Jekyll2022-07-23T18:24:16+00:00https://monosource.github.io/atom.xmlmonosourcemonosourceBinaryNinja API - Common and Uncommon Tricks2018-10-31T00:25:06+00:002018-10-31T00:25:06+00:00https://monosource.github.io/tutorial/2018/10/31/binaryninja-tricks<h1 id="introduction">Introduction</h1>
<p>I find myself reaching for <a href="https://binary.ninja/">BinaryNinja</a> more and more these days, navigating and experimenting with the <a href="https://api.binary.ninja/">API</a>. This post will cover a few things I’ve picked up over the last few months by fiddling around.</p>
<h1 id="global-variables">Global variables</h1>
<p>The integrated python interpreter comes with a few context-sensitive global variables which can be used in your snippets of code. You’ll find these <a href="https://docs.binary.ninja/getting-started/index.html#script-python-console">here</a>.</p>
<h1 id="patching">Patching</h1>
<p>As you may know, BinaryNinja has extensive patching features built-in, accessible directly from the GUI - you can patch to NOP, edit one line, assemble an arbitrary amount of instructions or even compile from C.</p>
<p>But you can also write some code snippets to do some more complex patching tasks. It’s as simple as <code class="language-plaintext highlighter-rouge">data = bv.read(address, length)</code>, process the data, then <code class="language-plaintext highlighter-rouge">bv.write(address, data)</code>.</p>
<h1 id="hex-editing">Hex editing</h1>
<p>I find BinaryNinja to be a very good hex editor, especially given the built-in tranform tools for common tasks such as XOR-ing with a key, decoding base64 or grabbing the data to use elsewhere.</p>
<p><img src="https://raw.githubusercontent.com/monosource/monosource.github.io/master/images/bn_hex_edit_1.png" alt="bn_hex_edit_1" /></p>
<p>There are a few coloring options available: you can make ASCII values stand out or only colorize values which have been modified (through the GUI or the API). One use case for this feature would be to take two memory dumps of the same process at two different points in time and patch the bytes which have been changed. Coloring the bytes can help see patterns in the way the data was written.</p>
<p><img src="https://raw.githubusercontent.com/monosource/monosource.github.io/master/images/bn_hex_edit_2.png" alt="bn_hex_edit_2" /></p>
<h1 id="syscall-based-function-renaming">Syscall-based function renaming</h1>
<p>This has been done before by great people in the community, such as <a href="https://github.com/carstein/Syscaller">carstein</a>.</p>
<p>I have a small snippet (and a large JSON) which I use when analyzing statically linked ARM binaries, which uses the MLIL.</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">for</span> <span class="n">func</span> <span class="ow">in</span> <span class="n">bv</span><span class="p">.</span><span class="n">functions</span><span class="p">:</span>
<span class="n">mlil_inst</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="n">mlil_instructions</span><span class="p">)</span>
<span class="k">for</span> <span class="n">mi</span> <span class="ow">in</span> <span class="n">mlil_inst</span><span class="p">:</span>
<span class="k">if</span> <span class="n">mi</span><span class="p">.</span><span class="n">operation</span> <span class="o">==</span> <span class="n">MediumLevelILOperation</span><span class="p">.</span><span class="n">MLIL_SYSCALL</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">syscall_num</span> <span class="o">=</span> <span class="n">mi</span><span class="p">.</span><span class="n">params</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">value</span><span class="p">.</span><span class="n">value</span>
<span class="k">print</span> <span class="s">"[+] syscall: "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">syscall_num</span><span class="p">)</span> <span class="o">+</span> <span class="s">" ("</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">arm_syscalls</span><span class="p">[</span><span class="n">syscall_num</span><span class="p">])</span> <span class="o">+</span> <span class="s">") in "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="n">name</span><span class="p">)</span>
<span class="n">func</span><span class="p">.</span><span class="n">name</span> <span class="o">+=</span> <span class="s">'_'</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">arm_syscalls</span><span class="p">[</span><span class="n">syscall_num</span><span class="p">])</span>
<span class="k">except</span><span class="p">:</span>
<span class="k">pass</span></code></pre></figure>
<p>(Note to self: I should probably refactor this at some point, replace the <code class="language-plaintext highlighter-rouge">try</code>-<code class="language-plaintext highlighter-rouge">except</code> block with something more sane, such as <code class="language-plaintext highlighter-rouge">hasattr</code>). This will also rename functions by appending the syscall names, which makes analysis much easier, since most library functions are wrappers over native syscalls.</p>
<p><img src="https://raw.githubusercontent.com/monosource/monosource.github.io/master/images/bn_renamed_functions_syscalls.png" alt="renamed_functions" /></p>
<h1 id="mixed-platforms">Mixed platforms</h1>
<p>Recently, I had to deal with solving a CTF challenge which mixed 32bit and 64bit code. If you never came across such a challenge, you should know that most tools are lacking when it comes to dealing with them. Naturally, I assumed BN would also suffer from this shortcoming.</p>
<p>Let’s take a look at a short example (assemble with FASM; I couldn’t manage to coax NASM to create an ELF32 with 64bit code in it):</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">format</span> <span class="nv">ELF</span> <span class="nv">executable</span>
<span class="nf">segment</span> <span class="nv">readable</span> <span class="nv">executable</span>
<span class="nf">macro</span> <span class="nv">swap32_64</span> <span class="nb">ds</span><span class="nv">t</span> <span class="err">{</span>
<span class="nf">use32</span>
<span class="nf">push</span> <span class="mh">0x33</span>
<span class="nf">push</span> <span class="nb">ds</span><span class="nv">t</span>
<span class="nf">retf</span>
<span class="err">}</span>
<span class="nf">macro</span> <span class="nv">swap64_32</span> <span class="nb">ds</span><span class="nv">t</span> <span class="err">{</span>
<span class="nf">use32</span>
<span class="nf">push</span> <span class="nb">ds</span><span class="nv">t</span>
<span class="nf">mov</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="kt">dword</span> <span class="mh">0x23</span>
<span class="nf">retf</span>
<span class="err">}</span>
<span class="nf">use64</span>
<span class="nl">hello64:</span>
<span class="nf">push</span> <span class="nb">rbp</span>
<span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span>
<span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="mi">1</span>
<span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="mi">1</span>
<span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nv">hello64_str</span>
<span class="nf">mov</span> <span class="nb">rdx</span><span class="p">,</span> <span class="mi">19</span>
<span class="nf">syscall</span>
<span class="nf">leave</span>
<span class="nf">ret</span>
<span class="nf">use32</span>
<span class="nl">hello32:</span>
<span class="nf">push</span> <span class="nb">ebp</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">4</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">1</span>
<span class="nf">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="nv">hello32_str</span>
<span class="nf">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="mi">19</span>
<span class="nf">int</span> <span class="mh">0x80</span>
<span class="nf">leave</span>
<span class="nf">ret</span>
<span class="nf">entry</span> <span class="kc">$</span>
<span class="nl">_start:</span>
<span class="nf">push</span> <span class="nb">ebp</span>
<span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span>
<span class="nf">call</span> <span class="nv">hello32</span>
<span class="nf">swap32_64</span> <span class="nv">call64</span>
<span class="nl">call64:</span>
<span class="nf">call</span> <span class="nv">hello64</span>
<span class="nf">swap64_32</span> <span class="nv">do_exit</span>
<span class="nl">do_exit:</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">1</span>
<span class="nf">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">0</span>
<span class="nf">int</span> <span class="mh">0x80</span>
<span class="nf">leave</span>
<span class="nf">ret</span>
<span class="nf">segment</span> <span class="nv">readable</span> <span class="nv">writable</span>
<span class="nl">hello64_str:</span> <span class="kd">db</span> <span class="s">"Hello from 64bits!"</span><span class="p">,</span> <span class="mh">0xa</span><span class="p">,</span> <span class="mi">0</span>
<span class="nl">hello32_str:</span> <span class="kd">db</span> <span class="s">"Hello from 32bits!"</span><span class="p">,</span> <span class="mh">0xa</span><span class="p">,</span> <span class="mi">0</span></code></pre></figure>
<p><img src="https://raw.githubusercontent.com/monosource/monosource.github.io/master/images/x86_64_confusion.png" alt="x86_64_confusion" /></p>
<p>As you can see, Ninja disassembles the function as 32bit code. It’s still readable, but that’s because this is a simple example, with very little instruction variety. We can actually undefine this function and use the API to create it as a <code class="language-plaintext highlighter-rouge">Linux x86_64</code> function by explicitly specifying the Platform in the <a href="https://api.binary.ninja/binaryninja.binaryview-module.html#binaryninja.binaryview.BinaryView.create_user_function">BinaryView.create_user_function</a> method.</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="n">x64_func</span> <span class="o">=</span> <span class="n">bv</span><span class="p">.</span><span class="n">get_function_at</span><span class="p">(</span><span class="n">here</span><span class="p">)</span>
<span class="n">bv</span><span class="p">.</span><span class="n">remove_function</span><span class="p">(</span><span class="n">x64_func</span><span class="p">)</span>
<span class="n">bv</span><span class="p">.</span><span class="n">create_user_function</span><span class="p">(</span><span class="n">here</span><span class="p">,</span> <span class="n">Platform</span><span class="p">[</span><span class="s">'linux-x86_64'</span><span class="p">])</span></code></pre></figure>
<p><img src="https://raw.githubusercontent.com/monosource/monosource.github.io/master/images/x86_64_clean.png" alt="x86_64_clean" /></p>
<p>Much better!</p>
<p>This approach can also be used when dealing with obfuscation that uses Virtual CPUs. You need to define your own Architecture (there’s a great <a href="https://blog.ret2.io/2017/10/17/untangling-exotic-architectures-with-binary-ninja/">post</a> on RET2systems on how to write your own custom architecture plugin) and then define functions, specifying the current Platform and new Architecture. In this way, you won’t have to switch tabs/notes/files; you can have consistent offsets, jump targets and so on in a single view.</p>
<h1 id="closing">Closing</h1>
<p>That’s it for this post! If you found this post helpful, have any questions or comments, or would like to share some of your own tricks, drop me a line on <a href="https://twitter.com/monosrc">Twitter</a>.</p>monosourceIntroductionPlaidCTF 2018 - APLunatic Writeup2018-05-08T00:25:06+00:002018-05-08T00:25:06+00:00https://monosource.github.io/writeup/2018/05/08/plaidctf-aplunatics<h1 id="context">Context</h1>
<p>PlaidCTF was pretty neat and a bit wacky, as always. I managed to tackle a few challenges, one of them being this slice of insanity right here.</p>
<blockquote>
<p>Disclaimer: I am not an APL programmer, though I really enjoy the language from a conceptual point of view (terseness and expressivity through notation); and I have been called a lunatic on many occasions.</p>
</blockquote>
<p>In this post, I will give you a brief overview of APL basics, since we will be using the language itself to solve the challenge. You may skip over it and go straight for the solution description if you’re not interested (though you would be missing out on some <del>crazy</del> cool language features that APL provides).</p>
<p>At its core, APL is a functional programming language, dealing with functions and operators (higher-order functions which take other functions as arguments). One of the learning difficulties most often cited comes not from the high-level abstractions (I’m sure most of you are comfortable with Python’s own <code class="language-plaintext highlighter-rouge">map</code>, <code class="language-plaintext highlighter-rouge">lambda</code>, <code class="language-plaintext highlighter-rouge">filter</code> and so on), but the notation used. APL has its own set of 50 (close to 80 in modern implementations) Unicode characters, each denoting a function or operator, making the code very dense (and the language very adequate for tasks such as code golfing) and somewhat challenging to read for newcomers.</p>
<h1 id="a-quick-introduction-to-apl">A quick introduction to APL</h1>
<p>If you’re up for some brain twisters, accompanied by the soothing voice of John Scholes, then I highly recommend <a href="https://www.youtube.com/watch?v=DsZdfnlh_d0">these</a> <a href="https://www.youtube.com/watch?v=DmT80OseAGs">three</a> <a href="https://www.youtube.com/watch?v=a9xAKttWgP4">videos</a>. If you need a more gentle introduction, then keep reading.</p>
<h2 id="functions">Functions</h2>
<p>A function in APL is denoted by a pair of curly braces (<code class="language-plaintext highlighter-rouge">{}</code>) containing an expression. Functions come in two flavors, monadic (or unary, single argument) and dyadic (binary, two arguments).</p>
<p>A monadic function has a single right-hand side argument, denoted by the formal parameter <code class="language-plaintext highlighter-rouge">⍵</code>. A dyadic function also has a left-hand side argument denoted by <code class="language-plaintext highlighter-rouge">⍺</code>.</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ The function f(x) = x + 1 applied to 1.
{⍵ + 1} 1
2
⍝ The function f(x,y) = x * y; note that "*" in APL is actually "pow"
2 {⍺ × ⍵} 5
10</code></pre></figure>
<h2 id="arrays">Arrays</h2>
<p>APL works beautifully with arrays of any dimension. Most functions will work over arrays without any extra work from the programmer.</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ Numbers 1 through 8; APL is 1-indexed
⍳ 8
1 2 3 4 5 6 7 8
⍝ The "shape" of the previous array; for a 1D array, this will be the length
⍴ ⍳ 8
8
⍝ The 2x4 "reshape" of the array creates a 2D matrix
2 4 ⍴ ⍳ 8
1 2 3 4
5 6 7 8
⍝ Applying our simple function over the matrix
{⍵ + 1} 2 4 ⍴ ⍳ 8
2 3 4 5
6 7 8 9</code></pre></figure>
<p>You may have noticed that we used the same <em>rho</em> symbol to accomplish two related, but different things. Most symbols in APL denote both a monadic and a dyadic function. Depending on the presence of a left argument, functions will behave differently, which adds more difficulty in understanding APL code.</p>
<h2 id="operators">Operators</h2>
<p>These higher-order functions take other functions as arguments and applies them over data in various ways. This concept shouldn’t be new to you, since Python’s <code class="language-plaintext highlighter-rouge">map</code> does precisely that.</p>
<p>For instance, this is how we square all the numbers of a list in Python:</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="nb">map</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="o">*</span><span class="n">x</span><span class="p">,</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">10</span><span class="p">))</span>
<span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">81</span><span class="p">]</span></code></pre></figure>
<p>…and APL:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ Reads as: "the squaring function applied to each of the numbers 1 through 9"
{⍵ × ⍵} ¨ ⍳ 9
1 4 9 16 25 36 49 64 81</code></pre></figure>
<p>APL has many more operators and functions, but in the name of brevity I won’t cover them all. I’ll introduce some new ones as needed while describing the challenge solution.</p>
<h1 id="the-challenge">The challenge</h1>
<p>The code which we had to reverse was this:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⎕IO←0⋄'BIE°?½>IL½E.!!<E!:E84¥¸²E23Å8»968'{ {⍵(~⍵)/'success' 'fail'}⊃(+/⍺=⎕UCS 13+{+/⍵/⌽2*⍳⍴⍵}¨,/33 8⍴(8×⍴⍵)⍴7⌽⍉(-⌊(⍴'f0xtr0t')÷2)⌽⍉11 24⍴∊{a≠8↑(0,a←(8⍴2)⊤⍵)}¨⌽⎕UCS ⍵)=⍴⍺}'INPUT HERE'</code></pre></figure>
<p>Looks pretty daunting at first, but if we don’t stray from basic principles, we can keep our sanity in check.</p>
<p>The <code class="language-plaintext highlighter-rouge">⎕IO←0⋄</code> seems superfluous. The diamond symbol is a statement separator; on its own, the statement reads a number from the standard input. We can safely move over this part.</p>
<p>From afar, the code can be simplified as follows: <code class="language-plaintext highlighter-rouge">'some result string' {some dyadic function} 'user input'</code>. That’s all there is to it. My approach is to construct the inverse of this function such that, when applied on the result string, yields the original input. With that in mind, let’s break the code down.</p>
<h2 id="string-equality">String equality</h2>
<p>How do we check to see if two strings are identical in APL? Let’s construct such a function step by step:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ The 'equals' function in APL behaves as expected on singular items
'a' = 'b'
0
'a' = 'a'
1
⍝ However, this behaviour changes in a slightly unexpected way when expanding it over arrays
'abcd' = 'agcf'
1 0 1 0
⍝ The simplest way to test string equality is to reduce (/) a logical AND over the resulting binary array
'abcd' {∧ / ⍺ = ⍵} 'agcf'
0
'abcd' {∧ / ⍺ = ⍵} 'abcd'
1
⍝ We can then write a function which maps the values 1/0 over 'equal'/'not equal'
'abcd' { {⍵ (~⍵)/'equal' 'not equal'} ∧ / ⍺ = ⍵} 'abcd'
equal </code></pre></figure>
<p>It’s starting to look a bit like the ‘success’/’fail’ function in our challenge, but it’s not quite there. The challenge maker chose a slightly more convoluted way of comparing strings. Instead of performing a logical AND over the resulting array, it sums the array and compares the sum with the length of the string, as in the following example:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">'abcd' {+/⍺=⍵} 'agcf'
2
'abcd' {(+/⍺=⍵)=⍴⍺} 'abcd'
0
'abcd' {(+/⍺=⍵)=⍴⍺} 'abcd'
1</code></pre></figure>
<p>With the string comparison out of the way, we can further simplify our challenge by removing the ‘success’/’fail’ function and the equality test. Since the encoded flag was used only for comparison, we can store it away and convert the challenge into a monadic function.</p>
<h2 id="conversions">Conversions</h2>
<p>We’re down to the following code:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">enc_flag ← 'BIE°?½>IL½E.!!<E!:E84¥¸²E23Å8»968'
challenge ← {⎕UCS 13+{+/⍵/⌽2*⍳⍴⍵}¨,/33 8⍴(8×⍴⍵)⍴7⌽⍉(-⌊(⍴'f0xtr0t')÷2)⌽⍉11 24⍴∊{a≠8↑(0,a←(8⍴2)⊤⍵)}¨⌽⎕UCS ⍵}</code></pre></figure>
<p>Again, staying with basic principles, analyzing APL functions can be done iteratively starting from the right. Our input string is denoted by the formal parameter <code class="language-plaintext highlighter-rouge">⍵</code>. <code class="language-plaintext highlighter-rouge">UCS</code> converts the string into an array of corresponding decimal ASCII values. <code class="language-plaintext highlighter-rouge">⌽</code> reverses the the array.</p>
<p>The next function in line is very interesting. Let’s reconstruct it:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ Eight twos
8⍴2
2 2 2 2 2 2 2 2
⍝ The "eight twos" (8bit) encoding of the value 123
(8⍴2)⊤123
0 1 1 1 1 0 1 1
⍝ We store the value in a and prepend a 0 to the result
{(0,a←(8⍴2)⊤⍵)} 123
0 0 1 1 1 1 0 1 1
⍝ We take the first 8 elements
{8↑(0,a←(8⍴2)⊤⍵)} 123
0 0 1 1 1 1 0 1
⍝ We compare if not equal...?
