Binary

Site

Nightmare	Intro book to to binary exploitation / reverse engineering.
pwntools	Pwntools Cheatsheet
syscall_x64	Syscalls for x64
syscall_x86	Syscalls for x86
syscall_arm64	Syscalls for arm64
Decompiler Explorer	Compare tools on the forefront of static analysis in your web browser

Tools

objdump	Display information from object files like ELF
ldd	Print shared object dependencies
gdb	Debugger
pwndbg	gdb but with more features
Libdebug	A Python library to debug binary executables
ROPgadget	Extract ROP gadget
dnSpy	.NET debugger and assembly editor.

GDB

To be expanded with PEDA, GEF or PWNDBG.

Start

gdb <ELF>	Run gdb on that program. Be careful with addresses (it would be better to use PID).
gdb --pid <PID>	Run gdb on a process. Run the program in the background, get PID and provide it to gdb.
gdb --args <ELF> <ARGs>	Run gdb on that program passing it arguments.

Execution

file <ELF>	Load the program to analyze
set args <ARGs>	Set the arguments to use on each bugger run.
r	Run
r <ARGs>	Run with arguments
r ${python3 -c ‘print "\xBYTES"’}	Run with byte arguments using Python
r ${echo -e “\xBYTES”}	run with byte arguments using Echo

Breakpoints

b <function> b *<address>	Set a breakpoint. Also possible to do: b *main+10
i b	Info breakpoint
enable <ID>	Enable breakpoints. If no ID is specified, enable all breakpoints.
disable <ID>	Disable breakpoints. If no ID is specified, disable all breakpoints.
d <ID>	Delete breakpoint If no ID is specifyied, deletes all breakpoints.
c	Continue. Normal execution.
s	Step. IN function.
n	Next. NO IN function.
finish	Continue until the current function returns.
k	Kill. Stop the current execution.

Visualization

disassemble <FUNCTION>	Get assembly and their memory addresses.
i fu	Get the list of program functions with their addresses.
bt [full]	Show backtrace (function calls list). With full print even the local variables of each frame, if you have access to them.
i s	Info Stack Frame.
i f	Info Current Stack Frame. (ex. $RIP in BOF)
i r i all-r	Info Registers.
i dll	list of used DLLs
p/<F> <expr>	Print what you want in the specified format <F>. ex. p/x $esp p/x $esp+8 p <FUN> p <VAR>
x/<N><F><U> <addr>	Print and display memory only once. Specifies how many elements (<N>), in what format (<F>), and in what units (<U>) to display starting at address <addr>. ex. x/40x $esp x/5i $pc (next 5 instruction)
display/<N><F><U> <addr>	As x/ but are saved and printed/displayed at each step. i display undisplay <ID> enable display <ID> disable display <ID> If you don't put ID it applies to all. ex. display/5i $pc (next 5 instruction)

Format

Format

• a Pointer.

• c Read as integer, print as character.

• d Integer, signed decimal.

• f Floating point number.

• o Integer, print as octal.

• s String.

• t Integer, print as binary (t = "two").

• u Integer, unsigned decimal.

• x Integer, print as hexadecimal.

• i Disassembly.

Unit

Unit

• b Byte

• h Half-word (2 bytes)

• w Word (4 bytes)

• g Giant word (8 bytes)

Simbols

• variable Contents of a variable

• &variable Address of a variable

• *address Contents of an address

Edit memory

set {type}address = value	Change the value of the addresses. ex. set{int}0x650000 = 0x42 set{char[1]}0x650000 = 0x42
set variable = value	Change the value of variables
set $reg = value	Change the value of the registers
set *address = value	Change the value of an address

Utility

call <FUNCTION>()	Call function. ex. call (void)win()
echo $((16#<NUM>))	From bash convert hex to decimal.
r << <CommandFile>	It is possible to specify a file with the inputs that should be given to the program in read, scanf, etc. Like cat <CommandFile> | ./<ELF>

PwnTools

checksec <ELF>
pwn checksec <ELF>

Context

Architecture	context.arch = '<ARCH>' 'aarch64', 'arm', 'i386', 'amd64'
Log Output	context.log_level = '<VALUE>' 'debug', 'info', 'warn', 'error'
Endianness	context.endian = '<ENDIANNESS>' 'big', 'little'

Start

ELF	elf = ELF('<PATH_BINARY>') libc = ELF("./libc.so.6")
Process	p = process('<PATH_BINARY>')
Remote	p = remote('<IP/DOMAIN>', PORT)
Hybrid	elf = ELF('<PATH_BINARY>') p = elf.process()

Debugger

Debugger GDB	p = gdb.debug('<PATH_BINARY>', aslr=False, gdbscript='b *main+123')

Encoding e Packing

Hex	enhex(b'/flag') ('2f666c6167') unhex('2f666c6167') (b'/flag')
Base64	b64e(b'/flag') ('L2ZsYWc=') b64d('L2ZsYWc=') (b'/flag')
Packing	p32(0x41424344) (b'\x44\x43\x42\x41') p8, p16, p64
Unpacking	u32(b'\x44\x43\x42\x41') (0x41424344) u8, u16, u64

Address

Function address	address = elf.sym['<Name_Function>'] address = elf.symbols.<Name_Function> address = elf.plt[’<Name_Function>’] (in PLT) address = elf.got[’<Name_Function>’] (in GOT)
String address	address = next(elf.search(b'<STRING>')) Or with ghidra in .rodata, .text

Cyclic

Create Search String	cyclic(16) (b'aaaabaaacaaadaaa') cyclic(16, n=8) (b'aaaaaaaabaaaaaaa')
Find Offset	cyclic_find(0x61616164) (12) cyclic_find(0x6161616161616162, n=8) (8) cyclic_find(io.corefile.fault_addr, n=8) (in BOF) In BOF use setuid=False in p = process()

Shellcode

Shellcraft, must be NULL-free.

