Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
1 like1,195 views
Radare2 is a comprehensive framework for reverse engineering and binary analysis, focusing on better API design, portability across various operating systems, and modularity with about 40 modules. The 0.4 release aims for compatibility with the older version, offering significantly improved performance and a range of scripting and language bindings. Key features include a debugging API, a relocatable code compiler, and enhanced data/code analysis capabilities with a focus on supporting multiple binary formats.
![Scripting demo
$ python
>>> import libr
>>> core = libr.RCore()
>>> core.loadlibs()
>>> file = core.file_open("dbg:///bin/ls", False)
>>> core.dbg.use("native")
>>> core.cmd0("dp=%d"%file.fd)
$ lua
> require "r_bin"
> file = arg[1] or "/bin/ls"
> b = r_bin.RBin ()
> b:load (file, "")
> baddr = b:get_baddr ()
> s = b:get_sections ()
> for i=0,s:size()-1 do
> print (string.format (’0x%08x va=0x%08x size=%05i %s’,
s[i].offset, baddr+s[i].rva, s[i].size, s[i].name))
> end](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-5-320.jpg)
![Demo
Sample debugging session
$ r2 -V
radare2 0.4 @ linux-lil-x86
$ r2 -d ls
[0x080498a0]> ds # step one instruction
[0x080498a0]> dsl # step source line
[0x080498a0]> dr= # display registers
eip 0xb7883812 oeax 0xffffffff eax 0xbfd89800
ecx 0x00000000 edx 0x00000000 esp 0xbfd89800
esi 0x00000000 edi 0x00000000 eflags 0x00000292
[0x080498a0]> dcu sym.main # continue until sym.main
[0x080498a0]> dpt # display process threads
6064 s (current)
6064 s thread_0
[0x080498a0]> dbt # display backtrace
NOTE: Debugger commands no longer relay on IO backend ’!’](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-10-320.jpg)
![r2rc the relocatable code compiler
* Simple and minimal compiler for x86 32/64
- arm and powerpc suppor t will follow
- C-like syntax, with low-level hints
- Allows to generate assembly code ready to be injected
- Used as interface for native and crossplatform injection
* Accessible thru shell and API
# r_sys_cmd_str -> r_asm_massemble -> r_debug_inject
$ r2rc main.r > main.asm
$ rasm2 -f main.asm > main.hex
$ r2 -d ls
[0x08048594]> wF main.hex @ eip # write hexpairs
[0x08048594]> dc # continue execution](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-11-320.jpg)
![r2rc code example
main@global(128) {
.var80 = "argc = %dn"; # arguments
printf (.var80, .arg0);
.var80 = "0x%08x : argv[%02d] = %sn";
.var0 = 0;
.var4 = *.arg1;
while (.var0 <= .arg0) {
printf (.var80, .var4, .var0, .var4);
.var0 += 1; # increment counter
.arg1 += 4; # increment pointer
.var4 = *.arg1; # get next argument
}
.var80 = "0x%08x : envp[%02d] = %sn"; # environ
.var0 = 0;
.var4 = *.arg2;
{ printf (.var80, .var4, .var0, .var4);
.var0 += 1; # increment counter
.arg2 += 4; # increment pointer
.var4 = *.arg2; # get next environ
} while (.var4);
0;
}](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-12-320.jpg)
![Demo
* Format-agnostic API
$ python imports.py ls
$ python imports.py user32.dll
$ python imports.py osx-ls.1
$ cat imports.py
#!/usr/bin/python
from libr import *
import sys
if (len (sys.argv) == 2):
file = sys.argv[1]
else:
file = "/bin/ls"
b = RBin ()
b.load(file, None)
baddr= b.get_baddr()
print ’-> Imports’
for i in b.get_imports ():
print ’offset=0x%08x va=0x%08x %s’ % (
i.offset, baddr+i.rva, i.name)](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-19-320.jpg)
![Demo (XorPacker)
$ rabin2 -S test | cut -d ’ ’ -f 2,6-7
[...]
