Radare2 is an open-source reverse engineering toolkit consisting of a disassembler, debugger and hex editor. In this article I will show you the basics by reversing some shellcode I found on Project Shellcode.
To put this into context, let's briefly discuss what we mean by the term "shellcode", not to be confused with "shellscript", which is something else entirely. "Shellcode" is a term colloquially used to refer to the payload of an exploit. Typically this is code injected to start a shell.
...
In this new article I will explain some of the r_anal features through the creation of a small tool that we will call "itrace", which is mainly focused on tracing/hooking the execution of imports based on LD_PRELOAD + global hooking. I presented this method and POC at rooted'10, so you can have a look at the slides [1] if you want a quick summary, and at the source [2] for testing it.
Imagine the following scenario: we have a binary and we want to trigger an event each time an import is called. Obviously, we could hook all the imports and execute whatever we want by preloading a library we coded with LD_PRELOAD, but this approach has a very big problem: the imports used by each target binary change, so we would need to code a library adapted to each binary every time.
...
One of the key features behind r2 is how easily it can be extended with new libraries or plugins. In this paper, we will see the steps needed to add a new plugin to radare.
Let's say we want to add a new plugin for r_asm because we are working with binaries of an architecture not supported by r2. Of course, adding a new plugin for another lib would be mostly the same.
...
In some situations you need to automate or extend the features of radare.
There are many scripting languages out there: python, ruby, perl and lua, among others. All of them are supported by the radare package, and you can use them from inside r2 via r_lang plugins and the '#!' command, or externally with the r2-swig bindings.
The main issue with scripting languages is performance. The code is interpreted and all the API bindings are wrapped, so linked list accesses and function calls are heavily penalized.
When analyzing big binaries, a text-only view is probably not enough to understand the whole program.
radare and radare2 can generate graphs in graphviz format.
When compiling radare1 with gtk, you will be able to use the 'ag' command. This command opens a gtk window with the graph analysis starting at the current seek.
There are three ways to work with graphs using radare:
...
One of the main programs distributed with radare and radare2 is 'rasm' (and 'rasm2').
This tool lets you assemble and disassemble streams of bytes or opcodes from pipes or files.
Assembling and disassembling some bytes is easy:
$ rasm2 'nop'
90
$ rasm2 -d '90'
nop
More than one opcode can be given by separating them with the ';' character:
...
Many times you find yourself needing a simple calculator and converter tool to convert numbers between different bases, change the endianness, etc.
The 'rax' utility comes with the radare framework and aims to be a minimalistic expression evaluator for the shell, useful for easily converting between floating point values, hexadecimal representations, hexpair strings to ascii, and octal to integer.
It supports endianness conversion and can be used as a shell if no arguments are given.
In short you have: