Reverse Engineering with Peter
  • 12
  • 21 765
Displaying Strings in x64dbg - The Good, The Bad and The Ugly
It took me some time to upload a new video, but here we have it, another one about one of my favorite tools: x64dbg.
In this video I talk about some different methods you can use to output strings during your debugging sessions in the Log window. As you will see, not all methods are equally good.
Views: 3,964

Videos

Compiling Unicorn Engine on Windows
855 views · 2 years ago
In this short video I show you how I compile/build Unicorn Engine. I prefer not to use the vcpkg package manager here, for more fine-grained control. The batch file itself can be downloaded here: github.com/Fibergeek/ucengine-build_all
Solving a simple Linux Go Crackme on Windows in IDA Free: "GO GO GO Harmfull logic by s0k1t"
790 views · 2 years ago
In this video I analyse a Go binary written for Linux. Once again I use IDA Free to do the analysis. While the Crackme is simple and can be solved very quickly, I did it slowly and put my attention on the stack and register usage. Compiled go binaries are different from regular binaries and produce some unique patterns I want to get used to. Paying close attention to some of the details is the ...
Solving a simple Go crackme (goCrackme by 0x0luk3) using IDA Freeware
9K views · 2 years ago
In this video I demonstrate how I solve a simple crackme written in Go by 0x0luk3. This crackme has been published on crackmes.one. Crackme URL: crackmes.one/crackme/5fb1642933c5d424269a1850 Please note, I increased the audio level this time. If it is too loud; please provide this feedback so I can adjust for future videos.
Creating a simple x64dbg plugin in C
848 views · 2 years ago
In this short video I'll demonstrate how you can re-use an existing plugin to create a new plugin. This plugin implements the SetMemRights command, which acts as an extension to the built-in SetPageRights command. The code of the plugin can be found on my GitHub page: github.com/Fibergeek/setmemrights
x64dbg scripting: a short introduction
3.2K views · 3 years ago
In this short x64dbg tutorial I demonstrate, in sequential steps, how to create an x64dbg script. I use the executable from my AsmJit Introduction video. A link to the AsmJit Introduction video: th-cam.com/video/F1TBamX4Qzs/w-d-xo.html
Introduction to AsmJit + Spying with x64dbg on the generated code
1.1K views · 3 years ago
In this introduction video to AsmJit (C Library) I will demonstrate 6 things: 1) Installing vcpkg AsmJit (on Windows) 2) Compiling the example code (x86-32) 3) 32-bit: Modify the example code and introduce a bug 4) 64-bit Convert the example so it also runs on x86-64 5) Intercept the generated code using x64dbg and review the bug 6) Fix the bug and implement an AsmJit Error Handler The final co...
Manually installing the Ultima Online Demo on Windows 10 (64-bit edition)
183 views · 3 years ago
Hello, In this short tutorial I will show how we can manually install the Ultima Online Demo from 1998 on Windows 10 (64-bit). The regular installer doesn't work because it contains a 16-bit component which makes it incompatible with the 64-bit version of Windows.
"xchg eax, eax" does not equal "nop" in the x86 64-bit architecture
675 views · 3 years ago
While working with x64dbg, I noticed that the debugger was not capable of encoding "xchg eax, eax" correctly. This can cause an issue if you rely on zero-extending EAX into RAX.
How to install the Ultima Online Demo from 1998 in Windows 10 (32-bit edition)
197 views · 3 years ago
In this tutorial I show you how to install the Ultima Online Demo from 1998 in Windows 10, the 32-bit edition. The demo only runs when we start it as Administrator. I do not like that idea and I prefer to modify the directory rights instead. This is demonstrated in this tutorial. I use the Ultima Online: Second Age CD to install.
Creating a portable version of Ghidra with a Java Environment for Microsoft Windows (Long version)
778 views · 3 years ago
Hello. In this video I will show you how you can create a directory which contains both Ghidra and a Java environment of your choice, including a batch file to start Ghidra with that Java environment. This allows you to always have Ghidra with you on a USB drive. I will demonstrate how to download 4 different releases of the Java Development Kit. I also have created a shorter version of this tu...
Quicky: Creating a portable version of Ghidra including OpenJDK (Java) for Microsoft Windows
451 views · 3 years ago
Hello. In this video I will show you how you can create a directory which contains both Ghidra and OpenJDK, including a batch file to start Ghidra with the Java environment. This allows you to always have Ghidra with you on a USB drive. I also have created a longer version of this tutorial where I explain the batch file in detail. The long version : th-cam.com/video/6CO-Dq0UZ1E/w-d-xo.html

Comments

  • @bagaskarajayadewata2108 · 6 months ago

    I'm very interested in reverse engineering. When I download the crackme file, it's a ZIP and it's asking for a password. Do you perhaps know the password? Edit: after reading the FAQ page I have found the password.

  • @mrexodia · 7 months ago

    Thank you for the video! You clearly explained the bugs and differences between different ways of logging strings, and I made some improvements:
    - You can now specify an optional count of characters for the utf8/utf16 functions
    - You can now log 0-length strings everywhere ({s:ptr}, {utf8;0@ptr}, utf8(ptr, 0) all work)
    - Strings are logged escaped by default when using expression functions (use {s:utf8(addr)} to print the raw string)
    - The bug with heap strings logging to ??? has been fixed as well (previously a cache was used for performance and the newly-allocated heap pages were not known to x64dbg, causing read failures)

    • @RCE-With-Peter · 7 months ago

      Thank you. These improvements will definitely help.

  • @hydromakers · 8 months ago

    I think you need to go a little faster and definitely click the mouse a lot faster.

  • @Reemee838 · 11 months ago

    Very good. I am new to learning C++. I am very interested in reverse engineering. I have been watching a lot of videos. Can you please tell me the roadmap which you took to gain all this knowledge? Thank you!

    • @RCE-With-Peter · 10 months ago

      The initial step was just looking at my own programs with a debugger. There were no real books about the topic 30 years ago. Once the internet came around, things got easier. I think the main key is "reading" and mostly "being interested".

  • @tienato7323 · 11 months ago

    Can AsmJit be used in C?? :D

    • @RCE-With-Peter · 11 months ago

      Hello, sadly no. It's a C++ solution only.

  • @Useradmin. · 1 year ago

    Boss, where are you? Let's continue, please.

  • @TheRawi · 1 year ago

    I've got a question: is it possible to force the x64 instruction set in a 32-bit target? I.e., I want to write x64 instructions in my 32-bit application. I couldn't find a way to do this, as the init() function of CodeHolder needs the environment() initializer, which automatically sets the instruction set based on the target...

    • @RCE-With-Peter · 1 year ago

      Yes, it is possible, but it will require some extra work. This is an older question about the inverse: github.com/asmjit/asmjit/issues/111 I've not done anything similar myself, but as suggested by the answers on GitHub, you will need to create a manual build of AsmJit.

    • @TheRawi · 1 year ago

      @@RCE-With-Peter Thanks. Yeah, figured as much. I don't know why they did it that way. There are a couple of cases where this can be useful. I found that Keystone library or Fasm DLL is a better choice for this specific case.

    • @RCE-With-Peter · 1 year ago

      From my own experience, I can only suggest you be careful with Keystone Engine, especially for x64 output. Fasm DLL may be a much better choice depending on your specific use case. I'm referring to this open issue: github.com/keystone-engine/keystone/issues/433 --- which really has been a deal-breaker for me.

    • @TheRawi · 1 year ago

      @@RCE-With-Peter Oh wow, that's really odd. Such a critical bug that's been unresolved for over 3 years. Guess I'll stay away from that library then. Thanks for the heads up. 👍

  • @dream0283 · 1 year ago

    Nice video!! 🔥

  • @I_Was_Named_This_Way... · 1 year ago

    You are probably one of the most underrated channels out there.

    • @RCE-With-Peter · 1 year ago

      Thank you for your kind words. It's probably my own fault for not putting more content online.

    • @I_imperium · 1 month ago

      Yes

  • @Prassert_unpacking · 1 year ago

    Hi, do you know how, by scripting, to save the {x:bswap(eax)} string to a variable as an integer and then use it? Then I can write this value to a specific memory address.

    • @RCE-With-Peter · 1 year ago

      Hello, I'm not sure I fully understand your question. You can do:
      mov $myvar, bswap(eax)
      and then later on do:
      mov [dword(esp)], $myvar
      I do not think there is already an existing function in x64dbg to convert a string to an integer, such as strtoi. For such a feature you need to create a plugin with your own custom expression function.

    • @Prassert_unpacking · 1 year ago

      @@RCE-With-Peter Thank you, you helped me a lot.

  • @belialblack3182 · 1 year ago

    Great content! I really hope there is more to come! Especially on automation, reversing, beating malware defenses and so on! :)

  • @achiever5254 · 1 year ago

    Hey man, can you crack an application in C# for me please? It's a simpler application than you think. Please consider me ❤️

  • @AmeyahOfficialTV · 1 year ago

    this was really great!

  • @halilnevzat · 1 year ago

    OH MY GOD THAT WAS AWESOME TO WATCH !

  • @_____666______ · 1 year ago

    Can you please continue the x64 tutorial? That will be helpful.

    • @RCE-With-Peter · 1 year ago

      Thank you. I am working on it! Taking more time than anticipated but new content will come.

    • @_____666______ · 1 year ago

      @@RCE-With-Peter thanks

  • @_____666______ · 1 year ago

    Is it possible to log the value that the GetSystemTime API actually returns? Thanks in advance.

    • @RCE-With-Peter · 1 year ago

      Yes, of course it is. In 32-bit you can get the pointer from the stack on return; in 64-bit you need 2 breakpoints: one at the start to store the pointer, one at the 'ret' to log the returned value. It's a nice question actually, I'll make a video on it to clarify it better.

    • @_____666______ · 1 year ago

      @@RCE-With-Peter thank you sir

  • @nobackupkiwi · 2 years ago

    I keep getting: MSBUILD : error MSB1009: Project file does not exist. Switch: unicorn.sln

    • @RCE-With-Peter · 2 years ago

      Difficult to tell what the exact problem is. If the "cmake" command succeeded, then I think that msbuild is executed with the wrong directory set as the current directory.

  • @nobackupkiwi · 2 years ago

    where can I find the build_all.cmd file?

    • @RCE-With-Peter · 2 years ago

      Hello. It looks like I forgot to add the batch file to the description. I've added it now. You can find a direct link here: github.com/Fibergeek/ucengine-build_all/blob/main/build_all.cmd

  • @KiraSlith · 2 years ago

    I'd recommend taking advantage of "SETLOCAL" and setting that from the very start of the batch file; that way you don't have to worry about setting and reverting paths. Ghidra's own launch.bat even changes the local paths to its location during startup as well, so you can just call "~dp0ghidra_[YOURVERSION]_PUBLIC/support/launch.bat" directly, rather than calling ghidraRun.bat, since all "ghidraRun.bat" does is SETLOCAL and call "support/launch.bat" anyway.

    • @RCE-With-Peter · 2 years ago

      Thank you for the recommendation. It simplifies the batch file itself enormously.

  • @marongayo3217 · 2 years ago

    Hello sir, I'm learning reverse engineering as an emerging interest. May I ask if IDA would work for software written in Python?

    • @RCE-With-Peter · 2 years ago

      Hi, I think IDA isn't the best choice for Python-based projects. You're better off with dedicated tools written in Python itself, such as: github.com/rocky/python-decompile3 pypi.org/project/uncompyle6/

    • @marongayo3217 · 2 years ago

      @@RCE-With-Peter I understand it may be too much to ask, but will you consider making a vid on it?

    • @RCE-With-Peter · 2 years ago

      Thank you for the idea. I'll consider it and look out for a good crackme/CTF written in Python.

  • @theseenandunseen · 2 years ago

    Great job. Learned a few things !

    • @RCE-With-Peter · 2 years ago

      You're welcome. It took me some time, but I finally finished my next "Solving a Go Crackme" video. I take a more in-depth look at Go stack and register usage: th-cam.com/video/_kV1vMyf8qY/w-d-xo.html

  • @chiranjeevinaidu3660 · 2 years ago

    This worked and it is working like a charm, and thanks for the great explanation of the code 🙂🙂🙂😊😊😊

  • @EvilSapphireR · 2 years ago

    Wow, I was thinking of developing an x64dbg plugin that intercepts VirtualAlloc/VirtualProtect calls and removes the Execute bit if present in the memory protection argument. I thought that if it can be done with a script I shouldn't bother with a plugin, but now I see there's a SetPageRights command itself? Have you played around with this command and do you know how much it can be trusted, as opposed to manually removing the execute bit (like something you did at the beginning of the video)?

    One thing I was also thinking: the memory protection constant can be anything from PAGE_EXECUTE / PAGE_EXECUTE_READ / PAGE_EXECUTE_READWRITE etc., so the protection change needs to be clever about removing the EXECUTE option, which would mean ANDing different values with the memory protection argument depending on its original value. So is there a way to set such a conditional command text in the conditional breakpoint window, or from someplace else?

    • @RCE-With-Peter · 2 years ago

      Hello, thank you for your comment. I have prepared a video about this SetPageRights command and creating a custom plugin, but due to a lack of energy I never really finished that video :(. I think that coding a plugin makes more sense than using a script. Plugins are not that difficult if you know C. If you code a plugin, you can create your own command and then use a script to call your command and do other clever things. With a plugin, you can also create your own function, which will help in solving "removing the EXECUTE option". My own plugin which extends SetPageRights: github.com/Fibergeek/setmemrights
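
The "removing the EXECUTE option" problem raised in this thread is a mapping, not a single AND mask, because the Windows page protections are mutually exclusive values rather than a bit per right. The following C is an added example for this page, not code from the video or from the setmemrights plugin: it computes the non-executable replacement for the flNewProtect argument that a breakpoint handler or plugin intercepting VirtualProtect (third argument: R8 on x64, [esp+0xC] at function entry on x86) or VirtualAlloc (fourth argument: R9 / [esp+0x10]) would write back. The function names strip_execute and page_protect_is_valid are this example's own; the PAGE_* values are the documented Windows constants, defined inline so the file also builds on a non-Windows host.

```c
/*
 * Added example (not from the video or the setmemrights plugin).
 * Computes a non-executable replacement for a Windows page protection
 * constant, keeping the read/write semantics and any modifier bits.
 * The PAGE_* constants are the documented Windows values, defined inline
 * so this also compiles without <windows.h>.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;

/* Base protections: exactly one of these must be present. */
#define PAGE_NOACCESS           0x01
#define PAGE_READONLY           0x02
#define PAGE_READWRITE          0x04
#define PAGE_WRITECOPY          0x08
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
/* Modifier bits that may be OR'ed onto a base protection and must survive. */
#define PAGE_GUARD              0x100
#define PAGE_NOCACHE            0x200
#define PAGE_WRITECOMBINE       0x400

#define PAGE_BASE_MASK      0xFF
#define PAGE_MODIFIER_MASK  (PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)
#define PAGE_EXECUTE_ANY    (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Returns 1 if prot has exactly one base protection bit and only known
 * modifier bits on top of it (rarer flags such as PAGE_TARGETS_INVALID are
 * deliberately treated as unknown here and left to the caller). */
int page_protect_is_valid(DWORD prot)
{
    DWORD base = prot & PAGE_BASE_MASK;
    if (base == 0 || (base & (base - 1)) != 0)   /* zero or several base bits */
        return 0;
    return (prot & ~(PAGE_BASE_MASK | PAGE_MODIFIER_MASK)) == 0;
}

int page_protect_is_executable(DWORD prot)
{
    return (prot & PAGE_EXECUTE_ANY) != 0;
}

/* Map an executable protection to the closest non-executable one.
 * Already non-executable or malformed inputs are returned unchanged so a
 * hook can pass them through to the real API untouched. */
DWORD strip_execute(DWORD prot)
{
    if (!page_protect_is_valid(prot))
        return prot;

    DWORD mods = prot & PAGE_MODIFIER_MASK;
    switch (prot & PAGE_BASE_MASK) {
    case PAGE_EXECUTE:           return PAGE_READONLY  | mods; /* execute-only has no write */
    case PAGE_EXECUTE_READ:      return PAGE_READONLY  | mods;
    case PAGE_EXECUTE_READWRITE: return PAGE_READWRITE | mods;
    case PAGE_EXECUTE_WRITECOPY: return PAGE_WRITECOPY | mods;
    default:                     return prot;              /* nothing to strip */
    }
}

int main(void)
{
    /* Constructed sample arguments, as a hook might read them from R8 / [esp+0xC]. */
    const DWORD samples[] = {
        PAGE_EXECUTE_READWRITE,
        PAGE_EXECUTE_READ | PAGE_GUARD,
        PAGE_EXECUTE,
        PAGE_READWRITE,
        0x30,                                  /* malformed: two base bits set */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        DWORD before = samples[i], after = strip_execute(before);
        printf("0x%03x -> 0x%03x (%s)\n", (unsigned)before, (unsigned)after,
               page_protect_is_executable(after) ? "still executable" : "no execute");
    }
    return 0;
}
```

Two points a hook author should keep from this: the modifier bits (PAGE_GUARD in particular) have to be carried over or the target's guard-page logic breaks, and a value that is not a well-formed protection should be passed through rather than "fixed", since the real API would reject it anyway and silently rewriting it changes the program's observable behaviour.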

  • @ruinpeople · 3 years ago

    8:20 you say this code is too low. You say this because it should represent a hexadecimal representation of 4 characters?

    • @RCE-With-Peter · 3 years ago

      Thank you for watching. To answer your question, yes indeed. The code is printed using std::cout without the std::hex modifier. So it's decimal by default; 969342 is 0xECA7E. I was expecting a bigger decimal number. Let's assume we input "AAAA" aka 0x41414141, then the expected value should be at least 1094795585 (0x41414141) in decimal. To look at it in another way, 0x40000000 is one fourth of the maximum value a 32-bit unsigned integer can hold. 4GB / 4 = 1GB. Which is 1 billion rounded down. The initial value 969342 is not even 1 million. Too low. :)

  • @vvvvvvvvw · 3 years ago

    Very useful, thank you.

  • @petrkobalicek808 · 3 years ago

    Hello, this all should be fixed by now. Please open an issue next time you spot a bug, thank you :)