Coding & Hacking

Last updated 8 months ago

You should definitely forget about Windows Notepad, which makes no automatic backups and cannot open multiple files.

Instead, to write your code snippets and notes, I'd strongly recommend one of the following text editors:

  • Notepad++ (it has a hex editor plugin!)

  • Sublime

  • Visual Studio Code

But you may want to compile code too. This is particularly useful when rewriting the logic of a disassembled program, for example. If you have a programming language of choice, you probably already have a good editor or a full IDE (Integrated Development Environment) to use. My preferred language is C and I don't use IDEs because I think they take too long to load. :)

C is scriptable!

The first one I want to show you is tcc, available for Linux and OS X. Let's say we found in the binary a string encoded with an algorithm that adds 4 to each byte of its characters, so a becomes e, b becomes f and so on. The string is xgg$mw$gve~}% and with tcc it is easy to subtract 4 from each character again:

echo 'main(){ char *s="xgg$mw$gve~}%"; while (*s){putchar((*s++)-4);} }' | tcc -run -
tcc is crazy!

tcc also supports "C scripts":

$ cat strdecode.c
#!/usr/local/bin/tcc -run
#include <stdio.h>

/* Subtract 4 from every byte of the first argument and print the result. */
int main(int argc, char *argv[]) {
    char *s;
    if (argc < 2)
        return 1;
    s = argv[1];
    while (*s) {
        putchar(*s - 4);
        s++;
    }
    return 0;
}
$ ./strdecode.c 'xgg$mw$gve~}%'
tcc is crazy!

tcc even has some extensions such as inline assembly, new expressions and more. One example is the binary number representation:

$ echo 'main(){printf("%d\n", 0b1000);}' | tcc -run -
8

See the tcc docs for more information.

Of course you could have done that with Python, Perl, Bash or any other language you like. I just wanted to give C speakers a script-like option.

Still in the world of C, if you need a full IDE for your programs, you may want to try Orwell Dev-C++, a fork of the original Dev-C++ from Bloodshed. Orwell's fork is constantly updated, can build 64-bit binaries and has a lot of improvements. Visual Studio also has a free version that you can download and use to compile programs at no cost.

Bash hacking

Bash is the default shell on Linux and OS X systems. It's also available for Windows through Cygwin and other similar projects. You can hack a lot with Bash and, together with tools like file, objdump, hexdump, etc., it definitely helps with binary analysis work.

Instead of writing about what I learned to do with Bash, I'm gonna introduce a project of mine called bashacks, where I put everything I use daily together in the form of functions for other people to use.

For example, to convert a string to its hexadecimal equivalent, you could use the bh_str2hex() function like this:

$ bh_str2hex Fernando
46 65 72 6e 61 6e 64 6f
$ bh_str2hex -c Fernando
{0x46, 0x65, 0x72, 0x6e, 0x61, 0x6e, 0x64, 0x6f}
$ bh_str2hex -x Fernando
\x46\x65\x72\x6e\x61\x6e\x64\x6f

If you have a Bash terminal handy, this is much faster - and safer - than going to an online conversion tool.
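To show what a helper like bh_str2hex does under the hood, here is an added example (my own code, not the bashacks implementation) that reimplements its three output modes in POSIX sh on top of od; the function name str2hex is hypothetical. Multi-byte UTF-8 characters come out as one field per byte.

```shell
#!/bin/sh
# str2hex [-c|-x] STRING  (hypothetical reimplementation of the bh_str2hex modes)
#   (none)  space-separated hex bytes:      46 65 72 ...
#   -c      C array initializer:            {0x46, 0x65, ...}
#   -x      backslash-x escapes:            \x46\x65...
str2hex() {
    mode=""
    case "$1" in
        -c|-x) mode="$1"; shift ;;
    esac
    # od: no address column (-An), keep duplicate lines (-v), one byte per
    # field as two lowercase hex digits (-tx1). Word splitting of $bytes then
    # yields one byte per loop iteration, whatever od's column padding is.
    bytes=$(printf '%s' "$1" | od -An -v -tx1)
    out=""
    for b in $bytes; do
        case "$mode" in
            "")  out="${out:+$out }$b" ;;
            -c)  out="${out:+$out, }0x$b" ;;
            -x)  out="$out\\x$b" ;;
        esac
    done
    case "$mode" in -c) out="{$out}" ;; esac
    printf '%s\n' "$out"
}

# Run as a script: ./str2hex.sh -c Fernando
if [ $# -gt 0 ]; then
    str2hex "$@"
fi
```

Because the conversion runs entirely on your machine, the bytes you are inspecting never leave it, which is the "safer" part of doing this locally rather than in an online tool.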

Let's say you need a UTF-8 table:

$ bh_utf8table
Hex Hex Hex Hex Hex Hex Hex Hex
c2 a0 c2 ac ¬ c2 b8 ¸ c3 84 Ä c3 90 Ð c3 9c Ü c3 a8 è c3 b4 ô
c2 a1 ¡ c2 ad ­ c2 b9 ¹ c3 85 Å c3 91 Ñ c3 9d Ý c3 a9 é c3 b5 õ
c2 a2 ¢ c2 ae ® c2 ba º c3 86 Æ c3 92 Ò c3 9e Þ c3 aa ê c3 b6 ö
c2 a3 £ c2 af ¯ c2 bb » c3 87 Ç c3 93 Ó c3 9f ß c3 ab ë c3 b7 ÷
c2 a4 ¤ c2 b0 ° c2 bc ¼ c3 88 È c3 94 Ô c3 a0 à c3 ac ì c3 b8 ø
c2 a5 ¥ c2 b1 ± c2 bd ½ c3 89 É c3 95 Õ c3 a1 á c3 ad í c3 b9 ù
c2 a6 ¦ c2 b2 ² c2 be ¾ c3 8a Ê c3 96 Ö c3 a2 â c3 ae î c3 ba ú
c2 a7 § c2 b3 ³ c2 bf ¿ c3 8b Ë c3 97 × c3 a3 ã c3 af ï c3 bb û
c2 a8 ¨ c2 b4 ´ c3 80 À c3 8c Ì c3 98 Ø c3 a4 ä c3 b0 ð c3 bc ü
c2 a9 © c2 b5 µ c3 81 Á c3 8d Í c3 99 Ù c3 a5 å c3 b1 ñ c3 bd ý
c2 aa ª c2 b6 ¶ c3 82 Â c3 8e Î c3 9a Ú c3 a6 æ c3 b2 ò c3 be þ
c2 ab « c2 b7 · c3 83 Ã c3 8f Ï c3 9b Û c3 a7 ç c3 b3 ó c3 bf ÿ

The number of functions is constantly increasing. Another useful example, although not related to programming, is a function to rename files to their MD5 hashes:

$ ls
donotopenme.exe longname.exe noidea.exe
$ bh_md5rename *
$ ls
66d23ef313df5fd126a9c3a1132c943e aba0f47afec9a5d52812ace09d226641 f0ff432346eb19d72dc172b64bd01663
$ md5 *
MD5 (66d23ef313df5fd126a9c3a1132c943e) = 66d23ef313df5fd126a9c3a1132c943e
MD5 (aba0f47afec9a5d52812ace09d226641) = aba0f47afec9a5d52812ace09d226641
MD5 (f0ff432346eb19d72dc172b64bd01663) = f0ff432346eb19d72dc172b64bd01663

Read the docs to get a full list of available functions, and if you have some daily binary analysis task you'd like to see automated, let me know. ;)