Reverse engineering notes

Table of Contents

  • 1. RE4B

    0.1. http://dmitry.gr/index.php?r=05.Projects&proj=25.+VMU+Hacking

    0.2. REMaQE: Reverse Engineering Math Equations from Executables

    0.3. math

    0.4. CTFs & crackmes

    0.4.1. a CTF?

    0.5. ./arm assembly.html

    0.6. https://hellsite.site/@sys64738/107674844451982605

    0.7. JVM object code transformer library

    0.8. raw binary level

    0.8.1. hobbits

    A multi-platform GUI for bit-based analysis, processing, and visualization

    0.8.4. brailledump

    uses unicode braille for hex dumping

    0.8.5. memzoom

    a terminal memory visualizer / hexdumper

    0.9. languages

    0.10. symbolic / concolic execution

    0.10.2. angr

    1. angr for real-world use cases | volodya
    2. FOSDEM 2024 - CONFEDSS: Concolic execution and the puzzling practice of perip…

      symbolic branches are pruned in concrete emulation when they lead to infinite loops or other bad states

    0.11. web

    0.12. formats

    0.13. protocols

    0.14. game hacking

    0.15. hardware

    0.15.2. maskromtool

    A CAD tool for extracting bits from Mask ROM photographs

    0.16. CPU & ISA

    0.16.3. Soviet PDP reverse engineering

    • Apparently it was done based only on example code, and maybe on docs? So they knew what the code was supposed to do and they figured out the instruction set from that.

    0.17. academic tool but seems usable, if a "bit" resource hungry

    0.18. instrumentation

    0.18.1. debuggers

    1. GDB Enhanced Features
    2. PWNDBG

    0.18.2. Frida

    "it's essentially Greasemonkey/Tampermonkey/Violentmonkey but for native apps"

    0.19. ./file formats.html

    0.20. IRIS: infrared based inspection of the insides of microchips

    0.21. embedded, firmware, etc

    0.21.8. writeups

    1. Thinkpad xDCI BIOS hack and RE

      A safer approach to reflashing an SPI chip is to unsolder it from the motherboard and connect it directly to an SPI programmer. This is more time-consuming but avoids damaging the motherboard. In the worst case, you would just kill the SPI chip, which is easily replaceable.

    2. printer hacking live stream recording (fucking long but very informative)
      1. entropy

        can be very useful for finding compressed and/or encrypted areas

      2. reset vectors

        tend to have coprocessor stuff, likely to be entry point in firmware

      3. decompression

        Ghidra's generated C is very useful for leaf functions.

      4. constants

        GitHub search can help pinpoint what open source components are being used

      5. why not Binary Ninja

        terrible support for flat binaries and embedded stuff (at least as of the time the video was recorded)

    3. Reverse Engineering the Baofeng dm1702 codeplug - M0YNG.uk
    4. INC ransomware analysis
    5. Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial …

    0.21.9. RTOS

    if it's from Japan, it might use the micro ITRON (µITRON) standard

    0.22. function DB of old DOS and 16 bit Windows compilers stdlibs for Ghidra

    0.23. C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza — Möbius …

    0.24. static analysis

    0.25. https://stacksmashing.net/

    0.26. SPI

    But before we got started we figured there might be another way. Many times SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections simpler, save on cost, and make troubleshooting/programming easier. We started looking throughout the board for any other chip that might be on the same bus as the TPM. Maybe their pins would be larger and easier to use. After some probing and consulting the schematics, it turned out that the TPM shared a SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had just about the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).

    0.27. My hardware

    0.28. RE for repair

    1. RE4B

    Author: Csepp

    Created: 2025-01-22 Wed 04:10
