{"id":2587,"date":"2024-03-13T12:53:49","date_gmt":"2024-03-13T16:53:49","guid":{"rendered":"https:\/\/dft.wiki\/?p=2587"},"modified":"2026-06-08T11:02:06","modified_gmt":"2026-06-08T15:02:06","slug":"binary-exploitation-cheat-sheet","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2587","title":{"rendered":"Reverse Engineering \/ Binary Exploitation Cheat Sheet"},"content":{"rendered":"<p><strong>Reverse Engineering Binaries<\/strong> is a critical set of techniques that enable attackers to extract sensitive information from, or inject code into, both local and remote executables.<\/p>\n<p><strong>Binary Exploitation Techniques<\/strong> are popular in <strong>CTF<\/strong> (Capture The Flag) competitions and less common in bug bounty programs, but they can be applied to enable more complex attack chains.<\/p>\n<p><strong>Mastering Reverse Engineering<\/strong> is crucial for cyber defense, uncovering vulnerabilities, and developing more secure software systems.<\/p>\n<hr \/>\n<p><strong>MEMORY LAYOUT OVERVIEW<\/strong><\/p>\n<p><strong>Memory<\/strong><\/p>\n<ul>\n<li><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4073\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/memory.png\" alt=\"\" width=\"640\" height=\"148\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/memory.png 640w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/memory-300x69.png 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><strong>Stack<\/strong>\n<ul>\n<li>Contains local variables, function parameters, and control flow information.<\/li>\n<li>Grows from higher to lower memory addresses.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Heap<\/strong>\n<ul>\n<li>Dynamically allocated memory (e.g. <code>malloc<\/code>).<\/li>\n<li>Grows from lower to higher memory addresses.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data<\/strong>\n<ul>\n<li>Static and global variables.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Code<\/strong>\n<ul>\n<li>Executable instructions of the program.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Concepts<\/strong><\/p>\n<ul>\n<li>Endianness\n<ul>\n<li><strong>Big-Endian<\/strong>\n<ul>\n<li>The most significant byte (<strong>MSB<\/strong>) is stored first.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Little-Endian<\/strong>\n<ul>\n<li>The least significant byte (<strong>LSB<\/strong>) is stored first.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Functions<\/strong><\/p>\n<ul>\n<li><strong>Prologues<\/strong>\n<ul>\n<li>Prepare the function for execution, including setting up the stack frame.\n<ul>\n<li>Shortcut: <code>enter<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Epilogues<\/strong>\n<ul>\n<li>Clean up the stack and return from the function.\n<ul>\n<li>Shortcut: <code>leave<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Canary<\/strong> (aka Stack Cookie\/Guard)\n<ul>\n<li>Detects stack buffer overflows by checking whether the canary value has been altered, helping prevent the return address from being overwritten and control flow from being hijacked.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ROP<\/strong> (Return Oriented Programming)\n<ul>\n<li>Exploits vulnerabilities by chaining together small snippets of existing code called <strong>Gadgets<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Gadgets<\/strong>\n<ul>\n<li>Small sequences of instructions ending in a <code>ret<\/code>, used to perform arbitrary operations.<\/li>\n<\/ul>\n<\/li>\n<li><strong>GOT<\/strong> (Global Offset Table)\n<ul>\n<li>A runtime address resolution table for global variables and functions in a shared library.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Lazy Binding<\/strong>\n<ul>\n<li>Resolves function addresses on their first call using the <strong>PLT<\/strong>, rather than at program startup.