add reverse info
xanhacks committed Dec 15, 2022
1 parent 6e0b12f commit 6b07fcc
Showing 2 changed files with 36 additions and 10 deletions.
21 changes: 11 additions & 10 deletions docs/reverse/ghidra.md
Expand Up @@ -5,18 +5,19 @@ description: Ghidra tool cheatsheet

# Ghidra

## Actions
## Tips

### Change base address
- Show symbols : `Window` -> `Symbol References`
- Replace constant with variable name : `Rigth click` -> `Set Equate`
- Show functions graph : `Window` -> `Function Call Graph`

- `Window` -> `Memory map` -> `Set Image Base (house icon)`
## Settings

### Dark mode
- Change base address : `Window` -> `Memory map` -> `Set Image Base (house icon)`
- Dark mode (invert colors) : `Edit` -> `Tool Options...` -> `Tool` -> Enable `Use Inverted Colors`
- Highlight registers on click : `Edit` -> `Tool Options...` -> `Listing Fields` (`Cursor Text Highlight`) -> Set `Mouse Button To Activate` to `LEFT`

From the launcher window :
## References

- `Edit` -> `Tool Options...` -> `Tool` -> Enable `Use Inverted Colors`

### Highlight registers on click

- `Edit` -> `Tool Options...` -> `Listing Fields` (`Cursor Text Highlight`) -> Set `Mouse Button To Activate` to `LEFT`
- [blogs.blackberry.com -
Code Analysis With Ghidra: An Introduction](https://blogs.blackberry.com/en/2019/07/an-introduction-to-code-analysis-with-ghidra)
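Review bot: `Rigth click` in the new "Replace constant with variable name" bullet is a typo for `Right click`; please fix it before merging, since the cheatsheet is meant to be copied from. The rest of the hunk only flattens the old one-heading-per-action layout into bullets under `## Tips` and `## Settings`, which reads better; one small wording point is that "Dark mode (invert colors)" describes a colour inversion of the existing theme rather than a dedicated dark theme, so the parenthesis is worth keeping so readers know what to expect.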
25 changes: 25 additions & 0 deletions docs/reverse/index.md
@@ -0,0 +1,25 @@
# Reverse Engineering

Reverse engineering is the process of analyzing a product, system, or piece of software in order to understand how it works.

## Disable ASLR

### Linux

Disable ASLR on the whole system :

```bash
# Turn OFF
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# Turn ON
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
```

### Windows

The value is stored on [IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics) at offset 0x40.

Disable ASLR on a binary (2 options) :

1. Open the binary with [PEStudio](https://pestudio.en.lo4d.com/windows), go to `optional-header` and set `address-space-layout-randomization (ASLR)` to `false`.
2. Open the binary with [CFFExplorer](https://ntcore.com/?tag=cff-explorer), go to `Optional Header`, click on `DllCharateristics` and uncheck `DLL can move`.
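Review bot: `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` is a bit flag with value 0x0040 inside the optional header's `DllCharacteristics` field, not something stored "at offset 0x40"; suggest rewording the Windows paragraph to "ASLR is controlled by the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (0x0040) flag in `DllCharacteristics`", which also explains why both GUI steps below end up clearing the same bit. Two smaller points in the same hunk: `DllCharateristics` in the CFF Explorer step is missing a `c` (`DllCharacteristics`), and the Linux snippet changes ASLR for every process on the machine and only until the next reboot, which is worth stating next to the commands; a per-process alternative such as `setarch $(uname -m) -R ./binary` leaves the rest of the system protected while you debug one target.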
