ul
Amancio Mccrae
We managed to get the passwords without having to run the program multiple times and without having to guess the password at all. By reverse engineering the application it was like the program was just handing us the information we needed. Reverse engineering is a very handy tool to have in any setting as you can use it to find out everything an application is doing. I hope this introduction to radare2 was helpful to those wanting to get started in the field. You can follow me on Twitter or LinkedIn if you need any more help or guidance!
A couple of weeks back, the folks at RPISEC posted the lecture slides and lab contents of their Modern Binary Exploitation course, held earlier this year. The course is designed to take somebody with basic C skills and have them work their way through a series of reverse engineering challenges of increasing difficulty.
This seemed like a great opportunity to fire up Radare2 and put it to work. This series of posts will work through each of the lecture challenges and labs, with a focus on solving them using Radare2 (and a little help from gdb and friends along the way).
The main UI is reminiscent of a Meterpreter shell, but capable of much more. It has its own commands and state which you can use to explore a file, as well as editing and running it with a debugger. To illustrate how shell-like Radare2 is, you can navigate the file system just like you would in bash:
The first thing you see when launching r2, besides the start-up message, is the input section preceded by a memory address. This memory address indicates your current position in the file. If you were to print out the next 16 hex values, for example, it would do so from that address:
To navigate the binary, there is the seek command, s. To learn how seek works, give the help operator, ?, a try. It can be appended to any r2 command, so in this situation you would use s?. It can also be used on its own to print a generalized help message.
Alright, time for round 2. Open up crackme0x00b in r2, use aa to analyze the file and its symbols, then disassemble main using pdf @ main. The disassembly is largely uninteresting, but this section sticks out.
Alright, that was a long shot. The wcscmp function is interesting though. Perhaps it can be used to figure out if something is preventing the true password from being printed. The man page for wcscmp has this to say:
As predicted, the password was being prematurely terminated by r2. The program is reading in characters in 32-bit pieces (each hex digit is 4 bits, and there are 8 hex digits per character). The ASCII values of the hex to the right hand side reveal the password: w0wgreat.
crackme0x01 is another nice, simple puzzle. After going through the usual analyze-then-disassemble routine, the main function quickly reveals the solution. There are two calls to printf, followed by a call to scanf which expects an integer as an argument.
Although these challenges were pretty simple, this is a solid starting point. The next entries in this series will eventually work towards challenges which feature buffer overflows, encryption, ROP chaining, and more. Have fun!
Update (2020): Since writing this article, it has become, in a way, the go-to tutorial for learning radare2. Your feedback was amazing and I am very happy for the opportunity to teach new people about radare2.
A lot has changed since I wrote this tutorial, both with radare2 and with me. I am now, for several years, a core member in the radare2 team and a maintainer of Cutter, a modern, GUI-based, reverse engineering framework that is powered by radare2.
rabin2 allows extracting information from binary files including Sections, Headers, Imports, Strings, Entrypoints, etc. It can then export the output in several formats. rabin2 is able to understand many file formats such as ELF, PE, Mach-O, Java CLASS.
As I said before, the goal of this tutorial is to teach radare2 and present some of its capabilities, not to teach assembly. Therefore I will not go through the code deeply and explain what it does. The binary is really simple, you should get it even with a basic understanding of reverse engineering.
radare2 is equipped with a very strong and efficient suite of Visual Modes. The Visual Mode is much more user-friendly and takes the reversing experience using r2 to a whole new level. Pressing V will bring us to the Visual Mode screen. Use p/P to change between modes. At the top of the screen you can see the command which was used to generate the view. Navigate to the disassembly view using p. To go back from a specific screen, press q.
As in similar disassemblers, radare2 has a Graph view. You can access Visual Graph mode from your shell by running VV, move Left/Down/Up/Right using the arrows or h/j/k/l and jump to a function using g and the key shown next to the jump call (e.g gd).
Hence, 128 bytes are allocated for the buffer in the stack, the next 4 bytes would be the saved ebp pointer of the previous stack frame, and the next 4 bytes will be the return address, this sums up to 136.
