In this post, I will show you how to do some tinkering inside of memory in Linux binary. Before i start i just want to remind you this material is based on:
- Exercise: https://github.com/monosource/radare2-explorations-binaries (clone this repository to your local directory)
we are going to use the second binary name "xor". Now, once you clone the repository and inside the "tut2-memory" you need to build the executable using
~# make
after that, the executable will be available inside the directory. Try to run it and as you can see the executable requires a password, we are going to find out what is the password.
to examine the executable we need to open the binary using "debugging mode" in radare2. Debugging mode enables us to place a breakpoint and read/write memory, this is very effective when we want to dig deep in on how the executable is behaved.
List all the function and we got two functions that really interesting "main" and "sym.check". Let's open the main function to get to know the big picture of the executable.
Ok wow! there is a lot of assigning byte there lol. So as you guess this might be the secret string but unfortunately this is encrypted and we found out by scrolling down it is show that the secret string and our input are pass to the "sym.check" function.
push eax=> pass encrypted string as parameter to "check" function
push esi => pass our string as parameter to "check" function
call sym.check => call the function
before you can examine the memory you must put a breakpoint inside the executable so we can start dissecting the register, type:
~# dcu main => it means debuggingcontinueuntil main (this will stop at the beginning of main function)
next
~# dcu check => it means debuggingcontinueuntil check (this will stop at the beginning of check function)
now we can examine the memory register by typing:
~# ps @ eax (this will print the content inside eax register which is the encrypted string)
and
~# ps @ esi (this will print the content inside esi register which is our input)
you can play with how much length of byte you want to print by appending "!"
for example
ps @ eax ! 2 => means that print the first 2 byte of the eax register
ps @ eax ! 32 => means that print the first 32 byte of the eax register
let's try to examine the "check" function:
now from the result we can see that there is a xor operation, notice the command:
~# xor byte[edx],al
this means that register edx that contain our input will be xor by register al (8-bit value of eax that means 42 => *) and the value of eax will be a loop and incremented by 3 until it reaches 0x8a (138)
by understanding the logic of the execution, we just reveal how to make the key. all we need to do is to generate char from 42 until 138 (increment by 3)
you have two choices, create python script or use radare2:
for python
1. you need to obtain the hex of the encrypted string, use the previous command that I just you show to examine the register
2. create a python script
for radare2:
1. there is a command that called "woe" that able to generate a pattern of key that we desired:
~# woe 42 3 @ esi ! 32
this command will generate char from 42 to 138 and will replace the register esi contain our value since it is rubbish. Don't forget to append "! 32" This is very crucial since it is told the radare to stop at the byte 32 or it will rewrite everything
2. now that we have the key all you have to do is just to xor the binary to the register eax (contain encrypted string) using "wox"
~# wox `p8 32 @ esi` @ eax ! 32
"`" this symbol helps us to nest command inside a command inside radare.
That's all thank you, folks :)
Comments
Post a Comment