Inżynieria odwrotna z Radare2: Jak zacząć

Good morning. I'm sorry, maybe it's not a nice way to start, but I'm sorry for my voice, I'm still a bit sick, it's better anyway, because I didn't speak two days ago, so forgive me for some throat noises that might come out. I work on replacement equipment, Somehow, surprisingly, my work Mac, which I normally connect everywhere and just works, today he said that he has probably exhausted the limit of external devices to which I can connect it. I restarted, restarted, piramid, some S something, I just googled everything that was possible, nothing worked. So forgive me if I do something stupid during some connection, because it's not my computer, not my system, etc. My first question is: who

of you was at Pawel's presentation about Radar yesterday? Great, most of them were. I will try not to repeat what Paweł said. I will have to do two things, because I want this presentation to be a whole. First I will tell you what made me to talk about radar and reverse engineering. Then I will briefly tell you how to start this adventure. Basic use of radar for binaries analysis, static and dynamic analysis etc. Two words about me. I work at Trustwave Spider Labs. If any of you can associate Trustwave, it's probably because of the security mod. It's the most well-known product related to the web. Almost all of the prelegents here said that their companies are recruiting. I don't

know exactly how it is with us, but they probably recruit from time to time. Generally, I invite you. We do different cool things. The whole spider lab that works within Trustwave also has two legs, let's say. One leg is the research that I also work in, among other things, and the other is the service pen test. So if someone would like to, likes it and so on, to test it, it can also be done. And besides that, we have some manage services, SOCs and so on. So for people who know the network and who like to monitor various things, some threat analysis and so on, it's like there. So I recommend it. And besides work,

I would like to recommend Warsaw Hackerspace. Great. Generally speaking, if you came here, there is a good chance that you have a lot of common topics and interests with people who work there. Recently, Hackerspace moved to a new, extra headquarters, which is not far from here, at the other end of Muranów, near the Volusia Rata. It's a great place, great location. You can do what you normally do at home in the evening, that is, you sit at the laptop, you can sit at the laptop with boys and girls in the hackerspace, but you can also loot something there, there are oscilloscopes, printers, electronics, 3D printers, laser cutters and there is also a bit of heavy equipment, to the president Remigiusz,

it's just great, big milling machine, it's a lathe, it's now industrial robotic arm, etc. So it's just great and I really recommend it. On IRC, on the free node hackerspace.pl or the website hackerspace.pl. Check it out, on Thursdays there are open days, you can come and see what's going on there. And I play CTFs. Does anyone else play CTFs here? - Do you have a few people? - Not really. - Ok, then it's great. I'll tell you why it's worth playing CTFs. I play with a very passionate Dragon Sector team, which Mac had a presentation on Friday and generally I catch some complexes, because when there is a CTF and we play and talk on the air, sometimes I don't

even know what they are doing there. I'm just thin, but it's motivating, so it's cool. So why this talk? I was interested in this kind of issues for a long time. The first thing I did with Assembler was to make a living on Commodore 64. There was a nice newspaper, Commodore Yamiga, and there were Assembler's basics, various things were described. I had a Commodore with cassette tape recorder and I wrote something there. Then I did it. Then, of course, there were some obligatory items from microcontroller programming at the university, but then I somehow threw it away. And at some point the idea came up to investigate what was going on there, not to treat it as some kind of binaries are being launched and that's it.

Just to see what's going on there. And these CTFs are a good option because I think that many of you can share this story. Today we have a little overload of information, indicators and everything and you probably also have a million tabs in the browser with things that you need to read or learn or some kind of magic file. I want to learn this and that, check this and that. And this list is growing, usually much faster than anything else. And CTF is the best option to actually do something and learn something. CTF is a competition called Capture the Flag, where we have to hack various things. And it happens here and now. It usually

takes place there on weekends from 1 p.m. to 1 p.m. or from one day to another. And there are no excuses that later, when we play, we play, we sit down and do it. Of course, sometimes it takes a lot of time to solve a task, sometimes a little less, but looking from the perspective of playing for over a year and a half, I have to say that I learned a lot of things on CTFs from different fields, not only reversing, because there are some cryptography, forensic, analyzing some network traffic, etc. It's great, so I really recommend it. And that's when this radar appeared to me. Because, as Paweł said yesterday, if you are not a stage reverse engineer,

you probably don't have a professional ID, and you probably won't buy it, because it is such a government of magnitude that it does not justify buying for home, hobby or even semi-professional purposes. Free IDE, 64-bit binaries can't do it, even on CTFs there are more and more 64-bit ones, not to mention that in reality, in the real world as well. There are now options, for example, Binary Ninja, which is much cheaper, I don't know, it costs 80 or 90 euros, so it's becoming an option that you can afford, possibly, as part of some kind of funabery. I liked this radar because it's free, free, developed quickly and in a wonderful and friendly community. People were afraid that it's terrible because

