So let's follow this scenario:
Kid sees thing about using IDBs to hack PS3s.
Kid downloads IDA.
Kid opens the IDB.
Kid doesn't know what the hell to do.
Kid lets IDA rot on his PC or removes it immediately.
I doubt anyone who isn't into the field already is going to be shelling out $550 for a new copy of IDA with no previous experience reversing.
Oh, and hey.... There's a free version of IDA 5 available.
Have you tried recovering the main backup image and/or corrupted partition using TestDisk? I have recovered numerous corrupted storage devices with this and a live Linux USB.
Nice RE on this. I wanted to check the stats vs the trials (because the results seemed surprising to me) and came up with some interesting differences.
The left column conforms almost perfectly to its expected value; the middle and right columns differ greatly. The middle column has an EV significantly lower than the results from your script show, and the right column is not quite as low as the results.
I wonder what else is going on here, maybe the 1 fewer zero modifies the random loss significantly? The results still seem too disparate to me though.
Here's a link to the Excel sheet I used to do the stats
I recommend using this app to intercept packets from apps, but...
...if your phone has Android 6.0+ and the app uses HTTPS, the certificate will fail due to some changes in Android's security, so, if you want to intercept HTTPS, you need to edit some XML files in the app so the app will accept the certificate: https://serializethoughts.com/2016/09/10/905/ (And sometimes the app blocks VPNs, so it is kind of hit or miss. It is VERY good if it works with the app you want to use it on, but if it doesn't, you need to go through the painful way of decompiling the app.)
Exactly! That is Montgomery Reduction. Here's proof: http://codepad.org/E9oexooE
It's pretty standard optimization, and it is part of OpenSSL: https://github.com/openssl/openssl/blob/master/crypto/bn/bn_mont.c
Here's a good explanation how it works: ftp://ftp.rsasecurity.com/pub/pdfs/tr201.pdf
See page 46, 3.8 Montgomery's Method, and page 57, 4.2 Improving Montgomery's Method.
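Added example, not taken from the codepad link or from OpenSSL's bn_mont.c: a pure-Python Montgomery reduction (REDC) with a modular multiplication and a square-and-multiply exponentiation built on it, checked against plain modular arithmetic. The modulus n must be odd; R is chosen as the power of two just above n, and n' satisfies n*n' = -1 (mod R), so the reduction needs only shifts, masks and one multiply-add per step.

```python
def montgomery_setup(n: int):
    """Pick R = 2^k > n (n must be odd) and n' with n*n' == -1 (mod R)."""
    if n % 2 == 0:
        raise ValueError("Montgomery reduction needs an odd modulus")
    k = n.bit_length()
    r = 1 << k
    n_prime = (-pow(n, -1, r)) % r      # modular inverse via pow(x, -1, m), Python 3.8+
    return k, r, n_prime


def mont_reduce(t: int, n: int, k: int, n_prime: int) -> int:
    """REDC: return t * R^-1 mod n for 0 <= t < n*R, without any division by n."""
    mask = (1 << k) - 1
    m = ((t & mask) * n_prime) & mask   # m = t * n' mod R
    u = (t + m * n) >> k                # (t + m*n) is a multiple of R, so the shift is exact
    return u - n if u >= n else u       # single conditional subtraction keeps 0 <= u < n


def mont_mul(a: int, b: int, n: int) -> int:
    """a*b mod n: convert both operands into Montgomery form, REDC the product, convert back."""
    k, r, n_prime = montgomery_setup(n)
    a_m = (a * r) % n                   # a in Montgomery form (a*R mod n)
    b_m = (b * r) % n
    prod_m = mont_reduce(a_m * b_m, n, k, n_prime)   # = a*b*R mod n, still in Montgomery form
    return mont_reduce(prod_m, n, k, n_prime)        # strip the factor R


def mont_pow(base: int, exp: int, n: int) -> int:
    """base^exp mod n by left-to-right square-and-multiply, staying in Montgomery form throughout."""
    k, r, n_prime = montgomery_setup(n)
    x = (base * r) % n
    acc = r % n                         # the value 1 in Montgomery form
    for bit in bin(exp)[2:]:
        acc = mont_reduce(acc * acc, n, k, n_prime)
        if bit == "1":
            acc = mont_reduce(acc * x, n, k, n_prime)
    return mont_reduce(acc, n, k, n_prime)


if __name__ == "__main__":
    print(mont_mul(5, 7, 97), mont_pow(3, 200, 1000003) == pow(3, 200, 1000003))
```

The conversion into and out of Montgomery form costs two real reductions, which is why the trick only pays off when many multiplications share one modulus, as in modular exponentiation.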
GPG Reaper
TL;DR: Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory
This POC demonstrates a method for obtaining GPG private keys from gpg-agent memory under Windows.
Normally this should only be possible within the 10-minute window set by --default-cache-ttl.
Unfortunately the housekeeping() function (which is responsible for cache cleanup) is executed only when you use GPG; there is no timer.
This means that in a normal GPG use case, such as signing a file, closing the GUI and going on to other tasks, your passphrase is still in gpg-agent memory even after the TTL has expired.
An attacker who has access to your current session can use this to steal the private key without knowing your passphrase.
Introduction
gpg-agent is a daemon that manages private keys independently of any protocol.
The GUI communicates with the agent using the Assuan protocol.
By default the agent caches your credentials.
The --default-cache-ttl n option sets the time a cache entry is valid to n seconds.
The default is 600 seconds. Each time a cache entry is accessed, its timer is reset.
Under Windows the signing process looks like this:
The crucial part here is the housekeeping() function, which is responsible for removing expired credentials from memory.
But there is one problem: this function is executed in only two places (inside agent_put_cache and agent_get_cache).
This means that cached credentials are NOT removed from memory until some gpg-agent command that uses agent_put_cache, agent_get_cache or agent_flush_cache is executed.
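To make the failure mode above concrete, here is an added example (a toy model in Python, not gpg-agent's own C code) of a passphrase cache whose expiry is enforced only from put()/get(), the way the README describes housekeeping() being called. The key name and passphrase are constructed sample data. The first class reproduces the problem: after one signing operation and an hour of idling, a memory dump still contains the passphrase even though a later get() correctly reports it as expired. The second class models the obvious fix, a sweep that runs independently of cache API calls (modelled here by running housekeeping before memory is read).

```python
import time


class PassphraseCache:
    """Toy model of gpg-agent's passphrase cache. Entries expire after `ttl`
    seconds without access, but expiry is enforced only by housekeeping(),
    which runs from put()/get() and never from a timer."""

    def __init__(self, ttl: float, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock          # injectable so the scenario below can fake time
        self._entries = {}          # keygrip -> [passphrase, last_access]

    def housekeeping(self):
        """Drop every entry whose TTL has elapsed."""
        now = self.clock()
        for keygrip in list(self._entries):
            if now - self._entries[keygrip][1] > self.ttl:
                del self._entries[keygrip]

    def put(self, keygrip: str, passphrase: str):
        self.housekeeping()
        self._entries[keygrip] = [passphrase, self.clock()]

    def get(self, keygrip: str):
        self.housekeeping()
        entry = self._entries.get(keygrip)
        if entry is None:
            return None
        entry[1] = self.clock()     # an access resets the entry's timer
        return entry[0]

    def memory_contents(self):
        """What a dump of the agent process shows right now: nothing on this
        path calls housekeeping(), just like a debugger reading memory."""
        return {k: v[0] for k, v in self._entries.items()}


class SweptPassphraseCache(PassphraseCache):
    """Same cache with an independent sweep (a periodic timer in a real agent);
    modelled here by sweeping before the memory is read."""

    def memory_contents(self):
        self.housekeeping()
        return super().memory_contents()


def sign_then_idle(cache_cls, idle_seconds: float):
    """Sign once (caching the passphrase), idle with no further gpg commands,
    then report what memory holds and what the next get() returns."""
    now = [0.0]
    cache = cache_cls(ttl=600, clock=lambda: now[0])
    cache.put("KEYGRIP-1234", "correct horse battery staple")   # constructed sample data
    now[0] += idle_seconds
    leaked = cache.memory_contents()        # an attacker dumps the process here
    via_api = cache.get("KEYGRIP-1234")     # the next gpg command finally triggers cleanup
    return leaked, via_api


if __name__ == "__main__":
    print(sign_then_idle(PassphraseCache, 3600))         # passphrase still in memory, get() -> None
    print(sign_then_idle(SweptPassphraseCache, 3600))    # memory already clean
```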
Note that what is described in the article is not typically what is known as "DLL injection": that term generally refers to loading a DLL inside of a process that is already running -- a dynamic technique -- such as described in this article. This article employs a static technique. I'd call this article "Adding a splash screen by forcing a DLL to load by adding an IMAGE_IMPORT_DESCRIPTOR entry".
Where is OllyDbg64?
Its author Oleh Yuschuk has completely disappeared from the internet since the last update in February 2014. On his site, there are screenshots of a partial version of OllyDbg64 but it was never released to the public. Does anyone know more details about why the project was paused? Or has an alternative source for the partial version?
Motorola Mobility
Chicago IL & Waterloo Ontario
Oh hai! I'm Jeremy, a Security Engineer at Motorola Mobility. We are growing our security team and we are looking for Security Engineers at all levels of experience. We are a multi-disciplinary group that is responsible for varied aspects of security assurance of Motorola's products, spanning both hardware and software.
For more details about our openings, please check our posting on LinkedIn. You can also apply through LinkedIn.
Author here. Just a quick note that the post has been updated with a Windows C++ sample to test your architecture: cmps-probe.cpp
Here you go: https://mega.nz/#!nEAkmarQ!ukNcvi7u6nf7Q9pZVmgI6SDIYgB5XdK_R1ML1u4_UaE
The zip file includes:
- Lenovo autochk.exe from the Y40-80 BIOS v2.02
- the LenovoCheck.exe and LenovoUpdate.exe files it generates (the autochk.exe has complete copies of these stored in it, but I figured I'd chuck them in anyway)
- a copy of the executable portion of the NovoSecEngine2 BIOS module that does the deed, from that same BIOS. This has a complete copy of the Lenovo autochk.exe stored in it.
I also have copies of the v2.00 bios from the Y40-80 and a copy of a bios from one of the other affected models somewhere; I'll take a look at them later and report back if either of those have a different version of the autochk.exe included in them.
Enjoy.
btw there's some rather amusing strings in the BIOS module like: "win7 Create dir zz_Sec Failed, skip bakup autochk,but continue!"
Edit: Looks like the host didn't like the traffic. Here's a mirror: https://stackedit.io/viewer#!provider=gist&gistId=b9a1852a0a17e334f041&filename=wfre
This is not my work, the link was originally published on the UnknownCheats forum, but I thought here would be a good place to share :)
There are a bazillion ways to get code to load when Windows boots... if you're into that kind of thing, grab a copy of Process Monitor, configure it to run at system boot, then reboot your machine and log in. After your HD light stops blinking, fire up ProcMon and check out the logs. They're huge, but you can filter on errors. Look for registry keys and DLL files that aren't found. Tons of them can be used for malware persistence.
A while ago (2008), one of the best reverse engineers I know gave a friend and me a pretty in-depth lesson about process hooking and DLL injection, and also covered how to get around many common issues faced when doing so. You can find the transcript of the conversation here: http://www.assembla.com/wiki/show/openbook/Hooking_Lesson_1
Note: It is an IRC conversation, so it starts off at a bit of a random point.. keep reading however, there is a lot to be gleaned from it that I think would be helpful to you.
I am a huge fan of dnSpy. Since discovering it, it's my main tool for managed code.
Not only can it decompile .NET code; debugging with it is as close to source-level debugging as you can get. You can also modify IL code and re-create modules.
If you want to decompile an app that's installed on your device, using this app is even easier. It decompiles it right on the device, so you don't need to copy the APK to a computer first.
Exactly my question too, https://news.ycombinator.com/item?id=9691800
Context: https://news.ycombinator.com/item?id=9691001
There should be a fork in its logic at 1,000,000 for a six-character name (eg. FI7244) if it's properly coded (one million file names generated), because it removes characters from the left side.
Here is an information thread about the infection. If you want to recover the files, you either need to recover from a backup or pay the ransom.
Good job. Your answers are correct so far. The next task should be to deduce the function prototype (the first parameter should be easy since it is used immediately at the start). HINT: this function performs a common conversion task. You should also convert the constants (0x2b, 0x2d, etc.) to something meaningful.
For those who do not have the book, you can see a picture of the function here: https://drive.google.com/file/d/0B4-Ztj-1nijHd2J3YVBOdzNuNU9wQTdfRDVFWm9ueEJtNFFr/edit?usp=sharing
A quick and dirty C++ translation from the win2k source for comparison: http://codepad.org/ErOxTBL4
(I'm not sure if it's allowed to post leaks here, so I played it safe)
Seems to use a different algorithm unless I fucked up something.
I'm using an OpenBSD machine to reverse native code. My box is installed with HT and radare2. I find radare2 more tractable, as it is capable of disassembling misaligned instructions (and one day I will be writing my analyses in vala/swig).
I mostly look at the output of my own compiled programs and assembly listing from others in academic papers. Such is the life of a PhD student.
I used hopper a lot, it is pretty good (although it would be stupid to compare against IDA), its author is very nice and helpful too. Plugin architecture is also useful (not so mature)
At the end of the day it does the job, I basically reversed whole UIKit with it without problems, patched twitter app for retina before official update, modified Diablo binaries etc.
It works on both ARM and x86, ARM is getting better on every release.
This article is a good read. Have a look at method #2 which explains how you can load up a DLL into an existing process as a new thread.
Theoretically, those functions should be callable through python, but I've never tried.
Also you should note that with this method:
The code you want to execute will run on its own thread (not the application's main thread)
The code must be part of the generated DLL's DllMain process/thread attach sequence in order to execute... if it isn't, then it won't run.
As someone who has been down this route, and who has implemented hierarchical graph layout, I applaud your efforts.
Giving the code a cursory look, are you attempting to reduce edge crossings? I can't find that in DisassemblerView.py .
[edit] Ah I see now, a, "Full Release," will be coming soon https://binary.ninja/download.html .
These 2 free programs offer what I believe you are looking for:
These are Windows specific applications.
I can't speak to OllyDbg64. But I have used x64dbg on a couple of occasions recently. It can get the job done so far as I can tell, though I haven't explored its feature set more fully. Mostly quick reversing of 64-bit malware where I was already familiar w/ the 32-bit variant.
Did anyone else cringe just a little bit reading some of the metaphors in the article? Otherwise, it was definitely an interesting read. There's actually a TED talk by Ralph Langner, the German with no internet at home talked about in the article.
After reading http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#shares there is a section about files ending with .VVV It is written that "Can only be decrypted if victim was able to capture the key during encryption process in memory (full process dump/hibernation)."
Which implies that the key was present inside the process (which also means that either it is not using a symmetric key or the private key was present on the user's computer)...
https://github.com/agustingianni/pin-tools this is a fork of sp's work. I've fixed some stuff (or at least I think I did).
I hope you enjoy it.
PS: I'm still missing the ROP detection, which is something I'll code on the weekend.
Have fun
EDIT: The rop stuff is in already. It is very hacky and not really tested. So any opinions are welcome.
There is something similar for classical exploits using dynamic taint analysis. It's a master's project extending Argos to collect runtime information when an attack is detected. Link
> Practical Reverse Engineering
It's on my list to order. I'm also looking at http://www.abebooks.com/servlet/SearchResults?kn=3rd&tn=a+programmer%27s+perspective but the latest edition is super expensive.
XBMC's VGMStream source code states NPSF is Namco Production Sound File. I used the source code found here to piece together a header structure for the filetype in 010 Editor:
    typedef struct {
        char   NPSF[4];
        int32  BlockSize;
        int32  LoopEnd;
        int32  Channels;
        int32  StartOffset;
        int32  LoopStart;
        int32  SampleRate;
        int32  Unknown1;
        int32  Unknown2;
        int32  Unknown3;
        int32  Unknown4;
        int32  Unknown5;
        int32  Unknown6;
        string Name;
    } NPSFHeader;
According to this header, the dummy file is a Stereo 44100Hz file. Apparently XBMC can read these NPSF files if their source code is to be believed, so you might want to check that out.
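Added example, not part of the comment above or of XBMC/VGMStream: a Python parser for the header layout in that 010 template, plus a builder that constructs a sample header so the parser can be exercised offline. Two assumptions not stated in the template are made and labelled: the int32 fields are little-endian, and Name is a NUL-terminated ASCII string. The parser also sanity-checks the fields a reader would go on to trust (channel count, sample rate, StartOffset) before returning them, since those come straight from an untrusted file.

```python
import struct
from dataclasses import dataclass

NPSF_MAGIC = b"NPSF"
NPSF_INT_FIELDS = (
    "block_size", "loop_end", "channels", "start_offset", "loop_start",
    "sample_rate", "unknown1", "unknown2", "unknown3", "unknown4",
    "unknown5", "unknown6",
)
NPSF_FIXED_SIZE = 4 + 4 * len(NPSF_INT_FIELDS)   # 52 bytes precede the name


@dataclass
class NpsfHeader:
    block_size: int
    loop_end: int
    channels: int
    start_offset: int
    loop_start: int
    sample_rate: int
    unknowns: tuple
    name: str


def parse_npsf(data: bytes) -> NpsfHeader:
    """Parse the header from the 010 template. Assumes (not given by the
    template) little-endian int32 fields and a NUL-terminated ASCII name."""
    if len(data) < NPSF_FIXED_SIZE + 1 or data[:4] != NPSF_MAGIC:
        raise ValueError("not an NPSF header")
    ints = struct.unpack_from("<12i", data, 4)
    nul = data.find(b"\x00", NPSF_FIXED_SIZE)
    if nul < 0:
        raise ValueError("unterminated name string")
    name = data[NPSF_FIXED_SIZE:nul].decode("ascii")
    hdr = NpsfHeader(*ints[:6], unknowns=ints[6:], name=name)
    # Bounds checks before anyone uses these values as sizes or offsets
    if hdr.channels not in (1, 2) or hdr.sample_rate <= 0:
        raise ValueError("implausible channel count or sample rate")
    if hdr.start_offset < nul + 1 or hdr.start_offset > len(data):
        raise ValueError("start_offset points outside the buffer")
    return hdr


def build_npsf(name: str, channels: int = 2, sample_rate: int = 44100,
               sample_bytes: bytes = b"") -> bytes:
    """Construct a header (sample input for testing, not a real game file)."""
    name_bytes = name.encode("ascii") + b"\x00"
    start = NPSF_FIXED_SIZE + len(name_bytes)
    ints = [len(sample_bytes), len(sample_bytes), channels, start, 0,
            sample_rate, 0, 0, 0, 0, 0, 0]
    return NPSF_MAGIC + struct.pack("<12i", *ints) + name_bytes + sample_bytes


if __name__ == "__main__":
    print(parse_npsf(build_npsf("dummy", sample_bytes=bytes(16))))
```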
"There are several existing crypto scanners, but they are all for Windows, and are closed source", are you sure?
Well, try to check here: http://aluigi.org/mytoolz.htm#signsrch
From the description:
"tool for searching signatures inside files, extremely useful as help in reversing jobs like figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file."
At the moment it can recognize approx 1400 signatures.
Well, in windows I'd dump the process with something like mdmp or Scylla which dumps the raw executable from memory and tries to fix it best it can.
I know you can inject shared libraries into Linux executables, so maybe the method is worth a shot?
also, this:
http://serverfault.com/questions/173999/dump-a-linux-processs-memory-to-file/174027#174027
dumping after it's unpacked itself (loaded into memory that is, and it's generally the case as not many packers are more complex than that) should work on most executables. Not sure if ELF makes this difficult or easier than PE.
After that, static analysis.
You've almost come to the right place, read the side bar - StackExchange:RE would be better.
However you've asked the wrong question - at the moment your ask for help is extremely open ended and liable to scare people off. Be specific, include examples, the details you know (e.g. product/protocol name, model number), what you've tried so far. Read How to ask.
Here's the page translated to english LINK
The new tools / newer versions of the tools make everything much, much easier. But reversing malware hasn't really changed much; Windows and the PE file format are still basically the same. IDA Pro + x64dbg + PEStudio + Detect It Easy + app.any.run and you're basically unstoppable.
You should check out burp proxy as well. Great tool and makes a lot of that sort of thing very easy, like matching hosts and including or excluding certain traffic. You can export the cert and have this sign certs on the fly to MITM https requests. You can have it pause the traffic and let you modify the request before it goes out. It's a really great tool.
It can be helpful with reverse engineering for sure. I've used it to MITM my android traffic and figure out what an app was sending out and getting back. The appuse VM includes it and makes it easy to RE android malware and that sort of thing. It's great for reverse engineering some privately used REST API.
You need a flash / swf decompiler.
I've used Sothink SWF Decompiler before, which works pretty well. There is a trial you can use, but I'm not sure if that offers the full functionality.
Else there are some free tools which offer similar functionalities, but I haven't used any of those, so I don't know how well they perform.
Wireshark or one of the HTTP(S) proxies may be good enough but I've seen both ad trackers and games encode or encrypt the contents prior to sending. If that's the case, you'll have to reverse engineer the Flash bytecode to determine how the request is encrypted or obfuscated.
I've used both the Sothink decompiler and the SWFDump from SWFTOOLS. There are plenty of other options but those are two good places to start if you have the need to inspect bytecode. I've seen both fail on obfuscated bytecode.
Good luck!
Good overview! I'll add: If you are an OS X developer, grab Hopper or otx and play with decompiling your own binary. This will give you a better view into what a potential cracker sees.
Ultimately, you can't prevent binary patches to your program (digital signing can help, but it's also possible to re-sign the binary and/or take out the signature checking code.). Nor can you prevent dynamic code injection (like mach_inject or SIMBL). If somebody is truly determined, they can crack your software. But you can make it a pain in the ass by following mojave_wasteland's advice :)
Telerik has a free one also: http://www.telerik.com/products/decompiler.aspx
I am licensed for Reflector (part of the Red Gate .Net Bundle) and ReSharper. I do like JetBrain's version, but Telerik's wins I think. I can take an assembly and decompile the entire thing into a project of whichever language I choose.
I have two questions:
First: Hooking function calls of .NET programs: There are not many libraries/tools that allow us to do this. I know Deviare-in-proc, which was recently released with a dual license, claims to accomplish this. But there are almost no examples of how to do this. To be fair, they have a sample program inside the repo that I will be looking at this weekend. There are a few tutorials on Nektra's website (one uses Python) but nothing more. Does anyone have examples or pointers? :)
Second:
This is similar to last one. Is there something similar to ltrace for Windows? I know of API Monitor and have used it in the past, but I am looking for something that I can use like ltrace to monitor calls and then use a functionality like ltrace.conf to look at parameters. I have seen articles pointing towards WinDbg so perhaps creating a WinDbg extension is the way to go? Again if there are not tools that do this, pointers on how to proceed are greatly appreciated (maybe I can try my hand at creating it).
EDIT: I am looking for something more texty than API Monitor. For example if we could export API Monitor's output to text and process it, that would work.
At the moment just macOS, but the core disassembler is written in pure Swift so should be portable to Linux at a minimum. Not sure about Windows but I believe there's efforts going on there to support it (https://swift.org/blog/swift-on-windows/).
I use Ollydbg, but due to it not being updated in forever, I've switched to x64dbg (http://x64dbg.com/#start). x64dbg (also has a x32dbg that comes with it) is almost exactly like Olly with just a few hotkeys changed. Any ollydbg tutorial will translate to x64dbg. Good luck. If you have any questions about the two challenges I stated, feel free to msg me.
Thanks for the shoutout! The link is dead, but the official is here and Amazon is here.
@OP hacking games is what ignited my passion for coding. It allowed me to make things which were in line with my hobby--gaming--and quickly became my hobby itself. Whether or not you're a gamer, it's important to apply coding to whatever grabs your attention. When you go that route, you can be sure you'll have the drive to get better and make coding a way of life. Luckily for gamers who aspire to hack, game hacking is a popular industry and the techniques have reverse engineering baked right in, so it is a double whammy.
Check with wireshark if any other communication is going on (beside json data). If not, make sure curl sends the exact same header as the android app (cookies, useragent, ...).
To easily capture traffic on android you can simply use the app tpacketcapture [0]. It creates a vpn connection. All communication is then routed through the vpn connection and recorded to a pcap file. Wireshark can open the file so you can analyze it.
[0] https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture&hl=en
I was wondering why no one has mentioned Jamella Diablo II Character Editor. I used to love that editor! Especially when he/she released the source code. I still have the original PDF of the source. I believe I cracked it a while back, and wrote a program to translate the PDF code to proper .cc, .h, and .rc files so it could be compiled. I can look around for those files if needed. Here is a link to the PDF of the source code:
http://www.pdf-archive.com/2016/07/08/jamella-diablo-ii-source-code/
Also as an add-on I will include my lame attempt at making my own version of Diablo II character editor which I called Jamella2 - although it is far from the complexity and superiority of the original Jamella editor (but my project should be complete with code; binary; and pictures):
http://www.filedropper.com/jamellatwo
I hope this helps. -Matt
>Ida Bell Wells-Barnett (July 16, 1862 – March 25, 1931) was an African American journalist
Most other images on Google show a darker complexion as well. Unless you're absolutely positive she was white...
Based on what I'm reading, it looks like the hash collision only needs to be done once, and after that the number on the right hand side repeatedly increments..? cit: https://news.ycombinator.com/item?id=9691015
> If the checksums collide, then the number after the tilde is incremented again, (eg. SOBC84~2.ASP). This time, it won't stop at ~4, so you can go up to ~10 and beyond. The file name will be shortened accordingly to fit the number in (eg. SOBC8~10.ASP). This was tested on Windows 7 x64.
I may be reading this wrong, though. I don't have a Windows box to test this on nor the experience.
Nope!
Student discount applies to all full-time students. We just have an automated verification system for US students which makes it a bit easier to verify them, but we've probably given out more international student discounts if I had to guess. Just follow the directions on https://binary.ninja/faq/#student-discount
What is the right way to learn Assembly with the purpose of starting in RE in 2022?
I already tried to reverse and solve some simple crackme challenges for Windows which were written in C. And I can say that yes, it's much fun for me to read the decompiled C-like code generated by the Ghidra decompiler and also to read assembly (though I don't understand most of the asm code) for hours.
For the last two to three years I was writing in high-level programming languages like JS and Python. Familiar with common algorithms and data structures. Well, familiar with programming.
What do you think about this book?: https://www.amazon.com/Modern-X86-Assembly-Language-Programming-ebook/dp/B07L6Z6K9Z Is it enough of a book to start reading something more specific like this?: https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901
Isn't the Practical Malware Analysis book outdated by 2022?
Cool! How about performance? Some people were testing various instrumentation options and they reported mediocre or flaky performance with DynamoRIO and similar tools. Also, can anyone elaborate on Dyninst's 'patch-based' approach?
Someone suggested adding a multiplayer mode but was denied. I remember in college when multitheftauto was first released in the mid-2000's and wanted to set up a deathmatch in Vice City for my suite mates and myself (I wanted to play a deadly chef using the Leo Teal character). Sadly but unsurprisingly, it was buggy as hell when first released.
That's what "sudo" is for.
In the old days (e.g. Ubuntu 10.04 and older) /proc/sys/kernel/yama/ptrace_scope used to be set to 0 and you could debug basically any process belonging to your user, whether it was a child process or not.
This seemed like the place to post this... The code is absolute shit (I was just learning java when I made this) and I've made an updated version with cleaner code ([1] https://github.com/Contra/JMOT) but haven't rewritten most of the deobfuscation transformers. I have a ton of other java reversing tools up on my github if you want to hate/rate
(Didn't know how to put this in the post)
Kaspersky Lab is hiring for a Junior Malware Analyst!
About us
We are a growing team of analysts who work out of the Bellevue, WA office. We're fairly relaxed around here. The job mostly entails working with a stream of requests that we receive from B2B and B2C clients which all involve fixing false positives or adding detections to our AV bases.
If you have any questions for me about the position, please reply to this post or send me a PM. Thanks!
Job Description
Main functions and tasks:
Requirements:
Desirable:
Position Location: Bellevue, WA
Telecommuting Available?: No
Relocation available?: Yes
US Citizen required?: No
Education / certs?: None required. Experience is worth more than education/certs.
Want to apply?: Please apply through our LinkedIn Portal
That distinction between youtube content and twitch streams makes sense, streams offer you more freedom to go off on tangents because the people tuning in are most likely already hooked onto the subject.
It'd be nice to have that content mirrored over to youtube too though.
If you're planning on using OBS, you could set it to start recording the session when you're ready to RE the game, then stop the recording every hour or so, then start a new recording when you're ready again. That'll give you cut sessions that can be uploaded onto youtube more compactly to help with upload/processing times without needing to edit a long recording yourself.
Or you could download the recorded videos from twitch which will give you 30-minute chunks, but since they changed their policies recently twitch only keeps those videos for around two weeks.
It's all up to you though, no need to make extra work for yourself. Plus, not recording the twitch streams could turn it into a VIP session :D.
Edit: As for ways of having more community input, I'd say the easiest thing is to make a twitter account and tweet when you make a new post, when you're live and when you upload a new video. Twitter is also a great way to just interact with people and ask/answer questions to build a community.
As for IRC, I'd look into using your Twitch channel for the IRC chat (though that requires them to have a Twitch account to log into the server), since that room should remain active when you're not streaming too, and it'll mirror the channel chat which you could then log through an IRC client.
Here they are in the main post: > Update 1 Thanks to you all, I've isolated two versions of what appears to be the unencrypted firmware. From here it will be slow going, it seems. There's a lot to learn.
I put up the entropy graphs as well, if you want to glance at them.
You're right, I should probably do a running write-up if only for my own purposes, beyond posting here. If I get side-tracked, I wouldn't want to have to reprocess everything.
Fortunately NSIS is open-source and 7zip have a module to unpack it. So the sources are the only reference I was able to find, no need to actually reverse engineer the installer's script engine.
There is now, but prior to the IDA 7 release the freeware IDA was a stripped-down (lol yes) version of IDA 5. Only 32-bit x86, half the analysis neutered, and it looked like this. IIRC you couldn't even reliably remove all the toolbars because it would usually crash if you tried.
Thanks for the link. Attack Surface Analyzer looks like it could be a useful tool. I have always used Installwatch for snapshots of an OS.
Fantastic work and awesome job putting that article on blast, OP. This (the CNN article) is a prime example of a writer looking for clicks with sensationalism instead of having the wherewithal to write one of the bigger, more relevant stories: Old technology is easy to hack, and unfortunately, there are some pretty important™ systems out there ripe for the picking.
We hear nearly every single day about some new hack that's taken place, and the news is always right there to try to make it sound more grandiose than the last (or than their competitor is making it sound). Not only does that create complacency, but it marginalizes the very serious issue that someone with such shoddy codemanship (as you've wonderfully demonstrated) can actually find successful execution on a system like it did.
Anyone worth their salt in Shodan or otherwise, knows just how terrifying reality is. You don't need crazy adjectives or sensational headlines to convey the severity of the security landscape as it stands and continues to flourish at a rate that, quite frankly, security can't keep up with.
But yeah, let's just go with <h2>Hackers destroyed computers at six important Saudi organizations two weeks ago, marking a reappearance of the most damaging cyberweapon the world has ever seen.</h2>
Can't you just smell that ad revenue?
I asked him here, and he says that we can tell them to avoid certain function calls...
Which lead to the obvious conclusions on my part > https://www.reddit.com/r/gamedev/comments/11lyuo/is_software_piracy_a_problem_for_you/c6pgo47
People are talking about how there should be a better method that isn't malware and is non-intrusive, because of stuff like OP found. I would say it is pretty fucking relevant.
I am not talking about the game overwatch, I am talking about the anti-cheat feature of CS Go called overwatch.......
https://blog.counter-strike.net/index.php/overwatch/
It is a method to stop cheating without the need for any intrusive software at all.
It sounds like the network is using 802.1x authentication. Are you provided a username and password to use? If so, then it's almost 100% likely 802.1x
If it's a wired network see: http://serverfault.com/questions/667234/linux-802-1x-on-a-windows-wired-network/667907#667907 If it's wireless the term you want to search for is PEAP - http://lug.wsu.edu/wireless/peap/ubuntu is a decent looking tutorial.
Edit: This isn't very reverse engineering related - I'd suggest asking in r/LinuxQuestions if you are not able to get it working with those links.
I started out by writing small C programs and disassembling them. Using this technique you can assume there are no obfuscation nasties which would cause an incorrect disassembly. From here you can inspect how high level constructs map to low level constructs.
To disassemble you can use GNU objdump or HT (http://hte.sourceforge.net/). Windows users prefer OllyDbg.
That will get you started on calling convention and addressing modes for sure. Have fun.
Hopper Disassembler is a really cool project that's on Windows, Mac and Linux. Not sure what features are available on the Linux version. I know that the Mac version has a working debugger.
Pretty awesome software so far though and it had a really reasonable price.
We've thought of a more generic approach (i.e. with de-optimizations), but eventually we settled on our "brute-force" way; it proved to be much more effective. As I said, the real problem was not the matching of individual functions per se, but combining hypotheses in a way that will look most natural, as a real human would probably have implemented them in a real-life project.
Unfortunately, the main product of the Kaitai project (i.e. a disassembler / decompiler) is kind of stalled now. I'd love to release it as open source, but the situation with copyrights is kind of messy and the rest of the team still believes that there is certain know-how in there that should be kept secret and exploited commercially.
http://kaitai.io is indeed a site of Kaitai project, though right now it's only used as a homepage for my smaller side project called "Kaitai Struct". You're most welcome to take a look, though :) It's heavily used in main Kaitai disassembler/decompiler as a tool for flexible description of data structures.
You may also want to check out API Hooking in addition to DLL Injection.
A small library that might be of value to you if you are interested in cooking up a small utility that hooks APIs would be MinHook. I would strongly urge you to read and understand the link on API Hooking however before you start with MinHook (as to ensure you fully understand what is going on).
You can try it yourself for free. Latest demo is https://binary.ninja/demo/
And cloud supports all the architectures as well as HLIL: https://binary.ninja/cloud
Cloud signups were temporarily disabled due to some signup spam but should be back up shortly.
I'd give you my opinion but I'm a biased developer so best to just try it yourself. 😉
Why choose between text or an image for disassembly? Have both! I added SVG support as a binary ninja export plugin a few weeks back. Join the mailing list (http://binary.ninja/support.html) to get the beta download and a license key.
Could probably adapt it for radare if you wanted (our example plugins are MIT licensed), but I don't know anything about the layout code there.
Though Binary Ninja itself is not open source, when the beta is done, we are aiming at a much lower price point than IDA (https://binary.ninja/purchase.html).
Depends how much detail you want on where it's coming from.
HTTP Toolkit can do HTTPS interception on its collected traffic, but you need to either run the software on a rooted device or emulator, or edit the software to trust the cert (more details in here: https://httptoolkit.tech/docs/guides/android). Stock Android won't trust custom certificate authorities without one of those. Sounds like neither will work for you though?
There's still some hope anyway - if you're just looking to know who your software is talking to, you could use this VPN technique to collect every packet and check them for TLS handshakes (basically any TCP connection that starts with a 0x16 byte). Given that, you immediately get the target IP for all encrypted traffic. You could also parse those handshakes and read out the SNI hostname, to know exactly which domain it is.
That won't give you a full URL or any other details, but it would tell you which server the update is coming from.
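The filter and SNI extraction described in the comment above, as an added example that is not part of the original post: a constructed, minimal ClientHello (assumed TLS 1.2 layout, one cipher suite, only the server_name extension) is built inline so the parser can be run offline; real captures carry many more extensions, which the loop simply skips.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension id

def build_client_hello(hostname: str) -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + bytes(32)             # random (all zeros; constructed)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite
        + b"\x01\x00"           # one compression method (null)
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def looks_like_tls(payload: bytes) -> bool:
    """The cheap filter from the comment: stream starts with a 0x16 handshake record."""
    return len(payload) >= 5 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03

def extract_sni(payload: bytes):
    """Return the SNI hostname from a ClientHello, or None if absent or malformed."""
    try:
        if not looks_like_tls(payload) or payload[5] != CLIENT_HELLO:
            return None
        pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                  # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                  # compression_methods
        ext_total = struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:                    # walk extensions until server_name is found
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # skip server_name_list length (2 bytes) and name_type (1 byte)
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # truncated or non-conforming record
    return None
```

Feeding the first TCP segment of each collected connection to `extract_sni` yields the destination hostname for TLS flows and `None` for everything else, which is all the comment promises: the server, not the URL.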
Try using a Java decompiler like jd-gui
It's not perfect but should go a long way for a first attempt.
After decompiling, export the code and open it in your favourite IDE. If the code is obfuscated, just use refactoring to rename things as you discover their purpose. For running/debugging, you probably need to fix some things the decompiler got wrong.
They call it a template. I don't know if it's unique to 010 or what, but it's neat.
http://www.sweetscape.com/010editor/templates.html
They also have a similar function called a script, not sure what the different purpose is for it. If you download the demo they have some sample scripts and templates included, like a PE template so you can change things without necessarily screwing up the binary. I've been using it to try to reconstruct the format of a binary file for a PCB editor which is kicking my rear end. My biggest complaint is that there aren't enough how-to-style examples for people getting started - there's a quick getting started guide and then a bunch of complicated examples. The FAQ helps though.
One neat application is that you can write a template that lets you click on the hex dump and the template will "execute" from there. In my data file they use a lot of length-prefaced strings and apparently-poorly defined segments which this feature helps me recognize - just click and see if it's right or wrong, then recode the template to include them more permanently.
Since some of you trust anonymous pastebins and don't realize what an archive button really does, I've posted this too, thanks to fearless0 for posting the other link
If you are looking for a very specific sequence of bytes that never change and always modify them to another thing you can write a simpler patcher.
But I suppose it's harder than that. dnSpy supports plugins (although it seems like there are only a few available), but you could create your own: search for the specific IL instructions and patch them (again, this assumes the IL instructions do not change between versions).
IDA is the best there is for static analysis - but OllyDbg is quite good, especially if you get the right plug-ins for it. You can grab it at http://www.ollydbg.de/.
As for the algorithms, Cristina Cifuentes has written a ton of papers about reversing. One of her papers concerning various techniques can be found at http://www.zyloid.com/recomposer/files/decompilation_thesis.pdf.
Debugging Windows Applications with the IDA Bochs plugin could also be of interest to "run" small snippets. Also, I think the appcall feature (call certain functions inside the IDB from scripts as if they were standalone) needs this setup, but I'm not sure.
But to be honest, I haven't used either yet.
Oh and there's also a video for Bochs/IDA: Video
Ohhh! Hmm. It COULD be that they're just containers for windows resources. Whereas the .DLL is probably the code to do all the work, they're probably just storing the graphics in the .EXEs. So, you load them into IDA, but there's nothing there but a stub, and a bunch of resources.
To further investigate, use THIS tool: http://www.angusj.com/resourcehacker/
That should allow you to look at the resources in each file, save them out, or modify them.
The short blog posts were annoying, however the micro emulating 1-wire on the toner-etched PCB was worth it. I considered submitting it to Hackaday but it was already there.
>male DE-9 connector
Well, thanks for the info. But how can I identify the correct pins, because I don't have electrical knowledge beyond the basics? Also, can I use this female DE-9 on Amazon: https://www.amazon.com/Accessories-Db9-Female-Solder-Connector-5-PACK/dp/B007R2JKNW?
Thanks
Best bet would be to write some device drivers yourself. Here's a good resource from the guy who wrote the Windows Internals book, 7th edition. I think the book uses WinDbg also.
I can't help you with specifics but if you're looking for something in depth, the answers you're looking for may be in here.
Has anyone bought Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats?
As of now it has two good reviews and one very detailed negative review. I was anticipating the release of this book but now I'm not sure if I should buy it. Are there any other books/resources that are better?
Which book is better for very beginners? https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/
or
https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315
I think most is kind of a rough statement. Granted there were some truly gifted people in the 70's that rocked our world.
I think we have a LOT of research papers that we sift through and the legacy papers tend to stay highlighted in time. I can imagine if you sifted through everything that existed back then, you may be saying something similar.
I've found a few great ones and if you are heavy into software engineering, you may share the enthusiasm towards a book that came out several years ago: Greg Wilson - Making Software: What Works and Why we Believe it
He also has a talk where he references some of those papers: Greg Wilson talk
He comes off strong, but he backs it with research which I appreciate. It's more about bringing data to the table if you have something you'd like to discuss. Somewhat heavy handed, but there are good papers that I've read referenced there.
The continual evaluation of Conway's law and its research still holding true today is something that I continually enjoy (although originating from a 1967 study, reinforcing your point of seminal papers from that era).
Yes, that field is called "copy protection", "DRM", or "anti-reverse engineering". I could link many things at this point -- publications cracking DRM, and then DRM adapting to the publications as seen in subsequent publications; anything about obfuscation or deobfuscation; the history of white-box cryptography and anti-white-box cryptography; or perhaps the book Surreptitious Software. Point being, anti-reverse engineering is a huge field within software security, but it barely registers within the ordinary fields of software security. It's easy to attribute this to laws (such as the Digital Millennium Copyright Act, which legalizes* vulnerability research), prevalence (open-source software and plenty of commercial software are not obfuscated), and the difficulty of breaking obfuscation (whose constructions have been refined over decades and eventually studied academically toward the goal of making them as strong as cryptography).
*: Good luck interpreting the laws a priori
Windows via C/C++ sounds like what you're looking for.
Windows Internals is nice if you want to reverse engineer well-protected or malicious targets (and crucial if those targets operate in kernel mode). For clean targets that only operate in user mode, it's not so helpful.
This is a good starting point from which to learn the most common ways software protections are broken. It is a bit dated but is still a good read for any beginner.