{a≠8↑(0,a←(8⍴2)⊤⍵)} 123
0 1 0 0 0 1 1 0
⍝ Actually, ≠ denotes XOR
1 0 1 ≠ 0 1 0
1 1 1</code></pre></figure>
<p>What this code essentially does is <code class="language-plaintext highlighter-rouge">f(x) = x ^ (x >> 1)</code>; this XOR shift has some interesting properties, one being that successive elements differ in exactly one bit; we’ll see another interesting property when we get to (finally) solving the challenge.</p>
<p>I’ll skip the middle part in order to focus on another conversion function, namely <code class="language-plaintext highlighter-rouge">{+/⍵/⌽2*⍳⍴⍵}</code>. I’ll leave it as an exercise to reconstruct it as before. This function can be read as: “The sum over omega over the reversed array of the powers of two”, which is just a fancy way of saying binary-to-decimal. However, the ability to decode a binary number is implemented as primitive in APL:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">{+/⍵/⌽2*⍳⍴⍵} 0 1 1 1 1 0 1 1
123
2⊥0 1 1 1 1 0 1 1
123</code></pre></figure>
<h2 id="reshaping-transposed-rotations">Reshaping transposed rotations</h2>
<p>The middle part which we haven’t covered is this: <code class="language-plaintext highlighter-rouge">33 8⍴(8×⍴⍵)⍴7⌽⍉(-⌊(⍴'f0xtr0t')÷2)⌽⍉11 24⍴∊</code></p>
<p>Again, in right-to-left order, the unary <code class="language-plaintext highlighter-rouge">∊</code> flattens our array of arrays of 8 bits into a single array of bits. Then we reshape these bits into an 11-by-24 matrix. This matrix then gets transposed, then rotated with a left argument given by <code class="language-plaintext highlighter-rouge">(-⌊(⍴'f0xtr0t')÷2)</code>. We can simply evaluate this part and see that we get the value <code class="language-plaintext highlighter-rouge">-3</code> (being the length of the string “f0xtr0t”, divided by two, rounded down and sign-inverted).</p>
<p>This in turn goes through another transposition and another rotation, this time of <code class="language-plaintext highlighter-rouge">7</code>. This result first gets reshaped into a flat array of 264 bits (the result of <code class="language-plaintext highlighter-rouge">(8×⍴⍵)⍴</code>), which again gets reshaped into a 33 by 8 matrix. Lastly, each 8bit row of this matrix gets decoded back into decimal, giving us our resulting encoded flag.</p>
<h2 id="reversal">Reversal</h2>
<p>To sum up what the encoding function did so far:</p>
<ol>
<li>Convert the string from array of characters to array of corresponding ASCII decimals.</li>
<li>Reverse the array.</li>
<li>Convert each value to an array of 8 bits and apply <code class="language-plaintext highlighter-rouge">x^(x>>1)</code> over each.</li>
<li>Reshape into an 11-by-24 matrix.</li>
<li>Transpose and rotate by -3.</li>
<li>Transpose and rotate by 7.</li>
<li>Reshape into a 33-by-8 matrix.</li>
<li>Convert back to decimal. Add 13.</li>
<li>Convert back to “ASCII” (actually, APL uses Unicode by default).</li>
</ol>
<p>All we need to do is go through the steps in reverse, making sure to change the order in which transpositions and rotations are performed.</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ Our encoded flag
enc_flag
BIE°?½>IL½E.!!<E!:E84¥¸²E23Å8»968
⍝ Convert to decimal
{⎕UCS ⍵} enc_flag
66 73 69 176 63 189 62 73 76 189 69 46 33 33 60 69 33 58 69
56 52 165 184 178 69 50 51 197 56 187 57 54 56
⍝ Subtract 13
{¯13+⎕UCS ⍵} enc_flag
53 60 56 163 50 176 49 60 63 176 56 33 20 20 47 56 20 45 56
43 39 152 171 165 56 37 38 184 43 174 44 41 43
⍝ decimal to 8 bits function
bin ← {(8⍴2)⊤⍵}
⍝ Each element -> 8 bit array
{bin¨ ¯13+⎕UCS ⍵} enc_flag
⍝ 11 by 24 reshape
{11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
⍝ Reverse the transpositions and rotations
{⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
⍝ The 33 by 8 reshape
{33 8⍴(8×⍴⍵)⍴⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
⍝ Convert each 8 bit array to its corresponding value
{2⊥¨,/33 8⍴(8×⍴⍵)⍴⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
67 96 112 94 40 40 90 112 40 78 112 86 75 49 87 76 112 74
93 112 87 86 88 82 112 106 120 97 70 101 126 98 120</code></pre></figure>
<p>We’re almost there, but we’ve hit a small bump in the road. How do we reverse the xorshift operation? Your first instinct could be to construct a lookup table for all 8 bit values (and that’s how I did it during the CTF), but there’s a more elegant solution.</p>
<h2 id="reversing-the-xorshift">“Reversing” the xorshift</h2>
<p>I don’t know if there is a simple form for the inverse <code class="language-plaintext highlighter-rouge">xorshift^(-1)</code>, but I can experiment a bit with the function as is:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">xsh ← {2⊥a≠8↑(0,a←(8⍴2)⊤⍵)}
xsh 50
43
xsh xsh 50
62
⍝ The function applied twice
(xsh ⍣ 2) 50
62
(xsh ⍣ 3) 50
33
(xsh ⍣ 7) 50
35
(xsh ⍣ 8) 50
50
⍝ Jackpot!
(xsh ⍣ 8) 123
123</code></pre></figure>
<p>As we can see, if we apply the function 8 times in a row, we get right back where we started. This means that if we apply it 7 times, it would be as if we applied the inverse of the function. We can also observe that for an N bit number, <code class="language-plaintext highlighter-rouge">xsh^(N-1) = xsh^(-1)</code>.</p>
<h2 id="end-of-the-apline">End of the APLine</h2>
<p>With this final piece, we have everything we need to construct our inverse challenge function:</p>
<figure class="highlight"><pre><code class="language-apl" data-lang="apl">⍝ Apply the "inverse" xorshift
{(xsh ⍣ 7)¨ 2⊥¨,/33 8⍴(8×⍴⍵)⍴⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
125 64 95 107 48 48 108 95 48 116 95 100 114 33 101 119 95
115 105 95 101 100 111 99 95 76 80 65 123 70 84 67 80
⍝ Convert back to ASCII
{⎕UCS(xsh ⍣ 7)¨ 2⊥¨,/33 8⍴(8×⍴⍵)⍴⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
}@_k00l_0t_dr!ew_si_edoc_LPA{FTCP
⍝ Oops, forgot to reverse!
{⌽⎕UCS(xsh ⍣ 7)¨ 2⊥¨,/33 8⍴(8×⍴⍵)⍴⍉3⌽⍉¯7⌽11 24⍴∊bin¨ ¯13+⎕UCS ⍵} enc_flag
PCTF{APL_code_is_we!rd_t0_l00k_@}</code></pre></figure>
<p>So there you have it, a solution in APL which can fit in one tweet.</p>
<p>I hope you had fun reading (and perhaps even trying the code at <a href="https://tryapl.org">TryAPL</a>). Protip: the backtick <code class="language-plaintext highlighter-rouge">(`)</code> can be used to enter APL’s special characters (i.e. <code class="language-plaintext highlighter-rouge">(`w)</code> is <code class="language-plaintext highlighter-rouge">⍵</code>)</p>
<p>Big thanks to PPP for the CTF!</p>monosourceContextBinary instrumentation with Frida on Linux (Part 1)2017-01-26T00:25:06+00:002017-01-26T00:25:06+00:00https://monosource.github.io/tutorial/2017/01/26/frida-linux-part1<p>With the recent release of <a href="https://www.frida.re/news/2017/01/09/frida-9-0-released/">Frida version 9</a>, I got motivated to dive into it some more and figure things out by myself, since the <a href="https://www.frida.re/docs/examples/linux/">Linux</a> section is disappointingly dry at the moment.</p>
<h2 id="dynamic-binary-instrumentation">Dynamic Binary Instrumentation</h2>
<p>DBI is a runtime analysis technique for code, be it source or binary. You usually come across it in relation to code profiling done in order to optimize performance or find memory leaks.</p>
<p>The principle behind instrumentation is that of injecting your own code to run inside a given process. In layman’s terms, the main difference in principle between instrumenting and debugging is that with a debugger you attach to a process; with instrumentation, you <strong>are</strong> the process (in some sense).</p>
<h2 id="illustrative-example">Illustrative example</h2>
<p>Consider the following code:</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">push</span> <span class="nb">rbp</span>
<span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span>
<span class="nf">sub</span> <span class="nb">rsp</span><span class="p">,</span> <span class="mh">0x20</span>
<span class="nf">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">rbp</span> <span class="o">-</span> <span class="mh">0x14</span><span class="p">],</span> <span class="nb">edi</span>
<span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rbp</span> <span class="o">-</span> <span class="mh">0x20</span><span class="p">],</span> <span class="nb">rsi</span>
<span class="nf">mov</span> <span class="nb">edi</span><span class="p">,</span> <span class="mi">1</span>
<span class="nf">call</span> <span class="nv">sym.imp.malloc</span>
<span class="nf">mov</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rbp</span> <span class="o">-</span> <span class="mi">8</span><span class="p">],</span> <span class="nb">rax</span>
<span class="nf">mov</span> <span class="nb">rax</span><span class="p">,</span> <span class="kt">qword</span> <span class="p">[</span><span class="nb">rbp</span> <span class="o">-</span> <span class="mi">8</span><span class="p">]</span>
<span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rax</span>
<span class="nf">call</span> <span class="nv">sym.imp.free</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">0</span>
<span class="nf">leave</span>
<span class="nf">ret</span></code></pre></figure>
<p>We wish to instrument the <code class="language-plaintext highlighter-rouge">malloc</code> and <code class="language-plaintext highlighter-rouge">free</code> instructions by inserting our own code. We obviously cannot do this in the .text segment. The interpreter will map its own region of memory in which it can both write and execute code. It will then make a copy of the original code and add our own, as follows:</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nl">malloc:</span>
<span class="err"><</span><span class="nf">save</span> <span class="nv">registers</span><span class="o">></span>
<span class="nf">call</span> <span class="nv">on_enter_malloc_callback</span>
<span class="err"><</span><span class="kd">rest</span><span class="nv">ore</span> <span class="nv">registers</span><span class="o">></span>
<span class="nf">push</span> <span class="nb">rbp</span>
<span class="nf">mov</span> <span class="nb">rbp</span><span class="p">,</span> <span class="nb">rsp</span>
<span class="err"><</span><span class="kd">rest</span> <span class="nv">of</span> <span class="nv">malloc</span> <span class="nv">code</span><span class="o">></span>
<span class="err"><</span><span class="nf">save</span> <span class="nv">registers</span><span class="o">></span>
<span class="nf">call</span> <span class="nv">on_leave_malloc_callback</span>
<span class="err"><</span><span class="kd">rest</span><span class="nv">ore</span> <span class="nv">registers</span><span class="o">></span>
<span class="nf">ret</span></code></pre></figure>
<p>In this way, whenever <code class="language-plaintext highlighter-rouge">malloc</code> is called, it will in turn call our instrumentation routine, which can print the argument (or change it!), or the return value, or increment a counter, print the register values at that point and so on. Much more complex things can be achieved, such as passing a custom <code class="language-plaintext highlighter-rouge">sockaddr_in</code> struct to a <code class="language-plaintext highlighter-rouge">connect</code> call.</p>
<p>This technique is known as interception. Instruction level instrumentation is the fine-grained version in which each instruction is instrumented, rather than each function.</p>
<h2 id="use-cases">Use cases</h2>
<p>As mentioned previously, <strong>profiling</strong> and tracking down leaks (the <a href="http://valgrind.org/">Valgrind</a> suite is a good example for this). But there are other interesting use-cases as well, such as <strong>fault injection</strong>, <strong>reversing/discovering APIs</strong>, building <strong>code tracers</strong>, <strong>side-channel attacks</strong> on badly implemented crypto binaries (i.e. via counting instructions), <strong>fuzzing</strong> and <strong>taint analysis</strong>.</p>
<h2 id="frameworks">Frameworks</h2>
<p>Two very efficient and feature-rich instrumentation frameworks are <a href="https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool">Intel’s Pin</a> and <a href="http://www.dynamorio.org/">DynamoRIO</a>. Both of them provide a C/C++ API in which you can write your instrumentation code. You then have to compile your code into a dynamic library which will be injected in the desired binary.</p>
<h2 id="frida">Frida</h2>
<p>The third option is the relatively recent but fast-growing Frida framework. There are a couple of advantages (or disadvantages, depending on how you look at it). Frida injects a JavaScript interpreter (Duktape by default as of version 9; it’s capable of also injecting the bulkier Google V8 engine) inside the binary, which is capable of running JS code. Now, instead of writing C code, you’re writing JS to instrument your binary. This also means that you don’t have to compile anything. Frida always injects the same interpreter; what gets changed is the instrumentation code written in JavaScript. In effect, you are manipulating low-level elements (basic blocks, instructions) using a high-level language.</p>
<p>Frida is a good excuse for a reverse engineer to learn a bit of JavaScript, or for a web developer to learn a bit of reversing. Being in the former case, I stumbled across the wonderful world of JS, where every Number is a Float, where the <em>triple equals</em> operator exists (and is needed; and I heard of a <em>quad</em> equals operator being requested) and where very <a href="https://gist.github.com/MichalZalecki/c964192f830360ce6361">interesting</a> (in the most frustrating sense imaginable) things happen.</p>
<p>The comprehensive <a href="https://www.frida.re/docs/javascript-api/">JS API</a> features some very high-level entities, such as ObjC and Java, which allow for access to native ObjectiveC and Java methods and objects, which are brilliant to use when working with mobile platforms like Android and iOS.</p>
<p>While the instrumentation code has to be written in JavaScript, the resulting tools can be written in either Python or JS. The injected interpreter can communicate with your application via primitive <code class="language-plaintext highlighter-rouge">send</code> and <code class="language-plaintext highlighter-rouge">recv</code> methods. The data exchanged has to be serializable to JSON.</p>
<h2 id="the-repl">The REPL</h2>
<p>After installing the framework and Python bindings (which is a breeze via pip), you get a collection of tools which have been built using Frida, such as the REPL, frida-discover, frida-ls-devices, frida-ps, frida-trace.</p>
<p>Just like with a debugger, you can use the Frida CLI app to attach to a process or spawn a new one.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>frida ./cli_example
____
/ _ | Frida 9.0.13 - A world-class dynamic instrumentation framework
| <span class="o">(</span>_| |
<span class="o">></span> _ | Commands:
/_/ |_| <span class="nb">help</span> -> Displays the <span class="nb">help </span>system
<span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> object? -> Display information about <span class="s1">'object'</span>
<span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> <span class="nb">exit</span>/quit -> Exit
<span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span>
<span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> More info at http://www.frida.re/docs/home/
Spawned <span class="sb">`</span>./cli_example<span class="sb">`</span><span class="nb">.</span> Use %resume to <span class="nb">let </span>the main thread start executing!
<span class="o">[</span>Local::file::[u<span class="s1">'./cli_example'</span><span class="o">]]</span>-> </code></pre></figure>
<p>We’re given a fully fledged, beautifully-colored JS REPL, much like iPython, inside the binary. What’s lacking as of now is an interactive help, but that’s what the JS API Docs are for.</p>
<p>We can explore the binary a little, by enumerating function names from imports, getting addresses from debug symbols (won’t work on stripped binaries, obviously), disassemble an instruction at an address.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="nx">Module</span><span class="p">.</span><span class="nx">enumerateImportsSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">cli_example</span><span class="dl">'</span><span class="p">).</span><span class="nx">forEach</span><span class="p">(</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">elem</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">elem</span><span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">]);</span> <span class="p">});</span>
<span class="nx">AES_set_encrypt_key</span>
<span class="nx">__libc_start_main</span>
<span class="nx">AES_encrypt</span>
<span class="nx">AES_decrypt</span>
<span class="nx">AES_set_decrypt_key</span>
<span class="nx">__stack_chk_fail</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="nx">DebugSymbol</span><span class="p">.</span><span class="nx">fromName</span><span class="p">(</span><span class="dl">'</span><span class="s1">main</span><span class="dl">'</span><span class="p">)</span>
<span class="p">{</span>
<span class="dl">"</span><span class="s2">address</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0x4007a4</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">fileName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">lineNumber</span><span class="dl">"</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">moduleName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cli_example</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">main</span><span class="dl">"</span>
<span class="p">}</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="nx">DebugSymbol</span><span class="p">.</span><span class="nx">fromName</span><span class="p">(</span><span class="dl">'</span><span class="s1">cooky_math</span><span class="dl">'</span><span class="p">)</span>
<span class="p">{</span>
<span class="dl">"</span><span class="s2">address</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0x400776</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">fileName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">lineNumber</span><span class="dl">"</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">moduleName</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cli_example</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cooky_math</span><span class="dl">"</span>
<span class="p">}</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="nx">Instruction</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">ptr</span><span class="p">(</span><span class="nx">DebugSymbol</span><span class="p">.</span><span class="nx">fromName</span><span class="p">(</span><span class="dl">'</span><span class="s1">main</span><span class="dl">'</span><span class="p">)[</span><span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">]));</span>
<span class="p">{</span>
<span class="dl">"</span><span class="s2">address</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0x4007a4</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">mnemonic</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">push</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">next</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0x4007a5</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">opStr</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rbp</span><span class="dl">"</span><span class="p">,</span>
<span class="dl">"</span><span class="s2">size</span><span class="dl">"</span><span class="p">:</span> <span class="mi">1</span>
<span class="p">}</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="nx">Instruction</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">ptr</span><span class="p">(</span><span class="nx">DebugSymbol</span><span class="p">.</span><span class="nx">fromName</span><span class="p">(</span><span class="dl">'</span><span class="s1">main</span><span class="dl">'</span><span class="p">)[</span><span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">])).</span><span class="nx">toString</span><span class="p">();</span>
<span class="dl">"</span><span class="s2">push rbp</span><span class="dl">"</span></code></pre></figure>
<p>Let’s build on that last example to disassemble the main function.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="kd">var</span> <span class="nx">cinstr</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="c1">// Initialize current instruction</span>
<span class="dl">""</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="kd">var</span> <span class="nx">pc</span> <span class="o">=</span> <span class="nx">ptr</span><span class="p">(</span><span class="nx">DebugSymbol</span><span class="p">.</span><span class="nx">fromName</span><span class="p">(</span><span class="dl">'</span><span class="s1">main</span><span class="dl">'</span><span class="p">)[</span><span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">]);</span> <span class="c1">// Initialize simulated pc</span>
<span class="dl">"</span><span class="s2">0x4007a4</span><span class="dl">"</span>
<span class="p">[</span><span class="nx">Local</span><span class="p">::</span><span class="nx">file</span><span class="p">::[</span><span class="nx">u</span><span class="dl">'</span><span class="s1">./cli_example</span><span class="dl">'</span><span class="p">]]</span><span class="o">-></span> <span class="k">while</span> <span class="p">(</span><span class="nx">cinstr</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">'</span><span class="s1">ret</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">instr</span> <span class="o">=</span> <span class="nx">Instruction</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">pc</span><span class="p">);</span> <span class="nx">cinstr</span> <span class="o">=</span> <span class="nx">instr</span><span class="p">.</span><span class="nx">toString</span><span class="p">();</span> <span class="nx">caddr</span> <span class="o">=</span> <span class="nx">instr</span><span class="p">[</span><span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">];</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">caddr</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cinstr</span><span class="p">);</span> <span class="nx">pc</span> <span class="o">=</span> <span class="nx">ptr</span><span class="p">(</span><span class="nx">instr</span><span class="p">[</span><span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">]);</span> <span class="p">}</span>
<span class="mh">0x4007a4</span> <span class="nx">push</span> <span class="nx">rbp</span>
<span class="mh">0x4007a5</span> <span class="nx">mov</span> <span class="nx">rbp</span><span class="p">,</span> <span class="nx">rsp</span>
<span class="mh">0x4007a8</span> <span class="nx">sub</span> <span class="nx">rsp</span><span class="p">,</span> <span class="mh">0x2d0</span>
<span class="mh">0x4007af</span> <span class="nx">mov</span> <span class="nx">dword</span> <span class="nx">ptr</span> <span class="p">[</span><span class="nx">rbp</span> <span class="o">-</span> <span class="mh">0x2c4</span><span class="p">],</span> <span class="nx">edi</span>
<span class="o">====================</span><span class="nx">SNIP</span><span class="o">====================</span>
<span class="mh">0x400885</span> <span class="nx">ret</span> </code></pre></figure>
<h2 id="moving-on-to-scripting">Moving on to scripting</h2>
<p>That last example was a little extreme for CLI use. We can use it as a building block for a simple disassembly tool. Please note that I like to keep my instrumentation JS code and my Python management code in separate script files.</p>
<p>First, the code which performs the actual disassembly.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">cinstr</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span>
<span class="c1">// Format string to be used in Python</span>
<span class="nx">pc</span> <span class="o">=</span> <span class="nx">ptr</span><span class="p">(</span><span class="dl">"</span><span class="s2">%s</span><span class="dl">"</span><span class="p">)</span>