address=0x08048340 privileges=-r-x name=.text
address=0x080484fc privileges=-r-x name=.fini
address=0x08048518 privileges=-r-- name=.rodata
[...]](https://image.slidesharecdn.com/sergialvarezroimartin-radare2preview-100328043046-phpapp02/85/Sergi-Alvarez-Roi-Martin-Radare2-Preview-RootedCON-2010-23-320.jpg)
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
- 1. radare2 //rooted pancake [email protected] nibble [email protected]
- 2. Overview radare2 is a rewrite of radare (r1) focusing on: - API (refactor, clean) - Por tability (osx,linux,bsd,w32) - Modularity (˜40 modules) - Scripting and bindings (valaswig) Status of 0.4 - Aiming to be as compatible as possible with r1 - Some command and concepts has been redefined - Runtime >10x faster - Smar t and cleaner code (40% of LOCs) - Refactoring never ends -:)
- 3. radare2 // 0.4 release Download sources: http://www.radare.org/get/radare2-0.4.tar.gz Debian packages: http://www.radare.org/get/r2deb Chiptune session: (Thanks neuroflip!) http://www.radare.org/get/r2-0.4.mp3 6 months from 0.3 and ˜300 commits
- 4. Language bindings * C is fun, but people love to loose CPU cycles.. - Automatic bindings generated by valaswig - Vala and Genie by default - Python, Perl, Lua and Ruby (more will come) - Access to full internal API - Binded code can use native instances and viceversa - Transparent access to generics, collections, iterators, classes, enums, structures, arrays, basic types.. * Valaswig is a .vapi to .i translator $ hg clone http://hg.youterm.com/valaswig $ wget http://radare.org/get/valaswig-0.1.tar.gz
- 5. Scripting demo $ python >>> import libr >>> core = libr.RCore() >>> core.loadlibs() >>> file = core.file_open("dbg:///bin/ls", False) >>> core.dbg.use("native") >>> core.cmd0("dp=%d"%file.fd) $ lua > require "r_bin" > file = arg[1] or "/bin/ls" > b = r_bin.RBin () > b:load (file, "") > baddr = b:get_baddr () > s = b:get_sections () > for i=0,s:size()-1 do > print (string.format (’0x%08x va=0x%08x size=%05i %s’, s[i].offset, baddr+s[i].rva, s[i].size, s[i].name)) > end
- 6. Scripting demo (2) $ ruby <<EOF require ’libr’ core = Libr::RCore.new core.file_open("/bin/ls", 0); print core.cmd_str("pd 20"); EOF $ perl <<EOF require "r2/r_asm.pm"; sub disasm { my ($a, $arch, $op) = @_; $a->use ($arch); my $code = $a->massemble ($op); if (defined($code)) { my $buf = r_asmc::RAsmCode_buf_hex_get ($code); print "$op | $arch | $bufn"; } } my $a = new r_asm::RAsm(); disasm ($a, ’x86.olly’, ’mov eax, 33’); disasm ($a, ’java’, ’bipush 33’); EOF
- 7. r2w Aims to be a web frontend for radare2 - Written in python (no dependencies) - jQuer y and CSS hardly simplifies the design of the gui - At the moment it is just a PoC - Assembler/disassembler, debugger, hasher demos $ python main.py Process with PID 20951 started... URL=http://127.0.0.1:8080/ ROOT=/home/pancake/prg/r2w/www $ surf http://127.0.0.1:8080 ... (demo)
- 8. Searching bytes * One of the very basic features of r1 has been rewritten in order to offer a clean API to search keywords with binar y masks, patterns, regular expressions and strings. /* Genie example search patterns */ uses Radare.RSearch init var s = new RSearch (Mode.KEYWORD) s.kw_add ("lib", "") s.begin () var str = "foo is pure lib" s.update_i (0, str, str.len ())
- 9. Debugging * Several APIs affected: (debug, reg, bp, io) - No os/arch specific stuff - Same code works on w32, OSX, BSD and GNU/Linux - Basics on x86-32/64, PowerPC, MIPS and ARM - Not all functionalities of r1 implemented (work in progress) - Debugger is no longer an IO backend - Program transplant between different backends - Some basics on backtrace, process childs and threads - Memor y management (user/system memory maps) - Only software breakpoints atm - Traptracing, and software stepping implemented
- 10. Demo Sample debugging session $ r2 -V radare2 0.4 @ linux-lil-x86 $ r2 -d ls [0x080498a0]> ds # step one instruction [0x080498a0]> dsl # step source line [0x080498a0]> dr= # display registers eip 0xb7883812 oeax 0xffffffff eax 0xbfd89800 ecx 0x00000000 edx 0x00000000 esp 0xbfd89800 esi 0x00000000 edi 0x00000000 eflags 0x00000292 [0x080498a0]> dcu sym.main # continue until sym.main [0x080498a0]> dpt # display process threads 6064 s (current) 6064 s thread_0 [0x080498a0]> dbt # display backtrace NOTE: Debugger commands no longer relay on IO backend ’!’
