OK I might not be going to make math at all, not because my last experience with chemistry was about 6-7 years ago in my high school. After all I like command-line tools after having Linux as my primary driver for some time (and maybe again in near future ;)), however, my relationship with VIM is rather not a serious one, since I still didn’t have time to fix the lack of possibility to use backspace.
I have first heard of radare2 while going through some article in some magazine for programmers, but I really tried to do anything very recently while looking for further inspirations while going on with my Linux shellcoding course on Pentester Academy. I wanted to dive deeper into those simple assemblies that I’ve created and r2 was the first thing that came to my mind.
So, ladies and gentlement, here it goes, my first experience with this awkward tool, from the perspective of total noob in the field of reverse engineering. Just before we begin, I was not expecting anything user-friendly and was ready to face the need to spend time going through documentation and reading online forums, but … all in all it’s just an experiment.
In order to make my task achievable I chose to analyze the assembly I’ve created for one of my previous blog posts – simple macOS assembly. It’s a very basic code that uses 2 syscalls to write “Hello, world!” on the screen using stdout and then exit with a hardcoded exit code.
In order to run r2 and analyze and debug code one has to pass two flags:
-A -d to the r2. I don’t know how much time it took me to discover this requirement.
Then, while entering visual mode by pressing
V one can get access to some options to manipulate functions like renaming them. By pressing
r I was able to rename the default
entry0 name to
_start as in picture below) and set a debugger trap there using
db start. Entering commands in visual mode requires entering colon before. The feeling is that one have to type a lot in order to get anything done, but the positive side is that using mouse is hardly ever necessary.
As you can see I was able to successfully set and hit breakpoint. Registers are printed using
d is in fact prefix for debugger commands) and those that have changed during last instruction execution are marked with different color.
Moving step by step I have finally reached first syscall. Below You can see the result of calling
write. Note the
rcx holding the return address of syscall. This gave me a headache while learning how to make a loop in asm since this register is used as the counter in loop so when there was a syscall in the loop this register never decremented to my desired value.
In similar way I was able to write custom values to the registers.
What turned out to be a trouble was the fact that in visual mode the indicator of current
rip position did not change when stepping through the code – the view did not get redrawn. I’ve gone through the program until I met the instruction calling
exit system call. Here I wanted to try to inject some code into the process.
dx instructions were responsible for this, but it seems macOS prevents such manipulations.
What was interesting, however, was the fact that I did manage to do this on Linux later.
I do not know whether I would use radare2 in professional career. Maybe with Cutter it would make sense. After grasping some basis I feel quite at ease with it, the commands are easy to memorize and fast to type. I am, however, keen to try out something else like the recently released to the public Ghidra for comparison.