Tuesday, September 29, 2015

Hex Plus - a very handy app

Downloaded this app to my phone today - really helpful. I would recommend it highly if you need to convert values frequently for networking or coding purposes. Reversing requires something like this all the time. I have put it to the test and it works just great. Very simple, fast and gives me exactly what I need from an app like this.

Get it for android from Google Play


Tuesday, September 22, 2015

Reverse Engineering: Assembly Instructions

Here is a list of the main instructions that you could come across when reversing code:

push — Push Stack.
The push instruction places its operand onto the top of the hardware supported stack in memory. Specifically, push first decrements ESP by 4, then places its operand into the contents of the 32-bit location at address [ESP]. ESP (the stack pointer) is decremented by push since the x86 stack grows down - i.e. the stack grows from high addresses to lower addresses.

pop — Pop stack
The pop instruction removes the 4-byte data element from the top of the hardware-supported stack into the specified operand (i.e. register or memory location). It first moves the 4 bytes located at memory location [ESP] into the specified register or memory location, and then increments ESP by 4.

lea — Load effective address
The lea instruction places the address specified by its second operand into the register specified by its first operand. Note, the contents of the memory location are not loaded, only the effective address is computed and placed into the register. This is useful for obtaining a pointer into a memory region.

add — Integer Addition
The add instruction adds together its two operands, storing the result in its first operand. Note, whereas both operands may be registers, at most one operand may be a memory location.

sub — Integer Subtraction
The sub instruction subtracts the value of its second operand from the value of its first operand and stores the result in the first operand. The same operand restrictions apply as with add.

inc, dec — Increment, Decrement
The inc instruction increments the contents of its operand by one. The dec instruction decrements the contents of its operand by one.

and, or, xor — Bitwise logical and, or and exclusive or
These instructions perform the specified logical operation (logical bitwise and, or, and exclusive or, respectively) on their operands, placing the result in the first operand location.

not — Bitwise Logical Not
Logically negates the operand contents (that is, flips all bit values in the operand).

neg — Negate
Performs the two's complement negation of the operand contents.

shl, shr — Shift Left, Shift Right
These instructions shift the bits in their first operand's contents left and right, padding the resulting empty bit positions with zeros. The shifted operand can be shifted up to 31 places. The number of bits to shift is specified by the second operand, which can be either an 8-bit constant or the register CL. In either case, shift counts greater than 31 are performed modulo 32.

jmp — Jump
Transfers program control flow to the instruction at the memory location indicated by the operand.

jcondition — Conditional Jump
These instructions are conditional jumps that are based on the status of a set of condition codes that are stored in a special register called the machine status word. The contents of the machine status word include information about the last arithmetic operation performed. For example, one bit of this word indicates if the last result was zero. Another indicates if the last result was negative. Based on these condition codes, a number of conditional jumps can be performed. For example, the jz instruction performs a jump to the specified operand label if the result of the last arithmetic operation was zero. Otherwise, control proceeds to the next instruction in sequence.
A number of the conditional branches are given names that are intuitively based on the last operation performed being a special compare instruction, cmp (see below). For example, conditional branches such as jle and jne are based on first performing a cmp operation on the desired operands.

je <label> (jump when equal)
jne <label> (jump when not equal)
jz <label> (jump when last result was zero)
jg <label> (jump when greater than)
jge <label> (jump when greater than or equal to)
jl <label> (jump when less than)
jle <label> (jump when less than or equal to)

cmp eax, ebx
jle done

cmp — Compare
Compare the values of the two specified operands, setting the condition codes in the machine status word appropriately. This instruction is equivalent to the sub instruction, except the result of the subtraction is discarded instead of replacing the first operand.

call, ret — Subroutine call and return
These instructions implement a subroutine call and return. The call instruction first pushes the current code location onto the hardware supported stack in memory (see the push instruction for details), and then performs an unconditional jump to the code location indicated by the label operand. Unlike the simple jump instructions, the call instruction saves the location to return to when the subroutine completes.
The ret instruction implements a subroutine return mechanism. This instruction first pops a code location off the hardware supported in-memory stack (see the pop instruction for details). It then performs an unconditional jump to the retrieved code location.

Full article at: http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
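To make the stack and flag behaviour described above concrete, here is a small interpreter for the push/pop, mov, add/sub/cmp, jmp/jcc and call/ret subset. It is an added example, not code from this post or from the linked guide, and it simplifies on purpose: memory operands are only of the form [reg], the "code location" that call saves is an instruction index rather than a byte address, and only ZF, SF and OF are modelled (no carry flag, so the unsigned jumps are left out). The demo program is constructed for the example; watch how cmp eax, ebx followed by jg treats 0xFFFFFFFB as -5.

```python
import struct

MASK = 0xFFFFFFFF
JCC = ("je", "jz", "jne", "jl", "jle", "jg", "jge")


class MiniX86:
    """Interpreter for the push/pop, add/sub/cmp, jmp/jcc and call/ret subset described above."""

    def __init__(self, mem_size=0x1000):
        self.mem = bytearray(mem_size)       # flat memory; the stack sits at the top and grows down
        self.regs = dict(eax=0, ebx=0, ecx=0, edx=0, ebp=0, esp=mem_size)
        self.flags = dict(ZF=0, SF=0, OF=0)  # the condition codes the conditional jumps consult

    def _value(self, operand):
        # a register, a [reg] memory operand (simplification: [reg] only), or an immediate
        if operand in self.regs:
            return self.regs[operand]
        if operand.startswith("[") and operand.endswith("]"):
            return struct.unpack_from("<I", self.mem, self._value(operand[1:-1]))[0]
        return int(operand, 0) & MASK

    def _set_flags(self, result, overflow=0):
        self.flags.update(ZF=int(result == 0), SF=(result >> 31) & 1, OF=overflow)

    def _taken(self, jcc):
        zf, sf, of = self.flags["ZF"], self.flags["SF"], self.flags["OF"]
        return {"je": zf, "jz": zf, "jne": not zf, "jl": sf != of,   # signed compares use SF vs OF
                "jle": zf or sf != of, "jg": not zf and sf == of, "jge": sf == of}[jcc]

    def _push(self, val):
        self.regs["esp"] -= 4                                    # decrement first ...
        struct.pack_into("<I", self.mem, self.regs["esp"], val)  # ... then store at the new [esp]

    def _pop(self):
        val = struct.unpack_from("<I", self.mem, self.regs["esp"])[0]  # load from [esp] ...
        self.regs["esp"] += 4                                          # ... then release the slot
        return val

    def run(self, program):
        code, labels = [], {}
        for line in program:                  # assemble text lines into (op, args), record labels
            line = line.split(";")[0].strip()
            if line.endswith(":"):
                labels[line[:-1]] = len(code)
            elif line:
                op, _, rest = line.partition(" ")
                code.append((op, [a.strip() for a in rest.split(",")] if rest else []))
        self.eip = 0
        while self.eip < len(code):
            op, args = code[self.eip]
            self.eip += 1                     # default: fall through to the next instruction
            if op == "push":
                self._push(self._value(args[0]))
            elif op == "pop":
                self.regs[args[0]] = self._pop()
            elif op == "mov":
                self.regs[args[0]] = self._value(args[1])
            elif op in ("add", "sub", "cmp"):
                a, b = self._value(args[0]), self._value(args[1])
                r = ((a + b) if op == "add" else (a - b)) & MASK
                mix = (~(a ^ b)) & MASK if op == "add" else (a ^ b)   # add: same signs; sub: different
                self._set_flags(r, (mix & (a ^ r)) >> 31)             # ... and the result sign flipped
                if op != "cmp":               # cmp is sub with the result thrown away
                    self.regs[args[0]] = r
            elif op == "jmp":
                self.eip = labels[args[0]]
            elif op in JCC:
                if self._taken(op):
                    self.eip = labels[args[0]]
            elif op == "call":                # save where to resume, then jump
                self._push(self.eip)
                self.eip = labels[args[0]]
            elif op == "ret":                 # pop the saved location and jump back to it
                self.eip = self._pop()
            else:
                raise ValueError(f"unsupported instruction {op!r}")
        return self


def signed_max_demo():
    """Constructed program: max(eax, ebx) as a subroutine, reached with call/ret."""
    program = [
        "mov eax, 7",
        "mov ebx, 0xFFFFFFFB",  # -5 as a 32-bit two's complement value
        "call bigger",
        "jmp end",
        "bigger:",
        "push ebp",             # prologue: save the caller's frame pointer
        "mov ebp, esp",
        "mov ecx, eax",
        "cmp eax, ebx",         # computes eax - ebx for the flags only
        "jg done",              # signed compare: 7 > -5, so this is taken
        "mov ecx, ebx",
        "done:",
        "pop ebp",
        "ret",
        "end:",
    ]
    cpu = MiniX86().run(program)
    return cpu.regs["ecx"], cpu.regs["esp"]   # (7, 0x1000): the result, and a balanced stack
```

signed_max_demo() returns (7, 0x1000): ecx holds the larger value, and esp is back where it started because every push (including the one that call performs) was matched by a pop or ret. Running "push 0x11223344" on a fresh MiniX86 leaves esp at 0x1000 - 4, which is the "grows down" point made in the push entry.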


Malware Analysis: Commonly used Windows functions

WriteFile function
Writes data to the specified file or input/output (I/O) device. This function is designed for both synchronous and asynchronous operation. For a similar function designed solely for asynchronous operation, see WriteFileEx.

CreateProcess function
Creates a new process and its primary thread. The new process runs in the security context of the calling process.
If the calling process is impersonating another user, the new process uses the token for the calling process, not the impersonation token. To run the new process in the security context of the user represented by the impersonation token, use the CreateProcessAsUser or CreateProcessWithLogonW function.

LookupPrivilegeValue function
The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

RegCloseKey function
Closes a handle to the specified registry key.

RegSetValue function
Sets the data for the default or unnamed value of a specified registry key. The data must be a text string.
Note: This function is provided only for compatibility with 16-bit versions of Windows. Applications should use the RegSetValueEx function.

RegOpenKeyEx function
Opens the specified registry key. Note that key names are not case sensitive.
To perform transacted registry operations on a key, call the RegOpenKeyTransacted function.

GetCurrentProcess function
Retrieves a pseudo handle for the current process.

GetTickCount function
Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.

CreateFile function
Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
To perform this operation as a transacted operation, which results in a handle that can be used for transacted I/O, use the CreateFileTransacted function.
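A first question when one of these names shows up in a sample is which variant it is and which family it belongs to: CreateProcessW, CreateProcessAsUserW and CreateProcessWithLogonW all create processes, and RegOpenKeyExW and RegOpenKeyTransacted both open keys. The triage helper below is an added example, not code from this post. The API_FAMILIES table and suffix list cover only the functions described above, and SAMPLE_STRINGS is a constructed stand-in for `strings` output, not from any real sample.

```python
import re

# Behaviour buckets for the API families described above.  A/W, Ex, Transacted,
# AsUser, WithLogon and 64 variants are folded onto the base name before lookup.
API_FAMILIES = {
    "CreateFile": "file/device I/O",
    "WriteFile": "file/device I/O",
    "CreateProcess": "process creation",
    "GetCurrentProcess": "own-process handle",
    "LookupPrivilegeValue": "privilege lookup",
    "RegOpenKey": "registry access",
    "RegSetValue": "registry write",
    "RegCloseKey": "registry access",
    "GetTickCount": "uptime / timing",
}
VARIANT_SUFFIXES = ("Transacted", "WithLogon", "AsUser", "Ex", "64")

# Constructed stand-in for `strings` output of a sample; not real data.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
KERNEL32.dll
CreateFileW
WriteFile
CreateProcessW
GetTickCount
GetCurrentProcess
ADVAPI32.dll
LookupPrivilegeValueA
RegOpenKeyExW
RegSetValueExW
RegCloseKey
"""


def family(name):
    """Map an imported symbol to its base API family, or None if it is not one we track."""
    candidates = [name]
    if name[-1:] in ("A", "W"):             # ANSI / wide-character variants
        candidates.append(name[:-1])
    for cand in list(candidates):           # then peel one documented variant suffix
        for suffix in VARIANT_SUFFIXES:
            if cand.endswith(suffix):
                candidates.append(cand[: -len(suffix)])
    for cand in candidates:
        if cand in API_FAMILIES:
            return cand
    return None


def triage(strings_output):
    """Summarise which tracked API families appear in strings-style output."""
    found = {}
    for token in re.findall(r"[A-Za-z][A-Za-z0-9]+", strings_output):
        fam = family(token)
        if fam:
            found.setdefault(fam, set()).add(token)
    report = {
        "families": {fam: sorted(names) for fam, names in found.items()},
        "behaviours": sorted({API_FAMILIES[fam] for fam in found}),
        "notes": [],
    }
    # The post notes RegSetValue exists only for 16-bit compatibility; seeing the bare name is unusual.
    if "RegSetValue" in found.get("RegSetValue", ()):
        report["notes"].append("uses the 16-bit-compatibility RegSetValue rather than RegSetValueEx")
    if "CreateProcess" in found and "LookupPrivilegeValue" in found:
        report["notes"].append("creates processes and looks up privilege LUIDs; check which privilege names it asks for")
    return report
```

triage(SAMPLE_STRINGS) groups the constructed strings into file I/O, process creation, privilege lookup, registry access/write and timing, and reports each family with the exact variant names seen, which is what you want to carry into the disassembly when you go looking for the calls.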


Using Putty to connect to Google Linux Instance

1. Create a linux instance on google compute. 

2. Download WinSCP and install it. This will give you PuttyGen, which is needed to create a key that we'll use to connect to the instance. 

3. Using PuttyGen, create a new key pair. 


4. Copy the public key as shown in the image above. Save both the public and private keys from this screen for future use. You will need the private key file to connect using Putty. 

5. Log on to the Google Developers Console and navigate to 'Compute > Compute Engine > Metadata > SSH Keys' and click on Edit. 

6. In the blank field, paste the public key that you copied from Puttygen and Save. 

7. Go to Putty now. 

8. In the host name, type in the username and IP of the instance in this format: username@ipaddress, e.g. matthew@

9. Leave everything else as default on this screen. 

10. Click on 'Connection' on the left and select SSH to expand it. 

11. Select 'Auth' under SSH and browse for the private key that you saved in PuttyGen.

12. This is it. You can save this session for future use if you want but at this point, you should be able to connect via ssh to your instance on Google Compute.
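Steps 4 and 6 are where this usually goes wrong: the key pasted into the metadata field must be the single line PuttyGen shows in its "Public key for pasting into OpenSSH authorized_keys file" box, not the multi-line file that "Save public key" writes. The checker below is an added example, not from the original post. It assumes (an assumption to verify against current Google documentation) that the console takes the login username from the key's trailing comment, so it also checks that the comment matches the username you will type in step 8. make_demo_pubkey builds a toy ssh-rsa blob from made-up numbers purely as test input; it is not a real key.

```python
import base64
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """SSH wire-format mpint for a positive integer (an extra byte keeps the sign bit clear)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_demo_pubkey(comment):
    """Constructed 'ssh-rsa' line with toy numbers; it is NOT a usable key, only test input."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE0000DEADBEEF)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def check_pubkey_line(text, expected_user):
    """Return a list of problems with a public key line destined for the instance metadata
    (an empty list means it looks right)."""
    problems = []
    stripped = text.strip()
    if "\n" in stripped or stripped.startswith("----"):
        # PuttyGen's "Save public key" writes the multi-line SSH2 format; the metadata field
        # wants the single line from the "Public key for pasting into OpenSSH authorized_keys
        # file" box instead.
        return ["not a single OpenSSH-style line (looks like the multi-line SSH2 .pub format)"]
    parts = stripped.split()
    if len(parts) < 2:
        return ["expected '<type> <base64 blob> <comment>'"]
    keytype, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return ["key body is not valid base64 (was it pasted with line breaks?)"]
    if len(blob) < 4:
        return ["key body too short to hold a type field"]
    # The first wire-format field repeats the key type; a mismatch means a mangled paste.
    (length,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + length]
    if wire_type != keytype.encode():
        problems.append(f"type prefix {keytype!r} does not match the encoded type {wire_type!r}")
    if not comment:
        problems.append("no trailing comment (assumed here to be where the console reads the username)")
    elif comment != expected_user:
        problems.append(f"comment {comment!r} differs from the username {expected_user!r} you will use in PuTTY")
    return problems
```

check_pubkey_line(make_demo_pubkey("matthew"), "matthew") returns an empty list, while the four-line "---- BEGIN SSH2 PUBLIC KEY ----" form that "Save public key" produces is rejected before any decoding is attempted.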