radare2 workshop

  1. Writing a crack for hack.lu 2015 radare2 workshop (October 22, 2015)

  2. whoami
     ∙ Julien (jvoisin) Voisin
     ∙ French
     ∙ Freshly graduated
     ∙ I don’t know Windows

  3. disclaimer
     ∙ Piracy is bad, m’kay.

  4. what is this?

  5. and what is this?

  6. but I still want to play!
     ∙ While knowing close to nothing about the Windows world.
     ∙ Time to write a compatibility enhancement hotfix!

  7. where to look
     ∙ In your virtual machine, in the nocd folder.

  8. finding the right function

  9. let’s script some documentation fetcher for r2
     ∙ You’ve got this one in your .radare2rc in the VM

  10. find where it’s called
     Your turn!
     ∙ Find where GetDriveTypeA is called
       ∙ It’s likely an analysis command, about xref to something
     ∙ There are two locations:
       ∙ 0x4d65f6
       ∙ 0x5352ee
     ∙ In what function do they belong?
       ∙ Still in analysis, function related, about information
       ∙ afi 0x4d65f6
       ∙ afi 0x5352ee

  11. find where it’s called (cont.)
     Your turn!
     ∙ 0x4d65f6 is called from two locations:
       ∙ 0x004d6550
       ∙ 0x004ab1aa
     ∙ Which one is the relevant one? (check with VV)
     ∙ 0x004d6550 is the cd-check routine!

  12. patching time
     1. Reopen the binary in write mode with oo+
     2. Hardcode a return value for fcn.0x004d6550
     3. Play the game without the CD!

  13. my solution

  14. conclusion
     ∙ Age of Empire is cool,
     ∙ So is radare2.
     ∙ Having no CD reader sucks.
     Radare2 is nice. You should use it.

  15. resources
     ∙ Github repo
     ∙ Official website
     ∙ The r2 blog
     ∙ The r2 book
     ∙ Twitter
