In case of a difference, __stack_chk_fail() is called and usually the program is aborted or some other security operation is performed
Difference flags:
fstack-protector :
Enables canary for functions that use arrays or local buffers
fstack-protector-strong :
Much larger coverage includes more functions
fstack-protector-all :
Protects all functions Higher performance cost
Limitations:
Canary does not prevent all techniques. If an attacker can obtain the canary value, info leak or guess it, the protection is lost
Canary does not stop attacks such as ROP attacks, heap-based attacks or logical vulnerabilities
Canary is part of a layered defense mechanism and should be used in conjunction with ASLR, DEP/NX and other mechanisms
@reverseengine
Difference flags:
fstack-protector :
Enables canary for functions that use arrays or local buffers
fstack-protector-strong :
Much larger coverage includes more functions
fstack-protector-all :
Protects all functions Higher performance cost
Limitations:
Canary does not prevent all techniques. If an attacker can obtain the canary value, info leak or guess it, the protection is lost
Canary does not stop attacks such as ROP attacks, heap-based attacks or logical vulnerabilities
Canary is part of a layered defense mechanism and should be used in conjunction with ASLR, DEP/NX and other mechanisms
@reverseengine
❤1
🔹 Red Zone
در سیستم های x86-64 بر اساس ABI لینوکس پایین RSP اشارهگر استک یک محدودهی 160 بایتی وجود داره که به اون Red Zone میگن
🔸 این فضا مخصوص برای چیه؟
کامپایلر اجازه داره بدون تغییر RSP از این 160 بایت برای ذخیره موقت متغیر ها استفاده کنه
🔸 چرا مهمه؟
اگر بخاید اکسپلویت بنویسید:
ممکنه دادهای پایین RSP قرار گرفته باشه اما هنوز با SUB RSP رزرو نشده باشه
اشتباه در فهمیدن Red Zone میتونه POC رو کرش کنه یا مانع نوشتن ROP Chain درست بشه
🔹 Red Zone
On x86-64 systems based on the Linux ABI, there is a 160-byte area below the RSP stack pointer called the Red Zone
🔸 What is this special space for?
The compiler is allowed to use these 160 bytes to temporarily store variables without changing the RSP
🔸 Why is it important?
If you want to write an exploit:
There may be data below the RSP that has not yet been reserved by the SUB RSP
A misunderstanding of the Red Zone can crash the POC or prevent the correct ROP Chain from being written
@reverseengine
در سیستم های x86-64 بر اساس ABI لینوکس پایین RSP اشارهگر استک یک محدودهی 160 بایتی وجود داره که به اون Red Zone میگن
🔸 این فضا مخصوص برای چیه؟
کامپایلر اجازه داره بدون تغییر RSP از این 160 بایت برای ذخیره موقت متغیر ها استفاده کنه
🔸 چرا مهمه؟
اگر بخاید اکسپلویت بنویسید:
ممکنه دادهای پایین RSP قرار گرفته باشه اما هنوز با SUB RSP رزرو نشده باشه
اشتباه در فهمیدن Red Zone میتونه POC رو کرش کنه یا مانع نوشتن ROP Chain درست بشه
🔹 Red Zone
On x86-64 systems based on the Linux ABI, there is a 160-byte area below the RSP stack pointer called the Red Zone
🔸 What is this special space for?
The compiler is allowed to use these 160 bytes to temporarily store variables without changing the RSP
🔸 Why is it important?
If you want to write an exploit:
There may be data below the RSP that has not yet been reserved by the SUB RSP
A misunderstanding of the Red Zone can crash the POC or prevent the correct ROP Chain from being written
@reverseengine
❤4
Structs & Data Layout Assembly
مثال در C:
معادل اسمبلی:
دستورات:
پس اگر در اسمبلی ببینید [reg + 4] و ورودی rdi هست احتمالا در حال دسترسی به فیلد دوم یک struct هست
Structs & Data Layout Assembly
Example in C:
Assembly equivalent:
Commands:
@reverseengine
مثال در C:
struct Point {
int x;
int y;
};
int getY(struct Point *p) {
return p->y;
}
معادل اسمبلی:
getY:
mov eax, DWORD PTR [rdi + 4] ; offset of y = 4 بایت
ret
دستورات:
rdi = آدرس ساختار (p)
x در offset 0 بایته ([rdi + 0])
y در offset 4 بایته ([rdi + 4])
پس اگر در اسمبلی ببینید [reg + 4] و ورودی rdi هست احتمالا در حال دسترسی به فیلد دوم یک struct هست
Structs & Data Layout Assembly
Example in C:
struct Point {
int x;
int y;
};
int getY(struct Point *p) {
return p->y;
}
Assembly equivalent:
getY:
mov eax, DWORD PTR [rdi + 4] ; offset of y = 4 bytes
ret
Commands:
rdi = address of structure (p)So if you see [reg + 4] in assembly and the input is rdi, you are probably accessing the second field of a struct
x is at offset 0 bytes ([rdi + 0])
y is at offset 4 bytes ([rdi + 4])
@reverseengine
❤1
Collection of ATM Attacks
https://github.com/PT-CyberAnalytics/collection-of-ATM-attacks
@reverseengine
https://github.com/PT-CyberAnalytics/collection-of-ATM-attacks
@reverseengine
GitHub
GitHub - PT-CyberAnalytics/collection-of-ATM-attacks: A curated list of common ATM (automated teller machines) vulnerabilities…
A curated list of common ATM (automated teller machines) vulnerabilities complete with mitigation recommendations and step-by-step checks for security assesment. - PT-CyberAnalytics/collection-of-A...
