about Corkami

graphics

• Graphics and cheat sheets, useful for daily reference, or training:
• PE 101 - a windows executable walkthrough



• Opcodes' tables of Java, .Net, Android, x86 - as either compact single-page cheat sheets, or full descriptive posters.



• Opcodes (x86 & x64 simplified tables, one-liners)



• packers (models, categories & features, landscape, detailed features, entrypoints, algorithms)



• PE file format (file & memory layout, headers, data directories)
• anti-debugs

presentations

• x86 & PE: first presented and recorded at Hashdays, then improved at Berlinsides
1. Hashdays 2011: Such a weird processor - messing with opcodes (...and a little bit of PE) (28th October 2011)

1. BerlinSides x2: x86 & PE (28th December 2011) - with demo as screencasts

articles

• the PE format
• a summary of PDF tricks - encodings, structures, JavaScript... with hand-made PoCs (français 日本語)

• Corkami Standard Test is a PE/x86/x64 test program for your tools/emulators/skills.
• it checks standard opcodes,
• but also many x86 oddities,
• and how to get the current IP
• and it's also a tricky PE, using many tricks, so many tools don't even identify it as a PE.



• curious encodings

binaries

• Binary corpus is a group of non malicious binaries, exhibiting various file formats, and more specifically, aspects of PE files.
• Formats: NE, PE, Elf, LX, LE, COM, EXE
• Compilers: Digital Mars C, Lcc, Masm, Tasm, FreeBasic, FreePascal, OpenWatcom, Fasm, GoAsm...
• PE:
• sections: none, 16 (legitimate), 199 (maximum), duplicate, PE-mapping, wrong order...
• Misc: Tiny PE, EntryPoint (on 2nd section, external), no ImageBase...
• Directories: none, DelayImports, Bound Imports, LoadConfig Directory, Copyright directory, COM directory, TLS (Empty/normal/Fake/External), Resource (recursive)....
• packers
• categories: patcher, protecter, crypter, compresser, mutater, virtualizer
• crypters algos: xor, prng, rc4
• architectures of virtualization: standard, stack, SubLeq, TTA
• imports loading obfuscation
• string encodings
• a toolkit to run drivers in user-mode, and unpack them directly from OllyDbg

misc

• a page gathering values of system registers and values on TLS/EntryPoint/... of most Windows versions.
• a one-file aPLib compression/decompression in python
• Explaining what’s a computer virus to grandma
• Calling conventions, seen from ASM
• (initial) values of cpu registers on Windows OSes
• Kernel31, a trampoline DLL to enable >XpSp3 binaries work on previous OS.
• old crackmes solutions: PredatorPirupiru LilcwXor

external works

• Screencasts:
• OllyDbg Tracing (easy level) setting OllyDbg as a JIT debugger, tracing, optimizing tracing, finding bug, patching, saving as a new executable
• reJava create a .class from scratch

known related works

• a very nice and simple opcode table, by Daniel Plohmann

more...

...for more information, check the (old) blog map, and the downloads tab.