Reverse Engineering (RE) is an ad hoc and creative process of extracting the knowledge of design and implementation information from anything we use in reality. Similarly, reversing a software is a practice of analysing the software to examine its internals when we don't have the source code and utilizing the knowledge we make fun from it in a beneficial manner.
radare2 is an open source reverse engineering framework used for static and dynamic analysis, digital forensics or software exploitation supporting multiple platforms, architectures and binary formats. Radare2 is shipped with a few other important tools for file metadata extraction, base conversion, unified binary diffing and many others. This program, is not only a great disassembler but also a good debugger, especially when you love working on CLI (command-line interface). Mastering radare2 is not simple since one must remember a multitude of commands in order to use it. But again, it has intuitive command-line control to write, as compared to writing code using the IDA bindings. If you are familiar with IDA Pro or Hopper and you are a CTF player then you should try radare2.
At Loginsoft, we believe that radare2 is an essential tool for reverse engineering any software. In this series of articles, we are going to walk you through the basics of software reverse engineering using radare2 by analysing the crackme challenge (crackme0x04) which can be downloaded here.
Now, it is very clear that a simple ordinary brute force technique is not going to work to capture the flag. It's time to utilize radare2 libraries to extract the information of the binary 'crackme0x04'. Using rabin2, retrieve information out of a binary like strings, sections, entry points.
One of the most important commands in radare2 is '?'. It not only lists all the commands available but also works with almost every subcommand. For any binary which we want to dissect, ir can be analysed by the command 'aaa'. In our case, to find the list of functions in the binary and the address of entry point and main function, we use the commands
By observing the functions listed above, we can see several functions 'printf', 'scanf', 'main', 'check' being used in the binary. On performing dynamic analysis initially, the function 'sym.check' seems interesting. We can use command 'axt $address' to check where exactly the code was referenced. The function 'check' is called in the 'main' function at the address '0x8048559'. From this we can determine whether or not the validation part exists in the function. Let's dig into the function using the command seek 's'. As previously mentioned, we can view a list of subcommands by using '?' as a suffix to the seek command.
Now the fun part comes with disassembling the function 'check'. Radare2 provides another command to print disassembly code of the function using 'pdf'. 'pdf @ main' will analyse the main function and print its disassembly. Similarly, 'pdf @ sym.check' prints its disassembly of the 'check' function.
Observing the above disassembled code, we can see a comparison happening 'cmp dword [local_8h], 0xf' at the address '0x080484d6' after the call 'sscanf'. We can crack this challenge by analysing the instruction 'cmp dword [ebp-0x8], 0xf' (which compares the sum of input with 15 in decimal); once it matches, it prints the text "Password OK!"
Another way we can do this is by modifying the binary at address '0x080484da' by overwriting with NOP (\x90) to avoid the conditional jump and to print "Password OK!" on any input that user provides. In order to do that, we must run the binary with writable mode (-w) using radare2. Here comes the final solution.
Challenges like 'crackme' will help us learn how to reverse software. We will look at a few other features of radare2 by cracking another challenge in the next article. We hope this guide has given you a better understanding of radare2.
Radare2 is an open-source, command-line based reverse engineering framework for Linux, macOS, Windows and many other platforms. It includes a set of tools for reverse engineering and analysing executable files (compiled programs). Radare2 can be used to perform both static and dynamic analysis.
Cutter is the official GUI for radare2, allowing you to make use of all of the features of the command-line version while being able to better organise the information on your screen and make use of additional tools such as the built-in Jupyter notebook.
Some examples of flags include ZF (Zero Flag), which is set to 1 if the result of an arithmetic operation is 0, and CF (Carry Flag), which is used to indicate that an artithmetic operation requires a carry.
At first, this interface looks very daunting and may be overwhelming. There is lots of information being displayed and many menus available, however in most cases only a few sections and tools are actually needed.
The disassembly panel shows the disassembled machine code of the program. This is known as assembly language, and contains raw instructions such as mov, push and call and the arguments that go along with them.
795a8134c1