File¶
Check for security features¶
CheckSec:
>>> ../../checksec.sh --dir=.
RELRO ,STACK CANARY ,NX ,PIE ,RPATH,RUNPATH ,Symbols,FORTIFY,Fortified,Fortifiable,Filename
No RELRO,No Canary found,NX enabled,No PIE,RPATH,No RUNPATH,Symbols,No ,0 ,3 ,./lwiod
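The four Linux columns above (RELRO, STACK CANARY, NX, PIE) can be read directly from the ELF headers. The following is an added example, not part of the original page or of checksec.sh, that reimplements those checks in Python using only `struct`: NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO plus the BIND_NOW dynamic flags, PIE from e_type, and the canary from the presence of `__stack_chk_fail` (the same heuristic checksec uses). `build_elf64` constructs a synthetic ELF image so the checker can be exercised without a compiled binary; the constants are the standard values from elf.h.

```python
import struct

# ELF constants (from elf.h); the checker assumes a little-endian ELF64 file.
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf64(data: bytes) -> dict:
    """Return the four properties checksec reports for a Linux ELF64 binary."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian 64-bit ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx, relro_segment, dyn = False, False, {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # PT_GNU_STACK without PF_X -> NX; a missing entry means an executable stack
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            # walk the dynamic section (16-byte tag/value pairs) until DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val

    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if not relro_segment:
        relro = "none"
    elif bind_now:
        relro = "full"     # GOT is made read-only after eager binding
    else:
        relro = "partial"  # GOT stays writable for lazy binding
    return {
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,  # checksec greps the symbol table the same way
        "nx": nx,
        "pie": e_type == ET_DYN,  # shared objects are ET_DYN too; refine with DT_DEBUG if needed
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf64(f.read())


def build_elf64(pie: bool, nx: bool, relro: str, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic
    section, symbol-name blob) used only to exercise the checker offline."""
    phdrs, dyn = [], []
    if relro in ("partial", "full"):
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    phdrs.append((PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16))  # RW vs RWX
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn)
    phoff = 64
    dyn_off = phoff + 56 * (len(phdrs) + 1)  # +1 for the PT_DYNAMIC entry itself
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn_bytes
    if canary:
        body += b"\0__stack_chk_fail\0"
    return ehdr + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it as `python3 elfcheck.py ./lwiod` to get the same verdict as the checksec line above ({'relro': 'none', 'canary': False, 'nx': True, 'pie': False}). RPATH/RUNPATH and FORTIFY are deliberately left out; they come from DT_RPATH/DT_RUNPATH tags and `__*_chk` imports respectively and would follow the same dynamic-section walk.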
Checksec, but for Windows
Windows:
> .\Release\winchecksec.exe C:\Windows\notepad.exe
Dynamic Base : true
ASLR : true
High Entropy VA : true
Force Integrity : false
Isolation : true
NX : true
SEH : true
CFG : true
RFG : false
SafeSEH : false
GS : true
Authenticode : false
Check for debug Symbols¶
Linux:
objdump --syms file.bin
OSX:
otool -Iv file.bin
Windows:
Get All Functions from an Executable¶
GDB
gdb libGameLogic.so
gef➤ info functions Player::
File Include/Player.h:
96: void IPlayer::AddRef();
148: void IPlayer::HideCountdown();
92: void IPlayer::IPlayer();
97: void IPlayer::Release();
386: bool Player::AddItem(IItem*, unsigned int, bool);
391: bool Player::AddLoadedAmmo(IItem*, IItem*, unsigned int);
425: void Player::AdvanceQuestToState(IQuest*, IQuestState*);
463: void Player::BuyItem(IActor*, IItem*, unsigned int);
339: bool Player::CanBeDamaged(IActor*);
354: bool Player::CanJump();
444: bool Player::CanReload();
485: void Player::Chat(char const*);
426: void Player::CompleteQuest(IQuest*);
345: void Player::Damage(IActor*, IItem*, int, DamageType);
457: void Player::EndNPCConversation();
436: void Player::EnterAIZone(char const*);
458: void Player::EnterNPCShop(NPC*);
468: void Player::EnterRegion(char const*);
396: void Player::EquipItem(unsigned long, IItem*);
437: void Player::ExitAIZone(char const*);
490: void Player::FastTravel(char const*, char const*);
417: void Player::FreeQuestList(IQuest**);
338: IActor *Player::GetActorInterface();
377: uint8_t Player::GetAvatarIndex();
470: const std::string &Player::GetChangeRegionDestination() const;
379: uint32_t Player::GetCharacterId() const;
[...]
Print out functions with objdump¶
objdump -d libGameLogic.so
[...]
000000000010cce0 <_ZN12ActorFactoryI4BearEC1Ev@plt>:
10cce0: ff 25 4a 24 3b 00 jmpq *0x3b244a(%rip) # 4bf130 <_ZN12ActorFactoryI4BearEC1Ev@@Base+0x31f830>
10cce6: 68 22 00 00 00 pushq $0x22
10cceb: e9 c0 fd ff ff jmpq 10cab0 <.plt>
[...]
C++ Demangling¶
Using llvm-cxxfilt (or GNU c++filt) to turn mangled symbols into human-readable names:
>>> llvm-cxxfilt _ZThn168_N6Player8TeleportEPKc
non-virtual thunk to Player::Teleport(char const*)
>>> llvm-cxxfilt _ZN12ActorFactoryI4BearEC1Ev
ActorFactory<Bear>::ActorFactory()
Get Type Information from Binary¶
Get the class definition with gdb's ptype:
gef➤ ptype Player
type = class Player : public Actor, public IPlayer {
private:
uint32_t m_characterId;
std::string m_playerName;
std::string m_teamName;
uint8_t m_avatarIndex;
uint32_t m_colors[4];
class std::map<IItem*, ItemAndCount, std::less<IItem*>, std::allocator<std::pair<IItem* const, ItemAndCount> > > m_inventory;
class std::set<std::basic_string<char>, std::less<std::basic_string<char> >, std::allocator<std::basic_string<char> > > m_pickups;
class std::map<IItem*, float, std::less<IItem*>, std::allocator<std::pair<IItem* const, float> > > m_cooldowns;
class std::map<std::basic_string<char>, unsigned int, std::less<std::basic_string<char> >, std::allocator<std::pair<std::basic_string<char> const, unsigned int> > > m_circuitInputs;
Getting the offset of a member in a class (\$1 is the member address, \$2 is this, so \$3 = \$1 - \$2 is the offset in bytes):
gdb -p $(pidof PwnAdventure3-Linux-Shipping) --batch \
  -ex "b _ZN6Player15GetWalkingSpeedEv" -ex "c" -ex "print &this->m_walkingSpeed" \
  -ex "print this" -ex "print (int)\$1-(int)\$2" -ex "quit" 2>/dev/null | awk '/\$3/ {print $3 }'
736
Debug Trace¶
ptrace(PTRACE_TRACEME)
Linux¶
Crash and dump core file of a process in Linux
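One way to do this from Python, as an added example that is not part of the original page: raise RLIMIT_CORE (what `ulimit -c unlimited` does), then either crash the process with a core-producing signal or snapshot it with gdb's gcore. It assumes Linux for /proc/sys/kernel/core_pattern and, for `dump_core_live`, an installed gdb with ptrace permission on the target.

```python
import os
import resource
import signal
import subprocess
import sys


def core_settings() -> dict:
    """Where the kernel will put a core file and the current size limit.
    A core_pattern starting with '|' pipes the dump to a handler
    (systemd-coredump, apport) instead of writing a file in the cwd."""
    with open("/proc/sys/kernel/core_pattern") as f:
        pattern = f.read().strip()
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    return {"pattern": pattern, "piped": pattern.startswith("|"),
            "soft_limit": soft, "hard_limit": hard}


def enable_core_dumps() -> int:
    """Raise the soft RLIMIT_CORE to the hard limit (the equivalent of
    `ulimit -c unlimited`); children started afterwards inherit it.
    Returns the new soft limit (-1 means RLIM_INFINITY)."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    resource.setrlimit(resource.RLIMIT_CORE, (hard, hard))
    return resource.getrlimit(resource.RLIMIT_CORE)[0]


def crash_and_dump(pid: int, sig: int = signal.SIGABRT) -> None:
    """Terminate the process with a core-producing signal so the kernel
    writes the dump (SIGABRT, SIGSEGV and SIGQUIT all qualify)."""
    os.kill(pid, sig)


def dump_core_live(pid: int, path: str) -> bool:
    """Snapshot a running process with gdb's gcore without killing it.
    Assumes gdb is installed and ptrace on the target is permitted
    (see /proc/sys/kernel/yama/ptrace_scope)."""
    result = subprocess.run(
        ["gdb", "-p", str(pid), "--batch", "-ex", f"gcore {path}"],
        capture_output=True)
    return result.returncode == 0 and os.path.exists(path)


def demo() -> int:
    """Spawn a throwaway child, crash it and return its wait status:
    a negative value is the terminating signal (-6 for SIGABRT)."""
    enable_core_dumps()
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    crash_and_dump(child.pid)
    return child.wait()


if __name__ == "__main__":
    print(core_settings())
    print("child wait status:", demo())
```

Whether a `core` file appears next to the process depends on `core_pattern`: on systemd hosts it is piped to systemd-coredump and retrieved with `coredumpctl`, and a hard limit of 0 (common in containers) suppresses the dump entirely, which is why `core_settings()` is worth printing first.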
ELF¶
https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/