you have to use command lines, and I always liked it and generally prefer it, so I decided why not. If it's difficult, then you can also treat it as a challenge. And in fact, Paweł said, I agree with it, that the philosophy of moving around the radar and its various commands is very similar to WIMA. This is the language where some single letters mean something and from it such a language is built. But in general, conceptually, I think that the radar is very similar to Emacs, because it is one tool in which you can do everything and you can not get out of it at all. For example, there is also 2048J in Emacs, and many other

games. Pancake, which Radar wrote, I remember that he had a slide on some presentation that people use and he's changing ID, binary walk, this, that, just some 100 tools, and I'm using Radar here. And that's more or less how it looks. It is also worth mentioning that from the very beginning, from what I know, Radar was created as a set of fast tools that are supposed to help in such works like forensics. So what we associate with opening binaries is clear, it is the main area of activity at the moment. But some things related to file analysis, system files, unpacking, searching, checking entropy, pulling pieces, etc. are in this radar and it is not that it was so strongly attached, but in fact this is

how this radar started. I'm not a weird person, I like Emacs, so I thought maybe Radar would work. As I said, it starts with Ere, because when I'm working I often analyze network traffic in Wireshark rather than binaries in Radar or anything else, but I have fun with it. I'm sorry, but I like to have everything defined, so Wikipedia generally says that reverse engineering is a process of some kind of research and drawing knowledge about various things done by man. Because let's face it, research, how it happens that trees grow, it's not reverse engineering, because we assume it wasn't engineering, so there's no reverse engineering. So it has to be done by a human. And then you can

narrow down this definition. In our case, we are talking about extracting this knowledge and information about the way of working from binary programming, i.e. binaries or libraries. So what do we want to do? At the top you can see a piece of a byte and this is how the file looks like. The computer analyzes the bytes, but it's a bit hard to read, so at the bottom on the left we have disassembly. If you pay attention, in the middle column these numbers that are there, they are covered with what we have there above, for example, 55, it turns out that it is push Rbp, 48, 89, E5, it is there move Rbp, Rsp, etc. So, as if, the

disassembly itself is not something terribly complicated, because it is only about arranging this with bytecode, demonic instructions. But Disassembler does some additional things, for example, you can see a little higher, that there is cross-reference to this place in the code from some other place or that it is a function and it is called add and that it has two local variables. So these are the things that additionally disassembler quickly displays and shows us that we don't have to do it ourselves. And the decompilation is just a arrow from the top and from the side because generally it is You can decompile it right away, try it out. And for example, there is such an x-ray in id, which is paid mainly and which somehow does it

and can immediately from these bytes somehow report how this code looked at the beginning. And the goal of our reverse engineering is to, based on the analysis of this deassembled code, somehow, either in the head or somehow, to produce this image that this is exactly what this function does, that it takes two ints, adds them to itself and then returns them. Here, maybe it's not so clear, I'll tell you what it's about. As long as the compilation is, I won't say simple, but simpler, then the decompilation is a bit more difficult, as shown by this example, because on the left side there is a C code and there are two functions that do exactly the same thing, only in one

of them there are two arguments in the reference, but it doesn't change the result completely. The order of actions is the same as it should be. And now the produced If we compile this GCC program, we have what's inside. So in this first function, it figured out that we are actually returning zero, because XOR, AX, AX, it gives us zero. And in this second case, the assumption produces some terrible operations. And C_Lang, for example, does exactly the opposite, i.e. he decided that this is some kind of space and he is doing some terrible things here, and in the second function he decides that it is not p times p, so 0 comes out of it, so it will be 0, so

we return 0. And it also shows how difficult it is to use such a function, disassembly, to produce a code that actually makes sense, especially in more complicated cases. So it's just that even if someone has access to HexRays, it will not replace, unfortunately, knowledge, experience and looking at these binaries themselves. I wanted to say that Radar also has some experimental decompiler, but I have to admit that I haven't tried it, because from what I read, I understood that it is an early phase of development experiment, it is not known what will happen with it, and I decided that I just want to learn reverse engineering, so it makes no sense to make it so easy and seemingly make it easier by playing with this decompiler.

