translate.py

Description

Translate bytes according to a Python expression.

Platform: N/A – Python
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: translate.py [options] [file-in] [file-out] command [script]
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        Output file (default is stdout)
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include
  -f, --fullread        Full read of the file
  -r REGEX, --regex=REGEX
                        Regex to search input file for and apply function to
  -R FILTERREGEX, --filterregex=FILTERREGEX
                        Regex to filter input file for and apply function to
  -m, --man             print manual

Examples

translate.py encoded.raw decoded.txt 'byte ^ 0x5b'

XORs encoded.raw with the key 0x5b. A hex-ASCII dump can be converted to raw bytes first with the command "xxd -r -p encoded.hex > encoded.raw".

translate.py -o svchost.exe.dec svchost.exe 'byte ^ 0x10'

"byte" is the current byte in the file, so 'byte ^ 0x10' XORs each byte with 0x10.

Extra functions:
  rol(byte, count): rotate the byte left by count bits
  ror(byte, count): rotate the byte right by count bits
  IFF(expression, valueTrue, valueFalse): inline if; returns valueTrue when expression is true, otherwise valueFalse

The variable "position" is the index of the current byte in the input file, starting at 0.
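An added illustration of the per-byte expression model described above (this is not Didier Stevens's translate.py source): it binds the same names the tool documents, byte, position, rol, ror and IFF, and evaluates the expression once per input byte. The sample input is constructed.

```python
"""Stand-in for translate.py's per-byte expression evaluation (added example, not the tool's code)."""


def rol(byte, count):
    """Rotate an 8-bit value left by count bits."""
    count %= 8
    return ((byte << count) | (byte >> (8 - count))) & 0xFF


def ror(byte, count):
    """Rotate an 8-bit value right by count bits."""
    count %= 8
    return ((byte >> count) | (byte << (8 - count))) & 0xFF


def IFF(expression, valueTrue, valueFalse):
    """Inline if/else, as documented for translate.py."""
    return valueTrue if expression else valueFalse


def translate(data, expression):
    """Evaluate `expression` for every byte of `data`.

    `byte` and `position` are rebound before each evaluation; the result is
    truncated to 8 bits, matching the tool's one-byte-in, one-byte-out model.
    """
    code = compile(expression, "<translate>", "eval")
    env = {"rol": rol, "ror": ror, "IFF": IFF}
    out = bytearray()
    for position, byte in enumerate(data):
        env["byte"] = byte
        env["position"] = position
        out.append(eval(code, env) & 0xFF)
    return bytes(out)


# Constructed sample: a PE-like header XORed with 0x5b, as in the page's first example.
SAMPLE_PLAIN = b"MZ\x90\x00This program cannot be run in DOS mode."
SAMPLE_XORED = bytes(b ^ 0x5B for b in SAMPLE_PLAIN)

if __name__ == "__main__":
    print(translate(SAMPLE_XORED, "byte ^ 0x5b"))
    # A position-dependent key: only even offsets are XORed, expressed with IFF and position.
    print(translate(SAMPLE_XORED, "IFF(position % 2 == 0, byte ^ 0x5b, byte)"))
    # rol/ror are inverses of each other for the same count.
    print(translate(translate(SAMPLE_PLAIN, "rol(byte, 3)"), "ror(byte, 3)"))
```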

Blog Posts

FLOSS

Description

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like `strings.exe` to enhance basic static analysis of unknown binaries.

Platform: Windows, Mac, Linux
Author: FireEye Labs
License: Apache License 2.0
URL: https://github.com/fireeye/flare-floss/releases

Usage

Usage: floss [options] FILEPATH
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -n MIN_LENGTH, --minimum-length=MIN_LENGTH
                        minimum string length (default is 4)
  -f FUNCTIONS, --functions=FUNCTIONS
                        only analyze the specified functions (comma-separated)
  --save-workspace      save vivisect .viv workspace file in current directory
 
  Extraction options:
    Specify which string types FLOSS shows from a file, by default all
    types are shown
 
    --no-static-strings
                        do not show static ASCII and UTF-16 strings
    --no-decoded-strings
                        do not show decoded strings
    --no-stack-strings  do not show stackstrings
 
  Format Options:
    -g, --group         group output by virtual address of decoding functions
    -q, --quiet         suppress headers and formatting to print only
                        extracted strings
 
  Logging Options:
    -v, --verbose       show verbose messages and warnings
    -d, --debug         show all trace messages
 
  Script output options:
    -i IDA_PYTHON_FILE, --ida=IDA_PYTHON_FILE
                        create an IDAPython script to annotate the decoded
                        strings in an IDB file
    -r RADARE2_SCRIPT_FILE, --radare=RADARE2_SCRIPT_FILE
                        create a radare2 script to annotate the decoded
                        strings in an .r2 file
 
  Identification Options:
    -p PLUGINS, --plugins=PLUGINS
                        apply the specified identification plugins only
                        (comma-separated)
    -l, --list-plugins  list all available identification plugins and exit
 
  FLOSS Profiles:
    -x, --expert        show duplicate offset/string combinations, save
                        workspace, group function output

Examples

floss --no-static-strings file.exe

The following example shows the decoded and stack strings found in 9.exe. Although FLOSS can also show regular static strings, by the time you run FLOSS you are typically only interested in the encoded strings.

remnux@remnux:~$ floss --no-static-strings file.exe
 
FLOSS decoded 16 strings
\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program 
Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Fil
\system32\
.ocx
whh27018
WinSta0\Default
WinSta0\Default
WinSta0\Default
user32.dll
syst<
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user32.dll
systH
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
syst
\system32\AA
\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
FLOSS extracted 4 stackstrings
WinSta0\Default
user32.dll
\Program Files\Common Files\
rundll32.exe
 
Finished execution after 3.978650 seconds

Blog Posts

base64dump.py

Description

Extracts and decodes base64 strings (or other encodings) found inside the provided file. base64dump looks for sequences of base64 characters (or other encodings) in the provided file and tries to decode them.

Platform: N/A – Python
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: base64dump.py [options] [file]
Extract base64 strings from file
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -e ENCODING, --encoding=ENCODING
                        select encoding to use (default base64)
  -s SELECT, --select=SELECT
                        select item nr for dumping (a for all)
  -d, --dump            perform dump
  -x, --hexdump         perform hex dump
  -a, --asciidump       perform ascii dump
  -S, --strings         perform strings dump
  -n NUMBER, --number=NUMBER
                        minimum number of bytes in decoded data
  -c CUT, --cut=CUT     cut data
  -w, --ignorewhitespace
                        ignore whitespace

Examples

base64dump.py file.txt

The following output shows the sections that base64dump.py has attempted to decode as base64. This file isn't using plain base64 encoding, though, so see the next example.

remnux@remnux:~$ base64dump.py file.txt
ID  Size    Encoded          Decoded          MD5 decoded                    
--  ----    -------          -------          -----------                    
 1:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 2:       8 wstwaxap         ��pk.�           b5d83e3988cda1f8e903e138131cba91
 3:       8 yaoduhc=         ɪ.�.            c2b2fd4a95ff2e8d6ed65268e8e0a7f7
 4:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
 5:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 6:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
 7:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
 8:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
 9:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
10:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
11:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
12:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
13:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
14:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
15:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
16:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
17:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
18:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
19:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
20:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
21:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
22:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
23:       8 WCoEYFdo         X*.`Wh           9e71afc328eab02982d2cd44d58697bc
24:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
25:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
26:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
27:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
28:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
29:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
30:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
31:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
32:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
33:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
34:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
35:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
36:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
37:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
38:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
39:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
40:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
41:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
42:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
43:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
44:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
45:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
46:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
47:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
48:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
49:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
50:       4 this             �.�              8e5a04323b343a97433a353a663678b3
51:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
52:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4
53:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
54:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
55:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
56:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4

base64dump.py -e pu file.txt

This example shows how base64dump.py decodes "percent u" (%uXXXX) encoded data when -e pu is given. You're normally interested in the section with the largest size.

remnux@remnux:~$ base64dump.py -e pu file.txt
ID  Size    Encoded          Decoded                MD5 decoded                    
--  ----    -------          -------                -----------                    
 1:    1260 %u00e8%u0000%u5d �....]��.��...�=  889060967c0b481fa97ba2fb3447963c
 2:      12 %u9090%u9090     ����                a5cc288c0d8fad7eda458b7241548977
 3:      12 %u0c0c%u0c0c     ....                   d5aba5b36cbaf9dcb46a48418c3d6241

base64dump.py -e pu file.txt -s 1 -d > file.bin

In this example, base64dump.py decodes and dumps section 1 of the file and writes the result to a file named collab.bin. See the previous example for how sections are numbered.

remnux@remnux:~$ base64dump.py -e pu file.txt -s 1 -d > file.bin
remnux@remnux:~$ ls -l file.bin
-rw-rw-r-- 1 remnux remnux 420 Aug 17 18:58 collab.bin
remnux@remnux:~$ file file.bin
collab.bin: data
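An added illustration of what the two base64dump.py invocations above do with "percent u" data (listing the runs with -e pu, then dumping one item with -s N -d); this is not the tool's own source. It assumes each %uXXXX unit is a 16-bit value emitted as two bytes, little-endian, and that a run needs at least two units to be listed (the threshold is my choice). The sample text is constructed.

```python
import hashlib
import re

# One %uXXXX unit, and a run of at least two consecutive units (threshold is an assumption).
PU_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
PU_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){2,}")


def decode_pu(run):
    """Decode one run of %uXXXX units: each unit becomes two bytes, little-endian."""
    out = bytearray()
    for unit in PU_UNIT.findall(run):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def list_pu_items(text, min_bytes=0):
    """Return rows (id, size, encoded, decoded, md5) for every run, like the tool's listing.

    min_bytes plays the role of -n: runs whose decoded data is shorter are skipped.
    """
    rows = []
    for match in PU_RUN.finditer(text):
        decoded = decode_pu(match.group(0))
        if len(decoded) < min_bytes:
            continue
        rows.append((len(rows) + 1, len(decoded), match.group(0),
                     decoded, hashlib.md5(decoded).hexdigest()))
    return rows


def dump_item(rows, item_id):
    """Return the decoded bytes of one listed item, the equivalent of -s <id> -d."""
    for row in rows:
        if row[0] == item_id:
            return row[3]
    raise KeyError(f"no item {item_id}")


# Constructed sample (not from the page): two percent-u runs plus a lone unit that is ignored.
SAMPLE = ('var a = unescape("%u6548%u6c6c%u216f");\n'
          'var b = "%u0c0c%u0c0c%u0c0c%u0c0c"; var c = "%u4141";\n')

if __name__ == "__main__":
    rows = list_pu_items(SAMPLE)
    print("ID  Size  Encoded                   Decoded       MD5 decoded")
    for item_id, size, encoded, decoded, digest in rows:
        print(f"{item_id:2}: {size:5} {encoded:25} {decoded!r:13} {digest}")
    print(dump_item(rows, 1))  # the bytes -s 1 -d would write to the output file
```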

ProcDOT

Description

ProcDOT takes output from Process Monitor (procmon) and a packet capture, and graphs the activity based on the selected process. It shows every file and registry key the process touched, every child process or thread spawned, and every file and registry key touched by the children. It also allows the activity to be played back sequentially.

Platform: Windows and Linux
Author: Christian Wojner
License: ISC
URL: https://www.procdot.com/

Usage

In Procmon

  1. Configure the displayed columns in procmon to show TID and Sequence number.
  2. Under Filter, make sure “Enable Advanced Output” is disabled.
  3. Save the output as a CSV and make sure to save all events, not just filtered ones.

In ProcDOT

  1. Load the procmon CSV into procdot (and optionally the packet capture).
  2. Click the “…” next to Launcher and select the starting process you want to analyze.
  3. Click Refresh to update the graph.

Examples

In the following example, PowerShell was used to launch an executable while Procmon was recording. The output was then fed into ProcDOT so that the file and registry interactions could be displayed visually.

Blog Posts