<\/li>\n<\/ul>\n<\/li>\n<li><strong>PLT<\/strong> (Procedure Linkage Table)\n<ul>\n<li>Facilitates dynamic linking by redirecting function calls to the <strong>GOT<\/strong> with the help of the Dynamic Linker\/Loader.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ASLR<\/strong> (Address Space Layout Randomization)\n<ul>\n<li>Protects against buffer overflow attacks by randomizing the memory addresses used by system and program components.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Movaps<\/strong>\n<ul>\n<li>This x86 instruction requires operands to be 16-byte aligned. During exploitation, misalignment will raise an exception and potentially crash the program, making it a common pitfall.<\/li>\n<li>The workaround is to add an extra <code>ret<\/code> right before the function call.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>32-bit vs. 64-bit Architecture (x86)<\/strong><\/p>\n<ul>\n<li><strong>32-bit<\/strong>\n<ul>\n<li><strong>Parameter Passing<\/strong>: Via stack.<\/li>\n<li><strong>Calling Convention<\/strong>: Arguments are pushed onto the stack in reverse order (right to left).<\/li>\n<li><strong>System Calls:<\/strong>\n<ul>\n<li>Instruction: interrupt 128 (<code>int 0x80<\/code>).<\/li>\n<li>Arguments: register <code>eax<\/code> for the system call number (<strong>0x0b = execve<\/strong>), followed by <code>ebx<\/code>, <code>ecx<\/code>, <code>edx<\/code>, <code>esi<\/code>, <code>edi<\/code>, and <code>ebp<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Address Space<\/strong>: Uses the entire memory address space.<\/li>\n<li><strong>Words<\/strong>:\n<ul>\n<li>word (16 bits)<\/li>\n<li>dword (32 bits)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>64-bit<\/strong>\n<ul>\n<li><strong>Parameter Passing<\/strong>: Via registers (<strong>RDI, RSI, RDX, RCX, R8, R9<\/strong>), then the stack.<\/li>\n<li><strong>Calling Convention<\/strong>: Register order as listed above, followed by stack.<\/li>\n<li><strong>System Calls:<\/strong>\n<ul>\n<li>Instruction: <code>syscall<\/code><\/li>\n<li>Arguments: register <code>rax<\/code> for the system call number (<strong>0x3b = execve<\/strong>), followed by <code>rdi<\/code>, <code>rsi<\/code>, <code>rdx<\/code>, <code>r10<\/code>, <code>r8<\/code>, <code>r9<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Address Space<\/strong>:\n<ul>\n<li>Low canonical addresses: 0x<strong>0000<\/strong>000000000000 to 0x<strong>0000<\/strong>7FFFFFFFFFFF (<strong>User<\/strong> space)<\/li>\n<li>High canonical addresses: 0x<strong>FFFF<\/strong>800000000000 to 0x<strong>FFFF<\/strong>FFFFFFFFFFFF (<strong>Kernel<\/strong> space)<\/li>\n<li>Only 48 bits have meaningful virtual addresses.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Words<\/strong>:\n<ul>\n<li>word (16 bits)<\/li>\n<li>dword (32 bits)<\/li>\n<li>qword (64 bits)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>BASIC ASSEMBLY<\/strong><\/p>\n<ul>\n<li><strong>Registers<\/strong> and their <strong>Operands<\/strong>\n<ul>\n<li><strong>eip<\/strong> (32-bit) \/ <strong>rip<\/strong> (64-bit)\n<ul>\n<li>Points to the next instruction to be executed.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ebp<\/strong> (32-bit) \/ <strong>rbp<\/strong> (64-bit)\n<ul>\n<li>Points to the base of the current stack frame, used for referencing local variables. While RBP does not hold the return address itself, it often points to the stack position where it is stored.