Redare2 Book https://github.com/radareorg/awesome-radare2
Plugins: Diaphora, a Free and Open Source program diffing tool Use a local instance of retdec to decompile functions in radare2 Snowman Decompiler for r2
Get all function addresses from file:
>> > radare2 -A - q - c" afl ~[0]" r_config_set: variable ' asm.relsub'
0x00031200 0x00044ecc 0x0005205c 0x00052040 0x0005200c 0x00051f54 0x0005204c 0x0005203c 0x00051f44 0x00051f50 0x00051fbc 0x00052048 0x00052050 0x00052038 0x00051fe0 0x00051f90 Get all Exported Functions:
>> > radare2 -A - q - c" iE ~[1,6]" r_config_set: variable ' asm.relsub'
paddr lib
0x0005205c Java_com_tencent_mm_protocal_MMProtocalJni_genSignature
0x00052040 Java_com_tencent_mm_protocal_MMProtocalJni_rsaPublicEncrypt
0x0005200c Java_com_tencent_mm_protocal_MMProtocalJni_unpack
0x00051f54 Java_com_tencent_mm_protocal_MMProtocalJni_pack
0x0005204c Java_com_tencent_mm_protocal_MMProtocalJni_computerKeyWithAllStr
0x0005203c Java_com_tencent_mm_protocal_MMProtocalJni_aesDecryptFile
0x00051f44 Java_com_tencent_mm_protocal_MMProtocalJni_mergeSyncKey
0x00051f50 Java_com_tencent_mm_protocal_MMProtocalJni_setIsLite
0x00051fbc Java_com_tencent_mm_protocal_MMProtocalJni_packHybridEcdh
0x00052048 Java_com_tencent_mm_protocal_MMProtocalJni_generateECKey
0x00052050 Java_com_tencent_mm_protocal_MMProtocalJni_genClientCheckKVRes
0x00052038 Java_com_tencent_mm_protocal_MMProtocalJni_aesEncrypt
0x00051fe0 Java_com_tencent_mm_protocal_MMProtocalJni_packDoubleHybrid
0x00051f90 Java_com_tencent_mm_protocal_MMProtocalJni_packHybrid
0x00000107 WX_BUILD_INFO
0x00051f4c Java_com_tencent_mm_protocal_MMProtocalJni_setClientPackVersion
0x00051f3c Java_com_tencent_mm_protocal_MMProtocalJni_setProtocalJniLogLevel
0x00052034 Java_com_tencent_mm_protocal_MMProtocalJni_aesDecrypt
0x00052018 Java_com_tencent_mm_protocal_MMProtocalJni_decodeSecureNotifyData
0x00052044 Java_com_tencent_mm_protocal_MMProtocalJni_rsaPublicEncryptPemkey
0x00051f48 Java_com_tencent_mm_protocal_MMProtocalJni_verifySyncKey
Get Linked Libraries:
il
[Linked libraries]
libc++_shared.so
libwechatxlog.so
libz.so
libwechatnormsg.so
libc.so
libm.so
libdl.so
7 libraries
List strings:
>> > radare2 -A - q - c" iz" Warning: run r2 with - e
[Strings] nth paddr vaddr len size section type string
――――――――――――――――――――――――――――――――――――――――――――――――――――――― 0 0x00019650 0x00019650 11 12 .rodata ascii dev_ino_pop
1 0x000196c8 0x000196c8 10 11 .rodata ascii sort_files
2 0x000196d3 0x000196d3 6 7 .rodata ascii posix-
3 0x000196da 0x000196da 4 5 .rodata ascii main
4 0x00019790 0x00019790 10 11 .rodata ascii ? pcdb-lswd
5 0x000197a0 0x000197a0 65 66 .rodata ascii 6 0x000197e2 0x000197e2 72 73 .rodata ascii
List strings and what function they are referenced:
>> > radare2 -A - q - c" axt @ @ str.*" Warning: run r2 with - e
main 0x5b76 [ DATA] lea rcx, str.dev_ino_pop
fcn.000080a0 0x828c [ DATA] lea rcx, str.sort_files
main 0x4e58 [ DATA] lea rbp, str.posix_
( nofunc ) 0x5aa6 [ DATA] lea rcx, str.main
( nofunc ) 0x5b32 [ DATA] lea rcx, str.main
fcn.0000b930 0xbbd6 [ DATA] lea rdx, str._pcdb_lswd
