r2m2
play

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French - PowerPoint PPT Presentation

Aug 17, 2022 •468 likes •1.1k views

R2M2 RADARE2 + MIASM2 = @guedou - 09/09/2016 1 @GUEDOU? French hobbyist reverser network security researcher IPv6, DNS, TLS, BGP, DDoS mitigation, ... Scapy co-maintainer Python-based packet manipulation program & library neither

  1. R2M2 RADARE2 + MIASM2 = ♥ @guedou - 09/09/2016 1

  2. @GUEDOU? French hobbyist reverser network security researcher IPv6, DNS, TLS, BGP, DDoS mitigation, ... Scapy co-maintainer Python-based packet manipulation program & library neither a radare2 nor miasm2 power user 2

  3. I needed to implement a rare CPU architecture easily 3

  4. 3 Back in December 2015, only objdump knew this architecture 4

  5. 4 R2M2 GOALS? r2m2 is a radare2 plugin that aims to: use radare2 as a frontend to miasm2 tools, GUI, shortcuts, ... use miasm2 as a backend to radare2 asm/dis engine, symbolic execution, ... be architecture independent 5

  6. MIASM 101 6

  7. WHAT IS MIASM? Python-based reverse engineering framework with many features: assembling / disassembling x86 / ARM / MIPS / SH4 / MSP430 representing assembly semantic using intermediate language emulating using JIT ... See the official blog for examples and demos 7

  8. ASSEMBLING # Create a x86 miasm machine >>> from miasm2.analysis.machine import Machine >>> m = Machine("x86_32") # Get the mnemonic object >>> mn = m.mn() # Convert to an internal miasm instruction >>> instr = mn.fromstring("MOV AX, 1", 32) # Assemble all variants >>> mn.asm(instr) ['f\xb8\x01\x00', 'fg\xb8\x01\x00', 'f\xc7\xc0\x01\x00', 'fg\xc7\xc0\x01\x00'] 8

  9. DISASSEMBLING # Disassemble all variants >>> [str(mn.dis(x, 32)) for x in mn.asm(instr)] ['MOV AX, 0x1', 'MOV AX, 0x1', 'MOV AX, 0x1', 'MOV AX, 0x1'] 9

  10. MIASM INTERMEDIATE LANGUAGE # Disassemble a simple ARM instruction >>> m = Machine("arml") >>> instr = m.mn.dis("002088e0".decode("hex"), "l") # Display internal instruction arguments >>> instr.name, instr.args ('ADD', [ExprId('R2', 32), ExprId('R8', 32), ExprId('R0', 32)]) # Get the intermediate representation architecture object >>> ira = m.ira() # Get the instruction miasm intermediate representation >>> ira.get_ir(instr) ([ExprAff(ExprId('R2', 32), ExprOp('+', ExprId('R8', 32), ExprId('R0', 32)))], []) 10

  11. SYMBOLIC EXECUTION # Add the instruction to the current block >>> ira.add_instr(instr) # Display the IR block >>> for label, bloc in ira.blocs.items(): ... print bloc ... loc_0000000000000000:0x00000000 R2 = (R8+R0) IRDst = loc_0000000000000004:0x00000004 11 . 1

  12. # Import the symbolic execution object >>> from miasm2.ir.symbexec import symbexec # Create the symbolic execution object >>> s = symbexec(ira, ira.arch.regs.regs_init) # Emulate using default registers value >>> ret = s.emul_ir_bloc(ira, 0) # Dump modified registers >>> s.dump_id() R2 (R0_init+R8_init) IRDst 0x4 # miasm internal PC 11 . 2

  13. 11 . 2 # Import miasm expression objects >>> from miasm2.expression.expression import ExprId, ExprInt32 # Affect a value to R0 >>> s.symbols[ExprId("R0", 32)] = ExprInt32(0) >>> r = s.emul_ir_bloc(ira, 0) >>> s.dump_id() R2 R8_init # the expression was simplified [..] # Affect a value to R8 >>> s.symbols[ExprId("R8", 32)] = ExprInt32(0x2807) >>> r = s.emul_ir_bloc(ira, 0) >>> s.dump_id() R2 0x2807 # R0 + R8 = 0 + 0x2807 [..] 11 . 3

  14. 11 . 3 EMULATION / JIT Let's build a simple binary to emulate $ cat add.c int add (int a, int b) { return a+b; } main () { printf ("add (): %d\n", add (1, 2)); } $ gcc -m32 -o add add.c $ ./add add(): 3 12 . 1