<\/li>\n<\/ul>\n<\/li>\n<li><strong>esp<\/strong> (32-bit) \/ <strong>rsp<\/strong> (64-bit)\n<ul>\n<li>Points to the top of the stack (lowest memory address). Works in conjunction with <strong>push<\/strong> and <strong>pop<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Constructs<\/strong>\n<ul>\n<li><strong>mov<\/strong>\n<ul>\n<li>Copies data from source to destination. The pointer is dereferenced (<span style=\"text-decoration: underline;\">data value<\/span>).<\/li>\n<\/ul>\n<\/li>\n<li><strong>lea<\/strong>\n<ul>\n<li>Loads the address of the source into the destination. Stores the <span style=\"text-decoration: underline;\">pointer value<\/span> itself, not the dereferenced data.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ret<\/strong>\n<ul>\n<li>Pops the return address from the top of the stack into the instruction pointer, resuming execution there.<\/li>\n<\/ul>\n<\/li>\n<li><strong>push<\/strong>\n<ul>\n<li>Pushes a value onto the stack, decrementing the stack pointer.<\/li>\n<\/ul>\n<\/li>\n<li><strong>pop<\/strong>\n<ul>\n<li>Pops a value from the stack, incrementing the stack pointer.<\/li>\n<\/ul>\n<\/li>\n<li><strong>call<\/strong>\n<ul>\n<li>Calls a function by pushing the return address onto the stack and jumping to the function&#8217;s address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>cmp<\/strong>\n<ul>\n<li>Works like an IF statement. Compares two values by subtracting the right operand from the left.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Operators<\/strong>\n<ul>\n<li><strong>or<\/strong>, <strong>and<\/strong>, and <strong>xor<\/strong>\n<ul>\n<li>Perform bitwise OR, AND, and XOR operations respectively.<\/li>\n<\/ul>\n<\/li>\n<li><strong>mul<\/strong>\n<ul>\n<li>Multiplies two operands.<\/li>\n<\/ul>\n<\/li>\n<li><strong>div<\/strong>\n<ul>\n<li>Divides one operand by another.<\/li>\n<\/ul>\n<\/li>\n<li><strong>shl<\/strong> and <strong>shr<\/strong>\n<ul>\n<li>Shift bits left and right respectively.<\/li>\n<\/ul>\n<\/li>\n<li><strong>rol<\/strong> and <strong>ror<\/strong>\n<ul>\n<li>Rotate bits left and right respectively.<\/li>\n<\/ul>\n<\/li>\n<li><strong>nop<\/strong>\n<ul>\n<li>No Operation. Does nothing; often used for timing or alignment purposes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>INFORMATION GATHERING<\/strong><\/p>\n<pre><strong>file<\/strong> fileName<\/pre>\n<ul>\n<li><strong>ELF<\/strong>\n<ul>\n<li>Linux executable.<\/li>\n<\/ul>\n<\/li>\n<li><strong>80386\/i386<\/strong> or <strong>x86-64<\/strong>\n<ul>\n<li>32-bit or 64-bit architecture respectively.<\/li>\n<\/ul>\n<\/li>\n<li><strong>dynamically linked<\/strong>\n<ul>\n<li>Uses system libraries; the libraries are not bundled into the binary.<\/li>\n<\/ul>\n<\/li>\n<li><strong>not stripped<\/strong>\n<ul>\n<li>Easier to analyze because debugging information, including function names, is preserved in the binary.<\/li>\n<\/ul>\n<\/li>\n<li><strong>LSB<\/strong>\n<ul>\n<li>Least Significant Bit = Little-endian (bytes appear in reverse order).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>See also a list of file signatures that the <code>file<\/code> command uses to identify file types at [<a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_file_signatures\">Link<\/a>].<\/p>\n<pre><strong>checksec<\/strong> --file=fileName<\/pre>\n<ul>\n<li><strong>RELRO<\/strong>\n<ul>\n<li>&#8220;Relocation Read-Only&#8221; has the following levels:\n<ul>\n<li><strong>&#8220;Full RELRO&#8221;<\/strong> &#8211; GOT and PLT entries are resolved before startup and marked read-only, preventing overwrites.<\/li>\n<li><strong>&#8220;Partial RELRO&#8221;<\/strong> &#8211; Some entries remain read+write so they can be resolved at runtime, allowing partial overwrites.<\/li>\n<li><strong>&#8220;No RELRO&#8221;<\/strong> &#8211; No protection. Uncommon on modern systems.