Reverse Overview
Tools
| Type | App | .NET | x86/x64 | Packer | Python | C | General |
|---|---|---|---|---|---|---|---|
| Description | <li> MobSF: Must run in python 3.8</li><li>ApkTool: Just follow the step in install guide</li> |
To decompile C#(.NET) | 指令:$ upx -d {filename}
|
一個可以把組語轉換成c pseudo code的線上工具 | 一個線上的decompiler,結合多種工具,只要上傳檔案(小於2MB)就可以呈現多種decompiler tools的結果 | ||
| Link | MobSF</br>ApkTools | dnSpy | x86模擬器</br>x86/x64 assembler/disassembler | UPX Packer | Pyc disassemble | Compiler Explorer | Decompiler Explorer |
IDA 常用快捷鍵
- IDA Interface
- 型別
- char(1 byte)
- WORD(2 bytes)
- DWORD(4 bytes)
- PDWORD(pointer of DWORD = DWORD *)
- 若是DWORD *name,代表name這個變數是一個pointer而且指向的地方是一個DWORD
- Space: 在 Text View / Graph View 切換
- Tab: 在視窗之間切換
- ;/Insert: 註解
- x: 秀出 Xrefs
- n: 改名
- y: 改型別
- h: 改表示方式 (dec / hex)
- u: 取消定義
- a: 當成字串
- c: 當成code
- p: 當成function
- t: set sizeof(XXX);如果已經確定目前的constant就是某個變數的length,那可以直接按t讓他變成sizeof(那個變數)
舉例:如果已經確定目前的
0x238就是PROCESSENTRY32W的size,就可以直接這樣用,會變得比較清楚- 結果
- 結果
- Shift+F1: show出Local Type視窗
- Local Types Screenshot
*
- Local Types Screenshot
- Shift+F12: 開啟Strings視窗
- Strings Screenshot
*
- Strings Screenshot
- 對某一個數值按m: ENUM這個功能就是在替換一些常見的windows API參數,讓原本的純數字可以用文字表示,這樣比較好懂API的操作,逆向會更順暢(補充說明:IDA有收錄很多MSDN上的一些API,他每一個參數表示的文字,例如這一篇底下有顯示很多Constant/value的對應,而正常情況下IDA會顯示的是value,如果要把它換成Constant文字的表達式就可以用到ENUM這個功能),又例如:
目前已經知道
CreateToolhelp32Snapshot(2, 0);中的2的意義是TH32CS_SNAPPROCESS(可以參考MSDN),此時就可以直接按m之後再選擇TH32CS_SNAPPROCESS*
* - \: 不顯示/顯示資料型別
- Alt+M/Ctrl+M: 前者是註冊書籤,後者是察看並選擇標籤,可以快速跑到標示的地址
- Ctrl+E: 如果是分析DLL file,可能會有很多不同的entry point,利用這個shortcut可以顯示目前有幾個entry point,很方便
* - 如何把bytes變成字串:
- 可以直接Alt+A
- 可以先把bytes的型別定義好(單獨的bytes變成array),變成array有兩種方法,第一種是直接用
Y定義他的型別成int dword_2008[32],前面的int就看每一個字元是來決定,後面[32]就代表有多少字元變成array;第二種方法就是直接按d改變一個字元的型態變成int,然後在edit/Array的地方可以叫出Convert to array的視窗(如果前面沒有先用d改變型態的話,他會以為所有字元都是一個byte,然後總共有128個字元這樣換算,但其實我們是總共32個字元,每一個字元是4個bytes,也就是int,這一點要特別注意)
- 接著就是在
Option/String literals視窗中設定用哪一個型態表示字串,這邊因為每一個字元都是4 bytes,也就是32 bits,所以選擇C-style
*
- 可以先把bytes的型別定義好(單獨的bytes變成array),變成array有兩種方法,第一種是直接用
- 完整流程
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128.rodata:0000000000002008 unk_2008 db 46h ; F ; DATA XREF: main+8↑o .rodata:0000000000002009 db 0 .rodata:000000000000200A db 0 .rodata:000000000000200B db 0 .rodata:000000000000200C db 4Ch ; L .rodata:000000000000200D db 0 .rodata:000000000000200E db 0 .rodata:000000000000200F db 0 .rodata:0000000000002010 db 41h ; A .rodata:0000000000002011 db 0 .rodata:0000000000002012 db 0 .rodata:0000000000002013 db 0 .rodata:0000000000002014 db 47h ; G .rodata:0000000000002015 db 0 .rodata:0000000000002016 db 0 .rodata:0000000000002017 db 0 .rodata:0000000000002018 db 7Bh ; { .rodata:0000000000002019 db 0 .rodata:000000000000201A db 0 .rodata:000000000000201B db 0 .rodata:000000000000201C db 68h ; h .rodata:000000000000201D db 0 .rodata:000000000000201E db 0 .rodata:000000000000201F db 0 .rodata:0000000000002020 db 33h ; 3 .rodata:0000000000002021 db 0 .rodata:0000000000002022 db 0 .rodata:0000000000002023 db 0 .rodata:0000000000002024 db 31h ; 1 .rodata:0000000000002025 db 0 .rodata:0000000000002026 db 0 .rodata:0000000000002027 db 0 .rodata:0000000000002028 db 31h ; 1 .rodata:0000000000002029 db 0 .rodata:000000000000202A db 0 .rodata:000000000000202B db 0 .rodata:000000000000202C db 4Fh ; O .rodata:000000000000202D db 0 .rodata:000000000000202E db 0 .rodata:000000000000202F db 0 .rodata:0000000000002030 db 5Fh ; _ .rodata:0000000000002031 db 0 .rodata:0000000000002032 db 0 .rodata:0000000000002033 db 0 .rodata:0000000000002034 db 