SlideShare a Scribd company logo

Radare2 @ ndh2k15 : First r2babies steps

M
Maijin

Presentation of Radare2, the reverse engineering framework dedicated for beginners.

Software
1 of 39
Download to read offline
radare2 First r2babies steps Maxime Morin (@Maijin212) June 22, 2015 Nuit du Hack 2015
about me ∙ 22 y/o french expat @ Luxembourg ∙ Food?, Food., Food! <3 ∙ I hate Bullshit ∙ Malware.lu CERT team leader (2days/week) and incident response @ European Commission CSIRC (3days/week) ∙ User of radare2 (impossibru!) ∙ I’m creating tests + documentation 1
generality on radare2 framework ∙ r1 2006, r2 2009 ∙ Multi-(OSes|Archs|Bindings|FileFormats|...) ∙ 10 tools based on the framework ∙ Around 111 contributors ∙ GSOC + RSOC ∙ CLI/VisualMode/GUI/WebGUI ∙ around 350K LOC 2
Installation ! 3
installation ∙ Always use git version! ∙ Use the provided VM on SSH (radare:radare / root:root) ∙ git clone http://github.com/radare/radare2 && cd radare2 && ./sys/install.sh ∙ Use the Windows installer http://bin.rada.re/radare2.exe 4
utilities
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 6
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 7
utilities: rax2 rax2 — Base converter $ rax2 10 0xa $ rax2 33 0x41 0101b 0x21 65 0x5 $ rax2 -s 4142434445 ABCDE $ rax2 0x5*101b+5 30 8
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 9
utilities: rabin2 rabin2 — Binary program info extractor $ rabin2 -e Entrypoints $ rabin2 -i Shows imports $ rabin2 -zz Shows strings $ rabin2 -g Show all possible information 10
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 11
utilities: rasm2 rasm2 — assembler and disassembler tool $ rasm2 -a x86 -b 32 ’mov eax, 33’ Assemble $ rasm2 -d 9090 Disassemble $ rasm2 -L List supported asm plugins $ rasm2 -a x86 -b 32 ’mov eax, 33’ -C Output in C format 12
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 13
utilities: radiff2 radiff2 — unified binary diffing utility $ radiff2 original patched Code diffing $ radiff2 -C original patched Code diffing using graphdiff algorithm $ radiff2 -g main -a x86 -b32 original patched Graph diff output of given symbol, or between two functions, at given offsets: one for each binary. 14
utilities: radiff2 — graph example /bin/true /bin/false 15
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 16
utilities: rafind2 rafind2 — Advanced commandline hexadecimal editor $ rafind2 -X -s passwd dump.bin Search for the string passwd 17
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 18
utilities: rahash2 rahash2 — block based hashing utility $ rahash2 -a all binary.exe Display hashes of the whole file with all algos $ rahash2 -B -b 512 -a md5 Compute md5 per block of 512 $ rahash2 -B -b 512 -a entropy Compute md5 per block of 512 $ echo -n ”admin” | rahash2 -a md5 -s ” Compute md5 of the string admin 19
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 20
radare2 — command line
1 command <—> 1 reverse-engineering’notion Keep in mind that: 1. Every character has a meaning i.e (w = write, p = print) 2. Every command is a succession of character i.e pdf = p <-> print d <-> disassemble f <-> function 3. Every command is documented with cmd?, i.e pdf?,?, ???, ???, ?$?, ?@? 22
the # command — hashing command 1. Open a file with radare2 radare2 file.exe 2. Get Usage on the command #? Usage: #algo <size> @ addr 3. List of all existing algorithms ## 4. SHA1 #sha1 5. Hashing from the begin #sha1 @ 0 6. with a hash block size corresponding to the size of the file #sha1 $s @ 0x0 This command is same as rahash2 -a sha1 file.exe 23
the i command — information command 1. Get Usage on the command i? 2. Same as rabin2 3. izj for displaying in json 4. internal commands: ,̃ ls, {}, .. 24
radare2 — ’major’ command example: pf Quick Demo 25
radare2 — cli main commands 1. r2 -A or r2 then aaa : Analysis 2. s : Seek 3. pdf : Print disassemble function 4. af? : Analyse function 5. ax? : Analyse XREF 6. /? : Search 7. ps? : Print strings 8. C? : Comments 9. w? : Write 26
radare2 — visual mode
radare2 — visual mode main commands 1. V? : Visual help 2. p/P : rotate print modes 3. move using arrows/hjkl 4. o : seek to 5. e : r2configurator 6. v : Function list 7. _ : HUD 8. V : ASCII Graph 28
radare2 — webui
radare2 — webui r2 -A -c=H filename 30
radare2 — debugger
radare2 — debugger 1. radare2 -d 2. Quickly switch to Visual debugger mode: Vpp 3. OllyDBG/IDApro shortcuts friendly 32
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 33
rarun2 Rarun2 — run programs in exotic environments 1. Environnment setup tools for radare2 2. most useful with debugger 3. aslr, stdout, arguments, r2preload ... 34
utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 35
ragg2/ragg2-cc Ragg2/Ragg2-cc — frontend for compiling shellcodes Demo time ! 36
documentation ∙ Website: http://rada.re/ ∙ Blog: http://radare.today ∙ Book: http://maijin.gitbooks.io/radare2book/content/ 37
Now your turn ! 38

