Radare2
Radare2
Radare2 Book
https://github.com/radareorg/awesome-radare2
Plugins:
Diaphora, a Free and Open Source program diffing tool
Use a local instance of retdec to decompile functions in radare2
Snowman Decompiler for r2
Options
e emu.str=true;
Commands
Get the addresses of all analysed functions in a file:
>>> radare2 -A -q -c "afl ~[0]" ./libMMProtocalJni.so
r_config_set: variable 'asm.relsub' not found
0x00031200
0x00044ecc
0x0005205c
0x00052040
0x0005200c
0x00051f54
0x0005204c
0x0005203c
0x00051f44
0x00051f50
0x00051fbc
0x00052048
0x00052050
0x00052038
0x00051fe0
0x00051f90
Get all exported functions (address and name columns):
>>> radare2 -A -q -c "iE ~[1,6]" ./libMMProtocalJni.so
r_config_set: variable 'asm.relsub' not found
paddr lib
0x0005205c Java_com_tencent_mm_protocal_MMProtocalJni_genSignature
0x00052040 Java_com_tencent_mm_protocal_MMProtocalJni_rsaPublicEncrypt
0x0005200c Java_com_tencent_mm_protocal_MMProtocalJni_unpack
0x00051f54 Java_com_tencent_mm_protocal_MMProtocalJni_pack
0x0005204c Java_com_tencent_mm_protocal_MMProtocalJni_computerKeyWithAllStr
0x0005203c Java_com_tencent_mm_protocal_MMProtocalJni_aesDecryptFile
0x00051f44 Java_com_tencent_mm_protocal_MMProtocalJni_mergeSyncKey
0x00051f50 Java_com_tencent_mm_protocal_MMProtocalJni_setIsLite
0x00051fbc Java_com_tencent_mm_protocal_MMProtocalJni_packHybridEcdh
0x00052048 Java_com_tencent_mm_protocal_MMProtocalJni_generateECKey
0x00052050 Java_com_tencent_mm_protocal_MMProtocalJni_genClientCheckKVRes
0x00052038 Java_com_tencent_mm_protocal_MMProtocalJni_aesEncrypt
0x00051fe0 Java_com_tencent_mm_protocal_MMProtocalJni_packDoubleHybrid
0x00051f90 Java_com_tencent_mm_protocal_MMProtocalJni_packHybrid
0x00000107 WX_BUILD_INFO
0x00051f4c Java_com_tencent_mm_protocal_MMProtocalJni_setClientPackVersion
0x00051f3c Java_com_tencent_mm_protocal_MMProtocalJni_setProtocalJniLogLevel
0x00052034 Java_com_tencent_mm_protocal_MMProtocalJni_aesDecrypt
0x00052018 Java_com_tencent_mm_protocal_MMProtocalJni_decodeSecureNotifyData
0x00052044 Java_com_tencent_mm_protocal_MMProtocalJni_rsaPublicEncryptPemkey
0x00051f48 Java_com_tencent_mm_protocal_MMProtocalJni_verifySyncKey
Get linked libraries:
il
[Linked libraries]
libc++_shared.so
libwechatxlog.so
libz.so
libwechatnormsg.so
libc.so
libm.so
libdl.so
7 libraries
List strings:
>>> radare2 -A -q -c "iz" /bin/ls
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00019650 0x00019650 11 12 .rodata ascii dev_ino_pop
1 0x000196c8 0x000196c8 10 11 .rodata ascii sort_files
2 0x000196d3 0x000196d3 6 7 .rodata ascii posix-
3 0x000196da 0x000196da 4 5 .rodata ascii main
4 0x00019790 0x00019790 10 11 .rodata ascii ?pcdb-lswd
5 0x000197a0 0x000197a0 65 66 .rodata ascii # Configuration file for dircolors, a utility to help you set the
6 0x000197e2 0x000197e2 72 73 .rodata ascii # LS_COLORS environment variable used by GNU ls with the --color option.
List strings together with the functions that reference them:
>>> radare2 -A -q -c "axt @ @ str.*" /bin/ls
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
main 0x5b76 [DATA] lea rcx, str.dev_ino_pop
fcn.000080a0 0x828c [DATA] lea rcx, str.sort_files
main 0x4e58 [DATA] lea rbp, str.posix_
(nofunc) 0x5aa6 [DATA] lea rcx, str.main
(nofunc) 0x5b32 [DATA] lea rcx, str.main
fcn.0000b930 0xbbd6 [DATA] lea rdx, str._pcdb_lswd
main 0x566b [DATA] lea r12, str._Configuration_file_for_dircolors__a_utility_to_help_you_set_the
main 0x5690 [DATA] lea rsi, str._Configuration_file_for_dircolors__a_utility_to_help_you_set_the
(nofunc) 0x19a05 [CODE] jb str.TERM_gnome
(nofunc) 0x19adc [CODE] jns str.TERM_rxvt
fcn.0000ac90 0xae4f [DATA] mov rax, qword [str..t7z_01_31]
Ghidra C decompilation:
[0x000040d0]> pdg
Do you want to print 1247 lines? (y/N)
[...]
