| Nightmare | Intro book to to binary exploitation / reverse engineering. |
| pwntools | Pwntools Cheatsheet |
| syscall_x64 | Syscalls for x64 |
| syscall_x86 | Syscalls for x86 |
| syscall_arm64 | Syscalls for arm64 |
| Decompiler Explorer | Compare tools on the forefront of static analysis in your web browser |
| objdump | Display information from object files like ELF |
| ldd | Print shared object dependencies |
| gdb | Debugger |
| pwndbg | gdb but with more features |
| Libdebug | A Python library to debug binary executables |
| ROPgadget | Extract ROP gadget |
| dnSpy | .NET debugger and assembly editor. |
| macOS | ~/Library/Application Support/Binary Ninja |
| Linux | ~/.binaryninja |
| Windows | %APPDATA%\\Binary Ninja |
lldb-server p --server --listen 0.0.0.0:31337
gdb <ELF> | Run gdb on that program. Be careful with addresses (it would be better to use PID). |
gdb --pid <PID> | Run gdb on a process. Run the program in the background, get PID and provide it to gdb. |
gdb --args <ELF> <ARGs> | Run gdb on that program passing it arguments. |
file <ELF> | Load the program to analyze |
set args <ARGs> | Set the arguments to use on each bugger run. |
r | Run |
r <ARGs> | Run with arguments |
r ${python3 -c ‘print "\xBYTES"’} | Run with byte arguments using Python |
r ${echo -e “\xBYTES”} | run with byte arguments using Echo |
b <function> b *<address> | Set a breakpoint. Also possible to do: b *main+10 |
i b | Info breakpoint |
enable <ID> | Enable breakpoints. If no ID is specified, enable all breakpoints. |
disable <ID> | Disable breakpoints. If no ID is specified, disable all breakpoints. |
d <ID> | Delete breakpoint If no ID is specifyied, deletes all breakpoints. |
c | Continue. Normal execution. |
s | Step. IN function. |
n | Next. NO IN function. |
finish | Continue until the current function returns. |
k | Kill. Stop the current execution. |
disassemble <FUNCTION> | Get assembly and their memory addresses. |
i fu | Get the list of program functions with their addresses. |
bt [full] | Show backtrace (function calls list). With full print even the local variables of each frame, if you have access to them. |
i s | Info Stack Frame. |
i f | Info Current Stack Frame. (ex. $RIP in BOF) |
i r i all-r | Info Registers. |
i dll | list of used DLLs |
p/<F> <expr> | Print what you want in the specified format <F>.ex. p/x $esp p/x $esp+8 p <FUN> p <VAR> |
x/<N><F><U> <addr> | Print and display memory only once. Specifies how many elements (<N>), in what format (<F>), and in what units (<U>) to display starting at address <addr>.ex. x/40x $esp x/5i $pc (next 5 instruction) |
display/<N><F><U> <addr> | As x/ but are saved and printed/displayed at each step.i displayundisplay <ID>enable display <ID>disable display <ID>If you don't put ID it applies to all. ex. display/5i $pc (next 5 instruction) |
set {type}address = value | Change the value of the addresses. ex. set{int}0x650000 = 0x42 set{char[1]}0x650000 = 0x42 |
set variable = value | Change the value of variables |
set $reg = value | Change the value of the registers |
set *address = value | Change the value of an address |
call <FUNCTION>() | Call function. ex. call (void)win() |
echo $((16#<NUM>)) | From bash convert hex to decimal. |
r << <CommandFile> | It is possible to specify a file with the inputs that should be given to the program in read, scanf, etc. Like cat <CommandFile> | ./<ELF> |
j *<EXPRESSION> | Jump and force execution to a specific address (*addr, *$reg, function). |
pwndbg [<TOPIC>] | Print info about pwndbg commands |
vmmap | Display memory mappings information |
context [<SECTION>]
|
Display context or a given context section
(regs, disasm, args, code, stack, backtrace, expressions, ghidra, threads) |
search <WHAT> | Search memory for a given value |
telescope <WHERE> [<COUNT>] | Examine memory dereferencing valid pointers |
hexdump <WHERE> [<COUNT>] | Print hexdump of given address |
xinfo <WHERE> | Show offsets of the specified address from
various useful locations |
retaddr | Print return addresses on the stack |
canary | Print the global stack canary/cookie value
and finds canaries on the stack |
xuntil
| Continue until an address or function |
nextcall | Continue to next call instruction |
nextjmp | Continue to next jump instruction |
nextret | Continue to next return-like instruction |
stepret | Step until a ret instruction is found |
checksec | Print binary mitigations status |
piebase | Print the relocated binary base address |
got | Print symbols in the .got section |
gotplt | Print symbols in the .got.plt section |
plt | Print symbols in the .plt section |
tls | Print thread local storage address |
distance <WHERE1> <WHERE2> | Compute difference between two addresses |
procinfo | Display process information |
heap_config | Show glibc allocator hacking configuration |
heap | Iteratively print chunks on heap (glibc only) |
vis_heap_chunks | Visualize chunks on a heap |
try_free <ADDRESS> | Check what would happen if free was called
with given address |
| Architecture | context.arch = '<ARCH>' 'aarch64', 'arm', 'i386', 'amd64' |
| Log Output |
|
| Endianness |
|
| ELF | elf = ELF('<PATH_BINARY>')libc = ELF("./libc.so.6") |
| Process | p = process('<PATH_BINARY>') |
| Remote | p = remote('<IP/DOMAIN>', PORT) |
| Hybrid |
|
| Debugger GDB | p = gdb.debug('<PATH_BINARY>', aslr=False, gdbscript='b *main+123') |
| Hex | enhex(b'/flag') ('2f666c6167')unhex('2f666c6167') (b'/flag') |
| Base64 |
|
| Packing |
|
| Unpacking |
|
| Function address | address = elf.sym['<Name_Function>']address = elf.symbols.<Name_Function>address = elf.plt[’<Name_Function>’] (in PLT)address = elf.got[’<Name_Function>’] (in GOT) |
| String address | address = next(elf.search(b'<STRING>')) Or with ghidra in .rodata, .text |
| Create Search String | cyclic(16) (b'aaaabaaacaaadaaa')cyclic(16, n=8) (b'aaaaaaaabaaaaaaa') |
| Find Offset |
|
| Assembly | code = shellcraft.cat('/flag') code = shellcraft.amd64.linux.sh() |
| Bytecode | shellcode = asm(code) (use the context architecture)shellcode = asm(code, arch='x86_64') |
| Start |
|
| Extract Gadget |
|
| ROP chain |
|
| Set Base Address (ex. libc) | libc = ELF(<PATH_LIBC>) (ex ./glibc/libc.so.6)libc.address = <INT_ADDRESS_BASE> rop_libc = ROP(libc) (after set base libc) |
%p | Pointer |
%s | String |
%d | Int |
%x | Hex |
%c | Char |
%n | Writes the number of characters printed in the specified pointer.%n = int (8 byte)%hn = short (4 byte)%hhn = byte (1 byte) |
%<P>x | Specifies the precision <P> (filled with 0) |
%<N>$x | Take the <N>-th argument |
| fmtstr_payload |
Note: Set the right |