72h ; r .rodata:0000000000002035 db 0 .rodata:0000000000002036 db 0 .rodata:0000000000002037 db 0 .rodata:0000000000002038 db 65h ; e .rodata:0000000000002039 db 0 .rodata:000000000000203A db 0 .rodata:000000000000203B db 0 .rodata:000000000000203C db 76h ; v .rodata:000000000000203D db 0 .rodata:000000000000203E db 0 .rodata:000000000000203F db 0 .rodata:0000000000002040 db 65h ; e .rodata:0000000000002041 db 0 .rodata:0000000000002042 db 0 .rodata:0000000000002043 db 0 .rodata:0000000000002044 db 72h ; r .rodata:0000000000002045 db 0 .rodata:0000000000002046 db 0 .rodata:0000000000002047 db 0 .rodata:0000000000002048 db 73h ; s .rodata:0000000000002049 db 0 .rodata:000000000000204A db 0 .rodata:000000000000204B db 0 .rodata:000000000000204C db 31h ; 1 .rodata:000000000000204D db 0 .rodata:000000000000204E db 0 .rodata:000000000000204F db 0 .rodata:0000000000002050 db 6Eh ; n .rodata:0000000000002051 db 0 .rodata:0000000000002052 db 0 .rodata:0000000000002053 db 0 .rodata:0000000000002054 db 67h ; g .rodata:0000000000002055 db 0 .rodata:0000000000002056 db 0 .rodata:0000000000002057 db 0 .rodata:0000000000002058 db 5Fh ; _ .rodata:0000000000002059 db 0 .rodata:000000000000205A db 0 .rodata:000000000000205B db 0 .rodata:000000000000205C db 33h ; 3 .rodata:000000000000205D db 0 .rodata:000000000000205E db 0 .rodata:000000000000205F db 0 .rodata:0000000000002060 db 6Eh ; n .rodata:0000000000002061 db 0 .rodata:0000000000002062 db 0 .rodata:0000000000002063 db 0 .rodata:0000000000002064 db 67h ; g .rodata:0000000000002065 db 0 .rodata:0000000000002066 db 0 .rodata:0000000000002067 db 0 .rodata:0000000000002068 db 69h ; i .rodata:0000000000002069 db 0 .rodata:000000000000206A db 0 .rodata:000000000000206B db 0 .rodata:000000000000206C db 6Eh ; n .rodata:000000000000206D db 0 .rodata:000000000000206E db 0 .rodata:000000000000206F db 0 .rodata:0000000000002070 db 65h ; e .rodata:0000000000002071 db 0 .rodata:0000000000002072 db 0 .rodata:0000000000002073 db 0 .rodata:0000000000002074 db 65h ; e .rodata:0000000000002075 db 0 .rodata:0000000000002076 db 0 .rodata:0000000000002077 db 0 .rodata:0000000000002078 db 72h ; r .rodata:0000000000002079 db 0 .rodata:000000000000207A db 0 .rodata:000000000000207B db 0 .rodata:000000000000207C db 35h ; 5 .rodata:000000000000207D db 0 .rodata:000000000000207E db 0 .rodata:000000000000207F db 0 .rodata:0000000000002080 db 7Dh ; } .rodata:0000000000002081 db 0 .rodata:0000000000002082 db 0 .rodata:0000000000002083 db 0 .rodata:0000000000002084 db 0 .rodata:0000000000002085 db 0 .rodata:0000000000002086 db 0 .rodata:0000000000002087 db 0$\downarrow$
1
2
3.rodata:0000000000002008 dword_2008 dd 46h, 4Ch, 41h, 47h, 7Bh, 68h, 33h, 2 dup(31h), 4Fh, 5Fh, 72h, 65h, 76h, 65h, 72h, 73h, 31h, 6Eh, 67h .rodata:0000000000002008 ; DATA XREF: main+8↑o .rodata:0000000000002008 dd 5Fh, 33h, 6Eh, 67h, 69h, 6Eh, 2 dup(65h), 72h, 35h, 7Dh, 0$\downarrow$
1
.rodata:0000000000002008 text "UTF-32LE", 'FLAG{h311O_revers1ng_3ngineer5}',0
- 可以直接Alt+A
- 如何快速把bytes dump出來
- 選擇要輸出的bytes
- 按Shift+E,跳出的視窗選擇想要的格式,再直接複製即可
- 選擇要輸出的bytes
- 如果函式沒有return東西的話,可以右鍵該函示,選擇
Remove return value或是Shift+Del
- 如果function中的宣告很多,可以右鍵選擇
Collapse declarations
x64dbg 常用快捷鍵
- F2: 設定中斷點
- F9: 繼續執行
- F8: 步過
- F7: 步入
- Ctrl+F9: 執行到 ret
- ==Ctrl+G==: goto
- ==Space==: 修改組譯
靜態分析
- PEview
- PEViewer
- PE-bear
動態分析
- OllyDbg
- x64dbg
- IDA
- Ghidra
- Windbg
- PEtool
Process相關的操作與資訊
- Procexp & Process Hacker 好看版的工作管理員
- Procmon 監控程序行為 Registry File system Network Process/Thread
好用的解題工具
-
angr - cheatsheet:
$ pip install angr claripy - z3:
$ pip install z3-solver