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Stack Canary<\/strong>\n<ul>\n<li>When disabled, shows &#8220;No canary found&#8221;, meaning there is no protection against buffer overflows overwriting the return address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>NX<\/strong>\n<ul>\n<li>Also known as the No-eXecute bit. When enabled, prevents shellcode from executing on the Stack or Heap.<\/li>\n<\/ul>\n<\/li>\n<li><strong>PIC<\/strong>\n<ul>\n<li>Also known as Position-Independent Code. When enabled, allows shared libraries to be loaded at relative memory addresses.<\/li>\n<\/ul>\n<\/li>\n<li><strong>PIE<\/strong>\n<ul>\n<li>Also known as Position-Independent Executable. When disabled, shows &#8220;No PIE&#8221;, meaning the program loads at the same memory address every time it runs.<\/li>\n<\/ul>\n<\/li>\n<li><strong>RUNPATH<\/strong>\n<ul>\n<li>At runtime, the dynamic linker searches for shared libraries in this path before falling back to standard locations such as <code>\/lib<\/code> and <code>\/usr\/lib<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><strong>strings<\/strong> fileName\r\n<strong>strings<\/strong> fileName -t x<\/pre>\n<ul>\n<li>Outputs any printable characters to the terminal.\n<ul>\n<li>Useful for quick information disclosure.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><strong>ldd<\/strong> fileName<\/pre>\n<ul>\n<li>Lists all shared libraries required by a dynamically linked binary.<\/li>\n<\/ul>\n<pre><strong>readelf<\/strong> -l fileName\r\n<strong>readelf<\/strong> -a fileName<\/pre>\n<ul>\n<li>Extracts information about the headers, sections, symbols, and other aspects of an ELF file.<\/li>\n<\/ul>\n<pre><strong>nm<\/strong> fileName<\/pre>\n<ul>\n<li>Lists symbols from object files (executables).<\/li>\n<\/ul>\n<pre><strong>objdump<\/strong> -d fileName &gt; decompiled.asm<\/pre>\n<ul>\n<li>Disassembles an executable.\n<ul>\n<li>Alternatively, use the GUI tool <strong>Ghidra<\/strong> [<a href=\"https:\/\/github.com\/NationalSecurityAgency\/ghidra\/releases\">Link<\/a>].\n<ul>\n<li>On Kali, install it with <code>sudo apt install -y ghidra<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><strong>ropper<\/strong> --file=fileName --search \"pop rdi\"<\/pre>\n<ul>\n<li>Finds all gadgets in the binary for use in ROP exploits [<a href=\"https:\/\/github.com\/JonathanSalwan\/ROPgadget\">Link<\/a>].<\/li>\n<\/ul>\n<pre>sudo -H python3 -m pip install ROPgadget\r\n<strong>ROPgadget<\/strong> --binary fileName<\/pre>\n<ul>\n<li>Locates gadgets using ROPgadget. Use Radare2 [<a href=\"https:\/\/rada.re\/\">Link<\/a>] to find register memory addresses.<\/li>\n<\/ul>\n<pre><strong>r2<\/strong> fileName<\/pre>\n<hr \/>\n<p><strong>DEBUGGING TOOLS<\/strong><\/p>\n<pre><strong>ltrace<\/strong> .\/fileName<\/pre>\n<ul>\n<li>Intercepts and displays <strong>library calls<\/strong> as the program runs.\n<ul>\n<li>E.g. <code>gets<\/code>, <code>puts<\/code>, or <code>printf<\/code> from <code>libc<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><strong>strace<\/strong> .\/fileName<\/pre>\n<ul>\n<li>Intercepts and displays <strong>system calls<\/strong> as the program runs.\n<ul>\n<li>E.g. <code>open<\/code>, <code>read<\/code>, <code>write<\/code>, <code>close<\/code>, <code>fork<\/code>, <code>execve<\/code>, <code>exit<\/code>, or <code>mmap<\/code> from the kernel.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><strong>gdb<\/strong> .\/fileName<\/pre>\n<ul>\n<li>A powerful debugger that deserves a cheat sheet of its own.<\/li>\n<li>A much better experience is available through the Python module <code>gdb-pwndbg<\/code> [<a href=\"https:\/\/github.com\/pwndbg\/pwndbg\">Link<\/a>].<\/li>\n<\/ul>\n<pre><strong>gdb-pwndbg<\/strong> fileName<\/pre>\n<ul>\n<li><strong>file<\/strong> fileName\n<ul>\n<li>Loads the binary to be debugged.