proc/self/status` Does `strace` appear to show a different execution than the normal one? If the program reads `/proc/self/status`, that's probably why. TracerPid in there is non-zero if any debugger is connected: ``` $ grep TracerPid /proc/self/status TracerPid: 0 $ strace grep TracerPid /proc/self/status TracerPid: 6553 ``` ## Code mangling [Tell me more](https://www.alchemistowl.org/pocorgtfo/pocorgtfo19.pdf) (see article 19:04) Instruction encodings may have some undefined/reserved bits. If these are garbled, the program may still be *valid*, but your disassembler might choke. ## Custom tooling It can pay off, during bigger challenges, to write robust tools. [pwnlib](https://docs.pwntools.com/en/stable/) has excellent i/o facilities, on top of all the exploit development goodies.\ [pwndbg](https://github.com/pwndbg/pwndbg) makes GDB a lot friendlier. ### Custom GDB scripts It's surprisingly easy to implement your own GDB commands using the [python API](https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html): ```python import os class MyCMD (gdb.Command): """Implements the run_my_stuff command, which will be available at the gdb prompt""" def __init__(self): super(MyCMD, self).__init__("run_my_stuff", gdb.COMMAND_USER) def invoke(self, arg, from_tty): gdb.execute("info breakpoints") rax = gdb.parse_and_eval("$rax") MyCMD() ``` If you know what a binary is up to, you can set breakpoints at well-chosen locations and use a GDB script to pretty-print program state. ### Custom Ghidra scripts [Snippets](https://github.com/HackOvert/GhidraSnippets) of ghidra-python\ [API](https://ghidra.re/ghidra_docs/api/index.html) reference ## Fat binaries Windows PE can have a windows portion and a DOS portion in the same .exe. Usually the DOS part just prints a helpful message, but nothing prevents a narnia door to another world... [Rusty from justCTF2020](https://ctftime.org/task/14642) is an example of this in the wild. Macintosh apps can be both Intel and PPC (and presumably ARM now). ## Hidden code [Tell me more](http://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-v.html) There are a few mechanisms to run code before `main()` gets invoked. Look for `_init_array` (called by `__libc_start_main`) and the even sneakier `_preinit_array` (invoked by the loader). Try `LD_DEBUG=all` to see what `ld` is up to. ## Polyglots JAR is zip and zip can be combined with all kinds of stuff. [Polyfile](https://github.com/trailofbits/polyfile) can help map out files like this. Beware zip bombs, PDF bombs and the like, they can make output *explode*. [Mitra](https://github.com/corkami/mitra) can generate 2-polyglots between a large number of formats ## Python interpreter with modifications [Tell me more](https://medium.com/tenable-techblog/remapping-python-opcodes-67d79586bfd5)\ [Writeup](https://lkmidas.github.io/posts/justctf2020_writeups/#remap) Apparently it's pretty common to mess with the byte-to-opcode mapping of Python and then embed your custom interpreter. ## Self-modifying code #### EXE packing [Detect it Easy](https://github.com/horsicq/Detect-It-Easy) shows all kinds of info about binaries.\ [xvolkolak](http://ntinfo.biz/index.html#xvolkolak) emulates the processor to safely let the binary unpack itself.\ `file` can identify UPX packing, and the [tool](https://github.com/upx/upx) can also unpack.\ [Helpful list](https://www.bttr-software.de/freesoft/arc2.htm#exepck) of DOS/Windows packers.\ [PEiD](https://www.aldeid.com/wiki/PEiD) can identify several DOS/Windows packers. ## Windows Tools [bytepointer](http://bytepointer.com/tools/index.htm) has a bunch of small utilities --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://luftenshjaltar.gitbook.io/ctf/general/reversing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.