Assembly	code = shellcraft.cat('/flag') code = shellcraft.amd64.linux.sh()
Bytecode	shellcode = asm(code) (use the context architecture) shellcode = asm(code, arch='x86_64')

ROP

Start	rop = ROP(elf) rop = ROP(elf, badchars=b'\n') (char not to be used in the chain) rop = ROP([elf, libc]) (specify double elf)
Extract Gadget	pop_ = rop.find_gadget(['pop <REG>', 'ret']).address pop_ = rop.<REG>.address or ROPgadget.
ROP chain	rop.call(<ADDR_FUNCTION>, [<ADDR_ARG1>, ... ]) rop.puts(); rop.main() (adds puts and main to the chain) rop.chain() (builds the chain with the elements called before) rop.dump() (text representation, to be put in log.info(X)) rop.clear() (clears the rop chain) rop.execve(next(libc.search(b'/bin/sh\0')), 0, 0) (calls execv with parameters)
Set Base Address (ex. libc)	libc = ELF(<PATH_LIBC>) (ex ./glibc/libc.so.6) libc.address = <INT_ADDRESS_BASE> rop_libc = ROP(libc) (after set base libc)

Format String

Format

%p	Pointer
%s	String
%d	Int
%x	Hex
%c	Char
%n	Writes the number of characters printed in the specified pointer. %n = int (8 byte) %hn = short (4 byte) %hhn = byte (1 byte)
%<P>x	Specifies the precision <P> (filled with 0)
%<N>$x	Take the <N>-th argument

Read

Find the buffer in which you are writing with %<N>$x where N increments. When you reach the buffer take note of N which will be the OFFSET

<ADDR_little> %<OFFSET>$x

Write

Find the buffer in which you are writing with %<N>$x where N increments. When you reach the buffer take note of N which will be the OFFSET VAL is the value that you want to write.

<ADDR_little>%<VAL-len(ADDR)>c%<OFFSET>$n

%<VAL>c%<OFFSET>$n<ADDR_little> 
BUT for every 8 characters you insert, increase the offset by 1

fmtstr_payload	fmtstr_payload(offset, writes, numbwritten=0, write_size='byte') offset: Offset to the buffer writes: Dictionary with address:value {addr: value, addr2: value2, etc.} numbwritten: Number of bytes already written by printf() ex. printf(hello <VAR>) = 6 write_size: The write size: byte, short or int (hhn, hn or n) Note: Set the right <ARCH>

ANGR

import angr
import claripy
import sys

FILE        = './<ELF>'
FLAG_LENGTH = 30
FLAG_KNOW   = 'FLAG{'
FIND_ADDR   = 0x1def 
AVOID_ADDR  = 0x1df8

# Define program
project = angr.Project(FILE, main_opts={"base_addr": 0x0}) # auto_load_libs=False

# Define the initial state simply
OPTION_NO_ERROR = {angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY, angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS}
initial_state = project.factory.entry_state(add_options = OPTION_NO_ERROR)

# ---------------- OR ----------------
# OPTIONAL: Define variable format 
# known_chars = [claripy.BVV(FLAG_KNOW[i]) for i in range(len(FLAG_KNOW))]
# flag_chars  = [claripy.BVS(f"flag_{i}",8) for i in range(FLAG_LENGTH-len(FLAG_KNOW))]
# flag_input  = claripy.Concat(*known_chars+flag_chars)

# OPTIONAL: Define how to make the input
# Define initial state with interactive input
# initial_state = project.factory.entry_state(stdin=flag_input, add_options = OPTION_NO_ERROR)
# Define initial state with input from argument
# initial_state = project.factory.entry_state(args=[FILE, flag_input], add_options = OPTION_NO_ERROR)
# ------------------------------------

# Create a simulator with the initial state
simgr = project.factory.simulation_manager(initial_state)

# Start the exploration of the program path
simgr.explore(find=FIND_ADDR, avoid=AVOID_ADDR)

# If Angr finds a path that meets the success criterion.
if simgr.found:
    # Extract the input that led to the path to success
    flag_solution = simgr.found[0].posix.dumps(0)
    print("Flag found:", flag_solution.decode())
else:
    print("No flag found.")

# ---------------- OR ----------------
# If there are multiple inputs
# if simgr.found:
#     print("[+] Input:")
#     for state in simgr.found:
#         solution = state.posix.dumps(0)
#         print(solution.decode())
# else:
#     print("No solution found.")
# ------------------------------------