Thursday, June 25, 2015

Disassemblers / decompilers

W32DASM was an excellent 16/32-bit disassembler for Windows, but it seems to be no longer developed: the latest available version is from 2003.
Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
Some of its features are:
  • multi-architectures: Arm, Arm64 (Armv8), Mips, PowerPC, Sparc, SystemZ, XCore & Intel
  • Clean/simple/lightweight/intuitive architecture-neutral API.
  • Provide details on disassembled instruction (called “decomposer” by some others).
  • Provide some semantics of the disassembled instruction, such as list of implicit registers read & written.
  • Implemented in pure C language, with bindings for Python, Ruby, C#, NodeJS, Java, GO, OCaml & Vala available.
  • Native support for Windows & *nix (with Mac OSX, iOS, Android, Linux, *BSD & Solaris confirmed).
  • Thread-safe by design.
  • Special support for embedding into firmware or OS kernel.
  • Distributed under the open source BSD license.
BORG Disassembler
BORG is an excellent Win32 Disassembler with GUI.
DSM Studio Disassembler
DSM Studio is an easy-to-use yet comprehensive application that can aid you in the disassembly and inspection of executables built for the Intel x86 architecture.
Decompiler is an easy-to-use and simple application designed to read program binaries and decompile executable or DLL files. It is designed to decompile executables for any processor architecture and not be tied to a particular instruction set. Although currently only an x86 front end is implemented, there is nothing preventing you from implementing a 68K, SPARC, or VAX front end if you need one.
Lida - linux interactive disassembler
lida is a fast, feature-packed interactive ELF disassembler / code and crypto analyzer based on the bastard's libdisasm.
BugDbg x64 v0.7.5
BugDbg x64 is a user-land debugger designed to debug native 64-bit applications. BugDbg is released as Freeware.
A lightweight, Easy-to-Use and Fast Disassembler/Decomposer Library for x86/AMD64
Udis86 is an easy-to-use, minimalistic disassembler library (libudis86) for the x86 class of instruction set architectures. It has a convenient interface for use in the analysis and instrumentation of binary code.
This project is a package with a multi-platform x86 and x64 disassembler library (Solaris, Mac OS X, AIX, IRIX, OS/2, Linux, Windows).
C4 Decompiler
  • General Machine Code to C Decompiler
  • Free Windows I64 target edition
  • Interactive Windows GUI

REC Studio 4 - Reverse Engineering Compiler
REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems.
Retargetable Decompiler
A retargetable decompiler that can be used for source code recovery, static malware analysis, etc. The decompiler is not meant to be bound to any particular target architecture, operating system, or executable file format.
Miasm is a free and open source (GPLv2) reverse engineering framework written in Python. Miasm aims at analyzing, modifying and generating binary programs.
Free Code Manipulation Library
This is a general purpose machine code manipulation library for IA-32 and Intel 64 architectures. The library supports UNIX-like systems as well as Windows and is highly portable. The FCML library is free for commercial and non-commercial use as long as the terms of the LGPL license are met. Currently it supports such features as:
  • A one-line disassembler
  • A one-line assembler
  • An experimental multi-pass load-and-go assembler (Multi line!)
  • Support for the Intel and AT&T syntax
  • An instruction renderer
  • An instruction parser
  • Instructions represented as generic models
  • UNIX/GNU/Linux and Windows support
  • Portable - written entirely in C (no external dependencies)
  • Supported instruction sets: MMX, 3D-Now!, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4A, AVX, AVX2, AES, TBM, BMI1, BMI2, HLE, ADX, CLMUL, RDRAND, RDSEED, FMA, FMA4, LWP, SVM, XOP, VMX, SMX

Examining an ELF binary with binutils

strings:       strings /usr/bin/who
dependencies:  ldd /usr/bin/yes
symbols:       nm -D -l -S /usr/bin/yes
sections:      objdump -h /usr/bin/who
data:          objdump -s -j .rodata /usr/bin/who
code:          objdump -d -r -j .text /usr/bin/who
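The commands above delegate the work to binutils. To show what `objdump -h` and `objdump -s -j .rodata` actually read from the file, here is an added Python example written for this page (not from the original post and not binutils code) that parses the ELF64 section header table directly with only the standard library. It builds its own tiny ELF image inline, a constructed sample with `.text`, `.rodata` and `.shstrtab` sections whose addresses 0x401000 and 0x402000 are made up, so it runs without a real binary; for a real file pass `open(path, "rb").read()` to the same functions.

```python
import struct

# Little-endian ELF64 layouts (the usual x86-64 case).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SHT_NAMES = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 8: "NOBITS", 11: "DYNSYM"}
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4


def flags_str(flags):
    """Render sh_flags the way objdump -h does (W/A/X)."""
    bits = ((SHF_WRITE, "W"), (SHF_ALLOC, "A"), (SHF_EXECINSTR, "X"))
    return "".join(c for bit, c in bits if flags & bit)


def parse_sections(data):
    """Return the section table, roughly what `objdump -h` prints."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    # Bounds checks: a truncated or crafted header must not make us read past the buffer.
    if shentsize != SHDR.size or shoff + shnum * shentsize > len(data):
        raise ValueError("section header table out of bounds")
    if shstrndx >= shnum:
        raise ValueError("bad e_shstrndx")
    raw = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    # Section names are offsets into the string table selected by e_shstrndx.
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = []
    for name_off, sh_type, sh_flags, sh_addr, sh_off, sh_size, *_ in raw:
        end = strtab.find(b"\0", name_off)
        name = strtab[name_off:end if end >= 0 else None].decode("ascii", "replace")
        sections.append({"name": name, "type": SHT_NAMES.get(sh_type, str(sh_type)),
                         "flags": flags_str(sh_flags), "addr": sh_addr,
                         "offset": sh_off, "size": sh_size, "nobits": sh_type == 8})
    return sections


def is_well_formed(data):
    """True if the section table parses and stays inside the file."""
    try:
        parse_sections(data)
        return True
    except ValueError:
        return False


def section_bytes(data, name):
    """Raw contents of a named section, like `objdump -s -j NAME`."""
    for s in parse_sections(data):
        if s["name"] == name:
            if s["nobits"]:
                return b""  # .bss-style sections occupy no file space
            if s["offset"] + s["size"] > len(data):
                raise ValueError(f"section {name} extends past end of file")
            return data[s["offset"]:s["offset"] + s["size"]]
    raise KeyError(name)


def build_sample_elf():
    """Constructed sample: a tiny ELF64 image with .text, .rodata, .shstrtab."""
    text = b"\x55\x48\x89\xe5\x5d\xc3"   # push rbp; mov rbp,rsp; pop rbp; ret
    rodata = b"hello\0"
    strtab, name_off = b"", {}
    for n in (b"", b".text", b".rodata", b".shstrtab"):
        name_off[n] = len(strtab)
        strtab += n + b"\0"
    body = text + rodata + strtab
    text_off = EHDR.size
    rodata_off = text_off + len(text)
    strtab_off = rodata_off + len(rodata)
    shoff = EHDR.size + len(body)
    shoff += (-shoff) % 8                  # align the section header table
    pad = b"\0" * (shoff - EHDR.size - len(body))
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(name_off[b".text"], 1, SHF_ALLOC | SHF_EXECINSTR, 0x401000, text_off, len(text), 0, 0, 16, 0),
        SHDR.pack(name_off[b".rodata"], 1, SHF_ALLOC, 0x402000, rodata_off, len(rodata), 0, 0, 4, 0),
        SHDR.pack(name_off[b".shstrtab"], 3, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),
    ]
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 0x3E, 1, 0x401000,
                     0, shoff, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + body + pad + b"".join(shdrs)


if __name__ == "__main__":
    data = build_sample_elf()
    for s in parse_sections(data):
        print(f"{s['name']:<12} {s['type']:<9} {s['flags']:<3} "
              f"addr=0x{s['addr']:x} off=0x{s['offset']:x} size={s['size']}")
    print(".rodata:", section_bytes(data, ".rodata"))
```

The bounds checks matter beyond tidiness: section offsets and sizes come from the file itself, so a parser that trusts them is the classic way a malformed binary crashes or misleads an analysis tool.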

linux: mounting dirty ext3 filesystems

# mount -o loop,ro,noexec,noload diskimage.img /media/

Thursday, June 4, 2015

moongen: fully scriptable high-speed packet generator

MoonGen is a fully scriptable high-speed packet generator built on DPDK and LuaJIT. It can saturate a 10 GBit connection with 64 byte packets on a single CPU core while executing user-provided Lua scripts for each packet.

Multi-core support allows for even higher rates. It also features precise and accurate timestamping and rate control.

echo 128 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
mkdir /mnt/huge
mount -t hugetlbfs nodev /mnt/huge

Installation steps

  1.  Install the dependencies (see below)
  2.  git submodule update --init
  3.  ./
  4.  ./
  5.  Run MoonGen from the build directory

Dependencies
  • gcc
  • make
  • cmake
  • kernel headers (for the DPDK igb-uio driver)


root@aliokan-xubuntu:/usr/src/MoonGen/build# uname -a
Linux aliokan-xubuntu 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

root@aliokan-xubuntu:/usr/src/MoonGen/build# lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:    t

# ./MoonGen quality-of-service-test.lua
EAL: Detected lcore 0 as core 0 on socket 0
EAL: Detected lcore 1 as core 1 on socket 0
EAL: Detected lcore 2 as core 2 on socket 0
EAL: Detected lcore 3 as core 3 on socket 0
EAL: Support maximum 64 logical core(s) by configuration.
EAL: Detected 4 lcore(s)
EAL: No free hugepages reported in hugepages-2048kB
PANIC in rte_eal_init():
Cannot get hugepage information
11: [./MoonGen() [0x416c23]]
10: [/lib/x86_64-linux-gnu/ [0x7fb133556ec5]]
9: [./MoonGen(main+0x7c) [0x41693c]]
8: [/usr/src/MoonGen/deps/luajit/usr/local/lib/ [0x7fb1344570cd]]
7: [/usr/src/MoonGen/deps/luajit/usr/local/lib/ [0x7fb1344485d3]]
6: [/usr/src/MoonGen/deps/luajit/usr/local/lib/ [0x7fb13449ae66]]
5: [/usr/src/MoonGen/deps/luajit/usr/local/lib/ [0x7fb134487084]]
4: [/usr/src/MoonGen/deps/luajit/usr/local/lib/ [0x7fb13444a6d0]]
3: [./MoonGen(rte_eal_init+0xf83) [0x427173]]
2: [./MoonGen(__rte_panic+0xc9) [0x4167a9]]
1: [./MoonGen(rte_dump_


root@aliokan-xubuntu:/usr/src/MoonGen/build# grep Huge /proc/meminfo
AnonHugePages:    223232 kB
HugePages_Total:       0
HugePages_Free:        0

HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 k

root@aliokan-xubuntu:/usr/src/MoonGen/build# echo 20 > /proc/sys/vm/nr_hugepages

root@aliokan-xubuntu:/usr/src/MoonGen/build# grep Huge /proc/meminfo
AnonHugePages:    223232 kB
HugePages_Total:      20
HugePages_Free:       20

HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
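The panic above comes from DPDK finding no free huge pages, and the fix was simply to reserve some. A preflight check that reads `/proc/meminfo` and reports the shortfall before launching avoids the crash; the following is an added Python example written for this page (not part of MoonGen or DPDK). Its sample input is constructed from the `grep Huge /proc/meminfo` output above, and the 40 MB figure in the usage is an assumed pool size, not a MoonGen requirement.

```python
import re

# Constructed sample input: the /proc/meminfo lines from the session above,
# before and after writing 20 to /proc/sys/vm/nr_hugepages.
MEMINFO_BEFORE = """\
AnonHugePages:    223232 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
"""

MEMINFO_AFTER = """\
AnonHugePages:    223232 kB
HugePages_Total:      20
HugePages_Free:       20
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
"""

LINE_RE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?\s*$")


def parse_meminfo(text):
    """Map /proc/meminfo field names to integers (kB fields stay in kB)."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return info


def pages_needed(mem_mb, info):
    """Huge pages required to back mem_mb megabytes, rounded up."""
    page_kb = info["Hugepagesize"]
    return -(-mem_mb * 1024 // page_kb)


def check_hugepages(info, mem_mb):
    """Preflight for a DPDK application: returns (ok, message)."""
    needed = pages_needed(mem_mb, info)
    free = info.get("HugePages_Free", 0)
    total = info.get("HugePages_Total", 0)
    if free >= needed:
        return True, f"{free} of {total} huge pages free, {needed} needed"
    return False, (f"{needed} huge pages of {info['Hugepagesize']} kB needed, "
                   f"only {free} of {total} free; e.g. "
                   f"echo {max(total, needed)} > /proc/sys/vm/nr_hugepages")


if __name__ == "__main__":
    import sys
    # Read the live file when available, otherwise fall back to the sample.
    try:
        with open("/proc/meminfo") as f:
            text = f.read()
    except OSError:
        text = MEMINFO_BEFORE
    ok, msg = check_hugepages(parse_meminfo(text), mem_mb=40)  # assumed pool size
    print(("OK: " if ok else "NOT READY: ") + msg)
    sys.exit(0 if ok else 1)
```

Checking `HugePages_Free` rather than `HugePages_Total` is deliberate: pages already reserved by another DPDK process or a VM count toward the total but are not available, and that is exactly the case where the EAL still panics after `nr_hugepages` looks large enough.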