Manual unpacking tutorial; mad respect to the masters. Turns out I can't even solve the warm-up ("sign-in") reversing challenges :)
Unpacking
- Run the program
- Find the program's pid (pidof hide)
- /proc/[pid]/maps lists the mapped segments (address range, permissions, file offset, backing file)

- Copy the segments straight out of the running process (/proc/[pid]/mem can only be read with ptrace rights on the target, hence sudo)
- sudo dd if=/proc/$(pidof hide)/mem of=hide_dump1 skip=4194304 bs=1c count=827392
- sudo dd if=/proc/$(pidof hide)/mem of=hide_dump2 skip=7110656 bs=1c count=20480
- cat hide_dump1 hide_dump2 >hide_dump
- skip and count are the start address and length of each mapping taken from maps, converted to decimal: 4194304 = 0x400000 and 827392 = 0xca000 for the first region, 7110656 = 0x6c8000 and 20480 = 0x5000 for the second; bs=1c makes both byte units
- cat drops the unmapped gap between the two regions, so in hide_dump the file offset equals vaddr - 0x400000 only for the first region; load each part as a raw binary at its own base, or zero-fill the gap when writing the dump
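The same procedure automated, as an added example that is not part of the original notes: parse /proc/<pid>/maps, keep the regions backed by the executable, and read them from /proc/<pid>/mem, optionally zero-filling the gap between regions so one rebase covers the whole file. The sample maps text is constructed so that its two `hide` mappings reproduce exactly the skip/count values of the dd commands above; the path /home/user/hide and the other mappings are assumed.

```python
"""Dump the in-memory (unpacked) image of a running process.

Added example, not from the original notes. SAMPLE_MAPS is constructed to
match the dd offsets in the notes (0x400000 + 0xca000, 0x6c8000 + 0x5000);
the path /home/user/hide is assumed.
"""
import os
import re

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

# Constructed sample, not a real capture.
SAMPLE_MAPS = """\
00400000-004ca000 r-xp 00000000 08:01 1234     /home/user/hide
006c8000-006cd000 rw-p 000c8000 08:01 1234     /home/user/hide
006cd000-006f0000 rw-p 00000000 00:00 0        [heap]
7ffd1234a000-7ffd1236b000 rw-p 00000000 00:00 0   [stack]
"""


def parse_maps(text):
    """Return [(start, end, perms, file_offset, path)] for each mapping."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, _dev, _inode, path = m.groups()
        regions.append((int(start, 16), int(end, 16), perms, int(offset, 16), path))
    return regions


def image_regions(regions, path):
    """Keep only the mappings backed by `path`, i.e. the unpacked executable."""
    return [r for r in regions if r[4] == path]


def dd_commands(regions, pid_expr="$(pidof hide)", prefix="hide_dump"):
    """The equivalent dd invocations: skip is the start address in bytes (bs=1c)."""
    return [
        f"sudo dd if=/proc/{pid_expr}/mem of={prefix}{i} "
        f"skip={start} bs=1c count={end - start}"
        for i, (start, end, _p, _o, _path) in enumerate(regions, 1)
    ]


def build_image(regions, read_region, pad_gaps=True):
    """Assemble the regions into one file image.

    read_region(start, length) -> bytes.  With pad_gaps=True the unmapped
    space between regions is zero-filled so file_offset == vaddr - base holds
    for the whole file and a single rebase suffices when loading it as a raw
    binary.  pad_gaps=False gives the `cat hide_dump1 hide_dump2` layout.
    """
    regions = sorted(regions)
    base = regions[0][0]
    out = bytearray()
    for start, end, _perms, _off, _path in regions:
        if pad_gaps and len(out) < start - base:
            out.extend(b"\0" * (start - base - len(out)))
        out.extend(read_region(start, end - start))
    return bytes(out)


def read_mem(fd, start, length):
    """Read exactly `length` bytes at `start` from an open /proc/<pid>/mem."""
    buf = bytearray()
    while len(buf) < length:
        chunk = os.pread(fd, length - len(buf), start + len(buf))
        if not chunk:
            raise IOError("short read at %#x" % (start + len(buf)))
        buf.extend(chunk)
    return bytes(buf)


def dump_process(pid, exe_path, out_path, pad_gaps=True):
    """Dump the live process (needs ptrace rights on it, e.g. run as root)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = image_regions(parse_maps(f.read()), exe_path)
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        image = build_image(regions, lambda s, n: read_mem(fd, s, n), pad_gaps)
    finally:
        os.close(fd)
    with open(out_path, "wb") as out:
        out.write(image)
    return regions


if __name__ == "__main__":
    import sys
    exe = sys.argv[2] if len(sys.argv) > 2 else "/home/user/hide"
    if len(sys.argv) < 2:          # no pid: just show the dd commands for the sample
        for cmd in dd_commands(image_regions(parse_maps(SAMPLE_MAPS), exe)):
            print(cmd)
    else:
        for r in dump_process(int(sys.argv[1]), exe, "hide_dump"):
            print("dumped %#x-%#x %s" % (r[0], r[1], r[2]))
```

Run with no arguments to print the dd commands derived from the sample maps; with `sudo python3 dump.py $(pidof hide) /path/to/hide` it writes hide_dump from the live process. The dumped image still carries whatever program/section headers the packer left in memory, so expect to set the load base by hand in IDA rather than trusting the headers.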


Unconventional reversing techniques
- Any file format on any architecture
  - lua/python/java/lua-jit/haskell/applescript/solidity/webassembly
  - firmware/raw bin
  - chip8/avr/clemency/risc-v
- Open IDA -> load as a raw binary file
- Binary parser
- Disassembler
  - a disassembler is the one thing you cannot do without
- Tracer
  - disassembler + tracer = debugger
  - trace replay
- Debugger
- Decompiler
Find a binary parser
- google
- Parse the unknown binary format
  - firmware
    - rebase the binary
    - recover the symbol table
  - other unknown binary formats
    - use strings/binwalk
    - find any clues you can
- Use the IDA Pro/radare2/Binary Ninja interface, or write an IDA loader
Find a disassembler
- google "xxx disassembler" / "xxx IDA" etc.
- human disassembler: decode the instruction set by hand from the spec
- IDA Pro/radare2/Binary Ninja interface
Find a tracer and debugger
- google
- Tracer
- Debugger
  - gdb-multiarch
  - qemu
  - emulator
- trace replay
How to audit assembly code
- Look for known code patterns (compiler idioms, recognisable library or crypto routines)
- Read the assembly block by block
Unconventional RE challenge examples
- plaid CTF 2018 apl
- SECCON CTF 2017 printf_machine
- CodeGate CTF 2017 easy_serials
- CTF 2018 wasm
- Nuit du hack CTF Quals 2018 AssembllyMe
- QWB CTF qual 2018 re
- N1CTF 2018 patient
Symbolic execution is worth learning.
Assembly: a left shift by one is a multiply by 2, a right shift by one is a divide by 2. That is exact for unsigned values (shl/shr). For signed values the compiler uses sar, which rounds toward negative infinity, while C's signed division truncates toward zero, so signed x / 2 compiles to sar plus a sign-bit adjustment rather than a bare shift.
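Worked version of the shift rule and of the signed-division idiom you meet when reading compiler output block by block, as an added example that is not part of the original notes. The instructions are modelled as 32-bit x86 operations so the results match what a disassembler shows rather than Python's unbounded integers; the assembly sequence quoted in the comment is one common form gcc emits and is given for illustration.

```python
"""Shift versus divide, modelled as 32-bit x86 operations.

Added example, not from the original notes.  The notes' rule (shl = *2,
shr = /2) is exact for unsigned values; the functions below show why a
signed C division by a power of two cannot compile to a bare `sar`, and
reproduce the bias sequence a compiler emits instead.
"""
MASK32 = 0xFFFFFFFF


def to_signed32(x):
    """Interpret the low 32 bits of x as a two's-complement integer."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def shl(x, n):
    """shl eax, n : multiply by 2**n, wrapping at 32 bits."""
    return to_signed32(x << n)


def shr(x, n):
    """shr eax, n : logical shift, i.e. unsigned divide by 2**n."""
    return (x & MASK32) >> n


def sar(x, n):
    """sar eax, n : arithmetic shift, i.e. floor divide by 2**n (rounds toward -inf)."""
    return to_signed32(x) >> n      # Python's >> on a negative int floors


def c_signed_div_pow2(x, n):
    """What C's signed `x / (1 << n)` must return: truncation toward zero."""
    x = to_signed32(x)
    q = abs(x) >> n
    return -q if x < 0 else q


def compiled_signed_div(x, n):
    """The idiom compilers emit for signed x / 2**n.  One form (for n == 1):
        mov eax, edi
        shr eax, 31        ; 1 if x is negative, else 0
        add eax, edi
        sar eax, 1
    In general the bias is 2**n - 1 (sar 31 then shr 32-n); adding it to a
    negative x turns the floor of sar into truncation toward zero.
    """
    x = to_signed32(x)
    bias = shr(sar(x, 31), 32 - n)   # 2**n - 1 when x < 0, else 0
    return sar(x + bias, n)


def mismatches(n, lo=-16, hi=16):
    """Values in [lo, hi) where a bare sar disagrees with C's signed division."""
    return [x for x in range(lo, hi) if sar(x, n) != c_signed_div_pow2(x, n)]


if __name__ == "__main__":
    for x in (7, -7, -8):
        print(x, "shl1", shl(x, 1), "shr1", shr(x, 1), "sar1", sar(x, 1),
              "C/2", c_signed_div_pow2(x, 1), "compiled", compiled_signed_div(x, 1))
    print("bare sar differs from /2 for", mismatches(1))
```

When you see `sar` preceded by a sign-bit extraction and an `add`, read it as a signed division by a power of two; a bare `sar` on its own is usually a floor division or a sign-extension trick, and a bare `shr` means the value was unsigned.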