<span class="k">while</span> <span class="p">(</span><span class="nx">cinstr</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">'</span><span class="s1">ret</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">instr</span> <span class="o">=</span> <span class="nx">Instruction</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">pc</span><span class="p">);</span>
<span class="nx">caddr</span> <span class="o">=</span> <span class="nx">instr</span><span class="p">[</span><span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">];</span>
<span class="nx">cinstr</span> <span class="o">=</span> <span class="nx">instr</span><span class="p">.</span><span class="nx">toString</span><span class="p">();</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">caddr</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">cinstr</span><span class="p">);</span>
<span class="nx">pc</span> <span class="o">=</span> <span class="nx">ptr</span><span class="p">(</span><span class="nx">instr</span><span class="p">[</span><span class="dl">'</span><span class="s1">next</span><span class="dl">'</span><span class="p">])</span>
<span class="p">}</span></code></pre></figure>
<p>This script will receive an address in hex from the Python script, which will in turn be given as a command-line argument.</p>
<p>Next, the management code, pretty easy to read and understand.</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python
</span><span class="kn">import</span> <span class="nn">frida</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">:</span>
<span class="k">print</span> <span class="s">'Usage: '</span> <span class="o">+</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s">' <address>'</span>
<span class="n">sys</span><span class="p">.</span><span class="nb">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="c1"># Spawn and attach to process
</span><span class="n">pid</span> <span class="o">=</span> <span class="n">frida</span><span class="p">.</span><span class="n">spawn</span><span class="p">([</span><span class="s">'./cli_example'</span><span class="p">])</span>
<span class="n">session</span> <span class="o">=</span> <span class="n">frida</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">pid</span><span class="p">)</span>
<span class="c1"># Read the instrumentation script
</span><span class="n">contents</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'dis.js'</span><span class="p">).</span><span class="n">read</span><span class="p">()</span>
<span class="n">script</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="n">create_script</span><span class="p">(</span><span class="n">contents</span> <span class="o">%</span> <span class="nb">int</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="mi">16</span><span class="p">))</span>
<span class="c1"># Pass it to the injected interpreter
</span><span class="n">script</span><span class="p">.</span><span class="n">load</span><span class="p">()</span></code></pre></figure>
<p>Now we can test it.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>./disas.py 0x00400766
0x400766 push rbp
0x400767 mov rbp, rsp
0x40076a mov dword ptr <span class="o">[</span>rbp - 4], edi
0x40076d mov eax, dword ptr <span class="o">[</span>rbp - 4]
0x400770 imul eax, dword ptr <span class="o">[</span>rbp - 4]
0x400774 pop rbp
0x400775 ret </code></pre></figure>
<p>Brilliant!</p>
<h2 id="building-our-own-ltrace">Building our own ltrace</h2>
<p>Let’s use Frida’s <code class="language-plaintext highlighter-rouge">Interceptor</code> to trace all <code class="language-plaintext highlighter-rouge">malloc</code> and <code class="language-plaintext highlighter-rouge">free</code> calls performed by a binary, similar to <code class="language-plaintext highlighter-rouge">ltrace</code>. We want to know how much is being requested to be allocated, pointer values returned and the argument of free.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>ltrace <span class="nt">-e</span> malloc+free ./mallocs <span class="o">></span> /dev/null
mallocs->malloc<span class="o">(</span>80<span class="o">)</span> <span class="o">=</span> 0x1d54010
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54070
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d540a0
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d540d0
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54100
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54130
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54160
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54190
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d541c0
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d541f0
mallocs->malloc<span class="o">(</span>32<span class="o">)</span> <span class="o">=</span> 0x1d54220
mallocs->free<span class="o">(</span>0x1d54070<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d540a0<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d540d0<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54100<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54130<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54160<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54190<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d541c0<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d541f0<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54220<span class="o">)</span> <span class="o">=</span> <void>
mallocs->free<span class="o">(</span>0x1d54010<span class="o">)</span> <span class="o">=</span> <void>
+++ exited <span class="o">(</span>status 0<span class="o">)</span> +++</code></pre></figure>
<p>We’ll be using pretty much the same Python script, but do note the <code class="language-plaintext highlighter-rouge">frida.resume(pid)</code> to get the process to resume execution.</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python
</span><span class="kn">import</span> <span class="nn">frida</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="n">pid</span> <span class="o">=</span> <span class="n">frida</span><span class="p">.</span><span class="n">spawn</span><span class="p">([</span><span class="s">'./mallocs'</span><span class="p">])</span>
<span class="n">session</span> <span class="o">=</span> <span class="n">frida</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">pid</span><span class="p">)</span>
<span class="n">contents</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'malloc_free.js'</span><span class="p">).</span><span class="n">read</span><span class="p">()</span>
<span class="n">script</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="n">create_script</span><span class="p">(</span><span class="n">contents</span><span class="p">)</span>
<span class="n">script</span><span class="p">.</span><span class="n">load</span><span class="p">()</span>
<span class="n">frida</span><span class="p">.</span><span class="n">resume</span><span class="p">(</span><span class="n">pid</span><span class="p">)</span>
<span class="n">sys</span><span class="p">.</span><span class="n">stdin</span><span class="p">.</span><span class="n">read</span><span class="p">()</span></code></pre></figure>
<p>Frida’s <code class="language-plaintext highlighter-rouge">Interceptor</code> can auto-detect some of the common calling conventions. If this wasn’t the case, then we could simply use the global <code class="language-plaintext highlighter-rouge">context</code> to read registers, or navigate through memory to retrieve the arguments.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Tracing initiated</span><span class="dl">'</span><span class="p">);</span>
<span class="c1">// Interceptor's first argument is a NativePointer to which it attaches.</span>
<span class="c1">// The second argument is a list of callbacks (i.e. what to do at a certain event, such as entering or leaving the function).</span>
<span class="nx">Interceptor</span><span class="p">.</span><span class="nx">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nx">findExportByName</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">'</span><span class="s1">malloc</span><span class="dl">'</span><span class="p">),</span>
<span class="p">{</span>
<span class="c1">// When entering malloc, print its argument as an integer to the console.</span>
<span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">malloc(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">toInt32</span><span class="p">()</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">)</span><span class="dl">"</span><span class="p">);</span>
<span class="p">},</span>
<span class="c1">// When returning from malloc, print the return value (pointer) as a hexadecimal string.</span>
<span class="na">onLeave</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">retval</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">-> 0x</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">retval</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span>
<span class="p">}</span>
<span class="p">});</span>
<span class="c1">// We need a second Interceptor for 'free'</span>
<span class="nx">Interceptor</span><span class="p">.</span><span class="nx">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nx">findExportByName</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="dl">'</span><span class="s1">free</span><span class="dl">'</span><span class="p">),</span>
<span class="p">{</span>
<span class="na">onEnter</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">free(0x</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">)</span><span class="dl">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">});</span></code></pre></figure>
<p>And that’s about it. Let’s see if this works.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>./trace.py
Tracing initiated
malloc<span class="o">(</span>80<span class="o">)</span>
-> 0x12c2840
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c28a0
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c28d0
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2900
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2930
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2960
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2990
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c29c0
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c29f0
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2a20
malloc<span class="o">(</span>32<span class="o">)</span>
-> 0x12c2a50
free<span class="o">(</span>0x12c28a0<span class="o">)</span>
free<span class="o">(</span>0x12c28d0<span class="o">)</span>
free<span class="o">(</span>0x12c2900<span class="o">)</span>
free<span class="o">(</span>0x12c2930<span class="o">)</span>
free<span class="o">(</span>0x12c2960<span class="o">)</span>
free<span class="o">(</span>0x12c2990<span class="o">)</span>
free<span class="o">(</span>0x12c29c0<span class="o">)</span>
free<span class="o">(</span>0x12c29f0<span class="o">)</span>
free<span class="o">(</span>0x12c2a20<span class="o">)</span>
free<span class="o">(</span>0x12c2a50<span class="o">)</span>
free<span class="o">(</span>0x12c2840<span class="o">)</span></code></pre></figure>
<h2 id="frida-trace">frida-trace</h2>
<p>Let’s redo the last example using <code class="language-plaintext highlighter-rouge">frida-trace</code>, a nifty tracer built using Frida.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>frida-trace <span class="nt">-i</span> malloc <span class="nt">-i</span> free ./mallocs
Instrumenting functions...
malloc: Auto-generated handler at <span class="s2">"/__handlers__/libc_2.23.so/malloc.js"</span>
malloc: Auto-generated handler at <span class="s2">"/__handlers__/ld_2.23.so/malloc.js"</span>
free: Auto-generated handler at <span class="s2">"/__handlers__/libc_2.23.so/free.js"</span>
free: Auto-generated handler at <span class="s2">"/__handlers__/ld_2.23.so/free.js"</span>
Started tracing 4 functions. Press Ctrl+C to stop.
/<span class="k">*</span> TID 0x5cd1 <span class="k">*</span>/
183 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
184 ms malloc<span class="o">()</span>
185 ms malloc<span class="o">()</span>
185 ms malloc<span class="o">()</span>
185 ms malloc<span class="o">()</span>
185 ms malloc<span class="o">()</span>
185 ms malloc<span class="o">()</span>
186 ms free<span class="o">()</span>
186 ms free<span class="o">()</span>
186 ms free<span class="o">()</span>
186 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
187 ms free<span class="o">()</span>
188 ms free<span class="o">()</span></code></pre></figure>
<p>Notice that, again, Frida has no inner understanding about <code class="language-plaintext highlighter-rouge">malloc</code>, <code class="language-plaintext highlighter-rouge">free</code> and their respective arguments. The <code class="language-plaintext highlighter-rouge">frida-trace</code> tool has generated handler stubs for us in the local directory, which we can modify to our liking.</p>
<p>Both stubs look something like this (discarding helpful comments):</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">{</span>
<span class="nl">onEnter</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">log</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">state</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">free(</span><span class="dl">"</span> <span class="o">+</span> <span class="dl">""</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">)</span><span class="dl">"</span><span class="p">);</span>
<span class="p">},</span>
<span class="nx">onLeave</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">log</span><span class="p">,</span> <span class="nx">retval</span><span class="p">,</span> <span class="nx">state</span><span class="p">)</span> <span class="p">{</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>We can change these to supply us with useful information. In the case of <code class="language-plaintext highlighter-rouge">free</code>, we need only print the argument.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">{</span>
<span class="nl">onEnter</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">log</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">state</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">free(0x</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">)</span><span class="dl">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>While for <code class="language-plaintext highlighter-rouge">malloc</code>, we’re also interested in the return value.</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">{</span>
<span class="nl">onEnter</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">log</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">state</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">malloc(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">args</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">toInt32</span><span class="p">()</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">)</span><span class="dl">"</span><span class="p">);</span>
<span class="p">},</span>
<span class="nx">onLeave</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">log</span><span class="p">,</span> <span class="nx">retval</span><span class="p">,</span> <span class="nx">state</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">-> 0x</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">retval</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">));</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>If we run <code class="language-plaintext highlighter-rouge">frida-trace</code> again, it will use the handlers we just modified.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>frida-trace <span class="nt">-i</span> malloc <span class="nt">-i</span> free ./mallocs
Instrumenting functions...
Started tracing 4 functions. Press Ctrl+C to stop.
/<span class="k">*</span> TID 0x5d2b <span class="k">*</span>/
104 ms malloc<span class="o">(</span>80<span class="o">)</span>
104 ms -> 0x80b840
104 ms malloc<span class="o">(</span>32<span class="o">)</span>
104 ms -> 0x80b8a0
104 ms malloc<span class="o">(</span>32<span class="o">)</span>
104 ms -> 0x80b8d0
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b900
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b930
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b960
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b990
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b9c0
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80b9f0
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80ba20
105 ms malloc<span class="o">(</span>32<span class="o">)</span>
105 ms -> 0x80ba50
105 ms malloc<span class="o">(</span>4096<span class="o">)</span>
105 ms -> 0x80ba80
105 ms free<span class="o">(</span>0x80b8a0<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b8d0<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b900<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b930<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b960<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b990<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b9c0<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b9f0<span class="o">)</span>
105 ms free<span class="o">(</span>0x80ba20<span class="o">)</span>
105 ms free<span class="o">(</span>0x80ba50<span class="o">)</span>
105 ms free<span class="o">(</span>0x80b840<span class="o">)</span></code></pre></figure>
<p>That’s about it for this session. Stay tuned for more in the (hopefully) near future, when I’ll dive into the Stalker API and provide a fun use-case.</p>monosourceWith the recent release of Frida version 9, I got motivated to dive into it some more and figure things out by myself, since the Linux section is disappointingly dry at the moment.radare2 as an alternative to gdb-peda2016-10-26T00:25:06+00:002016-10-26T00:25:06+00:00https://monosource.github.io/2016/10/26/radare2-peda<p>Many people feel discouraged or overwhelmed to use <a href="https://github.com/radare/radare2">radare2</a> due to its complexity (understandably so). They often use gdb with the downright amazing <a href="https://github.com/longld/peda">PEDA extension</a> for their debugging needs and <a href="https://www.hex-rays.com/products/ida/">IDA Pro</a> for disassembly (or <a href="https://www.hopperapp.com/">Hopper</a>/<a href="https://binary.ninja/">Binary Ninja</a> if the price of IDA is too prohibitive).</p>
<p>But you can do both static and dynamic analysis using radare2, with comparable features to gdb-peda on the dynamic front. In this post, I’m going to illustrate this better; perhaps then r2 won’t seem so daunting to use.</p>
<h1 id="debugger-mode">Debugger mode</h1>
<p>To open a binary in debug mode, either specify the <code class="language-plaintext highlighter-rouge">-d</code> option in the command line,</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>r2 <span class="nt">-d</span> /path/to/binary</code></pre></figure>
<p>Or, if you’ve already performed some analysis, you can reopen it in debug mode using <code class="language-plaintext highlighter-rouge">ood</code> or <code class="language-plaintext highlighter-rouge">doo</code>; all custom flags will still be there.</p>
<h1 id="diassemble">Diassemble</h1>
<h2 id="peda">PEDA</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">pdis</span> <span class="nv">main</span>
<span class="nf">Dump</span> <span class="nv">of</span> <span class="nv">assembler</span> <span class="nv">code</span> <span class="nv">for</span> <span class="nv">function</span> <span class="nv">main</span><span class="p">:</span>
<span class="err">-----------------------------</span><span class="nf">SNIP</span><span class="o">------------------------------</span>
<span class="err">0</span><span class="nf">x08048557</span> <span class="o"><+</span><span class="mi">121</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">0</span><span class="nf">x08048558</span> <span class="o"><+</span><span class="mi">122</span><span class="o">></span><span class="p">:</span> <span class="nv">call</span> <span class="mh">0x804846b</span> <span class="o"><</span><span class="nv">func</span><span class="o">></span>
<span class="err">0</span><span class="nf">x0804855d</span> <span class="o"><+</span><span class="mi">127</span><span class="o">></span><span class="p">:</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span><span class="mh">0x8</span>
<span class="err">0</span><span class="nf">x08048560</span> <span class="o"><+</span><span class="mi">130</span><span class="o">></span><span class="p">:</span> <span class="nv">test</span> <span class="nb">eax</span><span class="p">,</span><span class="nb">eax</span>
<span class="err">0</span><span class="nf">x08048562</span> <span class="o"><+</span><span class="mi">132</span><span class="o">></span><span class="p">:</span> <span class="nv">jne</span> <span class="mh">0x8048574</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">150</span><span class="o">></span>
<span class="err">0</span><span class="nf">x08048564</span> <span class="o"><+</span><span class="mi">134</span><span class="o">></span><span class="p">:</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span><span class="mh">0xc</span>
<span class="err">0</span><span class="nf">x08048567</span> <span class="o"><+</span><span class="mi">137</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="mh">0x8048620</span>
<span class="err">0</span><span class="nf">x0804856c</span> <span class="o"><+</span><span class="mi">142</span><span class="o">></span><span class="p">:</span> <span class="nv">call</span> <span class="mh">0x8048340</span> <span class="o"><</span><span class="nv">puts@plt</span><span class="o">></span>
<span class="err">0</span><span class="nf">x08048571</span> <span class="o"><+</span><span class="mi">147</span><span class="o">></span><span class="p">:</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span><span class="mh">0x10</span>
<span class="err">0</span><span class="nf">x08048574</span> <span class="o"><+</span><span class="mi">150</span><span class="o">></span><span class="p">:</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="mh">0x0</span>
<span class="err">0</span><span class="nf">x08048579</span> <span class="o"><+</span><span class="mi">155</span><span class="o">></span><span class="p">:</span> <span class="nv">mov</span> <span class="nb">edx</span><span class="p">,</span><span class="kt">DWORD</span> <span class="nv">PTR</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">-</span><span class="mh">0xc</span><span class="p">]</span>
<span class="err">0</span><span class="nf">x0804857c</span> <span class="o"><+</span><span class="mi">158</span><span class="o">></span><span class="p">:</span> <span class="nv">xor</span> <span class="nb">edx</span><span class="p">,</span><span class="kt">DWORD</span> <span class="nv">PTR</span> <span class="nb">gs</span><span class="p">:</span><span class="mh">0x14</span>
<span class="err">0</span><span class="nf">x08048583</span> <span class="o"><+</span><span class="mi">165</span><span class="o">></span><span class="p">:</span> <span class="nv">je</span> <span class="mh">0x804858a</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">172</span><span class="o">></span>
<span class="err">0</span><span class="nf">x08048585</span> <span class="o"><+</span><span class="mi">167</span><span class="o">></span><span class="p">:</span> <span class="nv">call</span> <span class="mh">0x8048330</span> <span class="o"><</span><span class="nv">__stack_chk_fail@plt</span><span class="o">></span>
<span class="err">0</span><span class="nf">x0804858a</span> <span class="o"><+</span><span class="mi">172</span><span class="o">></span><span class="p">:</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span><span class="kt">DWORD</span> <span class="nv">PTR</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">-</span><span class="mh">0x4</span><span class="p">]</span>
