🦠

MRE

Use Little Endian

For more accurate answers use IDA PRO

Artihmetic Instructions
  • ADD
    • Add source to dest. Example:
      • MOV EAX, 3
      • MOV EBX, 2
      • ADD EAX, EBX
      • EAX = 5
  • SUB
    • Subtracts source from dest. Example:
      • MOV EAX, 3
      • MOV EBX, 2
      • SUB EAX, EBX
      • EAX = 1
  • INC
    • Increments the destination by 1. Example:
      • MOV EAX, 3
      • INC EAX
      • EAX = 4
  • DEC
    • decrements the destination by 1. Example:
      • MOV EAX, 3
      • DEC EAX
      • EAX = 2
  • MUL
    • Multiples with operand results to store at EAX:EDX. Example:
      • MOV EAX, 3
      • MOV EBX, 2
      • MUL EBX
      • EAX:EBX = 6
  • DIV
    • Divides register with operand the results. Example:
      • MOV EAX, 32771
      • MOV EBX, 256
      • DIV EBX
      • EDX = 3 (Remainder) , EAX 128
  • SHL/SHR (Shifting Left/Shifting Right)
    • Shifts the destination to the left or right by filling with 0
    • SHL/SHR dest, src
  • ROL/ROR (Rotate Left/Rotate Right)
    • ROR β€” Right most bit move to left most bit + into the CF flag
    • ROL β€” Left most bit move to the right most bit + into the CF flag
Boolean Instructions
  • OR
    • EAX = 1001
    • EBX = 0110
    • OR EAX, EBX
    • EAX = 1111, EBX = 0110
  • NEG
    • NEG EAX, 0101
    • EAX = 1010
  • TEST
    • Does AND operation and changes flag (no change for source and dest)
  • AND
    • EAX = 1011
    • EBX = 1101
    • AND EAX, EBX
    • EAX = 1001, EBX = 1101
  • NOT
  • XOR
    • EAX = 1111 0000 0000 1111
    • EBX = 0000 0000 0001 1111
    • XOR EAX, EBX
    • EAX = 1111 0000 0001 0000
  • CMP
    • Does subtraction opereation and changes flag (no change for source and dest)
Flags
  • Zero flag (Z)
    • -----z--- - Zero flag
  • Overflow flag (O)
    • o-------- - Overflow flag
  • Carry flag (C)
    • --------c - Carry flag
  • Sign flag (S)
    • ----s---- - Sign flag
  • Parity flag (P)
    • -------p- - Parity flag
Control Instructions
  • LEA
  • JMP
  • LOOP
  • PUSH
  • POP
  • CALL
  • RETN
  • REP
  • REPXX
  • SCAS
  • NOP
  • JXX
    • General
      • JE
      • JZ
      • JC
      • JCXZ
      • JP
      • JMP
      • JECXZ
      • JNC
      • JNZ
      • JNE
    • Unsigned comparison jump
      • JA
      • JNBE
      • JAE
      • JNB
      • JB
      • JNAE
      • JBE
      • JNA
    • Signed comparison jumps
      • JG
      • JNLE
      • JGE
      • JNL
      • JL
      • JNGE
      • JNG
      • JLE
      • JS
      • JNS
      • JO
      • JNO
General use
  • C# decompilers
    • ILSpy
    • dotPeek

    Do not forget to drag the DLL files

  • ollydbg
    • To view memory map click on
    • To vire content of the PE headers double click PE header
    • Something similar should show up
    • To jump to a certain address press Ctrl + G or right click in the dump and select the following
    • To view registers and flags click on view β†’ CPU or (Alt + C)
    • To set breakpoints press F2 or right click on where uw set the breakpoint β†’ breakpoint β†’ toggle
    • click on play button to start debugging
    • For line by line debugging press F7
    • To execute until return go to Debug β†’ Execute until return
    • Press F9 to run application through
    • To restart application press Ctrl + F2
  • IDA Pro

    To set breakpoint press F2

    To stepover press F8

    To change inbetween code block and regular view press spacebar

    To jump to stored value double click the value

Binary Patching
  • Ollydby

    To patch a program double click an instruction you would like to patch, a window should open

    • To save right click on the list of code and click save file
    • Click yes and provide the file name
  • IDA Pro

    edit idagui.cfg with notepad at C:\Program Files\IDA Free\cfg\idagui.cfg, restart IDA once done

    Uncheck make import segment

    Click no when prompted

    Select view β†’ open submenu β†’ segments to see imported segments

    To import scripts to IDA pro go to select β†’ IDC files β†’ <script> then click open (Scripts are normally at C:\Program Files\IDA free\idc

    To edit the line u would like to and select Edit β†’ Patch Program β†’ Assemble

    To patch binary select Edit β†’ Patch program β†’ change byte

    To save the patched binary select File β†’ IDC Files β†’ pe_write.idc then click on open

Anti Disassembly
  • use CFF explorer and check section headers
    As you can see the virtual size is bigger than the Raw Size

    we can don’t load that portion of the application in IDA pro by checking the following.

    or we can change the raw size of the portion with its virtual size

    • if the above doesn’t work try this instead

      As the second portion of the header address is at 1400 and the first header address is at 400 we can deduce that the header size is 1000

ASCII table (for easy access)
DecHexChar
000NUL
101SOH
202STX
303ETX
404EOT
505ENQ
606ACK
707BEL
808BS
909HT
100ALF
110BVT
120CFF
130DCR
140ESO
150FSI
1610DLE
1711DC1
1812DC2
1913DC3
2014DC4
2115NAK
2216SYN
2317ETB
2418CAN
2519EM
261ASUB
271BESC
281CFS
291DGS
301ERS
311FUS
3220space
3321!
3422"
3523#
3624$
3725%
3826&
3927'
4028(
4129)
422A*
432B+
442C,
452D-
462E.
472F/
48300
49311
50322
51333
52344
53355
54366
55377
56388
57399
583A:
593B;
603C<
613D=
623E>
633F?
6440@
6541A
6642B
6743C
6844D
6945E
7046F
7147G
7248H
7349I
744AJ
754BK
764CL
774DM
784EN
794FO
8050P
8151Q
8252R
8353S
8454T
8555U
8656V
8757W
8858X
8959Y
905AZ
915B[
925C\
935D]
945E^
955F_
9660`
9761a
9862b
9963c
10064d
10165e
10266f
10367g
10468h
10569i
1066Aj
1076Bk
1086Cl
1096Dm
1106En
1116Fo
11270p
11371q
11472r
11573s
11674t
11775u
11876v
11977w
12078x
12179y
1227Az
1237B{
1247C|
1257D}
1267E~
1277FDEL
Useful websites

https://shell-storm.org/x86doc/

https://www.rapidtables.com/code/text/ascii-table.html

www.gnu.org/software/libc/manual/pdf/libc.pdf

Data Structures

How to identify arrays in IDA pro?

How to identify for loops in IDA pro?

How to identify local array in IDA pro?

How to view data stored in array in IDA pro?

Stack Layout