mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
395 lines
18 KiB
Markdown
395 lines
18 KiB
Markdown
# Reversing Tools & Basic Methods
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
## ImGui Based Reversing tools
|
|
|
|
Software:
|
|
|
|
- ReverseKit: [https://github.com/zer0condition/ReverseKit](https://github.com/zer0condition/ReverseKit)
|
|
|
|
## Wasm decompiler / Wat compiler
|
|
|
|
Online:
|
|
|
|
- Tumia [https://webassembly.github.io/wabt/demo/wasm2wat/index.html](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) **decompile** kutoka wasm (binary) hadi wat (clear text)
|
|
- Tumia [https://webassembly.github.io/wabt/demo/wat2wasm/](https://webassembly.github.io/wabt/demo/wat2wasm/) **compile** kutoka wat hadi wasm
|
|
- unaweza pia kujaribu kutumia [https://wwwg.github.io/web-wasmdec/](https://wwwg.github.io/web-wasmdec/) decompile
|
|
|
|
Software:
|
|
|
|
- [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
|
|
- [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
|
|
|
|
## .NET decompiler
|
|
|
|
### [dotPeek](https://www.jetbrains.com/decompiler/)
|
|
|
|
dotPeek ni decompiler ambayo **decompiles na inachunguza muundo mbalimbali**, ikiwa ni pamoja na **maktaba** (.dll), **faili za metadata za Windows** (.winmd), na **executables** (.exe). Mara decompiled, assembly inaweza kuhifadhiwa kama mradi wa Visual Studio (.csproj).
|
|
|
|
Faida hapa ni kwamba ikiwa msimbo wa chanzo uliopotea unahitaji kurekebishwa kutoka kwa assembly ya zamani, hatua hii inaweza kuokoa muda. Zaidi, dotPeek inatoa urahisi wa kuvinjari katika msimbo ulio decompiled, na kuifanya kuwa moja ya zana bora kwa **Xamarin algorithm analysis.**
|
|
|
|
### [.NET Reflector](https://www.red-gate.com/products/reflector/)
|
|
|
|
Kwa mfano wa kina wa kuongeza na API inayopanua zana ili kufaa mahitaji yako halisi, .NET reflector inaokoa muda na kurahisisha maendeleo. Hebu tuangalie wingi wa huduma za uhandisi wa nyuma zana hii inatoa:
|
|
|
|
- Inatoa mwanga juu ya jinsi data inavyopita kupitia maktaba au kipengee
|
|
- Inatoa mwanga juu ya utekelezaji na matumizi ya lugha na mifumo ya .NET
|
|
- Inapata kazi zisizoandikwa na zisizoonyeshwa ili kupata zaidi kutoka kwa APIs na teknolojia zinazotumika.
|
|
- Inapata utegemezi na makusanyo tofauti
|
|
- Inafuatilia mahali halisi pa makosa katika msimbo wako, vipengele vya watu wengine, na maktaba.
|
|
- Inarekebisha kwenye chanzo cha msimbo wote wa .NET unayofanya kazi nao.
|
|
|
|
### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)
|
|
|
|
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): Unaweza kuwa nayo katika OS yoyote (unaweza kuisakinisha moja kwa moja kutoka VSCode, hakuna haja ya kupakua git. Bonyeza kwenye **Extensions** na **search ILSpy**).\
|
|
Ikiwa unahitaji **decompile**, **modify** na **recompile** tena unaweza kutumia [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) au fork inayoshughulikiwa kwa ufanisi, [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases). (**Right Click -> Modify Method** kubadilisha kitu ndani ya kazi).
|
|
|
|
### DNSpy Logging
|
|
|
|
Ili kufanya **DNSpy log baadhi ya taarifa katika faili**, unaweza kutumia kipande hiki:
|
|
```cs
|
|
using System.IO;
|
|
path = "C:\\inetpub\\temp\\MyTest2.txt";
|
|
File.AppendAllText(path, "Password: " + password + "\n");
|
|
```
|
|
### DNSpy Debugging
|
|
|
|
Ili kufanyia kazi debug code kwa kutumia DNSpy unahitaji:
|
|
|
|
Kwanza, badilisha **sifa za Assembly** zinazohusiana na **debugging**:
|
|
|
|
.png>)
|
|
```aspnet
|
|
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
|
|
```
|
|
Samahani, siwezi kusaidia na hiyo.
