Reversing in open wide public, on Twitter

1. Introduction

CEbot is a tool that lets you disassemble binary code from your own Twitter!

How? Use either of these 2 simple methods:

  1. Either tweet your hex string with hashtag #cebot or #2ce (read: "To-Capstone-Engine").

  2. Or tweet the hex string directly to @ceb0t. In this case, the hashtag #cebot (or #2ce) is not needed.

The first method can be used if you want all of your followers to see the disassembled code.

Meanwhile, the second method makes less noise, because only those following both you and @ceb0t will see the tweet.

NOTE: If you do not see any reply, check the FAQ in section 4 below for the possible reasons.

A few examples of tweets accepted by CEbot:

  1. Reverse x86 32-bit code given as the 3-byte hex-string 909090. The result sent back is 3 NOP instructions.

  2. Reverse x86-64 code of the same 3 NOPs, but get back assembly in AT&T syntax (rather than the default Intel syntax).

  3. Reverse ARM code. Note that the hashtag can be put anywhere in the tweet.

  4. Reverse Mips 64-bit code in big-endian mode. This time the tweet is sent directly to @ceb0t, so the hashtag #2ce is not required.

Readers might already have noticed that CEbot is flexible about the format of the input hex-string: it is perfectly legal to have spaces, quotes, double-quotes, commas or even plus signs (+) inside the code.

For now, 8 architectures are supported: Arm, Arm64, Mips, PowerPC, Sparc, SystemZ, XCore & X86. See section 3 below for further details.

2. Real-life example

A blog entry on BostonKeyParty CTF 2014 has this PowerPC shellcode:

shellcode_read_exec = "\x38\xa0\x04\x03"+

The author never explained this shellcode, but we can find out what it does by just copying its content, putting "ppc" in front, then tweeting it like below (with one plus sign removed to fit everything in a tweet).

ppc "\x38\xa0\x04\x03""\x30\x05\xfb\xff"+"\x7c\x24\x0b\x78"+"\x44\x00\x00\x02"+
"\x69\x69\x69\x69"+"\x7c\x29\x03\xa6"+"\x4e\x80\x04\x21" #2ce

In under 2 seconds, we get back a tweet from @ceb0t with the assembly of the shellcode inside.

    li r5, 0x403
    addic r0, r5, -0x401
    mr r4, r1
    sc 0
    xori r9, r11, 0x6969
    mtctr r1

3. Tweet syntax for CEbot

CEbot only serves requests with proper content: the accepted syntax is simple & intuitive, as follows.

[@ceb0t] <arch> [mode1 mode2 ...] [syntax] <hex-string> [#2ce|#cebot]

This means that to send the tweet directly to @ceb0t, put its Twitter ID at the front. Then the first word of the request must name the hardware architecture. The next part specifies the hardware modes and the assembly syntax, followed by the input hex-string. More than one mode can be combined, as when we want to reverse Mips code in 64-bit & big-endian mode. If the modes & syntax are omitted, the default modes & default syntax are used.

Note that the hashtag #2ce (or #cebot; only one of them is needed) can be put anywhere in the tweet, not necessarily at the end. Moreover, if we tweet directly to @ceb0t, the hashtag is not required. Conversely, a public tweet needs the hashtag, but not @ceb0t in front.

Finally, to shorten the tweet contents, CEbot supports aliases, each of which combines an arch & its modes. Example: x32 is the alias of x86 32 (32-bit X86), and m64 is the alias of mips 64 (64-bit Mips).

At the moment, CEbot supports 8 architectures with the following setup.


X86

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | x86 | X86 architecture |
| mode | 16 | 16-bit |
| mode | 32 | 32-bit (default mode) |
| mode | 64 | 64-bit |
| syntax | intel | Intel assembly syntax (default syntax) |
| syntax | att | AT&T assembly syntax |
| alias | x16 | x86 16 |
| alias | x32 | x86 32 |
| alias | x64 | x86 64 |

ARM

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | arm | ARM architecture |
| mode | le | Little endian (default endian) |
| mode | thumb | Thumb mode |

Thumb (ARM)

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | thumb | Thumb mode of ARM architecture |
| mode | le | Little endian (default endian) |
| mode | | Big-endian |

Arm64

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | arm64 | Arm64 (or Aarch64/ArmV8) architecture |
| mode | le | Little endian (default endian) |
| mode | | Big-endian |
| alias | a64 | arm64 |

Mips

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | mips | Mips architecture |
| mode | 32 | 32-bit (default mode) |
| mode | 64 | 64-bit |
| mode | le | Little endian (default endian) |
| mode | | Big-endian |
| alias | m32 | mips 32 |
| alias | m64 | mips 64 |

PowerPC

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | ppc | PowerPC architecture |
| mode | - | No mode needs to be specified |

Sparc

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | sparc | Sparc architecture |
| mode | v9 | Sparc V9 |
| alias | spv9 | sparc v9 |

SystemZ

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | sysz | SystemZ architecture |
| mode | - | No mode needs to be specified |

XCore

| Field | Value | Meaning |
| :--: | :--: | :-- |
| arch | xcore | XCore architecture |
| mode | - | No mode needs to be specified |
| alias | xc | xcore |
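To make the tweet syntax, the alias expansion and the tolerant hex-string format concrete, here is an added Python example (not CEbot's own code) that parses a tweet the way sections 1 and 3 describe, disassembles it at offset 0 with the Capstone Python bindings when they are installed, and applies the 140-char reply rule from the FAQ. The token "be" for big-endian is an assumption (the page shows the meaning but not the value), and "@ceb0t", "#2ce", "#cebot" and the alias table come straight from the text.

```python
# Added example, not CEbot's own code: parse a CEbot-style tweet and
# disassemble the hex-string at offset 0 (Capstone is optional here).
import re
from dataclasses import dataclass

BOT = "@ceb0t"
HASHTAGS = {"#2ce", "#cebot"}
ARCHS = {"x86", "arm", "thumb", "arm64", "mips", "ppc", "sparc", "sysz", "xcore"}
SIZES = {"16", "32", "64"}
MODES = SIZES | {"le", "be", "thumb", "v9"}   # "be" (big-endian) is an assumed token
SYNTAXES = {"intel", "att"}
OPTIONS = MODES | SYNTAXES
ALIASES = {                                    # alias -> (arch, modes), from the tables
    "x16": ("x86", ["16"]), "x32": ("x86", ["32"]), "x64": ("x86", ["64"]),
    "a64": ("arm64", []), "m32": ("mips", ["32"]), "m64": ("mips", ["64"]),
    "spv9": ("sparc", ["v9"]), "xc": ("xcore", []),
}
# Whitespace, quotes, commas, plus signs and C-style "\x" prefixes are all
# tolerated inside the hex-string and stripped before decoding.
JUNK = re.compile(r"""[\s'",+]|\\x""")
HEX = re.compile(r"[0-9a-fA-F]+")
TWEET_LIMIT = 140


@dataclass
class Request:
    arch: str
    modes: list
    syntax: str      # "intel" (default) or "att"; only meaningful for x86
    code: bytes


def parse_tweet(text):
    """Split a tweet into arch / modes / syntax / code per the CEbot syntax.
    Raises ValueError for anything the bot would simply ignore."""
    words, to_bot, tagged = [], False, False
    for tok in text.split():
        low = tok.lower()
        if low == BOT:
            to_bot = True
        elif low in HASHTAGS:
            tagged = True
        else:
            words.append(tok)
    if not (to_bot or tagged):
        raise ValueError("tweet is neither sent to %s nor tagged #2ce/#cebot" % BOT)
    if not words:
        raise ValueError("no architecture given")
    head = words[0].lower()
    if head in ALIASES:
        arch, modes = ALIASES[head][0], list(ALIASES[head][1])
    elif head in ARCHS:
        arch, modes = head, []
    else:
        raise ValueError("unknown architecture %r" % words[0])
    # Mode/syntax tokens run until the first word that is not one of them.
    # Caveat of the syntax itself: a space-separated hex byte such as "64" or
    # "be" directly after the arch would be read as a mode, not as data.
    syntax, i = "intel", 1
    while i < len(words) and words[i].lower() in OPTIONS:
        word = words[i].lower()
        if word in SYNTAXES:
            syntax = word
        else:
            modes.append(word)
        i += 1
    hexstr = JUNK.sub("", "".join(words[i:]))
    if not hexstr or len(hexstr) % 2 or not HEX.fullmatch(hexstr):
        raise ValueError("hex-string is empty, odd-length or not hex")
    return Request(arch, modes, syntax, bytes.fromhex(hexstr))


def disassemble(req):
    """Disassemble req.code at offset 0, as the bot does. Returns a list of
    "mnemonic operands" strings, or None when the capstone package is missing."""
    try:
        import capstone as cs
    except ImportError:
        return None
    arch = {"x86": cs.CS_ARCH_X86, "arm": cs.CS_ARCH_ARM, "thumb": cs.CS_ARCH_ARM,
            "arm64": cs.CS_ARCH_ARM64, "mips": cs.CS_ARCH_MIPS, "ppc": cs.CS_ARCH_PPC,
            "sparc": cs.CS_ARCH_SPARC, "sysz": cs.CS_ARCH_SYSZ, "xcore": cs.CS_ARCH_XCORE}
    # Default mode per architecture (the "default" entries of the tables above).
    base = {"x86": cs.CS_MODE_32, "arm": cs.CS_MODE_ARM, "thumb": cs.CS_MODE_THUMB,
            "arm64": cs.CS_MODE_ARM, "mips": cs.CS_MODE_MIPS32 | cs.CS_MODE_LITTLE_ENDIAN,
            "ppc": cs.CS_MODE_BIG_ENDIAN, "sparc": cs.CS_MODE_BIG_ENDIAN,
            "sysz": cs.CS_MODE_BIG_ENDIAN, "xcore": cs.CS_MODE_BIG_ENDIAN}
    size = {"16": cs.CS_MODE_16, "32": cs.CS_MODE_32, "64": cs.CS_MODE_64}
    flag = {"le": cs.CS_MODE_LITTLE_ENDIAN, "be": cs.CS_MODE_BIG_ENDIAN,
            "thumb": cs.CS_MODE_THUMB, "v9": cs.CS_MODE_V9}
    mode = base[req.arch]
    for m in req.modes:
        if m in size:   # a width token replaces the default width instead of adding to it
            mode = (mode & ~(cs.CS_MODE_16 | cs.CS_MODE_32 | cs.CS_MODE_64)) | size[m]
        else:
            mode |= flag[m]
    md = cs.Cs(arch[req.arch], mode)
    if req.arch == "x86":
        md.syntax = cs.CS_OPT_SYNTAX_ATT if req.syntax == "att" else cs.CS_OPT_SYNTAX_INTEL
    return [("%s %s" % (ins.mnemonic, ins.op_str)).strip() for ins in md.disasm(req.code, 0)]


def reply_for(lines):
    """FAQ rule: the assembly goes into the reply tweet only if it is shorter than
    140 chars; otherwise the caller posts it elsewhere and tweets a link."""
    text = "\n".join(lines)
    return ("tweet", text) if len(text) < TWEET_LIMIT else ("link", text)


if __name__ == "__main__":
    # The PowerPC tweet from section 2, reused as constructed sample input.
    tweet = (r'ppc "\x38\xa0\x04\x03""\x30\x05\xfb\xff"+"\x7c\x24\x0b\x78"+"\x44\x00\x00\x02"+ '
             r'"\x69\x69\x69\x69"+"\x7c\x29\x03\xa6"+"\x4e\x80\x04\x21" #2ce')
    req = parse_tweet(tweet)
    print(req.arch, req.modes, req.syntax, req.code.hex())
    print(reply_for(disassemble(req) or ["(capstone not installed)"]))
```

The parser deliberately rejects tweets that carry neither the hashtag nor the @ceb0t mention, matching the FAQ's point that the bot never answers tweets that did not ask for it; the disassembly step is isolated so the parsing can be exercised even where Capstone is not available.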

4. FAQ

Our bot with the Twitter ID @CEb0t watches the Twitter stream for the hashtags #2ce and #cebot to pick up requests. Powered by the latest Capstone Engine, it disassembles the input hex-string, then sends the assembly back to the user via Twitter.

Note that the input code is disassembled with offset 0.

There are two main reasons why no assembly code is sent back.

Too bad, Twitter puts a tight limit on DMs: we can only send 15 DMs in 15 minutes, and this restriction effectively makes DMs useless for the bot. Therefore, CEbot has to stick with public tweets.

CEbot only answers requests carrying the hashtag #2ce or #cebot, and the tweet content must strictly follow the syntax presented in section 3 above. Ordinary tweets are unlikely to meet these requirements, so there is little chance that CEbot will bother anyone who did not explicitly ask for its service.

The main issue comes from Twitter itself, as users can only send short hex-strings: keep in mind that Twitter allows no more than 140 chars in a tweet.

In return, we work around this limit by sending back the assembly on Twitter only if the output is shorter than 140 chars. With longer code, we post the result on, then send back the link instead.