<\/li>\n<\/ul>\n<\/li>\n<li><strong>info functions<\/strong>\n<ul>\n<li>Lists the functions in the binary.<\/li>\n<\/ul>\n<\/li>\n<li><strong>info registers<\/strong>\n<ul>\n<li>Shows the contents of all registers.<\/li>\n<\/ul>\n<\/li>\n<li><strong>info proc mappings<\/strong>\n<ul>\n<li>Displays memory mappings including start\/end addresses and permissions (rwx).<\/li>\n<\/ul>\n<\/li>\n<li><strong>disassemble<\/strong> main\n<ul>\n<li>Disassembles a function.<\/li>\n<\/ul>\n<\/li>\n<li><strong>info stack<\/strong>\n<ul>\n<li>Shows the stack of a running or crashed execution.<\/li>\n<\/ul>\n<\/li>\n<li><strong>backtrace<\/strong>\n<ul>\n<li>Similar to <code>info stack<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>break<\/strong> main\n<ul>\n<li>Adds a breakpoint to a function.<\/li>\n<\/ul>\n<\/li>\n<li><strong>break *<\/strong>0xffffffff\n<ul>\n<li>Adds a breakpoint at a memory address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>delete break<\/strong>\n<ul>\n<li>Removes all breakpoints.<\/li>\n<\/ul>\n<\/li>\n<li><strong>x\/s 0xffffffff<\/strong>\n<ul>\n<li>Shows the contents of memory at the given address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>cyclic<\/strong> 100\n<ul>\n<li>Generates a 100-character cyclic pattern for overflow testing.<\/li>\n<li>Similar online tool [<a href=\"https:\/\/wiremask.eu\/tools\/buffer-overflow-pattern-generator\/\">Link<\/a>].<\/li>\n<\/ul>\n<\/li>\n<li><strong>cyclic -l<\/strong> XXXX\n<ul>\n<li>Calculates the offset to the given pattern segment.<\/li>\n<\/ul>\n<\/li>\n<li><strong>run<\/strong>\n<ul>\n<li>Executes the binary.\n<ul>\n<li><code>n<\/code> steps to the next instruction.<\/li>\n<li><code>c<\/code> continues to the next breakpoint or runs freely.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>run &lt; payload<\/strong>\n<ul>\n<li>Feeds a payload file into standard input.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>See this tutorial for installing Pwndbg + GEF + Peda together [<a href=\"https:\/\/infosecwriteups.com\/pwndbg-gef-peda-one-for-all-and-all-for-one-714d71bf36b8\">Link<\/a>].<\/p>\n<hr \/>\n<p><strong>CRAFTING PAYLOADS MANUALLY<\/strong><\/p>\n<pre>python2 -c 'print \"A\"*4 + \"BBBB\" + \"\\xef\\xbe\\xad\\xde\"' &gt; payload<\/pre>\n<ul>\n<li>For 32-bit: creates <strong>AAAABBBB<\/strong> followed by the binary representation of address 0x<strong>deadbeef<\/strong>.<\/li>\n<\/ul>\n<pre>python2 -c 'print \"A\"*10 + \"\\xef\\xbe\\xad\\xde\\x00\\x00\\x00\\x00\"' &gt; payload<\/pre>\n<ul>\n<li>For 64-bit: creates <strong>AAAAAAAAAA<\/strong> followed by the binary representation of address 0x<strong>00000000deadbeef<\/strong>.<\/li>\n<\/ul>\n<pre>shellcraft -l<\/pre>\n<ul>\n<li>Lists available payloads (assembly instructions) for obtaining code execution or a shell within the application runtime.<\/li>\n<\/ul>\n<pre>shellcraft i386.linux.sh<\/pre>\n<ul>\n<li>Outputs the desired payload in hex.<\/li>\n<\/ul>\n<pre>shellcraft i386.linux.sh -f a<\/pre>\n<ul>\n<li>Outputs the payload in assembly.<\/li>\n<\/ul>\n<p>See also <code>msfvenom<\/code> for additional payloads at [<a href=\"https:\/\/dft.wiki\/?p=822#msfVenom\">Link<\/a>].<\/p>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<pre><strong>upx<\/strong> -h\r\n<strong>upx -d<\/strong> fileName<\/pre>\n<ul>\n<li>Tool for compressing and decompressing executable files.<\/li>\n<\/ul>\n<pre><strong>hexedit<\/strong> fileName<\/pre>\n<ul>\n<li>View and edit files in hexadecimal or ASCII.<\/li>\n<\/ul>\n<p><strong>Pwndbg + GEF + Peda<\/strong><\/p>\n<p>There is a tutorial for setting up all three tools at once [<a href=\"https:\/\/github.com\/apogiatzis\/gdb-peda-pwndbg-gef\">Link<\/a>]. Highly recommended to have ready in a Kali base image for pentesting or CTF work.