What is Radar? Paweł said a lot. On the website they have a list of probably the most important things. What we are interested in is that it can deassemble and assemble for many different architectures. And it is really, as Paweł said, and for example my beloved Commodore 64 can do it too. I was doing a CTF for the spring and one task from reverse engineering for Commodore also came out quite well. It can debug, it can also connect to remote debuggers, according to their protocols, for example GDB, or for example, and it also works, WineDBG, so you can run it under Linux, analyze Windows binaries through Wine and it also works. Windows, but I don't know, because I don't use Windows, so

I'm not going to tell you, but it probably works. And another great option is that it works on almost everything you might want, the most popular ones, or even less popular ones like Haiku. But it works on Android, iOS, PCs, Macs. As I said, there are many things for forensics, so it works too. And another great thing is that it's scriptable. I've met with such opinions of people who use IDY so intensively professionally, I don't use it so I can only rely on these opinions. that while IDA is great, scripting radar in Python is much easier, more comfortable, faster, etc. than scripting that can be done in IDA. I know people who use IDA for a day, but when

they want to script something, they just run the radar and write scripts for the radar. And a great option is also that you can quickly patch binarka, for example, to improve something in it or add some functionality and I will also show it. Some advanced analysis options and so on. I'll try to see if I can let it go. Will it work? Oh, no, it won't work, sorry. Ok, it won't work. These slides will be available later, you'll click and see. Anyway, I also recommend a profile on Twitter, r2gifmemes. It's funny for people who use radars and for people who don't use and don't like radars, it's funny too. The story started with the fact

that radars develop very quickly. That's why using distribution packages is such a weak idea. And Debian, as you probably know, especially in the stable version, is just some kind of total antique. And on the network channel, the radar, now it's less, but there was a wave of people who appeared and complained that this radar didn't work at all, because they were using some kind of antique version from many years ago, which they had from packages, in total, there is a package, it will install it, why not. So generally it is a topic to be laughed at. Maybe you can't see exactly on this chart, but generally this is the number There are weeks when there are more than

100 commits, even at the end of August there was a big rebase, and now you understand that using something from packages from 3 months ago is pointless. But fortunately it's super fast and easy to install a radar, which I did on this laptop, which I used. You just need to clone the repository, go inside and run script install. Radar, everything it needs, so it actually uses Capstone, DISA assembler. But there are no big dependencies, you just need to have a compiler and that's it. Everything is in. R2 is an alias to RADAR2, commands to write faster, -v displays the version and this is generally the first thing that we are asked on IRC if we have any problem, we say that something is not

working, in the documentation it is that it works and it does not work. And if someone can't really compile, or for example on iOS or Android claims that it's too difficult, then on the home radar's homepage there is a section called Download and there are some fresh things. For example, now we've got a perfect moment for a presentation, because 3 days ago there was a 2.0 version of the radar, so tagged, and now there's even 2.0.1. And you can download it, so they will certainly be much fresher than what you will find in most distribution packages, so it's an option too. Paweł mentioned something, so let's go quickly. There is a package manager, there are 115 packages at the moment and there

are a lot of different things. There are some plugins for Yara, additional architectures that are not in the core, additional debuggers, just a lot of things. There is a rabbi who, rabbi, it's a nice name, who It is used to extract various information from binaries and generally it is still such a note that most of the things that these tools provide as if in the console itself, radars can also be done using various commands, but just sometimes not to start the whole thing or we are scripting something, it is faster to just use such a ready-made small binaries. Radiff is for defoing. Mac said on Friday that something was falling out there. I even did some tests

and there I did a div on some binaries of a dozen or so megabytes and it didn't work out. But it's okay. Mac warned me that it was a few years ago, so it's possible that there is such good news that it is already fixed. It is quite useful. You can find various things with raffaind. in binary files, you can count hashes, this rarun2 is extra, in addition to what Paweł said, that you can set the starting arguments, change the env, i.e. the environmental process change, etc., etc. I only warn you that I didn't do it just now, From what I read, you can also run processes on other architectures in a QEMU flight. When we have

QEMU with these various emulations of various other processors, you can actually make such a script for yourself and, for example, run something on some other architecture. RASM, well, we want to quickly disassemble some piece of it, and RACS, such a simple calculator, well, I don't know, from three examples. So at the top, yes, architecture, SPARC, that's what I did on CTF recently, -e changes to Bigendian, because normally x86 is Little Endian architecture, so it's about turning those bytes there, and -d, that we want to disassemble, and there we got some save SP, something like that. On the other hand, if we don't give -D, it thinks that we need to assemble, so for example -A arm, so for arm,

and some bytes were produced there, -A x86, and produced on x86. Rax, apart from the fact that you can add something there and, as you can see on the right side, present it in any system, 16, 2, as we want, for example, you can change bytes to strings or strings to bytes, so quite useful. with some different analyses and what I said with this with this rafine that in addition to some searching there I don't know strings also based on regular expressions which is sometimes very useful. Here's a piece of a screenshot I don't know how much you can see but there was also some task recently where there was a file that is JPG and you could also binary walk to find out that he still has

a zip at the end, but rafind also went there, of course, along the way, he also detects some stupidity, because somewhere there are a few bytes and he agrees that there is some flash there or something that is not necessarily so, but binwalk does the same, if we tell him to search so aggressively and stick to everything, then he will also find us some million things, but at the end he found this zip and you can also unpack it there. So, you can do most things. Rabin, as I said, various information. Maybe I'll show you one cool thing. I'll sit down for a moment. Can you still hear me? So, if we have, for example, such a bin, we'll do

it like this, so that it's on top of the screen. These letters are a little small. Ctrl +. It will be better. If we do something like this with strings, it will display some strings that it found in this bin. And we have here some "Hello, can you find me?" etc. But if we do the same with rabin, it turns out that after "can you find me?" there was a funny little guy. Because Rabin, unlike strings, can also analyze and display such multibytes, which is also useful when we have binaries. I think it's a cool option sometimes. And now, again, a great picture with this learning curve. Because in fact, most tutorials, and also funny, when

