shikata ga nai


  1. Radare2 workshop, hack.lu 2015, October 22, 2015: shikata ga nai

  2. disclaimer: Jaime (@NighetMan) Peñalba. This workshop is based on ideas and scripts from

  3. where to find the material? Please look at the shikata_ga_nai folder in the virtual machine.

  4. what are we going to do?

  5. shikata ga nai: Unpack Shikata ga nai!

  6. shikata ga nai
     • 320 lines of msf-powered OOP Ruby
     • Polymorphic
     • We want the unpacked shellcode

  7. how do we do it?

  8. solutions
     • Run it on your machine and see what happens
     • Step-step-step-step-step-… in gdb
     • Trace the execution in a virtual machine
     • Use radare2 with ESIL!

  12. but what is esil?

  13. esil
     • Evaluable String Intermediary Language
     • Yet another intermediary language
     • RPN-ish
     • jz 0xaabbccdd : zf,?{,0xaabbccdd,eip,=,}
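To make the RPN reading of that slide concrete, the following is a small evaluator for the subset of ESIL needed to run the `jz` example and a typical XOR-decoder step. It is an illustration added to this page, not radare2's evaluator or any script from the workshop; the `?{ ... }` block form and the `$z` flag token follow the syntax of current radare2 and are assumed to match what the slide abbreviates.

```python
"""Minimal evaluator for a subset of ESIL (added teaching example, not radare2 code).

ESIL is comma-separated reverse Polish notation: operands are pushed, operators pop
them. The slide's `jz 0xaabbccdd` becomes `zf,?{,0xaabbccdd,eip,=,}`: push zf, open a
conditional block, and inside it assign 0xaabbccdd to eip.
"""
import operator

# `a,b,OP` pushes a then b, so OP receives b (top of stack) first.
BINOPS = {
    "+": operator.add,
    "-": lambda top, second: top - second,   # `4,esp,-` evaluates esp - 4
    "^": operator.xor,
    "&": operator.and_,
}


def jz_esil(target):
    """ESIL for `jz target`, as shown on the slide (modern `?{ }` spelling assumed)."""
    return "zf,?{,0x%x,eip,=,}" % target


def eval_esil(expr, regs, mask=0xFFFFFFFF):
    """Evaluate `expr` against the register dict `regs` (updated in place); return the stack."""
    tokens = expr.split(",")
    stack = []
    zero_flag = 0                      # internal flag set by `==`, read back through `$z`
    i = 0

    def value(tok):
        # Operands on the stack are ints (computed), register names, or immediates.
        if isinstance(tok, int):
            return tok
        return regs[tok] if tok in regs else int(tok, 0) & mask

    while i < len(tokens):
        tok = tokens[i]
        if tok in ("", "}"):
            pass                                   # empty token before `}` and the closer itself
        elif tok == "=":
            dst, src = stack.pop(), stack.pop()    # `src,dst,=` assigns to the register dst
            regs[dst] = value(src) & mask
        elif tok == "==":
            top, second = value(stack.pop()), value(stack.pop())
            zero_flag = int(((top - second) & mask) == 0)   # compare sets the zero flag
        elif tok in BINOPS:
            top, second = value(stack.pop()), value(stack.pop())
            stack.append(BINOPS[tok](top, second) & mask)
        elif tok == "$z":
            stack.append(zero_flag)
        elif tok == "?{":
            if value(stack.pop()) == 0:            # condition false: skip to the matching `}`
                depth = 1
                while depth:
                    i += 1
                    depth += {"?{": 1, "}": -1}.get(tokens[i], 0)
        else:
            stack.append(tok)                      # register name or immediate
        i += 1
    return stack


if __name__ == "__main__":
    regs = {"eip": 0x1000, "ecx": 0, "zf": 0}
    eval_esil("0,ecx,==,$z,zf,=", regs)           # cmp ecx, 0
    eval_esil(jz_esil(0xAABBCCDD), regs)           # jz 0xaabbccdd
    print(hex(regs["eip"]))
```

The `cmp`/`jz` pair is evaluated as two expressions, exactly as radare2 would emit one ESIL string per instruction; the XOR form `key,reg,^,reg,=` is the shape a decoder loop body takes once lifted to ESIL, which is why emulation rather than pattern matching is attractive for a polymorphic stub.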

  14. what can we do with this?

  15. esil
     • Used for
       • Emulation
       • Decompilation
       • Analysis
       • Flamewars against other IL

  19. how does emulation help us to dump the shellcode?

  20. where to stop? We can emulate the shellcode, but where do we stop?
     • Instructions aren’t fixed.
     • Blocks are permuted.
     • Registers are dynamically selected.
     So what can we do?

  21. reading the source code: It seems that the last instruction will always be loop. So we can emulate the shellcode and dump the result from the last loop instruction till the end.

  23. how do we use radare2/esil anyway?

  24. r2pipe

  25. languages
     • NodeJS: npm install r2pipe
     • Python: pip install r2pipe
     • Ruby: gem install r2pipe

  26. so let’s use esil?

  27. plot twist
     • FPU is used to get EIP with FNSTENV
     • Polymorphic FPU instructions
     • FPU is currently not supported in ESIL :D

  29. can we emulate them?

  30. are those detected as fpu by r2?
     • You’ve got the hello_world.py code
     • Check if every opcode in the test_fpu.py one has the fpu family
     • Feel free to do it in your favourite language!

  31. my solution

  32. ready to unpack shikata ga nai?

  33. sum up
     1. Initialize the ESIL vm
     2. If the instruction is invalid
        2.1 We’re at the end!
        2.2 Dump from the last encountered loop instruction to the end
     3. Else, if the instruction is an fpu one
        3.1 If it’s fnstenv, write the previously stored eip at esp
        3.2 Else, store eip
     4. Else, if the instruction is loop, store its location
     5. Step and goto 2.
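Below is one way to drive those five steps through r2pipe from Python, written for this page as an added example rather than the workshop's own solution script. The radare2 commands it issues are assumptions about the r2 command set (`aei`/`aeim`/`aeip` to set up the ESIL VM, `aes` to step, `aer` to read or set a register, `pdj 1 @ addr` for one instruction as JSON, `wv4` to write a 32-bit value, `p8` to dump bytes, `e io.cache=true` to keep ESIL's writes off the file), and the `family`/`type`/`opcode` fields it reads from `pdj` are assumed from radare2's JSON output. The `FakeR2` class is a constructed stand-in that replays a hand-made four-instruction snippet so the driver can be exercised without radare2 installed; with radare2 present, pass `r2pipe.open("shellcode.bin")` instead.

```python
"""Driver for the five-step ESIL unpacking procedure (added example, not the workshop's code)."""
import json

LOOP_MNEMONICS = ("loop", "loope", "loopne", "loopz", "loopnz")


def current_op(r2):
    """Return radare2's JSON description of the instruction at eip (assumed pdj fields)."""
    eip = int(r2.cmd("aer eip"), 0)
    return json.loads(r2.cmd("pdj 1 @ 0x%x" % eip))[0]


def unpack(r2, start, end):
    """Emulate the decoder stub in [start, end) and return (dump_offset, hex_bytes)."""
    r2.cmd("e io.cache=true")          # keep ESIL's memory writes in the cache, not the file
    r2.cmd("s 0x%x" % start)
    r2.cmd("aei")                      # 1. initialise the ESIL VM ...
    r2.cmd("aeim")                     #    ... give it a stack ...
    r2.cmd("aeip")                     #    ... and point eip at the stub
    last_loop = None                   # 4. location of the last loop instruction seen
    saved_eip = None                   # 3.2 eip of the last FPU instruction
    while True:
        op = current_op(r2)
        if op["type"] == "invalid" or op["offset"] >= end:      # bounds check added for safety
            # 2.1 we are at the end; 2.2 dump from the last loop instruction to the end
            if last_loop is None:
                raise RuntimeError("no loop instruction encountered before the end")
            return last_loop, r2.cmd("p8 %d @ 0x%x" % (end - last_loop, last_loop)).strip()
        mnemonic = op["opcode"].split()[0]
        if op.get("family") == "fpu":
            if mnemonic == "fnstenv":
                # 3.1 a real fnstenv stores the FPU instruction pointer (eip of the last FPU
                # instruction); the stub's `fnstenv [esp-0xc]` lands it at [esp], so write it there
                if saved_eip is None:
                    raise RuntimeError("fnstenv seen before any FPU instruction")
                esp = int(r2.cmd("aer esp"), 0)
                r2.cmd("wv4 0x%x @ 0x%x" % (saved_eip, esp))
            else:
                saved_eip = op["offset"]                          # 3.2 remember this eip
            # ESIL has no FPU support, so skip over the instruction instead of stepping it
            r2.cmd("aer eip=0x%x" % (op["offset"] + op["size"]))
            continue
        if mnemonic in LOOP_MNEMONICS:
            last_loop = op["offset"]                              # 4. store the loop location
        r2.cmd("aes")                                             # 5. step and go to 2


class FakeR2:
    """Constructed stand-in for an r2pipe session: replays a hand-made snippet (not real SGN output)."""
    OPS = {   # offset: (opcode, size, type, family)
        0x1000: ("fld1", 2, "fpu", "fpu"),
        0x1002: ("fnstenv [esp - 0xc]", 4, "fpu", "fpu"),
        0x1006: ("pop ebx", 1, "pop", "cpu"),
        0x1007: ("loop 0x1000", 2, "cjmp", "cpu"),
    }
    MEM = bytes.fromhex("d9e8d97424f45be2f990909090")   # 13 constructed bytes at 0x1000

    def __init__(self):
        self.regs = {"eip": 0x1000, "esp": 0x178000}
        self.writes = []

    def cmd(self, line):
        if line.startswith("aer eip="):
            self.regs["eip"] = int(line.split("=")[1], 0)
        elif line.startswith("aer "):
            return "0x%x\n" % self.regs[line.split()[1]]
        elif line.startswith("pdj 1 @ "):
            addr = int(line.split("@")[1], 0)
            op = self.OPS.get(addr)
            if op is None:
                return json.dumps([{"offset": addr, "size": 1, "type": "invalid", "opcode": "invalid"}])
            return json.dumps([{"offset": addr, "size": op[1], "type": op[2],
                                "family": op[3], "opcode": op[0]}])
        elif line == "aes":
            self.regs["eip"] += self.OPS[self.regs["eip"]][1]     # straight-line: no branch taken
        elif line.startswith("wv4 "):
            val, addr = line[4:].split("@")
            self.writes.append((int(addr, 0), int(val, 0)))
        elif line.startswith("p8 "):
            n, addr = line[3:].split("@")
            off = int(addr, 0) - 0x1000
            return self.MEM[off:off + int(n)].hex() + "\n"
        return ""


if __name__ == "__main__":
    print(unpack(FakeR2(), 0x1000, 0x100d))
```

The loop is recognised by mnemonic rather than by radare2's instruction type, since the type string for `loop` differs between radare2 versions, and the FPU instructions are skipped by rewriting eip because stepping them in ESIL would not advance the VM; both choices follow the slide's reasoning that only the last loop location and the FNSTENV side effect matter for reaching the decoded bytes.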

  34. your turn!

  35. my solution

  36. conclusion

  37. conclusion
     • Still WIP
     • ESIL is cool
     • More to come!

  38. conclusion: Radare2 is nice. You should use it.

  39. resources
     • Github repo
     • Official website
     • The r2 blog
     • The r2 book
     • Twitter
