Reverse engineering notes
Table of Contents
- 0.1. http://dmitry.gr/index.php?r=05.Projects&proj=25.+VMU+Hacking
- 0.2. REMaQE: Reverse Engineering Math Equations from Executables
- 0.3. math
- 0.4. CTFs & crackmes
- 0.5. ./arm assembly.org
- 0.6. https://hellsite.site/@sys64738/107674844451982605
- 0.7. JVM object code transformer library
- 0.8. raw binary level
- 0.9. languages
- 0.10. symbolic / concolic execution
- 0.11. web
- 0.12. formats
- 0.13. protocols
- 0.14. game hacking
- 0.15. hardware
- 0.16. CPU & ISA
- 0.17. academic tool but seems usable, if a "bit" resource hungry
- 0.18. instrumentation
- 0.19. ./file formats.org
- 0.20. IRIS: infrared based inspection of the insides of microchips
- 0.21. embedded, firmware, etc
- 0.21.1. embedded hacking wiki
- 0.21.2. https://github.com/ninakali/chip_scavenger/blob/main/src/scavenge/008_tv/index.md
- 0.21.3. iPod bootrom exploit
- 0.21.4. UEFI rootkits, firmware dumping
- 0.21.5. backplane RE to enable deeper network monitoring
- 0.21.6. Thinkpad xx30 series BIOS patching
- 0.21.7. https://hackaday.com/2016/06/30/transcend-wifi-sd-card-is-a-tiny-linux-server/
- 0.21.8. writeups
- 0.21.9. RTOS
- 0.22. function DB of old DOS and 16 bit Windows compilers stdlibs for Ghidra
- 0.23. C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza — Möbius …
- 0.24. static analysis
- 0.25. https://stacksmashing.net/
- 0.26. SPI
- 0.27. My hardware
- 0.28. RE for repair
0.3. math
0.5. ./arm assembly.html
0.8. raw binary level
0.8.1. hobbits
A multi-platform GUI for bit-based analysis, processing, and visualization
0.8.4. brailledump
uses unicode braille for hex dumping
0.8.5. memzoom
a terminal memory visualizer / hexdumper
0.9. languages
0.10. symbolic / concolic execution
0.10.1. symbolic executor for r2
0.10.2. angr
- angr for real-world use cases | volodya
- FOSDEM 2024 - CONFEDSS: Concolic execution and the puzzling practice of perip…
symbolic branches are pruned in concrete emulation when they lead to infinite loops or other bad states
0.12. formats
0.15. hardware
0.15.1. http://szetszedtem.hu/
0.15.2. maskromtool
A CAD tool for extracting bits from Mask ROM photographs
0.15.4. Switch Lite Boardview
0.15.5. fault injection
0.16. CPU & ISA
0.16.2. jazelle reversing
0.16.3. Soviet PDP reverse engineering
- Apparently it was done based only on example code, and maybe on docs? So they knew what the code was supposed to do and they figured out the instruction set from that.
0.18. instrumentation
0.18.2. Frida
"it's essentially Greasemonkey/Tampermonkey/Violentmonkey but for native apps"
0.19. ./file formats.html
0.21. embedded, firmware, etc
0.21.1. embedded hacking wiki
0.21.3. iPod bootrom exploit
0.21.4. UEFI rootkits, firmware dumping
0.21.8. writeups
- Thinkpad xDCI BIOS hack and RE
A safer approach to reflashing an SPI chip is to unsolder it from the motherboard and connect it directly to an SPI programmer. This is more time-consuming, but it avoids the risk of damaging the motherboard: in the worst case you only kill the SPI chip, which is easily replaceable.
- printer hacking live stream recording (fucking long but very informative)
- entropy
can be very useful for finding compressed and/or encrypted areas
- reset vectors
tend to be surrounded by coprocessor setup code and are likely to be the firmware's entry point
- decompression
Ghidra's generated C is very useful for leaf functions.
- constants
searching GitHub for distinctive constants can help pinpoint which open source components are being used
- why not Binary Ninja
terrible support for flat binaries and embedded stuff (at least as of the time the video was recorded)
- Reverse Engineering the Baofeng dm1702 codeplug - M0YNG.uk
- INC ransomware analysis
- Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial …
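The entropy point above, as an added example (not from any of the linked writeups): a sliding-window Shannon entropy scan that flags byte ranges of a firmware image likely to be compressed or encrypted. The window size, step and threshold are assumptions; the sample blob is constructed inline (a low-entropy "code-like" region, a uniform-distribution stand-in for a packed payload, and zero padding).

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(blob: bytes, window: int = 512, step: int = 512):
    """Yield (offset, entropy) for each window over the blob."""
    for off in range(0, len(blob), step):
        chunk = blob[off:off + window]
        if chunk:
            yield off, shannon_entropy(chunk)


def find_high_entropy_regions(blob: bytes, window: int = 512, step: int = 512,
                              threshold: float = 7.0):
    """Merge consecutive windows at/above the threshold into (start, end) ranges.

    Compressed or encrypted data sits close to 8 bits/byte; code and text
    usually sit well below 7, so ~7.0 is a reasonable (assumed) cutoff.
    """
    regions, start = [], None
    for off, h in entropy_windows(blob, window, step):
        if h >= threshold:
            start = off if start is None else start
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(blob)))
    return regions


# Constructed sample image: 1 KiB of repetitive assembly-like text (low entropy),
# 1 KiB where every byte value occurs equally often (stand-in for a packed
# payload, entropy exactly 8.0), then 512 bytes of zero padding.
LOW = (b"push {r4, lr}\nmov r0, r1\nbl 0x100\npop {r4, pc}\n" * 40)[:1024]
_perm = list(range(256))
random.Random(1).shuffle(_perm)
HIGH = bytes(_perm) * 4
PAD = b"\x00" * 512
SAMPLE_BLOB = LOW + HIGH + PAD

if __name__ == "__main__":
    for off, h in entropy_windows(SAMPLE_BLOB):
        print(f"0x{off:06x}  {h:5.2f} bits/byte")
    print("high-entropy regions:", find_high_entropy_regions(SAMPLE_BLOB))
```

On a real dump, read the file with `open(path, "rb").read()` and compare the flagged ranges against section headers or known signatures before assuming a region is encrypted rather than merely compressed.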
0.21.9. RTOS
if the device is from Japan, it might use the micro ITRON (μITRON) standard
0.24. static analysis
0.24.2. binary diffing
0.24.3. decompilers
- LLVM based
- McSema has an (outdated) overview of other LLVM lifters
- remill (asm->LLVM)
- rellic (llvm->C)
- game emulation focused
- Dogbolt
a decompiler comparison tool, similar to Godbolt
- Ghidra
0.26. SPI
But before we got started we figured there might be another way. Many times SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections simpler, save on cost, and make troubleshooting/programming easier. We started looking throughout the board for any other chip that might be on the same bus as the TPM. Maybe their pins would be larger and easier to use. After some probing and consulting the schematics, it turned out that the TPM shared a SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had just about the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).