Pancake makes some presentations, he always wants to show something from the Radar's features, so he just opens binls in this Radar. It's the first binary that comes to mind, so generally everyone is laughing at this binls. And it looks a bit like this, that we're doing git clone, we're doing this R2 binls, but we still don't know anything. But to know something, it's just so hard. I don't know. Maybe it's not exactly like that. It turned out that it wasn't just me who had this weird thing. That saying that learning is a steep and crooked path is a bit pointless. Because if we draw time and our degree of skill of something, Very steep curve of learning is in a circle and a cross, because we

know everything very quickly, and in chess it is very easy, but it seems that it came from the fact that it sounds so complicated, that it is so steep, so steep curve of learning, we push this stone up, I don't know. I couldn't find the tweet, but I think it's a great statement about this learning curve. Some people say that Radar 2 has a very steep and difficult learning curve, but it's not like that at all. You just go to IRC, ask how to do something and Pancake will just throw you ready-made Radar commands. And that's how it really happens. This is an example. The project is constantly changing and as I will show you

in a moment, some things can be done in four different ways and they also try to simplify it, for example, throw out some things so that it is not complicated afterwards. There was a configuration option called cfg-write, which meant that it was possible to modify the binary. I was preparing this presentation and it was like: "There is no such thing". And where is the next minute. I knew there was a plus, but it's okay that it can be done like that, but it can be super helpful. Okay, now maybe I'll show you a few things that you can do at the beginning.

Let's take for example... I don't know... Everything... Oh, to make it up, right? Ok, I'll do it in a moment. Cool. Yes, yes, yes, sorry. Yes. Whatever, we'll create something there. First thing, we don't know what to do. When I read the first tutorial about radars, it was to press AAAA, as Paweł said, or A4 or A5, I'll tell you about it in a moment. And then do PDF at mine. PDF, acrobat reader, etc. So the idea is that we can always enter a question mark, which will show us the main categories of comments. And there we have that from A, for example, the commands for analysis begin, from D to bagger, from P to

display various things, etc. And we know that we would like to display something, but what? Well, P, wait a minute, maybe it won't be visible, sorry, maybe I'll try this window somehow, so that it's not so... Wow, I've analyzed it quite well, I was smart. Sorry, sorry. Can I get them a little closer? OK. Sorry, but in a second, I think it will be better if it's not completely this window. All right. Yes. Is it OK now? Cool. Well, okay. Well, we want to display something, but we don't know what yet. Well, then P and a question mark. And there we have it again, that there is What we can display there. PDE is for example disassemble and something else. Aha, then

closer, then okay, PDE and again aha, okay, PDE, disassemble function, cool. PDB, disassemble basic block, etc. So this is the idea of just moving around it. You can imagine it like this, that it's just a tree. with many branches and then many more branches grow out of them. Some of these commands have 3 or 4 letters. Plus there are some special signs, for example, this pdf.add_main, this add means Temporary Seek, so it's a temporary search, that we are actually in the file where we are, we are at the address 00400400 and we don't want to move anywhere, but we want to display what the whole main indicates. We can do it like this, because if we do it, it will display it for us, but

we can also do S, I'm already advancing a bit, but S is Seek, we can go to this main. And then we just need to do PDF and it will display exactly the same. We are in this function, we don't have to give anything. What else can be shown here? For example, there is such a built-in pipe, sorry, such a built-in grep that is made with a tilde. And for example, if we do this PDE, And for example we will do something like this: "Funds" Sorry, I wanted "Help" to "PD". "PD", "Help", "Stack". Ok, so it would over-grep this whole output, which would normally display for all these "PD" related commands, only because of this. And

this is very useful for configuration, because there is also auto-completion. For example, if we want to edit something there, some variable, When we type tab, there is a lot of it. And for example, we know that there was something with some UTF, so we do UTF. Cool. We have two options that have this UTF. And just like with any of these, we have there, for example, and these are information. information about the binaries, all of them are displayed. If we only want to check the canaries, we can do it like this. And as I say, it's just a language that comes out of it. In turn, there are two monkeys there. It's a kind of for each.

