Uncategorized

ARMpwn and ARMpwn Challenge

“ARMPwn: Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team”

https://github.com/saelo/armpwn

ARMPWN challenge write-up:
A few weeks ago, I came across @5aelo's repo called armpwn for people wanting to have a bit of ARM fun. I had recently spent some time adding new features and perfecting old ones in my exploit helper gdb-gef, and I saw there a perfect practice case. On top of that, I had nothing better to do yesterday ☺ This challenge was really fun, and made so much easier thanks to gef, especially to defeat real-life protections (NX/ASLR/PIC/Canary), and on a different architecture (Intel is so '90s). This is mostly why I'm doing this write-up, but feel curious and do it by yourself. Fun time ahead guaranteed ☺ […]

https://blahcat.github.io/2016/06/13/armpwn-challenge.html

Hex-Rays Decompiler plugin for IDA, updated for OS X

If you use IDA, check out HexRaysCodeXplorer, a plugin for the Hex-Rays Decompiler. It is very powerful, and a build is now available for Mac OS X users.

http://www.surrendercontrol.com/2016/02/more-ida-pro-plugins-for-os-x.html
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin/v2.0%20%5BBlackHat%20Edition%5D/IDA%20v6.8/Mac

HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for better code navigation in the RE process. CodeXplorer automates code REconstruction of C++ applications and modern malware.

It has multiple experienced contributors:

Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

RET-Sync: multi-debugger tool for IDA Disassembler

ret-sync stands for Reverse-Engineering Tools synchronization. It’s a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA disassembler. The underlying idea is simple: take the best from both worlds (static and dynamic analysis).

From debuggers and dynamic analysis we get:

    local view, with live dynamic context (registers, memory, etc.)
    built-in specialized features/API (ex: Windbg’s !peb, !drvobj, !address, etc.)

From IDA and static analysis we get:

    macro view over modules
    code analysis, signatures, types, etc.
    fancy graph view
    persistent storage of knowledge within IDBs

Key features:

    Pass data (comments, command output) from the debugger to the disassembler (IDA)
    Multiple IDBs can be synced at the same time, allowing you to easily trace through multiple modules
    No need to deal with ASLR: addresses are rebased on-the-fly
    IDBs and debugger can be on different hosts

ret-sync is a fork of qb-sync that I developed and maintained during my stay at Quarkslab.

https://github.com/bootleg/ret-sync
https://github.com/quarkslab/qb-sync
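The "no need to deal with ASLR" feature above boils down to one idea: a live address is meaningful to IDA only once it is translated into the address space the IDB was analysed in. The following is an added example, not ret-sync's or qb-sync's own code, of that rebasing in both directions (debugger to IDB for following execution, IDB to debugger for placing a breakpoint from IDA). The module table is constructed sample data standing in for what a debugger's module list would report; the IDB image bases are assumed, and an address that falls outside every known module (heap, stack, JIT pages) is reported as unmappable rather than silently guessed.

```python
# Added example of ret-sync style address rebasing. Not ret-sync's own code;
# the module table below is constructed sample data, not a captured debugger listing.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    runtime_base: int   # where the loader actually mapped the image (ASLR-affected)
    size: int           # mapped image size as the debugger reports it
    idb_base: int       # image base the IDB was analysed at (assumed here)


# Constructed sample: three modules as a debugger might list them, each paired
# with the (assumed) image base of its IDB.
MODULES: List[Module] = [
    Module("app.exe",   0x00007FF6_1234_0000, 0x0005_0000, 0x0001_4000_0000),
    Module("ntdll.dll", 0x00007FFA_8B00_0000, 0x001E_0000, 0x0001_8000_0000),
    Module("libfoo.so", 0x00007F3C_2A00_0000, 0x0002_0000, 0x0000_0000_0000),
]


def find_module(addr: int, modules: List[Module] = MODULES) -> Optional[Module]:
    """Return the module whose live mapping contains addr, or None."""
    for m in modules:
        if m.runtime_base <= addr < m.runtime_base + m.size:
            return m
    return None


def live_to_idb(addr: int, modules: List[Module] = MODULES) -> Optional[Tuple[str, int]]:
    """Debugger -> IDA: map a live address to (module name, IDB address).

    Returns None when the address is not inside any known module, so a caller
    knows there is no IDB to jump to instead of landing on a bogus location.
    """
    m = find_module(addr, modules)
    if m is None:
        return None
    return m.name, addr - m.runtime_base + m.idb_base


def idb_to_live(name: str, idb_addr: int, modules: List[Module] = MODULES) -> Optional[int]:
    """IDA -> debugger: map an IDB address of a named module to its live address.

    Used when a breakpoint chosen in IDA must be set in the running process.
    Returns None for an unknown module or an address outside the image.
    """
    for m in modules:
        if m.name == name:
            off = idb_addr - m.idb_base
            return m.runtime_base + off if 0 <= off < m.size else None
    return None


if __name__ == "__main__":
    pc = 0x00007FF6_1234_1000                      # constructed live program counter
    print(live_to_idb(pc))                         # ('app.exe', 0x140001000)
    print(hex(idb_to_live("app.exe", 0x1_4000_1000)))
    print(live_to_idb(0x0000_0000_DEAD_0000))      # None: not in any module
```

The same offset arithmetic is all a synchronisation plugin needs to keep working when the target is restarted and every module lands somewhere else; only the module table has to be refreshed from the debugger.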

IDA 6.9 released

https://www.hex-rays.com/products/decompiler/news.shtml#151221
https://www.hex-rays.com/products/ida/6.9/index.shtml

It has AArch64 support!

There's another comment on Twitter from The Rootless Monster, wondering about UEFI TE support in the latest release; it is unclear whether TE support has changed in 6.9.

Hex Rays contest results

We’ve had 7 contestants this year! All plugins were interesting, but we had to choose three. Here’s the final ranking:

* First prize (1900 USD): Yaniv Balmas, Dynamic IDA Enrichment (DIE) framework
* Second prize (950 USD): Steven H. H. Ding, Kam1n0
* Third prize (450 USD): Alexander Matrosov, Eugene Rodionov, Rodrigo Branco & Gabriel Barbosa, HexRaysCodeXplorer

https://hex-rays.com/contests/2015/index.shtml

Note that one of the winning teams is made up of firmware security researchers! Congratulations!

https://hex-rays.com/contests/2015/codexplorer/CodeXplorer-Plugin_Contest_2015.zip

https://github.com/REhints/HexRaysCodeXplorer

More IDA plugins for UEFI

The other day I posted a pointer to a new list of IDA plugins:

https://firmwaresecurity.com/2015/09/18/new-list-of-ida-plugins/

Here are a few more IDA plugins for UEFI; the new list only mentions danse-macabre's ida-efitools project:

https://github.com/danse-macabre/ida-efitools

http://ho.ax/posts/2012/09/ida-pro-scripts-for-efi-reversing/
https://github.com/snare/ida-efiutils/

https://github.com/gdbinit/TELoader

http://www.hexblog.com/?p=116

http://bioshacking.blogspot.com/2012/06/ida-pro-support-for-efi-byte-code-ebc.html

Also see chapters 4 and 22 (at least) of this new book:
https://www.nostarch.com/rootkits

Does anyone know of any others? If so, please leave a Comment (see left) or send email (see upper right). Thanks.

new list of IDA Plugins

There’s a new list of IDA Pro plugins:

Of the dozens on the list, besides the classics, I found a handful of interesting ones I’d never heard of, including these 3 ROM/firmware-related ones:

* Bootroom Analysis Library: IBAL is the IDA Pro Bootrom Analysis Library, which contains a number of useful functions for analyzing embedded ROMs.
* EFI Scripts: Some IDA scripts and tools to assist with reverse engineering EFI executables.
* Sega Genesis/Megadrive Tools: Special IDA Pro tools for Sega Genesis/Megadrive romhackers. Tested to work on v5.2 and v6.6; should work on other versions.

I’ve mentioned a few (3?) UEFI-centric IDA plugins in earlier blog posts, plugins I didn’t see on this list. I guess I need to track them down and help with this list.

https://github.com/onethawt/idaplugins-list/blob/master/README.md
https://github.com/onethawt/idaplugins-list/
