reversing

https://code.google.com/p/corkami/ about Corkami

- poster (2013/03/26): COM 101 - a DOS executable walkthrough
- doc (2012/02/22): opcodes' tables of Java, .Net, Android, x86 - as either compact single-page cheat sheets, or full descriptive posters
- article with PoCs (2012/03/18): curious encodings
- Explaining what's a computer virus to grandma
- PoC: Kernel31, a trampoline DLL to enable >XpSp3 binaries to work on previous OS
- old crackmes solutions: PredatorPirupiru, LilcwXor
- screencast: OllyDbg Tracing (easy level) - setting OllyDbg as a JIT debugger, tracing, optimizing tracing, finding the bug, patching, saving as a new executable
- screencast: reJava - create a .class from scratch
- PoC (2013/01/30-2013/02/16): a one-solution random labyrinth 'dumb' generator, in python (also with optimized algorithm), 16b x86 .COM in 126/122 bytes (on Pouet), GW-BASIC, Turbo Pascal 3.0 and x86 PE
- article with PoCs (2011/07/12-2013/03/15): a summary of PDF tricks - encodings, structures, JavaScript... (Français, 日本語)

corkami - reverse engineering experiments and documentations

SWF Investigator | Flash security

Recent Updates: December 4, 2012 — Preview 4 of the SWF Investigator is now available. This is a bug fix release. Download SWF Investigator Preview 4. Perform quick, comprehensive analysis of SWF applications. Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. http://labs.adobe.com/technologies/swfinvestigator/
jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input: PDF files (samples/sample-pdf.file), packet captures (samples/sample-http-exploit.pcap), HTML files, JavaScript files and SWF files. This project contains the source code which runs at the website http://jsunpack.jeek.org/ . http://code.google.com/p/jsunpack-n/

jsunpack-n - A generic JavaScript unpacker

http://eternal-todo.com/tools/peepdf-pdf-analysis-tool

peepdf - PDF Analysis Tool | eternal-todo.com

What is this? peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document, showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of Spidermonkey and Libemu it provides JavaScript and shellcode analysis wrappers too.

PDF Tools

http://blog.didierstevens.com/programs/pdf-tools/ I'm giving 2 days of training "Hacking PDF" at Hack In The Box Amsterdam 2013. I produced screencasts for my pdfid and pdf-parser tools; you can find them on the Didier Stevens Labs products page. There are translations of this page, see bottom.
http://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf

Static analysis of a CVE-2011-2462 PDF exploit | eternal-todo.com

CVE-2011-2462 was published more than one month ago. It's a memory corruption vulnerability related to U3D objects in Adobe Reader and it affected all the latest versions from Adobe (<=9.4.6 and <=10.1.1). It was discovered while it was being actively exploited in the wild, as some analyses say. Adobe released a patch for it 10 days after its publication.
http://ingumadev.blogspot.com/2011/12/and-finally-bokken-15.html

And finally... Bokken 1.5

Once the development has finished, radare2 0.9 has been released and the project site has been updated, the moment has arrived: Bokken 1.5 is here! Take a look at the previous post to read some of the new features of this release and keep reading to see most of them in detail; for the rest... install Bokken and enjoy them! As mentioned before, one of the most important features added is the support of radare2 as backend. So now Bokken can work with either Pyew or Radare , each one having its own advantages and drawbacks. Most of the development efforts for this release have gone to improve the GUI in order to make it cleaner and easier to use.
http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html

Windows Disassembler

Download PEBrowse64 Professional for Vista64, Windows 7 (64-bit) and Windows 8 (64-bit): MSI file, 1,003 KB, SHA256: 798d29d377d4b1769fd3f75937252aa71d0c5875a209f5d0389ac36d0d9efb88
Download PEBrowse Professional for all versions of Windows: ZIP file, 1,665 KB, SHA256: 7a81cb501fcdc473229b8c8b65fa2caebdefbc1a66cf8f7b99684e8d98becb5d
PEBrowse64 Professional (v3.3) is a 64-bit executable and requires the .NET framework. It will display both Win32 and Win64 executables, native, managed and mixed. PEBrowse Professional (v10.1.4) is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies.
http://www.hex-rays.com/products/ida/index.shtml

IDA: About

What is IDA all about? IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive.
In part 2 of this series we found a SQL injection vulnerability using static analysis. However, it is often advantageous to debug a target application, a capability that we'll need when working with more complex exploits later on. In this segment we won't be discovering any new vulnerabilities; instead we will focus on configuring and using our debugging environment. For this we will be using Qemu and the IDA Pro debugger. If you don't have IDA you can use insight/ddd/gdb instead, but in my experience IDA is far superior when it comes to embedded debugging. Our target binaries from the TEW-654TR are little-endian MIPS, so we need an emulator in order to run them on our host system. http://www.devttys0.com/2011/09/exploiting-embedded-systems-part-3/

IDA + gdb remote debugging

zynamics BinDiff uses a unique graph-theoretical approach to compare executables by identifying identical and similar functions. Description: BinDiff is a comparison tool for binary files that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code. With BinDiff you can identify and isolate fixes for vulnerabilities in vendor-supplied patches. You can also port symbols and comments between disassemblies of multiple versions of the same binary, or use BinDiff to gather evidence for code theft or patent infringement.

BinDiff

Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules. Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including:

- Embedded file identification and extraction
- Executable code identification
- Type casting
- Entropy analysis and graphing
- "Smart" strings analysis

Binwalk's file signatures are (mostly) compatible with the magic signatures used by the Unix file utility, and include customized/improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, kernels, bootloaders, filesystems, etc. See the screenshots page for sample usage and output.

binwalk - Firmware Analysis Tool

eliben / pyelftools

Introduction: what is pyelftools? pyelftools is a pure-Python library for parsing and analyzing ELF files and DWARF debugging information.
HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger), HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need for serial (or USB) cables. For example, HyperDbg allows single-stepping the execution of the kernel, even when the kernel is executing exception and interrupt handlers.

hyperdbg - A kernel debugger that leverages hardware-assisted virtualization

Free .NET decompiler :: JetBrains dotPeek

dotPeek is a free-of-charge .NET decompiler from JetBrains, the makers of ReSharper and more developer productivity tools. Download dotPeek 1.0 .msi installer (19.5 Mb).

- Decompiling .NET 1.0-4.5 assemblies to C#
- Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files
- Quick jump to a type, assembly, symbol, or type member
- Effortless navigation to symbol declarations, implementations, derived and base symbols, and more
- Accurate search for symbol usages with advanced presentation of search results
- Overview of inheritance chains
- Support for downloading code from source servers
- Syntax highlighting
- Complete keyboard support

dotPeek is free!