Radare2 Course - Lesson 0x9 Cross References - Radare Tutorial
This is lecture #9 from the Reverse Engineering with Radare2 course that is available from Aether Security Lab @ aetherlab.net. Aether Security Labs sells several courses related to information security. In this course we will learn about the Radare reverse engineering framework. While this works as a stand-alone lesson, you can buy the entire course here: https://hackademy.aetherlab.net/p/rad...

=== What is Radare2? ===

Radare2 is a huge framework for reverse engineering and analysis. The framework revolves around the Radare2 disassembler, which supports a large number of platforms, architectures and formats. Radare started as a forensic tool with a scriptable command line hex editor but has grown to be much, much more with r2, which can be used to both disassemble and debug programs. It is also an open source, free alternative to IDA Pro. I started to work with it because I think nobody will buy IDA Pro unless it is paid for by your employer. Radare2 is a perfect free alternative; its only disadvantage is that it can be hard to start using. This is where this course comes in. My goal was to get you over the hard part as fast as possible, so that you can get comfortable with Radare2. This Radare2 tutorial is lesson 0x9 of the Radare2 course.

=== Other Aether Security Lab Courses ===

Become a Web Pentester - Web Hacking: https://hackademy.aetherlab.net/p/web...
Learn Burp Suite: https://hackademy.aetherlab.net/p/bur...

=== AetherLab Socials ===

Blog: / gergely.revay
Twitter: @geri_revay / geri_revay
Facebook: / aetherlab.net
Discussion: https://guidedhacking.com/threads/rad...

=== Transcript of the video ===

In this lecture I am going to show you how you can navigate around in the binary with radare. Even if we cannot execute the binary, from the info we already learnt a lot. We found out that the application does something on the network, that there is some kind of login, and that there are no binary protections in place. As we said, our first target can be the login mechanism.
Let's start reversing the program. When you start radare you will be put at the entry point of the app:

$ r2 server.exe

Let's do the analysis:

$ aaa

Just to get things straight: server.exe is not running right now. We are just disassembling the program, not executing it. To go to main, we can do:

$ s sym.main

sym.main is just a reference created by radare to the address of the main function. In the case of main we can also do:

$ s main

As you can see, the address where we stand has changed, because we are now standing at the beginning of the main function. Let's look at the list of functions:

$ afl

There is a function called 'authenticate', which could be interesting:

$ s sym.authenticate

What do you think is the command to see the disassembled code? 'p' for print, under that 'd' for disassembly and 'f' for function:

$ pdf

Which stands for 'print disassemble function'. This shows the assembly code of the function where we are standing. We can also say things like:

$ pdf @sym.authenticate

The @ literally means 'at' in radare. It can be followed by an address, a register containing an address, or a symbol like the one we used. This is useful because you don't have to change your position in the code to check out other parts of it. What you can see in this function is that after some string length calls, the 'check_username' function is called. So let's go there:

$ s sym.check_username; pdf

If you look around, there is some logging built in, reading the username, and then an interesting function is called: 'compare_username'. Its parameters could be interesting. It is called with two local variables, and if you look closer, one of them is initialized here:

0x08048af7 c785e4fbffff. mov dword [ebp - local_41ch], 0x6262616a
0x08048b01 66c785e8fbff. mov word [ebp - local_418h], 0x61

Let's see what values are put into this variable. Just to prove again that '?' is the most valuable command: you can do calculations with '?' as well, in this case simply:

$ ? 0x6262616a

Or together with the next line:

$ ? 0x616262616a

That looks really good. I can test quickly whether that works. Oh yeah, so the username is jabba. Now we only need the password, which we will see in the next lecture. You can also do things like:

$ ? 0x10 + 6

In IDA you would add comments to the code so as not to forget things you have already found out about it. You can do this in radare as well:

$ s 0x08048af7
$ CC username=jabba

In this lecture we have seen how the seek command works and how you can move around in the binary. Try to look at other interesting functions. After that, join me in the next lecture.

Donate on our Forum: http://bit.ly/2HkOco9
Support us on Patreon: http://bit.ly/38mnveC
#Radare2 #Radare #ReverseEngineering
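The step in the transcript where the two `mov` immediates are fed to `?` is a manual little-endian reconstruction of a string that the compiler placed on the stack in pieces. The following Python script is an added example, not code from the lecture or from the radare2 project: it takes the two stores quoted above (offset, width, immediate), lays them out in memory order and reads the NUL-terminated string back. It generalises the lecture's case to any number of byte/word/dword/qword stores at arbitrary stack offsets, so the same routine can be reused whenever a disassembly shows a string being built from immediates. The function names and the `LECTURE_STORES` list are this example's own.

```python
"""Reconstruct a stack string from the immediates of mov stores.

Added example (not part of the lecture or of radare2). Mirrors the
manual decoding done with `? 0x616262616a` in the transcript and
generalises it to any set of byte/word/dword/qword stores.
"""
import struct

# struct format per store width: x86 immediates are little-endian.
WIDTH_FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def lay_out_stores(stores):
    """stores: iterable of (ebp_offset, width_in_bytes, immediate).

    ebp_offset is the signed displacement from ebp (e.g. -0x41c).
    Returns the bytes of the contiguous buffer the stores populate,
    starting at the lowest written address; untouched bytes stay 0x00.
    """
    stores = list(stores)
    lo = min(off for off, _, _ in stores)
    hi = max(off + width for off, width, _ in stores)
    buf = bytearray(hi - lo)
    for off, width, imm in stores:
        mask = (1 << (8 * width)) - 1
        # Low byte of the immediate lands at the lowest address.
        buf[off - lo: off - lo + width] = struct.pack(WIDTH_FMT[width], imm & mask)
    return bytes(buf)


def decode_stack_string(stores):
    """Return the ASCII string up to the first NUL, as the program reads it."""
    raw = lay_out_stores(stores)
    return raw.split(b"\x00", 1)[0].decode("ascii")


# Constructed input, transcribed from the two instructions in the lecture:
#   0x08048af7  mov dword [ebp - local_41ch], 0x6262616a
#   0x08048b01  mov word  [ebp - local_418h], 0x61
LECTURE_STORES = [
    (-0x41C, 4, 0x6262616A),
    (-0x418, 2, 0x0061),
]

if __name__ == "__main__":
    print(lay_out_stores(LECTURE_STORES))      # b'jabba\x00'
    print(decode_stack_string(LECTURE_STORES))  # jabba
```

Reading the buffer back as one little-endian integer gives 0x616262616a, which is exactly why concatenating the word store in front of the dword store worked in the lecture: the word sits at the higher address, so its bytes become the more significant end of the number. The dword alone (`? 0x6262616a`) only yields "jabb"; the trailing "a" and the terminating NUL come from the 16-bit store at ebp-0x418.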