If we make a command that will send us, for example, how many addresses there are, we can do something for each of them. For example, display the pipes that are located under this address. So this is how it looks. We have a pipe. We can also start the command from Shell, normally not leaving the radar. So all the basic things that you can imagine on a command line, we have. And we have this beautiful graphic mode. So, if we type one V, we have a slightly worse graphic mode. With the help of small and large P we can change the view modes. There are several of them here. I also show some of them, you can see how this binar looks like. A lot

of funny things. But yes, we have something like this. And that's pretty cool. But we can do better. There is something like VV and it draws such blocks. By the way, we can do it, for example, I will show you when it comes to these configuration options. So yes, there was something with this UTF. So we have something like screen UTF-8 true. Let's do it. And just recently this option with rounded corners came, so let's turn it on, why not.

And now it's more human. I think it's quite cool. And recently, for example, the option was added that these different lines, when they cross, they cross so nicely that you can see what's going on here. So it's really cool and it's still developing, so seriously, it's worth using this radar from GIT. And now it will be a bit hard to see because it has to be big to see anything, but okay, I'll reduce it. You can reduce it with minus plus, for example, if we have a very complicated code, here it is not complicated, then you can reduce these blocks, enlarge them, so that somehow there ... I reduced it so much that ... You can't see anything anymore. And generally, we

walk like in Vim, there is Hjl. We change the active block using tab. For example, I don't know if you can see it, but now I jumped over a blue circle on this little one. When we do it with Shift, we can move it. So if we don't like how he put these blocks there, we can change it somehow. Yes, and from such basic things of movement, T and F are like jumping to these True/False branches. So if we squeeze something, I don't know, well, demo effect, but normally it worked somehow. What else is interesting about this graphic mode? I think that's it for now. I'll see what's next. You can add some things that

can be called from the command line to the RC radar file. Oh, I forgot to show you the most important thing. Shift+R changes the graphic scheme, so you can adjust it to your liking. You can also turn off all the colors, if you prefer. But yes, there is such an option. So, let's say a few basic things. And maybe I'll show you Asm. Pseudo. It does something like this. I don't know if it will be visible in this binar. Well, let's say it's not good enough, that it shows that we assign content from R15 to RDX. So it produces a pseudo C, so that you don't have to think about it sometimes if someone is not sure. Maybe I'll show it later in some

binary that does anything, it will be better visible. Okay, now two words. If we don't have a radar and we want to display something quickly, then we can use object dump. I recommend Intel components. If someone doesn't know, I'll show you in the next picture how it looks. Of course, it has to be different on Mac, so I was surprised that -M doesn't work, so you have to give it like that. And then we get a disassembled code in the Intel notation, not AT&T. Or if we want to check how something is assembled, we can write a code in C and instead of compiling it to exec, we can give minus big S options and also give that we want Intel and we will get a text file

with deassembly. The difference is that here it may not be so visible, But the main difference is that in the Intel component, maybe it's a bit strange, but the source argument is at the end, i.e. the move rbp rsp means that we move the content from RSP to RBP or, as it says here, Eax2, we put 2 to the Eax register. You have to read it from the other side, and in AT&T it is more normal that we enter 2 to Eax. I think they are doing a little bit of mixing, these are different additional signs. and also with binaries with commands that refer to a slightly more advanced way of addressing, that there are some offsets

regarding some memory address, etc. In this Intel component, it is much more readable. AT&T can be very, very weak. And in fact, Intel is also being paid for, because 90% of books Despite the fact that theoretically on Unix, by default, when we show something, we are showing AT&T, but most books show Intel components anyway. Now, yes, I had to show it, I think it's important to keep in mind that when we look at something, how it works, how some function works, to remember that at least in 32-bit binaries there are several conventions, generally. There is no one and correct technically it is possible to pass arguments of the function in any way, but there are certain conventions how compilers work, how they compile it. The difference

is that in FastCall the first two parameters are passed through ECX and EDX registers, and if there are more parameters, they are passed through STOS. and in CDECL and STD_COL everything is on the stack. In CDECL, the caller after the function finishes cleans the stack, and in the other two, the function called at the end of its operation cleans the stack. It's easier to do it on 64 bits, I gave it a question mark, because I don't know how to call it, but in general we have up to 6 registers, at least in Linux, in Windows, I think on 4. If we have six parameters or less, they go through the registers, if we have more, it goes through the stack and also the function that

triggers the cleaning. I'm sorry, but I decided that I shouldn't draw it on a piece of paper. Does everyone know how StoS works and you don't have to explain it or say, okay, I'll say two words. So this is the memory area. I drew it a bit strangely, but it reflects the idea of a stack, i.e. putting it on top. But in reality, addresses in memory grow in the opposite direction, unfortunately. It's a bit silly that when we look at the memory, the stack starts at the bottom, i.e. at higher addresses, and grows towards lower addresses. So, you have to be careful. And generally, if some code works, it has its own available piece of the stack, if it generates

some other function, then the parameters that as I said before, parameters passed by the stack, if there are any, of course, they will be there. Then there is a return address, because when the function we call will end, the processor must know from which place to resume the execution. And there is a base pointer, i.e. the basic indicator of the frame of the previous process. And then and then there is a place for local variables that already create our function. Now we can see how it looks in practice and by the way, get to know some radars. Okay, sorry. Okay, maybe park passing, why not. Let's analyze it, let's display the functions. Good.

