https://www.debugxp.com/ Technical research and education focusing on C/C++, Windows, reverse engineering, binary exploitation, and development. Reverse engineering course. Z0F 0xZ0F. 2025-03-01T12:54:41-05:00 0xZ0F https://www.debugxp.com/ Jekyll © 2025 0xZ0F /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png 2025-03-01T07:00:00-05:00 2025-03-01T07:00:00-05:00 https://www.debugxp.com/posts/WinAFL_EXE_Fuzzing/ 0xZ0F

The relevant code for this post can be found here: https://github.com/0xZ0F/WinAFLEXEHarness There are a handful of great guides on performing fuzzing using WinAFL (and various other fuzzers). The article written by Angelystor has been particularly helpful, as well as this one by 2ourc3 and this one by Antonio Morales. The major issue I was running into, however, is that existing guides fo...

2024-05-07T09:00:00-04:00 2024-05-07T09:00:00-04:00 https://www.debugxp.com/posts/ExtendingPESections/ 0xZ0F

A basic understanding of the PE header is assumed. Source code referenced can be found under my “PESENT” project on GitHub. I was recently looking into post-build configuration for binaries and I was curious about the modification of PE sections. I already knew how to enlarge the last section of the PE, but I wanted more. I didn’t like having to search my own binary for data that I pu...

2024-05-06T20:08:04-04:00 2024-05-06T20:08:04-04:00 https://www.debugxp.com/posts/RECourse_CH08_04_GetElement/ 0xZ0F

Now let’s look at a function that has to do with looking data up in the table. Remember, it doesn’t matter which functions we reverse first. I’m choosing based on what I think will be a good order to go in. Multiple functions might get something from the table: RtlEnumerateGenericTable, RtlGetElementGenericTable, RtlLookupElementGenericTable, and some others. Based on the names, I think RtlGet...

2024-05-06T20:08:03-04:00 2024-05-06T20:08:03-04:00 https://www.debugxp.com/posts/RECourse_CH08_03_IsGenericTableEmpty/ 0xZ0F

Next up let’s take a look at RtlIsGenericTableEmpty. This is yet another potentially easy function to reverse that may give us valuable information. Once again, let’s try to predict how it could work. The table may contain a member that is set or changed when it’s not empty. Another possibility is that it uses the member we found previously that has to do with the number of table elements, wha...

2024-05-06T20:08:02-04:00 2024-05-06T20:08:02-04:00 https://www.debugxp.com/posts/RECourse_CH08_02_NumberGenericTableElements/ 0xZ0F

We’ve taken a look at the initialization function and have a good idea of the base layout. Let’s continue with what are probably the more simple functions to gather as much easy information as possible, then work on the more complicated functions. Let’s start with RtlNumberGenericTableElements. Think about how this function could work. One possible way is that the function will loop over the t...