Uncategorized

Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Apple EFI firmware passwords and the SCBO myth

Looking forward to an URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find an URL yet, though. 😦

Standard
Uncategorized

ARMpwn and ARMpwn Challenge

“ARMPwn: Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team”

https://github.com/saelo/armpwn

ARMPWN challenge write-up:
A few weeks ago, I came accross @5aelo repo called armpwn for people wanting to have a bit of ARM fun. I had recently spent some time adding new features and perfectionning old ones to my exploit helper gdb-gef and I saw there a perfect practice case. On top of that, I had nothing better to do yesterday ☺ This challenge was really fun, and made so much easier thanks to gef especially to defeat real life protections (NX/ASLR/PIC/Canary), and on a different architecture (Intel is so ‘90). This is mostly why I’m doing this write-up, but feel curious and do it by yourself. Fun time ahead guaranteed ☺ […]

https://blahcat.github.io/2016/06/13/armpwn-challenge.html

Standard
Uncategorized

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out the Hex-Rays Decompiler plugin is very powerful, and now available for Mac OS X users.

http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac

The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

 

Standard
Uncategorized

RET-Sync: multi-debugger tool for IDA Dissassembler

ret-sync stands for Reverse-Engineering Tools synchronization. It’s a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA disassembler. The underlying idea is simple: take the best from both worlds (static and dynamic analysis).

From debuggers and dynamic analysis we got:

    local view, with live dynamic context (registers, memory, etc.)
    built-in specialized features/API (ex: Windbg’s !peb, !drvobj, !address, etc.)

From IDA and static analysis we got:

    macro view over modules
    code analysis, signatures, types, etc.
    fancy graph view
    persistent storage of knowledge within IDBs

Keys features:

    Pass data (comment, command output) from debugger to disassembler (IDA)
    Multiple IDBs can be synced at the same time allowing to easily trace through multiple modules
    No need to deal with ALSR, addresses are rebased on-the-fly
    IDBs and debugger can be on different hosts

ret-sync is a fork of qb-sync that I developed and maintained during my stay at Quarkslab.

https://github.com/bootleg/ret-sync
https://github.com/quarkslab/qb-sync

Standard
Uncategorized

IDA 6.9 released

https://www.hex-rays.com/products/decompiler/news.shtml#151221
https://www.hex-rays.com/products/ida/6.9/index.shtml

It has AArch64 support!

There’s another comment on Twitter from The Rootless Monster, wondering about UEFI TE support in the latest release, unclear if TE support has changed in 6.9:

 

Standard