@mikesmullin
mikesmullin / x86-assembly-notes.md
Last active July 18, 2024 01:57
Notes on x86-64 Assembly and Machine Code

Mike's x86-64 Assembly (ASM) Notes

Assembling Binary Machine Code

Operating Modes:

These determine the assumed/default size of instruction operands, and restrict which opcodes are available and how they are used.

Modern operating systems, booted inside Real mode,

@jackoalan
jackoalan / cwfilt.py
Last active July 28, 2023 00:34
CodeWarrior C++ Symbol Demangler
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
def demangleNode(node):
    pointer = False
    ref = False
    const = False
    unsigned = False
@wayspurrchen
wayspurrchen / git patterns.md
Last active January 18, 2023 21:38
Useful Git Techniques

History

Show file at certain commit

git show <hash>:<file>

Show history of a file

git log -p <filename>

@spaze
spaze / opera-vpn.md
Last active April 20, 2024 02:14
Opera VPN behind the curtains is just a proxy, here's how it works

2023 update

ℹ️ Please note this research is from 2016, when Opera first added their browser "VPN", even before the "Chinese deal" was closed. They have since introduced some real VPN apps, but what follows below is not about them.

🕵️ Some folks also like to use this article as proof that the Opera browser is spyware, or that Opera sells all your data to 3rd parties, or something like that. This article doesn't say anything like that.


When setting up (that is, immediately when the user enables it in settings), Opera VPN sends a few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs; see below, and also see The Oprah Proxy.

The browser then talks to a proxy, de0.opera-proxy.net (when the VPN location is set to Germany). Its IP address can only be resolved from within Opera when the VPN is on; it's 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

@Drup
Drup / sat_micro.ml
Last active June 15, 2020 17:17
SAT-MICRO, a Sat solver in 60 lines of code
(* Code extracted from:
SAT-MICRO: petit mais costaud !
by Sylvain Conchon, Johannes Kanig, Stéphane Lescuyer
*)
module type VARIABLES = sig
  type t
  val compare : t -> t -> int
end
@georgexsh
georgexsh / goto.py
Created September 18, 2017 07:47
python goto with system trace function
import sys
def j(lineno):
    frame = sys._getframe().f_back
    called_from = frame
    def hook(frame, event, arg):
        if event == 'line' and frame == called_from:
            try:
                frame.f_lineno = lineno
@patois
patois / README
Last active April 23, 2024 07:45
Configuration files for debugging Tricore Binaries with IDA 7.4 and TRACE32 Simulator
1. Install TRACE32 for Tricore from https://www.lauterbach.com/frames.html?download_demo.html
2. place ida.cmm into the TRACE32 installation folder
3. overwrite config.t32 found in the TRACE32 installation folder with the one provided
4. change the "SYS" variable of this config.t32 file to point to your TRACE32 install folder
5. edit %IDADIR%\cfg\gdb_arch.cfg as described in the provided "gdb_arch.cfg" file
6. open the file "demo.elf" from the TRACE32 installation folder with IDA
7. In IDA, go to "Debugger -> Select debugger", pick "Remote GDB debugger"
8. Go to "Debugger -> Debugger options -> Set specific options", tick the
"Run a program..." checkbox, then click "choose a configuration" (which should fill
the "command line" edit field) and confirm.
@raplin
raplin / CortexM_searchable_list.txt
Created June 22, 2020 23:47
Searchable list of Cortex M cpus by IRQ/Peripheral base, helps figure out which CPU an unknown binary runs on - description at top
Cortex M CPU searchable IRQ/peripheral list
Goal: Use this when reverse engineering a binary for an unknown Cortex M CPU to help figure out exactly what you're looking at
Simple usage:
Load the binary into IDA/Ghidra
Find the vector table (usually the first 256-ish bytes right at the start of the file), and find some 'interesting' IRQ vectors that point to real code.
(The first 16 vectors are internal Cortex M stuff (reset vector, NMI etc) and will not be useful)
In the IRQ handler code pointed to by the vector, you will very often soon encounter an obvious peripheral address being loaded into a register.
Search this file for "[XXXX:YYYYYYYY]" where X = last 4 hex address of the IRQ vector, and YYYYYYYY=hex peripheral address.
@bazad
bazad / arm64_sysregs_ios.py
Created July 17, 2020 19:58
Label iOS arm64 system registers in IDA Pro
#
# arm64_sysregs_ios.py
# Brandon Azad
#
# Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre.
#
import idautils
import idc
# IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX
#
# WIP research. (This was edited to add more info after someone posted it to
# Hacker News. Click "Revisions" to see full changes.)
#
# Copyright (c) 2020 dougallj
# Based on Python port of VMX intrinsics plugin:
# Copyright (c) 2019 w4kfu - Synacktiv