<span class="err">0</span><span class="nf">x0804858d</span> <span class="o"><+</span><span class="mi">175</span><span class="o">></span><span class="p">:</span> <span class="nv">leave</span>
<span class="err">0</span><span class="nf">x0804858e</span> <span class="o"><+</span><span class="mi">176</span><span class="o">></span><span class="p">:</span> <span class="nv">lea</span> <span class="nb">esp</span><span class="p">,[</span><span class="nb">ecx</span><span class="o">-</span><span class="mh">0x4</span><span class="p">]</span>
<span class="err">0</span><span class="nf">x08048591</span> <span class="o"><+</span><span class="mi">179</span><span class="o">></span><span class="p">:</span> <span class="nv">ret</span></code></pre></figure>
<h2 id="radare2">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x08048558</span><span class="p">]</span><span class="o">></span> <span class="nv">pdf</span> <span class="err">@</span> <span class="nv">main</span>
<span class="err">-------------------------------------------</span><span class="nf">SNIP</span><span class="o">--------------------------------------------</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048557</span> <span class="mi">50</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048558</span> <span class="nv">e80effffff</span> <span class="nv">call</span> <span class="nv">sym.func</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804855d</span> <span class="mi">83</span><span class="nv">c408</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mi">8</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048560</span> <span class="mi">85</span><span class="nv">c0</span> <span class="nv">test</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">┌─<</span> <span class="err">0</span><span class="nf">x08048562</span> <span class="mi">7510</span> <span class="nv">jne</span> <span class="mh">0x8048574</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048564</span> <span class="mi">83</span><span class="nv">ec0c</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0xc</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048567</span> <span class="mi">6820860408</span> <span class="nv">push</span> <span class="nv">str.Okay</span> <span class="c1">; str.Okay ; "Okay" @ 0x8048620</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x0804856c</span> <span class="nv">e8cffdffff</span> <span class="nv">call</span> <span class="nv">sym.imp.puts</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048571</span> <span class="mi">83</span><span class="nv">c410</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x10</span>
<span class="err">│</span> <span class="err">└─></span> <span class="err">0</span><span class="nf">x08048574</span> <span class="nv">b800000000</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="mi">0</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048579</span> <span class="mi">8</span><span class="nv">b55f4</span> <span class="nv">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_ch</span><span class="p">]</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804857c</span> <span class="mi">653315140000</span><span class="nv">.</span> <span class="nv">xor</span> <span class="nb">edx</span><span class="p">,</span> <span class="kt">dword</span> <span class="nb">gs</span><span class="p">:[</span><span class="mh">0x14</span><span class="p">]</span>
<span class="err">│</span> <span class="err">┌─<</span> <span class="err">0</span><span class="nf">x08048583</span> <span class="mi">7405</span> <span class="nv">je</span> <span class="mh">0x804858a</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048585</span> <span class="nv">e8a6fdffff</span> <span class="nv">call</span> <span class="nv">sym.imp.__stack_chk_fail</span>
<span class="err">│</span> <span class="err">└─></span> <span class="err">0</span><span class="nf">x0804858a</span> <span class="mi">8</span><span class="nv">b4dfc</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_4h_2</span><span class="p">]</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804858d</span> <span class="nv">c9</span> <span class="nv">leave</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804858e</span> <span class="mi">8</span><span class="nv">d61fc</span> <span class="nv">lea</span> <span class="nb">esp</span><span class="p">,</span> <span class="p">[</span><span class="nb">ecx</span> <span class="o">-</span> <span class="mi">4</span><span class="p">]</span>
<span class="err">└</span> <span class="err">0</span><span class="nf">x08048591</span> <span class="nv">c3</span> <span class="nv">ret</span></code></pre></figure>
<h1 id="checking-deppic-and-other-things">Checking DEP/PIC and other things</h1>
<h2 id="peda-1">PEDA</h2>
<p>In peda, you have the <code class="language-plaintext highlighter-rouge">checksec</code> command, which gives varying information about the security fortification of the debugged binary.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nb">ch</span><span class="nv">ecksec</span>
<span class="nf">CANARY</span> <span class="p">:</span> <span class="nv">ENABLED</span>
<span class="nf">FORTIFY</span> <span class="p">:</span> <span class="nv">ENABLED</span>
<span class="nf">NX</span> <span class="p">:</span> <span class="nv">ENABLED</span>
<span class="nf">PIE</span> <span class="p">:</span> <span class="nb">di</span><span class="nv">sabled</span>
<span class="nf">RELRO</span> <span class="p">:</span> <span class="nv">Partial</span></code></pre></figure>
<h2 id="radare2-1">radare2</h2>
<p>In radare2, you can view a lot of information about the loaded binary using <code class="language-plaintext highlighter-rouge">i</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x7f5082528cc0</span><span class="p">]</span><span class="o">></span> <span class="nv">i</span>
<span class="nf">type</span> <span class="nv">EXEC</span> <span class="p">(</span><span class="nv">Executable</span> <span class="nv">file</span><span class="p">)</span>
<span class="nf">file</span> <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span>
<span class="nf">referer</span> <span class="nv">dbg</span><span class="p">:</span><span class="o">///</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span>
<span class="nf">fd</span> <span class="mi">25226</span>
<span class="nf">iorw</span> <span class="nv">true</span>
<span class="nf">blksz</span> <span class="mh">0x0</span>
<span class="nf">mode</span> <span class="o">-</span><span class="nv">rwx</span>
<span class="nf">block</span> <span class="mh">0x100</span>
<span class="nf">format</span> <span class="nv">elf64</span>
<span class="nf">havecode</span> <span class="nv">true</span>
<span class="nf">pic</span> <span class="nv">false</span>
<span class="nf">canary</span> <span class="nv">true</span>
<span class="nf">nx</span> <span class="nv">true</span>
<span class="nf">crypto</span> <span class="nv">false</span>
<span class="nf">va</span> <span class="nv">true</span>
<span class="nf">intrp</span> <span class="o">/</span><span class="nv">lib64</span><span class="o">/</span><span class="nv">ld</span><span class="o">-</span><span class="nv">linux</span><span class="o">-</span><span class="nv">x86</span><span class="o">-</span><span class="mi">64</span><span class="nv">.so.2</span>
<span class="nf">bintype</span> <span class="nv">elf</span>
<span class="nf">class</span> <span class="nv">ELF64</span>
<span class="nf">lang</span> <span class="nv">c</span>
<span class="nf">arch</span> <span class="nv">x86</span>
<span class="nf">bits</span> <span class="mi">64</span>
<span class="nf">machine</span> <span class="nv">AMD</span> <span class="nv">x86</span><span class="o">-</span><span class="mi">64</span> <span class="nv">architecture</span>
<span class="nf">os</span> <span class="nv">linux</span>
<span class="nf">minopsz</span> <span class="mi">1</span>
<span class="nf">maxopsz</span> <span class="mi">16</span>
<span class="nf">pcalign</span> <span class="mi">0</span>
<span class="nf">subsys</span> <span class="nv">linux</span>
<span class="nf">endian</span> <span class="nv">little</span>
<span class="nf">stripped</span> <span class="nv">true</span>
<span class="nf">static</span> <span class="nv">false</span>
<span class="nf">linenum</span> <span class="nv">false</span>
<span class="nf">lsyms</span> <span class="nv">false</span>
<span class="nf">relocs</span> <span class="nv">false</span>
<span class="nf">rpath</span> <span class="nv">NONE</span>
<span class="nf">binsz</span> <span class="mi">124726</span></code></pre></figure>
<p>We can filter out any information that’s irrelevant to us using the internal grep operator (<code class="language-plaintext highlighter-rouge">~</code>)</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x7f5082528cc0</span><span class="p">]</span><span class="o">></span> <span class="nv">i~pic</span><span class="p">,</span><span class="nv">canary</span><span class="p">,</span><span class="nv">nx</span><span class="p">,</span><span class="nv">crypto</span><span class="p">,</span><span class="nv">stripped</span><span class="p">,</span><span class="nv">static</span><span class="p">,</span><span class="nv">relocs</span>
<span class="nf">pic</span> <span class="nv">false</span>
<span class="nf">canary</span> <span class="nv">true</span>
<span class="nf">nx</span> <span class="nv">true</span>
<span class="nf">crypto</span> <span class="nv">false</span>
<span class="nf">stripped</span> <span class="nv">true</span>
<span class="nf">static</span> <span class="nv">false</span>
<span class="nf">relocs</span> <span class="nv">false</span></code></pre></figure>
<h1 id="unsetting-aslr">(Un)setting ASLR</h1>
<h2 id="peda-2">PEDA</h2>
<p>In peda, you can check/disable ASLR using <code class="language-plaintext highlighter-rouge">aslr</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ aslr
ASLR is ON
gdb-peda$ aslr off
gdb-peda$ aslr
ASLR is OFF
</code></pre></div></div>
<h2 id="radare2-2">radare2</h2>
<p>You can use <code class="language-plaintext highlighter-rouge">rarun2</code> to run a binary with a custom environment. Again, use <code class="language-plaintext highlighter-rouge">radare2</code> to debug.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>r2 <span class="nt">-d</span> rarun2 <span class="nv">program</span><span class="o">=</span>/bin/ls <span class="nv">aslr</span><span class="o">=</span>no</code></pre></figure>
<p>The problem with <code class="language-plaintext highlighter-rouge">rarun2</code> is that it tries to write to <code class="language-plaintext highlighter-rouge">/proc/sys/kernel/randomize_va_space</code>; you need to be root to do that. I’m not sure how gdb disables ASLR at a user level.</p>
<h1 id="function-argument-detection">Function argument detection</h1>
<h2 id="peda-3">PEDA</h2>
<p>PEDA does some neat argument guessing whenever a <code class="language-plaintext highlighter-rouge">call <function></code> instruction is reached:</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[-------------------------------------</span><span class="nf">code</span><span class="o">-------------------------------------</span><span class="p">]</span>
<span class="err">0</span><span class="nf">x8048553</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">117</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">0</span><span class="nf">x8048554</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">118</span><span class="o">></span><span class="p">:</span> <span class="nv">lea</span> <span class="nb">eax</span><span class="p">,[</span><span class="nb">ebp</span><span class="o">-</span><span class="mh">0x2c</span><span class="p">]</span>
<span class="err">0</span><span class="nf">x8048557</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">121</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">=></span> <span class="err">0</span><span class="nf">x8048558</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">122</span><span class="o">></span><span class="p">:</span> <span class="nv">call</span> <span class="mh">0x804846b</span> <span class="o"><</span><span class="nv">func</span><span class="o">></span>
<span class="err">0</span><span class="nf">x804855d</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">127</span><span class="o">></span><span class="p">:</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span><span class="mh">0x8</span>
<span class="err">0</span><span class="nf">x8048560</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">130</span><span class="o">></span><span class="p">:</span> <span class="nv">test</span> <span class="nb">eax</span><span class="p">,</span><span class="nb">eax</span>
<span class="err">0</span><span class="nf">x8048562</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">132</span><span class="o">></span><span class="p">:</span> <span class="nv">jne</span> <span class="mh">0x8048574</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">150</span><span class="o">></span>
<span class="err">0</span><span class="nf">x8048564</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">134</span><span class="o">></span><span class="p">:</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span><span class="mh">0xc</span>
<span class="nf">Guessed</span> <span class="nv">arguments</span><span class="p">:</span>
<span class="nf">arg</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> <span class="mh">0xff81a4cc</span> <span class="p">(</span><span class="s">"This is arg1"</span><span class="p">)</span>
<span class="nf">arg</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="mh">0xff81a4da</span> <span class="p">(</span><span class="err">"</span><span class="nv">And</span> <span class="nv">this</span> <span class="nv">is</span> <span class="nv">arg2</span><span class="err">"</span><span class="p">)</span></code></pre></figure>
<h2 id="radare2-3">radare2</h2>
<p>It’s pretty close to doing this automatically. You still have to look for them on the stack and registers; see how to dereference below.</p>
<h1 id="rop-gadgets">ROP gadgets</h1>
<h2 id="peda-4">PEDA</h2>
<p>In PEDA, you can use <code class="language-plaintext highlighter-rouge">dumprop</code> to dump all ROP gadgets within a memory range and with a specific maximum depth.</p>
<h2 id="radare2-4">radare2</h2>
<p>You can customize a few options for gadget hunting within radare2.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">e?rop</span>
<span class="nl">rop.comments:</span> <span class="nf">Display</span> <span class="nv">comments</span> <span class="nv">in</span> <span class="nv">rop</span> <span class="nv">search</span> <span class="nv">output</span>
<span class="nl">rop.conditional:</span> <span class="nf">Include</span> <span class="nv">conditional</span> <span class="nv">jump</span><span class="p">,</span> <span class="nv">calls</span> <span class="nv">and</span> <span class="nv">returns</span> <span class="nv">in</span> <span class="nv">ropsearch</span>
<span class="nl">rop.db:</span> <span class="nf">Store</span> <span class="nv">rop</span> <span class="nv">search</span> <span class="nv">results</span> <span class="nv">in</span> <span class="nv">sdb</span>
<span class="nl">rop.len:</span> <span class="nf">Maximum</span> <span class="nv">ROP</span> <span class="nv">gadget</span> <span class="nv">length</span>
<span class="nl">rop.nx:</span> <span class="nf">Include</span> <span class="nv">NX</span><span class="o">/</span><span class="nv">XN</span><span class="o">/</span><span class="nv">XD</span> <span class="nv">sections</span> <span class="nv">in</span> <span class="nv">ropsearch</span>
<span class="nl">rop.subchains:</span> <span class="nf">Display</span> <span class="nv">every</span> <span class="nv">length</span> <span class="nv">gadget</span> <span class="nv">from</span> <span class="nv">rop.len</span><span class="err">=</span><span class="nv">X</span> <span class="nv">to</span> <span class="mi">2</span> <span class="nv">in</span> <span class="o">/</span><span class="nv">Rl</span></code></pre></figure>
<p>You can search for gadgets using either <code class="language-plaintext highlighter-rouge">/R</code> or <code class="language-plaintext highlighter-rouge">/Rl</code> (display in linear fashion, just like <code class="language-plaintext highlighter-rouge">dumprop</code>). There are also the <code class="language-plaintext highlighter-rouge">/R/</code> and <code class="language-plaintext highlighter-rouge">/Rl/</code> variants which allow the use of regular expressions in your search.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x080482f0</span><span class="p">]</span><span class="o">></span> <span class="nv">e</span> <span class="nv">rop.len</span><span class="err">=</span><span class="mi">2</span>
<span class="err">[0</span><span class="nf">x080482f0</span><span class="p">]</span><span class="o">></span> <span class="s">"/Rl add esp;ret"</span>
<span class="err">0</span><span class="nl">x0807ecb9:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mi">4</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x08089a67:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebx</span> <span class="o">+</span> <span class="nb">eax</span><span class="o">*</span><span class="mi">4</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x0808f570:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x3c</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x080dbd37:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="mh">0xa</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x080df4cf:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0xa</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x080df667:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">eax</span> <span class="o">+</span> <span class="mh">0xa</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x080df815:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="mh">0xa</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">0</span><span class="nl">x080dfd5b:</span> <span class="nf">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="mh">0xa</span><span class="p">]</span><span class="c1">; ret;</span>
<span class="err">[0</span><span class="nf">x080482f0</span><span class="p">]</span><span class="o">></span> <span class="s">"/Rl mov dword;ret"</span>
<span class="err">0</span><span class="nl">x08048c12:</span> <span class="nf">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">edx</span> <span class="o">+</span> <span class="mh">0x18</span><span class="p">],</span> <span class="nb">eax</span><span class="c1">; ret;</span>
<span class="err">-------------------[</span><span class="nf">SNIP</span><span class="p">]</span><span class="o">---------------------</span></code></pre></figure>
<h1 id="searching-for-specific-instructions">Searching for specific instructions</h1>
<h2 id="peda-5">PEDA</h2>
<p>Note: needs <code class="language-plaintext highlighter-rouge">nasm</code> to be installed.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">asmsearch</span> <span class="s">"pop ?;ret"</span> <span class="mh">0x08048000</span> <span class="mh">0x08049000</span>
<span class="nf">Searching</span> <span class="nv">for</span> <span class="nv">ASM</span> <span class="nv">code</span><span class="p">:</span> <span class="s">'pop ?;ret'</span> <span class="nv">in</span> <span class="nv">range</span><span class="p">:</span> <span class="mh">0x8048000</span> <span class="o">-</span> <span class="mh">0x8049000</span>
<span class="err">0</span><span class="nf">x08048311</span> <span class="p">:</span> <span class="p">(</span><span class="mi">5</span><span class="nv">bc3</span><span class="p">)</span> <span class="nv">pop</span> <span class="nb">ebx</span><span class="c1">; ret</span>
<span class="err">0</span><span class="nf">x080485fb</span> <span class="p">:</span> <span class="p">(</span><span class="mi">5</span><span class="nv">dc3</span><span class="p">)</span> <span class="nv">pop</span> <span class="nb">ebp</span><span class="c1">; ret</span>
<span class="err">0</span><span class="nf">x08048616</span> <span class="p">:</span> <span class="p">(</span><span class="mi">5</span><span class="nv">bc3</span><span class="p">)</span> <span class="nv">pop</span> <span class="nb">ebx</span><span class="c1">; ret</span>
<span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">asmsearch</span> <span class="err">"</span><span class="nv">inc</span> <span class="nv">?</span><span class="c1">;pop ?" 0x08048000 0x08049000</span>
<span class="nf">Searching</span> <span class="nv">for</span> <span class="nv">ASM</span> <span class="nv">code</span><span class="p">:</span> <span class="err">'</span><span class="nv">inc</span> <span class="nv">?</span><span class="c1">;pop ?' in range: 0x8048000 - 0x8049000</span>
<span class="err">0</span><span class="nf">x08048281</span> <span class="p">:</span> <span class="p">(</span><span class="mi">435</span><span class="nv">f</span><span class="p">)</span> <span class="nv">inc</span> <span class="nb">ebx</span><span class="c1">; pop edi</span>
<span class="err">0</span><span class="nf">x0804828b</span> <span class="p">:</span> <span class="p">(</span><span class="mi">435</span><span class="nv">f</span><span class="p">)</span> <span class="nv">inc</span> <span class="nb">ebx</span><span class="c1">; pop edi</span></code></pre></figure>
<h2 id="radare2-5">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x080484de</span><span class="p">]</span><span class="o">></span> <span class="s">"/c pop;ret"</span>
<span class="err">0</span><span class="nf">x08048312</span> <span class="err">#</span> <span class="mi">2</span><span class="p">:</span> <span class="nv">pop</span> <span class="nb">ebx</span><span class="c1">; ret</span>
<span class="err">0</span><span class="nf">x080485fc</span> <span class="err">#</span> <span class="mi">2</span><span class="p">:</span> <span class="nv">pop</span> <span class="nb">ebp</span><span class="c1">; ret</span>
<span class="err">0</span><span class="nf">x08048617</span> <span class="err">#</span> <span class="mi">2</span><span class="p">:</span> <span class="nv">pop</span> <span class="nb">ebx</span><span class="c1">; ret</span>
<span class="err">[0</span><span class="nf">x080484de</span><span class="p">]</span><span class="o">></span> <span class="err">"</span><span class="o">/</span><span class="nv">c</span> <span class="nv">inc</span><span class="c1">;pop"</span>
<span class="err">0</span><span class="nf">x08048282</span> <span class="err">#</span> <span class="mi">2</span><span class="p">:</span> <span class="nv">inc</span> <span class="nb">ebx</span><span class="c1">; pop edi</span>
<span class="err">0</span><span class="nf">x0804828c</span> <span class="err">#</span> <span class="mi">2</span><span class="p">:</span> <span class="nv">inc</span> <span class="nb">ebx</span><span class="c1">; pop edi</span></code></pre></figure>
<h1 id="elf-header-information">ELF header information</h1>
<h2 id="peda-6">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ elfheader
.interp = 0x8048154
.note.ABI-tag = 0x8048168
.note.gnu.build-id = 0x8048188
.gnu.hash = 0x80481ac
.dynsym = 0x80481cc
.dynstr = 0x804822c
.gnu.version = 0x8048292
.gnu.version_r = 0x80482a0
.rel.dyn = 0x80482d0
.rel.plt = 0x80482d8
.init = 0x80482f0
.plt = 0x8048320
.plt.got = 0x8048360
.text = 0x8048370
.fini = 0x8048604
.rodata = 0x8048618
.eh_frame_hdr = 0x8048648
.eh_frame = 0x804867c
.init_array = 0x8049f08
.fini_array = 0x8049f0c
.jcr = 0x8049f10
.dynamic = 0x8049f14
.got = 0x8049ffc
.got.plt = 0x804a000
.data = 0x804a018
.bss = 0x804a020
</code></pre></div></div>
<h2 id="radare2-6">radare2</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[0x080484de]> iS~ehdr
idx=40 vaddr=0x08048000 paddr=0x00000000 sz=52 vsz=52 perm=m-rw- name=ehdr
[0x080484de]> s 0x08048000
[0x08048000]> pfo elf32 # Load ELF header format
[0x08048000]> pf.elf_header # Print formatted as ELF header struct
ident : 0x08048000 = .ELF...