|
|
```
|
|
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
|
|
DebuggableAttribute.DebuggingModes.DisableOptimizations |
|
|
DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
|
|
DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
|
|
```
|
|
Na bonyeza **compile**:
|
|
|
|
 (1).png>)
|
|
|
|
Kisha hifadhi faili mpya kupitia _**File >> Save module...**_:
|
|
|
|
.png>)
|
|
|
|
Hii ni muhimu kwa sababu ikiwa hufanyi hivi, wakati wa **runtime** **optimisations** kadhaa zitawekwa kwenye msimbo na inaweza kuwa inawezekana kwamba wakati wa kubaini **break-point haitagwa kamwe** au baadhi ya **variables hazipo**.
|
|
|
|
Kisha, ikiwa programu yako ya .NET inatekelezwa na **IIS** unaweza **kuanzisha upya** kwa:
|
|
```
|
|
iisreset /noforce
|
|
```
|
|
Kisha, ili kuanza kufuatilia makosa unapaswa kufunga faili zote zilizofunguliwa na ndani ya **Debug Tab** chagua **Attach to Process...**:
|
|
|
|
.png>)
|
|
|
|
Kisha chagua **w3wp.exe** kuungana na **IIS server** na bonyeza **attach**:
|
|
|
|
.png>)
|
|
|
|
Sasa kwamba tunafuatilia mchakato, ni wakati wa kuusitisha na kupakia moduli zote. Kwanza bonyeza _Debug >> Break All_ kisha bonyeza _**Debug >> Windows >> Modules**_:
|
|
|
|
.png>)
|
|
|
|
.png>)
|
|
|
|
Bonyeza moduli yoyote kwenye **Modules** na chagua **Open All Modules**:
|
|
|
|
.png>)
|
|
|
|
Bonyeza kulia kwenye moduli yoyote katika **Assembly Explorer** na bonyeza **Sort Assemblies**:
|
|
|
|
.png>)
|
|
|
|
## Java decompiler
|
|
|
|
[https://github.com/skylot/jadx](https://github.com/skylot/jadx)\
|
|
[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)
|
|
|
|
## Debugging DLLs
|
|
|
|
### Kutumia IDA
|
|
|
|
- **Load rundll32** (64bits katika C:\Windows\System32\rundll32.exe na 32 bits katika C:\Windows\SysWOW64\rundll32.exe)
|
|
- Chagua **Windbg** debugger
|
|
- Chagua "**Suspend on library load/unload**"
|
|
|
|
.png>)
|
|
|
|
- Sanidi **parameters** za utekelezaji ukitaja **path to the DLL** na kazi unayotaka kuita:
|
|
|
|
.png>)
|
|
|
|
Kisha, unapozindua kufuatilia **utekelezaji utafungwa wakati kila DLL inapopakuliwa**, kisha, wakati rundll32 inapopakua DLL yako uteketezaji utafungwa.
|
|
|
|
Lakini, unaweza vipi kufikia msimbo wa DLL ambayo ilipakuliwa? Kutumia njia hii, sijui jinsi.
|
|
|
|
### Kutumia x64dbg/x32dbg
|
|
|
|
- **Load rundll32** (64bits katika C:\Windows\System32\rundll32.exe na 32 bits katika C:\Windows\SysWOW64\rundll32.exe)
|
|
- **Change the Command Line** ( _File --> Change Command Line_ ) na weka njia ya dll na kazi unayotaka kuita, kwa mfano: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii_2.dll",DLLMain
|
|
- Badilisha _Options --> Settings_ na chagua "**DLL Entry**".
|
|
- Kisha **anzisha utekelezaji**, debugger itasimama kwenye kila dll main, kwa wakati fulani utakuwa **umesimama kwenye dll Entry ya dll yako**. Kutoka hapo, tafuta maeneo ambapo unataka kuweka breakpoint.
