Radare2 Learning Note (0x03)

0x00 Debug mode

(ref: Radare2 Book)

We can use $ r2 -d <binary> to open r2 with debug mode.

there are several commands in debug mode:

> d?          ; get help on debugger commands
> ds 3        ; step 3 times
> db 0x8048920  ; setup a breakpoint
> db -0x8048920 ; remove a breakpoint
> dc          ; continue process execution
> dcs        ; continue until syscall
> dd            ; manipulate file descriptors
> dm          ; show process maps
> dmp A S rwx  ; change page at A with size S protection permissions
> dr eax=33 ; set register value. eax = 33

Daily used cmds:

  • db: setup a breakpoint
    • db 0x8048920 setup a breakpoint at 0x8048920 (disassembling code address)
    • db functionname setup a breakpoint at the start of functionname()
    • db -0x8048920 remove a breakpoint at 0x8048920.
  • dc: Start or continue process execution until breakpoint or end.
  • dr: display registers
    • dr: display all the registers' values
    • dr eax: display $eax's value
    • dr eax=33: set register value. eax = 33
  • print &i: print the address of variable i.

0x01 rabin2

I'm just a beginner of radare, so currently I only know how rabin can print the GOT table of the program, which is used in Pwnable.kr - passcode.

random@ubuntu:~$ rabin2 -R random  
vaddr=0x00600fe0 paddr=0x00000fe0 type=SET_64 __gmon_start__  
vaddr=0x00601000 paddr=0x00001000 type=SET_64 puts  
vaddr=0x00601008 paddr=0x00001008 type=SET_64 system  
vaddr=0x00601010 paddr=0x00001010 type=SET_64 __libc_start_main  
vaddr=0x00601018 paddr=0x00001018 type=SET_64 __isoc99_scanf  
vaddr=0x00601020 paddr=0x00001020 type=SET_64 rand

6 relocations  

the vaddr is the function's GOT address in this program.
GOT table is on the stack, which can be overflowed or modified by other means.

When the program needs to call a outlined function, like rand() in this case, it will search in the GOT table for rand()'s actual address.
In this case, the actual address lays at vaddr=0x00601020, so the program get the value from 0x00601020, then jump to that address and execute.

So if we modify the value of 0x00601020 and change it to the start address of shellcode, the program will jump to shellcode and execute when calling rand().

That's it. Keep learning