0x00 Debug mode
We can use
$ r2 -d <binary>
to open r2 in debug mode.
There are several commands in debug mode:
> d? ; get help on debugger commands
> ds 3 ; step 3 times
> db 0x8048920 ; setup a breakpoint
> db -0x8048920 ; remove a breakpoint
> dc ; continue process execution
> dcs ; continue until syscall
> dd ; manipulate file descriptors
> dm ; show process maps
> dmp A S rwx ; change page at A with size S protection permissions
> dr eax=33 ; set register value. eax = 33
Daily used cmds:
db: setup a breakpoint
db 0x8048920 ; setup a breakpoint at 0x8048920 (disassembled code address)
db functionname ; setup a breakpoint at the start of functionname()
db -0x8048920 ; remove the breakpoint at 0x8048920
dc: start or continue process execution until a breakpoint or the end.
dr: display registers
dr ; display all the registers' values
dr eax ; display $eax's value
dr eax=33 ; set register value. eax = 33
print &i: print the address of variable i.
I'm just a beginner with radare, so currently I only know how rabin2 can print the GOT table of the program, which is used in Pwnable.kr - passcode.
random@ubuntu:~$ rabin2 -R random
[Relocations]
vaddr=0x00600fe0 paddr=0x00000fe0 type=SET_64 __gmon_start__
vaddr=0x00601000 paddr=0x00001000 type=SET_64 puts
vaddr=0x00601008 paddr=0x00001008 type=SET_64 system
vaddr=0x00601010 paddr=0x00001010 type=SET_64 __libc_start_main
vaddr=0x00601018 paddr=0x00001018 type=SET_64 __isoc99_scanf
vaddr=0x00601020 paddr=0x00001020 type=SET_64 rand

6 relocations
The vaddr is the function's GOT address in this program.
The GOT table is on the stack, which can be overflowed or modified by other means.
When the program needs to call an external library function, like rand() in this case, it looks up rand()'s actual address in the GOT table.
In this case, that entry lies at vaddr=0x00601020, so the program reads the value stored at 0x00601020, then jumps to that address and executes it.
So if we modify the value at 0x00601020 and change it to the start address of shellcode, the program will jump to the shellcode and execute it when calling rand().
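To make the GOT layout above easier to reason about, here is an added example (not from the original post or from the radare2 project) that parses the `rabin2 -R` output quoted above into a table of imports and their GOT slots, and answers both questions from this section: which slot holds rand()'s address, and which import a given slot address (such as 0x00601020) belongs to. The sample text is the output shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the `rabin2 -R random` output quoted above.
RABIN2_OUTPUT = """\
[Relocations]
vaddr=0x00600fe0 paddr=0x00000fe0 type=SET_64 __gmon_start__
vaddr=0x00601000 paddr=0x00001000 type=SET_64 puts
vaddr=0x00601008 paddr=0x00001008 type=SET_64 system
vaddr=0x00601010 paddr=0x00001010 type=SET_64 __libc_start_main
vaddr=0x00601018 paddr=0x00001018 type=SET_64 __isoc99_scanf
vaddr=0x00601020 paddr=0x00001020 type=SET_64 rand

6 relocations
"""

# One relocation line: vaddr, paddr, type and the imported symbol name.
RELOC_RE = re.compile(
    r"vaddr=(?P<vaddr>0x[0-9a-fA-F]+)\s+paddr=(?P<paddr>0x[0-9a-fA-F]+)"
    r"\s+type=(?P<type>\S+)\s+(?P<name>\S+)"
)
COUNT_RE = re.compile(r"^(\d+) relocations$")

def parse_relocations(text):
    """Parse rabin2 -R output into a list of dicts and cross-check the
    trailing 'N relocations' summary against the number of entries parsed."""
    entries, declared = [], None
    for line in text.splitlines():
        m = RELOC_RE.search(line)
        if m:
            entries.append({"name": m.group("name"), "type": m.group("type"),
                            "vaddr": int(m.group("vaddr"), 16),
                            "paddr": int(m.group("paddr"), 16)})
            continue
        c = COUNT_RE.match(line.strip())
        if c:
            declared = int(c.group(1))
    if declared is not None and declared != len(entries):
        raise ValueError(f"expected {declared} relocations, parsed {len(entries)}")
    return entries

def got_address_of(entries, name):
    """GOT slot address of an imported function, or None if it is not imported."""
    return next((e["vaddr"] for e in entries if e["name"] == name), None)

def function_at_got_slot(entries, addr):
    """Reverse lookup: which import owns the GOT slot at addr (None if no slot)."""
    return next((e["name"] for e in entries if e["vaddr"] == addr), None)

def got_slots_in_range(entries, lo, hi):
    """Imports whose GOT slot lies in [lo, hi): useful when assessing what a
    write to a known address range could redirect."""
    return [e["name"] for e in entries if lo <= e["vaddr"] < hi]
```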
That's it. Keep learning.