type : 0x08048010 = type (enum elf_type) = 0x2 ; ET_EXEC
machine : 0x08048012 = machine (enum elf_machine) = 0x3 ; EM_386
version : 0x08048014 = 0x00000001
entry : 0x08048018 = 0x08048370
phoff : 0x0804801c = 0x00000034
shoff : 0x08048020 = 0x0000181c
flags : 0x08048024 = 0x00000000
ehsize : 0x08048028 = 0x0034
phentsize : 0x0804802a = 0x0020
phnum : 0x0804802c = 0x0009
shentsize : 0x0804802e = 0x0028
shnum : 0x08048030 = 0x001f
shstrndx : 0x08048032 = 0x001c
[0x08048000]> pf.elf_phdr @ 0x08048034
type : 0x08048034 = type (enum elf_p_type) = 0x6 ; PT_PHDR
offset : 0x08048038 = 0x00000034
vaddr : 0x0804803c = 0x08048034
paddr : 0x08048040 = 0x08048034
filesz : 0x08048044 = 0x00000120
memsz : 0x08048048 = 0x00000120
flags : 0x0804804c = flags (enum elf_p_flags) = 0x5 ; PF_Read_Exec
align : 0x08048050 = 0x00000004
</code></pre></div></div>
<p>What about section information?</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[0x08048000]> iS
[Sections]
idx=00 vaddr=0x00000000 paddr=0x00000000 sz=0 vsz=0 perm=----- name=
idx=01 vaddr=0x08048154 paddr=0x00000154 sz=19 vsz=19 perm=--r-- name=.interp
idx=02 vaddr=0x08048168 paddr=0x00000168 sz=32 vsz=32 perm=--r-- name=.note.ABI_tag
idx=03 vaddr=0x08048188 paddr=0x00000188 sz=36 vsz=36 perm=--r-- name=.note.gnu.build_id
idx=04 vaddr=0x080481ac paddr=0x000001ac sz=32 vsz=32 perm=--r-- name=.gnu.hash
idx=05 vaddr=0x080481cc paddr=0x000001cc sz=96 vsz=96 perm=--r-- name=.dynsym
idx=06 vaddr=0x0804822c paddr=0x0000022c sz=101 vsz=101 perm=--r-- name=.dynstr
idx=07 vaddr=0x08048292 paddr=0x00000292 sz=12 vsz=12 perm=--r-- name=.gnu.version
idx=08 vaddr=0x080482a0 paddr=0x000002a0 sz=48 vsz=48 perm=--r-- name=.gnu.version_r
idx=09 vaddr=0x080482d0 paddr=0x000002d0 sz=8 vsz=8 perm=--r-- name=.rel.dyn
idx=10 vaddr=0x080482d8 paddr=0x000002d8 sz=24 vsz=24 perm=--r-- name=.rel.plt
idx=11 vaddr=0x080482f0 paddr=0x000002f0 sz=35 vsz=35 perm=--r-x name=.init
idx=12 vaddr=0x08048320 paddr=0x00000320 sz=64 vsz=64 perm=--r-x name=.plt
idx=13 vaddr=0x08048360 paddr=0x00000360 sz=8 vsz=8 perm=--r-x name=.plt.got
idx=14 vaddr=0x08048370 paddr=0x00000370 sz=658 vsz=658 perm=--r-x name=.text
idx=15 vaddr=0x08048604 paddr=0x00000604 sz=20 vsz=20 perm=--r-x name=.fini
idx=16 vaddr=0x08048618 paddr=0x00000618 sz=45 vsz=45 perm=--r-- name=.rodata
idx=17 vaddr=0x08048648 paddr=0x00000648 sz=52 vsz=52 perm=--r-- name=.eh_frame_hdr
idx=18 vaddr=0x0804867c paddr=0x0000067c sz=236 vsz=236 perm=--r-- name=.eh_frame
idx=19 vaddr=0x08049f08 paddr=0x00000f08 sz=4 vsz=4 perm=--rw- name=.init_array
idx=20 vaddr=0x08049f0c paddr=0x00000f0c sz=4 vsz=4 perm=--rw- name=.fini_array
idx=21 vaddr=0x08049f10 paddr=0x00000f10 sz=4 vsz=4 perm=--rw- name=.jcr
idx=22 vaddr=0x08049f14 paddr=0x00000f14 sz=232 vsz=232 perm=--rw- name=.dynamic
idx=23 vaddr=0x08049ffc paddr=0x00000ffc sz=4 vsz=4 perm=--rw- name=.got
idx=24 vaddr=0x0804a000 paddr=0x00001000 sz=24 vsz=24 perm=--rw- name=.got.plt
idx=25 vaddr=0x0804a018 paddr=0x00001018 sz=8 vsz=8 perm=--rw- name=.data
idx=26 vaddr=0x0804a020 paddr=0x00001020 sz=4 vsz=4 perm=--rw- name=.bss
idx=27 vaddr=0x00000000 paddr=0x00001020 sz=52 vsz=52 perm=----- name=.comment
idx=28 vaddr=0x00000000 paddr=0x00001712 sz=266 vsz=266 perm=----- name=.shstrtab
idx=29 vaddr=0x00000000 paddr=0x00001054 sz=1136 vsz=1136 perm=----- name=.symtab
idx=30 vaddr=0x00000000 paddr=0x000014c4 sz=590 vsz=590 perm=----- name=.strtab
idx=31 vaddr=0x08048034 paddr=0x00000034 sz=288 vsz=288 perm=m-r-x name=PHDR
idx=32 vaddr=0x08048154 paddr=0x00000154 sz=19 vsz=19 perm=m-r-- name=INTERP
idx=33 vaddr=0x08048000 paddr=0x00000000 sz=1896 vsz=1896 perm=m-r-x name=LOAD0
idx=34 vaddr=0x08049f08 paddr=0x00000f08 sz=280 vsz=284 perm=m-rw- name=LOAD1
idx=35 vaddr=0x08049f14 paddr=0x00000f14 sz=232 vsz=232 perm=m-rw- name=DYNAMIC
idx=36 vaddr=0x08048168 paddr=0x00000168 sz=68 vsz=68 perm=m-r-- name=NOTE
idx=37 vaddr=0x08048648 paddr=0x00000648 sz=52 vsz=52 perm=m-r-- name=GNU_EH_FRAME
idx=38 vaddr=0x00000000 paddr=0x00000000 sz=0 vsz=0 perm=m-rw- name=GNU_STACK
idx=39 vaddr=0x08049f08 paddr=0x00000f08 sz=248 vsz=248 perm=m-r-- name=GNU_RELRO
idx=40 vaddr=0x08048000 paddr=0x00000000 sz=52 vsz=52 perm=m-rw- name=ehdr
41 sections
</code></pre></div></div>
<h1 id="cross-references">Cross-references</h1>
<p>This is a very useful feature to find out who calls/references what, whether it be an interesting function or string.</p>
<h2 id="peda-7">PEDA</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">xrefs</span> <span class="nv">func</span>
<span class="nf">All</span> <span class="nv">references</span> <span class="nv">to</span> <span class="err">'</span><span class="nv">func</span><span class="err">'</span><span class="p">:</span>
<span class="err">0</span><span class="nf">x8048558</span> <span class="o"><</span><span class="nv">main</span><span class="o">+</span><span class="mi">122</span><span class="o">></span><span class="p">:</span> <span class="nv">call</span> <span class="mh">0x804846b</span> <span class="o"><</span><span class="nv">func</span><span class="o">></span></code></pre></figure>
<h2 id="radare2-7">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x080484e2</span><span class="p">]</span><span class="o">></span> <span class="nb">ax</span><span class="nv">t</span> <span class="nv">sym.func</span>
<span class="nf">call</span> <span class="mh">0x8048558</span> <span class="nv">call</span> <span class="nv">sym.func</span> <span class="nv">in</span> <span class="nv">sym.main</span></code></pre></figure>
<p>This can also be done in visual mode using <code class="language-plaintext highlighter-rouge">x</code> on a specific symbol.</p>
<h1 id="patching-codememory">Patching code/memory</h1>
<h2 id="peda-8">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ patch 0x402a00 0x90
Written 1 bytes to 0x402a00
</code></pre></div></div>
<h2 id="radare2-8">radare2</h2>
<p>If opening in read-only mode, you should enable cache-writing via <code class="language-plaintext highlighter-rouge">e io.cache = true</code>. Otherwise, you can use the <code class="language-plaintext highlighter-rouge">-w</code> option when loading the file: <code class="language-plaintext highlighter-rouge">r2 -d -w ./binary</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">$</span> <span class="nv">r2</span> <span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span>
<span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">e</span> <span class="nv">io.cache</span> <span class="err">=</span> <span class="nv">true</span>
<span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">pi</span> <span class="mi">1</span> <span class="err">@</span> <span class="nv">main</span>
<span class="nf">push</span> <span class="nv">r15</span>
<span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">wx</span> <span class="mi">90</span> <span class="err">@</span> <span class="nv">main</span>
<span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">pi</span> <span class="mi">1</span> <span class="err">@</span> <span class="nv">main</span>
<span class="nf">nop</span></code></pre></figure>
<h1 id="de-bruijn-patterns">De Bruijn patterns</h1>
<h2 id="peda-9">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ pattc 100
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
gdb-peda$ patto AAEA
AAEA found at offset: 34
</code></pre></div></div>
<h2 id="radare2-9">radare2</h2>
<p>In r2, you need to specify the address at which you wish to write the pattern. AFAIK, there is no way to write the pattern to <code class="language-plaintext highlighter-rouge">stdout</code> for copy-pasting it. Also, the offset doesn’t work with string values; must be hex.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">wop?</span>
<span class="err">|</span><span class="nl">Usage:</span> <span class="nf">wop</span><span class="p">[</span><span class="nv">DO</span><span class="p">]</span> <span class="nv">len</span> <span class="err">@</span> <span class="nv">addr</span> <span class="o">|</span> <span class="nv">value</span>
<span class="err">|</span> <span class="nf">wopD</span> <span class="nv">len</span> <span class="p">[</span><span class="err">@</span> <span class="nv">addr</span><span class="p">]</span> <span class="nv">Write</span> <span class="nv">a</span> <span class="nv">De</span> <span class="nv">Bruijn</span> <span class="nv">Pattern</span> <span class="nv">of</span> <span class="nv">length</span> <span class="err">'</span><span class="nv">len</span><span class="s">' at address '</span><span class="nv">addr</span><span class="err">'</span>
<span class="err">|</span> <span class="nf">wopO</span> <span class="nv">value</span> <span class="nv">Finds</span> <span class="nv">the</span> <span class="nv">given</span> <span class="nv">value</span> <span class="nv">into</span> <span class="nv">a</span> <span class="nv">De</span> <span class="nv">Bruijn</span> <span class="nv">Pattern</span> <span class="nv">at</span> <span class="nv">current</span> <span class="nv">offset</span>
<span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">wopD</span> <span class="mi">100</span> <span class="err">@</span> <span class="nb">rsi</span>
<span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">ps</span> <span class="err">@</span> <span class="nb">rsi</span><span class="err">!</span><span class="mi">100</span>
<span class="nf">AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh</span>
<span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">wopO</span> <span class="mh">0x414b4141</span>
<span class="err">28</span></code></pre></figure>
<h1 id="searching-in-memory">Searching in memory</h1>
<h2 id="peda-10">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ phelp searchmem
Search for a pattern in memory; support regex search
Usage:
searchmem pattern start end
searchmem pattern mapname
</code></pre></div></div>
<h2 id="radare2-10">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="o">/</span><span class="nv">?</span>
<span class="err">|</span><span class="nl">Usage:</span> <span class="err">/[</span><span class="nf">amx</span><span class="o">/</span><span class="p">]</span> <span class="p">[</span><span class="nv">arg</span><span class="p">]</span><span class="nv">Search</span> <span class="nv">stuff</span> <span class="p">(</span><span class="nv">see</span> <span class="s">'e??search'</span> <span class="nv">for</span> <span class="nv">options</span><span class="p">)</span>
<span class="err">|</span> <span class="err">/</span> <span class="nf">foo</span><span class="err">\</span><span class="nv">x00</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">string</span> <span class="err">'</span><span class="nv">foo</span><span class="err">\</span><span class="mi">0</span><span class="err">'</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">j</span> <span class="nv">foo</span><span class="err">\</span><span class="nv">x00</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">string</span> <span class="err">'</span><span class="nv">foo</span><span class="err">\</span><span class="mi">0</span><span class="err">'</span> <span class="p">(</span><span class="nv">json</span> <span class="nv">output</span><span class="p">)</span>
<span class="err">|</span> <span class="err">/!</span> <span class="nf">ff</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">first</span> <span class="nv">occurrence</span> <span class="nv">not</span> <span class="nv">matching</span>
<span class="err">|</span> <span class="err">/+</span> <span class="err">/</span><span class="nf">bin</span><span class="o">/</span><span class="nv">sh</span> <span class="nv">construct</span> <span class="nv">the</span> <span class="nv">string</span> <span class="nv">with</span> <span class="nb">ch</span><span class="nv">unks</span>
<span class="err">|</span> <span class="err">/!</span><span class="nf">x</span> <span class="mi">00</span> <span class="nv">inverse</span> <span class="nv">hexa</span> <span class="nv">search</span> <span class="p">(</span><span class="nv">find</span> <span class="nv">first</span> <span class="kt">byte</span> <span class="err">!=</span> <span class="mh">0x00</span><span class="p">)</span>
<span class="err">|</span> <span class="err">//</span> <span class="nf">repeat</span> <span class="nv">last</span> <span class="nv">search</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">h</span><span class="p">[</span><span class="nv">t</span><span class="p">]</span> <span class="p">[</span><span class="nv">hash</span><span class="p">]</span> <span class="p">[</span><span class="nv">len</span><span class="p">]</span> <span class="nv">find</span> <span class="nb">bl</span><span class="nv">ock</span> <span class="nv">matching</span> <span class="nv">this</span> <span class="nv">hash.</span> <span class="nv">See</span> <span class="o">/</span><span class="err">#</span><span class="nv">?</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">a</span> <span class="nv">jmp</span> <span class="nb">eax</span> <span class="nv">assemble</span> <span class="nv">opcode</span> <span class="nv">and</span> <span class="nv">search</span> <span class="nv">its</span> <span class="kt">byte</span><span class="nv">s</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">A</span> <span class="nv">jmp</span> <span class="nv">find</span> <span class="nv">analyzed</span> <span class="nv">instructions</span> <span class="nv">of</span> <span class="nv">this</span> <span class="nv">type</span> <span class="p">(</span><span class="o">/</span><span class="nv">A?</span> <span class="nv">for</span> <span class="nv">help</span><span class="p">)</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">b</span> <span class="nv">search</span> <span class="nv">backwards</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">B</span> <span class="nv">search</span> <span class="nv">recognized</span> <span class="nv">RBin</span> <span class="nv">headers</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">c</span> <span class="nv">jmp</span> <span class="p">[</span><span class="nb">esp</span><span class="p">]</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">asm</span> <span class="nv">code</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">C</span><span class="p">[</span><span class="nv">ar</span><span class="p">]</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">crypto</span> <span class="nv">materials</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">d</span> <span class="mi">101112</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">a</span> <span class="nv">deltified</span> <span class="nv">sequence</span> <span class="nv">of</span> <span class="kt">byte</span><span class="nv">s</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">e</span> <span class="o">/</span><span class="nv">E.F</span><span class="o">/</span><span class="nv">i</span> <span class="nv">match</span> <span class="nv">regular</span> <span class="nv">expression</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">E</span> <span class="nb">esi</span><span class="nv">l</span><span class="o">-</span><span class="nv">expr</span> <span class="nv">offset</span> <span class="nv">matching</span> <span class="nv">given</span> <span class="nb">esi</span><span class="nv">l</span> <span class="nv">expressions</span> <span class="o">%%</span><span class="err">=</span> <span class="nv">here</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">i</span> <span class="nv">foo</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">string</span> <span class="s">'foo'</span> <span class="nv">ignoring</span> <span class="nv">case</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">m</span> <span class="nv">magicfile</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">matching</span> <span class="nv">magic</span> <span class="nv">file</span> <span class="p">(</span><span class="nv">use</span> <span class="nb">bl</span><span class="nv">ocksize</span><span class="p">)</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">p</span> <span class="nv">patternsize</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">pattern</span> <span class="nv">of</span> <span class="nv">given</span> <span class="nb">si</span><span class="nv">ze</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">P</span> <span class="nv">show</span> <span class="nv">offset</span> <span class="nv">of</span> <span class="nv">previous</span> <span class="nv">instruction</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">r</span> <span class="nv">sym.printf</span> <span class="nv">analyze</span> <span class="nv">opcode</span> <span class="nv">reference</span> <span class="nv">an</span> <span class="nv">offset</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">R</span> <span class="p">[</span><span class="nv">grepopcode</span><span class="p">]</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">matching</span> <span class="nv">ROP</span> <span class="nv">gadgets</span><span class="p">,</span> <span class="nv">semicolon</span><span class="o">-</span><span class="nv">separated</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">v</span><span class="p">[</span><span class="mi">1248</span><span class="p">]</span> <span class="nv">value</span> <span class="nv">look</span> <span class="nv">for</span> <span class="nv">an</span> <span class="err">`</span><span class="nv">asm.bigendian</span><span class="err">`</span> <span class="mi">32</span><span class="nv">bit</span> <span class="nv">value</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">V</span><span class="p">[</span><span class="mi">1248</span><span class="p">]</span> <span class="nv">min</span> <span class="nv">max</span> <span class="nv">look</span> <span class="nv">for</span> <span class="nv">an</span> <span class="err">`</span><span class="nv">asm.bigendian</span><span class="err">`</span> <span class="mi">32</span><span class="nv">bit</span> <span class="nv">value</span> <span class="nv">in</span> <span class="nv">range</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">w</span> <span class="nv">foo</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">wide</span> <span class="nv">string</span> <span class="err">'</span><span class="nv">f</span><span class="err">\</span><span class="mi">0</span><span class="nv">o</span><span class="err">\</span><span class="mi">0</span><span class="nv">o</span><span class="err">\</span><span class="mi">0</span><span class="err">'</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">wi</span> <span class="nv">foo</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">wide</span> <span class="nv">string</span> <span class="nv">ignoring</span> <span class="nv">case</span> <span class="err">'</span><span class="nv">f</span><span class="err">\</span><span class="mi">0</span><span class="nv">o</span><span class="err">\</span><span class="mi">0</span><span class="nv">o</span><span class="err">\</span><span class="mi">0</span><span class="err">'</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">x</span> <span class="nv">ff..33</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">hex</span> <span class="nv">string</span> <span class="nv">ignoring</span> <span class="nv">some</span> <span class="nv">nibbles</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">x</span> <span class="nv">ff0033</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">hex</span> <span class="nv">string</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">x</span> <span class="nv">ff43</span> <span class="nv">ffd0</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">hexpair</span> <span class="nv">with</span> <span class="nv">mask</span>
<span class="err">|</span> <span class="err">/</span><span class="nf">z</span> <span class="nv">min</span> <span class="nv">max</span> <span class="nv">search</span> <span class="nv">for</span> <span class="nv">strings</span> <span class="nv">of</span> <span class="nv">given</span> <span class="nb">si</span><span class="nv">ze</span></code></pre></figure>
<h1 id="shellcoding">Shellcoding</h1>
<h2 id="peda-11">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ shellcode
Error: missing argument
Generate or download common shellcodes.