  15. Then, build a miasm sandbox to emulate add() $ cat sandbox_r2con.py from miasm2.analysis.sandbox import Sandbox_Linux_x86_32 # Parse arguments parser = Sandbox_Linux_x86_32.parser(description="ELF sandboxer" parser.add_argument("filename", help="ELF Filename") options = parser.parse_args() # Create sandbox sb = Sandbox_Linux_x86_32(options.filename, options, globals()) # Get the address of add() addr = sb.elf.getsectionbyname(".symtab").symbols["add"].value # /!\ the last part of the code is on the next slide /!\ # 12 . 2

  16. 12 . 2 # /!\ the first part of the code is on the previous slide /!\ # # Push arguments on the stack sb.jitter.push_uint32_t(1) sb.jitter.push_uint32_t(0x2806) # Push the address of the implicit breakpoint sb.jitter.push_uint32_t(0x1337beef) # Run sb.jitter.jit.log_mn = True sb.run(addr) # Display the result print "\nadd(): 0x%x" % sb.jitter.cpu.EAX 12 . 3

  17. 12 . 3 Finally, emulate add() $ python sandbox_r2con.py ./add 080483E4 PUSH EBP 080483E5 MOV EBP, ESP 080483E7 MOV EAX, DWORD PTR [EBP+0xC] 080483EA MOV EDX, DWORD PTR [EBP+0x8] 080483ED ADD EAX, EDX 080483EF POP EBP 080483F0 RET add(): 0x2807 12 . 4

  18. 12 . 4 GDB SERVER $ python sandbox_r2con.py ./add -g 2807 Listen on port 2807 $ gdb (gdb) target remote localhost:2807 Remote debugging using localhost:2807 0x080483ff in ?? () (gdb) info registers eip eax eip 0x80483ff 0x80483ff eax 0x0 0 (gdb) c Continuing. Program received signal SIGTRAP, Trace/breakpoint trap. 0x1337beef in ?? () (gdb) info registers eip eax eip 0x1337beef 0x1337beef eax 0x3 3 13

  19. ADDING A NEW ARCHITECTURE TO MIASM 14

  20. HIGH-LEVEL CHECKLIST 1. registers in miasm2/arch/ARCH/regs.py 2. opcodes in miasm2/arch/ARCH/arch.py 3. semantic in miasm2/arch/ARCH/sem.py 15

  21. ADDING A NEW OPCODE IN ARCH.PY MIPS ADDIU Encoding 001001 ss ssst tttt iiii iiii iiii iiii The opcode is defined as: addop("addiu", [bs("001001"), rs, rt, s16imm], [rt, rs, s16imm]) 16 . 1

  22. The arguments are defined as: rs = bs(l=5, cls=(mips32_gpreg,)) rt = bs(l=5, cls=(mips32_gpreg,)) s16imm = bs(l=16, cls=(mips32_s16imm,)) mips32_* objects implement encode() and decode() methods that return miasm expressions! 16 . 2

  23. 16 . 2 ADDING A NEW OPCODE IN SEM.PY Solution#1 - Implement the logic with miasm expressions def addiu(ir, instr, reg_dst, reg_src, imm16): expr_src = ExprOp("+", reg_src, imm16.zeroExtend(32)) return [ExprAff(reg_dst, expr_src)], [] 17 . 1

  24. Solution#2 - Be lazy, and implement using the sembuilder @sbuild.parse def addiu(reg_dst, reg_src, imm16): reg_dst = reg_src + imm16 17 . 2

  25. 17 . 2 The resulting expression is: >>> ir.get_ir(instr) # instr being the IR of "ADDIU A0, A1, 2" ([ExprAff(ExprId('A0', 32), ExprOp('+', ExprId('A1', 32), ExprInt(uint32(0x2L))))], []) 17 . 3

  26. 17 . 3 R2 PLUGINS IN PYTHON 18

  27. RADARE2-BINDINGS BASED PLUGINS $ cat radare2-bindings_plugin_ad.py from miasm2.analysis.machine import Machine import r2lang def miasm_asm(buf): # [..] return asm_str def miasm_dis(buf): # [..] return [dis_len, dis_str] # /!\ the last part of the code is on the next slide /!\ # 19 . 1

  28. # /!\ the first part of the code is on the previous slide /!\ # def miasm_ad_plugin(a): return { "name": "miasm", "arch": "miasm", "bits": 32, "license": "LGPL3", "desc": "miasm2 backend with radare2-bindings", "assemble": miasm_asm, "disassemble": miasm_dis } r2lang.plugin("asm", miasm_ad_plugin) 19 . 2