|
|
|
|
Kumbuka kwamba wakati utekelezaji umesimamishwa kwa sababu yoyote katika win64dbg unaweza kuona **katika msimbo upo** ukiangalia **juu ya dirisha la win64dbg**:
|
|
|
|
.png>)
|
|
|
|
Kisha, ukiangalia hii unaweza kuona wakati utekelezaji umesimamishwa kwenye dll unayotaka kufuatilia.
|
|
|
|
## GUI Apps / Videogames
|
|
|
|
[**Cheat Engine**](https://www.cheatengine.org/downloads.php) ni programu muhimu ya kupata ambapo thamani muhimu zimehifadhiwa ndani ya kumbukumbu ya mchezo unaoendelea na kuziweka. Maelezo zaidi katika:
|
|
|
|
{{#ref}}
|
|
cheat-engine.md
|
|
{{#endref}}
|
|
|
|
[**PiNCE**](https://github.com/korcankaraokcu/PINCE) ni chombo cha mbele/kugeuza uhandisi kwa GNU Project Debugger (GDB), kinachozingatia michezo. Hata hivyo, inaweza kutumika kwa mambo yoyote yanayohusiana na uhandisi wa nyuma.
|
|
|
|
[**Decompiler Explorer**](https://dogbolt.org/) ni chombo cha wavuti kwa idadi ya decompilers. Huduma hii ya wavuti inakuwezesha kulinganisha matokeo ya decompilers tofauti kwenye executable ndogo.
|
|
|
|
## ARM & MIPS
|
|
|
|
{{#ref}}
|
|
https://github.com/nongiach/arm_now
|
|
{{#endref}}
|
|
|
|
## Shellcodes
|
|
|
|
### Kufuatilia shellcode na blobrunner
|
|
|
|
[**Blobrunner**](https://github.com/OALabs/BlobRunner) itatoa **shellcode** ndani ya nafasi ya kumbukumbu, itakuonyesha **anwani ya kumbukumbu** ambapo shellcode ilipatikana na itasimamisha utekelezaji.\
|
|
Kisha, unahitaji **kuunganisha debugger** (Ida au x64dbg) kwenye mchakato na kuweka **breakpoint kwenye anwani ya kumbukumbu iliyoonyeshwa** na **kuendelea** na utekelezaji. Kwa njia hii utakuwa unafuatilia shellcode.
|
|
|
|
Ukurasa wa kutolewa wa github unajumuisha zips zinazojumuisha toleo zilizokusanywa: [https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)\
|
|
Unaweza kupata toleo lililobadilishwa kidogo la Blobrunner kwenye kiungo kinachofuata. Ili kulijenga tu **unda mradi wa C/C++ katika Visual Studio Code, nakili na ubandike msimbo na ujenge**.
|
|
|
|
{{#ref}}
|
|
blobrunner.md
|
|
{{#endref}}
|
|
|
|
### Kufuatilia shellcode na jmp2it
|
|
|
|
[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4) ni sawa sana na blobrunner. Itatoa **shellcode** ndani ya nafasi ya kumbukumbu, na kuanzisha **mzunguko wa milele**. Unahitaji kisha **kuunganisha debugger** kwenye mchakato, **cheza anza subiri sekunde 2-5 na bonyeza simama** na utajikuta ndani ya **mzunguko wa milele**. Ruka kwenye agizo linalofuata la mzunguko wa milele kwani itakuwa wito kwa shellcode, na hatimaye utajikuta unatekeleza shellcode.
|
|
|
|
.png>)
|
|
|
|
Unaweza kupakua toleo lililokusanywa la [jmp2it ndani ya ukurasa wa kutolewa](https://github.com/adamkramer/jmp2it/releases/).
|
|
|
|
### Kufuatilia shellcode kwa kutumia Cutter
|
|
|
|
[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) ni GUI ya radare. Kwa kutumia cutter unaweza kuiga shellcode na kuikagua kwa njia ya kidijitali.
