Radare2 workshop, hack.lu 2015 (October 22, 2015): shikata ga nai

disclaimer
Jaime (@NighetMan) Peñalba. This workshop is based on ideas and scripts from

where to find the material?
Please look at the shikata_ga_nai folder in the virtual machine.
what are we going to do?
shikata ga nai
Unpack Shikata ga nai!
• 320 lines of msf-powered OOP Ruby
• Polymorphic
• We want the unpacked shellcode
how do we do it?
solutions
• Run it on your machine and see what happens
• Step-step-step-step-step-… in gdb
• Trace the execution in a virtual machine
• Use radare2 with ESIL!
but what is esil?
esil
• Evaluable String Intermediary Language
• Yet another intermediary language
• RPN-ish
• jz 0xaabbccdd : zf,?,0xaabbccdd,eip,=,
what can we do with this?
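To make the RPN idea concrete, here is a toy evaluator for a small ESIL subset, added for this write-up and not radare2's own ESIL engine. It runs the slide's `jz` expression and a shikata-style `xor [ebx], eax` decode step on constructed register and memory state. Current radare2 spells the conditional as `?{ ... }`; the slide's shorter `?` is accepted here as "stop evaluating when the condition is zero", which is an assumption about that older spelling.

```python
# Added example, not radare2's ESIL engine: a toy RPN evaluator for a small
# ESIL subset, enough to run the slide's jz expression and a shikata-style
# `xor [ebx], eax` decode step. Current radare2 spells the conditional as
# `?{ ... }`; the slide's shorter `?` is accepted here as "stop evaluating
# when the condition is zero" (an assumption about that spelling). Register
# values and memory contents below are constructed sample state.
from typing import Dict, List, Optional, Tuple, Union

MASK32 = 0xFFFFFFFF

# ESIL pops the top of the stack as the LEFT operand: "4,eax,-" is eax - 4.
BINOPS = {
    "+": lambda a, b: (a + b) & MASK32,
    "-": lambda a, b: (a - b) & MASK32,
    "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b,
    "|": lambda a, b: a | b,
}


def run_esil(expr: str, regs: Dict[str, int], mem: Optional[Dict[int, int]] = None
             ) -> Tuple[Dict[str, int], Dict[int, int]]:
    """Evaluate one ESIL expression; returns updated (regs, mem).

    mem maps a 32-bit address to the little-endian dword stored there (toy model).
    """
    regs, mem = dict(regs), dict(mem or {})
    stack: List[Union[int, str]] = []   # register NAMES sit on the stack until they are read

    def val(x: Union[int, str]) -> int:
        return regs[x] if isinstance(x, str) else x

    toks = [t for t in expr.split(",") if t]
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "?{":                              # skip the {...} block when cond == 0
            if not val(stack.pop()):
                depth = 1
                while depth:
                    i += 1
                    depth += {"?{": 1, "}": -1}.get(toks[i], 0)
        elif t == "}":
            pass                                   # end of a block that was taken
        elif t == "?":                             # slide spelling: bail out when cond == 0
            if not val(stack.pop()):
                break
        elif t == "=":                             # src,dst,=
            dst, src = stack.pop(), val(stack.pop())
            regs[dst] = src & MASK32
        elif t == "[4]":                           # addr,[4]  -> push the dword at addr
            stack.append(mem.get(val(stack.pop()), 0))
        elif t == "=[4]":                          # value,addr,=[4]
            addr, value = val(stack.pop()), val(stack.pop())
            mem[addr] = value & MASK32
        elif t.endswith("=[4]") and t[:-4] in BINOPS:   # value,addr,^=[4]  (read-modify-write)
            addr, value = val(stack.pop()), val(stack.pop())
            mem[addr] = BINOPS[t[:-4]](mem.get(addr, 0), value)
        elif t.endswith("=") and t[:-1] in BINOPS:      # value,reg,+=
            dst, value = stack.pop(), val(stack.pop())
            regs[dst] = BINOPS[t[:-1]](regs[dst], value)
        elif t in BINOPS:
            a, b = val(stack.pop()), val(stack.pop())
            stack.append(BINOPS[t](a, b))
        elif t in regs:
            stack.append(t)
        else:
            stack.append(int(t, 0))                # numeric literal (0x..., decimal)
        i += 1
    return regs, mem


def demo() -> Tuple[int, int, int, int]:
    """The slide's jz in both spellings, then one shikata-style decode step."""
    taken, _ = run_esil("zf,?{,0xaabbccdd,eip,=,}", {"eip": 0x1000, "zf": 1})
    not_taken, _ = run_esil("zf,?,0xaabbccdd,eip,=,", {"eip": 0x1000, "zf": 0})
    fallthrough, _ = run_esil("zf,?{,0xaabbccdd,eip,=,}", {"eip": 0x1000, "zf": 0})
    key, enc = 0x11223344, 0x11223344 ^ 0xCAFEBABE   # constructed key and encoded dword
    _, mem = run_esil("eax,ebx,^=[4]", {"eax": key, "ebx": 0x2000}, {0x2000: enc})
    return taken["eip"], not_taken["eip"], fallthrough["eip"], mem[0x2000]
```

The point to notice is that register names stay on the stack as names and are only dereferenced when an operator reads them; that is what lets `eip,=` assign to a register while `eax,ebx,^=[4]` reads one register as a value and the other as an address.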
esil
• Used for
  • Emulation
  • Decompilation
  • Analysis
  • Flamewars against other IL
how does emulation help us to dump the shellcode?
where to stop?
We can emulate the shellcode, but where do we stop?
• Instructions aren’t fixed.
• Blocks are permuted.
• Registers are dynamically selected.
So what can we do?

reading the source code
It seems that the last instruction will always be loop.
So we can emulate the shellcode, and dump the result from the last loop instruction till the end.
how do we use radare2/esil anyway?
r2pipe

languages
• NodeJS: npm install r2pipe
• Python: pip install r2pipe
• Ruby: gem install r2pipe
so let’s use esil?
plot twist
• FPU is currently not supported in ESIL :D
• FPU is used to get EIP with FNSTENV
• Polymorphic FPU instructions

can we emulate them?

are those detected as fpu by r2?
• You’ve got the hello_world.py code
• Check if every opcode in the test_fpu.py one has the fpu family
• Feel free to do it in your favourite language!

my solution
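As an added example (not the workshop's hello_world.py or test_fpu.py), this is the r2pipe side of the exercise in Python: `fpu_sweep` walks a byte range with `aoj` and keeps every opcode whose `family` field is `fpu`, and `R2Esil` wraps the handful of ESIL commands a stepping script needs (`aei`/`aeim`/`aeip`, `aes`, `aer`, `aoj`, `wv4`, `p8` are radare2 commands). The `aoj` field names relied on here and the `ill` type for undecodable bytes are assumptions; running it against a file needs radare2 and `pip install r2pipe`, while the pure helpers work on constructed `aoj`-style dicts without either.

```python
# Added example (not the workshop's hello_world.py / test_fpu.py): the r2pipe
# side. fpu_sweep answers "are those detected as fpu by r2?" by walking a byte
# range with `aoj` and keeping every opcode whose "family" is "fpu"; R2Esil
# wraps the ESIL commands a stepping script needs (aei/aeim/aeip, aes, aer,
# aoj, wv4, p8 are radare2 commands; the aoj field names relied on here and
# the "ill" type for undecodable bytes are assumptions). Running it against a
# file needs radare2 and `pip install r2pipe`; the pure helpers work on
# constructed aoj-style dicts without either.
from typing import Callable, Dict, List, Optional, Tuple

INVALID = {"type": "invalid", "opcode": "", "family": "cpu", "size": 0}


def normalize_aoj(entries: Optional[List[Dict]]) -> Dict:
    """Reduce an `aoj 1` result (a JSON list) to the four fields a stepping script reads."""
    if not entries:
        return dict(INVALID)
    o = entries[0]
    if o.get("type") in ("ill", "invalid") or o.get("opcode") == "invalid" or not o.get("size"):
        return dict(INVALID)
    return {"type": o["type"], "opcode": o["opcode"],
            "family": o.get("family", "cpu"), "size": o["size"]}


def is_fpu(op: Dict) -> bool:
    return op["family"] == "fpu"


def fpu_sweep(op_at: Callable[[int], Dict], start: int, end: int) -> List[Tuple[int, str]]:
    """Linear sweep over [start, end): (addr, opcode) of every instruction in the fpu family."""
    found, addr = [], start
    while addr < end:
        op = op_at(addr)
        if op["type"] == "invalid":
            addr += 1                          # resync a byte at a time, like a linear sweep
            continue
        if is_fpu(op):
            found.append((addr, op["opcode"]))
        addr += op["size"]
    return found


class R2Esil:
    """ESIL VM driven over r2pipe; op_at/reg/write_u32/read_bytes/step is what a driver needs."""

    def __init__(self, path: str, start: int):
        import r2pipe                          # lazy: the helpers above import without radare2
        self.r2 = r2pipe.open(path)
        self.r2.cmd("aei; aeim")               # init the ESIL VM and its stack
        self.r2.cmd(f"s {start:#x}; aeip")     # ESIL program counter = start of the shellcode

    def op_at(self, addr: int) -> Dict:
        return normalize_aoj(self.r2.cmdj(f"aoj 1 @ {addr:#x}"))

    def reg(self, name: str) -> int:
        return int(self.r2.cmd(f"aer {name}"), 16)

    def write_u32(self, addr: int, value: int) -> None:
        self.r2.cmd(f"wv4 {value:#x} @ {addr:#x}")   # e.g. the eip fnstenv would have stored, at esp

    def read_bytes(self, addr: int, n: int) -> bytes:
        return bytes.fromhex(self.r2.cmd(f"p8 {n} @ {addr:#x}").strip())

    def step(self) -> None:
        self.r2.cmd("aes")                     # one ESIL step

    def fpu_ops(self, start: int, end: int) -> List[Tuple[int, str]]:
        return fpu_sweep(self.op_at, start, end)
```

Usage against a real sample would be `R2Esil("shellcode.bin", 0).fpu_ops(0, size)`, which lists the polymorphic FPU prologue instructions r2 recognises as such; the same object is the backend a step-and-dump driver can be written against.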
ready to unpack shikata ga nai?
sum up
1. Initialize the ESIL VM
2. If the instruction is invalid
  2.1 We’re at the end!
  2.2 Dump from the last encountered loop instruction to the end
3. Else, if the instruction is an fpu one
  3.1 If it’s fnstenv, write the previously stored eip at esp
  3.2 Else, store eip
4. Else, if the instruction is loop, store its location
5. Step and goto 2.
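The five steps above as a driver, written for this page rather than taken from the workshop's solution script. It is coded against a minimal backend interface (`op_at`, `reg`, `write_u32`, `read_bytes`, `step`) so the same loop can sit on top of r2pipe; here `ToyCpu` is a constructed stand-in for the ESIL VM, and the instruction bytes, xor key and payload are constructed sample data, so the whole thing runs offline and shows why "dump from the last loop to the end" recovers the decoded payload.

```python
# Added example (not the workshop's solution script): the five-step driver from
# the sum-up slide, against a minimal backend interface (op_at/reg/write_u32/
# read_bytes/step). ToyCpu is a constructed stand-in for the ESIL VM so the run
# works offline; bytes, key and payload below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Op:
    addr: int
    size: int
    opcode: str                         # as r2's aoj "opcode" would print it
    family: str = "cpu"                 # aoj "family": "cpu" or "fpu"
    effect: Optional[Callable] = None   # None = no ESIL effect (r2 has none for FPU ops)


class ToyCpu:                           # constructed stand-in for the ESIL VM
    def __init__(self, program: List[Op], mem: bytearray, code_end: int, esp: int):
        self.ops, self.mem, self.code_end = {o.addr: o for o in program}, mem, code_end
        self.regs = {"eip": program[0].addr, "esp": esp, "eax": 0, "ebx": 0, "ecx": 0}

    def op_at(self, addr: int) -> Dict:
        if addr in self.ops:
            o = self.ops[addr]
            return {"type": "ok", "opcode": o.opcode, "family": o.family, "size": o.size}
        if addr < self.code_end:        # decoded payload bytes: modelled as 1-byte nops
            return {"type": "ok", "opcode": "nop", "family": "cpu", "size": 1}
        return {"type": "invalid", "opcode": "", "family": "cpu", "size": 0}

    def reg(self, name: str) -> int:
        return self.regs[name]

    def write_u32(self, addr: int, value: int) -> None:
        self.mem[addr:addr + 4] = (value & 0xFFFFFFFF).to_bytes(4, "little")

    def read_bytes(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[addr:addr + n])

    def step(self) -> None:             # an effect returns the next eip, or None to fall through
        eip = self.regs["eip"]
        o = self.ops.get(eip)
        nxt = o.effect(self) if o and o.effect else None
        self.regs["eip"] = nxt if nxt is not None else eip + (o.size if o else 1)


def unpack(cpu, max_steps: int = 1_000_000) -> bytes:
    """Steps 1-5 of the slide: bytes from the last loop instruction to the end."""
    last_loop: Optional[int] = None     # step 4: where the last loop was seen
    saved_eip: Optional[int] = None     # step 3.2: eip of the last FPU instruction
    for _ in range(max_steps):
        eip = cpu.reg("eip")
        op = cpu.op_at(eip)
        if op["type"] == "invalid":                     # step 2: we're at the end
            if last_loop is None:
                raise RuntimeError("reached the end without seeing a loop instruction")
            return cpu.read_bytes(last_loop, eip - last_loop)      # step 2.2
        if op["family"] == "fpu":                       # step 3
            if op["opcode"].startswith("fnstenv"):      # 3.1: fnstenv [esp-0xc] puts the FPU IP at [esp]
                if saved_eip is None:
                    raise RuntimeError("fnstenv before any FPU instruction")
                cpu.write_u32(cpu.reg("esp"), saved_eip)
            else:
                saved_eip = eip                         # 3.2
        elif op["opcode"].split()[0] == "loop":         # step 4
            last_loop = eip
        cpu.step()                                      # step 5
    raise RuntimeError("step budget exhausted")


PAYLOAD, KEY = b"PAYLOAD!", 0x11223344   # constructed "decoded shellcode" and xor key


def build_toy_sample() -> ToyCpu:
    """A decoder shaped like shikata ga nai: fpu op, fnstenv, pop, key, xor/add/loop, payload."""
    mem = bytearray(0x3000)
    mem[0x1016:0x1018] = b"\xe2\xf8"                    # loop 0x1010 (rel8 = -8)
    mem[0x1018:0x1020] = bytes(p ^ k for p, k in zip(PAYLOAD, KEY.to_bytes(4, "little") * 2))

    def pop_ebx(c):
        esp = c.regs["esp"]
        c.regs["ebx"], c.regs["esp"] = int.from_bytes(c.mem[esp:esp + 4], "little"), esp + 4

    def xor_mem(c):                                     # xor [ebx + 0x18], eax
        a = c.regs["ebx"] + 0x18
        c.write_u32(a, int.from_bytes(c.mem[a:a + 4], "little") ^ c.regs["eax"])

    def loop(c):
        c.regs["ecx"] -= 1
        return 0x1010 if c.regs["ecx"] else None

    program = [
        Op(0x1000, 2, "fcmovb st(0), st(1)", "fpu"),   # the FPU IP that fnstenv saves points here
        Op(0x1002, 4, "fnstenv [esp - 0xc]", "fpu"),   # no ESIL: the driver fakes its one side effect
        Op(0x1006, 1, "pop ebx", effect=pop_ebx),
        Op(0x1007, 2, "sub ecx, ecx", effect=lambda c: c.regs.update(ecx=0)),
        Op(0x1009, 2, "mov cl, 2", effect=lambda c: c.regs.update(ecx=2)),
        Op(0x100b, 5, f"mov eax, {KEY:#x}", effect=lambda c: c.regs.update(eax=KEY)),
        Op(0x1010, 3, "xor [ebx + 0x18], eax", effect=xor_mem),
        Op(0x1013, 3, "add ebx, 4", effect=lambda c: c.regs.update(ebx=c.regs["ebx"] + 4)),
        Op(0x1016, 2, "loop 0x1010", effect=loop),
    ]
    return ToyCpu(program, mem, code_end=0x1020, esp=0x2000)
```

`unpack(build_toy_sample())` returns the two loop bytes followed by the eight decoded payload bytes. The one piece of FPU state the driver has to supply by hand is the saved instruction pointer: because `fnstenv [esp-0xc]` places the FPU IP field exactly at `[esp]`, writing the remembered `eip` there is enough for the following `pop` to pick up the decoder's base address under ESIL.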
your turn!
my solution
conclusion
conclusion
• Still WIP
• ESIL is cool
• More to come!
Radare2 is nice. You should use it.

resources
• Github repo
• Official website
• The r2 blog
• The r2 book
• Twitter