Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

Overview

ScratchABit

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors, for hardware and software interoperability, for security research).

ScratchABit supports the IDAPython API, well known in the community, for writing disassembly/extension modules.

ScratchABit is a work in progress; features are added on an as-needed basis, and contributions are welcome.

ScratchABit is released under the terms of GNU General Public License v3 (GPLv3).

Requirements/manifesto

  1. Should not be written in an obfuscated language. These include languages which are too low-level, which allow access to uninitialized variables, which don't differentiate between variables and functions/procedures, which start array indexes from arbitrary numbers, etc., etc. ScratchABit is written in Python (modern version, Python3) for your pleasure and sanity.

  2. User interface framework should allow user interaction of the needed level, not add dependencies, bloat, issues, and incompatibilities between framework's versions. ScratchABit currently uses a simple full-screen text user interface, using ANSI/VT100 terminal escape sequences (yes, even the curses library was deemed too bloated a dependency to force upon users).

  3. Should leverage easy to use text formats to store "database", to facilitate easy reuse and tool writing, and storage in version control systems.

Installation

To use ScratchABit, you need Python3 installed (tested with Python 3.3 thru 3.7) and a VT100 (minimum) or XTerm (recommended) terminal or terminal emulator (any Unix system, such as Linux or BSD, should be compliant; see the FAQ below for more).

Clone the code using:

git clone --recursive https://github.com/pfalcon/ScratchABit

If you cloned code without --recursive, run git submodule update --init in the ScratchABit directory.

ScratchABit now ships with Capstone Engine based CPU plugin(s), which allow access to a number of CPU architectures. To use them, a recent version of the Python bindings module for Capstone should be installed (in preference to packages shipped by OS distributions, which are often outdated). The easiest way is to install it into the Python user packages directory:

pip3 install --no-cache-dir --user capstone

An alternative is to install it to a Python virtual environment within the ScratchABit directory:

python3 -m venv .venv
source .venv/bin/activate
pip3 install --no-cache-dir capstone

Whenever you open a new terminal session to work with ScratchABit, run source .venv/bin/activate command again to activate the virtual environment.

If none of the above works, you can try to install the capstone package system-wide (not recommended):

sudo pip3 install --system capstone

Quick start

If you want to disassemble a file in self-describing executable format (like ELF), just pass it as an argument to ScratchABit.py. The repository includes a number of example-*.elf files for various architectures for a quick start. For example, to try x86 32bit version:

python3 ScratchABit.py example-x86_32.elf

Alternatively, if you want to disassemble a raw binary file, you need to create a .def (definition) file, to specify what memory areas are defined for the code, at which address to load binary file, etc. (Note: a .def file may be useful for .elf and similar files too.) The repository includes a simple x86_64 raw binary code, and the corresponding example-x86_64.def file (look inside for description of available options):

python3 ScratchABit.py example-x86_64.def

Press F9 to access menus (mouse works too in XTerm-compatible terminals). Press F1 to get help about key bindings (most actions are also accessible via menu). The workflow of ScratchABit is similar to other interactive disassemblers (some previous experience or background reading may be helpful).

Using Plugins

IDAPython processor plugins can be loaded from anywhere on the Python module path. Alternatively, you can symlink/copy the plugin .py file(s) into the plugins/cpu/ subdirectory.

After the plugin is made available, create a new definition file based on example-x86_64.def that sets the plugin module name (without the .py extension) in the cpu xxx line.

For a very simple example that uses an external plugin, see this esp8266.def file that works with the xtensa.py plugin from the ida-xtensa2 repository.

TODO/Things to decide

  • Currently uses multiple files for "database", each storing particular type of information. Switch to a single YAML file instead?
  • Add color (low priority, (unbloated!) patches welcome).
  • A few important UI commands are yet to be implemented for comfortable work. (All the most important commands should be there; other functionality is expected to be implemented using plugins.)
  • Offer to save DB on quit if modified.
  • Git integration for DB saving.
  • Improve robustness (add exception handler at the main loop level, don't abort the application, show to user/log and continue).
  • Try to deal with code flow inconsistencies (e.g. within an instruction - low priority for intended usage) and data access inconsistencies (e.g. accessing individual bytes of a previously detected word - higher priority). (Improved in 1.4.)
  • See how to support other types of IDAPython plugins besides just processor modules.
  • Parse and use debugging information (e.g. DWARF) present in ELF (etc.) files.

FAQ

Q: What processors/architectures are supported?

A: ScratchABit doesn't support any processor architectures on its own; it is fully retargetable using IDAPython API plugins. Many plugins are available, and writing a new plugin is easy. To let users test-drive ScratchABit, a simple x86 processor plugin is included in the distribution, using the Pymsasid disassembler under the hood.

From version 2.0, Capstone plugin is also included, allowing access to a number of architectures, including x86, ARM, MIPS, PowerPC, SPARC, etc. (architecture support is enabled gradually based on user testing).

You can read about the plugins shipped together with ScratchABit in the README for plugins/cpu/ dir.

Q: Debugger?

A: ScratchABit is dedicated to static analysis and easy support for new CPU architectures (just code up a new CPU plugin in Python - you can get initial results in a few hours). Dynamic analysis wasn't conceived as a core feature and there are no immediate plans to implement it. Patches are welcome though.

Q: Decompiler?

A: There is a related project, called ScratchABlock for deep program analysis, transformation and decompilation. It's expected that as ScratchABlock matures, some of its functionality will be available within ScratchABit (perhaps via plugins).

Q: I'm not on Linux, how can I run ScratchABit?

A: Install Linux in an emulator/VM on your system and rejoice.

Q: Mandatory screenshot?

A: Sure:

screenshot

Comments
  • Database: Single YAML file vs multiple line-oriented files?

    From current README:

    Currently uses multiple files for "database", each storing particular type of information. Switch to a single YAML file instead?

    This ticket is for discussion of this issue, opinions welcome!

    opened by pfalcon 13
  • Capstone may return negative addresses for arguments of jump instructions

    It seems that addresses beyond 0x80000000 are interpreted as negative numbers, even on a 64-bit python3. The address -2147360092 or -0x7ffe1d5c is actually 0x8001E2A4 which is a valid address:

    ./ScratchABit.py EXT0CB6Q.dec.P2.def --script import
    Loading CPU plugin arm_32_capstone
    Adding area: Area(0x0-0x1ffff, {'name': '.bin', 'access': 'RWX'})
    Adding area: Area(0x808000-0x80ffff, {'name': '.bin', 'access': 'RWX'})
    Adding area: Area(0x80000200-0x800301ff, {'name': '.bin', 'access': 'RWX'})
    Loading EXT0CB6Q.dec.P21.frmw @0x0
    Loading EXT0CB6Q.dec.P22.frmw @0x808000
    Loading EXT0CB6Q.dec.P23.frmw @0x80000200
    Processing section: entrypoints
    Performing initial analysis... 3000
    Traceback (most recent call last):
      File "./ScratchABit.py", line 1030, in <module>
        call_script(script)
      File "./ScratchABit.py", line 949, in call_script
        mod = __import__(script)
      File "/home/user/scratch/ScratchABit/import.py", line 2464, in <module>
        SetRegEx(0x8000855A,"T",1,2)
      File "/home/user/scratch/ScratchABit/idc.py", line 65, in SetRegEx
        engine.analyze()
      File "/home/user/scratch/ScratchABit/scratchabit/engine.py", line 947, in analyze
        if not _processor.emu():
      File "/home/user/scratch/ScratchABit/plugins/cpu/_any_capstone.py", line 176, in emu
        assert GetReg(op.addr, "T") == 0
      File "/home/user/scratch/ScratchABit/idc.py", line 28, in GetReg
        if engine.ADDRESS_SPACE.get_flags(ea, engine.AddressSpace.ALT_CODE):
      File "/home/user/scratch/ScratchABit/scratchabit/engine.py", line 245, in get_flags
        raise InvalidAddrException(addr)
    scratchabit.defs.InvalidAddrException: (-2147360092, '-0x7ffe1d5c')

    opened by thesourcerer8 7
  • KeyError: 'r_addend' on Ubuntu 14.04 Python3.4.3

    Hi,

    I'm having trouble running ScratchABit on my machine:

    $ python scratchabit.py example-elf
    Traceback (most recent call last):
      File "scratchabit.py", line 721, in <module>
        load_target_file(loader, sys.argv[1])
      File "scratchabit.py", line 623, in load_target_file
        entry = loader.load(engine.ADDRESS_SPACE, fname)
      File "/home/user/esp/virtenv/ScratchABit/plugins/loader/elf.py", line 407, in load
        return load_sections(aspace, elffile)
      File "/home/user/esp/virtenv/ScratchABit/plugins/loader/elf.py", line 280, in load_sections
        if reloc["r_addend"] != 0:
      File "/home/user/esp/virtenv/ScratchABit/plugins/loader/pyelftools/elftools/elf/relocation.py", line 35, in __getitem__
        return self.entry[name]
      File "/home/user/esp/virtenv/ScratchABit/plugins/loader/pyelftools/elftools/construct/lib/container.py", line 35, in __getitem__
        return self.__dict__[name]
    KeyError: 'r_addend'
    

    Am I missing something? I use Ubuntu 14.04 with Python 3.4.3. Thanks

    opened by sheinz 7
  • Recommended way to add plugins?

    Hi Paul,

    I just wanted to check if this is the recommended way to add a new plugin: http://www.esp8266.com/viewtopic.php?f=13&t=3756&p=22201#p22200

    If you let me know the recommended way, I'll submit a PR with an addition to the README about adding plugins.

    Cheers,

    Angus

    opened by projectgus 6
  • Saving slow

    Saving (File->Save) seems to be slow on slow terminals, since it outputs the current location quite often. I would suggest to output the position less often to speed it up.

    opened by thesourcerer8 5
  • Handling invalid (cross-)references

    Hi, I'm writing a CPU plugin which calls ua_add_dref(0, xxx, dr_O) based on a value that's loaded into a register. Sometimes these values don't point into a valid address range, leading to an error when I try to save the project:

    2017-05-26 21:45:56,666 Exception processing user command
    Traceback (most recent call last):
      File "/.../ScratchABit.py", line 123, in handle_input
        return super().handle_input(key)
      File "/.../ScratchABit/picotui/basewidget.py", line 69, in handle_input
        res = self.handle_key(inp)
      File "/.../ScratchABit/picotui/editor.py", line 208, in handle_key
        return self.handle_edit_key(key)
      File "/.../ScratchABit.py", line 543, in handle_edit_key
        saveload.save_state(project_dir)
      File "/.../ScratchABit/scratchabit/saveload.py", line 32, in save_state
        engine.ADDRESS_SPACE.save_addr_props(project_dir + "/project.aprops")
      File "/.../ScratchABit/scratchabit/engine.py", line 680, in save_addr_props
        fl = self.get_flags(addr)
      File "/.../ScratchABit/scratchabit/engine.py", line 247, in get_flags
        raise InvalidAddrException(addr)
    scratchabit.engine.InvalidAddrException: (57259, '0xdfab')
    

    Should I fix this in my plugin or should SAB handle this case and avoid adding the reference? What does IDA do?

    [ An alternative or complement to my approach would be to create a data item with the loaded value, and let the engine add the reference automatically. AFAICS this feature hasn't been implemented in SAB so far, though. ]

    opened by neuschaefer 5
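
The two reports above ("Capstone may return negative addresses..." and "Handling invalid (cross-)references") both end in InvalidAddrException because an operand value reaches the address space without being normalised or range-checked. The following is an added example, not code from ScratchABit or from either reporter: it folds a sign-extended value back into an unsigned address and only accepts targets inside a defined area. The helper names and the 32-bit default width are assumptions; the area list is taken from the log in the first report.

```python
import re

# Constructed sample: the "Adding area" lines from the first report's log.
SAMPLE_LOG = """\
Adding area: Area(0x0-0x1ffff, {'name': '.bin', 'access': 'RWX'})
Adding area: Area(0x808000-0x80ffff, {'name': '.bin', 'access': 'RWX'})
Adding area: Area(0x80000200-0x800301ff, {'name': '.bin', 'access': 'RWX'})
"""

AREA_RE = re.compile(r"Area\(0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+),")


def parse_areas(log_text):
    """Return sorted (start, end) inclusive ranges found in the log text."""
    return sorted((int(m.group(1), 16), int(m.group(2), 16))
                  for m in AREA_RE.finditer(log_text))


def normalize_addr(value, bits=32):
    """Fold a sign-extended operand value back into the unsigned address space."""
    return value & ((1 << bits) - 1)


def find_area(areas, addr):
    """Return the (start, end) area containing addr, or None."""
    for start, end in areas:
        if start <= addr <= end:
            return (start, end)
    return None


def checked_target(areas, value, bits=32):
    """Hypothetical helper: the address a plugin may reference, or None."""
    addr = normalize_addr(value, bits)
    return addr if find_area(areas, addr) is not None else None


def split_targets(areas, values, bits=32):
    """Partition raw operand values into (accepted addresses, rejected values)."""
    accepted, rejected = [], []
    for value in values:
        addr = checked_target(areas, value, bits)
        if addr is None:
            rejected.append(value)
        else:
            accepted.append(addr)
    return accepted, rejected


if __name__ == "__main__":
    areas = parse_areas(SAMPLE_LOG)
    # -2147360092 is the value from the first traceback; 0x20000 and -1 are
    # constructed values that fall outside every defined area.
    ok, bad = split_targets(areas, [-2147360092, 0x1000, 0x20000, -1])
    print("accepted:", [hex(a) for a in ok])
    print("rejected:", bad)
```

A CPU plugin would run a check of this kind before handing a computed value to the reference-adding call, and log the rejected values instead of storing them.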
  • Corrupted database after crashing on save

    While working with ScratchABit I saved my database, during the save (I think) an unhandled exception occurred and scratchabit exited. My database doesn't open any more, the stack trace on opening is:

    (Snip many lines of relocation information)
    <Relocation (RELA): Container({'r_info_sym': 1, 'r_offset': 7, 'r_addend': 268, 'r_info_type': 11, 'r_info': 267})>
    Loading state...
    Traceback (most recent call last):
      File "/home/gus/scripts/scratchabit.py", line 587, in <module>
        load_state(project_dir)
      File "/home/gus/scripts/scratchabit.py", line 539, in load_state
        engine.ADDRESS_SPACE.load_funcs(f)
      File "/home/gus/dev/ScratchABit/engine.py", line 487, in load_funcs
        start, end = l.split()
    ValueError: need more than 1 value to unpack
    

    I tried renaming the *.bak files over the newer database files, but I get the same error.

    Here are the relevant files: http://projectgus.com/misc/esp8266/xtensa_vectors.zip

    Working from current git master 74323e9d2c4 and pfalcon/ida-xtensa@cbe43ba3c3b (one commit before current master in your fork).

    There's a related bug to the database corruption bug, which is that the stack trace from the unhandled exception on save was printed "inside" ncurses, so it wasn't readable (got interleaved with the UI elements). Also following exit the console mode was set wrong, needed a reset.

    Sorry I don't have time to investigate this further right now.

    opened by projectgus 5
  • plugins/cpu/arm_thumb: Supports only Thumb, not Thumb2

    Continuing from #23 . See "orr/mov.w", "sub.w", "ldr" below.

    │0802cf44 9878         ldrb     r0, [r3, #2]                                                                                           │
    │0802cf46 5978         ldrb     r1, [r3, #1]                                                                                           │
    │0802cf48 f268         ldr      r2, [r6, #12]                                                                                          │
    │0802cf4a 41ea0021     orr/mov.w                                                                                                       │
    │0802cf4e 0333         add      r3, #3                                                                                                 │
    │0802cf50 0b44         add      r3, r1                                                                                                 │
    │0802cf52 043a         sub      r2, #4                                                                                                 │
    │0802cf54 7360         str      r3, [r6, #4]                                                                                           │
    │0802cf56 f260         str      r2, [r6, #12]                                                                                          │
    │0802cf58 fff732ba     b.w      0xa02c3c0                                                                                              │
    │0802cf5c 5b10         asr      r3, r3, #1                                                                                             │
    │0802cf5e 012b         cmp      r3, #1                                                                                                 │
    │0802cf60 a5f10401     sub.w                                                                                                           │
    │0802cf64 5ed0         beq      loc_0802d024                                                                                           │
    │0802cf66 55f8042c     ldr                                  
    
    opened by pfalcon 4
  • Various little cleanups; idapython comment API

    Hi, this patch set is mostly cosmetics, but also one functional change: I implemented get_cmt/set_cmt so disassembler plugins can manipulate comments in the disassembly.

    Please review, thanks.

    opened by neuschaefer 4
  • plugins/cpu/arm_thumb: Condition codes in b.w don't appear to be decoded

    Example of disasm:

    │08020036          nlr_jump:                                                                                                           │
    │08020036 0d4b         ldr      r3, [pc, #52]                                                                                          │
    │08020038 1a68         ldr      r2, [r3, #0]                                                                                           │
    │0802003a 002a         cmp      r2, #0                                                                                                 │
    │0802003c 0df0de83     b.w      nlr_jump_fail                                                                                          │
    │08020040 50           unk     0x50 ; 'P'                                                                                              │
    │08020041 60           unk     0x60 ; '`'                                                                                              │
    │08020042 10           unk     0x10                                                                                                    │
    │08020043 68           unk     0x68 ; 'h'                                                                                              │
    │08020044 18           unk     0x18                                                                                                    │
    │08020045 60           unk     0x60 ; '`'                                                 
    

    That b.w can't be right, should be conditional.

    (Disassembling MicroPython's bare-arm port.)

    opened by pfalcon 3
  • Crash in Keyboard handler

    File "scratchabit.py", line 506, in <module>
      e.loop()
    File "ScratchABit/pyedit/editor.py", line 254, in loop
      res = self.handle_key(key)
    File "scratchabit.py", line 314, in handle_key
      if '0' <= e.value[0] <= '9':
    IndexError: string index out of range

    opened by thesourcerer8 3
  • ESP Firmware Image Support

    I have some firmware images dumped from the flash of a few IOT devices whose functionality I'm trying to re-implement using ESPHomeLib. They all appear to be in esp8266 v1 format. It appears that the esptool.py 'elf2image' command grabs various parts of the ELF binary (IROM, TEXT, etc) and packs them into the format that the on-chip bootloader wants. It does not appear to have any code to do the reverse - convert the flash image back to an ELF binary for analysis.

    Is there any way I can analyze these files with ScratchABit, or is it pretty well dependent on having an ELF binary?

    opened by brandond 3
  • Add support for elf SHN_COMMON sections

    opened by GrahamM 0
  • Add support for loader plugins

    Quoting the README:

    See how to support other types of IDAPython plugins besides just processor modules.

    Loader plugins would be highly appreciated. The problem is that Python loaders are hard to find. The existing loaders, covering widespread binary executable formats, are usually written in C++ so they need to be ported to IDAPython first. Fortunately, stand-alone Python libraries for parsing several common executable formats exist:

    Creating basic loader plugins on top of them should be easy. The existing pyelftools based ELF loader serves as a good example of how to do that. The first step is to enable support for loader plugins in ScratchABit...

    opened by maximumspatium 1
  • Add support for different endianness

    PowerPC CPU is capable of running in either little-endian or big-endian modes. The required mode is usually specified in the executable itself. ELF container, for example, uses EI_DATA field of the ELF header for that purpose, see here.

    The precise endianness mode must be set before disassembling.

    I therefore propose to extend the CPU plugin interface with a possibility to specify the required endian mode as well as a way to retrieve endianness from container loaders.

    BTW, it's not clear how IDA processor modules deal with this requirement. It looks like there is no consistent way to specify/retrieve endianness information in IDA, see this discussion.

    opened by maximumspatium 2
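
How a loader can retrieve the endianness mentioned in the issue above from the EI_DATA byte of the ELF header, and what goes wrong when the wrong mode is applied, shown as an added example (not code from ScratchABit, its ELF loader, or the issue author). The function names are assumptions and the header bytes are constructed inline; the offsets and constants are those of the ELF header layout.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5                  # byte offsets inside e_ident
ELF_CLASS_BITS = {1: 32, 2: 64}           # ELFCLASS32, ELFCLASS64
ELF_DATA_ORDER = {1: "little", 2: "big"}  # ELFDATA2LSB, ELFDATA2MSB
EM_PPC, EM_PPC64 = 20, 21                 # e_machine values for PowerPC


def elf_ident(header):
    """Return word size, byte order and e_machine from the start of an ELF file."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    bits = ELF_CLASS_BITS.get(header[EI_CLASS])
    order = ELF_DATA_ORDER.get(header[EI_DATA])
    if bits is None or order is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_type and e_machine follow the 16-byte e_ident and are stored in the
    # byte order that EI_DATA declares, so EI_DATA must be read first.
    fmt = "<HH" if order == "little" else ">HH"
    _e_type, e_machine = struct.unpack_from(fmt, header, 16)
    return {"bits": bits, "byteorder": order, "e_machine": e_machine}


def read_word(data, offset, byteorder):
    """Fetch one 32-bit instruction word using the given byte order."""
    return int.from_bytes(data[offset:offset + 4], byteorder)


def make_header(ei_class, ei_data, e_machine):
    """Build a constructed 20-byte ELF header prefix for the demonstration."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + bytes(9)
    fmt = "<HH" if ei_data == 1 else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type 2 = ET_EXEC


# Constructed sample: the PowerPC `blr` instruction as stored in a
# big-endian image.
BLR_BYTES = bytes.fromhex("4e800020")

if __name__ == "__main__":
    info = elf_ident(make_header(1, 2, EM_PPC))
    print(info)
    print(hex(read_word(BLR_BYTES, 0, info["byteorder"])))  # correct word
    print(hex(read_word(BLR_BYTES, 0, "little")))           # wrong mode
```

The value returned in "byteorder" is what a loader would pass on to the CPU plugin before any instruction bytes are decoded.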
  • Enable more Capstone-supported archs

    With 2.0, Capstone-based ARM support went online, and Capstone supports several more architectures. Fairly speaking, ARM support enablement took a bunch of effort (and isn't really complete), but the cornerstone was supporting 2nd ISA for the code in the same address space. Beyond that, Capstone seems to offer pretty weak semantic characterization of instructions, so a bunch of that needs to be handled in arch-specific manner in the ScratchABit plugin.

    Still, it shouldn't be a rocket science to enable more archs, and this ticket is submitted in the hope to find people who'd be interested to give it a try and share feedback.

    References:

    • https://github.com/pfalcon/ScratchABit/blob/master/plugins/cpu/_any_capstone.py (and git log -p --follow on it)
    • https://github.com/pfalcon/ScratchABit/blob/master/Makefile.examples
    opened by pfalcon 8
Releases(v2.0)
  • v2.0(Jan 25, 2018)

    • Capstone-based CPU plugin for x86 and ARM. (Follow README for Capstone installation instructions.)
    • Support for "alternative ISA" during disassembly (used e.g. for handling Thumb mode for ARM).
    • Update version of Pymsasid3 disassembly library with 64-bit mode fixes.
    • Switch off some assertions by default, making end users' experience better (exceptions are still logged to scratchabit.log).
    • More idaapi and idc modules functions.
    • Documentation improvements.
    • Example ELF files for the supported architectures and subarchitectures are provided (extending on a few out of the box examples available previously).

    (Note: Don't install ScratchABit from tarballs automatically generated by Github - they miss git submodules. Instead, follow the README to clone directly from git.)

  • v1.8(Nov 24, 2017)

    • Implemented disassembly export as cross-referenced HTML.
    • Added builtin ARM Thumb (not Thumb2) CPU plugin (contributed by Damien George).
    • Compatibility improvements and additions for IDAPython API.
    • Various bugfixes and reliability improvements in analysis engine.
  • v1.7(Mar 27, 2017)

    • Added color to user interface and beginnings of syntax highlighting to disassembler listing (see screenshot below).
    • Warn if there're unsaved changes on quit.

    screenshot

  • v1.6(Feb 25, 2017)

    • Improvements to memory map display (shows current position by default, can switch it using memory map, etc.)
    • Cosmetic UI improvements (more choices in menu, help, menu works better, etc.)
    • Continued refactoring of the codebase to make plugin writing easier.
    • Fixed few cases of exceptions being thrown.
  • v1.5(Jan 27, 2017)

    • Add "Make function" to menu and help.
    • tools: Add indircalls plugin and map2scratchabit script.
    • Add AddressSpace.memcpy() function to be used by plugins.
    • Convert source code to Python package, for easier usage by plugins.
    • Rename main start script to "ScratchABit.py".
  • v1.4(Jan 3, 2017)

    • Updates and fixes to UI.
    • Add Preferences dialog.
    • Add "Run plugin" command.
    • Add "Next non-function code" command (Ctrl+F).
    • Introduce a concept of subareas, an additional way to partition analysed binary (besides function). They can be used e.g. to represent object files from which a binary was linked.
    • Improvements to automatic label management during analysis.
    • Improvements to preciseness and reliability of control flow analysis.
    • For cross-references, show a containing function.
    • Improve reliability/exception handling.
    • Development to allow writing scripts/plugins for ScratchABit.
    • With v1.4, ScratchABit reaches the level of functionality which was originally intended for it (took 1.5 years of intermittent development). (Note that part of this functionality is being able to write plugins/scripts for less frequently used functionality. That works, but needs a lot of API refactoring to make it easier/more scalable.)
  • v1.3(Sep 2, 2016)

    • Added menus support using picotui 0.8, all commands are exposed via menus.
    • Switched dialogs to picotui (better and more consistent look and feel).
    • More precise cursor positioning for "Search text" command.
    • Add support for command line arguments --script (run script/plugin on startup) and --save (run script fully in batch mode, don't go to UI).
    • Save format change: information now saves split per memory area (more friendly for human reviewer and git, potentially allows to reuse information for same memory area in different projects). Old save format is recognized and upgraded.
    • Many small improvements to user experience (better progress indication, terminal deinitialization, avoiding overwriting comments from different stages of loading process, etc.)
  • v1.2(Aug 15, 2016)

    • "Make filler" command, allowing to mark undefined bytes as unimportant filler.
    • "Next undefined" command. Together with "Make filler" allows to follow reductionistic workflow, where a user searches for next undefined byte sequence and categorizes it (or skips for now, easily findable later).
    • ELF loader: Fix loading of executable with REL relocations (e.g. x86) and generalize to easier support architecture-specific features.
    • Number of minor UX improvements.
    • Continue switching to picotui widget set.
  • v1.1(May 28, 2016)

    • New commands: "Show address map", "Save listing for the current function", etc.
    • Save viewer address stack on quit/load on restart.
    • Add "default plugins" map, for more automatic loading of bare executables. Add Xtensa plugin to this map.
    • Various small UI improvements.
    • Better handling of disassembly of objects.
    • Engine: clean up handling of "offset" operands.
    • Detailed changelog: https://github.com/pfalcon/ScratchABit/compare/v1.0...v1.1
  • v1.0(Oct 7, 2015)

    • Switched to picotui (https://github.com/pfalcon/picotui) for widgets, enabling better and easier to maintain UI
    • Write disassembly listing to a file command ("W")
  • v0.9(Oct 7, 2015)

  • v0.8(Aug 10, 2015)

  • v0.7(Aug 10, 2015)

  • v0.6(Aug 10, 2015)

  • v0.5(Jul 3, 2015)

    • Initial release
    • Ability to load raw binary files
    • Ability to load non-relocatable ELF files
    • Monochrome TextUI for VT100/XTerm terminals
    • Basic direct-manipulation user interface: ability to mark bytes as code/data/unknown, follow address references in instructions, mark arguments as value/address, add comments, etc.
    • Save/load state
    • Basic support for IDAPython CPU plugin API
    • x86 disassembler plugin based on PyMsasid3 is included.
    • Also tested with 3rd-party Xtensa plugin: https://github.com/themadinventor/ida-xtensa
Owner
Paul Sokolovsky
Long-time open-source developer. Contributed to many projects out there. In my own free time, I prefer to work on principled, minimalist projects.