Usage:
shellcode generate [arch/]platform type [port] [host]
shellcode search keyword (use % for any character wildcard)
shellcode display shellcodeId (shellcodeId as appears in search results)
shellcode zsc [generate customize shellcode]
For generate option:
default port for bindport shellcode: 16706 (0x4142)
default host/port for connect back shellcode: 127.127.127.127/16706
supported arch: x86
gdb-peda$ shellcode generate
Available shellcodes:
x86/linux exec
x86/linux connect
x86/linux bindport
x86/bsd exec
x86/bsd connect
x86/bsd bindport
gdb-peda$ shellcode generate x86/linux exec
# x86/linux/exec: 24 bytes
shellcode = (
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
)
</code></pre></div></div>
<h2 id="radare2-11">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">g?</span>
<span class="err">|</span><span class="nl">Usage:</span> <span class="nf">g</span><span class="p">[</span><span class="nv">wcilper</span><span class="p">]</span> <span class="p">[</span><span class="nv">arg</span><span class="p">]</span><span class="nv">Go</span> <span class="nv">compile</span> <span class="nv">shellcodes</span>
<span class="err">|</span> <span class="nf">g</span> <span class="nv">foo.r</span> <span class="nv">Compile</span> <span class="nv">r_egg</span> <span class="nv">source</span> <span class="nv">file</span>
<span class="err">|</span> <span class="nf">gw</span> <span class="nv">Compile</span> <span class="nv">and</span> <span class="nv">write</span>
<span class="err">|</span> <span class="nf">gc</span> <span class="nv">cmd</span><span class="err">=</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span> <span class="nv">Set</span> <span class="nv">config</span> <span class="nv">option</span> <span class="nv">for</span> <span class="nv">shellcodes</span> <span class="nv">and</span> <span class="nv">encoders</span>
<span class="err">|</span> <span class="nf">gc</span> <span class="nv">List</span> <span class="nb">al</span><span class="nv">l</span> <span class="nv">config</span> <span class="nv">options</span>
<span class="err">|</span> <span class="nf">gl</span> <span class="nv">List</span> <span class="nv">plugins</span> <span class="p">(</span><span class="nv">shellcodes</span><span class="p">,</span> <span class="nv">encoders</span><span class="p">)</span>
<span class="err">|</span> <span class="nf">gs</span> <span class="nv">name</span> <span class="nv">args</span> <span class="nv">Compile</span> <span class="nv">syscall</span> <span class="nv">name</span><span class="p">(</span><span class="nv">args</span><span class="p">)</span>
<span class="err">|</span> <span class="nf">gi</span> <span class="nv">exec</span> <span class="nv">Compile</span> <span class="nv">shellcode.</span> <span class="nv">like</span> <span class="nv">ragg2</span> <span class="o">-</span><span class="nv">i</span>
<span class="err">|</span> <span class="nf">gp</span> <span class="nv">padding</span> <span class="nv">Define</span> <span class="nv">padding</span> <span class="nv">for</span> <span class="nv">command</span>
<span class="err">|</span> <span class="nf">ge</span> <span class="nv">xor</span> <span class="nb">Sp</span><span class="nv">ecify</span> <span class="nv">an</span> <span class="nv">encoder</span>
<span class="err">|</span> <span class="nf">gr</span> <span class="nv">Reset</span> <span class="nv">r_egg</span>
<span class="err">|</span> <span class="nf">EVAL</span> <span class="nv">VARS</span><span class="p">:</span> <span class="nv">asm.arch</span><span class="p">,</span> <span class="nv">asm.bits</span><span class="p">,</span> <span class="nv">asm.os</span>
<span class="err">[0</span><span class="nf">x004049a0</span><span class="p">]</span><span class="o">></span> <span class="nv">gl</span>
<span class="nf">shc</span> <span class="nv">exec</span> <span class="p">:</span> <span class="nv">execute</span> <span class="nv">cmd</span><span class="err">=</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">sh</span> <span class="nv">suid</span><span class="err">=</span><span class="nv">false</span>
<span class="nf">enc</span> <span class="nv">xor</span> <span class="p">:</span> <span class="nv">xor</span> <span class="nv">encoder</span> <span class="nv">for</span> <span class="nv">shellcode</span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">gi</span> <span class="nv">exec</span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">g</span>
<span class="err">31</span><span class="nf">c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05</span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">wx</span> <span class="s">`g`</span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">pi</span> <span class="mi">13</span>
<span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">movabs</span> <span class="nb">rbx</span><span class="p">,</span> <span class="mh">0xff978cd091969dd1</span>
<span class="nf">neg</span> <span class="nb">rbx</span>
<span class="nf">push</span> <span class="nb">rbx</span>
<span class="nf">push</span> <span class="nb">rsp</span>
<span class="nf">pop</span> <span class="nb">rdi</span>
<span class="nf">cdq</span>
<span class="nf">push</span> <span class="nb">rdx</span>
<span class="nf">push</span> <span class="nb">rdi</span>
<span class="nf">push</span> <span class="nb">rsp</span>
<span class="nf">pop</span> <span class="nb">rsi</span>
<span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="mh">0x3b</span>
<span class="nf">syscall</span></code></pre></figure>
<p>You can write your own shellcode for future use and compile it. Also, you can write the shellcode anywhere by using the <code class="language-plaintext highlighter-rouge">@</code> address specifier.</p>
<h1 id="tracing">Tracing</h1>
<h2 id="peda-12">PEDA</h2>
<p><code class="language-plaintext highlighter-rouge">tracecall</code> and <code class="language-plaintext highlighter-rouge">traceinst</code> are very useful in a number of situations.</p>
<h2 id="radare2-12">radare2</h2>
<p>Sadly <a href="https://github.com/radare/radare2/issues/5473">broken</a> at the moment.</p>
<h1 id="virtual-memory-mapping">Virtual memory mapping</h1>
<p>Using <code class="language-plaintext highlighter-rouge">vmm</code> in peda? In r2, it’s <code class="language-plaintext highlighter-rouge">dm</code>.</p>
<h1 id="dereferencing-stack-and-registers-telescoping">Dereferencing stack and registers (telescoping)</h1>
<h2 id="peda-13">PEDA</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">telescope</span> <span class="mi">10</span>
<span class="err">0000|</span> <span class="err">0</span><span class="nf">x7fff1225eed8</span> <span class="o">--></span> <span class="mh">0x7fb93f6b9830</span> <span class="p">(</span><span class="o"><</span><span class="nv">__libc_start_main</span><span class="o">+</span><span class="mi">240</span><span class="o">></span><span class="p">:</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">eax</span><span class="p">)</span>
<span class="err">0008|</span> <span class="err">0</span><span class="nf">x7fff1225eee0</span> <span class="o">--></span> <span class="mh">0x0</span>
<span class="err">0016|</span> <span class="err">0</span><span class="nf">x7fff1225eee8</span> <span class="o">--></span> <span class="mh">0x7fff1225efb8</span> <span class="o">--></span> <span class="mh">0x7fff122611fd</span> <span class="o">--></span> <span class="mh">0x736c2f6e69622f</span> <span class="p">(</span><span class="err">'</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="err">'</span><span class="p">)</span>
<span class="err">0024|</span> <span class="err">0</span><span class="nf">x7fff1225eef0</span> <span class="o">--></span> <span class="mh">0x100000000</span>
<span class="err">0032|</span> <span class="err">0</span><span class="nf">x7fff1225eef8</span> <span class="o">--></span> <span class="mh">0x402a00</span> <span class="p">(</span><span class="nv">push</span> <span class="nv">r15</span><span class="p">)</span>
<span class="err">0040|</span> <span class="err">0</span><span class="nf">x7fff1225ef00</span> <span class="o">--></span> <span class="mh">0x0</span>
<span class="err">0048|</span> <span class="err">0</span><span class="nf">x7fff1225ef08</span> <span class="o">--></span> <span class="mh">0xdeca45a1d59f8b89</span>
<span class="err">0056|</span> <span class="err">0</span><span class="nf">x7fff1225ef10</span> <span class="o">--></span> <span class="mh">0x4049a0</span> <span class="p">(</span><span class="nv">xor</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">ebp</span><span class="p">)</span>
<span class="err">0064|</span> <span class="err">0</span><span class="nf">x7fff1225ef18</span> <span class="o">--></span> <span class="mh">0x7fff1225efb0</span> <span class="o">--></span> <span class="mh">0x1</span>
<span class="err">0072|</span> <span class="err">0</span><span class="nf">x7fff1225ef20</span> <span class="o">--></span> <span class="mh">0x0</span>
<span class="nf">gdb</span><span class="o">-</span><span class="nv">peda$</span> <span class="nv">context</span> <span class="nv">reg</span>
<span class="err">[----------------------------------</span><span class="nf">registers</span><span class="o">-----------------------------------</span><span class="p">]</span>
<span class="nl">RAX:</span> <span class="err">0</span><span class="nf">x402a00</span> <span class="p">(</span><span class="nv">push</span> <span class="nv">r15</span><span class="p">)</span>
<span class="nl">RBX:</span> <span class="err">0</span><span class="nf">x0</span>
<span class="nl">RCX:</span> <span class="err">0</span><span class="nf">x0</span>
<span class="nl">RDX:</span> <span class="err">0</span><span class="nf">x7fff1225efc8</span> <span class="o">--></span> <span class="mh">0x7fff12261205</span> <span class="p">(</span><span class="s">"LC_PAPER=ro_RO.UTF-8"</span><span class="p">)</span>
<span class="nl">RSI:</span> <span class="err">0</span><span class="nf">x7fff1225efb8</span> <span class="o">--></span> <span class="mh">0x7fff122611fd</span> <span class="o">--></span> <span class="mh">0x736c2f6e69622f</span> <span class="p">(</span><span class="err">'</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="err">'</span><span class="p">)</span>
<span class="nl">RDI:</span> <span class="err">0</span><span class="nf">x1</span>
<span class="nl">RBP:</span> <span class="err">0</span><span class="nf">x413be0</span> <span class="p">(</span><span class="nv">push</span> <span class="nv">r15</span><span class="p">)</span>
<span class="nl">RSP:</span> <span class="err">0</span><span class="nf">x7fff1225eed8</span> <span class="o">--></span> <span class="mh">0x7fb93f6b9830</span> <span class="p">(</span><span class="o"><</span><span class="nv">__libc_start_main</span><span class="o">+</span><span class="mi">240</span><span class="o">></span><span class="p">:</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">eax</span><span class="p">)</span>
<span class="nl">RIP:</span> <span class="err">0</span><span class="nf">x402a00</span> <span class="p">(</span><span class="nv">push</span> <span class="nv">r15</span><span class="p">)</span>
<span class="nf">R8</span> <span class="p">:</span> <span class="mh">0x413c50</span> <span class="p">(</span><span class="nv">repz</span> <span class="nv">ret</span><span class="p">)</span>
<span class="nf">R9</span> <span class="p">:</span> <span class="mh">0x7fb93fc948e0</span> <span class="p">(</span><span class="o"><</span><span class="nv">_dl_fini</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="nb">rbp</span><span class="p">)</span>
<span class="nl">R10:</span> <span class="err">0</span><span class="nf">x846</span>
<span class="nl">R11:</span> <span class="err">0</span><span class="nf">x7fb93f6b9740</span> <span class="p">(</span><span class="o"><</span><span class="nv">__libc_start_main</span><span class="o">></span><span class="p">:</span> <span class="nv">push</span> <span class="nv">r14</span><span class="p">)</span>
<span class="nl">R12:</span> <span class="err">0</span><span class="nf">x4049a0</span> <span class="p">(</span><span class="nv">xor</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">ebp</span><span class="p">)</span>
<span class="nl">R13:</span> <span class="err">0</span><span class="nf">x7fff1225efb0</span> <span class="o">--></span> <span class="mh">0x1</span>
<span class="nl">R14:</span> <span class="err">0</span><span class="nf">x0</span>
<span class="nl">R15:</span> <span class="err">0</span><span class="nf">x0</span>
<span class="nl">EFLAGS:</span> <span class="err">0</span><span class="nf">x246</span> <span class="p">(</span><span class="nv">carry</span> <span class="nv">PARITY</span> <span class="nv">adjust</span> <span class="nv">ZERO</span> <span class="nb">si</span><span class="nv">gn</span> <span class="nv">trap</span> <span class="nv">INTERRUPT</span> <span class="nb">di</span><span class="nv">rection</span> <span class="nv">overflow</span><span class="p">)</span></code></pre></figure>
<h2 id="radare2-13">radare2</h2>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">pxr</span> <span class="err">@</span> <span class="nb">rsp</span><span class="err">!</span><span class="mi">80</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fb8</span> <span class="mh">0x00007fc0a5275830</span> <span class="mi">0</span><span class="nv">X</span><span class="err">'</span><span class="nv">.....</span> <span class="p">(</span><span class="o">/</span><span class="nv">lib</span><span class="o">/</span><span class="nv">x86_64</span><span class="o">-</span><span class="nv">linux</span><span class="o">-</span><span class="nv">gnu</span><span class="o">/</span><span class="nv">libc</span><span class="o">-</span><span class="mf">2.23</span><span class="nv">.so</span><span class="p">)</span> <span class="nv">library</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'mov edi, eax'</span> <span class="s">'libc-2.23.so'</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fc0</span> <span class="mh">0x0000000000000000</span> <span class="nv">........</span> <span class="nv">r15</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fc8</span> <span class="mh">0x00007ffe4ea91098</span> <span class="nv">...N....</span> <span class="nb">rsi</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x7ffe4ea931a0</span> <span class="o">--></span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x736c2f6e69622f</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="o">--></span> <span class="nv">ascii</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fd0</span> <span class="mh">0x0000000100000000</span> <span class="nv">........</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fd8</span> <span class="mh">0x0000000000402a00</span> <span class="nv">.</span><span class="o">*</span><span class="err">@</span><span class="nv">.....</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">rip</span> <span class="nv">program</span> <span class="nv">ascii</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push r15'</span> <span class="s">'ls'</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fe0</span> <span class="mh">0x0000000000000000</span> <span class="nv">........</span> <span class="nv">r15</span>
<span class="err">0</span><span class="nf">x7ffe4ea90fe8</span> <span class="mh">0xd73cce5c2543d7a1</span> <span class="nv">..C</span><span class="o">%</span><span class="err">\</span><span class="nv">.</span><span class="o"><</span><span class="nv">.</span>
<span class="err">0</span><span class="nf">x7ffe4ea90ff0</span> <span class="mh">0x00000000004049a0</span> <span class="nv">.I@.....</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">r12</span> <span class="nv">program</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'xor ebp, ebp'</span> <span class="s">'ls'</span>
<span class="err">0</span><span class="nf">x7ffe4ea90ff8</span> <span class="mh">0x00007ffe4ea91090</span> <span class="nv">...N....</span> <span class="nv">r13</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x1</span> <span class="o">--></span> <span class="p">(</span><span class="nv">.gnu_debuglink</span><span class="p">)</span> <span class="nb">rdi</span>
<span class="err">0</span><span class="nf">x7ffe4ea91000</span> <span class="mh">0x0000000000000000</span> <span class="nv">........</span> <span class="nv">r15</span>
<span class="err">[0</span><span class="nf">x00402a00</span><span class="p">]</span><span class="o">></span> <span class="nv">drr</span>
<span class="nf">orax</span> <span class="mh">0xffffffffffffffff</span> <span class="nv">orax</span>
<span class="nf">rax</span> <span class="mh">0x0000000000402a00</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">rip</span> <span class="nv">program</span> <span class="nv">ascii</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push r15'</span> <span class="s">'ls'</span>
<span class="nf">rbx</span> <span class="mh">0x0000000000000000</span> <span class="nv">r15</span>
<span class="nf">rcx</span> <span class="mh">0x0000000000000000</span> <span class="nv">r15</span>
<span class="nf">rdx</span> <span class="mh">0x00007ffe4ea910a8</span> <span class="nb">rdx</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x7ffe4ea931a8</span> <span class="o">--></span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x524e54565f474458</span> <span class="p">(</span><span class="nv">XDG_VTNR</span><span class="err">=</span><span class="mi">7</span><span class="p">)</span> <span class="o">--></span> <span class="nv">ascii</span>
<span class="nf">r8</span> <span class="mh">0x0000000000413c50</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">r8</span> <span class="nv">program</span> <span class="nv">ascii</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'ret'</span> <span class="s">'ls'</span>
<span class="nf">r9</span> <span class="mh">0x00007fc0a58508e0</span> <span class="p">(</span><span class="o">/</span><span class="nv">lib</span><span class="o">/</span><span class="nv">x86_64</span><span class="o">-</span><span class="nv">linux</span><span class="o">-</span><span class="nv">gnu</span><span class="o">/</span><span class="nv">ld</span><span class="o">-</span><span class="mf">2.23</span><span class="nv">.so</span><span class="p">)</span> <span class="nv">r9</span> <span class="nv">library</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push rbp'</span> <span class="s">'ld-2.23.so'</span>
<span class="nf">r10</span> <span class="mh">0x0000000000000846</span> <span class="nv">r10</span>
<span class="nf">r11</span> <span class="mh">0x00007fc0a5275740</span> <span class="p">(</span><span class="o">/</span><span class="nv">lib</span><span class="o">/</span><span class="nv">x86_64</span><span class="o">-</span><span class="nv">linux</span><span class="o">-</span><span class="nv">gnu</span><span class="o">/</span><span class="nv">libc</span><span class="o">-</span><span class="mf">2.23</span><span class="nv">.so</span><span class="p">)</span> <span class="nv">r11</span> <span class="nv">library</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push r14'</span> <span class="s">'libc-2.23.so'</span>
<span class="nf">r12</span> <span class="mh">0x00000000004049a0</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">r12</span> <span class="nv">program</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'xor ebp, ebp'</span> <span class="s">'ls'</span>
<span class="nf">r13</span> <span class="mh">0x00007ffe4ea91090</span> <span class="nv">r13</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x1</span> <span class="o">--></span> <span class="p">(</span><span class="nv">.gnu_debuglink</span><span class="p">)</span> <span class="nb">rdi</span>
<span class="nf">r14</span> <span class="mh">0x0000000000000000</span> <span class="nv">r15</span>
<span class="nf">r15</span> <span class="mh">0x0000000000000000</span> <span class="nv">r15</span>
<span class="nf">rsi</span> <span class="mh">0x00007ffe4ea91098</span> <span class="nb">rsi</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x7ffe4ea931a0</span> <span class="o">--></span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x736c2f6e69622f</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="o">--></span> <span class="nv">ascii</span>
<span class="nf">rdi</span> <span class="mh">0x0000000000000001</span> <span class="p">(</span><span class="nv">.gnu_debuglink</span><span class="p">)</span> <span class="nb">rdi</span>
<span class="nf">rsp</span> <span class="mh">0x00007ffe4ea90fb8</span> <span class="nb">rsp</span> <span class="nv">stack</span> <span class="nv">R</span> <span class="nv">W</span> <span class="mh">0x7fc0a5275830</span> <span class="o">--></span> <span class="p">(</span><span class="o">/</span><span class="nv">lib</span><span class="o">/</span><span class="nv">x86_64</span><span class="o">-</span><span class="nv">linux</span><span class="o">-</span><span class="nv">gnu</span><span class="o">/</span><span class="nv">libc</span><span class="o">-</span><span class="mf">2.23</span><span class="nv">.so</span><span class="p">)</span> <span class="nv">library</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'mov edi, eax'</span> <span class="s">'libc-2.23.so'</span>
<span class="nf">rbp</span> <span class="mh">0x0000000000413be0</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nb">rbp</span> <span class="nv">program</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push r15'</span> <span class="s">'ls'</span>
<span class="nf">rip</span> <span class="mh">0x0000000000402a00</span> <span class="p">(</span><span class="nv">.text</span><span class="p">)</span> <span class="p">(</span><span class="o">/</span><span class="nv">bin</span><span class="o">/</span><span class="nv">ls</span><span class="p">)</span> <span class="nv">rip</span> <span class="nv">program</span> <span class="nv">ascii</span> <span class="nv">R</span> <span class="nv">X</span> <span class="s">'push r15'</span> <span class="s">'ls'</span>
<span class="nf">rflags</span> <span class="mh">0x0000000000000246</span> <span class="nv">rflags</span></code></pre></figure>
<h1 id="breakpoint-commands">Breakpoint commands</h1>
<h2 id="peda-14">PEDA</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-peda$ commands 1
gdb-peda$ commands 1
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>set $rax=0xdeadbeef
>set $rbx=0xdeadc0de
>end
gdb-peda$ i b
Num Type Disp Enb Address What
1 breakpoint keep y 0x0000000000402a00
breakpoint already hit 1 time
set $rax=0xdeadbeef
set $rbx=0xdeadc0de
</code></pre></div></div>
<h2 id="radare2-14">radare2</h2>
<p>Warning: some commands may not work properly with <code class="language-plaintext highlighter-rouge">dbc</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x7fcd2c7a2cc0</span><span class="p">]</span><span class="o">></span> <span class="err">"</span><span class="nv">dbc</span> <span class="nv">main</span> <span class="nv">pi</span> <span class="mi">10</span><span class="c1">;pxr@rsp!8;ps @ 0x0041a5f6"</span>
<span class="err">[0</span><span class="nf">x7fcd2c7a2cc0</span><span class="p">]</span><span class="o">></span> <span class="nv">dc</span>
<span class="err">=</span> <span class="nf">attach</span> <span class="mi">5283</span> <span class="mi">1</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">402</span><span class="nv">a00</span>
<span class="nf">mov</span> <span class="nb">rdi</span><span class="p">,</span> <span class="nb">rsp</span>
<span class="nf">call</span> <span class="mh">0x7fcd2c7a6c00</span>
<span class="nf">mov</span> <span class="nv">r12</span><span class="p">,</span> <span class="nb">rax</span>
<span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nv">rip</span> <span class="o">+</span> <span class="mh">0x224fa7</span><span class="p">]</span>
<span class="nf">pop</span> <span class="nb">rdx</span>
<span class="nf">lea</span> <span class="nb">rsp</span><span class="p">,</span> <span class="p">[</span><span class="nb">rsp</span> <span class="o">+</span> <span class="nb">rax</span><span class="o">*</span><span class="mi">8</span><span class="p">]</span>
<span class="nf">sub</span> <span class="nb">edx</span><span class="p">,</span> <span class="nb">eax</span>
<span class="nf">push</span> <span class="nb">rdx</span>
<span class="nf">mov</span> <span class="nb">rsi</span><span class="p">,</span> <span class="nb">rdx</span>
<span class="nf">mov</span> <span class="nv">r13</span><span class="p">,</span> <span class="nb">rsp</span>
<span class="err">0</span><span class="nf">x7ffffe8da290</span> <span class="mh">0x0000000000000001</span> <span class="nv">........</span> <span class="p">(</span><span class="nv">.gnu_debuglink</span><span class="p">)</span>
<span class="nf">CHARSETALIASDIR</span></code></pre></figure>
<h1 id="closing-remarks">Closing remarks</h1>
<p>Radare2 also has numerous features which PEDA lacks, such as CFG, heap analysis, renaming variables and arguments in the disassembly and many more. One thing which r2 is missing is a nice <a href="https://github.com/Gallopsled/pwntools">pwntools</a> integration (although I think this can be easily done on the fly by attaching r2 to the running process. r2pipe + pwntools, however, would be a different story).</p>
<p>Still feel like missing something? Drop <a href="https://twitter.com/monosrc">me</a> a line or ask on #radare on freenode.</p>monosourceMany people feel discouraged or overwhelmed to use radare2 due to its complexity (understandably so). They often use gdb with the downright amazing PEDA extension for their debugging needs and IDA Pro for disassembly (or Hopper/Binary Ninja if the price of IDA is too prohibitive).TrendMicro CTF 2016 - re1002016-08-03T00:25:06+00:002016-08-03T00:25:06+00:00https://monosource.github.io/writeup/2016/08/03/trendmicro-re100<h1 id="context">Context</h1>
