├── .gitignore
├── The Rituals
│   ├── Start Writing Malware.md
│   ├── Malware Evasion Techniques.md
│   └── Basics of Malware Obfuscation.md
├── .github
│   ├── .translations
│   │   └── .gitkeep
│   ├── img.png
│   ├── img_1.png
│   ├── img_2.png
│   ├── img_3.png
│   ├── img_4.png
│   ├── img_5.png
│   ├── img_6.png
│   ├── winapi.png
│   ├── elf
│   │   ├── img.png
│   │   ├── img_1.png
│   │   ├── img_2.png
│   │   ├── img_3.png
│   │   └── img_4.png
│   ├── intro_to_re.jpg
│   ├── winpe
│   │   ├── img.png
│   │   ├── img_1.png
│   │   ├── img_2.png
│   │   ├── img_3.png
│   │   ├── img_4.png
│   │   ├── img_5.png
│   │   ├── img_6.png
│   │   ├── img_7.png
│   │   ├── img_8.png
│   │   ├── img_9.png
│   │   ├── img_10.png
│   │   ├── img_11.png
│   │   ├── img_12.png
│   │   ├── img_13.png
│   │   ├── img_14.png
│   │   ├── img_15.png
│   │   ├── img_16.png
│   │   ├── img_17.png
│   │   ├── img_18.png
│   │   ├── img_19.png
│   │   ├── img_20.png
│   │   ├── img_21.png
│   │   ├── img_22.png
│   │   ├── img_23.png
│   │   ├── img_24.png
│   │   ├── img_25.png
│   │   ├── img_26.png
│   │   ├── img_27.png
│   │   ├── img_28.png
│   │   ├── img_29.png
│   │   ├── img_30.png
│   │   ├── img_31.png
│   │   ├── img_32.png
│   │   ├── img_33.png
│   │   ├── img_34.png
│   │   ├── img_35.png
│   │   ├── img_36.png
│   │   ├── img_37.png
│   │   ├── img_38.png
│   │   ├── img_39.png
│   │   ├── img_40.png
│   │   ├── img_41.png
│   │   ├── header_1.png
│   │   ├── header_10.png
│   │   ├── header_11.png
│   │   ├── header_2.png
│   │   ├── header_3.png
│   │   ├── header_4.png
│   │   ├── header_5.png
│   │   ├── header_6.png
│   │   ├── header_7.png
│   │   ├── header_8.png
│   │   └── header_9.png
│   ├── yara-rules.png
│   ├── donate_button.png
│   ├── keys
│   │   ├── alt-key-48.png
│   │   ├── ctrl-key-48.png
│   │   ├── esc-key-48.png
│   │   ├── enter-key-48.png
│   │   └── shift-key-48.png
│   ├── idapro-cheatsheet.jpg
│   ├── malware_payload_1.png
│   ├── radare2-cheatsheet.png
│   ├── sponsor_images
│   │   ├── MD.png
│   │   ├── bb.png
│   │   ├── gh.png
│   │   ├── hv.png
│   │   ├── qai.png
│   │   ├── TG_Netflow_Ad_300_250.gif
│   │   └── s2.svg
│   ├── winpe_struct_logo.png
│   ├── intro_re
│   │   ├── interest_1.png
│   │   ├── interest_2.png
│   │   ├── interest_3.png
│   │   ├── open_binja.png
│   │   └── open_file_binja.png
│   ├── intro_to_exploit_dev.png
│   ├── exploit_dev_files
│   │   ├── example_c
│   │   ├── double_free
│   │   ├── rop_chain_c
│   │   ├── string_vuln
│   │   ├── heap_overflow
│   │   └── use_after_free
│   ├── dynamic_analysis_difference.png
│   └── sponsorships
│       ├── images
│       │   └── placeholder.png
│       ├── sponsorship_package.md
│       ├── supporter_example.md
│       ├── patron_example.md
│       └── contributor_example.md
├── the-malware-bible
│   ├── the-rituals
│   │   └── README.md
│   ├── the-scriptures
│   │   └── README.md
│   ├── the-journey
│   │   └── README.md
│   └── the-beginning
│       └── README.md
├── LICENSE
├── The Scriptures
│   ├── evasion-tactics.md
│   ├── windbg.md
│   ├── radare2.md
│   ├── yara_rules.md
│   └── idapro.md
├── The Journey
│   ├── iOS App Store File Structure.md
│   ├── Android Package File Structure.md
│   └── ELF PE Structure.md
├── SUMMARY.md
├── README.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
└── The Beginning
    ├── Introduction to Shellcode.md
    ├── Introduction to x86 Assembly.md
    ├── Introduction to Reverse Engineering.md
    └── Introduction to Python.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.idea/*
test*
.venv/*
--------------------------------------------------------------------------------
/The Rituals/Start Writing Malware.md:
--------------------------------------------------------------------------------
Coming soon...
--------------------------------------------------------------------------------
/.github/.translations/.gitkeep:
--------------------------------------------------------------------------------
add all translations into this folder
--------------------------------------------------------------------------------
/the-malware-bible/the-rituals/README.md:
--------------------------------------------------------------------------------
# The Rituals

And the Master of malware called to the architect and spoke from the core of the network, saying ...

* [Start Writing Malware](<../../The Rituals/Start Writing Malware.md>)
* [Malware Obfuscation Techniques](<../../The Rituals/Basics of Malware Obfuscation.md>)
* [Malware Evasion Techniques](<../../The Rituals/Malware Evasion Techniques.md>)
--------------------------------------------------------------------------------
/the-malware-bible/the-scriptures/README.md:
--------------------------------------------------------------------------------
# The Scriptures

Behold, these are the concise scrolls of knowledge.

* [Yara Rules](<../../The Scriptures/yara_rules.md>)
* [Radare2](<../../The Scriptures/radare2.md>)
* [IDAPro](<../../The Scriptures/idapro.md>)
* [Evasion Tactics](<../../The Scriptures/evasion-tactics.md>)
* [WinDBG](<../../The Scriptures/windbg.md>)
* [WinAPI](<../../The Scriptures/winapi.md>)
--------------------------------------------------------------------------------
/the-malware-bible/the-journey/README.md:
--------------------------------------------------------------------------------
# The Journey

Behold, these are the courses of the malicious intents that will enter the network cloaked while carrying their payloads.

* [Windows PE File Structure](<../../The Journey/Windows PE Structure.md>)
* [ELF PE Structures](<../../The Journey/ELF PE Structure.md>)
* [Android Package File Structure](<../../The Journey/Android Package File Structure.md>)
* [iOS App Store File Structure](<../../The Journey/iOS App Store File Structure.md>)
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
# License for Written Content
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/.

You must provide attribution when using this content.

# License for Code
This software is licensed under the Apache License, Version 2.0.
You must include attribution when using this code.

See the full license at https://www.apache.org/licenses/LICENSE-2.0
--------------------------------------------------------------------------------
/The Scriptures/evasion-tactics.md:
--------------------------------------------------------------------------------
**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity Educational Fund](https://donorbox.org/malware-bible-fund)

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)
--------------------------------------------------------------------------------
/The Scriptures/windbg.md:
--------------------------------------------------------------------------------
**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity Educational Fund](https://donorbox.org/malware-bible-fund)

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)
--------------------------------------------------------------------------------
/The Journey/iOS App Store File Structure.md:
--------------------------------------------------------------------------------
**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity
Educational](https://donorbox.org/malware-bible-fund) Fund 6 | 7 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 8 | 9 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 10 | -------------------------------------------------------------------------------- /The Rituals/Malware Evasion Techniques.md: -------------------------------------------------------------------------------- 1 | **Shameless plug** 2 | 3 | This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/) 4 | 5 | Please consider donating to [The Perkins Cybersecurity Educational](https://donorbox.org/malware-bible-fund) Fund 6 | 7 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 8 | 9 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 10 | -------------------------------------------------------------------------------- /The Journey/Android Package File Structure.md: -------------------------------------------------------------------------------- 1 | **Shameless plug** 2 | 3 | This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/) 4 | 5 | Please consider donating to [The Perkins Cybersecurity Educational](https://donorbox.org/malware-bible-fund) Fund 6 | 7 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 8 | 9 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 10 | -------------------------------------------------------------------------------- /The Rituals/Basics of Malware Obfuscation.md: -------------------------------------------------------------------------------- 1 | **Shameless plug** 2 | 3 | 
This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/) 4 | 5 | Please consider donating to [The Perkins Cybersecurity Educational](https://donorbox.org/malware-bible-fund) Fund 6 | 7 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 8 | 9 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 10 | -------------------------------------------------------------------------------- /the-malware-bible/the-beginning/README.md: -------------------------------------------------------------------------------- 1 | # The Beginning 2 | 3 | In the beginning malware shaped the realms... 4 | 5 | * [Introduction to x86 Assembly](<../../The Beginning/Introduction to x86 Assembly.md>) 6 | * [Introduction to Shellcode](<../../The Beginning/Introduction to Shellcode.md>) 7 | * [Introduction to Python](<../../The Beginning/Introduction to Python.md>) 8 | * [Introduction to C](<../../The Beginning/Introduction to C.md>) 9 | * [So You Want to Write Malware](<../../The Beginning/Introduction to Malware.md>) 10 | * [Introduction to Exploit Development](<../../The Beginning/Intro to Exploit Dev.md>) -------------------------------------------------------------------------------- /SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Table of contents 2 | 3 | * [The Indoctrination](README.md) 4 | * [The Beginning](the-malware-bible/the-beginning/README.md) 5 | * [Introduction to x86 Assembly]() 6 | * [Introduction to Shellcode]() 7 | * [Introduction to Python]() 8 | * [Introduction to C]() 9 | * [So You Want to Write Malware?]() 10 | * [Introduction to Exploit Development]() 11 | * [The Journey](the-malware-bible/the-journey/README.md) 12 | * [Windows PE File Structure]() 13 | * [ELF Structures]() 14 | * [Android Package File Structure]() 15 | * [iOS App 
Store File Structure]() 16 | * [The Rituals](the-malware-bible/the-rituals/README.md) 17 | * [Start Writing Malware]() 18 | * [Malware Obfuscation Techniques]() 19 | * [Malware Evasion Techniques]() 20 | * [The Scriptures](the-malware-bible/the-scriptures/README.md) 21 | * [Yara Rules]() 22 | * [Radare2]() 23 | * [IDAPro]() 24 | * [Evasion Tactics]() 25 | * [WinDBG]() 26 | * [WinAPI]() -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The Indoctrination 2 | 3 |
8 | 9 | Welcome to the Malware Bible. Brought to you by The Perkins Cybersecurity Educational Fund. 10 | 11 | This sacred text was created specifically to guide you on your journey into the realm of cybersecurity. Whether you are seeking to understand, master, or dominate this craft, these sacred texts have been forged from the fires below to bestow this forbidden knowledge upon thee. 12 | 13 | Remember: "To conquer your enemy, walk in the shadow of their thoughts, and let their mind become as your own." 14 | 15 | -**-**- 16 | 17 | #### Support the Bible 18 | 19 | These courses are provided for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider: 20 | - Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund) 21 | - Or buy us a coffee → [Coffee](https://ko-fi.com/perkinsfund) 22 | 23 | #### Become a sponsor 24 | 25 | These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience. 26 | 27 | Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/) Please view our [Sponsorship Packages](.github/sponsorships/sponsorship_package.md) for more details! 28 | -------------------------------------------------------------------------------- /.github/sponsorships/sponsorship_package.md: -------------------------------------------------------------------------------- 1 | # Sponsorship Tiers 2 | 3 | All sponsorships are a one-time payment, and your support will be displayed forever on the Malware Bible! 
Secure a permanent spot and gain lasting recognition in the cybersecurity community. 4 | 5 | | **Tier** | **Price** | **Description** | **Features** | **Example** | 6 | |-----------------|-----------|----------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------| 7 | | **Supporter** | $350 | Listed at the bottom of the page, right above the course outro. | Small logo with a brief description of your choice. | [Example Placement](supporter_example.md) | 8 | | **Contributor** | $500 | Listed in the middle of the course for increased visibility. | Medium-sized logo; hyperlink to a URL of your choice in the sponsor section. | [Example Placement](contributor_example.md) | 9 | | **Patron** | $750 | Premium placement at the top of the sponsor section, right under the *Shameless Plug*. | Large logo or banner; custom description (up to 250 characters); hyperlink to a URL of your choice; added to the sponsor page on the **PCEF website** *(under construction)*; **shoutout when the course is released**; **bonus shoutout in the course outro**. | [Example Placement](patron_example.md) | 10 | 11 | -------------------------------------------------------------------------------- /.github/sponsorships/supporter_example.md: -------------------------------------------------------------------------------- 1 |


4 | 5 | **Shameless Plug** 6 | 7 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 8 | 9 | --- 10 | 11 | # What will be covered? 12 | - stuff1 13 | - stuff2 14 | - ... 15 | 16 | --- 17 | 18 | # stuff1 19 | 20 | # stuff2 21 | 22 | # ... 23 | 24 | --- 25 | 26 | #### Sponsor 27 | 28 | Special thanks to our sponsor of this course: YOU! 29 | 30 |


33 | 34 | Some random description you made 35 | 36 | --- 37 | # Outro 38 | 39 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 40 | 41 | #### Support the Bible 42 | 43 | Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider: 44 | - Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund) 45 | - Registering for Malcore → [Sign Up](https://m4lc.io/courses/register) 46 | - Joining the Malcore Discord → [Join Today](https://m4lc.io/courses/discord) 47 | 48 | #### Become a sponsor 49 | 50 | These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience. 51 | 52 | Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details! 53 | -------------------------------------------------------------------------------- /.github/sponsorships/patron_example.md: -------------------------------------------------------------------------------- 1 |


4 | 5 | **Shameless Plug** 6 | 7 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 8 | 9 | --- 10 | 11 | #### Sponsor 12 | 13 | Special thanks to our sponsor of this course: [YOU](https://perkinsfund.org)! 14 | 15 |


18 | 19 | Some random description you made 20 | 21 | --- 22 | 23 | --- 24 | 25 | # What will be covered? 26 | - stuff1 27 | - stuff2 28 | - ... 29 | 30 | --- 31 | 32 | # stuff1 33 | 34 | # stuff2 35 | 36 | # ... 37 | 38 | --- 39 | 40 | # Outro 41 | 42 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 43 | 44 | #### Support the Bible 45 | 46 | Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider: 47 | - Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund) 48 | - Registering → [Sign Up](https://m4lc.io/courses/register) 49 | - Joining the Discord → [Join Today](https://m4lc.io/courses/discord) 50 | - Exploring our incredible sponsor [YOU](https://perkinsfund.org)! 51 | 52 | #### Become a sponsor 53 | 54 | These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience. 55 | 56 | Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details! 
57 | -------------------------------------------------------------------------------- /.github/sponsorships/contributor_example.md: -------------------------------------------------------------------------------- 1 |


4 | 5 | **Shameless Plug** 6 | 7 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 8 | 9 | --- 10 | 11 | # What will be covered? 12 | - stuff1 13 | - stuff2 14 | - ... 15 | 16 | --- 17 | 18 | # stuff1 19 | 20 | --- 21 | 22 | #### Sponsor 23 | 24 | Special thanks to our sponsor of this course: [YOU](https://perkinsfund.org)! 25 | 26 |


29 | 30 | Some random description you made 31 | 32 | --- 33 | 34 | # stuff2 35 | 36 | # ... 37 | 38 | --- 39 | 40 | # Outro 41 | 42 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 43 | 44 | #### Support the Bible 45 | 46 | Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider: 47 | - Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund) 48 | - Registering for Malcore → [Sign Up](https://m4lc.io/courses/register) 49 | - Joining the Malcore Discord → [Join Today](https://m4lc.io/courses/discord) 50 | - Exploring our incredible sponsor [YOU](https://perkinsfund.org)! 51 | 52 | #### Become a sponsor 53 | 54 | These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience. 55 | 56 | Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details! 
57 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Code of Conduct 2 | 3 | As contributors and maintainers of the **Malware Bible**, we are committed to fostering an open, respectful, and harassment-free environment for everyone—regardless of experience level, background, identity, or role. 4 | 5 | We value collaboration from all corners of the cybersecurity community: reverse engineers, analysts, educators, students, researchers, hackers, and defenders alike. Contributions come in many forms—reporting bugs, submitting writeups, proposing ideas, sharing tools, improving documentation, and participating in discussions. 6 | 7 | --- 8 | 9 | ## Expected Behavior 10 | 11 | All participants are expected to: 12 | 13 | - Treat others with respect and professionalism. 14 | - Support constructive discussion and mutual learning. 15 | - Attribute content appropriately and avoid plagiarism. 16 | - Maintain a focus on education, legality, and ethics. 17 | 18 | --- 19 | 20 | ## Unacceptable Behavior 21 | 22 | Examples of behavior that will not be tolerated include: 23 | 24 | - Use of sexualized language or imagery 25 | - Personal attacks, insults, or harassment 26 | - Trolling, inflammatory comments, or gatekeeping 27 | - Public or private harassment, including DMs or off-platform actions 28 | - Publishing private or identifying information without consent 29 | - Any promotion of illegal activity or unethical hacking 30 | - Disruptive behavior that undermines the educational mission 31 | 32 | --- 33 | 34 | ## Enforcement 35 | 36 | Project maintainers have the right to take appropriate actions, including: 37 | 38 | - Removing, editing, or rejecting contributions (comments, issues, PRs, etc.) 
39 | - Issuing warnings or temporary bans 40 | - Permanently banning repeat or egregious offenders 41 | 42 | All enforcement decisions will be made fairly and consistently. Maintainers who violate or fail to uphold this Code of Conduct may be removed from the project team. 43 | 44 | --- 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies within all project spaces, including: 49 | 50 | - GitHub repositories 51 | - Documentation and wiki pages 52 | - Discord and community chat spaces 53 | - Any public representation of the project 54 | 55 | --- 56 | 57 | ## Reporting Issues 58 | 59 | If you witness or experience any behavior that violates this Code of Conduct, please report it to the maintainers at: 60 | 61 | **contact@perkinsfund.org** 62 | 63 | All reports will be handled confidentially. We will investigate and respond as appropriate to the circumstances. 64 | 65 | --- 66 | 67 | This Code of Conduct is based on the [Contributor Covenant](https://www.contributor-covenant.org), version 1.3.0, available at 68 | [contributor-covenant.org/version/1/3/0/](https://www.contributor-covenant.org/version/1/3/0/) 69 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to the Malware Bible 2 | 3 | Welcome, and thank you for your interest in contributing to the Malware Bible! 4 | This project is an open-source cybersecurity resource dedicated to the study, documentation, and education of cybersecurity. We welcome contributions from reverse engineers, analysts, educators, students, researchers, hackers, and defenders worldwide. 5 | 6 | --- 7 | 8 | ## Guiding Principles 9 | 10 | - **Educational Focus** 11 | All contributions must align with our mission of cybersecurity education, threat analysis, malware research, and reverse engineering. 
Content promoting illegal activity, unethical behavior, or the creation of live threats will not be accepted. 12 | 13 | - **Respect and Professionalism** 14 | Treat fellow contributors with respect. This is a collaborative learning space. Harassment, gatekeeping, or toxic behavior will not be tolerated. 15 | 16 | - **Accuracy and Attribution** 17 | Contributions should be technically sound, well-organized, and properly attributed if based on prior work or publications. 18 | 19 | --- 20 | 21 | ## What You Can Contribute 22 | 23 | - **Malware Family Writeups** 24 | Static/dynamic analysis, behavioral patterns, known variants, IOCs, and tooling used. 25 | 26 | - **Reverse Engineering Tutorials** 27 | Guides covering unpacking, debugging, decompilation, tooling walkthroughs, and analysis workflows. 28 | 29 | - **Threat Actor Profiles** 30 | Information on APT groups, TTPs (MITRE ATT&CK), infrastructure, and campaigns. 31 | 32 | - **Indicators and Signatures** 33 | YARA rules, Sigma rules, Suricata rules, PCAPs, and IOC datasets. 34 | 35 | - **Educational Tools** 36 | Analysis scripts, safe emulation environments, setup guides, and curated resources. 37 | 38 | - **Cybersecurity Learning Materials** 39 | Any educational content that helps learners of all levels — from basic network security to advanced exploit development. 40 | 41 | --- 42 | 43 | ## How to Contribute 44 | 45 | 1. **Fork the Repository** 46 | Create a new branch from the latest `main` branch and make your changes there. 47 | 48 | 2. **Write Clearly and Consistently** 49 | Use Markdown for documents, follow consistent structure, and ensure clarity. Check for spelling, grammar, and formatting. 50 | 51 | 3. **Ensure Safe Code** 52 | All code must be safe to run in educational or sandbox environments. Include documentation, sample input/output, and comments. 53 | 54 | 4. **Open a Pull Request (PR)** 55 | Describe your changes clearly. Link to any relevant issues or resources. 56 | 57 | 5. 
**Engage in Review** 58 | Be responsive to feedback and willing to make revisions to align with the project’s goals and style. 59 | 60 | --- 61 | 62 | ## Prohibited Content 63 | 64 | - Live malware samples or binaries (zipped and encrypted is okay) 65 | - Obfuscation or packing scripts for live malware 66 | - Undisclosed or unpatched exploit code 67 | - Offensive security content not explicitly educational 68 | - Any material promoting unethical, harmful, or illegal activity 69 | - Content unrelated to our mission of cybersecurity education 70 | 71 | --- 72 | 73 | ## Licensing 74 | 75 | By contributing, you agree that your submissions fall under the terms of our [LICENSE](LICENSE). 76 | Note: We maintain a **dual license model** — one for written educational content and another for code contributions. 77 | 78 | --- 79 | 80 | ## Join the Community 81 | 82 | Get involved, ask questions, or share ideas with us: 83 | 84 | - **Discord**: [Join the Conversation](https://discord.gg/X8NrbVXCEv) 85 | 86 | Thank you for supporting the Malware Bible. Let’s build the future of open cybersecurity education together. 87 | -------------------------------------------------------------------------------- /The Journey/ELF PE Structure.md: -------------------------------------------------------------------------------- 1 | # THIS IS A WORK IN PROGRESS AND IS NOT PUBLICLY RELEASED YET 2 | 3 |


6 | 7 | **Shameless plug** 8 | 9 | This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/) 10 | 11 | Please consider donating to [The Perkins Cybersecurity Educational](https://donorbox.org/malware-bible-fund) Fund 12 | 13 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 14 | 15 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 16 | 17 | --- 18 | 19 | # What will be covered? 20 | - [What is an ELF file?](#what-is-an-elf-file) 21 | - [Detailed breakdown](#breakdown-of-the-elf-file) 22 | - [Header](#elf-header) 23 | - [Program header](#program-header) 24 | - [Section header](#section-header) 25 | - [ELF sections](#elf-sections) 26 | - [Section overview](#elf-file-sections-overview) 27 | - [Dynamic sections](#dynamic-sections) 28 | - [Relocation sections](#relocation-sections) 29 | - [Note section](#note-section) 30 | - [Core dump section](#core-dump-section) 31 | - [Tables](#elf-file-tables) 32 | - [Symbol table](#symbol-table) 33 | - [String table](#string-table) 34 | - [That's it](#in-closing) 35 | 36 | # What is an ELF file? 37 | 38 | The executable and linkable format (ELF) is a standard file format for executables, object code, shared libraries, and core dumps. ELF format is widely used on Unix based operating systems. It is designed to be flexible and extensible. 39 | 40 | --- 41 | 42 | # Breakdown of the ELF file 43 | 44 | To visualize the file format we have created a basic ascii representation of the file 45 | 46 | ```shell 47 | ─────────────────────────────────────────────────────────────────── 48 | 00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............ ─┐ 49 | 00000010: 0200 3e00 0100 0000 0000 0000 0000 0000 ..>............. │── ELF Header 50 | 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
│ 51 | 00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 52 | ─────────────────────────────────────────────────────────────────── 53 | ─────────────────────────────────────────────────────────────────── 54 | 00000040: 0100 0000 0000 0000 4000 0000 0000 0000 ........@....... ─┐ 55 | 00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │─ Program Header Table (PHT) 56 | 00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 57 | 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 58 | ─────────────────────────────────────────────────────────────────── 59 | ─────────────────────────────────────────────────────────────────── 60 | 00000080: 0100 0000 0000 0000 0000 0000 0000 0000 ................ ─┐ 61 | 00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 62 | 000000A0: 2e74 6578 7400 0000 1200 0000 0100 0000 .text........... │────── Sections 63 | 000000B0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 64 | 000000C0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 65 | 000000D0: 2e64 6174 6100 0000 1200 0000 0000 0000 .data.......... ─┘ 66 | ─────────────────────────────────────────────────────────────────── 67 | ─────────────────────────────────────────────────────────────────── 68 | 000000E0: 0300 0000 0000 0000 2e73 796d 7461 6200 .........symtab. ─┐ 69 | 000000F0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │── Symbol Table 70 | 00000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 71 | 00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 72 | ─────────────────────────────────────────────────────────────────── 73 | ─────────────────────────────────────────────────────────────────── 74 | 00000120: 0300 0000 0000 0000 2e73 7472 7461 6200 .........strtab. ─┐ 75 | 00000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │── String Table 76 | 00000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
│ 77 | 00000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 78 | ─────────────────────────────────────────────────────────────────── 79 | ─────────────────────────────────────────────────────────────────── 80 | 00000160: 0400 0000 0000 0000 2e72 656c 6f63 2e64 .........reloc.d ─┐ 81 | 00000170: 6174 6100 0000 0000 0000 0000 0000 0000 ata.............. │── Relocation Section 82 | 00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │ 83 | 00000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 84 | ─────────────────────────────────────────────────────────────────── 85 | ─────────────────────────────────────────────────────────────────── 86 | 000001A0: 0500 0000 0000 0000 2e6e 6f74 6500 0000 .........note... ─┐ 87 | 000001B0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ │── Note Section 88 | 000001C0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ─┘ 89 | ─────────────────────────────────────────────────────────────────── 90 | ``` 91 | 92 | ### ELF header 93 | 94 | The header is located at the beginning of the file: 95 | 96 | ![Header](../.github/elf/img.png) 97 | 98 | Contained within this header are multiple pieces of information. Together they tell the loader (and the analyst) what kind of ELF file this is, which architecture it targets, where the program header and section header tables are, and where execution starts. Every field after `e_ident` is read using the class and byte order declared in `e_ident`, so those bytes must be checked before anything else is parsed. 99 | 100 | - `e_ident` 101 | - The first 16 bytes: the magic number, the class (32- or 64-bit), the data encoding, the ELF version and the OS/ABI 102 | - Magic number (bytes 0-3: `7F 45 4C 46` -> `.ELF`) 103 | - Class (byte 4, `EI_CLASS`): selects the 32- or 64-bit header layout 104 | - `0x01` == 32-bit 105 | - `0x02` == 64-bit 106 | - Data encoding (byte 5, `EI_DATA`): the byte order of every multi-byte field that follows 107 | - `0x01` == little endian 108 | - `0x02` == big endian 109 | - ELF version (byte 6, `EI_VERSION`, always `0x01`) 110 | - OS/ABI (byte 7, `EI_OSABI`): the target operating system or ABI. Most Linux toolchains leave this at `0x00` (System V) even for Linux binaries, so treat it as a hint rather than a reliable identifier 111 | - ABI version (byte 8, `EI_ABIVERSION`, normally `0x00`) 112 | - Padding (bytes 9-15, zero) 113 | - Known `EI_OSABI` values: 114 | 115 | | Byte | Description | 116 | |--------|-------------------------------| 117 | | `0x00` | System V | 118 | | `0x01` | HP-UX | 119 | | `0x02` | NetBSD | 120 | | `0x03` | Linux | 121 | | `0x04` | GNU Hurd | 122 | | `0x06` | Solaris | 123 | | `0x07` | AIX (Monterey) | 124 | | `0x08` | IRIX | 125 | | `0x09` | FreeBSD | 126 | | `0x0A` | Tru64 | 127 | | `0x0B` | Novell Modesto | 128 | | `0x0C` | OpenBSD | 129 | | `0x0D` | OpenVMS | 130 | | `0x0E` | NonStop Kernel | 131 | | `0x0F` | AROS | 132 | | `0x10` | FenixOS | 133 | | `0x11` | Nuxi CloudABI | 134 | | `0x12` | Stratus Technologies OpenVOS | 135 | 136 | ![e_ident](../.github/elf/img_1.png) 137 | 138 | - `e_type` 139 | - Specifies the object file type: relocatable, executable, shared object, or core dump. It is a 2-byte field stored in the byte order given by `EI_DATA`. 140 | - Possible types: 141 | 142 | | `e_type` Value | Constant | Description | 143 | |-------------------|--------------------------|-----------------------------------------------------------| 144 | | `0x0000` | `ET_NONE` | No file type | 145 | | `0x0001` | `ET_REL` | Relocatable file (object file, `.o`) | 146 | | `0x0002` | `ET_EXEC` | Executable file with a fixed load address | 147 | | `0x0003` | `ET_DYN` | Shared object, including position-independent executables | 148 | | `0x0004` | `ET_CORE` | Core dump | 149 | | `0xFE00`-`0xFEFF` | `ET_LOOS`-`ET_HIOS` | Reserved for OS-specific types | 150 | | `0xFF00`-`0xFFFF` | `ET_LOPROC`-`ET_HIPROC` | Reserved for processor-specific types | 151 | 152 | - Position-independent executables (the default output of modern `gcc` and `clang` on most Linux distributions) are `ET_DYN`, so `e_type` alone does not separate a PIE executable from a shared library. Look for a `PT_INTERP` program header (shared libraries normally have none) or the `DF_1_PIE` flag in `DT_FLAGS_1`. 153 | 154 | ![e_type](../.github/elf/img_2.png) 155 | 156 | - `e_machine` 157 | - Indicates the target instruction set architecture (a 2-byte field). The class byte in `e_ident` gives the word size and `e_machine` gives the ISA; both are needed to pick a disassembler, because a single value such as `EM_MIPS` or `EM_RISCV` covers both 32- and 64-bit files. 158 | - Most common types: 159 | 160 | | `e_machine` Value | Constant | Description | 161 | |-------------------|----------------|---------------------------------------| 162 | | `0x00` | `EM_NONE` | No machine | 163 | | `0x01` | `EM_M32` | AT&T WE 32100 | 164 | | `0x02` | `EM_SPARC` | SPARC | 165 | | `0x03` | `EM_386` | Intel 80386 (32-bit x86) | 166 | | `0x04` | `EM_68K` | Motorola 68000 | 167 | | `0x05` | `EM_88K` | Motorola 88000 | 168 | | `0x07` | `EM_860` | Intel 80860 | 169 | | `0x08` | `EM_MIPS` | MIPS I Architecture (R3000 and later) | 170 | | `0x28` | `EM_ARM` | ARM (32-bit) | 171 | | `0x2A` | `EM_SH` | Hitachi SuperH | 172 | | `0x32` | `EM_IA_64` | Intel Itanium | 173 | | `0x3E` | `EM_X86_64` | AMD x86-64 (x64) | 174 | | `0xB7` | `EM_AARCH64` | ARM 64-bit (AArch64) | 175 | | `0xF3` | `EM_RISCV` | RISC-V | 176 | 177 | - Other notable types: 178 | 179 | | `e_machine` Value | Constant | Description | 180 | |-------------------|------------------|-----------------------------------------------------------------------| 181 | | `0x0F` | `EM_PARISC` | HP/PA RISC | 182 | | `0x53` | `EM_AVR` | Atmel AVR | 183 | | `0x69` | `EM_MSP430` | Texas Instruments MSP430 | 184 | | `0x86` | `EM_ECOG2` | Cyan Technology eCOG2 | 185 | | `0x9026` | `EM_ALPHA` | DEC Alpha (unofficial value used by Linux; some older tools use `0x29`) | 186 | | `0xA3` 
| `EM_BLACKFIN` | Analog Devices Blackfin | 173 | | `0xDC` | `EM_TI_C6000` | Texas Instruments TMS320C6000 DSP family| 174 | | `0xF7` | `EM_BPF` | Berkeley Packet Filter | 175 | 176 | ![e_machine](../.github/elf/img_3.png) 177 | 178 | - `e_version` 179 | - This indicates the version of ELF that is being used. There are really only two different version: 180 | - `0x00000000` 181 | - `EV_NONE` 182 | - Invalid version 183 | - `0x00000001` 184 | - `EV_CURRENT` 185 | - Current version (original version 1) 186 | 187 | ![e_version](../.github/elf/img_4.png) 188 | 189 | 190 | ### Program header 191 | 192 | ### Section header 193 | 194 | --- 195 | 196 | # ELF sections 197 | 198 | ### ELF file sections overview 199 | 200 | ### Dynamic sections 201 | 202 | ### Relocation sections 203 | 204 | ### Note section 205 | 206 | ### Core dump section 207 | 208 | --- 209 | 210 | # ELF file tables 211 | 212 | ### Symbol table 213 | 214 | ### String table 215 | 216 | --- 217 | 218 | # In closing -------------------------------------------------------------------------------- /The Beginning/Introduction to Shellcode.md: -------------------------------------------------------------------------------- 1 | # Introduction to Shellcode 2 | 3 |
**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity Educational Fund](https://donorbox.org/malware-bible-fund)

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)

**NOTE: This course assumes that you understand the basics of x86 assembly and C code.**

***

## What will be covered?

* [What the f\*ck is shellcode?]()
* [How does it work?]()
* [Let's write some]()
* [Compiling shellcode]()
* [Adding it to your executable]()
* [We out g]()

***

## What the f\*ck is shellcode?

In a nutshell, shellcode is a small piece of code used as the payload in a software exploit.

Typically, shellcode is written in assembly language and is designed to be injected into memory. Its primary use is arbitrary code execution; however, it can be used for multiple other functions.

The purpose of shellcode is to gain control of a system by injecting it into the vulnerable process. It is usually carefully constructed and designed specifically for the individual attack it accomplishes. This matters because, a lot of the time, shellcode must be refined per system.

***

## How does Shellcode work?

To explain how shellcode works I first need to provide you with an exploitable program. For this we will use a basic program that is vulnerable to a buffer overflow because it never checks the length of the input passed to it. The code is below:

```c
#include <stdio.h>
#include <string.h>

void no_length_check_function(char *input) {
    // add a buffer
    char buffer[100];
    // do not check the length of the input and copy
    strcpy(buffer, input);
}

// create the 'entrypoint' for the program that takes argc (argument count) and argv (argument variables) as the arguments
int main(int argc, char *argv[]) {
    // without an argument argv[1] is NULL, so bail out instead of dereferencing it
    if (argc < 2) {
        return 1;
    }
    // pass the first argv (argv[1]), which will be the second argument IE: file.exe ARGUMENT1, to the vulnerable function
    no_length_check_function(argv[1]);
    // return because it's an int
    return 0;
}
```

This program, when compiled, allows an attacker to control the EIP by passing more than 100 characters as the argument. We can create a pseudo shellcode to overwrite the EIP with the following:

```asm
xor eax, eax        ;"\x31\xc0"
push eax            ;"\x50"
push "//sh"         ;"\x68\x2f\x2f\x73\x68"
push "/bin"         ;"\x68\x2f\x62\x69\x6e"
mov ebx, esp        ;"\x89\xe3"
push eax            ;"\x50"
push ebx            ;"\x53"
mov ecx, esp        ;"\x89\xe1"
cdq                 ;"\x99"
mov al, 0xb         ;(execve syscall number) ;"\xb0\x0b"
int 0x80            ;(trigger syscall) ;"\xcd\x80"
```

In theory what would happen is the following:

* The attacker fills the buffer (in this case 100 characters) with whatever they want. In this scenario you could easily fill the buffer using something like `python -c 'print("A"*100)'`.
* The attacker overwrites the return address, or EIP, to point to the location of their shellcode.
* The overwritten EIP now holds the shellcode address and the shellcode is executed.

Note that this explanation will most likely not assemble as written and is not expected to run. It is a pseudo example designed to show you how shellcode works and why it works.

***

## Let's write some shellcode!

Now that you have the basic idea, we will start writing our own. We will write a basic assembly program to launch calc.exe. We will then convert the assembly into shellcode and call it through a C program. Let's get started:

```asm
section .text
global _start

_start:
    ; push a null terminated string containing 'calc.exe' onto the stack
    xor eax, eax
    push eax
    push 0x6578652e     ; "exe."
    push 0x636c6163     ; "calc"
    mov ebx, esp

    ; get WinExec address from kernel32.dll (this address is system-specific and will differ on your machine)
    mov eax, 0x76c76360

    push 1
    push ebx            ; "calc.exe"
    call eax            ; call WinExec(lpCmdLine="calc.exe", SW_SHOWNORMAL)

    ; exit cleanly
    xor eax, eax
    push eax
    mov al, 0x1
    int 0x80
```

Now that we have this shellcode, what we need to do is compile it. To do so you will need two things:

1. [NASM](https://www.nasm.us/) -> NASM is an assembler/disassembler for the Intel x86 architecture.
2. [MinGW](https://www.mingw-w64.org/downloads/) -> MinGW is "Minimalist GNU for Windows" and provides you with commands like gcc on Windows.

You can download both using Chocolatey or the respective links included above. Once you have these installed, make sure to add them both to your `PATH` environment variable.

***

## Compiling it!

Now that you have what you need, we can continue with the compilation. What we need to do first is compile the shellcode into an object (`.o`) file. Save the above code into `test_calc.asm` and follow the steps below:

1. Compile the assembly using the `nasm` command:

```bash
nasm -f win32 .\test_calc.asm -o test_calc.o
```

You should get no output from this command, which indicates that the assembly was compiled successfully. What we just did was compile the raw assembly file into the `win32` (`-f win32`) object format and create the object file named `test_calc.o` (`-o test_calc.o`).

2. Link the object file using the `gcc` command:

**NOTE: This command may differ depending on your system and architecture**

```bash
gcc -m32 -o test_calc.exe .\test_calc.o "-Wl,-e,_start" -nostdlib
```

The above command tells `gcc` to link the output as a 32-bit (`-m32`) application, sets the entrypoint to the `_start` label (`-Wl,-e,_start`), and keeps the standard libraries out of the link (`-nostdlib`). Congratulations! You have successfully compiled your own shellcode!

***

## Adding shellcode to your attack

If this is the first time you've done this, you're probably thinking: "Well that's cool, but it's not in the normal `\xnn` format I see all the time", and you are completely right! That is because we have not yet turned our shellcode into the format we need. If you look above, you will notice that we compiled the shellcode into an `exe` file at the end, which is great, but we don't need that step in order to get the shellcode. What we need is the object file and the disassembly of that file. We can get this using something like `objdump` on the object file:

```bash
PS C:\Users\xxx> objdump -d .\test_calc.o

.\test_calc.o:     file format pe-i386


Disassembly of section .text:

00000000 <_start>:
   0:   31 c0                   xor    %eax,%eax
   2:   50                      push   %eax
   3:   68 2e 65 78 65          push   $0x6578652e
   8:   68 63 61 6c 63          push   $0x636c6163
   d:   89 e3                   mov    %esp,%ebx
   f:   b8 60 63 c7 76          mov    $0x76c76360,%eax
  14:   6a 01                   push   $0x1
  16:   53                      push   %ebx
  17:   ff d0                   call   *%eax
  19:   31 c0                   xor    %eax,%eax
  1b:   50                      push   %eax
  1c:   b0 01                   mov    $0x1,%al
  1e:   cd 80                   int    $0x80
```

Now we can convert the above to the correct format by copying the opcodes and writing them in the `\xnn` format like so:

```bash
\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\xb8\x60\x63\xc7\x76\x6a\x01\x53\xff\xd0\x31\xc0\x50\xb0\x01\xcd\x80
```

You're probably thinking: "my fucking God, there has to be a better way", and yes there is! However, it is important that you understand how all this takes place before looking for the shortcuts. Now that we have the correct format, the most common way to run shellcode is by inserting it into a function call. We will use C for this:

```c
unsigned char code[] = "\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\xb8\x60\x63\xc7\x76\x6a\x01\x53\xff\xd0\x31\xc0\x50\xb0\x01\xcd\x80";

int main(void) {
    // cast the byte array to a function pointer that takes no arguments, then call it
    (*(void(*)()) code)();
}
```

The above C code calls the `unsigned char` array as a function and runs it directly. In a nutshell, this part: `(*(void(*)()) code)();` is a type cast that treats the bytes as a function pointer without any arguments. This allows us to execute the shellcode without needing to inject it into a vulnerable process.
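Copying opcodes out of a disassembly by hand is error-prone (a byte pair is easy to type twice), so the following added example automates it. It is not part of the original course: it parses the `objdump -d` listing shown above (embedded here as constructed input), checks that the listing is contiguous, emits the `\xnn` literal used in the C loader, and also renders the bytes as a YARA hex string with the hardcoded `WinExec` immediate wildcarded, which is how a defender would write a rule for a stub like this. The helper names and the wildcard offsets (`0x10`-`0x13`, the imm32 after `b8`) are this example's own choices.

```python
import re

# Constructed input: the `objdump -d test_calc.o` listing shown above.
OBJDUMP_LISTING = r"""
.\test_calc.o:     file format pe-i386


Disassembly of section .text:

00000000 <_start>:
   0:   31 c0                   xor    %eax,%eax
   2:   50                      push   %eax
   3:   68 2e 65 78 65          push   $0x6578652e
   8:   68 63 61 6c 63          push   $0x636c6163
   d:   89 e3                   mov    %esp,%ebx
   f:   b8 60 63 c7 76          mov    $0x76c76360,%eax
  14:   6a 01                   push   $0x1
  16:   53                      push   %ebx
  17:   ff d0                   call   *%eax
  19:   31 c0                   xor    %eax,%eax
  1b:   50                      push   %eax
  1c:   b0 01                   mov    $0x1,%al
  1e:   cd 80                   int    $0x80
"""

# One instruction line: "<hex offset>:" then a run of two-digit hex bytes,
# each followed by whitespace (a space, or the gap before the mnemonic).
# A mnemonic never passes as a byte because it is not exactly two hex
# digits followed by whitespace.
_INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}(?:\s|$))+)")


def extract_opcodes(listing: str) -> bytes:
    """Collect the opcode bytes of every instruction line, in address order.

    Each line's offset must equal the number of bytes gathered so far. A gap
    means the listing was truncated, spliced, or misparsed, and the bytes
    would then not be the code the disassembly describes.
    """
    code = bytearray()
    for line in listing.splitlines():
        m = _INSN_RE.match(line)
        if m is None:
            continue  # blank lines, "file format", section and symbol headers
        offset = int(m.group(1), 16)
        if offset != len(code):
            raise ValueError(f"non-contiguous listing at offset {offset:#x}")
        code += bytes.fromhex("".join(m.group(2).split()))
    return bytes(code)


def to_c_literal(code: bytes) -> str:
    """Render the bytes as the "\\xnn" string used in the C loader above."""
    return "".join(f"\\x{b:02x}" for b in code)


def parse_c_literal(literal: str) -> bytes:
    """Inverse of to_c_literal; use it to check a hand-typed literal."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def to_yara_hex(code: bytes, wildcard: range = range(0)) -> str:
    """Render the bytes as a YARA hex string.

    Offsets in `wildcard` are emitted as `??`. For this sample that lets a
    rule ignore the hardcoded WinExec address, which differs from machine to
    machine, while still matching the rest of the stub.
    """
    parts = ["??" if i in wildcard else f"{b:02X}" for i, b in enumerate(code)]
    return "{ " + " ".join(parts) + " }"


if __name__ == "__main__":
    code = extract_opcodes(OBJDUMP_LISTING)
    print(len(code), "bytes")
    print(to_c_literal(code))
    print(to_yara_hex(code, wildcard=range(0x10, 0x14)))
```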
***

## In closing

This course has provided you with the basics of how shellcode works, how to compile it, and how to launch it from within a C program. It was designed specifically for beginners to understand the basic concepts of shellcode and what it does. We hope you have found this course useful and understandable.

There is a high probability that this shellcode will not launch calc.exe on your system; that is most likely because the hardcoded address of WinExec (`0x76c76360`) is incorrect for your machine. To fix this you would need to perform actions such as `LoadLibraryA` and resolve the correct addresses at runtime. Unfortunately, that is out of scope for this introduction and will be shown later. We encourage readers to try and figure this out themselves.

#### Support the Bible

Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible, please consider:
- Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund)

#### Become a sponsor

These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience.

Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details!
--------------------------------------------------------------------------------
/The Scriptures/radare2.md:
--------------------------------------------------------------------------------
### Index

- [Command Line Options](#command-line-options)
- [Configuration Properties](#configuration-properties)
- [Basic Commands](#basic-commands)
- [Positioning](#positioning)
- [Block Size](#block-size)
- [JSON Output](#json-output)
- [Analyze](#analyze)
- [Information](#information)
- [Write](#write)
- [Flags](#flags)
- [Yank & Paste](#yank-and-paste)
- [Visual Mode](#visual-mode)
- [ROP](#rop)
- [Searching](#searching)
- [Comments & Defines](#comments-and-defines)
- [Magic Files](#magic-files)
- [Yara](#yara)
- [Zignatures](#zignatures)
- [Compare Files](#compare-files)
- [Graphs](#graphs)
- [Debugger](#debugger)
- [WebGUI (Enyo)](#webgui-enyo)
- [Radare2 Suite Commands](#radare2-suite-commands)
- [Shellcode Generator (ragg2)](#shellcode-generator-ragg2)
- [Executable Analysis (rabin2)](#executable-analysis-rabin2)
- [Program Launcher (rarun2)](#program-launcher-rarun2)

---

### Command Line Options

| **Commands** | Details |
|--------------|---------|
| `-L` | List of supported IO plugins |
| `-q` | Exit after processing commands |
| `-w` | Write mode enabled |
| `-i [file]` | Interprets an r2 script |
| `-A` | Analyze executable at load time |
| `-n` | Bare load, do not load executable info such as the entrypoint |
| `-c 'cmds'` | Run r2 and execute commands |
| `-p [prj]` | Creates a project for the file being analyzed |
| `-` | Opens r2 with the malloc plugin that provides a 512-byte memory area |

[Back to Index](#index)

---

### Configuration Properties

| **Commands** | Details |
|--------------|---------|
| `e` | Returns configuration properties |
| `e [key]` | Check a specific property |
| `e [key]=[value]` | Change a property value |
| `e?` | Help about a configuration property |

[Back to Index](#index)

---

### Basic Commands

| **Commands** | Details |
|--------------|---------|
| Command chaining | `x 3;s+3;pi 3;s+3;pxo 4;` |
| Pipe with shell commands | `pd \| less` |
| Run shell commands | `!cat /etc/passwd` |
| Escape to shell | `!!command` and pass output to Radare buffer |

[Back to Index](#index)

---

### Positioning

| **Commands** | Details |
|--------------|---------|
| `s address` | Move cursor to address or symbol |
| `s-5` | Move 5 bytes backward |
| `s-` | Undo seek |
| `s+` | Redo seek |

[Back to Index](#index)

---

### Block Size

| **Commands** | Details |
|--------------|---------|
| `b size` | Change block size |

[Back to Index](#index)

---

### JSON Output

| **Commands** | Details |
|--------------|---------|
| `j` | Most commands accept a `j` suffix to print their output in JSON format |

[Back to Index](#index)

---

### Analyze

| **Commands** | Details |
|--------------|---------|
| `aa` | Analyze all functions and basic blocks |
| `af` | Analyze functions |
| `afl` | List all functions |
| `afi` | Info on current function |
| `afr` | Rename function |

[Back to Index](#index)

---

### Information

| **Commands** | Details |
|--------------|---------|
| `iI` | File info |
| `iz` | Strings in data section |
| `iS` | Sections |
| `is` | Symbols |
| `il` | Linked libraries |
| `ii` | Imports |
| `ie` | Entrypoint |

[Back to Index](#index)

---

### Write

| **Commands** | Details |
|--------------|---------|
| `wx` | Write hex values at the current offset |
| `wa` | Write assembly |
| `wc` | Write cache commit |
| `wv` | Write value with endian conversion and padding |

[Back to Index](#index)

---

### Flags

| **Commands** | Details |
|--------------|---------|
| `f` | List flags |
| `f label @ offset` | Define a flag at an offset |
| `fr` | Rename flag |
| `fd` | Return position from nearest flag |

[Back to Index](#index)

---

### Yank and Paste

| **Commands** | Details |
|--------------|---------|
| `y n` | Copy `n` bytes from current position |
| `yp` | Print yank buffer |
| `yy offset` | Paste contents of yank buffer at an offset |

[Back to Index](#index)

---

### Visual Mode

| **Commands** | Details |
|--------------|---------|
| `V` | Enter visual mode |
| `q` | Exit visual mode |
| `hjkl` | Move around while in visual mode |
| `o` | Go to offset |

[Back to Index](#index)

---

### ROP

| **Commands** | Details |
|--------------|---------|
| `/R opcodes` | Search for opcodes |
| `/a` | Search for assembly |
| `pda` | Returns a library of gadgets |

[Back to Index](#index)

---

### Searching

| **Commands** | Details |
|--------------|---------|
| `/ bytes` | Search for bytes |
| `/m [magicfile]` | Search magic number headers |

[Back to Index](#index)

---

### Comments and Defines

| **Commands** | Details |
|--------------|---------|
| `Cd [size]` | Define as data |
| `C- [size]` | Define as code |
| `CC` | Add a new comment in console mode |

[Back to Index](#index)

---

### Magic Files

| **Commands** | Details |
|--------------|---------|
| `pm` | Print Magic files analysis |
| `/m [magicfile]` | Search magic number headers |

[Back to Index](#index)

---

### Yara

| **Commands** | Details |
|--------------|---------|
| `:yara scan` | Scan with Yara for detecting signatures |

[Back to Index](#index)

---

### Zignatures

| **Commands** | Details |
|--------------|---------|
| `zg` | Generate zignatures |
| `z` | Show loaded zignatures |

[Back to Index](#index)

---

### Compare Files

| **Commands** | Details |
|--------------|---------|
| `r2 -m 0xf0000 /etc/fstab` | Open source file |
| `cc offset` | Diff by columns between two offsets |

[Back to Index](#index)

---

### Graphs

| **Commands** | Details |
|--------------|---------|
| `ag $$ > a.dot` | Dump basic block graph to a file named `a.dot` |
| `agc $$ > b.dot` | Dump call graph to a file named `b.dot` |

[Back to Index](#index)

---

### Debugger

| **Commands** | Details |
|--------------|---------|
| `r2 -d [pid\|cmd\|ptrace]` | Start r2 in debugger mode (if the command contains spaces use quotes) |
| `dp` | Show processes and threads |
| `dc` | Continue execution |
| `db address` | Set a breakpoint |

[Back to Index](#index)

---

### WebGUI (Enyo)

| **Commands** | Details |
|--------------|---------|
| `=h` | Start the server |
| `=H` | Start server and browser |

[Back to Index](#index)

---

### Radare2 Suite Commands

| **Commands** | Details |
|--------------|---------|
| `rax2 -e` | Base conversion and endian change |
| `rahash2 -a entropy` | Show entropy per block |
| `radiff2 -C` | Code diffing |
| `rasm2 -d` | Disassemble data |

[Back to Index](#index)

---

### Shellcode Generator (ragg2)

| **Commands** | Details |
|--------------|---------|
| `ragg2 -a x86 -b 32 -i exec` | Generate 32-bit x86 shellcode |

[Back to Index](#index)

---

### Executable Analysis (rabin2)

| **Commands** | Details |
|--------------|---------|
| `rabin2 -I` | Executable info |
| `rabin2 -s` | Symbols |

[Back to Index](#index)

---

### Program Launcher (rarun2)

| **Commands** | Details |
|--------------|---------|
| `r2 -b 32 -d rarun2 program=exp1 arg1=$(ragg2 -P 200 -r)` | Launch a program with args inside r2's debugger |
| `r2 -d rarun2 program=/bin/cat stdin=$(python e.py)` | Run /bin/cat with the output of `e.py` directed to stdin |

[Back to Index](#index)

---

--------------------------------------------------------------------------------
/The Scriptures/yara_rules.md:
--------------------------------------------------------------------------------
4 | 5 | **Shameless plug** 6 | 7 | This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/) 8 | 9 | Please consider donating to [The Perkins Cybersecurity Educational](https://donorbox.org/malware-bible-fund) Fund 10 | 11 | You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee 12 | 13 | [!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)** 14 | 15 | --- 16 | 17 | # Index 18 | 19 | - [Overview](#yara-rule-overview) 20 | - [Keywords and sections](#keywords-and-sections) 21 | - [Import overview](#imports-overview) 22 | - [Meta overview](#meta-overview) 23 | - [Strings overview](#strings-overview) 24 | - [Conditions overview](#conditions-overview) 25 | 26 | # Yara rule overview 27 | 28 | ``` 29 | ┌───────────────────────────── Rule Header ───────────────────────────────┐ 30 | │ ┌──────────────── Imports ───────────────┐ 31 | │ │ import "pe" <- Import modules 32 | │ └─────────────────────────────────────────┘ 33 | │ 34 | │ rule : ... 35 | │ { [ Start the rule with a open bracket ] 36 | │ ┌──────────────── Section: Meta ────────────┐ 37 | │ │ meta: 38 | │ │ description = "..." <- Freeform comments 39 | │ │ author = "..." 
40 | │ │ date = "YYYY-MM-DD" 41 | │ └────────────────────────────────────────────┘ 42 | │ 43 | │ ┌──────────────── Section: Strings ───────┐ 44 | │ │ strings: 45 | │ │ $text1 = "malicious string" <- Plaintext 46 | │ │ $hex1 = { 6D 61 6C 77 61 72 65 } <- Hex pattern 47 | │ │ $re1 = /evil[\d]+/ <- Regex pattern 48 | │ └───────────────────────────────────────────┘ 49 | │ 50 | │ ┌───────────── Section: Condition ────────┐ 51 | │ │ condition: 52 | │ │ any of them <- Trigger logic 53 | │ │ // other examples: 54 | │ │ all of ($text1, $hex1) 55 | │ │ $re1 and filesize < 1MB 56 | │ └───────────────────────────────────────────┘ 57 | │ } [ End the rule with a close bracket ] 58 | └─────────────────────────────────────────────────────────────────────────┘ 59 | ``` 60 | 61 | --- 62 | 63 | # Keywords and sections 64 | 65 | - `import` 66 | - Use to import modules 67 | - `meta:` 68 | - Used for comments and metadata, this section is not used in the logic of the rule 69 | - `strings:` 70 | - Where you define the context you're looking for 71 | - `condition:` 72 | - Where the logic is defined, you set your condition here to determine matches 73 | 74 | --- 75 | 76 | # Imports overview 77 | 78 | Imports allow you to access modules within the Yara framework. To use imports all you have to do is `import "module"` at the start of the rule. 79 | 80 | | Module | Use case examples | 81 | |-----------|--------------------------------------------| 82 | | `pe` | Analyze PE headers, entry point, etc. 
| 83 | | `math` | Use math functions in conditions | 84 | | `dotnet` | Gather attributes out of .NET files | 85 | | `cuckoo` | Use dynamic analysis from Cuckoo sandbox | 86 | | `lnk` | Get lnk file attributes | 87 | | `console` | Provides the ability to log to the console | 88 | 89 | You can find an exhaustive breakdown [here](https://yara.readthedocs.io/en/stable/modules.html) 90 | 91 | --- 92 | 93 | # Meta overview 94 | 95 | Meta sections contain the metadata of the rule and are not used within the logic of the rule. It is filled with key/value pairs and can contain pretty much anything. 96 | 97 | ``` 98 | ... 99 | meta: 100 | author = "Some Author" 101 | copyright = "PCEF" 102 | something = "something 103 | ... 104 | ``` 105 | 106 | --- 107 | 108 | # Strings overview 109 | 110 | This is the section where you create your strings to determine if it is the same file or not. All strings must start with a `$` character. These are used in the conditions section to refer to the string. The strings section is not actually needed to make a complete rule as long as the conditions section doesn't rely on any strings. 111 | 112 | ``` 113 | ... 114 | strings: 115 | # This is a regular string 116 | $s1 = "This is a test string" 117 | 118 | # This is a hexidecimal string 119 | # ?? == Any bytes match 120 | # [1-50 == Indicate a jump from 1 to 5 match 121 | # ~ == This is a not operator, any value but the defined 122 | # ~? == Not operator with an any bytes to indicate any but 123 | # defined 124 | # [1-] == Indicates and unbound jump, there is not an end 125 | # (90 89 | 12) == This provides alternatives for the bytes either the 126 | # first two or the second one 127 | $s2 = { ?? 90 90 [1-5] ~00 ~?0 [1-] (90 89 | 12) } 128 | 129 | # This is the regular expression. All regular expressions are in the 130 | # Perl programming language format. 131 | $s3 = /some.magic\.regex\"/ 132 | 133 | # Strings are able to take "modifiers" to make them match more 134 | # types of the string. 
This specific one means that there is
# no character case constraint. For example this will match
# both 'test string' and 'TEST STRING' and any variation
$s4 = "test string" nocase
...
```

#### Text strings

Text strings can contain a subset of the C language escape sequences:

| Sequence | Description |
|----------|-------------|
| `\"` | Double quote |
| `\\` | Backslash |
| `\r` | Carriage return |
| `\t` | Tab |
| `\n` | New line |
| `\xdd` | Arbitrary byte, given as two hexadecimal digits |

#### Modifiers

Text strings also accept modifiers, as in the `nocase` example above. Modifiers include:

| Modifier | Description |
|----------|-------------|
| `nocase` | Case-insensitive match |
| `wide` | Matches the string encoded with two bytes per character (each ASCII character followed by a zero byte, the way ASCII text looks in UTF-16LE); combine it with `ascii` to match both encodings |
| `ascii` | Matches the one-byte-per-character encoding (the default when no encoding modifier is given) |
| `xor` | Matches the string XORed with any single-byte key; `xor(0x01-0xff)` restricts the key range |
| `base64` | Matches the string as it appears inside base64-encoded data, at all three possible alignments (`base64wide` does the same for the two-byte encoding; both accept a custom alphabet as an argument) |
| `fullword` | Matches only when the string is not preceded or followed by an alphanumeric character |
| `private` | The string still counts in conditions but is never reported in YARA's output |

Not every combination is allowed: `xor` cannot be combined with `nocase`, and `base64` cannot be combined with `nocase`, `xor` or `fullword`.

#### Regular expressions

Regular expressions are written between forward slashes, accept the `nocase`, `ascii`, `wide`, `fullword` and `private` modifiers, and support the following metacharacters and quantifiers:

| Meta | Description |
|------|-------------|
| `\` | Quote the next metacharacter |
| `^` | Match the beginning of the data |
| `$` | Match the end of the data |
| `.` | Matches any single character except a newline |
| `\|` | Alternation |
| `()` | Grouping |
| `[]` | Set of characters (character class) |
| `*` | Match 0 or more times |
| `+` | Match 1 or more times |
| `?` | Match 0 or 1 times |
| `{n}` | Match exactly n times |
| `{n,}` | Match at least n times |
| `{,m}` | Match at most m times |
| `{n,m}` | Match at least n and at most m times |
| `\w` | Word character (letter, digit or underscore) |
| `\W` | Any non-word character |
| `\s` | Whitespace character |
| `\S` | Non-whitespace character |
| `\d` | Digit character |
| `\D` | Non-digit character |
| `\b` | Word boundary |
| `\B` | Position that is not a word boundary |

# Conditions overview

Conditions are boolean expressions that decide whether the rule matches. They combine string matches, match counts, offsets, file properties and module data using the operators below.

```
...
condition:
    // three of any of the strings whose identifier starts with $s
    3 of ($s*)
...
```

#### Operators

| Operator | Description |
|----------|-------------|
| `[]` | Array subscripting |
| `.` | Structure member access |
| `~` | Bitwise NOT |
| `-` | Unary minus / subtraction |
| `*` | Multiplication |
| `/` | Division |
| `%` | Remainder |
| `+` | Addition |
| `<<` | Bitwise left shift |
| `>>` | Bitwise right shift |
| `&` | Bitwise AND |
| `^` | Bitwise XOR |
| `\|` | Bitwise OR |
| `<` | Less than |
| `>` | Greater than |
| `<=` | Less than or equal to |
| `>=` | Greater than or equal to |
| `==` | Equal to |
| `!=` | Not equal to |
| `contains` / `icontains` | String contains substring (the `i` prefix makes it case-insensitive) |
| `startswith` / `istartswith` | String starts with substring (the `i` prefix makes it case-insensitive) |
| `endswith` / `iendswith` | String ends with substring (the `i` prefix makes it case-insensitive) |
| `iequals` | Case-insensitive string comparison |
| `matches` | String matches a regular expression |
| `not` | Logical NOT |
| `defined` | True if the expression has a defined value (for example a module field that may be absent) |
| `and` | Logical AND |
| `or` | Logical OR |

A few keywords are commonly used alongside these operators:

| Keyword | Description |
|---------|-------------|
| `filesize` | Size of the file being scanned (undefined when scanning a process) |
| `at` | Tests whether a string matches at a given offset or virtual address (`$a at 100`) |
| `entrypoint` | Entry point of a PE or ELF file (deprecated; use `pe.entry_point` or `elf.entry_point` from the modules instead) |

#### Accessing data at specific locations

You may need to read an 8, 16 or 32-bit integer at a given offset (or, when scanning a process, at a virtual address). The following functions take that offset as their argument and read little-endian values by default; the `be` variants read big-endian data. YARA has no 64-bit variants, so a larger value has to be assembled from two 32-bit reads.

```
int8(offset)
int16(offset)
int32(offset)

uint8(offset)
uint16(offset)
uint32(offset)

int8be(offset)
int16be(offset)
int32be(offset)

uint8be(offset)
uint16be(offset)
uint32be(offset)
```
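The following Python model is an added example and not part of the original YARA notes. It reproduces what the text-string modifiers above actually make YARA search for (`ascii`, `wide`, `xor`, `base64`, with `nocase` and `fullword` applied at match time), implements the `uint16()`/`uint32()` reads used in conditions, and evaluates a `2 of ($s*)` style condition over a constructed buffer. The rule strings, their identifiers and the sample buffer are made up for the demo; the base64 trimming keeps only the characters that are fully determined by the string, which is the property YARA's `base64` modifier relies on to match at any alignment.

```python
import base64
import re
import struct


def base64_forms(raw):
    """The three base64 alignments of raw, keeping only characters whose six bits
    come entirely from raw, so each form matches inside a longer base64 stream."""
    forms = []
    for pad in range(3):
        padded = b"\x00" * pad + raw
        encoded = base64.b64encode(padded).decode("ascii")
        head = -(-4 * pad // 3)          # chars influenced by the leading pad bytes
        keep = (4 * len(padded)) // 3    # chars fully determined by the data
        forms.append(encoded[head:keep].encode("ascii"))
    return forms


def string_variants(text, modifiers=()):
    """Byte patterns a YARA text string with these modifiers is compared against.
    nocase and fullword change how a pattern is matched, so find_string() handles them."""
    mods = set(modifiers)
    if "xor" in mods and "nocase" in mods:
        raise ValueError("YARA does not allow xor together with nocase")
    if "base64" in mods and mods & {"nocase", "xor", "fullword"}:
        raise ValueError("YARA does not allow base64 with nocase, xor or fullword")
    raw = text.encode("ascii")
    encodings = []
    if "wide" not in mods or "ascii" in mods:      # one byte per char unless only `wide`
        encodings.append(raw)
    if "wide" in mods:                              # two bytes per char: b"t\x00e\x00..."
        encodings.append(b"".join(bytes([c, 0]) for c in raw))
    variants = []
    for enc in encodings:
        if "xor" in mods:                           # every single-byte key; key 0 is the plain string
            variants += [bytes(b ^ key for b in enc) for key in range(256)]
        elif "base64" in mods:
            variants += base64_forms(enc)
        else:
            variants.append(enc)
    return variants


def find_string(data, text, modifiers=()):
    """Sorted offsets at which the (modified) string matches in data."""
    mods = set(modifiers)
    flags = re.IGNORECASE if "nocase" in mods else 0
    hits = set()
    for variant in string_variants(text, modifiers):
        pattern = re.escape(variant)
        if "fullword" in mods:                      # nothing alphanumeric glued to either side
            pattern = rb"(?<![0-9A-Za-z])" + pattern + rb"(?![0-9A-Za-z])"
        hits.update(m.start() for m in re.finditer(pattern, data, flags))
    return sorted(hits)


def uint16(data, offset):
    """YARA's uint16(offset): unsigned 16-bit little-endian read."""
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data, offset):
    """YARA's uint32(offset): unsigned 32-bit little-endian read."""
    return struct.unpack_from("<I", data, offset)[0]


def uint32be(data, offset):
    """YARA's uint32be(offset): the big-endian variant."""
    return struct.unpack_from(">I", data, offset)[0]


# A strings: section as (text, modifiers) pairs. Identifiers and strings are illustrative.
RULE_STRINGS = {
    "$s1": ("test string", ("wide", "nocase")),
    "$s2": ("cmd.exe", ("xor",)),
    "$s3": ("powershell", ("base64",)),
    "$s4": ("ransom", ("ascii", "fullword")),
}


def evaluate_rule(data):
    """condition: uint16(0) == 0x5A4D and 2 of ($s*)  ->  (matched?, identifiers that hit)"""
    matched = {name for name, (text, mods) in RULE_STRINGS.items() if find_string(data, text, mods)}
    is_mz = len(data) >= 2 and uint16(data, 0) == 0x5A4D
    return is_mz and len(matched) >= 2, matched


def build_sample():
    """Constructed input: a fake MZ/PE header followed by planted strings."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)          # e_lfanew points at "PE\0\0"
    hdr[0x40:0x44] = b"PE\0\0"
    body = b"".join([
        "TEST STRING".encode("utf-16-le"),               # hits $s1 (wide + nocase)
        bytes(b ^ 0x42 for b in b"cmd.exe"),              # hits $s2 (xor, key 0x42)
        base64.b64encode(b"x" + b"powershell -enc"),      # hits $s3 (base64, one byte misaligned)
    ])
    return bytes(hdr) + body


def base64_alignments(text, prefixes=(b"", b"q", b"qq")):
    """Offsets at which text is found in base64 streams placing it at each of the three alignments."""
    return [find_string(base64.b64encode(p + text.encode("ascii") + b"zz"), text, ("base64",))
            for p in prefixes]


if __name__ == "__main__":
    sample = build_sample()
    print(evaluate_rule(sample))                           # (True, {'$s1', '$s2', '$s3'})
    print(hex(uint32(sample, uint32(sample, 0x3C))))       # 0x4550, the "PE\0\0" signature
    print(base64_alignments("powershell"))
```

The `xor` expansion shows why that modifier is expensive on large rule sets (256 patterns per encoding), and `base64_alignments` shows why three forms are needed: the same string encodes differently depending on how many bytes precede it in the stream.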

--------------------------------------------------------------------------------
/The Scriptures/idapro.md:
--------------------------------------------------------------------------------

**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity Educational Fund](https://donorbox.org/malware-bible-fund)

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)

---

## Index

- [Keys](#keys)
- [Navigation](#navigation)
- [Search](#search)
- [Graphing](#graphing)
- [Comments](#comments)
- [Data Format Options](#data-format-options)
- [Open Subviews](#open-subviews)
- [File Operations](#file-operations)
- [Debugger](#debugger)
- [Breakpoints](#breakpoints)
- [Watches](#watches)
- [Tracing](#tracing)
- [Misc](#miscellaneous)
- [Edit](#edit-data-types--etc)
- [Operand Type](#operand-type)
- [Segments](#segments)
- [Structs](#structs)
- [Functions](#functions)

---

## Keys

| Key | Description |
|-------|-------------|
| Shift | Shift key |
| Alt | Alt key |
| Ctrl | Control key |
| Esc | Escape key |
| Enter | Enter key |

---

## Navigation

| Action | Shortcut |
|---------------------------|------------|
| Jump to operand | Enter |
| Jump in new window | Alt+Enter |
| Jump to previous position | Esc |
| Jump to next position | Ctrl+Enter |
| Jump to address | G |
| Jump by name | Ctrl+L |
| Jump to function | Ctrl+P |
| Jump to segment | Ctrl+S |
| Jump to segment register | Ctrl+G |
| Jump to problem | Ctrl+Q |
| Jump to cross reference | Ctrl+X |
| Jump to xref to operand | X |
| Jump to entry point | Ctrl+E |
| Mark position | Alt+M |

---

## Search

| Action | Shortcut |
|------------------------|----------|
| Next code | Alt+C |
| Next data | Ctrl+D |
| Next explored | Ctrl+A |
| Next unexplored | Ctrl+U |
| Immediate value | Alt+I |
| Next immediate value | Ctrl+I |
| Text | Alt+T |
| Next text | Ctrl+T |
| Sequence of bytes | Alt+B |
| Next sequence of bytes | Ctrl+B |
| Not function | Alt+U |

---

## Graphing

| Action | Shortcut |
|----------------|----------|
| Flow chart | F12 |
| Function calls | Ctrl+F12 |

---

## Comments

| Action | Shortcut |
|---------------------------|-----------------|
| Enter comment | Shift+; (`:`) |
| Enter repeatable comment | ; |
| Enter anterior lines | Ins |
| Enter posterior lines | Shift+Ins |
| Insert predefined comment | Shift+F1 |

---

## Data Format Options

| Action | Shortcut |
|---------------------|----------|
| ASCII strings style | Alt+A |
| Setup data types | Alt+D |

---

## Open Subviews

| Action | Shortcut |
|-------------------|-----------|
| Names | Shift+F4 |
| Functions | Shift+F3 |
| Strings | Shift+F12 |
| Segments | Shift+F7 |
| Segment registers | Shift+F8 |
| Signatures | Shift+F5 |
| Type libraries | Shift+F11 |
| Structures | Shift+F9 |
| Enumerations | Shift+F10 |

---

## File Operations

| Action | Shortcut |
|---------------------|----------|
| Parse C header file | Ctrl+F9 |
| Create ASM file | Alt+F10 |
| Save database | Ctrl+W |

---

## Debugger

| Action | Shortcut |
|-------------------|----------|
| Start process | F9 |
| Terminate process | Ctrl+F2 |
| Step into | F7 |
| Step over | F8 |
| Run until return | Ctrl+F7 |
| Run to cursor | F4 |

---

## Breakpoints

| Action | Shortcut |
|-----------------|------------|
| Breakpoint list | Ctrl+Alt+B |

---

## Watches

| Action | Shortcut |
|--------------|----------|
| Delete watch | Del |

---

## Tracing

| Action | Shortcut |
|-------------|------------|
| Stack trace | Ctrl+Alt+S |

---

## Miscellaneous

| Action | Shortcut |
|--------------------------|---------------|
| Calculator | Shift+/ (`?`) |
| Cycle through open views | Ctrl+Tab |
| Select tab | Alt+[1…N] |
| Close current view | Ctrl+F4 |
| Exit | Alt+X |
| IDC command | Shift+F2 |

---

## Edit (Data Types – etc)

| Action | Shortcut |
|--------------------|----------|
| Copy | Ctrl+Ins |
| Begin selection | Alt+L |
| Manual instruction | Alt+F2 |
| Code | C |
| Data | D |
| Struct variable | Alt+Q |
| ASCII string | A |
| Array | Num * |
| Undefine | U |
| Rename | N |

---

## Operand Type

| Action | Shortcut |
|--------------------------|---------------|
| Offset (data segment) | O |
| Offset (current segment) | Ctrl+O |
| Offset by (any segment) | Ctrl+R |
| Offset (user-defined) | Alt+R |
| Offset (struct) | T |
| Number (default) | Shift+3 (`#`) |
| Hexadecimal | Q |
| Decimal | H |
| Binary | B |
| Character | R |
| Segment | S |
| Enum member | M |
| Stack variable | K |
| Change sign | Shift+- (`_`) |
| Bitwise negate | Shift+` (`~`) |
| Manual | Alt+F1 |

---

## Segments

| Action | Shortcut |
|-------------------------------|----------|
| Edit segment | Alt+S |
| Change segment register value | Alt+G |

---

## Structs

| Action | Shortcut |
|-------------------------|----------|
| Struct var | Alt+Q |
| Force zero offset field | Alt+Z |
| Select union member | Alt+Y |

---

## Functions

| Action | Shortcut |
|----------------------|----------|
| Create function | P |
| Edit function | Alt+P |
| Set function end | E |
| Stack variables | Ctrl+K |
| Change stack pointer | Alt+K |
| Rename register | V |
| Set function type | Y |

--------------------------------------------------------------------------------
/The Beginning/Introduction to x86 Assembly.md:
--------------------------------------------------------------------------------

##### NOTE: This course assumes that you are using Linux and have nasm installed.

---

#### Sponsor

Special thanks to the sponsor of this course: [Maldev Academy](https://maldevacademy.com/?referrer=perkinsfund)!

Offensive security and malware development training academy

---

# What will be covered?
- [What is x86 Assembly?](#what-is-x86-assembly)
- [Breakdown of the Registers](#registers)
- [Breakdown of the Stack](#the-stack)
- [Writing Code in x86 Assembly](#writing-code-in-x86-assembly)
- [Compiling x86 Assembly Files](#compiling-assembly-code)
- [That's all Folks](#in-closing)

---

# What is x86 Assembly?

In a nutshell, assembly is a low-level programming language whose instructions map directly onto what the CPU executes. Each instruction consists of a mnemonic (the human-readable name of an opcode) followed by zero or more operands: registers, immediate values or memory addresses. Some instructions also take a prefix, such as `rep` on the string instructions.

The x86 in the name is the CPU architecture. Each architecture has its own assembly language because each has its own instruction set: Intel and AMD x86 chips execute different instructions from ARM chips, so assembly written for one does not run on the other.

This course is a semi-deep dive into 32-bit x86 assembly and should give you enough understanding of how assembly works to build a program successfully.

---

# Registers

In a sentence: registers are small storage locations inside the CPU that hold temporary data during execution.

Each register has a conventional purpose. However, most of them can also be used as general-purpose storage for other operations. This section describes the registers of the 32-bit x86 architecture.

### General purpose registers
- `EAX`
  - Purpose:
    - The Accumulator register.
  - Common usage:
    - Normally used for arithmetic operations such as `add`, `sub` and `mul`, and to hold the result of a calculation (including a function's return value and, on Linux, the system call number).
  - Example of usage:
    ```asm
    mov eax, 15 ; loads 15 into the EAX register
    add eax, 15 ; EAX now holds 30
    ```
- `EBX`
  - Purpose:
    - The Base register
  - Common usage:
    - Usually used as a pointer to data in memory, but can also be used for arithmetic.
  - Example of usage:
    ```asm
    mov ebx, msg ; loads the 32-bit address of the label msg into EBX
    ```
- `ECX`
  - Purpose:
    - The Counter register
  - Common usage:
    - Mostly used as a loop counter or by the string/memory instructions as a repeat count
  - Example of usage:
    ```asm
    mov ecx, 10    ; load 10 into ecx
    loop_start:    ; the loop body starts here
    dec ecx        ; ecx = ecx - 1, sets ZF when ecx reaches 0
    jnz loop_start ; jump back to loop_start while ecx != 0
    ```
- `EDX`
  - Purpose:
    - The Data register
  - Common usage:
    - Works with `eax` for multiplication and division, holding the upper part of a 64-bit value.
  - Example of usage:
    ```asm
    mov eax, 20 ; loads 20 into eax
    mov edx, 4  ; loads 4 into edx
    mul edx     ; edx:eax = eax * edx = 80 (edx gets the high 32 bits, here 0; eax the low 32 bits, 80)
    ```

##### NOTE: A 32-bit by 32-bit multiply can need 64 bits, which is why `mul` writes the high half of the product into `edx` and the low half into `eax`. `div` works the other way round: it divides the 64-bit value `edx:eax`, so clear `edx` (`xor edx, edx`) before a 32-bit unsigned division; otherwise the quotient may not fit in `eax` and the CPU raises a divide error (#DE).

---
### Pointer and index registers
- `ESI`
  - Purpose:
    - The Source Index register
  - Common usage:
    - Mostly used by the string instructions such as `movsb`, `movsw` and `movsd` as the source address
  - Example of usage:
    ```asm
    mov esi, source ; load the address of the label source into ESI
    ```
- `EDI`
  - Purpose:
    - The Destination Index register
  - Common usage:
    - Holds the destination address for the same string instructions
  - Example of usage:
    ```asm
    mov edi, dest ; load the address of the label dest into EDI
    ```
- `EBP`
  - Purpose:
    - Base Pointer register
  - Common usage:
    - Generally points to the base of the current stack frame, so function parameters and local variables can be addressed relative to it.
  - Example of usage:
    ```asm
    push ebp     ; save the caller's base pointer
    mov ebp, esp ; set the new base pointer to the current stack pointer
    ```
- `ESP`
  - Purpose
    - Stack Pointer register
  - Common usage:
    - Points to the top of the stack and is updated automatically by `push`, `pop`, `call` and `ret`.
  - Example of usage:
    ```asm
    lea eax, [msg] ; loads the address of msg into eax
    push eax       ; push that address onto the stack
    mov ebx, [esp] ; read the top of the stack through esp
    ```
---
### Special Purpose Registers
- `EIP`
  - Purpose:
    - Instruction pointer
  - Common usage:
    - Holds the address of the next instruction to be executed. It cannot be written directly; it only changes through control-flow instructions such as `jmp`, `call` and `ret` (which is exactly why overwriting a saved return address on the stack hijacks execution).

- `EFLAGS`
  - Purpose
    - Flags register
  - Common usage:
    - Stores status flags that describe the result of the last operation.
  - Flags:
    - Zero Flag (ZF): the result was zero
    - Carry Flag (CF): the operation produced a carry or borrow (unsigned overflow)
    - Sign Flag (SF): the result was negative (its top bit is set)
    - Overflow Flag (OF): the operation overflowed as a signed value
---
### Table breakdown:

| Register | Purpose |
|----------|----------------------------|
| `EAX` | Accumulator (arithmetic) |
| `EBX` | Base register |
| `ECX` | Counter (loops, shifts) |
| `EDX` | Data register |
| `ESI` | Source index |
| `EDI` | Destination index |
| `ESP` | Stack pointer |
| `EBP` | Base pointer (stack frame) |
| `EIP` | Instruction pointer |

---
# The Stack

Now that we've covered the registers, we need to learn about the stack. The stack is a region of memory that works on the last in, first out (LIFO) principle: the last item added is the first item removed.

The stack is used to store temporary data such as return addresses, local variables, function arguments and saved register values. The diagram below shows a typical stack frame after a function has been called and has set up its frame:
```
+------------------+ <- ESP: top of the stack (lowest address)
| Local Variable 2 | ; more temporary data is pushed
+------------------+
| Local Variable 1 | ; local variable pushed onto the stack
+------------------+
|   Previous EBP   | <- EBP: the caller's base pointer, saved on entering the function
+------------------+
|  Return Address  | ; pushed by CALL, popped back into EIP by RET
+------------------+
|  Function Arg 1  | ; arguments are placed on the stack by the caller
+------------------+
|       ...        | ; the stack grows downwards in memory, towards lower addresses
+------------------+ ; bottom of the stack (highest address)
```
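The following Python model is an added example and not code from the course. It reproduces the frame in the diagram above byte for byte (`push`/`pop`, `call`, the `push ebp; mov ebp, esp` prologue and the matching epilogue) and then shows why the layout matters for security: a copy into the 8-byte local buffer that runs long overwrites the saved EBP and then the return address, so `ret` jumps wherever the overflowing bytes say. It also models `mul` and `div` with the `edx:eax` pairing described in the NOTE under the registers. The stack address, the return address, the argument values and the buffer size are assumptions made for the demo.

```python
import struct

STACK_BASE = 0xBFFFF000   # lowest modelled address (assumed; a typical 32-bit Linux stack lives here)
STACK_SIZE = 0x1000       # 4 KiB of modelled stack memory
MASK32 = 0xFFFFFFFF


class Stack32:
    """ESP, EBP and a little-endian byte array standing in for stack memory."""

    def __init__(self):
        self.mem = bytearray(STACK_SIZE)
        self.esp = STACK_BASE + STACK_SIZE   # empty stack: ESP at the top, grows downwards
        self.ebp = 0

    def _off(self, addr, size=1):
        if not STACK_BASE <= addr <= addr + size - 1 < STACK_BASE + STACK_SIZE:
            raise IndexError(f"{addr:#x} is outside the modelled stack")
        return addr - STACK_BASE

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, self._off(addr, 4))[0]

    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, self._off(addr, 4), value & MASK32)

    def write_bytes(self, addr, data):            # an unchecked copy, like strcpy()
        o = self._off(addr, len(data))
        self.mem[o:o + len(data)] = data

    # push/pop move ESP by 4; ESP always points at the word on top
    def push(self, value):
        self.esp -= 4
        self.write32(self.esp, value)

    def pop(self):
        value = self.read32(self.esp)
        self.esp += 4
        return value

    # cdecl call: arguments pushed right to left, then CALL pushes the return address
    def call(self, return_addr, *args):
        for a in reversed(args):
            self.push(a)
        self.push(return_addr)

    # prologue: push ebp / mov ebp, esp / sub esp, N
    def prologue(self, local_bytes):
        self.push(self.ebp)
        self.ebp = self.esp
        self.esp -= local_bytes

    def arg(self, n):             # [ebp + 8 + 4*n]: arguments sit above saved EBP and return address
        return self.read32(self.ebp + 8 + 4 * n)

    def local_addr(self, size):   # [ebp - size]: locals sit below the saved EBP
        return self.ebp - size

    # epilogue: mov esp, ebp / pop ebp / ret (RET pops the return address into EIP)
    def epilogue(self):
        self.esp = self.ebp
        self.ebp = self.pop()
        return self.pop()


def call_and_return(payload=b"hi\0", return_addr=0x08048123):
    """func(0x41, 0x42) with an 8-byte local buffer that payload is copied into unchecked.
    Returns where RET jumps, the restored EBP, the arguments the callee read and whether
    the caller's ESP was restored afterwards."""
    st = Stack32()
    esp_before = st.esp
    st.call(return_addr, 0x41, 0x42)
    st.prologue(8)
    st.write_bytes(st.local_addr(8), payload)
    args = (st.arg(0), st.arg(1))
    target = st.epilogue()
    st.esp += 8                                  # add esp, 8: the caller discards its arguments
    return {"ret": target, "ebp": st.ebp, "args": args, "esp_ok": st.esp == esp_before}


def mul32(eax, src):
    """MUL r/m32: EDX:EAX = EAX * src. Returns (edx, eax, overflow); CF=OF=1 when edx != 0."""
    product = (eax & MASK32) * (src & MASK32)
    edx, eax = product >> 32, product & MASK32
    return edx, eax, edx != 0


def div32(edx, eax, src):
    """DIV r/m32: EAX = EDX:EAX / src, EDX = remainder. Raises, like the CPU's #DE fault,
    when src is zero or the quotient does not fit in 32 bits (stale EDX is the usual cause)."""
    if src == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    quotient, remainder = divmod((edx << 32) | (eax & MASK32), src & MASK32)
    if quotient > MASK32:
        raise OverflowError("#DE: quotient does not fit in EAX; clear EDX first")
    return quotient, remainder


if __name__ == "__main__":
    print(call_and_return())                                     # ret 0x08048123, esp_ok True
    overflow = b"A" * 8 + b"B" * 4 + struct.pack("<I", 0xDEADBEEF)
    print(call_and_return(overflow))                             # ret is now 0xDEADBEEF
    print(mul32(20, 4), div32(0, 20, 4))                         # (0, 80, False) (5, 0)
```

The sixteen-byte payload lands as 8 bytes of buffer, 4 bytes over the saved EBP and 4 bytes over the return address, which is the order the diagram shows from ESP upwards; the frame model makes that arithmetic visible without a debugger.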
Now if you don't fully understand this yet that's okay; that was a lot of information at once. Let's go through it. The basic principles are:
- The stack grows downwards in memory, from higher addresses to lower addresses.
- The `PUSH` instruction adds an item to the top of the stack: it subtracts 4 from `ESP` and stores the value there.
- The `POP` instruction removes the most recently added item: it loads the value at `ESP` and adds 4. For example:
```asm
; push instruction example
mov eax, 10 ; loads 10 into the eax register
push eax    ; push eax (10) onto the top of the stack

; current stack:
; TOP OF STACK -> 10

mov ebx, 20 ; loads 20 into the ebx register
push ebx    ; push ebx (20) onto the top of the stack

; current stack:
; TOP OF STACK -> 20
;                 10

; pop instruction example
pop ecx     ; pop the last item off the top of the stack (ecx = 20)

; current stack:
; TOP OF STACK -> 10

pop edx     ; pop the last item off the top of the stack (edx = 10)

; current stack:
; TOP OF STACK ->

; the stack is now empty
```
- The `ESP` register is the stack pointer: it holds the address of the current top of the stack, not the value on it. At the end of the example above `ESP` is back where it started, because everything that was pushed has been popped.
- When a function is called, its arguments and the return address are pushed onto the stack as well: `call` pushes the return address and `ret` pops it back into `EIP`.

So basically, as the stack grows downwards in memory, `push` and `pop` add and remove items at the top while `esp` automatically tracks where the top is.

---

# Writing code in x86 Assembly

When writing assembly you split the code into sections. Sections organise the program into areas of memory that have different purposes at runtime. Let's go through the sections and their responsibilities:

### Common Section Information

| Section Name | Description | Info | Notes |
|--------------|-------------|------|-------|
| `.text` | Contains the code of the program | Executable by the CPU | Read-only to prevent modification |
| `.data` | Holds the initialized static data that the program may modify | Usually stores globals and initialized data | Read-write |
| `.bss` | Stores uninitialized data | The sizes are known at assembly time; the loader zero-fills it at runtime | Takes no space in the file because no initial values are stored |
| `.rdata` | Stores read-only data | Not modified during execution | Holds constant data (the PE name; the ELF equivalent is `.rodata`) |

By splitting a program into sections, the loader can map each range with only the permissions it needs: code is executable but not writable, data is writable but not executable. That separation is what makes W^X / DEP possible, and it also lets the processor's caches, which treat code and data differently, work efficiently.

When the operating system loads the program it:
- Maps the sections marked executable into memory as code
- Maps the data sections into memory marked writable
- Sets the page permissions accordingly, for both performance and security

Basically, sections group code and data into readable, writable or executable regions, which lets the processor use memory efficiently, stops data being executed as code, and gives both the assembler and the operating system something simple to manage. An example of sections:

```asm
; initialized data section (data that will be used)
section .data
    message db 'Hello, World!', 0 ; a null-terminated string
    ...

; uninitialized data section (data that may be used)
section .bss
    buffer resb 128 ; reserves 128 bytes of memory for later use
    ...

; code section (the instructions that will be executed)
section .text
    global _start ; export the _start label so the linker can use it as the entry point

_start:
    ... ; the 'function'
```

### Writing the code

Now that we understand sections and what they are for, we can start writing some code. For this course we will write a basic 'Hello, World!' program in x86 assembly.

```asm
; declare the entry point of the program
global _start
;
; the keyword global makes the label (here _start) visible outside this file.
; The linker uses it to find where the program starts.
;

; initialized data section (readable and writable data)
section .data
    ; align the data on a 2-byte boundary for cheaper memory access
    align 2

    ; define a string followed by a newline character
    hello: db 'Hello world!', 0xa

    ; calculate the length of the string by subtracting its address from the current address ($)
    helloLen: equ $-hello
;
; this section stores the data used throughout the program. The align directive makes sure the
; string is aligned on a 2-byte boundary. helloLen is an assemble-time constant, not stored in memory.
;

; uninitialized data section
section .bss
;
; since there is no data that "may" be used, this section is empty
;

; the actual code of the program
section .text

; the entry point where execution starts
_start:
    ; syscall number for sys_write (32-bit Linux ABI)
    mov eax, 0x4

    ; file descriptor 1 = stdout
    mov ebx, 0x1

    ; address of the string
    mov ecx, hello

    ; length of the string
    mov edx, helloLen

    ; interrupt 0x80 makes the Linux system call
    int 0x80

    ; syscall number for sys_exit
    mov eax, 0x1

    ; exit status 0
    xor ebx, ebx

    ; interrupt to make the syscall
    int 0x80
;
; int 0x80 raises a software interrupt that transfers control from user space to the kernel
; (ring 0); the kernel performs the service selected by eax and returns to the next instruction.
; The section starts at the _start label, makes the write system call and then exits through
; the exit system call.
;
```

---

# Compiling Assembly Code

Now that we have written the program we need to assemble it, which requires NASM. Installation instructions are [here](https://www.nasm.us/). Assembly code is first assembled into an object file and then linked into an executable. Save the code above as `hello.asm` and follow the steps below:

```bash
salty@Loki:/tmp/asm_stuff$ nasm -f elf32 -o hello.o hello.asm
salty@Loki:/tmp/asm_stuff$ ld -m elf_i386 -o hello hello.o
salty@Loki:/tmp/asm_stuff$ ./hello
Hello world!
salty@Loki:/tmp/asm_stuff$
```
Let's break down what we just did, starting with `nasm -f elf32 -o hello.o hello.asm`:
```
nasm       # the assembler, run like any other Linux program
-f elf32   # -f format: produce a 32-bit ELF object file
-o hello.o # -o is the output file; without it nasm names the output after the input (hello.o here)
hello.asm  # the positional argument is the assembly file to assemble
```
There are plenty of other output formats; run `nasm -hf` to list them. The next command is `ld -m elf_i386 -o hello hello.o`. Same thing, let's break it down:
```
ld          # the linker, again run like any other Linux command
-m elf_i386 # -m EMULATION selects the target: a 32-bit x86 ELF executable, which the int 0x80 system calls used above expect
-o hello    # -o FILE names the output file (ld's default would be a.out)
hello.o     # the positional argument is the object file to link
```
Once both steps succeed you can run the result with `./hello`. You have now assembled, linked and run an assembly program.

---

#### Sponsor

Special thanks to the sponsor of this course: [TorGuard](https://torguard.net/)!

Surf safely [now](https://torguard.net/)

---

# In Closing
That's all there is to it! Assembly code can be daunting at times but is pretty simple once you get the grasp of it. In this course we have gone through the registers, the stack, building a simple program, and assembling and linking that program successfully. We hope that this course has been useful to you and that you have learned something from it. Once again:

#### Support the Bible

Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider:
- Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund)
- Exploring our incredible sponsor [Maldev Academy](https://maldevacademy.com/?referrer=perkinsfund)!

#### Become a sponsor

These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience.

Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details!

--------------------------------------------------------------------------------
/The Beginning/Introduction to Reverse Engineering.md:
--------------------------------------------------------------------------------
# Introduction to Reverse Engineering

##### NOTE: This course assumes that you know the PE file format, and know how to use Ghidra

# What will be covered?

- [What are we reversing](#what-are-we-reversing)
- [Getting started](#getting-started)
- [Needed tools](#the-tools-you-will-need)
- [First steps](#your-first-steps)
- [The files](#the-files)
- [monitor](#monitor)

# What are we reversing?

This course will take you through the process of reverse engineering the internals of a heart monitor, the Contec CMS8000. We chose it because there has never been an introductory reverse engineering course built around the firmware of a heart monitor. You can find all the files needed to follow along here: [https://github.com/Perkins-Fund/Introduction-to-RE](https://github.com/Perkins-Fund/Introduction-to-RE)

We will not be extracting the firmware or reversing the hardware; our focus is on the internals after extraction.
After you have cloned the above repository you will have the following files with the following SHA-256 hashes (in `sha256sum` format, so you can verify your copy before you start):

```
82f86a1a7d52e5d0506d3967aa9a5ef06a7e9bfdca5511a217dec62667820e9e ./bin/000000r_.ratr
2fa8172208b9c59226454fbaddac468174572f4a2b9926dcd7f607cd86de5fa7 ./bin/cmddog
12869c50efe637f2b137c6cb53f9d7ff23b755710812ba78ac748207bf566c2b ./bin/data/bm_demo_data
ced3f1abe9fae2a01ccd8c1925bfc57ad0891a189fd0bb265d4c6f6b3e12ac10 ./bin/data/co21
4eb4d16f9ec39f339810d3888df428a8333502f5be773ee4b7c167f3f31bf308 ./bin/data/codemo
cd7ef3ccd969fcd9d7c4c5b4d00339cb52a2b89e6bc4875afb552aba580c999d ./bin/data/ecgdata
c510954d6b93fa64d4e7d7c465b28cde4b102864295a334b94cfd37a349313a2 ./bin/data/ecgdataarr
a91a929c6fb0cbbb5afc0d9e4ac369b144af4fa45aca0ca24cdc92b77e30ed4f ./bin/data/lang/bulgarian
ad421eecd8fd8f55a4f1b3175a16c583e85261000ee1ffe31cadcc022c6156b5 ./bin/data/lang/chinese
d8bc062929e0fd527df5c9b69d04e7092c3a85e927a9a81f30b3afcdbf928a04 ./bin/data/lang/Czech
9ed9561c4426743bd15aadd2ad229208cc02b68ff861a9fb27fd908f9c5ead33 ./bin/data/lang/Dutch.lan
58f39915075f606573dad64046521e2602a84b5b6187a291ee6014fb0f01757c ./bin/data/lang/english
b25b6c6a10b5186cd1e94b0b711a18d5e41afc4ce259f72289fe80a53586e690 ./bin/data/lang/french
b8c14f50cac5c32e02641a658f65f6f2345c2349caf511f1b8c29329f23298ba ./bin/data/lang/German
f1e176e29815403f833ece39fff8e3f154a06626c8b1b46f51815508b0767d27 ./bin/data/lang/Italian
906aafd48a389b08858dba7eec047143df126a157c344ce3e31533ea27a7649e ./bin/data/lang/kz
435add8585dc80d77e3b325a65ab2f77c93fde1729f464f4fe3a3eb82944cc77 ./bin/data/lang/Polish.lan
901b70053afcc8299207f49727a3585741d5e5273d49acda1e34e0ff60bb92d6 ./bin/data/lang/Portuguese
85137bb0507bac47f5b95596b2ba284075306e9dc8850e40ffb82b084327fadc ./bin/data/lang/roumania
d21b850f4586f2e95dc4ec5f2d15bc55e1303fdf442d59d8d27b767b65f70b60 ./bin/data/lang/Russian
dd825661eaf9e4f044600af80f88b530d38043412f86e7006048484ef6a3fa8f ./bin/data/lang/Spanish.lan
c94ba5da880ed740da6bf2e80a22e2a2946bb84a3f6276ed888ab6021ca7ae8e ./bin/data/lang/Spanish_sa
c1eab9ca0bede8ba8666b33c00ee54f9c66c44b470e21d74c39c82b914fe1fd7 ./bin/data/lang/Turkish
c343a3abc26eb445549de9c2ee506b853ff7a037d3868c33addb84994f5745c4 ./bin/data/lang/Ukraine
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ./bin/data/nibp
fb5e512425fc9449316ec95969ebe71e2d576dbab833d61e2a5b9330fd70ee02 ./bin/data/port
777c57571aad0beaa27a8f7151b381cb74c0db154d7bc25e5325484f9b126cf3 ./bin/data/printer/iso8859-2_16_16_cu.DZK
799f1fc3e008009ce2ecaa53f8d2bee8681623de1d650eb50e00d7225ce101e7 ./bin/data/printer/iso8859-5_16_16_cu.DZK
b32b77e7f7c45c3696705dafd4ec614404a1b9a791116df741757b859dea5f69 ./bin/data/printer/iso8859-9_16_16.DZK
c6b125b33f29cd43052c2665e16ce11c9c2636fc5444ee6c68bf7e2c2bc8173e ./bin/data/printer/iso8859-9_16_16_cu.DZK
ac4aa945876a3a0b95bf8a0832c02a981d7bb323bc133407880d52cbd04d5484 ./bin/data/printer/kaiti_16_16.DZK
384cf77a324a6d2ff380f5e365837e2b298111af28cec8106929bd3256f16d92 ./bin/data/printer/kaiti_ft_16_16.DZK
6465fcd43cb8627294b63399bb693552fc1dc8a006c32caee24807e177eae351 ./bin/data/printer/song_16_16_cu.DZK
9224864d43fa86bbd6393bd2ee923e65c12e75eca434899c22c518d68c89c60b ./bin/data/spo2demo
4659d2f1318810966890190338b747c90e9fdd2cf3e6262a70df0f025566ee27 ./bin/data/st1
9438ff468f168dcb13828c098b0727eb59cdd480dd44ac1f38e390782324cf44 ./bin/data/st2
0d6bf46785b0d10a90c32f23d9da71e84c5ba22bc885e83e9de08372c999eac0 ./bin/data/technicalrec
30ac07c74a595e1ec61892468a891428f5645c46a3091754fc2c352591b73720 ./bin/data/twdata.bat
f136ccaa60a856cd0ac8d5d5b30eae836de2c230a344e3bb11dc139eda065106 ./bin/libiconv.so.2
680e0ea9e6e32e258caf613539465536d02f38d1490ff15b1460d16972c45433 ./bin/libMachineDetection.so
614c431cfc1ad3b1258c0483085edad1d9e759b8ee5c553aebaf4bfd96852a7c ./bin/libminigui-1.6.so.8
2c978bf59922748843d4a335cc53c75d2f2538d6c04261d2a16e53c8dac1de4e ./bin/libNicas.so.1
066234753eaf5446cb7063935cbbbffa784d6519dd0d918cf7925764c6806918 ./bin/libstdc++.so.6
052c8963239744437f3f850c8a3a26ef767780ade3de1f8036af135f7bcaa35d ./bin/monitor
f5e6c351cdfb8576507c8fa29776927c7e94f93b0671d5cd6ceeac30def7f521 ./bin/res/3dhear.bmp
47602cb941eb0fc69d3086a33ced7c5dfb75a85f077656cd68992cfe3967610f ./bin/res/allalmclose.bmp
d2f929bd1725efa995cf083c2ec616b3fe513b615ac0ae3a4a2b1983b591ab36 ./bin/res/almsound.bmp
18f8d063242d6a9355b3f3e83e1ea6e5c915fb43944770b93de7fbdef492385f ./bin/res/almsoundclose.bmp
1393c620891ec461466441b3e8c647b305300141c242d910a87072831482a8a7 ./bin/res/almsoundcloseyellow.bmp
b200d693877939374709f0ca837a943155d96dd938f50274d56647b32b871e0a ./bin/res/almsoundclose_16.bmp
d6f992a2e296cac3cc0ef3322d6ef0d1914f7ab100461709dd88034166359836 ./bin/res/almsound_16.bmp
6e01182c5b86312dd8e6636e4cc6a280e1c88472d89e0c55c9625ab90a7b0fde ./bin/res/almsound_16_8.bmp
ec2c2ffc6f1cdb11509a8f4e187ab62888708a7a84af10f4be18a752dfb4ff23 ./bin/res/almsound_8.bmp
9553edd67ece4ece36d723bdd70bfe4d5d20378c960ebda76090f213a686d093 ./bin/res/arrow_right.bmp
a9c682b8925eb934e65449985439fa513457fb4f1dff65c004e84d3637a3df3b ./bin/res/arrow_up.bmp
4b1c5640eb9b5f606092a5239b8b05bcf20be9b570a9c7bd639e987de4f388e7 ./bin/res/battery.bmp
bb532d9b35b3cd2f1b3e28ef70046404c14c4ddeebfa8c7401b163289833fda8 ./bin/res/battery1.bmp
6545fc8d7ed3bd1a2940ef4d6495f759b3c34fd6c683cd5d4b1c3cc994cddbca ./bin/res/battery1_8.bmp
134e39cc561c1c9b4eb01d674b859aa064fd289c26a602e77c4a7877bf131f6e ./bin/res/battery2.bmp
ac4354f44d4b33ace6e3e1aa650be3e37fabb1135321379ba8d3d2b573eee688 ./bin/res/battery2_8.bmp
a98b7e396012eed45d9ebedb63d2adc51bcd518a25968facf2226f9a7d6d60fc ./bin/res/battery3.bmp
d8c17722889ba8bd3aee10bed1be88f34b24a598e0518229547c20cf8e84faa1 ./bin/res/battery3_8.bmp
ea34755697442a598a387206c7e0b89f0991d9f9f79e0747628e26102c9dd4fd ./bin/res/batteryno.bmp
5a880d31486ee6f1fcacd1fa8176000656f2d84f9b8001224d8addae03c7dc5e ./bin/res/batteryno_8.bmp
ea2672f54b34cdd8f8a888e1f540adbb5a7c5062a0d9fe52eb2553457050a9ec ./bin/res/battery_8.bmp
289ee823060367135b64fc973c66c9a472492024e7934b4c915cada6c10f3467 ./bin/res/bt0.bmp
c1bf05ff2b542e9054db895952af578e296ebf469e51758153ae22d8d9e67fd7 ./bin/res/bt1.bmp
c27e1b02adb03d5ad7b3f0eb20d6f5debf878a668361cb1668d9735944a02446 ./bin/res/bt2.bmp
e872d31fbe63eff5a7929ffef360869efc5744b1fb1204aa26a62df3fcc84599 ./bin/res/bt3.bmp
3a7dee01bd8345d335bcbfe96e856acac0536460f18039ddf27ac987d6ce9355 ./bin/res/bt4.bmp
3bd4f0136d86efaec66200e82ee9c9eb19ed9d08fd073add8d432b041b1c1041 ./bin/res/btno.bmp
830ac5732ee26e98cc290e5c3f10f26fc467bf40ced92e5ab09dec510d07e89a ./bin/res/button-flat.bmp
9958b05ff4526693185a16c6ea9eda0e723726f8ce21e484f0babf65fc4c4f45 ./bin/res/check.bmp
4d1164d0dd8edd4e2dd4a1f38bae75a881b419754b9c3a6cc6167373f35fdfe2 ./bin/res/cursor_down.bmp
0f24d8f8e7b9822753f4fcee27bc2874d1a1515a8288bf38b2e863f15fe6e091 ./bin/res/cursor_left.bmp
df089efb6cf8d2429e89d5f329d50bb6c8a0b01e870e40370e90b384091cf647 ./bin/res/cursor_right.bmp
3440c6b4f09934beffdfa1093ddcbadc41ebed0edc24a3de6f666377ab60be12 ./bin/res/cursor_up.bmp
f810d24d31f759c5ff9822c486e04b57eb5d9c059856bd13d5526946ba17a472 ./bin/res/cvs/Entries
1d3ccaeeb9208935b97c2bcafe05f5998146de5f528a2842712b9ee1d1702aee ./bin/res/cvs/Repository
cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 ./bin/res/cvs/Root
197c0ba8a85876986d117723836418d17cca2b0819ca97c51e747792603ef3fd ./bin/res/demo.bmp
37e2b2f46e0755d0aa9aac9581d92c6d8ae5a67c7bd8d5992d2a4f16233ff32e ./bin/res/freezearrow.bmp
925d6571381fe1124c58dbcb57f586418346d0e348ce4f516bd29d8e403aa510 ./bin/res/hear.bmp 120 | 2a539ad3611beaac77cbc172386e367be066342ef6dd0d4a96807b06c692b2ac ./bin/res/hear.pbm 121 | e29dc4f29bed3a622915ca1cf107df852e7ade1f7e9a3fb56a5e5ec1c3b080a9 ./bin/res/hornclose.bmp 122 | a81915bbafa57a8086d6e9d908369b47dad72e28997b9e385917fc203afa2b2e ./bin/res/hornOFF.bmp 123 | 08f95415444a44e643dd02f1692b1067357bf50d06046af1760af3e6b0f089b6 ./bin/res/rescyan/0.bmp 124 | 768227b50d98aa1b8bef9820eb5ea255429fe6bd2438fbf1ce5d544b98bb3e28 ./bin/res/rescyan/1.bmp 125 | d986cb206ee8f118bc9173380b1ebc41bfcf57af74f388c164c16aecc380e872 ./bin/res/rescyan/2.bmp 126 | ed5f96ad804c755fed323bcfea457f8ad7ac2057384b73a362c39d38d4dfdecb ./bin/res/rescyan/3.bmp 127 | 1081c4061a8f36a74c239080b067810adcb45b6ae000ca2a218601102d2ae780 ./bin/res/rescyan/4.bmp 128 | d211d51cdc2fdea340489cad98e0c359090fdbe1bca3395a65f8c053a1ce3cba ./bin/res/rescyan/5.bmp 129 | e118b2fe6752972c0ddb30793e33aec67fb4f613044fe214d7bace1d57ceddfc ./bin/res/rescyan/6.bmp 130 | 6f6f015623bab0bcd542c786a5a0e40339bc08b5c6e1e8ad7e4bc761d7b721d4 ./bin/res/rescyan/7.bmp 131 | 0436b0bc767d9a7913f3bc93f7e884a4e85ec0113c9a550ba80bbcf2930d85ab ./bin/res/rescyan/8.bmp 132 | d245b28cab44e625f1004ef9b38eec642792a09511e55eab74e6c3e8094ac097 ./bin/res/rescyan/9.bmp 133 | 31d5b3c07c81ed000789b801363a62d592cc7a46f89d99428325b40366a6654f ./bin/res/rescyan/cvs/Entries 134 | 0661e70f3b269dd2a65a6a4dba0b4d5fb607dc58355e053ade63e458e0adc307 ./bin/res/rescyan/cvs/Repository 135 | cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 ./bin/res/rescyan/cvs/Root 136 | a437cf1ffceb313feb3d82b3d884fa441736d579a92098a3a9d53a021bc9dc28 ./bin/res/rescyan/left.bmp 137 | 9e66a40889acab2f3648c376f47ddf6fe28a20e1cb233cb60c837dd9b3ed7b43 ./bin/res/rescyan/right.bmp 138 | ce01fa3b36a529b6227d019a0ebbd91ad3816602644d84601750fe5b748ec49f ./bin/res/rescyan/root.bmp 139 | 55a50981c5e744e0f8e28d7ce259b6d7127350c01e9985a5b413034cfc488f65 
./bin/res/resgreen/0.bmp 140 | 1550e5964ec28fd330e2871cdeff0583803df45330c7741a3748dfca0248b0c7 ./bin/res/resgreen/1.bmp 141 | 06d0473e3ccd7eb6fa9848900c976e2e869047aae58679c165581a8ee5322971 ./bin/res/resgreen/2.bmp 142 | 77d5187ae20be85d3076ddc6e41defa566bb4ef8b68cf747c1c899393c1b1055 ./bin/res/resgreen/3.bmp 143 | 03126cd6e571678d9d14ea2f13ebccd0741f8ddf43113fbbcf311be8c126733f ./bin/res/resgreen/4.bmp 144 | bd3ce533764177f258a65b8c401bf7f0e1361c4118dd7d8b48216d7c74a82521 ./bin/res/resgreen/5.bmp 145 | 6d7caf0dccb101e07b64d91b77b0588190edbb05a56ece09db7c169a42195bfd ./bin/res/resgreen/6.bmp 146 | 5951fd4f8b6baf4c282b037e6615f095e1644e9de8baaafa1d158117bdf90da8 ./bin/res/resgreen/7.bmp 147 | eec762e14c62b51b494679f3b382e646ca236e07e95974572648250227d4b297 ./bin/res/resgreen/8.bmp 148 | 55de8a49554a505d13a719182597bd05e22ad4858db1964f3bb769713562b8eb ./bin/res/resgreen/9.bmp 149 | 31d5b3c07c81ed000789b801363a62d592cc7a46f89d99428325b40366a6654f ./bin/res/resgreen/cvs/Entries 150 | e6a0f9b44a269f8d2ca9b7a28cc0872ab81205fe7d09a5fe7ff92e2063d87b53 ./bin/res/resgreen/cvs/Repository 151 | cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 ./bin/res/resgreen/cvs/Root 152 | 002dcb47b84104d8e7c24b2525eaeb13710f0df28a863418d698413259f9ad75 ./bin/res/resgreen/left.bmp 153 | adaf5480f04c5397b32767655ccbbeea981ffc7fab480fc0f6c82096e6cb7cec ./bin/res/resgreen/right.bmp 154 | 34d98a72c03ea3bef50a15ccd1ab733b2b75dbe66e53073466ece7e1d4cbcbd0 ./bin/res/resgreen/root.bmp 155 | 39deed9c3b28910dc7d300e02d8eb4dd82e7b09b71b083fc5bc521d6f118de79 ./bin/res/respline.bmp 156 | 6a8abd8b4f6fe717c5e64c94cb5f6ac8b9f70987b4cebcf66af6211e5ab5cd22 ./bin/res/resred/0.bmp 157 | 142d12698778108c1cc65ad74ce8d456b37817ddbf051016db57a39bcbec5e74 ./bin/res/resred/1.bmp 158 | bb353e7e625b0fd34e51a1df31d52f684dac8019d5b977060097adca9f0bd40e ./bin/res/resred/2.bmp 159 | 37fb09d7649eaafc3f642854c9deb5ade62ac6ef25626d8270e886b5fbd9d74d ./bin/res/resred/3.bmp 160 | 
f48f39da7e7433783200d90a1796cca0463bcfcbd9867a32b0327e1994d6a12c ./bin/res/resred/4.bmp 161 | fea146fc87b5e1555c67a338c2900e591417c5fae60220e377fabe9c8bc5fc17 ./bin/res/resred/5.bmp 162 | a355282c892367aa36b6daf3fb49dd21e986fbe4f840b7ad19cee304dd1aca17 ./bin/res/resred/6.bmp 163 | acd441bedd4b704765e3dbcf62153d50f8188f9c0da3f4caa40dc0c8a2680a7e ./bin/res/resred/7.bmp 164 | da13bfec9a2a6d704c1e2d787ed27d17ce869a7d7851287b78e3f75277f64d78 ./bin/res/resred/8.bmp 165 | 698eb38b60a1d8e825d226b848d7a9ee9eb94c51cb1264ab59ba3fe7d0b7ec58 ./bin/res/resred/9.bmp 166 | 31d5b3c07c81ed000789b801363a62d592cc7a46f89d99428325b40366a6654f ./bin/res/resred/cvs/Entries 167 | f9fb00404abe870f4bde8a7eb3b31907a9357973d97b0e28149f4bee4fccc68c ./bin/res/resred/cvs/Repository 168 | cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 ./bin/res/resred/cvs/Root 169 | 271b35702e8174f2044c5a2e05e6b63658320492a094a7ba620ec3f818a74744 ./bin/res/resred/left.bmp 170 | 6b75ffa33baa9dd85c6aafe4eceba7322f7b9d73683339fc894fc66925996896 ./bin/res/resred/right.bmp 171 | 87736c1d129ba80b1169916fec1eb64f5a1e7113722de37f3f3513220d1ce60b ./bin/res/resred/root.bmp 172 | 08f5cb22150a5d9d03b40c671f87e0e22f1181c6b2d1b32003a5fc03bad66a09 ./bin/res/reswhite/0.bmp 173 | 8de10c8bc5773b8b8be71a5a0eec2de402db45c62b1578822ff0cbc1f737025e ./bin/res/reswhite/1.bmp 174 | f51b145461122461f6ffadea64bd17f27a3c84a05a1e1236df959efe0acf440f ./bin/res/reswhite/2.bmp 175 | 85d1983d2ed6dc9408323411482b3a7d90eb22d5fb48135fb4c9035523c7072a ./bin/res/reswhite/3.bmp 176 | c77b159637eaf8dc6a66305876ec9c7afb443c12e43072d42910102e0a0f235d ./bin/res/reswhite/4.bmp 177 | 0e98071805dea01dbc22e5708f26c8295ceb60cb072e1c72a0da5476079c3a1f ./bin/res/reswhite/5.bmp 178 | efaf7302e64b5da42f01a0147c8e3cf2d78c5f0df45b8fdebffc8e7ca9d0c432 ./bin/res/reswhite/6.bmp 179 | 7c782ce034d13473ef1142e51ecba0d322b9a3a3bf7668b35f4f4a46d96896eb ./bin/res/reswhite/7.bmp 180 | 9c24a993b928090b5dc4578acdf44720c1c9017dc11c3b1686667f0f415766d9 
./bin/res/reswhite/8.bmp 181 | e11258c8da87f1ae23cc6b011deec9a0410f9ed9ec60d86bf218b27a18dfa62a ./bin/res/reswhite/9.bmp 182 | 31d5b3c07c81ed000789b801363a62d592cc7a46f89d99428325b40366a6654f ./bin/res/reswhite/cvs/Entries 183 | f9f6ec0a5977e0a4224e23a8e81ed90c5481f76c5c196e711138a983cef7bc10 ./bin/res/reswhite/cvs/Repository 184 | cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 ./bin/res/reswhite/cvs/Root 185 | 562b3f05980666d957e7b1d7dffceb480b8a22d2510742f6ab018489ee05ec1c ./bin/res/reswhite/left.bmp 186 | 0d5b0b0c9e4877a1d9fa809c94389976778593ec1b6945032a052b03de48cdb5 ./bin/res/reswhite/right.bmp 187 | e0ae0249ed83bcb0321652fdf6374b46739cd3b785f2aa9981c6512708784739 ./bin/res/reswhite/root.bmp 188 | 9553f3afa51b6d24352256e1ceef70a21565c0a761466d17a58c757830ec4c27 ./bin/res/resyellow/0.bmp 189 | 77a3f6876861faae652531b8766e0a07f3c19f24297b155174cbbe46346e524d ./bin/res/resyellow/1.bmp 190 | ce1319a649f893c0e2c61cedbc1f6d71e1b9ee57016d33ff69b925aaa0510144 ./bin/res/resyellow/2.bmp 191 | b413a5a7221ef8d07df8ab8503ff1f5e6ee5ad22c7eef847f7db3da784d4377c ./bin/res/resyellow/3.bmp 192 | 240da68e0ab81748057ce4c4e28aad189ca496dd2204b06f1d4bc955d8471cb8 ./bin/res/resyellow/4.bmp 193 | 3f62e483f183a9bd4ba28aa3ba66506598ff9d718d3e04e5d8e3aeafd92775f4 ./bin/res/resyellow/5.bmp 194 | ebd1fe7023b6f04b20f375a9cc84ae6aaada38f73e448c4a4661178f92e8fef4 ./bin/res/resyellow/6.bmp 195 | 47914f5695da85f309aee1b862c59ae475cd22611f7f88038ec19c2612d9b6a9 ./bin/res/resyellow/7.bmp 196 | cd22ab922dff6885da7c6576cfda9a1f0fe486b6d8df057b47df64591886ea83 ./bin/res/resyellow/8.bmp 197 | ec732a120f622b8ca54f8141b4f0df300ca3e069e98bd8d8fe6bf77054b9a1e5 ./bin/res/resyellow/9.bmp 198 | e45fe9927563c4509dfd12e01a4574f1aca105d6899126f5066c82aa57bb6b72 ./bin/res/resyellow/cvs/Entries 199 | 6acd3aafc7158a8e0e69d79ed3b5dcc65b8d89d28314e300b94b2e140d37595c ./bin/res/resyellow/cvs/Repository 200 | cb074598733e34c712699e1732c8db68ecc34f625c1c506c61c0f8e2585580b5 
./bin/res/resyellow/cvs/Root 201 | fcb152a2fb0bf8899e292b8be7828b40a09ffe0316d078d517ec8a5d053c0ad8 ./bin/res/resyellow/left.bmp 202 | f9e1ddcd63aa4e3bf7217028b2e150207081c47e86697e8d3c3e0bb13d63aa1c ./bin/res/resyellow/right.bmp 203 | 9749734c1f469b291c37ba872f61c6e1b02195dccbde20827e72debcad66db68 ./bin/res/resyellow/root.bmp 204 | 4b4e35fca80f0b285d429471a01f2bbdafd43b85102201a4af5401aedd22cc05 ./bin/res/TempC.bmp 205 | ef1474db704cd56222afb53691138d3d2d2d46e8c22f34e7a5f5c1fcd0742cca ./bin/res/TempF.bmp 206 | f9d3a144ad7c160fe1863b966efb083114834e6f10ba019afce86cfe33cdea5b ./bin/res/TTc.bmp 207 | 4622b0ead212f9d9a3818bded50c243447ed24121b8fa90714c737832e9b8231 ./bin/res/TTf.bmp 208 | a37326dbdb234f514fdac667e297b54281b7e01a27453dd4fd60cbd2c4916925 ./bin/shutdown 209 | fca4b44565988e6024cf1d94c055ee2b06f75f865ef44bb7317a801cc843d469 ./bin/shutdown.conf 210 | 7847fd0cfc0ef3b1a9bcb0d6aea955f979b2967734631b768d101074b446cf25 ./bin/startppp 211 | 6ac4accff907ea59be81c908d7332e758eafc2b6a2bd5d6215a29226f5a8b801 ./bin/startppptd 212 | 0f3a534a8241dea7a2bbedcb70d5c3cd11c1a7a3750126f2baa2981511ebcbcb ./bin/startpppw 213 | 9fdc0676d24fcfd68c93a677db7e6d49c5fdf0dc8d62b37042963e93901631f3 ./bin/SysSetup.rc 214 | 5853e815038fd69fa93541cb65b4f8d5f0fd9ec1c8c36f20fd3c8bacfc5cb3bd ./bin/SysSetup.rc.bak 215 | 5853e815038fd69fa93541cb65b4f8d5f0fd9ec1c8c36f20fd3c8bacfc5cb3bd ./bin/SysSetup.rc.org 216 | e3a774744a8549d65c7e07fda23cfb12b51945eafee64f254ed205d5ebb397f5 ./bin/udhcpc 217 | c6f66c8360b02adff9c730679056f8182e78e99b0f9a4b4972682ff3b572461a ./bin/update 218 | b2d7818d6ed827841cef61670ade26a2b197fe84883b6719edfd852abc9874b6 ./bin/update_module 219 | 491964247d9d566a59aabc665aebdacc3e449d67be6f66528cb62e9a522c2936 ./bin/update_spo2 220 | 4b33d72f7649d05e6d12bde87e8f520b71ad2c98deb0e9b1df884a31669d8011 ./bin/UsrAduConf.rc 221 | bbed9ca7664265fdaef39dc67fb45a043409cad31d34e1d90fc83d06473313b3 ./bin/wifi_init 222 | 2a1a67cdcfb4ade65c4dfcf48bce0d29ae2c6e2b66a2ad99dcaebd25218d7545 
./bin/wpa_supplicant 223 | 2e70d569f9c8ce7cf6273a6ed789fe1dd94737fccdd1a42d78f8551084bd143f ./cmdline1 224 | 41b6a1d00ff4317aca5580bdcd9e5d1a2c05b7c6dd48c542b4a705dd54a4bfff ./ppp/chat 225 | 9dcf747dfc5452828a938e4407b68be5e292deb4ca09c11badf88c7ad3c144ec ./ppp/evdo-connect-chat 226 | 5f587884b74d1d1336d267516ee87ff5974d68933ea1c765f4534b90f1e2389d ./ppp/peers/evdo 227 | 2049bc92f5af8b036eb743f508df8629ed242707710bfb2e0ebc6e403859be8e ./ppp/peers/tdscdma 228 | 7ca272b12e87aaff5b44ad23dc272d2fc319f3d147b2ad0fa5730cd4aa33406f ./ppp/peers/wcdma 229 | 0c4cd9a9b58f156d385b94b7b2d5f6e3763695ae9c95ec9a34579ceb6af6bd16 ./ppp/pppd 230 | fc29135ddc3beeb0c489a19f6e9b87785ee1791cf2edc1f0c28d44476ffa246f ./ppp/resolv.conf 231 | 7847fd0cfc0ef3b1a9bcb0d6aea955f979b2967734631b768d101074b446cf25 ./ppp/startppp 232 | 6ac4accff907ea59be81c908d7332e758eafc2b6a2bd5d6215a29226f5a8b801 ./ppp/startppptd 233 | 0f3a534a8241dea7a2bbedcb70d5c3cd11c1a7a3750126f2baa2981511ebcbcb ./ppp/startpppw 234 | b1d68954771830b3103ec8572c6ef7aee88c511ef8f10997f9d3732be7a98f93 ./ppp/tdscdma-chat 235 | 6539821c78ffe7ad486b50c20aabf992dd18c6c230a49b49632a31c8880ee869 ./ppp/usb_modeswitch 236 | ad9aecbba6f149a7537fbf6ad6a2981bd1b65903bb0401cc92d5ba2c87354090 ./ppp/usb_modeswitch.conf 237 | 22a2f9b69941c600e993ccfc5614bb50968d0fba7d6e3784a2ef4e621a1da6d3 ./ppp/wcdma-chat 238 | 7c94093f9d27ffa9ef992c66c9378025742dc1662eebf6dc4a100439f033c65b ./shasums.txt 239 | 1488618e638258d573e7d9a6b919d6521f426eee57a1ea83964130ca494aff68 ./startmonitor 240 | 0c9f3ace35ce8b36d2d5e2debf7338d2de481d477bff0cf5a32ad0e17ccb4704 ./Wireless/8188eu.ko 241 | 706a7637bc17543100efed3587019ded687e78edca36f633910dd6ae8ac2a274 ./Wireless/8192cu.ko 242 | 3866adec81746ac087d556b240d63b79fd4a665a1561cb17c9059fc4cb092139 ./Wireless/8712u.ko 243 | bd2371cbb09937d709e3ea05f4ad0d3104c06d651fd52fc017aa7f305350eec1 ./Wireless/ath.ko 244 | fbe468cffdf7c7e6cab048cce4d40778d29b12609b8b25def7e7882d1f2c171b ./Wireless/ath9k.ko 245 | 
45a1bb10519829cd8d6a9d617e332d1c63a7df2a13e44ba48ccbbba64a78f9f4 ./Wireless/ath9k_common.ko 246 | c96859dc456432c758636eae25095f6ae184fc9100d8e04bad142f367b604605 ./Wireless/ath9k_htc.ko 247 | 5e9450e56885441d66808f24b5f783ef1c7afb3221657ac14f94ca8d63df1684 ./Wireless/ath9k_hw.ko 248 | 24e64ea518b0b73ed05ee174afbd41b83f7ace03d3782e4fa50159865be0f966 ./Wireless/cfg80211.ko 249 | 481ff1aa44c779b976e890606834cebf4d90678a6a9b0d166c747753971dd8d8 ./Wireless/compat.ko 250 | cd3c8f1ce7003e1f419953469d3014774f1c505e53cd979f3eb99d481cd4a956 ./Wireless/compat_firmware_class.ko 251 | 1b4917ab14b482fa82d3a7df3d9b34cebea34ce555265603cbed2f01c023372f ./Wireless/htc_7010.fw 252 | 93c0d9c3121f9615a20a129965c1142a1def79aecaa682228caea3063ea67225 ./Wireless/htc_9271.fw 253 | 7ec21463f861b43abac8a0453468a3209de686aa22a6e07964b65a5de3821a1c ./Wireless/install.sh 254 | c9d496d1ffc30df77d4bac2d4abd02aa3b0a333e6bb397c585860230a8c92875 ./Wireless/mac80211.ko 255 | 109bdfd287321a8a6231c676569d4fd40aea67f1868a6756ee745a84b5e01d30 ./Wireless/rfkill_backport.ko 256 | 8d6e82dbac633237e30dceed7389e65675e48dbbd658c6d7939f1c08d14156cc ./Wireless/RT2870STA.dat 257 | 49fb672447664072cd9010718ea02e7f4bcfab829b28e37af5e36f228d276c6d ./Wireless/RT2870STACard.dat 258 | e25bc235712c2b8362acadc4168b463d5cc84bcf3d227b81fc7064042159428d ./Wireless/rt3070sta.ko 259 | ``` 260 | 261 | Yes, this looks like a lot but don't worry it's not going to be as bad as you think it is! 
# Getting started

### The tools you will need

You will need the following tools to do this course:

- Binary Ninja, get it here: [https://binary.ninja/free/](https://binary.ninja/free/)
- The extracted firmware from the Contec heart monitor, get it here: [https://github.com/Perkins-Fund/Introduction-to-RE](https://github.com/Perkins-Fund/Introduction-to-RE)

### Your first steps

To get started you need to download the files from [here](https://github.com/Perkins-Fund/Introduction-to-RE.git) and get Binary Ninja from [here](https://binary.ninja/free/). Once you have Binary Ninja installed we can start the process. The first thing you're going to want to do is open the `startmonitor` file in Binary Ninja. Dragging and dropping the file will automatically detect the file type and start the process; you should see something similar to this:

![Open Binary Ninja](../.github/intro_re/open_binja.png)

Clicking the `Open` button will open the file in Binary Ninja:

![Opened File](../.github/intro_re/open_file_binja.png)

Now there is a lot of information there. For the simplicity of this course we will be focusing on the following interesting features shown:

- `cp /opt/bin/shutdown`

![Interesting 1](../.github/intro_re/interest_1.png)

- `mount -t tmpfs none /opt/bin/data/freezedata -o size=1m cd /opt/bin ./update_module`

![Interesting 2](../.github/intro_re/interest_2.png)

- `/wifi_init cd /opt/Wireless ./install.sh cd /tmp ./shutdown & cd /opt/bin ./cmddog &`

![Interesting 3](../.github/intro_re/interest_3.png)

So that we save time, and since this is an introduction course, we will not dive into absolutely everything. Instead, we will only pay attention to the following file:

- cmddog

### The files

#### monitor

The update_module file can be found in `./bin/monitor`. Grab that file and throw it into BinaryNinja, you should see the following:

![monitor](../.github/intro_re/monitor.png)

--------------------------------------------------------------------------------
/The Beginning/Introduction to Python.md:
--------------------------------------------------------------------------------
**Shameless plug**

This course is given to you for free by The Perkins Cybersecurity Educational Fund: [https://perkinsfund.org/](https://perkinsfund.org/)

Please consider donating to [The Perkins Cybersecurity Educational Fund](https://donorbox.org/malware-bible-fund)

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://ko-fi.com/perkinsfund)

**NOTE: This course assumes that you have Python installed and can successfully run Python programs.**

# What will be covered?
- [Why Python?](#why-python)
- [Breakdown of syntax](#syntax)
- [Breakdown of data types](#data-types)
- [Control structures](#control-structures)
- [What the f*ck is a function?](#functions)
- [Writing a program](#writing-a-program)
- [That's all there is](#thats-all-there-is-to-it)

# Why Python?
Most of the time you'll probably hear people talking shit about Python or telling you that you should learn another language entirely. Which is fair: there are plenty of programming languages in the world and a lot of them function the exact same way: you write the code, you compile/interpret the code, the code runs and does what you want it to do. So why should you choose Python? Well, first of all, this course is not an argumentative essay. I personally don't care what you use, but if you're going to use Python, here are some key factors of why it's a decent language:

- Easy to learn
  - Python's syntax is pretty straightforward and is designed to be readable and intuitive. Once you grasp it, you can pretty much read any code thrown at you.
- Versatile
  - Python is actually extremely widely used, it's compatible with multiple operating systems and architectures, and can basically do anything that any other language can do, including running assembly code directly inline.
- Multiple paradigms
  - Basically this just means that Python can be object-oriented programming (OOP) or functional oriented (using functions over classes)

This course is designed to teach you the basics of Python and provide you with a basic understanding of it. The hope is that after this course you'll be able to pick up an editor and start coding successfully.

##### NOTE: This course assumes that you have Python preinstalled and have a basic understanding of programming.

# Syntax

### Variables
To start we should talk about variables. A variable is basically just a piece of code that stores something for later usage. Variable names must be `a-zA-Z` and can contain an underscore (`_`). An example of a Python variable:
```python
# syntax for creating a variable is
# variable_name = value
name = "Malcore"
```
The above provides a decent example of a variable. We created a variable named `name` that equals (`=`) the string `Malcore`. Later on down the road we can call that variable by using the variable name `name`. You can also create variables using integers:
```python
age = 5
```
This variable `age` contains the integer `5`. But what if you want to be able to tell if a variable is `True` or `False`? Well, those are called booleans and look something like this:
```python
is_young = True
is_old = False
```
As you can see we set the variable `is_young` to `True` and the variable `is_old` to `False`.
As an added bonus, Python inherits its boolean structure from earlier languages like C. What this means is that booleans are also equal to integers:
```python
print(True + 1)  # True will always equal 1
# 2
print(False + 1)  # False will always equal 0
# 1
True == 1
# True
False == 0
# True
```
So if you're feeling really fancy or just want to piss people off, you can use booleans in place of integers or integers in place of booleans.

### Variable renaming

In Python you can reassign variables to another name. For example:
```python
one = 1
two = 0
one = two
two = one
print(one, two)
# 0 0
```
What we just did was set variable `one` to the integer `1` and set variable `two` to the integer `0`, so that `one` equals `1` and `two` equals `0`. Then we set variable `one` to the value of variable `two` (or `0`) and set variable `two` to the new value of variable `one` (which is `0`); we then `print` both variables to display the values. Being able to rename variables dynamically is useful for things like avoiding conflicting names.

### Using variables
As you have already seen above, using variables is pretty straightforward, so we will give you an in-depth example of variable usage:
```python
# set the variable x to the integer 5
x = 5

# set the variable y to the integer 10
y = 10

# set the variable z to x + y
z = x + y
# => 15

# set the variable a to z + y
a = z + y
# => 25

# set the variable b to a + z
b = a + z
# => 40

# Rename the variable x to the value of the variable b
x = b
# => 40
```
The above provides a good overview of what we have already talked about, including renaming variables. So at the end the variable `x` is equal to the value of the variable `b`, which is the integer `40`.

A cool thing about variables is that you can perform multiple variable assignments on one line of code in multiple different ways:

```python
# set the variables a, b, and c to 1 so that all the variables have the same value
a = b = c = 1

# set the variables a, b, and c on one line to different values 1, 2, and 3
a, b, c = 1, 2, 3
```
This provides a quick way to set variables in line with one another.

### Variables best practices

Of course, with everything there come rules or "best practices". Before we get into the best practices, I want you to really understand that programming is about doing what you want to do. Yes, readable and maintained code is important, but you should never be a slave to the rules. If you find something that works better for you, you should do that instead.

- Variable names should always describe their purpose. If you're adding multiple prices together and the end value is `x`, you should name the end value `total_price` to clearly show what you are trying to accomplish.
- Always use consistent naming conventions. In Python the variable name convention is `snake_case`: all lowercase, using underscores (`_`) as spaces.

### Print statements
The `print` statement is one of the most used functions in Python. It is a built-in function that allows you to print data to the console, or display output to the user. The print function can also handle unicode characters. It is extremely easy to understand, so this section will be short:

```python
age = 5
name = "Malcore"
print(age)
print(name)
```

### Arithmetic syntax

Python has built-in syntax to help with doing math and arithmetic operations.
They are as follows:

##### Addition

Addition in Python is pretty straightforward:
```python
# set the variable 'a' to the integer 15
a = 15

# set the variable 'b' to the integer 20
b = 20

# set the variable 'result' to 'a' plus 'b'
result = a + b

# print the results
print(result)
# => 35
```

It is also possible to perform addition by adding to an already declared variable:
```python
# set the variable 'result' to 0
result = 0

# set the variable 'a' to 10
a = 10

# set the variable 'b' to 5
b = 5

# add the sum of 'a' plus 'b' to the preset 'result' variable integer
result += (a + b)

# print the results
print(result)
# => 15
```

##### Subtraction

Subtraction, much like addition, is pretty straightforward. You can also perform the same concept as in addition by using a preset variable to subtract from. In this example we will do both:
```python
# set the variable 'result1' to 30
result1 = 30

# set variable 'a' to 10
a = 10

# set variable 'b' to 5
b = 5

# subtract the result of 'a' minus 'b' from the variable 'result1'
result1 -= (a - b)

# print the results
print(result1)
# => 25

# set the variable 'a' to 7 overwriting the current variable 'a'
a = 7

# set the variable 'b' to 3 overwriting the current variable 'b'
b = 3

# set the variable 'result2' to the result of 'a' minus 'b'
result2 = (a - b)

# print the results
print(result2)
# => 4
```

##### Arithmetic syntax table

There are plenty more arithmetic operators but for this course we will not be going into them. Below is a table of all the operators and information about them if you want to understand more:

| operator | use case | example |
|----------|----------|---------|
| `+` | Adds two numbers | `10 + 10` |
| `-` | Subtracts two numbers | `3 - 1` |
| `*` | Multiplies two numbers | `2 * 2` |
| `/` | Divides the first number by the second number, will return a float | `9 / 3` |
| `//` | Divides the first number by the second number and rounds down to the nearest whole number | `3 // 2` |
| `%` | Returns the remainder of the division between the first and second number | `100 % 10` |
| `**` | Raises the first number to the power of the second number | `3 ** 3` |


# Data types

Python itself has multiple data types. Data types are categories of values (or data) that you can work with in a program. Understanding data types is crucial for any developer, new or seasoned, to determine what kind of operations can be done on that data. For example, an integer cannot be treated like a string.

#### Numeric
- Types: ints, floats, complex
- Ints:
  - Whole numbers without decimal points: `3`
- Floats:
  - Numbers with decimal points: `3.12`
- Complex:
  - Numbers that have both real and imaginary parts: `3j`
  - NOTE: Imaginary numbers are denoted by `j` in Python.
#### Strings
- Types: single line, multi line
- Single line:
  - A single line string that is between `"` or `'`: `"this is a string" + 'this is also a string'`
- Multi line:
  - A string that takes up multiple lines between either `"""` or `'''`:
```python
""" This is
a multi line
string """
''' this is
also a
multi line string '''
```
- NOTE: strings are immutable objects.
This means that once a string is created, you cannot directly change their characters. However, it is possible to edit strings in line using something like the following: 259 | ```python 260 | s = "this is a string" 261 | s.replace("i", "n") 262 | # => 'thns ns a strnng' 263 | ``` 264 | #### Booleans 265 | - Types: True, False 266 | - True: 267 | - This expression is often used for conditional statements 268 | - False: 269 | - Same as `True` 270 | #### List 271 | - Lists are ordered collections of data and are mutable. This means they can be directly accessed and changed. You create lists using square brackets: `[]`. You might also know these as `arrays`. 272 | ```python 273 | nums = [1, 2, 3] 274 | nums.append(4) 275 | print(nums) 276 | # => [1, 2, 3, 4] 277 | nums.pop() 278 | # => 4 279 | print(nums) 280 | # => [1, 2, 3] 281 | ``` 282 | #### Tuple 283 | - Tuples are immutable lists, meaning that you cannot directly change them after the element is created 284 | ```python 285 | a = (1, 2, 3) 286 | a.append(4) 287 | # Traceback (most recent call last): 288 | # File "", line 1, in 289 | # AttributeError: 'tuple' object has no attribute 'append' 290 | a.add(4) 291 | # Traceback (most recent call last): 292 | # File "", line 1, in 293 | # AttributeError: 'tuple' object has no attribute 'add' 294 | ``` 295 | - NOTE: tuples are used for when the data needs to remain constant and should never be changed 296 | #### Dicts (dictionary) 297 | - A dict is an unordered collection of key and value pairs. Each key must be unique and are used to access the values associated with them. You call a dict by using: `{}` 298 | ```python 299 | my_dict = {'a': 1, 'b': 2, 'c': 3} 300 | print(my_dict['a']) 301 | # => 1 302 | my_dict['d'] = 4 303 | print(my_dict) 304 | # => {'a': 1, 'c': 3, 'b': 2, 'd': 4} 305 | ``` 306 | #### Set 307 | - A set is an unordered collection of unique items. There are no duplicates allowed in a set. 
You create a set by using: `{}` or `set()` 308 | ```python 309 | a = {1, 1, 2, 3, 4} 310 | print(a) 311 | # => set([1, 2, 3, 4]) 312 | b = set() 313 | b.add(1) 314 | b.add(1) 315 | b.add(2) 316 | print(b) 317 | # => set([1, 2]) 318 | ``` 319 | #### NoneType 320 | - `None` is a special type that represents the absence of data. Much like `null`. This signifies that something is empty 321 | ```python 322 | a = None 323 | print(a == 0) 324 | # => False 325 | print(a == None) 326 | # => True 327 | ``` 328 | 329 | It is possible to determine what type an object is by using the following: 330 | ```python 331 | x = 10 332 | print(type(x)) 333 | # => 334 | ``` 335 | 336 | You can also determine if an object is an instance of a type by doing the following: 337 | ```python 338 | x = 5j 339 | print(isinstance(x, complex)) 340 | # => True 341 | ``` 342 | 343 | These help determine the types and allow you to make decisions based off that type. 344 | 345 | # Control structures 346 | 347 | Control structures allow you to control the flow of the program based on conditions, repetitions, and other logical indicators. These will help make decisions on what to do with the code. 348 | 349 | #### Conditional statements 350 | 351 | These allow you to make decisions based on certain conditions: 352 | ```python 353 | a = 10 354 | b = 5 355 | 356 | # if the variable 'a' is equal to the variable 'b' 357 | # this can never be True because: 358 | # the variable 'a' is the integer 10 359 | # the variable 'b' is the integer 5 360 | if a == b: 361 | print("This will never be True") 362 | 363 | # if the variable 'a' does not equal the variable 'b' 364 | elif a != b: 365 | print("This will always be True") 366 | 367 | # this can never be called because the above condition is always True 368 | else: 369 | print("How did we get here?") 370 | ``` 371 | 372 | The above example provides a decent explanation of how conditional statements work. 
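As an added example (this is not part of the original course material), the following puts the data types from the section above to work on a small constructed list of file records, and uses an `if`/`elif`/`else` chain that branches first on type and then on value. The record list, the placeholder digest strings, and the function names (`unique_digests`, `count_by_extension`, `alias_trap`, `describe`) are all made up for this example.

```python
"""Added example (not from the original course): the data types above in
practice, plus an if/elif/else chain that branches on type and value.
The file records below are constructed; the digests are placeholders."""

# constructed sample input: (file name, placeholder digest) tuples
SAMPLE_RECORDS = [
    ("dropper.exe", "aaaa1111"),
    ("loader.dll", "bbbb2222"),
    ("dropper.exe", "aaaa1111"),   # duplicate on purpose
    ("notes.txt", "cccc3333"),
]


def unique_digests(records):
    """A set keeps one copy of each value, so building one is the cheapest
    way to de-duplicate."""
    return {digest for _name, digest in records}


def count_by_extension(records):
    """A dict maps a key (the file extension) to a running count."""
    counts = {}
    for name, _digest in records:
        ext = name.rsplit(".", 1)[-1]
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def alias_trap(original):
    """Lists are mutable, and assignment does not copy: `alias = original`
    makes a second name for the SAME list, so appending through `alias`
    shows up in `original`. A slice (`original[:]`) is a real copy.
    Returns (same object?, seen through original?, seen through copy?)."""
    alias = original
    copy = original[:]
    alias.append("injected")
    return original is alias, "injected" in original, "injected" in copy


def describe(value):
    """Branch on the type, then on the value. `is None` is the idiomatic
    NoneType test. `bool` is checked before `int` because `True` and `False`
    are also instances of `int`."""
    if value is None:
        return "missing"
    elif isinstance(value, bool):
        return "flag: on" if value else "flag: off"
    elif isinstance(value, int):
        return "negative int" if value < 0 else "non-negative int"
    elif isinstance(value, str):
        return "empty string" if value == "" else f"string of {len(value)} chars"
    elif isinstance(value, (list, tuple, set, dict)):
        return f"collection with {len(value)} items"
    else:
        return f"other: {type(value).__name__}"


if __name__ == "__main__":
    print(unique_digests(SAMPLE_RECORDS))
    print(count_by_extension(SAMPLE_RECORDS))
    print(alias_trap(["a", "b"]))
    for sample in (None, True, -3, "", [1, 2], 2 + 3j):
        print(repr(sample), "->", describe(sample))
```

The order of the `isinstance` checks in `describe` matters: because `bool` is a subclass of `int`, testing for `int` first would report `True` as a "non-negative int". The same care applies whenever you branch on type in analysis scripts.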
There is no limit to how many `elif` branches you can chain. Python checks the conditions top to bottom and runs only the first branch whose condition is `True`.

#### Loops

Loops allow you to execute a block of code multiple times. There are `for` loops and `while` loops.
- `for` loop
    - This loop iterates over a sequence of data
```python
items = [1, 2, 3]
for i in items:
    print(i)
# 1
# 2
# 3
```
This loop always stops once the sequence is exhausted. It runs its code block once for each element of the sequence. You can use `lists`, `tuples`, `strings`, or any other iterable with a `for` loop.
- `while` loop
    - This loop keeps running for as long as its condition is `True` and stops as soon as it is `False`
```python
count = 10
while count != 0:
    count -= 1
    print(count)
# 9
# 8
# 7
# 6
# 5
# 4
# 3
# 2
# 1
# 0
```
The loop above subtracts 1 from `count` on every iteration and stops once `count` equals 0, because the condition `count != 0` is then `False`. It is worth mentioning that `while` loops can be dangerous. A condition that never becomes `False` creates a forever loop that runs and eats resources until the process is killed; if `count` had started below zero, for instance, it would never reach 0. An example of a deliberate forever loop is:
```python
while True:
    print("1")
```
This loop will NEVER end on its own.

Now that we understand the basics of loops we should start talking about how to break out of them early, skip iterations, and use loop controls. We will use `for` loops for the remainder of these examples. You should always use `for` loops unless you absolutely have to use a `while` loop (I'm sure I'll get a lot of hate for that, I don't care).

#### Breaking out of loops

To break out of a loop you use the `break` statement. This statement stops the loop immediately; no further iterations run.
```python
l = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
for i in l:
    if i == 4:
        print("Break the loop")
        break
    else:
        print(i)
# 1
# 2
# 3
# Break the loop
```

The above code shows exactly how the `break` statement works. The loop runs until the `if` condition is met, prints a message, and then stops; the elements after `4` are never visited.

#### Skipping iterations
To skip an iteration you use the `continue` statement. The `pass` statement is often mentioned alongside it, but it does something different: `pass` indicates there is nothing to execute and acts as a kind of `nop`, while `continue` forcibly ends the current iteration and jumps to the next one. `pass` is usually used as a placeholder for future code.

Using the `pass` statement:
```python
l = [1, 2, 3, 4, 5]
for i in l:
    pass
# absolutely nothing happens.
```

Using the `continue` statement:
```python
l = [1, 2, 3, 4, 5, 6]
for i in l:
    if i == 3:
        continue
    else:
        print(i)
# 1
# 2
# 4
# 5
# 6
```

#### Loop control

Sometimes you need to execute something right after a loop finishes normally, that is, when no `break` statement was encountered. You can accomplish this by adding an `else` clause to the loop. For example:
```python
l = [1, 2, 3, 4, 5, 6]
for i in l:
    if i == 7:
        print("Break statement hit")
        break
    else:
        print(i)
else:
    print("No break caught")
# 1
# 2
# 3
# 4
# 5
# 6
# No break caught
```

Now if we do the same thing and make the list longer:
```python
l = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
for i in l:
    if i == 7:
        print("Break statement hit")
        break
    else:
        print(i)
else:
    print("No break caught")
# 1
# 2
# 3
# 4
# 5
# 6
# Break statement hit
```

# Functions

A function is a reusable block of code that performs a specific task. Functions help organize your code and make it more modular, and they let you run the same block of code again without rewriting it. A function should solve one problem, and solve it well. The key concepts of a function are: its definition (declaring the function), its body (what it does), its parameters (the arguments you can pass to it), and its return value (what it hands back, if anything). To define a function in Python you use the `def` statement. Here is an example:
```python
def create_list(length=7):
    """
    create a list that takes a `length` argument.
    this length is defaulted to `7` if no argument is passed

    this is called a 'keyword' argument
    """
    # this function returns a list of numbers the same length as the keyword argument
    # (`range` on its own is a lazy range object, so wrap it in `list`)
    return list(range(length))


def iter_list(l):
    """
    take a list and run a for loop on it to
    iterate through the list

    this is called a 'positional' argument.
    """
    for piece in l:
        print(piece)


# use the function and keep the keyword argument defaulted at 7
l1 = create_list()

# reuse the same function and change the keyword argument to 15
l2 = create_list(length=15)

# in order to run the `iter_list` function it is required to pass the positional argument
# iterate through the first list by passing the created list to the function
iter_list(l1)
# 0
# 1
# 2
# 3
# 4
# 5
# 6

# reuse the function and iterate through the second list by passing the second list to the function
iter_list(l2)
# 0
# 1
# 2
# 3
# 4
# 5
# 6
# 7
# 8
# 9
# 10
# 11
# 12
# 13
# 14
```
It is worth mentioning that functions can take multiple positional arguments as well as multiple keyword arguments. There are a couple of ways to do this:
```python
def arg_func(arg1, arg2, arg3, arg4=4, arg5=5, arg6=6):
    """
    this function takes three positional and three keyword arguments
    """
    print(arg1, arg2, arg3, arg4, arg5, arg6)


def arg_func_2(*args, **kwargs):
    """
    this function takes any number of positional and keyword arguments
    """
    print(args, kwargs)


arg_func(1, 2, 3)
# 1 2 3 4 5 6
arg_func_2(1, 2, 3, arg4=4, arg5=5, arg6=6)
# (1, 2, 3) {'arg4': 4, 'arg5': 5, 'arg6': 6}
```
As you can see, `**kwargs` is a `dict` in which you access each keyword argument by its `key`, and `*args` is a `tuple` of the positional arguments.

# Writing a program

Now that you have a basic grasp on how all this works we will write a basic program that incorporates all the information we have gone through.
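The next block is an added example, not code from the original course. It combines the function features above (positional parameters, a keyword parameter with a default, `*args` and `**kwargs`) with the loop controls from the previous section (`continue`, `break`, and `for`/`else`), and shows how to guard a `while` loop so it cannot run forever. The log lines are constructed for the example and the function names (`find_first`, `first_of_each`, `countdown_with_guard`) are invented.

```python
"""Added example (not from the original course): functions with positional,
keyword, *args and **kwargs parameters, using the loop controls from the
previous section. The log lines below are constructed for this example."""

# constructed sample input: a level word followed by a message
SAMPLE_LINES = [
    "INFO  service started",
    "   ",                                   # whitespace-only line, skipped
    "WARN  disk 91% full",
    "ERROR failed to open C:\\Users\\victim\\payload.bin",
    "INFO  heartbeat",
]


def find_first(lines, level, start=0):
    """Return (index, line) of the first line whose level word is `level`,
    or None if there is none.

    `lines` and `level` are positional parameters; `start` is a keyword
    parameter with a default. The loop's `else` clause runs only when the
    loop ended without hitting `break`, which is exactly the not-found case.
    """
    for index, line in enumerate(lines[start:], start=start):
        if not line.strip():
            continue                         # skip blank lines, try the next one
        if line.split(maxsplit=1)[0] == level:
            break                            # found it, stop scanning
    else:
        return None                          # loop exhausted without a break
    return index, line


def first_of_each(lines, *levels, **options):
    """Collect extra positional arguments into the tuple `levels` and extra
    keyword arguments into the dict `options`, then look each level up.
    Only the `start` option is understood; anything else is an error."""
    unknown = set(options) - {"start"}
    if unknown:
        raise TypeError(f"unexpected keyword argument(s): {sorted(unknown)}")
    start = options.get("start", 0)
    return {level: find_first(lines, level, start=start) for level in levels}


def countdown_with_guard(count, limit=100):
    """The `while count != 0` loop from the tutorial, but bounded.
    If `count` starts below zero it never reaches 0, so without the guard
    this would be an infinite loop. Returns the number of steps taken,
    or None if the limit was hit."""
    steps = 0
    while count != 0:
        if steps >= limit:
            return None                      # refuse to run forever
        count -= 1
        steps += 1
    return steps


if __name__ == "__main__":
    print(find_first(SAMPLE_LINES, "WARN"))
    print(first_of_each(SAMPLE_LINES, "INFO", "ERROR", "DEBUG", start=1))
    print(countdown_with_guard(10), countdown_with_guard(-1))
```

Rejecting unknown keys in `**options` is deliberate: a silently ignored typo such as `strat=1` is a classic source of scripts that appear to work but search from the wrong place.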
We will be writing a basic calculator:
```python
def add(a, b):
    """
    take two positional arguments and add them together.
    return the value
    """
    return a + b


def subtract(a, b):
    """
    take two positional arguments and subtract them.
    return the value.
    """
    return a - b


def display_menu():
    """
    create a display menu that will show to the user
    this function uses `\n`, the newline character, so a single
    line of code prints a multi-line menu
    """
    print("select operation:\n1. Add\n2. Subtract\n9. Exit")


def calculator():
    """
    create a main function that will house the logic of the calculator
    """
    # use a forever loop; the only way out is the `break` below
    while True:
        # display the help menu
        display_menu()

        # get input from the user using the `input` function
        choice = input("enter your choice: ")

        # everything typed at the console arrives as a string, so compare against '9', not 9
        if choice == '9':
            print("exiting the calculator.")
            # break out of the loop
            break

        # check if the choice is in the list of available options or not
        if choice not in ['1', '2', '9']:
            print("invalid input! please select a valid operation.")
            # go back to the top of the loop
            continue

        # try to convert the input from a string to a number (`float`)
        try:
            num1 = float(input("enter first number: "))
            num2 = float(input("enter second number: "))
        except ValueError:
            # if the conversion fails, catch the error and report that the input is invalid
            print("invalid input! please enter valid numbers.")
            # go back to the top of the loop
            continue

        # these outputs are formatted using the `f` at the start of the string.
        # this allows you to embed variables into the string
        if choice == '1':
            print(f"the result of {num1} + {num2} is: {add(num1, num2)}")
        elif choice == '2':
            print(f"the result of {num1} - {num2} is: {subtract(num1, num2)}")
        else:
            # cannot be reached, because invalid choices were rejected above;
            # kept as a defensive default
            print("invalid option!")
            # no operation
            pass


# this special statement means that if this file is being run directly
# (rather than imported as a module), start the process
if __name__ == "__main__":
    # call the main function
    calculator()
```

Let's break down this code to fully understand what is happening:
```python
def add(a, b):
    """
    take two positional arguments and add them together.
    return the value
    """
    return a + b
...
```
This function takes two arguments and adds them together. For example `add(2, 2)` will equal `4`.

```python
...
def subtract(a, b):
    """
    take two positional arguments and subtract them.
    return the value.
    """
    return a - b
...
```
This function also takes two arguments and subtracts the second from the first. For example `subtract(3, 1)` will equal `2`.
```python
...
def display_menu():
    """
    create a display menu that will show to the user
    this function uses `\n`, the newline character, so a single
    line of code prints a multi-line menu
    """
    print("select operation:\n1. Add\n2. Subtract\n9. Exit")
...
```
This function creates a basic help menu for the user. By embedding newline characters it prints the whole menu from a single line of code.

```python
...
def calculator():
    """
    create a main function that will house the logic of the calculator
    """
    # use a forever loop; the only way out is the `break` below
    while True:
        # display the help menu
        display_menu()

        # get input from the user using the `input` function
        choice = input("enter your choice: ")

        # everything typed at the console arrives as a string, so compare against '9', not 9
        if choice == '9':
            print("exiting the calculator.")
            # break out of the loop
            break

        # check if the choice is in the list of available options or not
        if choice not in ['1', '2', '9']:
            print("invalid input! please select a valid operation.")
            # go back to the top of the loop
            continue

        # try to convert the input from a string to a number (`float`)
        try:
            num1 = float(input("enter first number: "))
            num2 = float(input("enter second number: "))
        except ValueError:
            # if the conversion fails, catch the error and report that the input is invalid
            print("invalid input! please enter valid numbers.")
            # go back to the top of the loop
            continue

        # these outputs are formatted using the `f` at the start of the string.
        # this allows you to embed variables into the string
        if choice == '1':
            print(f"the result of {num1} + {num2} is: {add(num1, num2)}")
        elif choice == '2':
            print(f"the result of {num1} - {num2} is: {subtract(num1, num2)}")
        else:
            # cannot be reached, because invalid choices were rejected above;
            # kept as a defensive default
            print("invalid option!")
            # no operation
            pass
...
```
This function holds the main logic of the program and controls its flow. An infinite `while` loop wraps all the other logic; the only exit is the `break` taken when the user chooses `9`. On each pass it first displays the help menu, then reads the user's choice and takes the appropriate action. Note that the user's input is never executed as code: the menu choice is compared against a fixed list of strings and the numbers are converted with `float`, which raises `ValueError` on anything that is not a number. Running user input through `eval` instead would be the wrong way to build a calculator.

---

#### Sponsor

Special thanks to the sponsor of this course! Guided Hacking!

GH is a website devoted to producing high quality educational content related to game hacking, reverse engineering & ethical hacking.

---

# That's all there is to it

That's all there is to it! You have learned the basics of Python and successfully built your own calculator program. We hope this course has given you a basic understanding of programming in Python and that you have learned something.

#### Support the Bible

Once again, this course is offered for free by The Perkins Cybersecurity Educational Fund! If you found this information valuable and want to support the continued development of the Malware Bible please consider:
- Donating to the Malware Bible Fund → [Donate Here](https://donorbox.org/malware-bible-fund)

#### Become a sponsor

These courses reach thousands of cybersecurity professionals, researchers, students, and teachers worldwide who actively engage in learning and advancing the field. Sponsoring our educational initiative not only supports free cybersecurity education but also places your brand in front of a highly technical and security-conscious audience.

Interested in partnering? Let's talk about how your organization can be featured in our future courses: [Contact us today!](https://perkinsfund.org/index.html#contact-us) Please view our [Sponsorship Packages](https://perkinsfund.org/donations#sponsor-table) for more details!