Artificial Intelligence / Reverse Engineering / Internet of Things / Full Stack Developer
General:
– MUltimate Assembler is a multiline (and ultimate) assembler (and
disassembler)
– To disassemble code, select it, and choose “MUltimate Assembler” from
the right click menu
– To assemble code, click the Assemble button in the assembler window
其实这个标题并不确切,其实应该是ImmDbg调试器加载的文件哪里去了。加载文件脚本还是下面的样子:
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby. http: //www.h4ck.org.cn}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
DESC="""Load Binary file test!"""
import immlib
import immutils
import os
def main(args):
imm = immlib.Debugger()
imm.log ("--------------------------------------------------------------------------------" )
imm.log ("[*] Start Loading file " )
imm.log ("--------------------------------------------------------------------------------" )
rcFileHandle = open ('C:\\test.bin','rb')
rcFileData = rcFileHandle.read()
rcFileLength = len(rcFileData)
imm.log ("[*] FileLength is 0x%08x and filedata is loaded at address 0x%08x" %(rcFileLength,id(rcFileData)))
imm.log ("[*] Finished Loading " )
imm.log ("--------------------------------------------------------------------------------" )
return "[*] Data has been Loaded!"
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience.
Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc…. Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules… Not an easy task.
It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them to work, and would still not solve some issues I was having while writing exploits.
OllyDbg and Immunity Debugger are quite different than windbg. Not only the GUI is very much different, the number of plugins for these debuggers is substantially higher. After evaluating both of them (they pretty much have the same look and feel), and evaluating the way plugins can be added, I made the decision to focus on Immunity Debugger.
That does not mean OllyDbg is a bad debugger or is limited in what you can do in terms of writing plugins… I just found it harder to “quickly tweak a plugin” while building an exploit. OllyDbg plugins are compiled into dll’s, so changing a plugin would require me to recompile and test. Immunity Debugger uses python scripts. I can go into the script, make a little change, and see the results right away. Simple.
基于IDA的逆向分析协同工具目前还没有发现比较好用的东西,而像传统的基于源代码的开发IDE则有比较多的选择。对于大型项目和代码的分析,仅靠一人之力其实是比较困难的,并且需要分析的内容太多。这也是这个插件开发出来的原因。
公开ida sync plugin源代码,项目地址:http://code.google.com/p/ida-sync-plugin/。
对于OC的程序逆向IDA直接解析的代码并不是十分清晰,有太多的_objc_msgSend之类的函数,而根本不知道具体调用的函数是个什么鸟东西。用这个插件可以修正诸如 _objc_msgSend之类的名字。
早在很久之前就写过一个导入Unicode字符串注释的脚本,但是脚本操作还是有自己的局限性。每次都要通过其他的分析工具搜索定位到字符串,然后导出,在然后倒入。这是多么蛋疼的时间事情啊。 😎
(关于插图:
Augusta Ada King, Countess of Lovelace (10 December 1815 – 27 November 1852), born Augusta Ada Byron, was an English writer chiefly known for her work on Charles Babbage’s early mechanical general-purpose computer, the analytical engine. Her notes on the engine include what is recognised as the first algorithm intended to be processed by a machine; thanks to this, she is sometimes considered the “World’s First Computer Programmer”
She was the only legitimate child of the poet Lord Byron (with Anne Isabella Milbanke). She had no relationship with her father, who died when she was nine. As a young adult, she took an interest in mathematics, and in particular Babbage’s work on the analytical engine. Between 1842 and 1843, she translated an article by Italian mathematician Luigi Menabrea on the engine, which she supplemented with a set of notes of her own. These notes contain what is considered the first computer programme — that is, an algorithm encoded for processing by a machine. Though Babbage’s engine has never been built, Lovelace’s notes are important in the early history of computers. She also foresaw the capability of computers to go beyond mere calculating or number-crunching while others, including Babbage himself, focused only on these capabilities.)
到网上随便搜了搜发现hexrays曾经发布过一个处理unicode字符串的插件,猛击此处访问插件页面。插件的名字叫做unispector。并且在插件页面提供了相关的源代码下载,但是偶下载编译之后在新版的ida下无法成功加载,并且没有出现应有的效果。