radare2 workshop Freshly graduated I dont know Windows 1 whoami - - PowerPoint PPT Presentation

radare2 workshop
SMART_READER_LITE
LIVE PREVIEW

radare2 workshop Freshly graduated I dont know Windows 1 whoami - - PowerPoint PPT Presentation

Jun 09, 2023 257 likes •577 views

October 22, 2015 Writing a crack for hack.lu 2015 radare2 workshop Freshly graduated I dont know Windows 1 whoami Julien (jvoisin) Voisin French 2 Piracy is bad, mkay. disclaimer 3 what is this? 4 and what is this?

slide-1
SLIDE 1

radare2 workshop

Writing a crack for October 22, 2015

hack.lu 2015

slide-2
SLIDE 2

whoami

Julien (jvoisin) Voisin ∙ French ∙ Freshly graduated ∙ I don’t know Windows

1

slide-3
SLIDE 3

disclaimer

Piracy is bad, m’kay.

2

slide-4
SLIDE 4

what is this?

3

slide-5
SLIDE 5

and what is this?

4

slide-6
SLIDE 6

but i still want to play!

Time to write a compatibility enhancement hotfix! While knowing close to nothing about the Windows world.

5

slide-7
SLIDE 7

but i still want to play!

Time to write a compatibility enhancement hotfix! While knowing close to nothing about the Windows world.

5

slide-8
SLIDE 8

where to look

In your virtual machine, in the nocd folder.

6

slide-9
SLIDE 9

finding the right function

7

slide-10
SLIDE 10

lets script some documentation fetcher for r2

You’ve got this one in your .radare2rc in the VM

8

slide-11
SLIDE 11

lets script some documentation fetcher for r2

You’ve got this one in your .radare2rc in the VM

8

slide-12
SLIDE 12

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-13
SLIDE 13

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-14
SLIDE 14

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-15
SLIDE 15

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-16
SLIDE 16

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-17
SLIDE 17

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-18
SLIDE 18

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-19
SLIDE 19

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-20
SLIDE 20

find where it’s called

Your turn! ∙ Find where GetDriveTypeA is called ∙ It’s likely an analysis command, about xref to something ∙ There are two locations:

∙ 0x4d65f6 ∙ 0x5352ee

∙ In what function do they belong? ∙ Still in analysis, function related, about information ∙ afi 0x4d65f6 ∙ afi 0x5352ee

9

slide-21
SLIDE 21

find where it’s called (cont.)

Your turn! ∙ 0x4d65f6 is called from two locations:

∙ 0x004d6550 ∙ 0x004ab1aa

∙ Which one is the relevant one? (check with VV) ∙ 0x004d6550 is the cd-check routine!

10

slide-22
SLIDE 22

find where it’s called (cont.)

Your turn! ∙ 0x4d65f6 is called from two locations:

∙ 0x004d6550 ∙ 0x004ab1aa

∙ Which one is the relevant one? (check with VV) ∙ 0x004d6550 is the cd-check routine!

10

slide-23
SLIDE 23

find where it’s called (cont.)

Your turn! ∙ 0x4d65f6 is called from two locations:

∙ 0x004d6550 ∙ 0x004ab1aa

∙ Which one is the relevant one? (check with VV) ∙ 0x004d6550 is the cd-check routine!

10

slide-24
SLIDE 24

find where it’s called (cont.)

Your turn! ∙ 0x4d65f6 is called from two locations:

∙ 0x004d6550 ∙ 0x004ab1aa

∙ Which one is the relevant one? (check with VV) ∙ 0x004d6550 is the cd-check routine!

10

slide-25
SLIDE 25

find where it’s called (cont.)

Your turn! ∙ 0x4d65f6 is called from two locations:

∙ 0x004d6550 ∙ 0x004ab1aa

∙ Which one is the relevant one? (check with VV) ∙ 0x004d6550 is the cd-check routine!

10

slide-26
SLIDE 26

patching time

  • 1. Reopen the binary in write mode with oo+
  • 2. Hardcode a return value for fcn.0x004d6550
  • 3. Play the game without the CD!

11

slide-27
SLIDE 27

my solution

12

slide-28
SLIDE 28

conclusion

∙ Having no CD reader sucks, ∙ Age of Empire is cool, ∙ So is radare2.

13

slide-29
SLIDE 29

conclusion

Radare2 is nice. You should use it.

13

slide-30
SLIDE 30

resources

∙ Github repo ∙ Official website ∙ The r2 blog ∙ The r2 book ∙ Twitter

14