
z0fcourse_reverseengineering's People

Contributors

0xz0f, blue-hexagon, dennissoemers, gh0stbyte, jinivus, juffalow, kcchouette, libkluid, seelengrab, subdesign, synestematic, trosh, x0ul, zerescas, zholobov


z0fcourse_reverseengineering's Issues

Possible mistake in chapter 3.2

First of all, thank you so much for writing this material, it is amazing.

I am a beginner with these low level topics so I might be wrong, but when I was reading the Stack explanation, these two parts seemed contradictory to me:

  • When data is pushed onto the stack, the stack grows up, towards lower memory addresses.

  • The stack pointer (RSP/ESP/SP) is used to keep track of the top of the stack and the base pointer (RBP/EBP/BP) is used to keep track of the base/bottom of the stack. This means that when data is pushed onto the stack, the stack pointer is increased since the stack grew towards higher addresses.

I think that the second quote should be,

The stack pointer (RSP/ESP/SP) is used to keep track of the top of the stack and the base pointer (RBP/EBP/BP) is used to keep track of the base/bottom of the stack. This means that when data is pushed onto the stack, the stack pointer is decreased since the stack grew towards lower addresses.

Let me know if I am getting it wrong :)
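The direction the issue asks about can be checked empirically rather than argued from the text. The following is an added example (not code from the course or from the reporter): each recursion level records the address of one of its own locals, and the check passes only if every deeper frame lies at a lower address than its caller's, which is what "the stack grows towards lower addresses" means in practice. The small `ModelStack` type is a toy model of x64 `push`/`pop` on a fixed array, to make the "stack pointer decreases on push" rule explicit; the array size and slot width are arbitrary choices for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

#if defined(_MSC_VER)
#  define NO_INLINE __declspec(noinline)
#else
#  define NO_INLINE __attribute__((noinline))
#endif

// One call level per recursion step. Each level records the address of its own
// local; NO_INLINE and the write after the recursive call keep every level in a
// distinct, real stack frame so the recorded addresses are comparable.
NO_INLINE static void record_frames(volatile std::uintptr_t *addrs, int depth, int max_depth) {
    volatile int local = depth;                      // lives in this call's frame
    addrs[depth] = reinterpret_cast<std::uintptr_t>(&local);
    if (depth + 1 < max_depth)
        record_frames(addrs, depth + 1, max_depth);
    local = -1;                                      // not a tail call, so no frame reuse
}

// True if every deeper frame sits at a lower address than its caller's frame,
// i.e. calls (and the pushes they imply) move the stack pointer downwards.
bool grows_towards_lower_addresses(int frames) {
    if (frames < 2 || frames > 32) return false;
    volatile std::uintptr_t addrs[32] = {};
    record_frames(addrs, 0, frames);
    for (int i = 1; i < frames; ++i)
        if (addrs[i] >= addrs[i - 1]) return false;  // a deeper frame must be lower
    return true;
}

// Byte distance between two adjacent frames: an approximate frame size.
std::size_t frame_stride() {
    volatile std::uintptr_t addrs[2] = {};
    record_frames(addrs, 0, 2);
    return static_cast<std::size_t>(addrs[0] - addrs[1]);
}

// Toy model of x64 push/pop on 8 slots of 8 bytes (sizes chosen for the example).
// rsp starts just past the highest slot, i.e. an empty stack.
struct ModelStack {
    std::uint64_t slots[8] = {};
    std::uint64_t rsp = 8 * 8;

    // push: RSP is decremented by 8 FIRST, then the value is stored at the new top.
    bool push(std::uint64_t v) {
        if (rsp < 8) return false;          // would run below our toy memory
        rsp -= 8;
        slots[rsp / 8] = v;
        return true;
    }
    // pop: the value at the top is read, then RSP moves back up by 8.
    bool pop(std::uint64_t &v) {
        if (rsp >= 8 * 8) return false;     // nothing pushed
        v = slots[rsp / 8];
        rsp += 8;
        return true;
    }
};

int main() {
    std::printf("deeper frames at lower addresses: %s\n",
                grows_towards_lower_addresses(8) ? "yes" : "no");
    std::printf("approx. frame size: %zu bytes\n", frame_stride());
    ModelStack s;
    s.push(0x41);
    std::printf("model rsp after one push: %llu (started at 64)\n",
                static_cast<unsigned long long>(s.rsp));
    return 0;
}
```

Run it on x86-64 (Windows or Linux) and the first line prints "yes"; RSP in the real program is being lowered by `call` and by the prologue's `sub rsp, N`, and the model shows the same movement for a single `push`. The base pointer (RBP) is untouched by `push`/`pop`; only RSP tracks the top.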

Chapter 9

Topics to cover:

  1. Logging function calls.
    • Hooking.
    • To console.
    • To file.
    • Using debugger.
  2. Manually calling functions.
  3. Providing a custom API/SDK for interoperability.
    • Useful for debugging.

Update Docs

README needs to be updated as well as various docs.

Why only windows?

Why are you just focusing on teaching reversing for x64 windows? Why not ELF binaries?

Fastcall argument passing convention

In Section 3.5,

This space is going to be 32 bytes, 8 bytes for each of the 4 registers. Because of that, accessing parameters beyond the 4th parameter is done starting with the offset of 0x20. In other words, the fourth parameter is accessed via RSP+0x20, the third RSP+0x28, etc.

You say that the fourth is at 0x20 and the third at 0x28; is it not the fifth at 0x20 and the sixth at 0x28, and so on?
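A detail worth separating when reading the quoted passage is whose RSP the offset is measured from. Under the Microsoft x64 convention the caller reserves 32 bytes of shadow (home) space below the return-address slot, so the caller stores the fifth integer/pointer argument at `[rsp+0x20]` and the sixth at `[rsp+0x28]` immediately before `call`; `call` then pushes the 8-byte return address, so at the callee's first instruction the same arguments sit at `[rsp+0x28]` and `[rsp+0x30]`, and any prologue (`push rbp`, `sub rsp, N`) moves them further still. The helper below is an added example (not code from the course or the issue) that computes both views; the function names are hypothetical and it covers only integer/pointer arguments in the first four register slots.

```cpp
#include <cstdio>
#include <string>

// Bytes the caller reserves below the return-address slot for the four
// register arguments (the "shadow" or "home" space) in the Microsoft x64 ABI.
constexpr int kShadowSpace = 0x20;

// Register carrying integer/pointer argument n (1-based), or nullptr if n
// travels on the stack.
const char *ms_x64_arg_register(int n) {
    static const char *const regs[] = {"rcx", "rdx", "r8", "r9"};
    return (n >= 1 && n <= 4) ? regs[n - 1] : nullptr;
}

// Offset from RSP of integer/pointer argument n (1-based); -1 for register args.
//   callee_entry == false: where the caller stores it just before `call`.
//   callee_entry == true : where it sits at the callee's first instruction,
//                          after `call` pushed the 8-byte return address.
// A callee prologue (push rbp / sub rsp, N) shifts the offset further.
int ms_x64_stack_arg_offset(int n, bool callee_entry) {
    if (n <= 4) return -1;                          // rcx, rdx, r8, r9 or invalid
    int off = kShadowSpace + 8 * (n - 5);           // 5th -> 0x20, 6th -> 0x28, ...
    return callee_entry ? off + 8 : off;
}

// Operand as a disassembler would show it, e.g. "rcx" or "[rsp+0x28]".
std::string ms_x64_arg_operand(int n, bool callee_entry) {
    if (const char *reg = ms_x64_arg_register(n)) return reg;
    int off = ms_x64_stack_arg_offset(n, callee_entry);
    if (off < 0) return "?";                        // n < 1
    char buf[32];
    std::snprintf(buf, sizeof buf, "[rsp+0x%x]", off);
    return buf;
}

int main() {
    for (int n = 1; n <= 6; ++n)
        std::printf("arg %d: caller stores to %-12s callee sees %s\n", n,
                    ms_x64_arg_operand(n, false).c_str(),
                    ms_x64_arg_operand(n, true).c_str());
    return 0;
}
```

When reading a disassembled callee, the `[rsp+0x28]` you see for the fifth argument is therefore the caller-side `0x20` plus the return address; the two descriptions are consistent once the viewpoint is stated.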

Make the course radare2/cutter-friendly

I noticed you recommend Ghidra, but it is not the only tool available.
Radare2 is a highly-portable cross-platform reverse engineering framework and a toolkit without dependencies. It has support for analyzing binaries, disassembling code, debugging programs, attaching to remote GDB/LLDB, WinDbg servers, rich plugin system (see r2pm), and integration with various decompilers. For example, ghidra decompiler plugin - r2ghidra-dec. It is actively developed and can be easily integrated in various open source and commercial products.


For general documentation I recommend our constantly updated Radare2 Book.
For documentation on writing plugins for radare2 see Scripting and Plugins Radare2 Book chapters.

Cutter is a cross-platform Qt/C++ GUI frontend to radare2:


For documentation on writing plugins for Cutter see the official tutorial and the curated list of various popular plugins.

Consider using Cutter or IDA (Freeware or Pro) for example along with x64dbg.

Hey 0xZ0F,
these are great tutorials for beginners like me. I want to suggest that you consider using Cutter or IDA (Freeware or Pro) for the assembly part.
Q.: Why? Any particular reason?
A.: Most malware analysts spend their time with IDA, students like me who want to learn malware analysis with open-source tools use Cutter in the early days of their learning journey, and I see most exploit developers using x64dbg.
So adding IDA and Cutter examples would help in both MA and RE.
I know there would be no difference in the assembly part, but if we add them, it would most probably cover the entire RE and MA field.

Possible mistake in chapter 6.03

in chapter 6.03:

Function overriding allows for multiple functions of the same name that take different parameters. For example, you might want to have a function for addition. You'll probably want the ability to add integers or floats.

In my opinion, this chapter confuses function overriding and function overloading.

Such as in wiki:

Method overriding:
The implementation in the subclass overrides (replaces) the implementation in the superclass by providing a method that has same name, same parameters or signature, and same return type as the method in the parent class.

Function overloading:
In some programming languages, function overloading or method overloading is the ability to create multiple functions of the same name with different implementations. Calls to an overloaded function will run a specific implementation of that function appropriate to the context of the call, allowing one function call to perform different tasks depending on context.

I am new to reverse engineering, so maybe I made a mistake. Let me know if I am getting it wrong.
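The distinction the issue draws shows up directly in compiled code, which is why it matters for a reversing course. The following is an added example (not code from the course or the issue) with hypothetical names: `add` is overloaded, so the two versions have different parameter lists and the compiler picks one at compile time, and they become two separate symbols (with GCC/Clang Itanium mangling, `_Z3addii` and `_Z3adddd`); `Square::area` overrides `Shape::area`, so both have the identical signature and the choice is made at run time through the vtable, which is what you see as an indirect `call [reg+offset]` in the disassembly.

```cpp
#include <string>

// Overloading: same name, different parameter lists. Resolution is static;
// each overload is a distinct function with its own mangled symbol.
int add(int a, int b) { return a + b; }
double add(double a, double b) { return a + b; }

// Overriding: a derived class replaces a virtual function that has the SAME
// name, parameters and return type. Resolution is dynamic, via the vtable.
struct Shape {
    virtual ~Shape() = default;
    virtual const char *name() const { return "shape"; }
    virtual double area() const { return 0.0; }
};

struct Square : Shape {
    explicit Square(double s) : side(s) {}
    const char *name() const override { return "square"; }
    double area() const override { return side * side; }
    double side;
};

// Only the base type is visible here, yet the derived override still runs:
// the compiler emits an indirect call through the object's vtable pointer.
double area_via_base(const Shape &s) { return s.area(); }
std::string name_via_base(const Shape &s) { return s.name(); }

// Which overload is chosen depends solely on the argument types at the call
// site; nothing about it is decided at run time.
int sum_ints() { return add(2, 3); }         // binds to add(int, int)
double sum_doubles() { return add(2.5, 3.5); } // binds to add(double, double)

int main() {
    Square sq(3.0);
    Shape plain;
    return (area_via_base(sq) == 9.0 && area_via_base(plain) == 0.0) ? 0 : 1;
}
```

In a disassembler the overloads appear as two unrelated functions whose demangled names differ only in the parameter list, whereas the override appears as a slot in `Square`'s vtable at the same index as `Shape::area`, with call sites like `area_via_base` loading the vtable pointer and calling through it.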

Consider using GH pages

As the title says, consider using github pages to have an improved interface for the course. You should be able to pretty much enable GH pages and forget about it, since it supports markdown.
