Installation
#apt-get install build-essential#git clone https://github.com/radare/radare2.git#radare2/sys/user.sh#radare2/sys/user.sh#r2pm init#r2pm -i r2dec#r2pm -l
Analyzing
#r2 challenge#r2 -A challenge#r2 -A -q -c 'iI' challenge# execute iI command and exit
[Command mode]
[addr]>aaa# Analysis = aa + aar + aac + aan [addr]>aaaa# Experimental analysis = aaa + aae + aat + aav [addr]>pd 10# print disassemble 10 instructions at current seek [addr]>3 pd 10# 3 times, print disassemble 10 instructions at current seek [addr]>pd 10 @ main# print disassemble 10 instructions at main [addr]>pd @ main ! 10# print disassemble at current seek and limit to 10 bytes [addr]>b 64# set block size to 64 [addr]>i~machine,os# grep machine or os, at info output [addr]>drr~[0]# awk first column [addr]>drr~:0# grep first line [addr]>drr~:0[0]# grep first line and awk first column [addr]>/ secret ; px @@ hit0_*# find secret string and foreach hit, print hexdump [addr]>? 0x7a69# quick numeric conversion [addr]>i?# like rabin2 [addr]>f myflag @ main+123# set a flag at main+123 [addr]>afl# list functions [addr]>s sym.main# seek to addr/symbol [addr]># print disassemble function
[Visual mode]
[addr]>vV# view graph p/P# rotate graph modes <# global callgraph ># function callgraph
Decompiling
#r2 -A challenge[addr]>pdd[addr]>pdda
Debugging
#r2 -Ad `pgrep challenge`# attach and debug pid #r2 -Ad challenge# run and debug program #r2 -Ad rarun2 script.rr2# debug in a custom environment
[Command mode]
[addr]>db# list breakpoints [addr]>ds 10# step into 10 instructions [addr]>dso 10# step over 10 instructions [addr]>dcu main# continue until main [addr]>drr# show registers references (telescoping) [addr]>db 0x0040081d# add breakpoint [addr]>dbc 0x0040081d drr# run command when breakpoint is hit [addr]>dm# list memory maps [addr]>dm=# list memory maps (ascii art)
[Visual mode]
[addr]>vpp# debug view :<cmd># run radare command ;# comment b# breakpoint o# seek to offset p/P# rotate print modes _# fuzzy flag searcher x/X# show xrefs/refs d# define function f# analyze function d# define r# rename function fun.callme# function name
Editing
# r2 -w challenge[Command mode]
[addr]>oo+# Reopen the current file in read-write [addr]>wz "See you in shell"# write string\00 at current seek [addr]>wx 0xcafe @ 0x100# write 0xcafe at 0x100 [addr]>wb 0x010203# write the current block cycling 0x010203 pattern [addr]>woe 42 3 @ edi ! 32# a = 42; for i in xrange(32): edi[i] = a; a += 3 [addr]>wox 0xcafe @ ebx ! 2# cf = [0xca, 0xfe]; for i in xrange(2): ebx[i] ^= cf[i]
[Visual mode]
[addr]>v# hex view c# cursor <tab># switch between hex and plain areas i# insert values <shift><hjkl> + y# select and copy <hjkl> + Y# find position and paste [addr]>v# hex view a# assemble code A# visual assembler
ESIL (Evaluable String Intermediate Language)
[addr]>vip:>s 0x08048486:>e asm.emu = true# Run ESIL emulation analysis on disasm :>e asm.esil = true# Show ESIL instead of mnemonic :>e io.cache = true# Enable cache for io changes :>aei# initialize ESIL VM state :>aeip# initialize ESIL pc to curseek :>aer eax=0x1234:>aer:>"aecue 0x1234,eax,^"# Continue until evil expression is true :>s `aer~eip[1]`:>pd -1
Exploiting
[addr]>iI~canary,nx,pic,crypto,class,arch,bits,stripped,static[addr]>wopD 100 @ eax# Write a De Bruijn pattern [addr]>wopO 0x41614141# or wopO $$ - Finds the value into a De Bruijn pattern [addr]>gi exec# Compile shellcode [addr]>wx `g` @ eax# Write shellcode at @eax [addr]>wb 0x90 @ eax+24 ! 52[addr]>wv `/R call eax~eax:1[0]` @ eax+76# Write value (address) [addr]>pcp 80 @ eax# Print Code Python
Project management
[addr]>Ps <name># save project [addr]>Po <name># open project [addr]>Pn# show project notes [addr]>Pn -# edit project notes
No comments:
Post a Comment