SLIDE 1
Radare2 workshop, hack.lu 2015, October 22, 2015
shikata ga nai
Jaime (@NighetMan) Peñalba. This workshop is based on ideas and scripts from
SLIDE 2
disclaimer
SLIDE 3
where to find the material?
Please look at the shikata_ga_nai folder in the virtual machine
SLIDE 4
what are we going to do?
SLIDE 5
shikata ga nai
Unpack Shikata ga nai!
SLIDE 6
shikata ga nai
- Polymorphic
- 320 lines of msf-powered OOP Ruby
- We want the unpacked shellcode
SLIDE 7
how do we do it?
SLIDE 8
solutions
- Run it on your machine and see what happens
- Step-step-step-step-step-… in gdb
- Trace the execution in a virtual machine
- Use radare2 with ESIL!
SLIDE 12
but what is esil?
SLIDE 13
esil
- Evaluable String Intermediary Language
- Yet another intermediary language
- RPN-ish
- jz 0xaabbccdd : zf,?{,0xaabbccdd,eip,=,}
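To make the RPN shape of that expression concrete, here is a toy evaluator for a tiny ESIL subset. It is an added example for this page, not radare2's own evaluator (which has many more operators and richer flag handling); the only things it models are pushing numbers and register names, `=`, `+`, `-`, `^` and their `op=` forms, a simplified `==` that sets only `zf`, and the `?{ ... }` conditional block. Register names and the `jz` translation come from the slide; everything else is an illustrative simplification.

```python
"""Toy evaluator for a small ESIL subset (added example, not radare2 code).

ESIL is comma-separated reverse Polish notation: operands are pushed, an
operator pops what it needs. `zf,?{,0xaabbccdd,eip,=,}` therefore reads:
push zf; if it is zero skip to the matching "}", otherwise push 0xaabbccdd,
push eip, and "=" assigns the pushed value to the pushed register.
"""

MASK32 = 0xffffffff


class MiniEsil:
    def __init__(self, regs=None):
        self.regs = dict(regs or {})   # register file, e.g. {"eip": 0x1000, "zf": 1}
        self.stack = []                # operand stack of raw tokens (numbers or reg names)

    def _pop(self):
        """Pop a token and resolve it to a value (register contents or literal)."""
        tok = self.stack.pop()
        return self.regs[tok] if tok in self.regs else int(tok, 0)

    @staticmethod
    def _binop(op, top, second):
        # "4,eax,-" means eax - 4: the operand on top of the stack is the left side.
        return {"+": top + second, "-": top - second, "^": top ^ second}[op] & MASK32

    def run(self, esil):
        toks = esil.split(",")
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "?{":
                if self._pop() == 0:             # condition false: jump past matching "}"
                    depth = 1
                    while depth:
                        i += 1
                        if toks[i] == "?{":
                            depth += 1
                        elif toks[i] == "}":
                            depth -= 1
            elif t == "}":
                pass                              # end of a taken conditional block
            elif t == "=":
                dst = self.stack.pop()           # "src,dst,=": dst name is on top
                self.regs[dst] = self._pop() & MASK32
            elif t in ("+=", "-=", "^="):
                dst = self.stack.pop()
                self.regs[dst] = self._binop(t[0], self.regs[dst], self._pop())
            elif t in ("+", "-", "^"):
                top, second = self._pop(), self._pop()
                self.stack.append(str(self._binop(t, top, second)))
            elif t == "==":
                top, second = self._pop(), self._pop()
                self.regs["zf"] = int(top - second == 0)   # simplified: only zf is modelled
            else:
                self.stack.append(t)             # literal or register name
            i += 1
        return self.regs


def eval_esil(esil, regs):
    """Evaluate an ESIL string against a register dict; returns the updated registers."""
    return MiniEsil(regs).run(esil)
```

With `zf` set, `eval_esil("zf,?{,0xaabbccdd,eip,=,}", {"eip": 0x1000, "zf": 1})` leaves `eip` at `0xaabbccdd`; with `zf` clear the block is skipped and `eip` is untouched, which is exactly the behaviour of `jz` that radare2 is encoding.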
SLIDE 14
what can we do with this ?
SLIDE 15
esil
- Used for
- Emulation
- Decompilation
- Analysis
- Flamewars against other IL
SLIDE 19
how does emulation help us to dump the shellcode?
SLIDE 20
where to stop?
We can emulate the shellcode, but where do we stop?
- Instructions aren't fixed.
- Blocks are permuted.
- Registers are dynamically selected.
So what can we do?
SLIDE 21
reading the source code
It seems that the last instruction of the decoder stub is always a loop. So we can emulate the shellcode and dump the result from the last loop instruction till the end.
SLIDE 23
how do we use radare2/esil anyway?
SLIDE 24
r2pipe
SLIDE 25
languages
- NodeJS: npm install r2pipe
- Python: pip install r2pipe
- Ruby: gem install r2pipe
SLIDE 26
so let’s use esil?
SLIDE 27
plot twist
- FPU is currently not supported in ESIL :D
- FPU is used to get EIP with FNSTENV
- Polymorphic FPU instructions
SLIDE 29
can we emulate them then?
SLIDE 30
are those detected as fpu by r2?
- You've got the hello_world.py code
- Check if every opcode in the test_fpu.py one has the fpu family
- Feel free to do it in your favourite language!
SLIDE 31
my solution
SLIDE 32
ready to unpack shikata ga nai?
SLIDE 33
sum up
- 1. Initialize the ESIL VM
- 2. If the instruction is invalid
  2.1 We're at the end!
  2.2 Dump from the last encountered loop instruction to the end
- 3. Else, if the instruction is an FPU one
  3.1 If it's fnstenv, write the previously stored eip at esp
  3.2 Else, store eip
- 4. Else, if the instruction is loop, store its location
- 5. Step and go to 2.
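The following Python puts the fpu-family check from slide 30 and the five steps above into one script. It is an added example for this page, not the workshop author's solution (which lives in the virtual machine). The decision logic is kept as a pure function so it can be exercised on a recorded instruction stream without radare2 installed; `unpack_with_r2()` drives a real radare2 through r2pipe and needs both installed. Assumptions not stated on the slides: instruction records are shaped like radare2's `aoj` JSON (keys `addr` or `offset`, `size`, `type`, `family`, `mnemonic`); `fnstenv [esp-0xc]` places the saved FPU instruction pointer exactly at `[esp]`, which is why the recipe writes the stored eip there; FPU instructions are hopped over by moving eip rather than stepped, since ESIL cannot execute them; and `io.cache` is enabled so the decoder's self-modifying writes land in the buffer that `aoj` decodes from.

```python
"""Unpack shikata_ga_nai with ESIL (added example; not the workshop's own script).

decide() is one turn of the recipe (steps 2-5); replay() runs it over a
recorded stream; unpack_with_r2() runs it live through r2pipe. Assumed
record shape: radare2 `aoj` JSON ("addr"/"offset", "size", "type",
"family", "mnemonic").
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOP_MNEMONICS = {"loop", "loope", "loopne", "loopz", "loopnz"}


@dataclass
class UnpackState:
    last_fpu_eip: Optional[int] = None   # address of last non-fnstenv FPU insn (what FIP would hold)
    last_loop_end: Optional[int] = None  # first byte after the last loop instruction seen


def op_addr(op: dict) -> int:
    # Older radare2 versions report "offset", newer ones "addr" (assumption).
    return op["addr"] if "addr" in op else op["offset"]


def mnemonic(op: dict) -> str:
    return (op.get("mnemonic") or op.get("opcode", "").split(" ")[0]).lower()


def is_fpu(op: dict) -> bool:
    """Slide 30's check: does radare2 put this opcode in the fpu family?"""
    return op.get("family") == "fpu"


def decide(op: dict, st: UnpackState) -> Tuple:
    """One iteration of the recipe. Mutates st and returns an action:
    ("dump", start, end)  invalid insn: the decoded payload is [start, end)
    ("write_fip", value)  fnstenv: store value at [esp], then hop over the insn
    ("skip",)             other FPU insn: its eip is remembered, hop over it
    ("step",)             anything else: let ESIL execute it
    """
    addr = op_addr(op)
    if op.get("type") == "invalid":
        if st.last_loop_end is None:
            raise ValueError("hit an invalid instruction before any loop")
        return ("dump", st.last_loop_end, addr)
    if is_fpu(op):
        if mnemonic(op) == "fnstenv":
            if st.last_fpu_eip is None:
                raise ValueError("fnstenv before any other FPU instruction")
            return ("write_fip", st.last_fpu_eip)
        st.last_fpu_eip = addr
        return ("skip",)
    if mnemonic(op) in LOOP_MNEMONICS:
        st.last_loop_end = addr + op["size"]   # payload starts right after the loop
    return ("step",)


def replay(ops: List[dict]) -> Tuple[int, int]:
    """Run decide() over an already-recorded instruction stream; return the dump range."""
    st = UnpackState()
    for op in ops:
        action = decide(op, st)
        if action[0] == "dump":
            return action[1], action[2]
    raise ValueError("stream ended without an invalid instruction")


def unpack_with_r2(path: str, max_steps: int = 200000) -> bytes:
    """Drive radare2 via r2pipe (needs radare2 and the r2pipe module installed)."""
    import r2pipe
    r2 = r2pipe.open(path, flags=["-a", "x86", "-b", "32"])
    r2.cmd("e io.cache=true")           # let ESIL's self-modifying writes hit the buffer
    r2.cmd("aei; aeim; aeip")           # step 1: init VM, stack, eip = current offset
    st = UnpackState()
    for _ in range(max_steps):
        eip = int(r2.cmd("aer eip").strip(), 16)
        op = r2.cmdj("aoj @ %#x" % eip)[0]
        action = decide(op, st)
        if action[0] == "dump":
            start, end = action[1], action[2]
            return bytes.fromhex(r2.cmd("p8 %d @ %#x" % (end - start, start)).strip())
        if action[0] == "write_fip":
            esp = int(r2.cmd("aer esp").strip(), 16)
            r2.cmd("wv4 %#x @ %#x" % (action[1], esp))   # emulate fnstenv's FIP slot
        if action[0] in ("write_fip", "skip"):
            r2.cmd("aer eip=%#x" % (eip + op["size"]))   # ESIL can't run x87: hop over it
        else:
            r2.cmd("aes")                                 # step 5
    raise RuntimeError("step limit reached without finding the end")


# Constructed instruction stream (not real shikata output) that hits every branch.
SAMPLE_STREAM = [
    {"addr": 0x1000, "size": 2, "type": "fpu", "family": "fpu", "mnemonic": "fcmovnbe"},
    {"addr": 0x1002, "size": 4, "type": "fpu", "family": "fpu", "mnemonic": "fnstenv"},
    {"addr": 0x1006, "size": 1, "type": "pop", "family": "cpu", "mnemonic": "pop"},
    {"addr": 0x1007, "size": 5, "type": "mov", "family": "cpu", "mnemonic": "mov"},
    {"addr": 0x100c, "size": 4, "type": "xor", "family": "cpu", "mnemonic": "xor"},
    {"addr": 0x1010, "size": 2, "type": "cjmp", "family": "cpu", "mnemonic": "loop"},
    {"addr": 0x1012, "size": 2, "type": "xor", "family": "cpu", "mnemonic": "xor"},
    {"addr": 0x1014, "size": 2, "type": "swi", "family": "cpu", "mnemonic": "int"},
    {"addr": 0x1016, "size": 1, "type": "invalid", "family": "cpu", "mnemonic": "invalid"},
]
```

On the constructed stream, `replay(SAMPLE_STREAM)` returns `(0x1012, 0x1016)`: the two instructions after the `loop` are the payload, and the walk stops at the first invalid opcode. Against a real sample, `unpack_with_r2("shikata.bin")` returns those bytes from the emulated memory; the loop counter in `ecx` and the XOR key both come out of the emulation itself, so nothing about the polymorphic stub has to be hard-coded.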
SLIDE 34
your turn!
SLIDE 35
my solution
SLIDE 36
conclusion
SLIDE 37
conclusion
- ESIL is cool
- Still WIP
- More to come!
SLIDE 38
conclusion
Radare2 is nice. You should use it.
SLIDE 39
resources
- Github repo
- Official website
- The r2 blog
- The r2 book