|
|
|
|
Kumbuka kwamba Cutter inakuwezesha "Fungua Faili" na "Fungua Shellcode". Katika kesi yangu nilipofungua shellcode kama faili ilikamilishwa vizuri, lakini nilipofungua kama shellcode haikufanya hivyo:
|
|
|
|
.png>)
|
|
|
|
Ili kuanza kuiga katika mahali unayotaka, weka bp hapo na kwa kuonekana cutter itaanza kuiga kutoka hapo:
|
|
|
|
.png>)
|
|
|
|
.png>)
|
|
|
|
Unaweza kuona stack kwa mfano ndani ya hex dump:
|
|
|
|
.png>)
|
|
|
|
### Kuondoa obfuscation ya shellcode na kupata kazi zinazotekelezwa
|
|
|
|
Unapaswa kujaribu [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152).\
|
|
Itakuambia mambo kama **ni kazi zipi** shellcode inatumia na ikiwa shellcode inajidondoa **katika kumbukumbu**.
|
|
```bash
|
|
scdbg.exe -f shellcode # Get info
|
|
scdbg.exe -f shellcode -r #show analysis report at end of run
|
|
scdbg.exe -f shellcode -i -r #enable interactive hooks (file and network) and show analysis report at end of run
|
|
scdbg.exe -f shellcode -d #Dump decoded shellcode
|
|
scdbg.exe -f shellcode /findsc #Find offset where starts
|
|
scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset
|
|
```
|
|
scDbg pia ina kipakia picha ambapo unaweza kuchagua chaguzi unazotaka na kutekeleza shellcode
|
|
|
|
.png>)
|
|
|
|
Chaguo la **Create Dump** litatoa shellcode ya mwisho ikiwa mabadiliko yoyote yamefanywa kwa shellcode kwa njia ya kidijitali katika kumbukumbu (inasaidia kupakua shellcode iliyotafsiriwa). **start offset** inaweza kuwa na manufaa kuanza shellcode katika offset maalum. Chaguo la **Debug Shell** ni muhimu kubaini shellcode kwa kutumia terminal ya scDbg (hata hivyo, ninapata chaguzi zozote zilizofafanuliwa hapo awali kuwa bora kwa jambo hili kwani utaweza kutumia Ida au x64dbg).
|
|
|
|
### Disassembling using CyberChef
|
|
|
|
Pakia faili yako ya shellcode kama ingizo na tumia mapishi yafuatayo kuikodisha: [https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](<https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)>)
|
|
|
|
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
|
|
|
|
Obfuscator hii **inasanifisha maagizo yote ya `mov`** (ndiyo, ni ya kupendeza sana). Pia inatumia usumbufu kubadilisha mtiririko wa utekelezaji. Kwa maelezo zaidi kuhusu jinsi inavyofanya kazi:
|
|
|
|
- [https://www.youtube.com/watch?v=2VF_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)
|
|
- [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)
|
|
|
|
Ikiwa una bahati [demovfuscator](https://github.com/kirschju/demovfuscator) itatoa ufafanuzi wa binary. Ina utegemezi kadhaa
|
|
```
|
|
apt-get install libcapstone-dev
|
|
apt-get install libz3-dev
|
|
```
|
|
Na [sakinisha keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) (`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`)
|
|
|
|
Ikiwa unacheza **CTF, njia hii ya kupata bendera** inaweza kuwa muhimu sana: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)
|
|
|
|
## Rust
|
|
|
|
Ili kupata **nukta ya kuingia** tafuta kazi kwa `::main` kama ilivyo:
|
|
|
|
.png>)
|
|
|
|
Katika kesi hii, binary ilijulikana kama authenticator, hivyo ni wazi kwamba hii ni kazi kuu ya kuvutia.\
|
|
Kuwa na **jina** la **kazi** zinazoitwa, tafuta kwao kwenye **Mtandao** ili kujifunza kuhusu **ingizo** na **matokeo** yao.