<p>The <a href="https://ctf.trendmicro.co.jp">TrendMicro CTF</a> was a blast (apart for some Shakespeare guesswork), and I solved a challenge using radare2, so I thought this would be a good opportunity to present a challenge which can be solved using emulation.</p>
<h1 id="the-challenge">The challenge</h1>
<p><a href="http://www.mediafire.com/download/n7gt2ry237578co/files13.zip">Link</a></p>
<p>We’re provided with a file called <code class="language-plaintext highlighter-rouge">dataloss</code>.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>file dataloss
dataloss: data</code></pre></figure>
<p>OK, so <code class="language-plaintext highlighter-rouge">file</code> doesn’t know what it is. Time to open it in radare2.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>r2 <span class="nt">-b</span> 32 <span class="nt">-a</span> x86 dataloss</code></pre></figure>
<p>If we look around in visual mode, we can see that some instructions make sense. We can tell r2 to auto-analyze the data and identify functions.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">aaa</span>
<span class="err">[</span><span class="nf">x</span><span class="p">]</span> <span class="nv">Analyze</span> <span class="nb">al</span><span class="nv">l</span> <span class="nv">flags</span> <span class="nv">starting</span> <span class="nv">with</span> <span class="nv">sym.</span> <span class="nv">and</span> <span class="nv">entry0</span> <span class="p">(</span><span class="nv">aa</span><span class="p">)</span>
<span class="err">[</span><span class="nf">x</span><span class="p">]</span> <span class="nv">Analyze</span> <span class="nv">len</span> <span class="kt">byte</span><span class="nv">s</span> <span class="nv">of</span> <span class="nv">instructions</span> <span class="nv">for</span> <span class="nv">references</span> <span class="p">(</span><span class="nv">aar</span><span class="p">)</span>
<span class="err">[</span><span class="nf">x</span><span class="p">]</span> <span class="nv">Analyze</span> <span class="nv">function</span> <span class="nv">calls</span> <span class="p">(</span><span class="nv">aac</span><span class="p">)</span>
<span class="err">[</span> <span class="err">]</span> <span class="err">[*]</span> <span class="nf">Use</span> <span class="o">-</span><span class="nv">AA</span> <span class="nv">or</span> <span class="nv">aaaa</span> <span class="nv">to</span> <span class="nv">perform</span> <span class="nv">additional</span> <span class="nv">experimental</span> <span class="nv">analysis.</span>
<span class="err">[</span><span class="nf">x</span><span class="p">]</span> <span class="nv">Constructing</span> <span class="nv">a</span> <span class="nv">function</span> <span class="nv">name</span> <span class="nv">for</span> <span class="nv">fcn.</span><span class="o">*</span> <span class="nv">and</span> <span class="nv">sym.func.</span><span class="o">*</span> <span class="nv">functions</span> <span class="p">(</span><span class="nv">aan</span><span class="p">))</span>
<span class="err">[0</span><span class="nf">x00000000</span><span class="p">]</span><span class="o">></span> <span class="nv">afl</span> <span class="o">|</span> <span class="nv">wc</span> <span class="o">-</span><span class="nv">l</span>
<span class="err">379</span></code></pre></figure>
<p>Plenty of functions found. We can switch to visual mode and cycle through them using <code class="language-plaintext highlighter-rouge">n/N</code>. Most of them look like garbage, until we stumble upon the following:</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">pdf</span>
<span class="err">╒</span> <span class="err">(</span><span class="nf">fcn</span><span class="p">)</span> <span class="nv">fcn.00000278</span> <span class="mi">492</span>
<span class="err">│</span> <span class="c1">; var int local_24h @ ebp-0x24</span>
<span class="err">│</span> <span class="c1">; var int local_23h @ ebp-0x23</span>
<span class="err">│</span> <span class="c1">; var int local_1fh @ ebp-0x1f</span>
<span class="err">│</span> <span class="c1">; var int local_1bh @ ebp-0x1b</span>
<span class="err">│</span> <span class="c1">; var int local_17h @ ebp-0x17</span>
<span class="err">│</span> <span class="c1">; var int local_13h @ ebp-0x13</span>
<span class="err">│</span> <span class="c1">; var int local_fh @ ebp-0xf</span>
<span class="err">│</span> <span class="c1">; var int local_bh @ ebp-0xb</span>
<span class="err">│</span> <span class="c1">; var int local_7h @ ebp-0x7</span>
<span class="err">│</span> <span class="c1">; var int local_4h @ ebp-0x4</span>
<span class="err">│</span> <span class="c1">; arg int arg_8h @ ebp+0x8</span>
<span class="err">│</span> <span class="c1">; CALL XREF from 0x0000046f (fcn.00000468)</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000278</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000279</span> <span class="mi">8</span><span class="nv">bec</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000027b</span> <span class="mi">83</span><span class="nv">ec24</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x24</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000027e</span> <span class="nv">c645dc00</span> <span class="nv">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_24h</span><span class="p">],</span> <span class="mi">0</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000282</span> <span class="mi">33</span><span class="nv">c0</span> <span class="nv">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000284</span> <span class="mi">8945</span><span class="nv">dd</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_23h</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000287</span> <span class="mi">8945</span><span class="nv">e1</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_1fh</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000028a</span> <span class="mi">8945</span><span class="nv">e5</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_1bh</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000028d</span> <span class="mi">8945</span><span class="nv">e9</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_17h</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000290</span> <span class="mi">8945</span><span class="nv">ed</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_13h</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000293</span> <span class="mi">8945</span><span class="nv">f1</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_fh</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000296</span> <span class="mi">8945</span><span class="nv">f5</span> <span class="nv">mov</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_bh</span><span class="p">],</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000299</span> <span class="mi">8845</span><span class="nv">f9</span> <span class="nv">mov</span> <span class="kt">byte</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_7h</span><span class="p">],</span> <span class="nb">al</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000029c</span> <span class="mi">8</span><span class="nv">b4d08</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="nv">arg_8h</span><span class="p">]</span> <span class="c1">; [0x8:4]=0</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0000029f</span> <span class="mi">83</span><span class="nv">c14b</span> <span class="nv">add</span> <span class="nb">ecx</span><span class="p">,</span> <span class="mh">0x4b</span>
<span class="err">│</span> <span class="err">----------------------------</span> <span class="nf">SNIP</span> <span class="o">----------------------------</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000460</span> <span class="mi">8</span><span class="nv">be5</span> <span class="nv">mov</span> <span class="nb">esp</span><span class="p">,</span> <span class="nb">ebp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x00000462</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span>
<span class="err">╘</span> <span class="err">0</span><span class="nf">x00000463</span> <span class="nv">c3</span> <span class="nv">ret</span></code></pre></figure>
<p>It has a single argument, which it loads in the <code class="language-plaintext highlighter-rouge">ecx</code> register, and then it moves all sorts of hardcoded values onto the stack. There are two directions we can go from here:</p>
<ol>
<li>Dump this function into an assembly source file, call it from main, assemble the file and run it in a debugger.</li>
<li>ESIL.</li>
</ol>
<p>We’ll obviously go with the second option, since it’s faster.</p>
<p>ESIL will need to perform some writes in memory, and since we opened the file in read-only mode, we’re going to need to enable caching. Then we will initialize the ESIL VM. All ESIL-related commands are preceded by <code class="language-plaintext highlighter-rouge">ae</code>. You can view them by inputing <code class="language-plaintext highlighter-rouge">ae?</code></p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">ae?</span>
<span class="err">|</span><span class="nl">Usage:</span> <span class="nf">ae</span><span class="p">[</span><span class="nv">idesr?</span><span class="p">]</span> <span class="p">[</span><span class="nv">arg</span><span class="p">]</span><span class="nb">ESI</span><span class="nv">L</span> <span class="nv">code</span> <span class="nv">emulation</span>
<span class="err">|</span> <span class="nf">ae?</span> <span class="nv">show</span> <span class="nv">this</span> <span class="nv">help</span>
<span class="err">|</span> <span class="nf">ae??</span> <span class="nv">show</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">help</span>
<span class="err">|</span> <span class="nf">aei</span> <span class="nv">initialize</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">VM</span> <span class="nv">state</span> <span class="p">(</span><span class="nv">aei</span><span class="o">-</span> <span class="nv">to</span> <span class="nv">deinitialize</span><span class="p">)</span>
<span class="err">|</span> <span class="nf">aeim</span> <span class="nv">initialize</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">VM</span> <span class="nv">stack</span> <span class="p">(</span><span class="nv">aeim</span><span class="o">-</span> <span class="nv">remove</span><span class="p">)</span>
<span class="err">|</span> <span class="nf">aeip</span> <span class="nv">initialize</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">program</span> <span class="nv">counter</span> <span class="nv">to</span> <span class="nv">curseek</span>
<span class="err">|</span> <span class="nf">ae</span> <span class="p">[</span><span class="nv">expr</span><span class="p">]</span> <span class="nv">evaluate</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">expression</span>
<span class="err">|</span> <span class="nf">aex</span> <span class="p">[</span><span class="nv">hex</span><span class="p">]</span> <span class="nv">evaluate</span> <span class="nv">opcode</span> <span class="nv">expression</span>
<span class="err">|</span> <span class="nf">ae</span><span class="p">[</span><span class="nv">aA</span><span class="p">][</span><span class="nv">f</span><span class="p">]</span> <span class="p">[</span><span class="nv">count</span><span class="p">]</span> <span class="nv">analyse</span> <span class="nb">esi</span><span class="nv">l</span> <span class="nv">accesses</span> <span class="p">(</span><span class="nv">regs</span><span class="p">,</span> <span class="nv">mem..</span><span class="p">)</span>
<span class="err">|</span> <span class="nf">aep</span> <span class="p">[</span><span class="nv">addr</span><span class="p">]</span> <span class="nb">ch</span><span class="nv">ange</span> <span class="nb">esi</span><span class="nv">l</span> <span class="nv">PC</span> <span class="nv">to</span> <span class="nv">this</span> <span class="nv">address</span>
<span class="err">|</span> <span class="nf">aef</span> <span class="p">[</span><span class="nv">addr</span><span class="p">]</span> <span class="nv">emulate</span> <span class="nv">function</span>
<span class="err">|</span> <span class="nf">aek</span> <span class="p">[</span><span class="nv">query</span><span class="p">]</span> <span class="nv">perform</span> <span class="nv">sdb</span> <span class="nv">query</span> <span class="nv">on</span> <span class="nb">ESI</span><span class="nv">L.info</span>
<span class="err">|</span> <span class="nf">aek</span><span class="o">-</span> <span class="nv">resets</span> <span class="nv">the</span> <span class="nb">ESI</span><span class="nv">L.info</span> <span class="nv">sdb</span> <span class="nv">instance</span>
<span class="err">|</span> <span class="nf">aec</span> <span class="nv">continue</span> <span class="nv">until</span> <span class="o">^</span><span class="nv">C</span>
<span class="err">|</span> <span class="nf">aecs</span> <span class="p">[</span><span class="nv">sn</span><span class="p">]</span> <span class="nv">continue</span> <span class="nv">until</span> <span class="nv">syscall</span> <span class="nv">number</span>
<span class="err">|</span> <span class="nf">aecu</span> <span class="p">[</span><span class="nv">addr</span><span class="p">]</span> <span class="nv">continue</span> <span class="nv">until</span> <span class="nv">address</span>
<span class="err">|</span> <span class="nf">aecue</span> <span class="p">[</span><span class="nb">esi</span><span class="nv">l</span><span class="p">]</span> <span class="nv">continue</span> <span class="nv">until</span> <span class="nb">esi</span><span class="nv">l</span> <span class="nv">expression</span> <span class="nv">match</span>
<span class="err">|</span> <span class="nf">aetr</span><span class="p">[</span><span class="nb">esi</span><span class="nv">l</span><span class="p">]</span> <span class="nv">Convert</span> <span class="nv">an</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">Expression</span> <span class="nv">to</span> <span class="nv">REIL</span>
<span class="err">|</span> <span class="nf">aes</span> <span class="nv">perform</span> <span class="nv">emulated</span> <span class="nv">debugger</span> <span class="nv">step</span>
<span class="err">|</span> <span class="nf">aeso</span> <span class="nv">step</span> <span class="nv">over</span>
<span class="err">|</span> <span class="nf">aesu</span> <span class="p">[</span><span class="nv">addr</span><span class="p">]</span> <span class="nv">step</span> <span class="nv">until</span> <span class="nv">given</span> <span class="nv">address</span>
<span class="err">|</span> <span class="nf">aesue</span> <span class="p">[</span><span class="nb">esi</span><span class="nv">l</span><span class="p">]</span> <span class="nv">step</span> <span class="nv">until</span> <span class="nb">esi</span><span class="nv">l</span> <span class="nv">expression</span> <span class="nv">match</span>
<span class="err">|</span> <span class="nf">aer</span> <span class="p">[</span><span class="nv">..</span><span class="p">]</span> <span class="nv">handle</span> <span class="nb">ESI</span><span class="nv">L</span> <span class="nv">registers</span> <span class="nv">like</span> <span class="s">'ar'</span> <span class="nv">or</span> <span class="s">'dr'</span> <span class="nv">does</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">e</span> <span class="nv">io.cache</span> <span class="err">=</span> <span class="nv">true</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aei</span> <span class="err">#</span> <span class="nv">initialize</span> <span class="nv">VM</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aeim</span> <span class="err">#</span> <span class="nv">initialize</span> <span class="nv">memory</span><span class="o">/</span><span class="nv">stack</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aeip</span> <span class="err">#</span> <span class="nv">set</span> <span class="nv">EIP</span> <span class="nv">to</span> <span class="nv">current</span> <span class="nv">offset</span></code></pre></figure>
<p>Now we can emulate the function by stepping until <code class="language-plaintext highlighter-rouge">0x00000460</code> and print <code class="language-plaintext highlighter-rouge">ebp</code> at that point.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aesu</span> <span class="mh">0x460</span>
<span class="nf">ADDR</span> <span class="nv">BREAK</span>
<span class="err">[0</span><span class="nf">x00000447</span><span class="p">]</span><span class="o">></span> <span class="nv">ps</span> <span class="err">@</span> <span class="nb">ebp</span> <span class="o">-</span> <span class="mh">0x24</span>
<span class="nl">KD:</span><span class="nf">K</span><span class="err">=</span><span class="nv">r</span><span class="p">[</span><span class="nv">XkXcfjjnfekjkfgljt</span></code></pre></figure>
<p>Hmm, this doesn’t look like a flag. Luckily, we know what the flag should look like: <code class="language-plaintext highlighter-rouge">TMCTF{...}</code>. Remember that this function receives an argument, which is assigned to <code class="language-plaintext highlighter-rouge">ecx</code>. Then, the value <code class="language-plaintext highlighter-rouge">0x4b</code>, corresponding to the letter <code class="language-plaintext highlighter-rouge">K</code> is added to it. We can figure out that <code class="language-plaintext highlighter-rouge">ecx</code> needs to be the value <code class="language-plaintext highlighter-rouge">0x9</code> in order to get <code class="language-plaintext highlighter-rouge">T</code> as the first letter of the flag.</p>
<p>Let’s rewind a bit and set the argument for our function at <code class="language-plaintext highlighter-rouge">ebp+0x8</code> to <code class="language-plaintext highlighter-rouge">0x9</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x0000027e</span><span class="p">]</span><span class="o">></span> <span class="nv">s</span> <span class="mh">0x278</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aeim</span><span class="o">-</span>
<span class="nf">Deinitialized</span> <span class="nv">mem.0x100000_0xf0000</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aei</span><span class="o">-</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aei</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aeim</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aeip</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="mi">13</span><span class="nv">aes</span> <span class="err">#</span> <span class="nv">step</span> <span class="mi">13</span> <span class="nv">times</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="o">*</span><span class="p">(</span><span class="nb">ebp</span><span class="o">+</span><span class="mh">0x8</span><span class="p">)</span> <span class="err">=</span> <span class="mh">0x9</span> <span class="err">#</span> <span class="nv">set</span> <span class="nv">function</span> <span class="nv">argument</span> <span class="nv">to</span> <span class="mi">9</span>
<span class="err">[0</span><span class="nf">x00000278</span><span class="p">]</span><span class="o">></span> <span class="nv">aesu</span> <span class="mh">0x460</span> <span class="err">#</span> <span class="nv">step</span> <span class="nv">until</span> <span class="nv">right</span> <span class="nv">before</span> <span class="nb">cl</span><span class="nv">eaning</span> <span class="nv">the</span> <span class="nv">stack</span> <span class="nv">frame</span>
<span class="nf">ADDR</span> <span class="nv">BREAK</span>
<span class="err">[0</span><span class="nf">x00000447</span><span class="p">]</span><span class="o">></span> <span class="nv">ps</span> <span class="err">@</span> <span class="nb">ebp</span><span class="o">-</span><span class="mh">0x24</span>
<span class="nf">TMCTF</span><span class="err">{</span><span class="nv">datalosswontstopus</span><span class="err">}</span></code></pre></figure>
<p>And there’s our flag!</p>monosourceContextSolving Radare2 Explorations Tutorial 2 with angr2016-06-28T00:25:06+00:002016-06-28T00:25:06+00:00https://monosource.github.io/tutorial/2016/06/28/solving-tut2-angr<h1 id="context">Context</h1>
<p>I’ve been looking into symbolic execution lately and, more specifically, <a href="http://angr.io/">angr</a>, a binary analysis framework which is also capable of symbolically executing binaries.</p>
<h1 id="so-whats-all-this-symbolic-execution-about">So what’s all this “symbolic” execution about?</h1>
<p>It’s simpler to explain visually. Suppose we have the following simple C program:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">scanf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="o">&</span><span class="n">x</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">x</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">printf</span> <span class="p">(</span><span class="s">"x is even</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">else</span>
<span class="n">printf</span> <span class="p">(</span><span class="s">"x is odd</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>When executing this program, after the user supplies the value of <code class="language-plaintext highlighter-rouge">x</code> (i.e. 5), it is set in stone from that point on (or until the program ends or changes the value of <code class="language-plaintext highlighter-rouge">x</code> somehow). We say that <code class="language-plaintext highlighter-rouge">x</code> has a <em>concrete</em> value. Since <code class="language-plaintext highlighter-rouge">x</code> is fixed, we can safely say that the program will only run through one of the two possible paths.</p>
<p>Symbolic execution allows for variables, registers, memory regions and even file descriptors to be <em>symbolic</em>. This means that in a symbolic context, <code class="language-plaintext highlighter-rouge">x</code> is no longer the (concrete) value supplied by the user, but rather a symbolic value. This new type of value will reach the <code class="language-plaintext highlighter-rouge">if</code> statement which will trigger the symbolic execution engine to <em>fork</em> on two different paths: one in which <code class="language-plaintext highlighter-rouge">x % 2 == 0</code> holds true (<code class="language-plaintext highlighter-rouge">x</code> still being symbolic, and the entire expression as well) and one in which the negation holds true. This way, the engine explores all possible paths of the program.</p>
<p>As the paths are explored, symbolic expressions are built and constraints are added to the forked states. These constraints can then be passed on to an SMT solver like <a href="https://github.com/Z3Prover/z3">Z3</a> which will determine a <em>concrete</em> value which satisfies said constraints.</p>
<h1 id="how-does-this-help-me-in-a-practical-way">How does this help me in a practical way?</h1>
<p>Think of a program which requires a valid input to grant you access to some file or network. A program can be seen as a complex graph of basic blocks of code. This graph most likely has a “start” node, a “success” node and a “failure” node, among many other intermediate nodes. You want to find the answer to the question: how do I get from the “start” node to the “success” node while avoiding the “failure” node? The answer to your question can be given through symbolic execution.</p>
<p>There are practical limitations to symbolic execution, such as path explosion, which won’t be discussed in this post.</p>
<h1 id="example">Example</h1>
<p>We’ll use the binary from <a href="https://github.com/monosource/radare2-explorations-binaries/tree/master/tut2-memory">tutorial 2</a> from <a href="https://monosource.gitbooks.io/radare2-explorations/content/">Radare2 Explorations</a>.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>./xor
Enter the password: 1234
Wrong!</code></pre></figure>
<p>Let’s have a look at the internals of this binary using radare2.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">╒</span> <span class="err">(</span><span class="nf">fcn</span><span class="p">)</span> <span class="nv">sym.main</span> <span class="mi">256</span>
<span class="err">│</span> <span class="err">---------------</span><span class="nf">CUT</span><span class="o">--------------------</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048440</span> <span class="mi">6880860408</span> <span class="nv">push</span> <span class="nv">str.Enter_the_password</span><span class="p">:</span> <span class="c1">; str.Enter_the_password: ; "Enter the password: " @ 0x8048680</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804845d</span> <span class="nv">e8eefeffff</span> <span class="nv">call</span> <span class="nv">sym.imp.printf</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048462</span> <span class="mi">58</span> <span class="nv">pop</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048463</span> <span class="mi">5</span><span class="nv">a</span> <span class="nv">pop</span> <span class="nb">edx</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048464</span> <span class="mi">57</span> <span class="nv">push</span> <span class="nb">edi</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048465</span> <span class="mi">6895860408</span> <span class="nv">push</span> <span class="nv">str._32s</span> <span class="c1">; str._32s ; "%32s" @ 0x8048695</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804846a</span> <span class="nv">e821ffffff</span> <span class="nv">call</span> <span class="nv">sym.imp.__isoc99_scanf</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804846f</span> <span class="mi">59</span> <span class="nv">pop</span> <span class="nb">ecx</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048470</span> <span class="mi">58</span> <span class="nv">pop</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048471</span> <span class="mi">8</span><span class="nv">d45d7</span> <span class="nv">lea</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_29h</span><span class="p">]</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048474</span> <span class="mi">50</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048475</span> <span class="mi">57</span> <span class="nv">push</span> <span class="nb">edi</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048476</span> <span class="nv">e835010000</span> <span class="nv">call</span> <span class="nv">sym.check</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804847b</span> <span class="mi">83</span><span class="nv">c410</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x10</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x0804847e</span> <span class="mi">85</span><span class="nv">c0</span> <span class="nv">test</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">┌─<</span> <span class="err">0</span><span class="nf">x08048480</span> <span class="mi">741</span><span class="nv">c</span> <span class="nv">je</span> <span class="mh">0x804849e</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048482</span> <span class="mi">83</span><span class="nv">ec0c</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0xc</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048485</span> <span class="mi">68</span><span class="nv">a1860408</span> <span class="nv">push</span> <span class="nv">str.Good_job__</span><span class="p">:</span><span class="nv">_</span> <span class="c1">; str.Good_job__:_ ; "Good job! :)" @ 0x80486a1</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x0804848a</span> <span class="nv">e8d1feffff</span> <span class="nv">call</span> <span class="nv">sym.imp.puts</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x0804848f</span> <span class="mi">83</span><span class="nv">c410</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x10</span>