(*_reloc.error)(2, 0, uVar7, uVar8);
code_r0x00005afb:
*(undefined4 *)(puVar22 + -4) = 0x5b04;
fcn.000160c0((int64_t)piVar6);
*(undefined8 *)(puVar22 + -4) = 0x5b1b;
uVar8 = (*_reloc.dcgettext)(0, "ignoring invalid value of environment variable QUOTING_STYLE: %s", 5);
*(undefined8 *)(puVar22 + -4) = 0x5b2d;
(*_reloc.error)(0, 0, uVar8);
puVar18 = puVar22 + 4;
code_r0x0000558e:
puVar11 = (undefined4 *)puVar18;
*(undefined4 *)((int64_t)puVar11 + 8) = 7;
if (*(uint32_t *)0x241e0 != 1) goto code_r0x000042ec;
*(undefined8 *)((int64_t)puVar11 + -8) = 0x55a8;
cVar2 = fcn.000060a0();
if (cVar2 != '\0') goto code_r0x000055b0;
goto code_r0x000042f8;
code_r0x000055b0:
*(undefined4 *)((int64_t)puVar11 + 8) = 3;
goto code_r0x000042ec;
}
Ghidra ASM decompilation:
[0x000040d0]> pdd
[...]
label_115:
rax = fcn_000160c0 (r12);
edx = 5;
r12 = rax;
rax = dcgettext (0, "invalid time style format %s");
rcx = r12;
esi = 0;
edi = 2;
rdx = rax;
eax = 0;
error ();
label_109:
rax = fcn_000160c0 (rbp);
edx = 5;
r12 = rax;
rax = dcgettext (0, "ignoring invalid value of environment variable QUOTING_STYLE: %s");
rcx = r12;
esi = 0;
edi = 0;
rdx = rax;
eax = 0;
eax = error ();
goto label_49;
label_82:
r8 = optarg;
fcn_000171d0 (eax, var_40h, 0, r12);
label_68:
fcn_00016f40 (rdi);
label_76:
rcx = "dev_ino_pop";
edx = 0x41d;
rsi = "src/ls.c";
rdi = "dev_ino_size <= obstack_object_size (&dev_ino_obstack)";
assert_fail ();
Bypass ptrace-based debugger detection:
(hooker, dr rax=0, dc);db $$+5 @@=`axt sym.imp.ptrace~CALL~call[1]`;dbc $$+5 .(hooker) @@=`axt sym.imp.ptrace~CALL~call[1]` #bypass ptrace debugging detection
Android Frida
Connect to an app through Frida (r2frida):
r2 frida://usb//sg.vantagepoint.helloworldjni
[0x00000000]> \i
arch arm
bits 64
os linux
pid 13215
uid 10096
objc false
runtime V8
java true
cylang false
pageSize 4096
pointerSize 8
codeSigningPolicy optional
isDebuggerAttached false
cwd /
dataDir /data/user/0/sg.vantagepoint.helloworldjni
codeCacheDir /data/user/0/sg.vantagepoint.helloworldjni/code_cache
extCacheDir /storage/emulated/0/Android/data/sg.vantagepoint.helloworldjni/cache
obbDir /storage/emulated/0/Android/obb/sg.vantagepoint.helloworldjni
filesDir /data/user/0/sg.vantagepoint.helloworldjni/files
noBackupDir /data/user/0/sg.vantagepoint.helloworldjni/no_backup
codePath /data/app/sg.vantagepoint.helloworldjni-1/base.apk
packageName sg.vantagepoint.helloworldjni
androidId c92f43af46f5578d
cacheDir /data/local/tmp
jniEnv 0x7d30a43c60
Searching for strings in process memory:
[0x00000000]> \/ Hello
Searching 5 bytes: 48 65 6c 6c 6f
...
hits: 11
0x13125398 hit0_0 HelloWorldJNI
0x13126b90 hit0_1 Hello World!
0x1312e220 hit0_2 Hello from C++
0x70654ec5 hit0_3 Hello
0x7d1c499560 hit0_4 Hello from C++
0x7d1c4a9560 hit0_5 Hello from C++
0x7d1c51cef9 hit0_6 HelloWorldJNI
0x7d30ba11bc hit0_7 Hello World!