<\/p>\n<pre>cd ~ &amp;&amp; git clone https:\/\/github.com\/apogiatzis\/gdb-peda-pwndbg-gef.git\r\ncd ~\/gdb-peda-pwndbg-gef\r\n.\/install.sh<\/pre>\n<pre>.\/update.sh<\/pre>\n<p><strong>IDA Free<\/strong><\/p>\n<p>Not open-source, but this free tool, originally built for Windows and now available on Linux and macOS as well, is arguably the best visual decompiler [<a href=\"https:\/\/hex-rays.com\/ida-free\/#download\">Link<\/a>].<\/p>\n<pre>wget https:\/\/out7.hex-rays.com\/files\/idafree84_linux.run\r\nchmod +x idafree84_linux.run \r\n.\/idafree84_linux.run<\/pre>\n<p><strong>Radare2 Cutter<\/strong><\/p>\n<p>A graphical interface for the well-known Radare2 reverse engineering framework [<a href=\"https:\/\/github.com\/rizinorg\/cutter\">Link<\/a>].<\/p>\n<pre>sudo apt install radare2-cutter -y<\/pre>\n<p>Complete summary of the binary on the landing Dashboard:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4203\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-12-32.png\" alt=\"\" width=\"1261\" height=\"950\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-12-32.png 1261w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-12-32-300x226.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-12-32-1024x771.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-12-32-768x579.png 768w\" sizes=\"auto, (max-width: 1261px) 100vw, 1261px\" \/><\/p>\n<p>Disassemble with graphics:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4204\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-13-40.png\" alt=\"\" width=\"1261\" height=\"950\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-13-40.png 1261w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-13-40-300x226.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-13-40-1024x771.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-13-40-768x579.png 768w\" sizes=\"auto, (max-width: 1261px) 100vw, 1261px\" \/><\/p>\n<p>Two popular decompilers available out of the box:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4205\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-14-17.png\" alt=\"\" width=\"1261\" height=\"950\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-14-17.png 1261w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-14-17-300x226.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-14-17-1024x771.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-04-25-08-14-17-768x579.png 768w\" sizes=\"auto, (max-width: 1261px) 100vw, 1261px\" \/><\/p>\n<p>It has an impressively clean interface.<\/p>\n<p><strong>Decompiler Explorer<\/strong><\/p>\n<p>An online multi-decompiler [<a href=\"https:\/\/dogbolt.org\/\">Link<\/a>] [<a href=\"https:\/\/github.com\/decompiler-explorer\/decompiler-explorer\">Link<\/a>].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-4778 size-large\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-From-2025-04-11-18-11-58-1024x518.png\" alt=\"\" width=\"640\" height=\"324\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-From-2025-04-11-18-11-58-1024x518.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-From-2025-04-11-18-11-58-300x152.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-From-2025-04-11-18-11-58-768x389.png 768w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-From-2025-04-11-18-11-58.png 1249w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p><strong>Windows Reverse Engineering Tools<\/strong><\/p>\n<p>Binary Ninja is not open-source but offers a free version for Windows, macOS, and Linux [<a href=\"https:\/\/binary.ninja\/free\/\">Link<\/a>].<\/p>\n<p>PEStudio is also not open-source, but its free version is well suited for .NET applications [<a href=\"https:\/\/www.winitor.com\/download\">Link<\/a>].