Okay, and we see here that indeed, wait a minute, maybe first without sense, first maybe I'll show the binary. Okay, well, there is no great philosophy, I just call out functions with seven arguments to show that one there will actually be over 100 on 64 bits, and not on 32. OK, and at the beginning there is this fragment that corresponds to what I showed here, that is, we put this return address and base pointer on the stack. These are the first two instructions, push ebp and move esp. And then we put it on the stack because we are on 32 bits, so all these variables are put on the stack and they are put in

reverse order from the middle to the first and then we call the function. And then, as you can see, when this function returns, we do something on this stack and that's cleaning. So if we clean, and all arguments are through STOS, then it is CDECR. If we do it this way now, then you can see that the seventh argument, as we said, 6 is in the registers, so the seventh is no longer in the registers, so the seventh goes to STOS. And these go as they were supposed to be: EDI, ESI, EDX, etc. This one and then it cleans the function again, so it works. We can now see... Sorry, how much time do I have left? I didn't look at the clock when

I started. Okay, I won't show it by myself, but it will be quick. OOD opens in debug mode, because I would like to see what is happening there in turn. I set breakpoint to main function. Now DC, which is continue execution. And now it has hit the breakpoint. Sorry. I had to do something exactly. There is also a super magic mode that is useful in debugging. When we press the exclamation mark, we get additional windows on the sides, in which you can see, for example, the stoss, registers, and other cool things. And now, look, but a little smaller, so that anything here would have a chance to fit. Let's do something like this. I'll draw it, I'll move it like this. It also moves

these windows with these different "J"s, etc. The tab goes through them, so if we want to scroll through them later, we scroll through them. Okay, so now we can do this. The letter "S" just goes there for another step. And now there's something like this, that we throw in And I don't know if you can see it, but in this window where it says "stack" this 3 has been put back on the stack, which will be passed. If we do "s" again, this 1 will also be transferred to us. Now we call our strange function. And here, in fact, this address, we also have to remember that we are on Little Andian, so it is 08048451. If we look at 8.4.5.1, we will see that I

was not lying and this is the instruction that is after the return. The one on the top is the call and here is what is happening next. So it's true. You go to the point where you were with this call.

And now we are in this function and it displays the old content of the register of this eBP, i.e. the base pointer of the previous function. Now the stack pointer, i.e. the current stop pointer, is entered into eBP, i.e. now we set the base address of our function. And here we make a place on the stop, 20 bytes. 16 and 4, 20. No, 16, sorry. And this function continues to work. And when it ends, it's all taken away. If someone at this point, looking at it, thinks: "Ah, aha, if there were any functions, to give a very long argument longer than she thought it would be possible to write the return address, then of course it is true. You have found Stacksmashing, which was mentioned yesterday. In

the basic version, it doesn't work very well today, because there are too many security issues, There are canaries on the StoS, there are randomized addresses, StoS is not executable, etc. etc. But it's worth to learn more about it. And that's it. This is the paper that was mentioned at the end of the presentation. It already has such a historical value today. This Smashing the Stack for Fun and Profit. You will probably notice at various conferences that "for fun and profit" is often used in the titles of presentations, because it is simply a cult thing, so people make a bit of a fuss about it. And last year, when it was 20 years ago, Avi Koder wrote a slightly newer version, a bit more modern. But if you

want to exploit something, there are a lot of different added security, so I recommend starting with articles on Wikipedia, from Stack Buffer Overflow, because there are also references to various articles about various technologies that make life difficult. There is static and dynamic analysis. We analyze the program without starting it, so to speak. And it's safer because we don't run it, so we don't spoil the computer, we don't modify files. It can also be a program that modifies itself, so when we run it, it will modify itself and that's it. And the plus is that you can analyze things for architecture that we don't have access to physically, we can't run the program. In dynamic we run it. In

a way, it's easier, as I just showed, you can follow up on what's going on in the stack, what's going on in the registers, it allows you to understand it better. It can sometimes give bad results, because when we analyze, for example, some malicious code or not only malicious, programs sometimes have some detection, debugging or being in a virtual machine and change their behavior and just show something else. So that's a weak point. And such an automated dynamic analysis allows us to detect bugs, for example, because we can run some functions there a million times, giving them various arguments at the input and observe what is happening. And, for example, it turns out that there is some kind of buffer overflow. I will show

