Category: Reversing

Debugging, Edb-debugger, Reversing

edb-debugger on Debian

Dependencies:
sudo apt-get install libqt5svg5-dev libgraphviz-dev pkg-config cmake
sudo apt-get install cmake build-essential libboost-dev libqt5xmlpatterns5-dev qtbase5-dev qt5-default libgraphviz-dev libqt5svg5-dev
Capstone:
git clone --depth=50 …

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility …

Radare2, Reversing

Install latest radare2 on Kali

Uninstall installed radare2 (if any):
apt-get purge radare2
Install prerequisites:
apt-get install valac libvala-0.xx-dev swig
pip install r2pipe
pip install --upgrade xdot
Download:
git clone <repository URL> radare2
Installation:
cd radare2
sys/install.sh
valabind installation. Remove the installed version first:
apt-get purge valabind
…

Disassembling, Radare2, Reversing

Disassembling functions with Radare2

Analyze the binary file and its symbols.
Method 1:
radare2 -A c:\Windows\SysWOW64\ntdll.dll
Method 2:
radare2 c:\Windows\SysWOW64\ntdll.dll
Inside the radare2 terminal, type aaa and hit enter.
Disassembling a function. Inside the radare2 terminal, type:
pdf @ sym.ntdll.dll_RtlCreateRegistryKey
You can use tab completion here. Try this instead:
pdf @ sym.ntdll.dll_RtlCreateR
and hit Tab.