<\/p>\n<p><strong>ROP Emporium<\/strong><\/p>\n<p>A free collection of binary exploitation challenges [<a href=\"https:\/\/ropemporium.com\/\">Link<\/a>], with a walk-through that builds the knowledge needed to complete them.<\/p>\n<p><strong>Pwnables<\/strong><\/p>\n<p>Started as a private CTF and became an OpenToAll CTF [<a href=\"https:\/\/pwnable.xyz\/\" target=\"_blank\" rel=\"noopener\">Link<\/a>]. It now contains more than 50 challenges that progressively increase in difficulty.<\/p>\n<p><strong>Libc Database Search<\/strong><\/p>\n<p>A linked memory address can reveal the version of a library in use, which in turn exposes available functions. This database includes a search feature and provides the libraries themselves for local exploitation testing before targeting a remote system.<\/p>\n<ul>\n<li>libc database search [<a href=\"https:\/\/libc.blukat.me\/?q=_rtld_global%3A0\">Link<\/a>]<\/li>\n<li>libc-database [<a href=\"https:\/\/libc.rip\/\">Link<\/a>]<\/li>\n<li>Search engine source code [<a href=\"https:\/\/github.com\/niklasb\/libc-database\/tree\/master\/searchengine\">Link<\/a>]<\/li>\n<\/ul>\n<p><strong>More Vulnerabilities to Consider<\/strong><\/p>\n<ul>\n<li><strong>Integer Overflow<\/strong>\/Underflow\n<ul>\n<li>Occurs when an arithmetic operation exceeds the maximum binary value a type can hold, causing the value to <span style=\"text-decoration: underline;\">wrap around<\/span>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Format String<\/strong> Vulnerability\n<ul>\n<li>Specific to languages like C and the <code>printf<\/code> family of functions (the <code>f<\/code> stands for Format). Without proper input sanitization, this can lead to <span style=\"text-decoration: underline;\">arbitrary memory reads or writes<\/span>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Fast-Paced Reverse Engineering for CTFs<\/strong><\/p>\n<ul>\n<li><strong>PatchELF<\/strong> [<a href=\"https:\/\/github.com\/NixOS\/patchelf\">Link<\/a>]\n<ul>\n<li>Modifies ELF binaries and libraries to add, remove, or alter paths and dependencies.<\/li>\n<\/ul>\n<\/li>\n<li><strong>PwnInit<\/strong> [<a href=\"https:\/\/github.com\/io12\/pwninit\">Link<\/a>]\n<ul>\n<li>Automates binary exploit challenge setup: marks the binary as executable, downloads the linker and debug symbols, unstrips libc, patches the binary&#8217;s RPATH, and fills in a pwntools solve script template.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>BONUS OF THE BONUS<\/strong><\/p>\n<p>Running and debugging x86-32, ARM, and MIPS applications on x86-64:<\/p>\n<pre>sudo apt update\r\nsudo apt-get install qemu-user -y\r\nsudo apt install libc6-i386 gdb-multiarch -y<\/pre>\n<pre>sudo apt install libc6-<strong>arm<\/strong>el-cross -y\r\nsudo mkdir \/etc\/qemu-binfmt -p\r\nsudo ln -s \/usr\/<strong>arm<\/strong>-linux-gnueabi \/etc\/qemu-binfmt\/<strong>arm<\/strong>\r\nqemu-<strong>arm<\/strong>-static .\/armv5.bin\r\nqemu-<strong>arm<\/strong> .\/armv5.bin<\/pre>\n<pre>sudo apt install libc6-<strong>mipsel<\/strong>-cross -y\r\nsudo mkdir \/etc\/qemu-binfmt -p\r\nsudo ln -s \/usr\/<strong>mipsel<\/strong>-linux-gnu \/etc\/qemu-binfmt\/<strong>mipsel<\/strong>\r\nqemu-<strong>mipsel<\/strong>-static .\/armv5.bin\r\nqemu-<strong>mipsel<\/strong> .\/armv5.bim<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Reverse Engineering Binaries is a critical set of techniques that enable attackers to extract sensitive [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2587","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2587"}],"version-history":[{"count":59,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2587\/revisions"}],"predecessor-version":[{"id":5631,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2587\/revisions\/5631"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}