❤2
ReverseEngineering
🔹 Red Zone در سیستم های x86-64 بر اساس ABI لینوکس پایین RSP اشارهگر استک یک محدودهی 160 بایتی وجود داره که به اون Red Zone میگن 🔸 این فضا مخصوص برای چیه؟ کامپایلر اجازه داره بدون تغییر RSP از این 160 بایت برای ذخیره موقت متغیر ها استفاده کنه 🔸 چرا…
ساختار دقیق Red Zone
از RSP رو به پایین: 160 بایت آزاد
تابع اجازه داره از اون استفاده کنه
تا زمانی که سیگنال / interrupt نیاد این فضا دست نخورده میمونه
@reverseengine
از RSP رو به پایین: 160 بایت آزاد
تابع اجازه داره از اون استفاده کنه
تا زمانی که سیگنال / interrupt نیاد این فضا دست نخورده میمونه
@reverseengine
❤2
ReverseEngineering
ساختار دقیق Red Zone از RSP رو به پایین: 160 بایت آزاد تابع اجازه داره از اون استفاده کنه تا زمانی که سیگنال / interrupt نیاد این فضا دست نخورده میمونه @reverseengine
Detailed structure of Red Zone
From RSP down: 160 bytes free
Function is allowed to use it
This space remains untouched until signal/interrupt arrives
@reverseengine
From RSP down: 160 bytes free
Function is allowed to use it
This space remains untouched until signal/interrupt arrives
@reverseengine
❤2
IDA Pro Plugins For Malware Reverse Engineering
https://www.youtube.com/watch?v=pfBA6y4VLwM
@reverseengine
https://www.youtube.com/watch?v=pfBA6y4VLwM
@reverseengine
YouTube
IDA Pro Plugins For Malware Reverse Engineering
Here are our 5 most used IDA plugins for reverse engineering malware. Expand for more...
-----
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs…
-----
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs…
❤2
zer0ptsCTF 2023 Reverse Engineering Writeups
https://fazect.github.io/zer0ptsctf2023-rev
@reverseengine
https://fazect.github.io/zer0ptsctf2023-rev
@reverseengine
❤2
amateursCTF 2023 Reverse Engineering Writeups
https://fazect.github.io/amateursctf2023-rev
@reverseengine
https://fazect.github.io/amateursctf2023-rev
@reverseengine
❤2
لطفا تا جایی که میتونید پست ها رو فوروارد کنید تا کانال دیده بشه اینجوری به منم کمک بزرگی میکنید و محتواها رفته رفته بهتر و خفن تر میشه ممنون 🩶
Please forward as many posts as you can so that the channel can be seen. This way, you will be a great help to me and the content will gradually become better and more interesting. Thank you 🖤
Please forward as many posts as you can so that the channel can be seen. This way, you will be a great help to me and the content will gradually become better and more interesting. Thank you 🖤
❤9👍1
❤2
Exploit Development: Building Your Own Fuzzer with Bash
https://hackers-arise.com/exploit-development-building-your-own-fuzzer-with-bash
@reverseengine
https://hackers-arise.com/exploit-development-building-your-own-fuzzer-with-bash
@reverseengine
❤2
Detect-it-easy: Program for determining types of files or Windows, Linux and MacOS
https://github.com/horsicq/Detect-It-Easy
@reverseengine
https://github.com/horsicq/Detect-It-Easy
@reverseengine
GitHub
GitHub - horsicq/Detect-It-Easy: Program for determining types of files for Windows, Linux and MacOS.
Program for determining types of files for Windows, Linux and MacOS. - horsicq/Detect-It-Easy
❤2
Reverse Engineering WebAssembly
https://medium.com/%40pnfsoftware/reverse-engineering-webassembly-ed184a099931
@reverseengine
https://medium.com/%40pnfsoftware/reverse-engineering-webassembly-ed184a099931
@reverseengine
Medium
Reverse Engineering WebAssembly
This is an abridged version of http://www.pnfsoftware.com/reversing-wasm.pdf. For additional details, including footnotes, as well as…
❤1
Time Trvel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing
https://cloud.google.com/blog/topics/threat-intelligence/time-travel-debugging-using-net-process-hollowing?linkId=17730646
@reverseengine
https://cloud.google.com/blog/topics/threat-intelligence/time-travel-debugging-using-net-process-hollowing?linkId=17730646
@reverseengine
Google Cloud Blog
Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing Case Study | Google Cloud Blog
The basics of WinDbg and Time Travel Debugging necessary to start incorporating it into your analysis.
❤1
UPX Unpacking: Manual Reverse Engineering
https://guidedhacking.com/threads/how-to-unpack-upx-using-x64dbg.20985
@reverseengine
https://guidedhacking.com/threads/how-to-unpack-upx-using-x64dbg.20985
@reverseengine
❤1