radare2

Radare2 Learning Note (0x03)

Miracle Yu

24 Jan 2017 — 1 min read

0x00 Debug mode

We can use $ r2 -d <binary> to open r2 with debug mode.

There are several commands in debug mode:

> d?          ; get help on debugger commands
> ds 3        ; step 3 times
> db 0x8048920  ; setup a breakpoint
> db -0x8048920 ; remove a breakpoint
> dc          ; continue process execution
> dcs        ; continue until syscall
> dd            ; manipulate file descriptors
> dm          ; show process maps
> dmp A S rwx  ; change page at A with size S protection permissions
> dr eax=33 ; set register value. eax = 33

Daily used cmds:

db: setup a breakpoint
db 0x8048920 setup a breakpoint at 0x8048920 (disassembling code address)
db functionname setup a breakpoint at the start of functionname()
db -0x8048920 remove a breakpoint at 0x8048920.
dc: Start or continue process execution until breakpoint or end.
dr: display registers
dr: display all the registers' values
dr eax: display $eax's value
dr eax=33: set register value. eax = 33
print &i: print the address of variable i.

0x01 rabin2

I'm just a beginner of radare, so currently I only know how rabin can print the GOT table of the program, which is used in Pwnable.kr - passcode.

random@ubuntu:~$ rabin2 -R random
[Relocations]
vaddr=0x00600fe0 paddr=0x00000fe0 type=SET_64 __gmon_start__
vaddr=0x00601000 paddr=0x00001000 type=SET_64 puts
vaddr=0x00601008 paddr=0x00001008 type=SET_64 system
vaddr=0x00601010 paddr=0x00001010 type=SET_64 __libc_start_main
vaddr=0x00601018 paddr=0x00001018 type=SET_64 __isoc99_scanf
vaddr=0x00601020 paddr=0x00001020 type=SET_64 rand

6 relocations

The vaddr is the function's GOT address in this program.
GOT table is on the stack, which can be overflowed or modified by other means.

When the program needs to call a outlined function, like rand() in this case, it will search in the GOT table for rand()'s actual address.
In this case, the actual address lays at vaddr=0x00601020, so the program get the value from 0x00601020, then jump to that address and execute.

So if we modify the value of 0x00601020 and change it to the start address of shellcode, the program will jump to shellcode and execute when calling rand().

That's it. Keep learning

Shadowsocks Windows Setup

1. Download the client from here, or use the following Shadowsocks-4.4.1.0Shadowsocks-4.4.1.0.zip4 MBdownload-circle 2. Download OBFS plugin here, or use the following obfs-localobfs-local.zip170 KBdownload-circle 3. unzip the obfs-local.zip, put both files in the same directory with shadowsocks.exe 4. right-click shadowsocks taskbar

Hello Again

This is M1r4c13, a brand-new site by Miracle Yu that reborn from the previous xhyumiracle website, after offline for 7 years. Many things changed, my focus also changes from security to crypto * (zk + ai). Hope I can bring you some more interesting facts in this new world. Things will be

EOS Source Code Review - 0x00

Before Start I wrote this series of posts to remind myself the way I analysis EOS src code. My purpose was to learn security handling in C++. I'll update posts as I analyzing it, so maybe it lacks of construction, forgive me on this if it does. nodeos

EOS Dev Guide 0x03

pre-requisite This part assumes you've created at least one account. If not, please check the previous post EOS Dev Guide 0x02. Compile contract contract needs to be first compiled to .wasm format as a bin file. Then generate the .abi file to serve as a function interface index