- 11. r2rc the relocatable code compiler * Simple and minimal compiler for x86 32/64 - arm and powerpc suppor t will follow - C-like syntax, with low-level hints - Allows to generate assembly code ready to be injected - Used as interface for native and crossplatform injection * Accessible thru shell and API # r_sys_cmd_str -> r_asm_massemble -> r_debug_inject $ r2rc main.r > main.asm $ rasm2 -f main.asm > main.hex $ r2 -d ls [0x08048594]> wF main.hex @ eip # write hexpairs [0x08048594]> dc # continue execution
- 12. r2rc code example main@global(128) { .var80 = "argc = %dn"; # arguments printf (.var80, .arg0); .var80 = "0x%08x : argv[%02d] = %sn"; .var0 = 0; .var4 = *.arg1; while (.var0 <= .arg0) { printf (.var80, .var4, .var0, .var4); .var0 += 1; # increment counter .arg1 += 4; # increment pointer .var4 = *.arg1; # get next argument } .var80 = "0x%08x : envp[%02d] = %sn"; # environ .var0 = 0; .var4 = *.arg2; { printf (.var80, .var4, .var0, .var4); .var0 += 1; # increment counter .arg2 += 4; # increment pointer .var4 = *.arg2; # get next environ } while (.var4); 0; }
- 13. RAnal * Data and code analysis * Analyzed data is accessible from opcode level to function level (opcode, BB, functions, vars, xrefs...) * Combine data is very quickly Eg.: Filter bb by function, graph bb hierarchy, analyze references... * Graph output in graphviz format (dot)
- 14. Demo * Code & Data analysis * Graph generation - Full - Par tial * Source code graph
- 15. RAnal
- 16. RBin * Header analysis * Suppor ts: ELF32, ELF64, PE32, PE32+, MACH-O, MACH-O64, CLASS... * Format-Agnostic API * All sub-libs have been written from scratch * All sub-libs offer a complete API for working with specific formats * Keeps reversing (and minimalism) in mind
- 17. RBin * Read support - Impor ts - Symbols (Exports) - Sections - Linked libraries - Strings - Binar y info object type endianness debug data/stripped static/dynamic...
- 18. RBin * Write support (*) - Add/Remove/Resize {sections, impor ts, symbols} - Edit header fields * Metadata support (*) (*) = Work in progress
- 19. Demo * Format-agnostic API $ python imports.py ls $ python imports.py user32.dll $ python imports.py osx-ls.1 $ cat imports.py #!/usr/bin/python from libr import * import sys if (len (sys.argv) == 2): file = sys.argv[1] else: file = "/bin/ls" b = RBin () b.load(file, None) baddr= b.get_baddr() print ’-> Imports’ for i in b.get_imports (): print ’offset=0x%08x va=0x%08x %s’ % ( i.offset, baddr+i.rva, i.name)
- 20. RAsm * (Dis)Assembly library * Suppor ts x86, x86-64, PPC, MIPS, ARM, SPARC, m68k, psosvm... * Uses: - (Dis)Assembly backed - Compile inline code in order to be injected - Assembly backend of rcc * All parameters (arch, wordsize...) can be modified in runtine, so generic injection are easy to implement
- 21. Demo * Interactive disassembler $ ./widget-asm
- 22. Demo * XorPacker - ELF structure
- 23. Demo (XorPacker) $ rabin2 -S test | cut -d ’ ’ -f 2,6-7 [...] address=0x08048340 privileges=-r-x name=.text address=0x080484fc privileges=-r-x name=.fini address=0x08048518 privileges=-r-- name=.rodata [...]
- 24. Demo (XorPacker) - Xor from .text to .rodata - Execution flow Entr ypoint -> Init -> main - Analyze entrypoint Get init address - Overwrite init with the packer payload Change page permissions with mprotect Xor from .text to .data (take care of payload code)
- 25. Demo (XorPacker) $ rabin2 -z test | grep "section=.rodata" | cut -d ’ ’ -f 1,5-6 address=0x08048520 section=.rodata string=passw0rd address=0x08048529 section=.rodata string=ROOTED! address=0x08048531 section=.rodata string=Ooops $ rabin2 -z a.out | grep "section=.rodata" | cut -d ’ ’ -f 1,5-6 address=0x08048518 section=.rodata string=jiiihiki address=0x08048528 section=.rodata string=i;&&=,-Hi& $ ./a.out foo Ooops $ ./a.out passw0rd ROOTED!
- 26. Demo * ITrace
- 27. Demo (ITrace) - Edit all plt entries but hijacked impor t - Analyze entrypoin Get init address - Write Hook code into init Push interesting parameters Call hijacked impor t Fix stack jump to the first PLT entry - LD_PRELOAD library containing hijacked impor t
- 28. Demo (ITrace) $ LD_PRELOAD=./preload.so ./a.out Fake sleep call from import 0x8 @ 0x804830c Fake sleep call from import 0x18 @ 0x804832c ROOTED! Fake sleep call from import 0x18 @ 0x804832c ROOTED! Fake sleep call from import 0x18 @ 0x804832c ROOTED! ˆC
- 29. So...
- 30. EOF • Ideas, questions? Thanks for listening!