  29. 19 . 2 Quite easy to use $ r2 -i radare2-bindings_plugin_ad.py /bin/ls -qc 'e asm.arch=miasm; pd 5' ;-- entry0: 0x004049de 31ed XOR EBP, EBP 0x004049e0 4989d1 MOV R9, RDX 0x004049e3 5e POP RSI 0x004049e4 4889e2 MOV RDX, RSP 0x004049e7 4883e4f0 AND RSP, 0xFFFFFFFFFFFFFFF0 As of today, only assembly and disassembly plugins can be implemented 19 . 3

  30. 19 . 3 CFFI BASED PLUGINS More steps must be taken: 1. call Python from C 2. access r2 structures from Python 3. build a r2 plugin The CFFI Python module produces a .so ! 20

  31. STEP#1 - CALL PYTHON FROM C Example: convert argv[1] in base64 from Python 1 - C side of the world $ cat test_cffi.h char* base64(char*); // under the hood, a Python function will be called $ cat test_cffi.c #include <stdio.h> #include "test_cffi.h" int main(int argc, char** argv) { printf("[C] %s\n", base64(argc>1?argv[1]:"r2con")); } 21 . 1

  32. 2 - Python side of the world $ cat cffi_test.py import cffi ffi = cffi.FFI() # Declare the function that will be exported ffi.embedding_api("".join(open("test_cffi.h").readlines())) # /!\ the last part of the code is on the next slide /!\ # 21 . 2

  33. 21 . 2 # /!\ the first part of the code is on the previous slide /!\ # # Define the Python module seen from Python ffi.set_source("python_embedded", '#include "test_cffi.h"') # Define the Python code that will be called ffi.embedding_init_code(""" from python_embedded import ffi @ffi.def_extern() def base64(s): s = ffi.string(s) # convert to Python string print "[P] %s" % s return ffi.new("char[]", s.encode("hex")) # convert to C string """) ffi.compile() 21 . 3

  34. 21 . 3 3 - compile $ python cffi_test.py # build python_embedded.so $ gcc -o test_cffi test_cffi.c python_embedded.so 21 . 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

R2M2 RADARE2 + MIASM2 = https://github.com/guedou/r2m2 @guedou - 28/01/2017 - REcon BRX

R2M2 RADARE2 + MIASM2 = https://github.com/guedou/r2m2 @guedou - 28/01/2017 - REcon BRX

R2M2 RADARE2 + MIASM2 = https://github.com/guedou/r2m2 @guedou - 28/01/2017 - REcon BRX 1 @GUEDOU? French hobbyist reverser network security researcher IPv6, DNS, TLS, BGP, DDoS mitigation, ... Scapy co-maintainer Python-based

1.48k views • 73 slides
USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart

USING MIASM TO FUZZ BINARIES WITH AFL @guedou - 22/06/2017 - BeeRumP 1 WHAT IS AFL? A smart fuzzer that uses code coverage needs an initial corpus ~20 different mutations strategies only keep mutated inputs that modify coverage source

868 views • 29 slides
Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie atomique et aux nergies alternatives June 17, 2017 Summary 1 Introduction 2 Use case: Shellcode Use case: EquationDrug from EquationGroup 3 Use

1.66k views • 143 slides
1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan

1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan

1.2 What Exactly is Economics? ECON 452 History of Economic Thought Fall 2020 Ryan Safner Assistant Professor of Economics safner@hood.edu ryansafner/thoughtF20 thoughtF20.classes.ryansafner.com Outline Interpretations

885 views • 46 slides
Spatial Modelling Patrick Brown Cancer Care Ontario 620 University Ave, 12th floor.

Spatial Modelling Patrick Brown Cancer Care Ontario 620 University Ave, 12th floor.

