Tag: reversing

Debugging, Edb-debugger, Reversing

edb-debugger on Debian

Dependencies:
sudo apt-get install libqt5svg5-dev libgraphviz-dev pkg-config cmake
sudo apt-get install cmake build-essential libboost-dev libqt5xmlpatterns5-dev qtbase5-dev qt5-default libgraphviz-dev libqt5svg5-dev
Capstone: git clone --depth=50 …

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack simple malware obfuscation such as XOR, ROL, etc. by brute-forcing the transform and checking the output for those patterns. Balbuzard tools: balbuzard is a tool to extract patterns …
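The brute-force-and-check idea behind balbuzard, as an added example (this is not balbuzard's own code; the pattern list, the XOR/ROL transforms and the obfuscated sample string are all constructed here for illustration):

```python
import re

# Patterns of interest, in the spirit of balbuzard's built-in list.
# The set and the regexes are this example's own, not balbuzard's.
PATTERNS = {
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_-]+"),
    "email": re.compile(rb"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "pe_stub": re.compile(rb"This program cannot be run in DOS mode"),
    "exe_name": re.compile(rb"[A-Za-z0-9_-]+\.(?:exe|dll)\b"),
}


def find_patterns(data: bytes) -> dict[str, list[bytes]]:
    """Run every pattern over the buffer; return only the ones that matched."""
    return {name: rx.findall(data) for name, rx in PATTERNS.items() if rx.search(data)}


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR (its own inverse)."""
    return bytes(b ^ key for b in data)


def rol8(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` (1..7)."""
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def brute_force(data: bytes) -> list[tuple[str, dict]]:
    """Balbuzard-style deobfuscation: apply each candidate transform and keep
    the ones after which a pattern of interest appears. The pattern check is
    the oracle; no knowledge of the key or of the file format is needed."""
    hits = []
    for key in range(1, 256):
        found = find_patterns(xor1(data, key))
        if found:
            hits.append((f"XOR {key:#04x}", found))
    for bits in range(1, 8):
        found = find_patterns(rol8(data, bits))
        if found:
            hits.append((f"ROL {bits}", found))
    return hits


# Constructed sample: a C2 configuration string XOR-obfuscated with 0x5a,
# standing in for a config blob carved out of a suspicious binary.
SECRET = b"c2=http://198.51.100.23/gate.php;dropper=update.exe;mail=ops@example.com"
SAMPLE = xor1(SECRET, 0x5A)

if __name__ == "__main__":
    print("plain scan:", find_patterns(SAMPLE))  # nothing readable yet
    for transform, found in brute_force(SAMPLE):
        print(transform, found)
```

Only single-byte XOR and ROL are tried here, which is enough for the "obfuscate just the config" habit described on this page; a multi-byte repeating key needs per-offset frequency analysis rather than a 255-key loop. Expect occasional spurious matches from short patterns such as IPv4 under the wrong key, so read hits rather than trusting the first one.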

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility …

Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some XOR analysis: guess the key length (based on the count of equal chars) and guess the key (based on knowledge of the most frequent char). Download: https://github.com/hellman/xortool (git clone https://github.com/hellman/xortool.git). Usage: xortool [-h|--help] [OPTIONS] [filename]. Options: -l,--key-length length of the key (integer); -c,--char most possible char (one char or hex code) …
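The two heuristics named above (key length from the count of equal chars, key from the most frequent char), as an added example written for this page; it is not xortool's code, and the English sample text and the 3-byte key are constructed here:

```python
from collections import Counter
from itertools import cycle

# Constructed sample: a short English message under a 3-byte repeating XOR key.
PLAINTEXT = (b"it is a bit of an odd day so we go to the sea to sit on a rock by "
             b"the bay and eat a pie as the sun sets on the old pier")
KEY = b"sec"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)


def column(data: bytes, key_len: int, offset: int) -> bytes:
    """Every byte that was XORed with key[offset] if the key length is key_len."""
    return data[offset::key_len]


def equal_chars_score(data: bytes, key_len: int) -> int:
    """'Count of equal chars': for each key offset, how many bytes in that column
    equal the column's most frequent byte (minus one), summed over the offsets.
    The right key length lines up equal plaintext bytes under the same key byte,
    so the columns become peaky and the score jumps."""
    score = 0
    for offset in range(key_len):
        col = column(data, key_len, offset)
        if col:
            score += max(Counter(col).values()) - 1
    return score


def rank_key_lengths(data: bytes, max_len: int = 32) -> list[tuple[int, float]]:
    """Score every candidate length, best first. Raw scores favour long keys
    (more columns, each trivially peaky), so each score is divided by a length
    penalty so that multiples of the true length do not win."""
    ranked = []
    for key_len in range(1, min(max_len, len(data) - 1) + 1):
        fitness = equal_chars_score(data, key_len) / (max_len + key_len ** 1.5)
        ranked.append((key_len, fitness))
    return sorted(ranked, key=lambda kv: kv[1], reverse=True)


def guess_key_length(data: bytes, max_len: int = 32) -> int:
    return rank_key_lengths(data, max_len)[0][0]


def guess_key(data: bytes, key_len: int, most_frequent: int = 0x20) -> bytes:
    """Recover the key assuming `most_frequent` is the commonest plaintext byte
    (space for English text, 0x00 for many binaries; this is what the -c option
    supplies). Within one column XOR is a bijection, so the commonest ciphertext
    byte there is most_frequent ^ key[offset]."""
    key = bytearray()
    for offset in range(key_len):
        top_byte, _ = Counter(column(data, key_len, offset)).most_common(1)[0]
        key.append(top_byte ^ most_frequent)
    return bytes(key)


if __name__ == "__main__":
    length = guess_key_length(CIPHERTEXT)
    key = guess_key(CIPHERTEXT, length)
    print(f"key length {length}, key {key!r}")
    print(xor_bytes(CIPHERTEXT, key).decode())
```

The length penalty is the part that matters in practice: without it, 6 and 9 score almost as well as 3 on this sample. The key guess is only as good as the most-frequent-byte assumption; on a packed PE section, try 0x00 instead of a space, and look at the whole ranking rather than only the top entry.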

Radare2, Reversing

Install latest radare2 on Kali

Uninstall installed radare2 (if any): apt-get purge radare2. Install prerequisites: apt-get install valac libvala-0.xx-dev swig; pip install r2pipe; pip install --upgrade xdot. Download https://github.com/radare/radare2: git clone https://github.com/radare/radare2. radare2 installation: cd radare2; sys/install.sh. valabind installation: remove the installed version first: apt-get purge valabind …

Capstone, Edb-debugger, Reverse Engineering

Install latest edb-debugger on Kali

edb is a cross-platform x86/x86-64 debugger. It was inspired by OllyDbg, but aims to function on x86 and x86-64 as well as multiple operating systems. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality. Uninstall installed edb-debugger (if any): apt-get purge …

Disassembling, Radare2, Reversing

Disassembling functions with Radare2

Analyze the binary file and its symbols. Method 1: radare2 -A c:\Windows\SysWOW64\ntdll.dll (the -A flag runs the aaa analysis on load). Method 2: radare2 c:\Windows\SysWOW64\ntdll.dll, then inside the radare2 terminal type aaa and hit enter. Disassembling a function: inside the radare2 terminal, type pdf @ sym.ntdll.dll_RtlCreateRegistryKey. You can use tab completion here: type pdf @ sym.ntdll.dll_RtlCreateR and hit Tab.

Debugging, Disassembler, Disassembling, Reverse Engineering

Radare – a portable reversing framework

Radare is a portable reversing framework that can: disassemble (and assemble for) many different architectures; debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg); run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku; perform forensics on filesystems and data carving; be scripted in Python, Javascript, Go and more; support …