
🪛 Reverse Engineering

📚 Basics

During a forensic investigation it is sometimes necessary to reverse engineer a suspicious piece of code. This section is an introductory dive into reverse engineering.

🩻 Anatomy Of Executables

🎁 Packed Executables And Unpacking

There are several indicators that an executable is packed. Here they are (this list will grow as I encounter new indicators):

📓 REFM

Rabin2

```shell
rabin2 -I [progname]     # main info about the binary
rabin2 -z [progname]     # strings from the binary's data section
rabin2 -zz [progname]    # all strings from the binary
rabin2 -zqq [progname]   # strings only, without additional info
rabin2 -x iGoat-Swift    # extract the thin binaries from a fat (universal) binary
```

R2 Info

```
r2 [progname]            # launch radare2
> il                     # libraries in use
> ii                     # imports (or iiq for names only)
> s main                 # seek to the main function
> aa                     # analyze all (functions, symbols, references)
> v                      # pseudo-GUI mode (visual panels; V for the hex/visual view)
> VV                     # graph mode
> afvn user_input input  # rename local var "input" to "user_input" in all the places it is referenced
> s function_old_name    # rename a function: seek to it first...
> afn function_new_name  # ...then give it the new name
> c                      # toggle cursor in visual mode
> afvd                   # show local variables
> u                      # undo seek (go back to the previous position)
```

💱 Symbolic and Concrete Execution
