Reversing in open wide public, on Twitter

1. Introduction

CEbot is a tool that lets you disassemble binary code from your own Twitter!

How? Do this in 2 simple steps:

Send a tweet with your hex string. CEbot supports 2 tweet syntaxes. Either tweet your hex string with the hashtag #cebot or #2ce (read: "To-Capstone-Engine"), or tweet the hex string directly to @ceb0t, in which case the hashtag #cebot (or #2ce) is not needed. The first method can be used if you want all of your followers to see your reversed code. The second method makes less noise, because only those following both you and @ceb0t will see the tweet.

Wait 1 to 2 seconds and the reversed assembly code will be sent back, also via Twitter. Be sure to check the Notifications tab if you do not see it soon enough. NOTE: If you do not see any reply, check the FAQ in section 4 below for the possible reasons.



A few examples of tweets accepted by CEbot:

| Tweet | Meaning |
| --- | --- |
| x32 909090 #2ce | Reverse x86 32-bit code with a hex-string of 3 bytes, 909090. The result sent back would be 3 NOP instructions. |
| x64 att 0x90 0x90 0x90 #2ce | Reverse x86-64 code of the same 3 NOPs, but get back assembly in AT&T syntax (rather than the default Intel syntax). |
| arm #cebot "\x04\xe0\x2d\xe5" | Reverse ARM code. Note that the hashtag can be put anywhere in the tweet. |
| @ceb0t m64 be 0C,10,00,97 | Reverse Mips 64-bit code in big-endian mode. This time the tweet is sent directly to @ceb0t, so the hashtag #2ce is not required. |



Readers may already have noticed that CEbot is flexible about the format of the input hex-string: spaces, quotes, double quotes, commas, or even plus signs (+) inside the code are all perfectly legal.

For now, 8 architectures are supported: Arm, Arm64, Mips, PowerPC, Sparc, SystemZ, XCore & X86. See section 3 below for further details.

2. Real-life example

A blog entry on BostonKeyParty CTF 2014 has this PowerPC shellcode:

shellcode_read_exec = "\x38\xa0\x04\x03" + "\x30\x05\xfb\xff" + "\x7c\x24\x0b\x78" + "\x44\x00\x00\x02" + "\x69\x69\x69\x69" + "\x7c\x29\x03\xa6" + "\x4e\x80\x04\x21"



The author never explained this shellcode, but we can find out what it is by copying its content, putting "ppc" in front, and tweeting it as below (with one plus sign removed so that everything fits in a tweet).

ppc "\x38\xa0\x04\x03""\x30\x05\xfb\xff" + "\x7c\x24\x0b\x78" + "\x44\x00\x00\x02" + "\x69\x69\x69\x69" + "\x7c\x29\x03\xa6" + "\x4e\x80\x04\x21" #2ce



In under 2 seconds, we get back a tweet from @ceb0t with the assembly of the shellcode inside.

li r5, 0x403
addic r0, r5, -0x401
mr r4, r1
sc 0
xori r9, r11, 0x6969
mtctr r1
bctrl

3. Tweet syntax for CEbot

CEbot only serves requests with proper content: the accepted syntax is simple & intuitive, as follows.

[@ceb0t] <arch> [mode1 mode2 ...] [syntax] <hex-string> [#2ce|#cebot]



This means: to send the tweet directly to @ceb0t, put its Twitter ID at the front. The first word after that must name the hardware architecture. The next part specifies the hardware modes and the assembly syntax, followed by the input hex-string. More than one mode can be combined, for example when we want to reverse Mips code in 64-bit and big-endian mode. If the modes and syntax are omitted, the default modes and default syntax are used.

Note that the hashtag #2ce (or #cebot; only one of them is needed) can be put anywhere in the tweet, not necessarily at the end. Moreover, if we tweet directly to @ceb0t, the hashtag is not required. Conversely, a public tweet needs the hashtag but not @ceb0t in front.

Finally, to shorten the tweet contents, CEbot supports aliases, each of which combines an arch with its modes. For example, x32 is the alias of x86 32 (32-bit X86), and m64 is the alias of mips 64 (64-bit Mips).

At the moment, CEbot supports 8 architectures with the following setup.



X86

| Field | Value | Meaning |
| --- | --- | --- |
| arch | x86 | X86 architecture |
| mode | 16 | 16-bit |
| mode | 32 | 32-bit (default mode) |
| mode | 64 | 64-bit |
| syntax | intel | Intel assembly syntax (default syntax) |
| syntax | att | AT&T assembly syntax |
| alias | x16 | x86 16 |
| alias | x32 | x86 32 |
| alias | x64 | x86 64 |

ARM

| Field | Value | Meaning |
| --- | --- | --- |
| arch | arm | ARM architecture |
| mode | le | Little-endian (default endian) |
| mode | be | Big-endian |
| mode | thumb | Thumb mode |

Thumb (ARM)

| Field | Value | Meaning |
| --- | --- | --- |
| arch | thumb | Thumb mode of ARM architecture |
| mode | le | Little-endian (default endian) |
| mode | be | Big-endian |

Arm64

| Field | Value | Meaning |
| --- | --- | --- |
| arch | arm64 | Arm64 (or Aarch64/ArmV8) architecture |
| mode | le | Little-endian (default endian) |
| mode | be | Big-endian |
| alias | a64 | arm64 |

Mips

| Field | Value | Meaning |
| --- | --- | --- |
| arch | mips | Mips architecture |
| mode | 32 | 32-bit (default mode) |
| mode | 64 | 64-bit |
| mode | le | Little-endian (default endian) |
| mode | be | Big-endian |
| alias | m32 | mips 32 |
| alias | m64 | mips 64 |

PowerPC

| Field | Value | Meaning |
| --- | --- | --- |
| arch | ppc | PowerPC architecture |
| mode | - | No mode needs to be specified |

Sparc

| Field | Value | Meaning |
| --- | --- | --- |
| arch | sparc | Sparc architecture |
| mode | v9 | Sparc V9 |
| alias | spv9 | sparc v9 |

SystemZ

| Field | Value | Meaning |
| --- | --- | --- |
| arch | sysz | SystemZ architecture |
| mode | - | No mode needs to be specified |

XCore

| Field | Value | Meaning |
| --- | --- | --- |
| arch | xcore | XCore architecture |
| mode | - | No mode needs to be specified |
| alias | xc | xcore |
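As an added example (this is not CEbot's own code; the page does not show the bot's implementation), the following Python parses a request tweet against the grammar and the alias tables above, normalises the loosely formatted hex-string (spaces, quotes, commas, plus signs, `\x` and `0x` prefixes) into bytes, and hands the result to the Capstone Python binding. The parsing needs only the standard library; `disassemble()` additionally needs the `capstone` package. The arch and mode constants are Capstone's own. Two details are this example's assumptions rather than documented CEbot behaviour: the fixed-endian targets (ppc, sparc, sysz, xcore) are opened big-endian, as Capstone's examples do, and only the words directly after the arch are treated as modes, so a hex-string whose first token happens to spell a mode word (such as `be`) must be written with a `0x` prefix or inside quotes.

```python
import re

# Grammar from the page: [@ceb0t] <arch> [mode1 mode2 ...] [syntax] <hex-string> [#2ce|#cebot]
# Arch names, mode words and syntax words are taken from the tables on the page.
ARCHS = {
    "x86":   {"modes": {"16", "32", "64"}, "syntax": {"intel", "att"}},
    "arm":   {"modes": {"le", "be", "thumb"}},
    "thumb": {"modes": {"le", "be"}},
    "arm64": {"modes": {"le", "be"}},
    "mips":  {"modes": {"32", "64", "le", "be"}},
    "ppc":   {"modes": set()},
    "sparc": {"modes": {"v9"}},
    "sysz":  {"modes": set()},
    "xcore": {"modes": set()},
}
# Aliases from the page: alias -> (arch, implied modes)
ALIASES = {
    "x16": ("x86", ["16"]), "x32": ("x86", ["32"]), "x64": ("x86", ["64"]),
    "a64": ("arm64", []), "m32": ("mips", ["32"]), "m64": ("mips", ["64"]),
    "spv9": ("sparc", ["v9"]), "xc": ("xcore", []),
}
SIZES, ENDIANS = {"16", "32", "64"}, {"le", "be"}


def hex_string_to_bytes(text):
    """Turn the loosely formatted hex-string CEbot accepts into raw bytes."""
    cleaned = re.sub(r"(?i)\\x|0x", "", text)          # drop "\x" and "0x" prefixes
    cleaned = re.sub(r"[\s\"'“”‘’+,]", "", cleaned)    # drop separators and (curly) quotes
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("hex-string must be a non-empty, even number of hex digits")
    return bytes.fromhex(cleaned)


def parse_tweet(tweet):
    """Parse one request tweet into arch, modes, syntax and code bytes."""
    # @mentions and hashtags may sit anywhere in the tweet and carry no request data.
    words = [w for w in tweet.split() if not w.startswith(("@", "#"))]
    if not words:
        raise ValueError("empty request")
    head = words[0].lower()
    if head in ALIASES:
        arch, modes = ALIASES[head]
        modes = list(modes)
    elif head in ARCHS:
        arch, modes = head, []
    else:
        raise ValueError(f"unknown architecture {words[0]!r}")
    spec = ARCHS[arch]
    syntax = None
    i = 1
    # Consume leading mode/syntax words; the first word that is neither starts the hex-string.
    # Assumption: a hex token spelling a mode word (e.g. "be") is read as a mode here.
    while i < len(words):
        w = words[i].lower()
        if w in spec["modes"]:
            modes.append(w)
        elif w in spec.get("syntax", ()):
            syntax = w
        else:
            break
        i += 1
    code = hex_string_to_bytes(" ".join(words[i:]))
    # Fill in the defaults given by the page's tables where a group was not specified.
    if arch in ("x86", "mips") and not SIZES & set(modes):
        modes.append("32")
    if arch in ("arm", "thumb", "arm64", "mips") and not ENDIANS & set(modes):
        modes.append("le")
    if "syntax" in spec and syntax is None:
        syntax = "intel"
    return {"arch": arch, "modes": modes, "syntax": syntax, "code": code}


def disassemble(req, address=0):
    """Run a parsed request through Capstone (pip install capstone) and return text lines."""
    import capstone as cs  # third-party; imported lazily so parsing works without it
    arch_ids = {"x86": cs.CS_ARCH_X86, "arm": cs.CS_ARCH_ARM, "thumb": cs.CS_ARCH_ARM,
                "arm64": cs.CS_ARCH_ARM64, "mips": cs.CS_ARCH_MIPS, "ppc": cs.CS_ARCH_PPC,
                "sparc": cs.CS_ARCH_SPARC, "sysz": cs.CS_ARCH_SYSZ, "xcore": cs.CS_ARCH_XCORE}
    mode_bits = {"16": cs.CS_MODE_16, "32": cs.CS_MODE_32, "64": cs.CS_MODE_64,
                 "le": cs.CS_MODE_LITTLE_ENDIAN, "be": cs.CS_MODE_BIG_ENDIAN,
                 "thumb": cs.CS_MODE_THUMB, "v9": cs.CS_MODE_V9}
    # Assumption: fixed-endian targets are opened big-endian, as Capstone's own examples do.
    mode = cs.CS_MODE_BIG_ENDIAN if req["arch"] in ("ppc", "sparc", "sysz", "xcore") else 0
    if req["arch"] == "thumb":
        mode |= cs.CS_MODE_THUMB
    for m in req["modes"]:
        mode |= mode_bits[m]
    md = cs.Cs(arch_ids[req["arch"]], mode)
    if req["syntax"] == "att":
        md.syntax = cs.CS_OPT_SYNTAX_ATT
    return [f"{ins.mnemonic} {ins.op_str}".strip() for ins in md.disasm(req["code"], address)]


if __name__ == "__main__":
    # The page's PowerPC example, with the quotes and plus signs left in place.
    req = parse_tweet(r'ppc "\x38\xa0\x04\x03""\x30\x05\xfb\xff" + "\x7c\x24\x0b\x78" #2ce')
    print(req["arch"], req["modes"], req["code"].hex())
    print("\n".join(disassemble(req)))
```

Note the grammar's one soft spot: because modes follow the arch positionally, a raw hex-string beginning with a byte such as `be` or `16` is indistinguishable from a mode word. Prefixing the bytes with `0x` or quoting the string, both of which the page says CEbot accepts, removes the ambiguity.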

4. FAQ