Recommended

Malicious ELF Binaries: A Landscape
Malicious ELF Binaries: A LandscapeMalicious ELF Binaries: A Landscape
Malicious ELF Binaries: A LandscapeMarcus Botacin
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephAnthony Jose
 
Debian Linux Overview
Debian Linux OverviewDebian Linux Overview
Debian Linux OverviewDarshanRamjiyani
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
linux file sysytem& input and output
linux file sysytem& input and outputlinux file sysytem& input and output
linux file sysytem& input and outputMythiliA5
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 

Recommended

Malicious ELF Binaries: A Landscape
Malicious ELF Binaries: A LandscapeMalicious ELF Binaries: A Landscape
Malicious ELF Binaries: A LandscapeMarcus Botacin
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephAnthony Jose
 
Debian Linux Overview
Debian Linux OverviewDebian Linux Overview
Debian Linux OverviewDarshanRamjiyani
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
linux file sysytem& input and output
linux file sysytem& input and outputlinux file sysytem& input and output
linux file sysytem& input and outputMythiliA5
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersLinux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersBrendan Gregg
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - IntroductionStephane Manciot
 
Linux booting Process
Linux booting ProcessLinux booting Process
Linux booting ProcessGaurav Sharma
 
Introduction to the linux command line.pdf
Introduction to the linux command line.pdfIntroduction to the linux command line.pdf
Introduction to the linux command line.pdfCesleySCruz
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
systemd
systemdsystemd
systemdnussbauml
 
Linux architecture
Linux architectureLinux architecture
Linux architectureICI Bucharest - roTLD
 
SystemV vs systemd
SystemV vs systemdSystemV vs systemd
SystemV vs systemdAll Things Open
 
virtualization (Hyper-V)
virtualization (Hyper-V)virtualization (Hyper-V)
virtualization (Hyper-V)Mohamed Hesham
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and CompilationBud Siddhisena
 
OS multiprocessing -.pptx
OS multiprocessing -.pptxOS multiprocessing -.pptx
OS multiprocessing -.pptxamirdawood3
 
Linux OS presentation
Linux OS presentationLinux OS presentation
Linux OS presentationSahilGothoskar
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linuxMazenetsolution
 
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFUSENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFTaeung Song
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting ProcessSysPlay eLearning Academy for You
 
Linux device drivers
Linux device driversLinux device drivers
Linux device driversAbhishek Sagar
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonoveurobsdcon
 

More Related Content

What's hot

Linux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersLinux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersBrendan Gregg
 
Linux booting Process
Linux booting ProcessLinux booting Process
Linux booting ProcessGaurav Sharma
 
Introduction to the linux command line.pdf
Introduction to the linux command line.pdfIntroduction to the linux command line.pdf
Introduction to the linux command line.pdfCesleySCruz
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101inside-BigData.com
 
Linux presentation
Linux presentationLinux presentation
Linux presentationNikhil Jain
 
virtualization (Hyper-V)
virtualization (Hyper-V)virtualization (Hyper-V)
virtualization (Hyper-V)Mohamed Hesham
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and CompilationBud Siddhisena
 
OS multiprocessing -.pptx
OS multiprocessing -.pptxOS multiprocessing -.pptx
OS multiprocessing -.pptxamirdawood3
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linuxMazenetsolution
 
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFUSENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFTaeung Song
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 

What's hot (20)

Linux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF SuperpowersLinux 4.x Tracing Tools: Using BPF Superpowers
Linux 4.x Tracing Tools: Using BPF Superpowers
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
 