it quickly. It is a super simple program and someone could say: "Hahaha, okay, it's just a joke". But I wanted to say that last year I saw a product that costs well over 1000 PLN. And it was a program that secured encrypted PDFs. And that's how it was written. Let's do domain. And now what can we say quickly that we have something here. If something is wrong, it comes out immediately. I don't have much time left, so I'll just make a preview. This is a check if any argument has been passed. As the argument has been passed, there is a strlen here, so we know that the length is checked there. If it fits here, then this part is made. If

it fails, then this part is made. And what? It turns out that the first thing you can do is check if there are any strings in this program. And it turns out that there are. that there is an onion, a beetroot. You could write it in a blank, but let's not be so much. Let's go back here. We see that this one, we will... Let's jump to this function and see what it does. It's not a system strlen, because as you can see here under the cursor, when there are such sym_imp_puts, imp means import, so it's a system put, it's normally a slip. And here is some substrlen, so it's not a normal strlen, so let's jump. And

here it tells us the radars that it's ge, so let's jump there. Okay, and it's already doing a normal strlen. It checks if it's 5. Okay, so we already know that if not equal, we jump here and exit. Okay, so it must be 5 letters. We already know that it is 5 letters, so theoretically it could be brute-forced. I'm sorry, because it's not very visible in this code.

Yes, StringCompare is made, so it is like this, that two arguments are passed to StringCompare and we can now show what we have in these registers. I think it should work like this. Sorry, of course, something is not working for me. Oh no, sorry, sorry, sorry, sorry. Let's do it like this. Something, of course. I mixed something up, of course. Okay, sorry. I got confused. But we found out that it should be 5 letters. And when we display these strings, it is a promising Burek string. So we can try to run it. So this is the decryptor PDF. Burek 2.

And yes, it is a success. And now I will quickly show you what we can do with it. It's just not interesting to us what the password is, but we would like this program to just always go on. Well, we can do something like this. Open it. And here is this whole jump equal. And we can patch it exactly, just say that no matter what our substrlen returns to us, we just want to jump there. I hope it works. Thanks, sorry, it's just a little slower because it's not on my computer. Okay, so now.

We have to do OO+ I have a piece of paper to not forget So we want to have this file in the save mode And now let's check disassembly under this address 400613 Let's do it better We want to display 2 bytes there. And this is our 7.4.1b, so this is jump equal. And we can now replace it with nops. So we have to jump to this place. Let's check it again. Okay, we're in the right place. We replace it with nops. And now px2 and instead of 2.90 we have gites. And now

When we exit this program, I hope it will work. So it was our whole PDF decryptor and now we will give any other password and it's success. So it worked. Yes, exactly. Really, really. It would be unfair to say what it is, but my friend tells me: "Hey, listen, there's this thing, this and that, and it's like: "Hahaha, let's see what it is." And it turned out that the whole serious analysis was really enough to just fly over with strings. It's not like everyone is doing it, you know, it's like with breaks, that everyone thinks, oh, damn, hackers have zero days, etc. And then it turns out that the password is admin password, RDEB is enabled, Samba 1 is available from the

network, etc. Something like that. And it's often the case with these... with these binaries. Now, okay, I can just quickly show Radiff from Disassembly that our PDF decryptor, now it's not, sorry, because it doesn't matter anymore, because it's cracked, sorry, I could just copy it earlier. Maybe I'll be able to quickly show one thing. If we have a program that does something, there is a password check, hands, etc. Let's jump to this password check. We see that it is very complicated. It does something, has a lot of variables, bytes, operates on it, etc. and then there are some big decisions, just terrible. We don't have time to do any big analysis, but generally analyzing this code, you can conclude that they are recorded from

the address on the stack RBP minus 20, because that's it. This local 20H record actually means that from our base RBP indicator it is minus 20 bytes minus because it grows towards these adjacent addresses. So you can see it's 20, 1f, 1e. So under the next bytes some magic bytes are written here. Yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes So we can guess that we have to give a password that every byte when it will be xored with 1 will give us the bytes that came out at the output. Of course, you can somehow sculpt it manually, but you can script it yourself. And here I will make such a simple Adam Słodowy, because I will not write it now. But generally we have two options. We can do something like this. We have such a solver. A little bit worse. I have to show you how to do it. No sense. I'll

show you the better one right away.