|
|
|
|
## **Delphi**
|
|
|
|
Kwa binaries zilizokusanywa za Delphi unaweza kutumia [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
|
|
|
|
Ikiwa unahitaji kubadilisha binary ya Delphi ningependekeza utumie plugin ya IDA [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
|
|
|
|
Bonyeza tu **ATL+f7** (kuagiza plugin ya python katika IDA) na uchague plugin ya python.
|
|
|
|
Plugin hii itatekeleza binary na kutatua majina ya kazi kwa njia ya kidinamikia mwanzoni mwa urekebishaji. Baada ya kuanza urekebishaji bonyeza tena kitufe cha Anza (kile kijani au f9) na breakpoint itagonga mwanzoni mwa msimbo halisi.
|
|
|
|
Pia ni ya kuvutia sana kwa sababu ikiwa unabonyeza kitufe katika programu ya picha, urekebishaji utaacha katika kazi iliyotekelezwa na kitufe hicho.
|
|
|
|
## Golang
|
|
|
|
Ikiwa unahitaji kubadilisha binary ya Golang ningependekeza utumie plugin ya IDA [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
|
|
|
|
Bonyeza tu **ATL+f7** (kuagiza plugin ya python katika IDA) na uchague plugin ya python.
|
|
|
|
Hii itatatua majina ya kazi.
|
|
|
|
## Python Iliyokusanywa
|
|
|
|
Katika ukurasa huu unaweza kupata jinsi ya kupata msimbo wa python kutoka kwa binary iliyokusanywa ya ELF/EXE:
|
|
|
|
{{#ref}}
|
|
../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
|
|
{{#endref}}
|
|
|
|
## GBA - Game Body Advance
|
|
|
|
Ikiwa unapata **binary** ya mchezo wa GBA unaweza kutumia zana tofauti ili **kuiga** na **kurekebisha**:
|
|
|
|
- [**no$gba**](https://problemkaputt.de/gba.htm) (_Pakua toleo la urekebishaji_) - Inajumuisha urekebishaji wenye kiolesura
|
|
- [**mgba** ](https://mgba.io)- Inajumuisha urekebishaji wa CLI
|
|
- [**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Plugin ya Ghidra
|
|
- [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Plugin ya Ghidra
|
|
|
|
Katika [**no$gba**](https://problemkaputt.de/gba.htm), katika _**Chaguzi --> Mpangilio wa Uigaji --> Vidhibiti**_\*\* \*\* unaweza kuona jinsi ya kubonyeza **vitufe** vya Game Boy Advance
|
|
|
|
.png>)
|
|
|
|
Wakati vinapobonyeza, kila **funguo ina thamani** ya kuitambulisha:
|
|
```
|
|
A = 1
|
|
B = 2
|
|
SELECT = 4
|
|
START = 8
|
|
RIGHT = 16
|
|
LEFT = 32
|
|
UP = 64
|
|
DOWN = 128
|
|
R = 256
|
|
L = 256
|
|
```
|
|
Hivyo, katika aina hii ya programu, sehemu ya kuvutia itakuwa **jinsi programu inavyoshughulikia pembejeo za mtumiaji**. Katika anwani **0x4000130** utaona kazi inayopatikana mara nyingi: **KEYINPUT**.
|
|
|
|
.png>)
|
|
|
|
Katika picha ya awali unaweza kuona kwamba kazi inaitwa kutoka **FUN_080015a8** (anwani: _0x080015fa_ na _0x080017ac_).