0x7d39cd796b hit0_8 Hello.java
0x7d39d2024d hit0_9 Hello;
0x7d3aa4d274 hit0_10 Hello
Finding which memory mappings contain the hits:
[0x00000000]> \dm.@@ hit0_*
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x00000000703c2000 - 0x00000000709b5000 rw- /data/dalvik-cache/arm64/system@[email protected]
0x0000007d1c499000 - 0x0000007d1c49a000 r-x /data/app/sg.vantagepoint.helloworldjni-1/lib/arm64/libnative-lib.so
0x0000007d1c4a9000 - 0x0000007d1c4aa000 r-- /data/app/sg.vantagepoint.helloworldjni-1/lib/arm64/libnative-lib.so
0x0000007d1c516000 - 0x0000007d1c54d000 r-- /data/app/sg.vantagepoint.helloworldjni-1/base.apk
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d396bc000 - 0x0000007d3a998000 r-- /system/framework/arm64/boot-framework.vdex
0x0000007d396bc000 - 0x0000007d3a998000 r-- /system/framework/arm64/boot-framework.vdex
0x0000007d3a998000 - 0x0000007d3aa9c000 r-- /system/framework/arm64/boot-ext.vdex
Searching for wide (UTF-16) strings in process memory:
[0x00000000]> \/w Hello
Searching 10 bytes: 48 00 65 00 6c 00 6c 00 6f 00
hits: 6
0x13102acc hit1_0 480065006c006c006f00
0x13102b9c hit1_1 480065006c006c006f00
0x7d30a53aa0 hit1_2 480065006c006c006f00
0x7d30a872b0 hit1_3 480065006c006c006f00
0x7d30bb9568 hit1_4 480065006c006c006f00
0x7d30bb9a68 hit1_5 480065006c006c006f00
[0x00000000]> \dm.@@ hit1_*
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000000013100000 - 0x0000000013140000 rw- /dev/ashmem/dalvik-main space (region space) (deleted)
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
0x0000007d30a00000 - 0x0000007d30c00000 rw-
Find symbols in a library:
[0x00000000]> \is libnative-lib.so
[0x00000000]>
Find a library's imports and which loaded libraries provide them:
[0x00000000]> \ii libnative-lib.so
0x7dbe1159d0 f __cxa_finalize /system/lib64/libc.so
0x7dbe115868 f __cxa_atexit /system/lib64/libc.so
List all exports of a library:
[0x00000000]> \iE libnative-lib.so
0x7d1c49954c f Java_sg_vantagepoint_helloworldjni_MainActivity_stringFromJNI
View currently loaded classes (filtered by package name):
[0x00000000]> \ic~sg.vantagepoint.helloworldjni
sg.vantagepoint.helloworldjni.MainActivity
Display classloader information:
[0x00000000]> \icL
dalvik.system.PathClassLoader[
DexPathList[
[
directory "."]
,
nativeLibraryDirectories=[
/system/lib64,
/vendor/lib64,
/system/lib64,
/vendor/lib64]
]
]
[email protected][
DexPathList[
[
zip file "/data/app/sg.vantagepoint.helloworldjni-1/base.apk"]
,
nativeLibraryDirectories=[
/data/app/sg.vantagepoint.helloworldjni-1/lib/arm64,
/data/app/sg.vantagepoint.helloworldjni-1/base.apk!/lib/arm64-v8a,
/system/lib64,
/vendor/lib64]
]
]
Debugging
Show local variables and arguments of the current function:
:> afvd
arg arg1 = : rdi : 0x7ffd134f1e31
var s2 = 0x7ffd134f1e18 = "Q\x1eO\x13\xfd\x7f"
var var_8h = 0x7ffd134f1e38 = (qword)0x040bc5301d6d4a00
var s1 = 0x7ffd134f1e31 = "joshua"
var var_bh = 0x7ffd134f1e35 = (qword)0x301d6d4a00006175
var var_9h = 0x7ffd134f1e37 = (qword)0x0bc5301d6d4a0000
var var_14h = 0x7ffd134f1e2c = 22050
Patch file (open the binary in write mode, `r2 -w`, so that `wx` writes through to disk; here the conditional jump is inverted):
[0x00001070]> s 0x000011c9
[0x000011c9]> pd 1
│ ┌─< 0x000011c9 750c jne 0x11d7
[0x000011c9]> wx 74
[0x000011c9]> pd 1
│ ┌─< 0x000011c9 740c je 0x11d