using R2 pipe, which Paweł mentioned yesterday, so we can script radar. We open this pipe and commands are just commands that we would normally enter from our finger in radar. So we do analysis, We jump to the appropriate place where the fragment that inserted the bytes started. And the AOJ function... Let's go to this one. Here are the addresses and what does this function do to us? It was AO, right? And it tells us that we have a move here. And maybe we can use this grep cleverly. pull out, sorry, I was doing it with JSON here, because you can also deal with it with grep, because you can, for example, grep this output here, because we

are interested in this opcode. We're better off because we already have one line and then I think we can do something like this to display a column. Yes, so we can hack it like this and we can do something like this that that we want to make 16 of them because we know there are 16 of them. From the next addresses and we spit out something like that. And this first exploit of mine, it worked on the basis that I did something like that, but I redirected it to the file. I can do something like that. And it will just be in the file now. And I have these bytes and I can read them in some program and do something with them. But Almost every command has a

possibility to release JSON. It looks a bit weird, but you can do this magic trick. And this JSON looks nice now. So I'm using this JSON output in this program, splitting it, I could do it nicely and clearly. I add these next bytes to the list and then I just paste them. Now let's do it like this: We run R2, we want to run a script called "Serial Protected Solver R2-Pipe" and we run "Serial Protected" And it worked. So you can do it like this, you display bytes one by one and then there's the flag. So I think it's super simple, pleasant, efficient if we want to automate some analysis of binaries, for example, and so on. Then somehow also diff with radif and so on. You

can do it all super easy. Super easy to do. Okay, so this is what I wanted to show. In dynamic, it's basically... Of course, you can show a million things, but I just wanted to, it doesn't make sense anymore. You can do it in such a way that you can run this binary dynamically and set a breakpoint in a place where these bytes are entered into memory, right? And then do it in a slightly different way, i.e. instead of analyzing these opcodes and pulling this byte from this opcode, you can just take this table from memory. So it would be the same. But generally the topic is very broad. I was planning to show some poening, more

advanced things, but it's hard to fit in it. I wanted to show things that I hope will encourage you. I hope I showed you that it's not such a black magic. And there's nothing to be ashamed of because security itself is so much divided into some industries that someone can be a great pen tester, for example, pen testing web applications and have a very poor understanding of binaries and so on. I think it's But as a matter of expanding horizons and hobbies, it's worth following something. And the radar itself, I say, is not terrible, I think. Yesterday, Paweł also mentioned that there is also such a graphical interface for it, cutter, but from what I can see, Maybe you understand, it just can't

have everything in it, because there's some basic things that can be clicked graphically, but it can't be graphically in a developed list of commands. Disassemble me from here to there, I don't know, 16 bytes forward or something there, and the result is something there, etc. But there is also a window in the graphic at the bottom of a regular radar console, so you can use it in this way, that what is more convenient to click and what needs to be entered, then enter. Use GIT versions always. Sit on Radar channel. It's really nice atmosphere, everyone is very friendly, pancake is also very funny, he has a nice sense of humor. He is on Telegram, because Bridge

is between Telegram and IRCE, so it doesn't matter if you use Telegram or IRCE. you can see it all, he just writes something there at any time of day and night. And just a little tip that there is a bot that connects this IRC and Telegram, it's probably called R2TG IRC, so don't be surprised and don't answer to R2TG IRC on IRC, only there is always in the second paragraph who actually wrote it. It always comes out funny. If you get lost, then just a question mark or a channel on IRC. And with the AAA, I will show it in the bibliography, it is not always the case that the more the better. There are several articles on this topic written by Mr. Kajka, because it is

a matter of being too self-sufficient. Sometimes it is not always good to do a lot of AAA and such a great analysis. It pays off, especially for some large and complicated binaries. And what? You have to learn. These three books will be in the bibliography in a moment. It's also in Polish, "Return to practice engineering". A great book, really. The second one is a collection work under the GENWAL editorial office. Just the first and second chapters are a must. If you want to do anything, I really can't recommend anything better than the first two chapters of this book, which show the basic things about how to use x86 the assembler works, and the second chapter is about ELF files, about their loading, sections, everything

that happens there, etc. It's just super precisely written. And the third book is like a cheeseburger, it's a free book for Beginners RE. It's in two or three different formats, such a long version, it probably has 1500 pages, there is also a shortened version. Of course, Intel Intel manuals, which describe commands, assemblers etc. etc. you want exactly. On CTF time you will always find information about what CTFs will be in the near future. And I really recommend it, much better than some crack me etc. Because I say with crack me it's like tomorrow I'll do it, in a week I'll do it. And just CTF is there and we play. And what about Radar and bibliography, then documentation on the home page, among

others, there is a book, except that as there I showed this piece from IELTS, some things are not up to date, there was some CFG, but it is not there anymore. Nobody is making progress with updating this documentation on a regular basis. So yes, documentation is fine, read, radar book, okay, but not everything will work there and you will have to ask on IELTS, because no one can do that. This analysis by default is what I was talking about. A nice article that explains exactly how much A does what it really does and when to use how many A's and when to stop with it. to work this page with this CMP, Paweł showed there

just such a comparison of various features for assemblers. And I also recommend this profile R2GIF. I don't know if there will be time for questions. There is no way to just say I'm still there. Thank you. I apologize again for the time travel problems with the equipment and so on. But I think something there. Thank you very much.