[Reverse Engineering Tips] — Disabling ASLR

Thomas Roccia, published in SecurityBreak, Mar 28, 2020

This post is a quick tip on how to disable ASLR to make reverse engineering easier.

What is ASLR (Address Space Layout Randomization)?

According to Wikipedia:

ASLR is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

In short, ASLR randomises the process's address space at load time, so the addresses you see at runtime no longer match the ones in the disassembler, which makes matching and analysis harder.

Portable Executable Format and ASLR

The PE format specifies whether ASLR is enabled. The ASLR flag (0x40, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) is set in the DllCharacteristics field of the optional header.

In the below screenshot, we can see with PeStudio that the ASLR flag is enabled.

ASLR Flag in PeStudio

The memory addresses in x32dbg and IDA will not match (IDA loads the image at its preferred ImageBase, while the debugger sees the randomised load address), which can be very annoying when reversing a binary.

It is possible to clear this flag with a hex editor. However, that is time consuming when you have a lot of samples to analyse.

Using setdllcharacteristics

To automate this process, you can use the tool setdllcharacteristics by Didier Stevens.

Setdllcharacteristics

The ASLR flag can be disabled with the option -d.

Disabling ASLR

We can now verify with PeStudio that the ASLR flag is disabled.

ASLR Disabled

The memory addresses will now be the same in your disassembler and your debugger, making your analysis easier.
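If you prefer to script this step yourself, the following added example (not code from the post or from Didier Stevens' tool) does what the hex-editor edit above does: it locates DllCharacteristics in the optional header and clears the 0x40 flag. The `build_sample_pe` helper is a constructed header-only PE32 stub used only so the code runs offline; the field offsets come from the PE specification.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the ASLR opt-in flag

def _dllchar_offset(data: bytes) -> int:
    """Validate the DOS/PE headers and return the file offset of DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return opt + 70

def read_dllcharacteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, _dllchar_offset(data))[0]

def aslr_enabled(data: bytes) -> bool:
    return bool(read_dllcharacteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def clear_aslr(data: bytes) -> bytes:
    """Return a copy of the image with DYNAMIC_BASE cleared; the CheckSum field is left untouched."""
    off = _dllchar_offset(data)
    buf = bytearray(data)
    flags = struct.unpack_from("<H", buf, off)[0]
    struct.pack_into("<H", buf, off, flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE & 0xFFFF)
    return bytes(buf)

def build_sample_pe(dllchar: int = 0x8140) -> bytes:
    """Constructed PE32 header stub for testing only (not a loadable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<H", opt, 70, dllchar)   # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    sample = build_sample_pe()
    print("ASLR before:", aslr_enabled(sample))            # True
    print("ASLR after :", aslr_enabled(clear_aslr(sample)))  # False
```

To patch a real file, read it into `bytes`, pass it to `clear_aslr`, and write the result out; as with the hex-editor approach, this invalidates any Authenticode signature on the sample.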

That’s it! You can now debug your file without dealing with mismatched memory addresses. I will occasionally post tips like this on my Medium. For more content like this, you can follow me on Twitter @fr0gger_