<span class="err">│</span> <span class="err">│</span> <span class="c1">; JMP XREF from 0x080484ae (sym.main)</span>
<span class="err">│</span> <span class="err">┌──></span> <span class="err">0</span><span class="nf">x08048492</span> <span class="mi">8</span><span class="nv">d65f8</span> <span class="nv">lea</span> <span class="nb">esp</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_8h</span><span class="p">]</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x08048495</span> <span class="mi">31</span><span class="nv">c0</span> <span class="nv">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x08048497</span> <span class="mi">59</span> <span class="nv">pop</span> <span class="nb">ecx</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x08048498</span> <span class="mi">5</span><span class="nv">f</span> <span class="nv">pop</span> <span class="nb">edi</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x08048499</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x0804849a</span> <span class="mi">8</span><span class="nv">d61fc</span> <span class="nv">lea</span> <span class="nb">esp</span><span class="p">,</span> <span class="p">[</span><span class="nb">ecx</span> <span class="o">-</span> <span class="mi">4</span><span class="p">]</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x0804849d</span> <span class="nv">c3</span> <span class="nv">ret</span>
<span class="err">│</span> <span class="err">││</span> <span class="c1">; JMP XREF from 0x08048480 (sym.main)</span>
<span class="err">│</span> <span class="err">│└─></span> <span class="err">0</span><span class="nf">x0804849e</span> <span class="mi">83</span><span class="nv">ec0c</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0xc</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x080484a1</span> <span class="mi">689</span><span class="nv">a860408</span> <span class="nv">push</span> <span class="nv">str.Wrong_</span> <span class="c1">; str.Wrong_ ; "Wrong!" @ 0x804869a</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x080484a6</span> <span class="nv">e8b5feffff</span> <span class="nv">call</span> <span class="nv">sym.imp.puts</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x080484ab</span> <span class="mi">83</span><span class="nv">c410</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x10</span>
<span class="err">╘</span> <span class="err">└──<</span> <span class="err">0</span><span class="nf">x080484ae</span> <span class="nv">ebe2</span> <span class="nv">jmp</span> <span class="mh">0x8048492</span></code></pre></figure>
<p>The program seems fairly simple. It reads a password from stdin, calls the <code class="language-plaintext highlighter-rouge">sym.check</code> function, and then prints “Good job! :)” or “Wrong!” depending on the result of the verification.</p>
<p>We’re going to solve this blindly. <code class="language-plaintext highlighter-rouge">angr</code> is going to do all of the work for us. We don’t even care what the check function does. We just need to tell <code class="language-plaintext highlighter-rouge">angr</code> that we want an input which gets us at <code class="language-plaintext highlighter-rouge">0x08048485</code>, which is our “success” state, and avoid <code class="language-plaintext highlighter-rouge">0x080484a1</code>, which is our “failure” state.</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">angr</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">angr</span><span class="p">.</span><span class="n">Project</span><span class="p">(</span><span class="s">"./xor"</span><span class="p">,</span> <span class="n">load_options</span><span class="o">=</span><span class="p">{</span><span class="s">'auto_load_libs'</span><span class="p">:</span> <span class="bp">False</span><span class="p">})</span>
<span class="n">ex</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">surveyors</span><span class="p">.</span><span class="n">Explorer</span><span class="p">(</span><span class="n">find</span><span class="o">=</span><span class="p">(</span><span class="mh">0x08048485</span><span class="p">,),</span> <span class="n">avoid</span><span class="o">=</span><span class="p">(</span><span class="mh">0x080484a1</span><span class="p">,))</span>
<span class="n">ex</span><span class="p">.</span><span class="n">run</span><span class="p">()</span>
<span class="k">return</span> <span class="n">ex</span><span class="p">.</span><span class="n">found</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">state</span><span class="p">.</span><span class="n">posix</span><span class="p">.</span><span class="n">dumps</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="n">strip</span><span class="p">(</span><span class="s">'</span><span class="se">\0\n</span><span class="s">'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">__name__</span><span class="o">==</span><span class="s">'__main__'</span><span class="p">:</span>
<span class="k">print</span> <span class="n">main</span><span class="p">()</span></code></pre></figure>
<p>Let’s see how well it does.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">time </span>python solve.py
MONO[th4t_wa5~pr3tty<span class="o">=</span>ea5y_r1gh7]
real 0m2.210s
user 0m2.084s
sys 0m0.104s
<span class="nv">$ </span>./xor
Enter the password: MONO[th4t_wa5~pr3tty<span class="o">=</span>ea5y_r1gh7]
Good job! :<span class="o">)</span></code></pre></figure>
<p>Almost feels like cheating, doesn’t it?</p>
<p>Have fun with angr in your future endeavors!</p>monosourceContextSolving CMU Binary Bomb Phase 2 (the smug way)2016-06-20T10:25:06+00:002016-06-20T10:25:06+00:00https://monosource.github.io/2016/06/20/solving-bomb-phase2<h1 id="context">Context</h1>
<p>In this post, I will cover a dynamic solution for the second phase of the <a href="https://csapp.cs.cmu.edu/3e/bomb.tar">CMU Binary Bomb</a>, which is a lot of fun and teaches you how some C basics, such as switch statements, recursion, linked lists, end up as assembly.</p>
<h1 id="phase-2-of-the-bomb">Phase 2 of the Bomb</h1>
<p>Although this phase can easily be <a href="https://unlogic.co.uk/2016/04/20/binary-bomb-with-radare2-phase-2/">done by hand</a>, or <a href="http://ctfhacker.com/ctf/python/symbolic/execution/reverse/radare/2015/11/28/cmu-binary-bomb-flag2.html">symbolic execution</a>, the solution I will be presenting can be easily adapted for more complex tasks.</p>
<p>We’ll start by loading the binary in radare2, in debug mode.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>r2 <span class="nt">-Ad</span> bomb</code></pre></figure>
<p>We’ll continue until <code class="language-plaintext highlighter-rouge">sym.phase_2</code></p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">xf76fbd00</span><span class="p">]</span><span class="o">></span> <span class="nv">dcu</span> <span class="nv">sym.phase_2</span></code></pre></figure>
<p>I’ll not spoil the solution for <code class="language-plaintext highlighter-rouge">phase_1</code>, even though it’s fairly easy to get to it.</p>
<p>If we look at the code of <code class="language-plaintext highlighter-rouge">phase_2</code>, we’ll notice that it reads six numbers and then compares them with some values in a loop.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">╒</span> <span class="err">(</span><span class="nf">fcn</span><span class="p">)</span> <span class="nv">sym.phase_2</span> <span class="mi">79</span>
<span class="err">│</span> <span class="c1">; var int local_28h @ ebp-0x28</span>
<span class="err">│</span> <span class="c1">; var int local_18h @ ebp-0x18</span>
<span class="err">│</span> <span class="c1">; arg int arg_1h @ ebp+0x1</span>
<span class="err">│</span> <span class="c1">; arg int arg_8h @ ebp+0x8</span>
<span class="err">│</span> <span class="c1">; CALL XREF from 0x08048a7e (sym.main)</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b48</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b49</span> <span class="mi">89</span><span class="nv">e5</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b4b</span> <span class="mi">83</span><span class="nv">ec20</span> <span class="nv">sub</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x20</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b4e</span> <span class="mi">56</span> <span class="nv">push</span> <span class="nb">esi</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b4f</span> <span class="mi">53</span> <span class="nv">push</span> <span class="nb">ebx</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b50</span> <span class="mi">8</span><span class="nv">b5508</span> <span class="nv">mov</span> <span class="nb">edx</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">+</span> <span class="nv">arg_8h</span><span class="p">]</span> <span class="c1">; [0x8:4]=-1 ; 8</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b53</span> <span class="mi">83</span><span class="nv">c4f8</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="o">-</span><span class="mi">8</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b56</span> <span class="mi">8</span><span class="nv">d45e8</span> <span class="nv">lea</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_18h</span><span class="p">]</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b59</span> <span class="mi">50</span> <span class="nv">push</span> <span class="nb">eax</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b5a</span> <span class="mi">52</span> <span class="nv">push</span> <span class="nb">edx</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b5b</span> <span class="nv">e878040000</span> <span class="nv">call</span> <span class="nv">sym.read_six_numbers</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b60</span> <span class="mi">83</span><span class="nv">c410</span> <span class="nv">add</span> <span class="nb">esp</span><span class="p">,</span> <span class="mh">0x10</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b63</span> <span class="mi">837</span><span class="nv">de801</span> <span class="nv">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_18h</span><span class="p">],</span> <span class="mi">1</span> <span class="c1">; [0x1:4]=-1 ; 1</span>
<span class="err">│</span> <span class="err">┌─<</span> <span class="err">0</span><span class="nf">x08048b67</span> <span class="mi">7405</span> <span class="nv">je</span> <span class="mh">0x8048b6e</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048b69</span> <span class="nv">e88e090000</span> <span class="nv">call</span> <span class="nv">sym.explode_bomb</span>
<span class="err">│</span> <span class="err">└─></span> <span class="err">0</span><span class="nf">x08048b6e</span> <span class="nv">bb01000000</span> <span class="nv">mov</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">1</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b73</span> <span class="mi">8</span><span class="nv">d75e8</span> <span class="nv">lea</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_18h</span><span class="p">]</span>
<span class="err">│</span> <span class="err">┌─></span> <span class="err">0</span><span class="nf">x08048b76</span> <span class="mi">8</span><span class="nv">d4301</span> <span class="nv">lea</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebx</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="c1">; 0x1 ; 1</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048b79</span> <span class="mi">0</span><span class="nv">faf449efc</span> <span class="nv">imul</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ebx</span><span class="o">*</span><span class="mi">4</span> <span class="o">-</span> <span class="mi">4</span><span class="p">]</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048b7e</span> <span class="mi">39049</span><span class="nv">e</span> <span class="nv">cmp</span> <span class="kt">dword</span> <span class="p">[</span><span class="nb">esi</span> <span class="o">+</span> <span class="nb">ebx</span><span class="o">*</span><span class="mi">4</span><span class="p">],</span> <span class="nb">eax</span> <span class="c1">; [0x13:4]=-1 ; 19</span>
<span class="err">│</span> <span class="err">┌──<</span> <span class="err">0</span><span class="nf">x08048b81</span> <span class="mi">7405</span> <span class="nv">je</span> <span class="mh">0x8048b88</span>
<span class="err">│</span> <span class="err">││</span> <span class="err">0</span><span class="nf">x08048b83</span> <span class="nv">e874090000</span> <span class="nv">call</span> <span class="nv">sym.explode_bomb</span>
<span class="err">│</span> <span class="err">└──></span> <span class="err">0</span><span class="nf">x08048b88</span> <span class="mi">43</span> <span class="nv">inc</span> <span class="nb">ebx</span>
<span class="err">│</span> <span class="err">│</span> <span class="err">0</span><span class="nf">x08048b89</span> <span class="mi">83</span><span class="nv">fb05</span> <span class="nv">cmp</span> <span class="nb">ebx</span><span class="p">,</span> <span class="mi">5</span> <span class="c1">; 5</span>
<span class="err">│</span> <span class="err">└─<</span> <span class="err">0</span><span class="nf">x08048b8c</span> <span class="mi">7</span><span class="nv">ee8</span> <span class="nv">jle</span> <span class="mh">0x8048b76</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b8e</span> <span class="mi">8</span><span class="nv">d65d8</span> <span class="nv">lea</span> <span class="nb">esp</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span> <span class="o">-</span> <span class="nv">local_28h</span><span class="p">]</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b91</span> <span class="mi">5</span><span class="nv">b</span> <span class="nv">pop</span> <span class="nb">ebx</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b92</span> <span class="mi">5</span><span class="nv">e</span> <span class="nv">pop</span> <span class="nb">esi</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b93</span> <span class="mi">89</span><span class="nv">ec</span> <span class="nv">mov</span> <span class="nb">esp</span><span class="p">,</span> <span class="nb">ebp</span>
<span class="err">│</span> <span class="err">0</span><span class="nf">x08048b95</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span>
<span class="err">╘</span> <span class="err">0</span><span class="nf">x08048b96</span> <span class="nv">c3</span> <span class="nv">ret</span></code></pre></figure>
<p>We’re going to make this phase solve itself, because we’re too <del>lazy</del> smart to do any manual work (or any work, for that matter).</p>
<h1 id="go-solve-yourself">Go Solve Yourself</h1>
<p>We’re going to set two breakpoints. One at the <code class="language-plaintext highlighter-rouge">cmp</code> instruction within the loop, at <code class="language-plaintext highlighter-rouge">0x8048b7e</code>, and one right after the loop, at <code class="language-plaintext highlighter-rouge">0x8048b8e</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">db</span> <span class="mh">0x8048b7e</span>
<span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">db</span> <span class="mh">0x8048b8e</span>
<span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">db</span>
<span class="err">0</span><span class="nf">x08048b7e</span> <span class="o">-</span> <span class="mh">0x08048b7f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">break</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">""</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b7e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span>
<span class="err">0</span><span class="nf">x08048b8e</span> <span class="o">-</span> <span class="mh">0x08048b8f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">break</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">""</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b8e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span></code></pre></figure>
<p>Now comes the fun part. In radare2, you can add commands to be executed whenever a breakpoint is hit via <code class="language-plaintext highlighter-rouge">dbc</code>. We’ll force our values, which reside at <code class="language-plaintext highlighter-rouge">esi + ebx*4</code> to always be equal to the value in <code class="language-plaintext highlighter-rouge">eax</code>.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="s">"dbc 0x8048b7e .dr*;*(esi+ebx*4)=`dr eax`"</span>
<span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="s">"dbc 0x8048b8e pf dddddd @ esi"</span>
<span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">db</span>
<span class="err">0</span><span class="nf">x08048b7e</span> <span class="o">-</span> <span class="mh">0x08048b7f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">break</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">".dr*;*(esi+ebx*4)=`dr eax`"</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b7e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span>
<span class="err">0</span><span class="nf">x08048b8e</span> <span class="o">-</span> <span class="mh">0x08048b8f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">break</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">"pf dddddd @ esi"</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b8e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span></code></pre></figure>
<p>The first <code class="language-plaintext highlighter-rouge">dbc</code> statement adds two commands to be executed whenever the breakpoint at <code class="language-plaintext highlighter-rouge">cmp</code> is hit. <code class="language-plaintext highlighter-rouge">.dr*</code> executes <code class="language-plaintext highlighter-rouge">dr*</code> as radare2 commands, to force “sync” the registers when the breakpoint is hit.
<code class="language-plaintext highlighter-rouge">*(esi+ebx*4)=`dr eax`</code> writes at <code class="language-plaintext highlighter-rouge">esi + ebx*4</code> (our input) the value of <code class="language-plaintext highlighter-rouge">eax</code> (the desired value). Thus, the comparison will always be true until the loop ends.</p>
<p>The second <code class="language-plaintext highlighter-rouge">dbc</code> statement prints the resulting <code class="language-plaintext highlighter-rouge">esi</code> at the end of the loop, which will be the valid input for defusing this phase of the bomb.</p>
<p>There is one last element that is out of place: execution will still break inside the loop at every iteration. We want our commands to be executed at that point, but without breaking. We can set this breakpoint to be a tracepoint instead.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">dbte</span> <span class="mh">0x8048b7e</span>
<span class="err">[0</span><span class="nf">x08048b48</span><span class="p">]</span><span class="o">></span> <span class="nv">db</span>
<span class="err">0</span><span class="nf">x08048b7e</span> <span class="o">-</span> <span class="mh">0x08048b7f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">trace</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">".dr*;*(esi+ebx*4)=`dr eax`"</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b7e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span>
<span class="err">0</span><span class="nf">x08048b8e</span> <span class="o">-</span> <span class="mh">0x08048b8f</span> <span class="mi">1</span> <span class="o">--</span><span class="nv">x</span> <span class="nv">sw</span> <span class="nv">break</span> <span class="nv">enabled</span> <span class="nv">cmd</span><span class="err">=</span><span class="s">"pf dddddd @ esi"</span> <span class="nv">name</span><span class="err">=</span><span class="s">"0x8048b8e"</span> <span class="nv">module</span><span class="err">=</span><span class="s">""</span></code></pre></figure>
<p>Now we should be set. Just <code class="language-plaintext highlighter-rouge">dc</code> and enjoy.</p>
<figure class="highlight"><pre><code class="language-nasm" data-lang="nasm"><span class="err">[0</span><span class="nf">x08048b4b</span><span class="p">]</span><span class="o">></span> <span class="nv">dc</span>
<span class="nf">hit</span> <span class="nv">tracepoit</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b7e</span>
<span class="nf">fs</span><span class="o">+</span><span class="nv">regs</span>
<span class="nf">fs</span><span class="o">-</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b81</span>
<span class="nf">hit</span> <span class="nv">tracepoit</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b7e</span>
<span class="nf">fs</span><span class="o">+</span><span class="nv">regs</span>
<span class="nf">fs</span><span class="o">-</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b81</span>
<span class="nf">hit</span> <span class="nv">tracepoit</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b7e</span>
<span class="nf">fs</span><span class="o">+</span><span class="nv">regs</span>
<span class="nf">fs</span><span class="o">-</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b81</span>
<span class="nf">hit</span> <span class="nv">tracepoit</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b7e</span>
<span class="nf">fs</span><span class="o">+</span><span class="nv">regs</span>
<span class="nf">fs</span><span class="o">-</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b81</span>
<span class="nf">hit</span> <span class="nv">tracepoit</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b7e</span>
<span class="nf">fs</span><span class="o">+</span><span class="nv">regs</span>
<span class="nf">fs</span><span class="o">-</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b81</span>
<span class="nf">hit</span> <span class="nv">breakpoint</span> <span class="nv">at</span><span class="p">:</span> <span class="mi">8048</span><span class="nv">b8e</span>
<span class="err">0</span><span class="nf">xff9aa630</span> <span class="err">=</span> <span class="mi">1</span>
<span class="err">0</span><span class="nf">xff9aa634</span> <span class="err">=</span> <span class="mi">2</span>
<span class="err">0</span><span class="nf">xff9aa638</span> <span class="err">=</span> <span class="mi">6</span>
<span class="err">0</span><span class="nf">xff9aa63c</span> <span class="err">=</span> <span class="mi">24</span>
<span class="err">0</span><span class="nf">xff9aa640</span> <span class="err">=</span> <span class="mi">120</span>
<span class="err">0</span><span class="nf">xff9aa644</span> <span class="err">=</span> <span class="mi">720</span></code></pre></figure>
<p>We’re done with this phase. Those are the defusal numbers.</p>
<p>Hope you’ve enjoyed reading. Have fun with the bomb!</p>monosourceContextRadare2 Explorations Release2016-06-15T17:25:06+00:002016-06-15T17:25:06+00:00https://monosource.github.io/2016/06/15/radare2-explorations-release<p>On the 10th of June, 2016, I’ve <a href="http://radare.today/posts/radare2-explorations/">officially</a> released my humble contribution to the radare2 community, <a href="https://www.gitbook.com/book/monosource/radare2-explorations/details">radare2 Explorations</a>, a free, open-source, practical book which teaches you the basics of using radare2 in an easy-to-follow manner.</p>
<h2 id="future-plans">Future plans</h2>
<p><a href="http://rada.re/con/">R2CON 2016</a> is coming, the first edition of a con focused on radare2! I am hoping to see some innovative use of radare2 in binary exploitation and reverse engineering.</p>
<p>At some point in time, I will be working on a second book which will cover some more advanced and lesser known features of radare2.</p>monosourceOn the 10th of June, 2016, I’ve officially released my humble contribution to the radare2 community, radare2 Explorations, a free, open-source, practical book which teaches you the basics of using radare2 in an easy-to-follow manner.Hello World2016-06-14T17:25:06+00:002016-06-14T17:25:06+00:00https://monosource.github.io/2016/06/14/hello-world<h1 id="hello-world">Hello World!</h1>
<p>This blog covers some CTF-related topics, some security, some reverse engineering, some exploitation, sounds and music.</p>
<p>Enjoy!</p>monosourceHello World!