main 0x566b [ DATA] lea r12, str._Configuration_file_for_dircolors__a_utility_to_help_you_set_the
main 0x5690 [ DATA] lea rsi, str._Configuration_file_for_dircolors__a_utility_to_help_you_set_the
( nofunc ) 0x19a05 [ CODE] jb str.TERM_gnome
( nofunc ) 0x19adc [ CODE] jns str.TERM_rxvt
fcn.0000ac90 0xae4f [ DATA] mov rax, qword [ str..t7z_01_31]
Ghidra C Decomplation:
[0x000040d0] > pdgDo you want to print 1247 lines? (y/N [...] ( *_reloc.error ) (2, 0, uVar7, uVar8 ;
code_r0x00005afb: * (undefined4 * ( puVar22 + - 4 ) = 0x5b04 ;
fcn.000160c0 ((int64_t piVar6 ;
* (undefined8 * ( puVar22 + - 4 ) = 0x5b1b ;
uVar8 = (* _reloc.dcgettext ( 0, " ignoring invalid value of environment variable QUOTING_STYLE: %s" ) ;
* (undefined8 * ( puVar22 + - 4 ) = 0x5b2d ;
( *_reloc.error ) (0, 0, uVar8 ;
puVar18 = puVar22 + 4 ;
code_r0x0000558e: puVar11 = (undefined4 * puVar18 ;
* (undefined4 * ( ( int64_t ) puVar11 + 8 ) = 7 ;
if ( * (uint32_t * ) 0x241e0 != 1 goto code_r0x000042ec ;
* (undefined8 * ( ( int64_t ) puVar11 + - 8 ) = 0x55a8 ;
cVar2 = fcn.000060a0( ;
if ( cVar2 != ' \0' ) goto code_r0x000055b0 ;
goto code_r0x000042f8 ;
code_r0x000055b0: * (undefined4 * ( ( int64_t ) puVar11 + 8 ) = 3 ;
goto code_r0x000042ec ;
Ghidra ASM Decomplation:
[0x000040d0] > pdd[...] label_115: rax = fcn_000160c0 (r12 ;
edx = 5 ;
r12 = rax ;
rax = dcgettext (0, " invalid time style format %s" ;
rcx = r12 ;
esi = 0 ;
edi = 2 ;
rdx = rax ;
eax = 0 ;
error ( ) ;
label_109:
rax = fcn_000160c0 ( rbp ) ;
edx = 5 ;
r12 = rax ;
rax = dcgettext (0, " ignoring invalid value of environment variable QUOTING_STYLE: %s" ;
rcx = r12 ;
esi = 0 ;
edi = 0 ;
rdx = rax ;
eax = 0 ;
eax = error ( ;
goto label_49 ;
label_82: r8 = optarg ;
fcn_000171d0 (eax, var_40h, 0, r12 ;
label_68: fcn_00016f40 (rdi ;
label_76: rcx = " dev_ino_pop" ;
edx = 0x41d ;
rsi = " src/ls.c" ;
rdi = " dev_ino_size <= obstack_object_size (&dev_ino_obstack)" ;
assert_fail ( ) ;
Bypass Ptrace:
(hooker, dr rax=0, dc);db $$+5 @@=`axt sym.imp.ptrace~CALL~call[1]`;dbc $$+5 .(hooker) @@=`axt sym.imp.ptrace~CALL~call[1]` #bypass ptrace debugging detection
Connect to App through Frida:
r2 frida://usb//sg.vantagepoint.helloworldjni
[0x00000000] > \i arch arm
bits 64
os linux
pid 13215
uid 10096
objc false
runtime V8
java true
cylang false
pageSize 4096
pointerSize 8
codeSigningPolicy optional
isDebuggerAttached false
cwd /
dataDir /data/user/0/sg.vantagepoint.helloworldjni
codeCacheDir /data/user/0/sg.vantagepoint.helloworldjni/code_cache
extCacheDir /storage/emulated/0/Android/data/sg.vantagepoint.helloworldjni/cache
obbDir /storage/emulated/0/Android/obb/sg.vantagepoint.helloworldjni
filesDir /data/user/0/sg.vantagepoint.helloworldjni/files
noBackupDir /data/user/0/sg.vantagepoint.helloworldjni/no_backup
codePath /data/app/sg.vantagepoint.helloworldjni-1/base.apk
packageName sg.vantagepoint.helloworldjni
androidId c92f43af46f5578d
cacheDir /data/local/tmp
jniEnv 0x7d30a43c60
Searching for Strings through Memory:
[0x00000000]> \/ Hello
Searching 5 bytes: 48 65 6c 6c 6f
...
hits: 11
0x13125398 hit0_0 HelloWorldJNI
0x13126b90 hit0_1 Hello World!