Linux booting Process
Linux booting ProcessLinux booting Process
Linux booting Process
 
Introduction to the linux command line.pdf
Introduction to the linux command line.pdfIntroduction to the linux command line.pdf
Introduction to the linux command line.pdf
 
Linux Container Technology 101
Linux Container Technology 101Linux Container Technology 101
Linux Container Technology 101
 
Linux presentation
Linux presentationLinux presentation
Linux presentation
 
systemd
systemdsystemd
systemd
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
SystemV vs systemd
SystemV vs systemdSystemV vs systemd
SystemV vs systemd
 
virtualization (Hyper-V)
virtualization (Hyper-V)virtualization (Hyper-V)
virtualization (Hyper-V)
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and Compilation
 
OS multiprocessing -.pptx
OS multiprocessing -.pptxOS multiprocessing -.pptx
OS multiprocessing -.pptx
 
Linux OS presentation
Linux OS presentationLinux OS presentation
Linux OS presentation
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
 
Process management in linux
Process management in linuxProcess management in linux
Process management in linux
 
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPFUSENIX Vault'19: Performance analysis in Linux storage stack with BPF
USENIX Vault'19: Performance analysis in Linux storage stack with BPF
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting Process
 
Linux device drivers
Linux device driversLinux device drivers
Linux device drivers
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 

Similar to Radare2 @ ndh2k15 : First r2babies steps

Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonoveurobsdcon
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomMore on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomValeriy Kravchuk
 
Efficient JIT to 32-bit Arches
Efficient JIT to 32-bit ArchesEfficient JIT to 32-bit Arches
Efficient JIT to 32-bit ArchesNetronome
 
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisApplication of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisPositive Hack Days
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdockerJaehwa Park
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerMarina Kolpakova
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdbRoman Podoliaka
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfAdityamd4
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Debugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBDebugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBbmbouter
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Wim Godden
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformaticsBonnie Ng
 

Similar to Radare2 @ ndh2k15 : First r2babies steps (20)

Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репорт
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
 
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomMore on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
 
Efficient JIT to 32-bit Arches
Efficient JIT to 32-bit ArchesEfficient JIT to 32-bit Arches
Efficient JIT to 32-bit Arches
 
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisApplication of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdocker
 
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the CompilerPragmatic Optimization in Modern Programming - Demystifying the Compiler
Pragmatic Optimization in Modern Programming - Demystifying the Compiler
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Boosting Developer Productivity with Clang
Boosting Developer Productivity with ClangBoosting Developer Productivity with Clang
Boosting Developer Productivity with Clang
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
 
PHP Development Tools
PHP Development ToolsPHP Development Tools
PHP Development Tools
 
MOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdfMOBILE PENTESTING Frida.pdf
MOBILE PENTESTING Frida.pdf
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Debugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBDebugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDB
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
3D-DRESD Lorenzo Pavesi
3D-DRESD Lorenzo Pavesi3D-DRESD Lorenzo Pavesi
3D-DRESD Lorenzo Pavesi
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformatics
 

Recently uploaded

DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 

Recently uploaded (20)

DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 

Radare2 @ ndh2k15 : First r2babies steps

  • 1. radare2 First r2babies steps Maxime Morin (@Maijin212) June 22, 2015 Nuit du Hack 2015
  • 2. about me ∙ 22 y/o french expat @ Luxembourg ∙ Food?, Food., Food! <3 ∙ I hate Bullshit ∙ Malware.lu CERT team leader (2days/week) and incident response @ European Commission CSIRC (3days/week) ∙ User of radare2 (impossibru!) ∙ I’m creating tests + documentation 1
  • 3. generality on radare2 framework ∙ r1 2006, r2 2009 ∙ Multi-(OSes|Archs|Bindings|FileFormats|...) ∙ 10 tools based on the framework ∙ Around 111 contributors ∙ GSOC + RSOC ∙ CLI/VisualMode/GUI/WebGUI ∙ around 350K LOC 2
  • 5. installation ∙ Always use git version! ∙ Use the provided VM on SSH (radare:radare / root:root) ∙ git clone http://github.com/radare/radare2 && cd radare2 && ./sys/install.sh ∙ Use the Windows installer http://bin.rada.re/radare2.exe 4
  • 7. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 6
  • 8. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 7
  • 9. utilities: rax2 rax2 — Base converter $ rax2 10 0xa $ rax2 33 0x41 0101b 0x21 65 0x5 $ rax2 -s 4142434445 ABCDE $ rax2 0x5*101b+5 30 8
  • 10. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 9
  • 11. utilities: rabin2 rabin2 — Binary program info extractor $ rabin2 -e Entrypoints $ rabin2 -i Shows imports $ rabin2 -zz Shows strings $ rabin2 -g Show all possible information 10
  • 12. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 11
  • 13. utilities: rasm2 rasm2 — assembler and disassembler tool $ rasm2 -a x86 -b 32 ’mov eax, 33’ Assemble $ rasm2 -d 9090 Disassemble $ rasm2 -L List supported asm plugins $ rasm2 -a x86 -b 32 ’mov eax, 33’ -C Output in C format 12
  • 14. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 13
  • 15. utilities: radiff2 radiff2 — unified binary diffing utility $ radiff2 original patched Code diffing $ radiff2 -C original patched Code diffing using graphdiff algorithm $ radiff2 -g main -a x86 -b32 original patched Graph diff output of given symbol, or between two functions, at given offsets: one for each binary. 14
  • 16. utilities: radiff2 — graph example /bin/true /bin/false 15
  • 17. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 16
  • 18. utilities: rafind2 rafind2 — Advanced commandline hexadecimal editor $ rafind2 -X -s passwd dump.bin Search for the string passwd 17
  • 19. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 18
  • 20. utilities: rahash2 rahash2 — block based hashing utility $ rahash2 -a all binary.exe Display hashes of the whole file with all algos $ rahash2 -B -b 512 -a md5 Compute md5 per block of 512 $ rahash2 -B -b 512 -a entropy Compute md5 per block of 512 $ echo -n ”admin” | rahash2 -a md5 -s ” Compute md5 of the string admin 19
  • 21. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 20
  • 23. 1 command <—> 1 reverse-engineering’notion Keep in mind that: 1. Every character has a meaning i.e (w = write, p = print) 2. Every command is a succession of character i.e pdf = p <-> print d <-> disassemble f <-> function 3. Every command is documented with cmd?, i.e pdf?,?, ???, ???, ?$?, ?@? 22
  • 24. the # command — hashing command 1. Open a file with radare2 radare2 file.exe 2. Get Usage on the command #? Usage: #algo <size> @ addr 3. List of all existing algorithms ## 4. SHA1 #sha1 5. Hashing from the begin #sha1 @ 0 6. with a hash block size corresponding to the size of the file #sha1 $s @ 0x0 This command is same as rahash2 -a sha1 file.exe 23
  • 25. the i command — information command 1. Get Usage on the command i? 2. Same as rabin2 3. izj for displaying in json 4. internal commands: ,̃ ls, {}, .. 24
  • 26. radare2 — ’major’ command example: pf Quick Demo 25
  • 27. radare2 — cli main commands 1. r2 -A or r2 then aaa : Analysis 2. s : Seek 3. pdf : Print disassemble function 4. af? : Analyse function 5. ax? : Analyse XREF 6. /? : Search 7. ps? : Print strings 8. C? : Comments 9. w? : Write 26
  • 29. radare2 — visual mode main commands 1. V? : Visual help 2. p/P : rotate print modes 3. move using arrows/hjkl 4. o : seek to 5. e : r2configurator 6. v : Function list 7. _ : HUD 8. V : ASCII Graph 28
  • 31. radare2 — webui r2 -A -c=H filename 30
  • 33. radare2 — debugger 1. radare2 -d 2. Quickly switch to Visual debugger mode: Vpp 3. OllyDBG/IDApro shortcuts friendly 32
  • 34. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 33
  • 35. rarun2 Rarun2 — run programs in exotic environments 1. Environnment setup tools for radare2 2. most useful with debugger 3. aslr, stdout, arguments, r2preload ... 34
  • 36. utilities ∙ rax2 ∙ rabin2 ∙ rasm2 ∙ radiff2 ∙ rafind2 ∙ rahash2 ∙ radare2 ∙ rarun2 ∙ ragg2/ragg2-cc 35
  • 37. ragg2/ragg2-cc Ragg2/Ragg2-cc — frontend for compiling shellcodes Demo time ! 36
  • 38. documentation ∙ Website: http://rada.re/ ∙ Blog: http://radare.today ∙ Book: http://maijin.gitbooks.io/radare2book/content/ 37