@donkey-hotei
Last active June 17, 2019 15:17
Using radare2 for dynamic analysis

Reverse Engineering with Radare2

Dynamic analysis using radare2 opens the floodgates into understanding how assembly programs work. It is often useful to confirm one's understanding of x86 assembly by watching the program execute step by step, predicting what should happen next and verifying that it does! Below is a short how-to on using radare2 for debugging in a way that will feel familiar to those who already know gdb.

Using netcat as client with the radare2 suite

To emulate the environment seen in CTF-style challenges, where a box is owned over a TCP/IP connection, we must write a configuration file for the program rarun2 with at least one directive like the one below:

#!/usr/bin/rarun2
connect=localhost:9999

Save this file as debug.rr2 or whatever you please. This is all we need for our simple example, but there are a number of other simple directives one can use to launch the program with different arguments, permissions, et cetera. As the man page puts it, "this is useful when one needs to run a program using long arguments or pass long data to stdin or things like that usually required for exploiting crackmes :)".

With this in place, open a terminal and run netcat listening on the port specified above:

nc -lvp 9999

This is also where you'll pass in input, so if you wanted to feed some input into your target binary you could say, for example:

nc -lvp 9999 < <(python -c "print('A' * 42)")

Any scripting language can be used to experiment with your inputs. It is often useful to generate patterned strings to locate which parts of your input the program uses, and where.
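As an added example (not part of the original gist), here is a small Python 3 script that generates the kind of patterned input the paragraph refers to and, given a 32-bit value read back from a register in radare2's visual mode, reports which offset in the input it came from. The alphabet (the familiar Aa0Aa1... scheme), the 20280-byte default length and the script name pattern.py are my choices, not anything the gist specifies.

```python
#!/usr/bin/env python3
"""Patterned input for locating which input bytes reach which register.

Feed it to the target through the netcat listener described above, e.g.
    nc -lvp 9999 < <(python3 pattern.py 200)
then read a register value from radare2's visual mode and pass it to
pattern_offset() to learn where in the input that value originated.
"""
import string
import struct
import sys

# Largest length for which every 4-byte window of the pattern is unique.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the Aa0Aa1...Zz9 pattern (Uppercase, lowercase, digit)."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value: int, length: int = MAX_UNIQUE) -> int:
    """Offset of a 32-bit register value within the pattern, or -1 if absent.

    x86 is little-endian, so the register holds the 4 input bytes reversed;
    packing with "<I" restores the order in which they appeared in the input.
    """
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # `pattern.py 200` writes 200 pattern bytes; `pattern.py -q 0x41316141` looks one up.
    if len(sys.argv) == 3 and sys.argv[1] == "-q":
        print(pattern_offset(int(sys.argv[2], 16)))
    else:
        sys.stdout.buffer.write(pattern_create(int(sys.argv[1]) if len(sys.argv) > 1 else 100))
```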

With your netcat client running, open another terminal (or tmux pane) and start radare2 with the following arguments:

r2 -d -AAA binary -e dbg.profile=debug.rr2

Here binary is, of course, whatever binary you are examining.

The netcat client, called with the -v flag, should emit a message saying that a connection has been made.

Debugging in Visual Mode

The -AAA flag tells radare2 to run the aaa command before showing the prompt, analyzing all referenced code. This helps later, as radare will find and name all of the referenced functions and strings, and infer function arguments as well as global and local variables.

To enter visual mode, type V at the prompt and press enter. At first you will see a hexdump of the binary loaded into memory. Pressing p cycles through various representations of the binary, the most useful being the disassembly with stack and register information at the top.

In visual mode you can also enter commands as you would in text mode: press SHIFT + : to get a prompt at the bottom of your terminal. Try typing afl to list all the functions and subroutines found in the binary. Pressing ENTER again brings you back to visual mode.

To seek to a particular function and view its disassembly, press o in visual mode and type the name of one of the functions listed above. This takes you to the beginning of that function's prologue. Pressing V again reveals a colorful ASCII flowchart that shows where jumps go in an easy-to-read manner.