Spatial Modelling Patrick Brown Cancer Care Ontario 620 University Ave, 12th floor. patrick.brown@cancercare.on.ca With thanks to Paulo Ribeiro (Curitiba) and Chris Sherlock (Lancaster) for provision of course notes! Motivating

2.3k views • 181 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

672 views • 49 slides
An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

Background Evaluation An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle Malte Helmert University of Basel Switzerland June 15, 2016 Background Evaluation Outline Background 1 Evaluation 2

413 views • 23 slides
Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017 Introduction Merge-and-Shrink Evaluation of Merge Strategies Implementation Conclusion Motivation An important factor for the performance of

489 views • 22 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

1.13k views • 84 slides
Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International Conference on Audio for Virtual and Augmented Reality September 30th, 2016 Joseph G. Tylka (presenter) Edgar Y. Choueiri 3D Audio and Applied

441 views • 22 slides
Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick Richardson, Brian Nemsick and Douglas Reynolds Odyssey 2016 June 22, 2016 This work was sponsored by the Department of Defense under Air Force

413 views • 18 slides
Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows the recording of audio and video ( via webcam ) and slides together which can be shared with students. Its not a live broadcast and can be used

404 views • 11 slides
MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology

MICE Cavity Microphone Tests MTA Weekly RF Meeting Peter Lane Illinois Institute of Technology 1 Tests Description Use trigger hammer to capture physical taps trigger DAQ by completing a circuit on contact Tap ~5 times on each

390 views • 11 slides
Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt

Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt

Whats inside These slides are provided for GoToWebinar users. Please feel free to adapt these slides for your personal use and add them to your own PowerPoint files. Using these slides to perform GoToWebinar housekeeping and provide

287 views • 7 slides
CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for

CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for

CS 423 Operating System Design: Historical Memory Management Tianyin Xu (MIC) * Thanks for Prof. Adam Bates for the slides. CS 423: Operating Systems Design Storage Hierarchy CPU Registers Size Performance 32-64 bits Cache 4-128 words

994 views • 32 slides
Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel

Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel

Pattern Recognition Part 3: Beamforming Gerhard Schmidt Christian-Albrechts-Universitt zu Kiel Faculty of Engineering Institute of Electrical and Information Engineering Digital Signal Processing and System Theory Beamforming Contents

820 views • 44 slides
Meeting Recorder: Audio Processing Dan Ellis &lt;dpwe@ee.columbia.edu&gt; Lab ROSA , Columbia

Meeting Recorder: Audio Processing Dan Ellis &lt;dpwe@ee.columbia.edu&gt; Lab ROSA , Columbia

Meeting Recorder: Audio Processing Dan Ellis &lt;dpwe@ee.columbia.edu&gt; Lab ROSA , Columbia University and ICSI, Berkeley Outline 1 ICSI Meeting Recorder 2 Close-mics: cancellation &amp; turn estimation 3 Tabletop mics: turns &amp;

491 views • 11 slides
Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN

Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN

Regular logarithmic connections Motivic Geometry CAS Oslo Sep 8, 2020 Piotr Achinger IMPAN Warsaw I Regular connections (after Deligne) Regularity in dimension one = t d K = C (( t )) C [[ t ]] = O dt M fin. dim. over K

379 views • 22 slides
Open Microphone Meeting: USP General Chapter &lt;797&gt; Pharmaceutical Compounding Sterile

Open Microphone Meeting: USP General Chapter &lt;797&gt; Pharmaceutical Compounding Sterile

Open Microphone Meeting: USP General Chapter &lt;797&gt; Pharmaceutical Compounding Sterile Preparations October 21, 2015 2:00 p.m. to 4:00 p.m. EDT Agenda Welcome Overview of USPs Revision Process Overview of Revised General

506 views • 25 slides
OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc

OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc

OPTIMISING PARALLEL PROGRAMS ON XEON PHI Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Specialised Optimisations Some optimisation are specific to Xeon Phi only Offloading MPI performance Thread and process placement

138 views • 9 slides
the Xeon Phi Jie Lin, Qingbo Wu, Yusong Tan, Jie Yu, Qi Zhang, Xiaoling Li and Lei Luo College

the Xeon Phi Jie Lin, Qingbo Wu, Yusong Tan, Jie Yu, Qi Zhang, Xiaoling Li and Lei Luo College

MicRun A Framework for Scale-free Graph Algorithms on SIMD Architecture of the Xeon Phi Jie Lin, Qingbo Wu, Yusong Tan, Jie Yu, Qi Zhang, Xiaoling Li and Lei Luo College of Computer National University of Defense Technology 10/7/2017

522 views • 23 slides
Planning AV for your event All general use classrooms are equipped with: Sound system for

Planning AV for your event All general use classrooms are equipped with: Sound system for

Planning AV for your event All general use classrooms are equipped with: Sound system for laptop/video Video-Data Projector (VDP) DVD Player or optical drive Upgraded rooms also have: Computer (Login with UVic NetLink ID)

303 views • 11 slides

More recommend