0x1312e220 hit0_2 Hello from C++
0x70654ec5 hit0_3 Hello
0x7d1c499560 hit0_4 Hello from C++
0x7d1c4a9560 hit0_5 Hello from C++
0x7d1c51cef9 hit0_6 HelloWorldJNI
0x7d30ba11bc hit0_7 Hello World!
0x7d39cd796b hit0_8 Hello.java
0x7d39d2024d hit0_9 Hello;
0x7d3aa4d274 hit0_10 Hello
Finding the location in memory:
[0x00000000]> \dm.@@ hit0_*
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x00000000703c2000 - 0x00000000709b5000 rw- /data/dalvik-cache/arm64/system@[email protected]
0x0000007d1c499000 - 0x0000007d1c49a000 r-x /data/app/sg.vantagepoint.helloworldjni-1/lib/arm64/libnative-lib.so
0x0000007d1c4a9000 - 0x0000007d1c4aa000 r-- /data/app/sg.vantagepoint.helloworldjni-1/lib/arm64/libnative-lib.so
0x0000007d1c516000 - 0x0000007d1c54d000 r-- /data/app/sg.vantagepoint.helloworldjni-1/base.apk
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d396bc000 - 0x0000007d3a998000 r-- /system/framework/arm64/boot-framework.vdex
0x0000007d396bc000 - 0x0000007d3a998000 r-- /system/framework/arm64/boot-framework.vdex
0x0000007d3a998000 - 0x0000007d3aa9c000 r-- /system/framework/arm64/boot-ext.vdex
Searching for Wide strings through Memory:
[0x00000000]> \/w Hello
Searching 10 bytes: 48 00 65 00 6c 00 6c 00 6f 00
hits: 6
0x13102acc hit1_0 480065006c006c006f00
0x13102b9c hit1_1 480065006c006c006f00
0x7d30a53aa0 hit1_2 480065006c006c006f00
0x7d30a872b0 hit1_3 480065006c006c006f00
0x7d30bb9568 hit1_4 480065006c006c006f00
0x7d30bb9a68 hit1_5 480065006c006c006f00
[0x00000000]> \dm.@@ hit1_*
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
Find Symbols in Libraries:
[0x00000000]> \is libnative-lib.so
[0x00000000]>
Find what other libraries are loaded:
[0x00000000]> \ii libnative-lib.so
0x7dbe1159d0 f __cxa_finalize /system/lib64/libc.so
0x7dbe115868 f __cxa_atexit /system/lib64/libc.so
List all exports:
[0x00000000]> \iE libnative-lib.so
0x7d1c49954c f Java_sg_vantagepoint_helloworldjni_MainActivity_stringFromJNI
View Currently loaded classes:
[0x00000000]> \ic~sg.vantagepoint.helloworldjni
sg.vantagepoint.helloworldjni.MainActivity
Display Classloader Information:
[0x00000000]> \icL
dalvik.system.PathClassLoader[
DexPathList[
[
directory "."]
,
nativeLibraryDirectories=[
/system/lib64,
/vendor/lib64,
/system/lib64,
/vendor/lib64]
]
]
[email protected] [ DexPathList[
[
zip file "/data/app/sg.vantagepoint.helloworldjni-1/base.apk"]
,
nativeLibraryDirectories=[
/data/app/sg.vantagepoint.helloworldjni-1/lib/arm64,
/data/app/sg.vantagepoint.helloworldjni-1/base.apk!/lib/arm64-v8a,
/system/lib64,
/vendor/lib64]
]
]
Show local Variables:
: > afvdarg arg1 = : rdi : 0x7ffd134f1e31
var s2 = 0x7ffd134f1e18 = " Q\x1eO\x13\xfd\x7f"
var var_8h = 0x7ffd134f1e38 = (qword 0x040bc5301d6d4a00 var s1 = 0x7ffd134f1e31 = " joshua"
var var_bh = 0x7ffd134f1e35 = (qword 0x301d6d4a00006175 var var_9h = 0x7ffd134f1e37 = (qword 0x0bc5301d6d4a0000 var var_14h = 0x7ffd134f1e2c = 22050
Patch File:
[0x00001070] > s 0x000011c9[0x000011c9] > pd 1│ ┌─< 0 x000011c9 750c jne 0x11d7
[0x000011c9] > wx 74[0x000011c9] > pd 1│ ┌─< 0 x000011c9 740c je 0x11d