pmeerw's blog

Sun, 16 Jun 2019

Assembler at your fingertips: rappel

rappel is a Linux-based assembly REPL (read-eval-print loop) supporting Intel syntax. Quite handy to try out various instructions:

rax: 0x0000000000000001	rbx: 0x0000000000000002	rcx: 0x0000000000000000	rdx: 0x0000000000000000
rsi: 0x0000000000000000	rdi: 0x0000000000000000	r8 : 0x0000000000000000	r9 : 0x0000000000000000
r10: 0x0000000000000000	r11: 0x0000000000000000	r12: 0x0000000000000000	r13: 0x0000000000000000
r14: 0x0000000000000000	r15: 0x0000000000000000
rip: 0x0000000000400006	rsp: 0x00007fffd64d8f10	rbp: 0x0000000000000000
flags: 0x0000000000000202 [cf:0, zf:0, of:0, sf:0, pf:0, af:0, df:0]
> add eax,ebx
rax: 0x0000000000000003	rbx: 0x0000000000000002	rcx: 0x0000000000000000	rdx: 0x0000000000000000
rsi: 0x0000000000000000	rdi: 0x0000000000000000	r8 : 0x0000000000000000	r9 : 0x0000000000000000
r10: 0x0000000000000000	r11: 0x0000000000000000	r12: 0x0000000000000000	r13: 0x0000000000000000
r14: 0x0000000000000000	r15: 0x0000000000000000
rip: 0x0000000000400003	rsp: 0x00007fffd64d8f10	rbp: 0x0000000000000000
flags: 0x0000000000000206 [cf:0, zf:0, of:0, sf:0, pf:1, af:0, df:0]

Under the hood, it just runs nasm and observes register values. FP/XMM is supported as well...

posted at: 23:00 | path: /programming | permanent link

Sat, 04 May 2019

Rewriting Windows binary with Python's pefile

Using the Python module pefile to rewrite a Windows PE/PE+ file (I think both 32-bit and 64-bit are supported, tested 64-bit only). The goal is to append a new section, change the executable's entry point to the new section, and jump back to the original entry point (OEP).

#!/usr/bin/env python3

import pefile

def adjust_SectionSize(sz, align):
  # round sz up to the next multiple of align
  if sz % align: sz = ((sz + align) // align) * align
  return sz

pe = pefile.PE('../hello.exe')

last_section = pe.sections[-1]

new_section = pefile.SectionStructure(pe.__IMAGE_SECTION_HEADER_format__)

# fill with zeros
new_section.__unpack__(bytearray(new_section.sizeof()))

# place section header after last section header (assume there is enough room
# left in the header area, i.e. the first section's raw data does not start right there)
new_section.set_file_offset(last_section.get_file_offset() + last_section.sizeof())

new_section.Name = b'.test'
new_section_size = 100

new_section.SizeOfRawData = adjust_SectionSize(new_section_size, pe.OPTIONAL_HEADER.FileAlignment)
# raw data goes at the end of the file (assumes the file size is already a multiple of FileAlignment)
new_section.PointerToRawData = len(pe.__data__)

new_section.Misc = new_section.Misc_PhysicalAddress = new_section.Misc_VirtualSize = new_section_size
# next section-aligned RVA after the last section
new_section.VirtualAddress = last_section.VirtualAddress + adjust_SectionSize(last_section.Misc_VirtualSize, pe.OPTIONAL_HEADER.SectionAlignment)

new_section.Characteristics = 0x40000000 | 0x20000000 | 0x20 # IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE

# create new section data containing jump to OEP: jmp rel32 (E9 xx xx xx xx),
# the displacement is relative to the end of the 5-byte instruction
reljmp = pe.OPTIONAL_HEADER.AddressOfEntryPoint - (new_section.VirtualAddress + 5)
print('rel jmp %08x' % (reljmp & 0xffffffff))
new_section_data = bytearray(new_section.SizeOfRawData)
new_section_data[0] = 0xe9
# the slice must be exactly 4 bytes wide ([1:5]); a narrower slice would make the bytearray grow
new_section_data[1:5] = reljmp.to_bytes(4, byteorder='little', signed=True)

# change address of entry point to beginning of new section
pe.OPTIONAL_HEADER.AddressOfEntryPoint = new_section.VirtualAddress

# increase size of image
pe.OPTIONAL_HEADER.SizeOfImage += adjust_SectionSize(new_section_size, pe.OPTIONAL_HEADER.SectionAlignment)

# increase number of sections
pe.FILE_HEADER.NumberOfSections += 1

# append new section to structures
pe.sections.append(new_section)
pe.__structures__.append(new_section)

# add new section data to file
pe.__data__ = bytearray(pe.__data__) + new_section_data

pe.write('../hello_patched.exe')
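
To look at the result from the other side, here is an added example (not from the original post) that reads a patched file back with struct alone, no pefile needed, and flags the layout the script produces: an entry point in the last section whose first instruction is a jmp rel32 into an earlier section. It works on any PE32/PE32+ file; the two-section PE32+ it builds for demonstration is constructed in code, not a real binary.

```python
import struct
SECTION_FMT = '<8sIIIIIIHHI'  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from raw PE/PE+ bytes."""
    e_lfanew, = struct.unpack_from('<I', data, 0x3c)
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec, = struct.unpack_from('<H', data, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', data, e_lfanew + 20)
    entry, = struct.unpack_from('<I', data, e_lfanew + 24 + 16)  # same offset in PE32 and PE32+
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, table + 40 * i)[:5]
        sections.append(dict(name=name.rstrip(b'\0').decode(), va=va, vsize=vsize, rawptr=rawptr, rawsize=rawsize))
    return entry, sections

def section_of(rva, sections):
    for idx, s in enumerate(sections):
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return idx
    return None

def entry_trampoline(data):
    """Return (entry_rva, jmp_target_rva or None, suspicious); suspicious means the entry
    point sits in the last section and starts with a jmp rel32 (E9) into an earlier section."""
    entry, sections = parse_pe(data)
    idx = section_of(entry, sections)
    if idx is None:
        return entry, None, True          # entry point outside every section
    off = sections[idx]['rawptr'] + (entry - sections[idx]['va'])  # RVA -> file offset
    if data[off] != 0xE9:
        return entry, None, False
    rel, = struct.unpack_from('<i', data, off + 1)
    target = entry + 5 + rel              # rel32 is relative to the next instruction
    tidx = section_of(target, sections)
    return entry, target, idx == len(sections) - 1 and tidx is not None and tidx < idx

def build_sample_pe(entry_rva):
    """Constructed two-section PE32+ (.text at RVA 0x1000, .test at 0x2000), not a real binary."""
    def sec(name, va, rawptr):
        return struct.pack(SECTION_FMT, name, 0x100, va, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)            # e_lfanew = 0x40
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack('<H', 0x20B) + b'\0' * 14 + struct.pack('<I', entry_rva) + b'\0' * (0xF0 - 20)
    hdr = dos + coff + opt + sec(b'.text', 0x1000, 0x200) + sec(b'.test', 0x2000, 0x400)
    text = b'\xc3'.ljust(0x200, b'\0')                            # original code: ret
    test = (b'\xe9' + struct.pack('<i', 0x1000 - (0x2000 + 5))).ljust(0x200, b'\0')  # jmp back to .text
    return hdr.ljust(0x200, b'\0') + text + test
```

Calling `entry_trampoline(open('../hello_patched.exe', 'rb').read())` on the output of the script above should report the `.test` entry point, the OEP as jump target and the suspicious flag set.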

posted at: 10:33 | path: /programming | permanent link

Fri, 03 May 2019

Running x64dbg on Linux (wine)

x64dbg is an open-source x64/x32 debugger for Windows, somewhat following the famous OllyDbg, but a lot more modern. This is based on the latest version as of April 30, 2019.

Trying with Ubuntu 18.04 (wine 3.0-1ubuntu1) fails. Running winetricks vcrun2013 helps a bit; however, x64dbg then fails when loading an executable (see bug report).

Using the wine-development package provides wine 3.6, and x64dbg works somewhat -- hurray.

posted at: 23:56 | path: /programming | permanent link

Tue, 29 Jan 2019

git am on Windows

Note to self: on Windows use git am --whitespace=nowarn --keep-cr to apply commits previously created by format-patch. WTF?

posted at: 16:32 | path: /programming | permanent link

Mon, 30 Mar 2015

Counting newlines (quickly!)

Here are some thoughts on fefe's counting newlines problem (in German).

Bottom line: SIMD is nifty!

posted at: 14:27 | path: /programming | permanent link

Made with PyBlosxom