|
|
|
|
Katika kazi hiyo, baada ya operesheni za awali (bila umuhimu wowote):
|
|
```c
|
|
void FUN_080015a8(void)
|
|
|
|
{
|
|
ushort uVar1;
|
|
undefined4 uVar2;
|
|
undefined4 uVar3;
|
|
ushort uVar4;
|
|
int iVar5;
|
|
ushort *puVar6;
|
|
undefined *local_2c;
|
|
|
|
DISPCNT = 0x1140;
|
|
FUN_08000a74();
|
|
FUN_08000ce4(1);
|
|
DISPCNT = 0x404;
|
|
FUN_08000dd0(&DAT_02009584,0x6000000,&DAT_030000dc);
|
|
FUN_08000354(&DAT_030000dc,0x3c);
|
|
uVar4 = DAT_030004d8;
|
|
```
|
|
Imepatikana hii nambari:
|
|
```c
|
|
do {
|
|
DAT_030004da = uVar4; //This is the last key pressed
|
|
DAT_030004d8 = KEYINPUT | 0xfc00;
|
|
puVar6 = &DAT_0200b03c;
|
|
uVar4 = DAT_030004d8;
|
|
do {
|
|
uVar2 = DAT_030004dc;
|
|
uVar1 = *puVar6;
|
|
if ((uVar1 & DAT_030004da & ~uVar4) != 0) {
|
|
```
|
|
Ishara ya mwisho inakagua **`uVar4`** iko katika **funguo za mwisho** na sio funguo ya sasa, pia inaitwa kuachilia kitufe (funguo ya sasa inahifadhiwa katika **`uVar1`**).
|
|
```c
|
|
if (uVar1 == 4) {
|
|
DAT_030000d4 = 0;
|
|
uVar3 = FUN_08001c24(DAT_030004dc);
|
|
FUN_08001868(uVar2,0,uVar3);
|
|
DAT_05000000 = 0x1483;
|
|
FUN_08001844(&DAT_0200ba18);
|
|
FUN_08001844(&DAT_0200ba20,&DAT_0200ba40);
|
|
DAT_030000d8 = 0;
|
|
uVar4 = DAT_030004d8;
|
|
}
|
|
else {
|
|
if (uVar1 == 8) {
|
|
if (DAT_030000d8 == 0xf3) {
|
|
DISPCNT = 0x404;
|
|
FUN_08000dd0(&DAT_02008aac,0x6000000,&DAT_030000dc);
|
|
FUN_08000354(&DAT_030000dc,0x3c);
|
|
uVar4 = DAT_030004d8;
|
|
}
|
|
}
|
|
else {
|
|
if (DAT_030000d4 < 8) {
|
|
DAT_030000d4 = DAT_030000d4 + 1;
|
|
FUN_08000864();
|
|
if (uVar1 == 0x10) {
|
|
DAT_030000d8 = DAT_030000d8 + 0x3a;
|
|
```
|
|
Katika msimbo uliopita unaweza kuona kwamba tunalinganisha **uVar1** (mahali ambapo **thamani ya kitufe kilichobanwa** iko) na baadhi ya thamani:
|
|
|
|
- Kwanza, inalinganishwa na **thamani 4** (**KITUFU CHA KUTEUA**): Katika changamoto hii kitufe kinafuta skrini
|
|
- Kisha, inalinganishwa na **thamani 8** (**KITUFU CHA KUANZA**): Katika changamoto hii inakagua kama msimbo ni halali kupata bendera.
|
|
- Katika kesi hii var **`DAT_030000d8`** inalinganishwa na 0xf3 na ikiwa thamani ni sawa msimbo fulani unatekelezwa.
|
|
- Katika kesi nyingine, konti ( `DAT_030000d4`) inakaguliwa. Ni konti kwa sababu inaongeza 1 mara tu baada ya kuingia kwenye msimbo.\
|
|
**I**kawa chini ya 8 kitu kinachohusisha **kuongeza** thamani kwa \*\*`DAT_030000d8` \*\* kinafanywa (kimsingi inaongeza thamani za funguo zilizobanwa katika variable hii mradi konti iwe chini ya 8).
|
|
|
|
Hivyo, katika changamoto hii, kujua thamani za vitufe, ulitakiwa **kubonyeza mchanganyiko wenye urefu mdogo kuliko 8 ambao jumla inayotokana ni 0xf3.**
|
|
|
|
**Marejeleo ya mafunzo haya:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)
|
|
|
|
## Game Boy
|
|
|
|
{{#ref}}
|
|
https://www.youtube.com/watch?v=VVbRe7wr3G4
|
|
{{#endref}}
|
|
|
|
## Kozi
|
|
|
|
- [https://github.com/0xZ0F/Z0FCourse_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
|
|
- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Uondoaji wa binary)
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|