Radare2 - a framework for reverse engineering, Maxime Morin - PowerPoint PPT Presentation

  1. radare2
  Radare2 - a framework for reverse engineering
  Maxime Morin (@Maijin212), Julien Voisin, Jeffrey Crowell (@jeffreycrowell), Anton Kochkov (@akochkov)
  October 22, 2015, Hack.lu 10-2015

  2. maxime morin
  • 22 y/o French expat @ Luxembourg
  • Food, travel and languages <3
  • I hate bullshit
  • Malware.lu CERT team leader (2 days/week) and incident response @ European Commission CSIRC (3 days/week)
  • User of radare2 (impossibru!)
  • I'm creating tests + documentation

  3. anton kochkov
  • Living in Moscow, Russia
  • Reverse engineering, languages and travel
  • Reverse engineer, firmware security analyst at SecurityCode Ltd.
  • Member of the r2 crew

  4. julien voisin
  • Living in Paris
  • I like to reverse/pwn things
  • Mostly bugfixer and warning silencer

  5. jeffrey crowell
  • Boston, MA, USA
  • Shellphish CTF

  6. generality on radare2 framework
  • r1 2006, r2 2009
  • Multi-(OSes, archs, bindings, file formats, ...)
  • 10 tools based on the framework
  • Around 149 contributors from various fields
  • GSoC + RSoC
  • CLI / visual mode / GUI / WebGUI
  • Around 350K LOC

  7. installation

  8. installation
  • Always use the git version!
  • Use the provided VM over SSH (radare:radare / root:radare)
  • git clone http://github.com/radare/radare2 && cd radare2 && ./sys/install.sh
  • Use the Windows installer: http://bin.rada.re/radare2.exe

  9. utilities

  10. utilities
  • rax2
  • rabin2
  • rasm2
  • radiff2
  • rafind2
  • rahash2
  • radare2
  • r2pm
  • rarun2/ragg2/ragg2-cc

  12. utilities: rax2
  rax2 — base converter
  $ rax2 10
  0xa
  $ rax2 33 0x41 0101b
  0x21 65 0x5
  $ rax2 -s 4142434445
  ABCDE
  $ rax2 0x5*101b+5
  30

  14. utilities: rabin2
  rabin2 — binary program info extractor
  $ rabin2 -e     Entrypoints
  $ rabin2 -i     Show imports
  $ rabin2 -zz    Show strings
  $ rabin2 -g     Show all possible information

  16. utilities: rasm2
  rasm2 — assembler and disassembler tool
  $ rasm2 -a x86 -b 32 'mov eax, 33'       Assemble
  $ rasm2 -d 9090                          Disassemble
  $ rasm2 -L                               List supported asm plugins
  $ rasm2 -a x86 -b 32 'mov eax, 33' -C    Output in C format

  18. utilities: radiff2
  radiff2 — unified binary diffing utility
  $ radiff2 original patched        Code diffing
  $ radiff2 -C original patched     Code diffing using the graphdiff algorithm
  $ radiff2 -g main -a x86 -b 32 original patched
    Graph diff output of the given symbol, or between two functions at given offsets (one for each binary)

  19. utilities: radiff2 — graph example [graph diff of /bin/true vs /bin/false]

  21. utilities: rafind2
  rafind2 — advanced command-line hexadecimal editor
  $ rafind2 -X -s passwd dump.bin    Search for the string passwd

  23. utilities: rahash2
  rahash2 — block based hashing utility
  $ rahash2 -a all binary.exe         Display hashes of the whole file with all algos
  $ rahash2 -B -b 512 -a md5          Compute md5 per block of 512 bytes
  $ rahash2 -B -b 512 -a entropy      Compute entropy per block of 512 bytes
  $ rahash2 -a md5 -s "admin"         Compute md5 of the string admin
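The per-block hashing and entropy of this slide, as an added Python example (not radare2's code): the same split-into-blocks logic rahash2 -B applies, with a per-block Shannon entropy that flags packed or encrypted regions. The sample bytes are constructed here; function names are chosen for this example.

```python
import hashlib
import math
import random

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def blocks(data: bytes, block_size: int) -> list:
    """Split data into consecutive blocks, like rahash2 -B -b <size>."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def block_md5(data: bytes, block_size: int = 512) -> list:
    """Counterpart of `rahash2 -B -b 512 -a md5`: one hex digest per block."""
    return [hashlib.md5(b).hexdigest() for b in blocks(data, block_size)]

def block_entropy(data: bytes, block_size: int = 512) -> list:
    """Counterpart of `rahash2 -B -b 512 -a entropy`: one entropy value per block."""
    return [shannon_entropy(b) for b in blocks(data, block_size)]

def high_entropy_offsets(data: bytes, block_size: int = 512, threshold: float = 7.0) -> list:
    """File offsets of blocks above the threshold: candidate packed/encrypted regions."""
    return [i * block_size
            for i, e in enumerate(block_entropy(data, block_size)) if e > threshold]

def string_md5(s: str) -> str:
    """Counterpart of `rahash2 -a md5 -s "admin"`."""
    return hashlib.md5(s.encode()).hexdigest()

# Constructed sample (not a real binary): a zero-filled block, a block of a
# repeating 4-byte stub, and a block of seeded pseudo-random bytes standing
# in for a packed or encrypted region.
_rng = random.Random(1)
SAMPLE = (bytes(512)
          + b"MZ\x90\x00" * 128
          + bytes(_rng.getrandbits(8) for _ in range(512)))

if __name__ == "__main__":
    for i, (h, e) in enumerate(zip(block_md5(SAMPLE), block_entropy(SAMPLE))):
        print(f"0x{i * 512:04x}  md5={h}  entropy={e:.2f}")
    print("high-entropy blocks at:", high_entropy_offsets(SAMPLE))
```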

  25. radare2 — command line

  26. 1 command <-> 1 reverse-engineering notion
  Keep in mind that:
  1. Every character has a meaning, e.g. w = write, p = print
  2. Every command is a succession of characters, e.g. pdf = p <-> print, d <-> disassemble, f <-> function
  3. Every command is documented with cmd?, e.g. pdf?, ?, ???, ?$?, ?@?

  27. the # command — hashing command
  1. Open a file with radare2: radare2 file.exe
  2. Get usage on the command: #?   (Usage: #algo <size> @ addr)
  3. List all existing algorithms: ##
  4. SHA1: #sha1
  5. Hashing from the beginning: #sha1 @ 0
  6. With a hash block size corresponding to the size of the file: #sha1 $s @ 0x0
  This command is the same as rahash2 -a sha1 file.exe

  28. flags
  • Flags are used to give a name to an offset: f?
  • Add a function: af+ hand-crafts a function (requires afb+)
  • f. name @ offset: set a local function label named 'name'
  • r2 is a block-based hexadecimal editor. Change the block size with the 'b' command.

  29. the i command — information command
  1. Get usage on the command: i?
  2. Same as rabin2
  3. izj for displaying in JSON
  4. Internal commands: ~, ls, {}, ..

  30. radare2 — 'major' command example: pf (quick demo)

  31. radare2 - types command example (quick demo)

  32. radare2 — CLI main commands
  1. r2 -A, or r2 then aaa : analysis
  2. s   : seek
  3. pdf : print disassembled function
  4. af? : analyse function
  5. ax? : analyse xrefs
  6. /?  : search
  7. ps? : print strings
  8. C?  : comments
  9. w?  : write

  33. radare2 — visual mode

  34. radare2 — visual mode main commands
  1. V? : visual help
  2. p/P : rotate print modes
  3. Move using arrows/hjkl
  4. o : seek to
  5. e : r2 configurator
  6. v : function list
  7. : HUD
  8. V : ASCII graph
  9. 0-9 : jump to function
  10. u : go back

  35. radare2 — webui

  36. radare2 webui
  r2 -A -c=H filename

  37. radare2 — debugger

  38. radare2 — debugger
  1. radare2 -d
  2. Quickly switch to visual debugger mode: Vpp
  3. OllyDbg/IDA Pro shortcut friendly

  40. r2pm — radare2 package manager
  1. r2pm -s (list all plugins)
  2. r2pm -i retdec

  41. debugging
  • Native local debug (r2 -d)
  • r2 agent (rap:// protocol)
  • GDB remote protocol support
  • WinDBG remote protocol support

  42. rarun2 && ragg2 && ragg2-cc
  1. Will be shown in Julien's and Crowell's parts

  43. now your turn!
  • Crackmes: IOLI-Crackme, flare-on 2015 challenges
  • Exploitation: pwnable.kr "bof", simple ret2libc demo, ropasaurus
  • Malware (1/3): Practical Malware Analysis samples
  • Malware (2/3): any RAT samples; see the decoders at https://github.com/kevthehermit/RATDecoders/
  • Malware (3/3): AVCaesar.lu, MalekalDB
  • Firmware/BIOS/UEFI: TODO

  44. documentation
  • Website: http://rada.re/
  • Blog: http://radare.today
  • Book: http://radare.gitbooks.io/radare2book/content
  • Cheatsheet: https://github.com/pwntester/cheatsheets/blob/master/radare2.md

  45. scripting capabilities
  Available for a lot of programming languages: radare2 bindings, r2pipe. Demo time!

  46. using r2 for exploit

  47. popular tools
  • gdb + peda - search memory, dereference stack/registers, debug
  • IDA - find xrefs/calls, debug
  • ROPgadget - search for gadgets
  • r2 can do all of this...

  48. getting binary info
  • "checksec" - get info: PIE, stack canaries, NX
  • find strings - find references to calls, etc.
  • find writable/executable sections
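A header-only "checksec" for the PIE, NX and RELRO points of this slide, as an added Python example (not radare2's or checksec's code): it reads the ELF64 header and program headers the way rabin2 -I reports them. The two ELF images are constructed in the block and contain no code; build_elf, HARDENED and WEAK are names chosen here.

```python
import struct

PT_GNU_STACK = 0x6474e551   # program header carrying the stack permissions
PT_GNU_RELRO = 0x6474e552   # region remapped read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3

def checksec(elf: bytes) -> dict:
    """Report PIE, NX and RELRO for a little-endian ELF64 image from its headers.
    Stack canaries are not covered here: spotting them needs the dynamic symbol
    table (an import of __stack_chk_fail), which a header-only check does not read."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx = False      # no PT_GNU_STACK at all: treated as an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed ELF64 header plus program headers with no code: test input only."""
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # e_ident: 64-bit, LE, v1
    hdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3e, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)            # e_phoff=64, e_phentsize=56
    for p_type, p_flags in phdrs:
        hdr += struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
    return hdr

# Constructed images: a hardened layout (PIE, non-executable stack, RELRO)
# and a weak one (fixed load address, RWX stack, no RELRO).
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
WEAK = build_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    print("hardened:", checksec(HARDENED))
    print("weak    :", checksec(WEAK))
```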

  49. getting binary info [demo screenshot]

  50. "telescoping" registers
  • "telescoping" registers
  • "telescoping" stack references
  • we lose our analysis capabilities in gdb

  51. "telescoping" registers
  • we can do the same thing with r2
  • display references to code/ASCII/etc. from registers/stack
  • quite useful for dynamic analysis
  • keep flags, symbols, etc.
  • drr (registers), pxr N @ esp/rsp (stack)

  52. knowing context is useful
  • does your register point to a string you control?
  • what's in the stack?
  • keep flags, symbols, etc.
  • use from within visual mode: 'e dbg.slow = true'

  53. pattern generate
  • De Bruijn patterns
  • made famous by metasploit's pattern_create.rb
  • cyclic patterns: find an offset in the string
  • Where's our faked struct/string/etc. being referenced?
  • Where did we crash?
  • ragg2 -P -r, or woD, to write a pattern
  • ragg2 -q, or woO, to find your offset
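The cyclic-pattern technique of this slide (ragg2 -P / woD to write, ragg2 -q / woO to look up), as an added Python example that is not radare2's or metasploit's code: a lazy de Bruijn generator plus the offset lookup used in crash triage to tell which bytes of a test input ended up in a register. ALPHABET, pattern_create and pattern_offset are names chosen here; the crash value in the usage block is constructed.

```python
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Lazily yield the de Bruijn sequence B(k, n) (FKM algorithm): every
    n-byte window occurs once, so any n bytes seen in a register pin an offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def pattern_create(length: int, alphabet: bytes = ALPHABET, n: int = 4) -> bytes:
    """Counterpart of `ragg2 -P <length>` / `woD`: a cyclic pattern of that length."""
    out = bytearray()
    for byte in de_bruijn(alphabet, n):
        if len(out) >= length:
            break
        out.append(byte)
    return bytes(out)

def pattern_offset(value, length: int, alphabet: bytes = ALPHABET, n: int = 4) -> int:
    """Counterpart of `ragg2 -q <value>` / `woO`: where `value` sits in the pattern.
    `value` is the bytes, or the little-endian integer as read with drr, that
    landed in a register; returns -1 when it did not come from the pattern."""
    if isinstance(value, int):
        value = value.to_bytes((value.bit_length() + 7) // 8, "little")
    return pattern_create(length, alphabet, n).find(value)

if __name__ == "__main__":
    # Constructed crash scenario: a 100-byte pattern was fed to a program and a
    # register now reads 0x43414141, i.e. the bytes "AAAC" in memory order.
    print(pattern_create(100)[:16])
    print("offset:", pattern_offset(0x43414141, 100))   # 5
```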

  54. debugger
  • native, or remote (windows, gdb, ...)
  • d?
  • db addr/flag
  • dc[u] : debug, continue [until]
  • visual mode "?" : c for cursor, b for breakpoints
  • starts in the loader: "dcu entry0" before doing any analysis

  55. debug 'profiles'
  • r2 -de dbg.profile=file.rr2 exec.elf
  • set custom arguments, redirect stdin/stdout to files/sockets
  • useful for reproducing environments

  56. context + patterns
  • bof from pwnable.kr [1]
  • super simple challenge: overflow a buffer
  • the offset must be at a certain place
  • let's use rarun2 + references + patterns!
  [1] Pwnable.kr (2015).

  57. context + patterns
  • write your own exploit ;)
