With radare2, no more excuses of the "I don't understand a thing about assembly" kind. This little ustensoire has a display mode that will no longer throw the newcomer off balance (with a few reservations).
Let's pick up once again the challenge we looked at in the first tutorial. If we disassemble the main program... what comes out is indeed assembly.
$ radare2 crackkids
 -- Setup dbg.fpregs to true to visualize the fpu registers in the debugger view.
[0x004004c0]> aa
[0x004004c0]> pdf@main
|          ; DATA XREF from 0x004004dd (entry0)
/ (fcn) main 105
|          0x004005cc    55              push rbp
|          0x004005cd    4889e5          mov rbp, rsp
|          0x004005d0    4883ec30        sub rsp, 0x30
|          0x004005d4    c745f070617.    mov dword [rbp-0x10], 0x73736170 ; "pass" ; 0x73736170
|          0x004005db    66c745f42100    mov word [rbp-0xc], 0x21 ; "!" ; 0x00000021
|          0x004005e1    bff0064000      mov edi, str.ChalleasyforRadaredissection ; 0x004006f0
|          0x004005e6    e895feffff      call sym.imp.puts
|             sym.imp.puts(unk)
|          0x004005eb    488d45d0        lea rax, [rbp-0x30]
|          0x004005ef    4889c6          mov rsi, rax
|          0x004005f2    bf11074000      mov edi, str._16s ; 0x00400711
|          0x004005f7    b800000000      mov eax, 0x0
|          0x004005fc    e8affeffff      call sym.imp.__isoc99_scanf
|             sym.imp.__isoc99_scanf()
|          0x00400601    488d55d0        lea rdx, [rbp-0x30]
|          0x00400605    488d45f0        lea rax, [rbp-0x10]
|          0x00400609    4889d6          mov rsi, rdx
|          0x0040060c    4889c7          mov rdi, rax
|          0x0040060f    e88cfeffff      call sym.imp.strcmp
|             sym.imp.strcmp()
|          0x00400614    85c0            test eax, eax
|      ,=< 0x00400616    eb00            jmp loc.00400618
|      |      ; JMP XREF from 0x00400616 (fcn.0040059c)
|- loc.00400618 29
|      `-> 0x00400618    bf16074000      mov edi, str.YouWin ; 0x00400716
|          0x0040061d    e85efeffff      call sym.imp.puts
|             sym.imp.puts()
|     ,==< 0x00400622    eb0a            jmp loc.0040062e
|     |    0x00400624    bf1e074000      mov edi, str.YouFailed ; 0x0040071e
|     |    0x00400629    e852feffff      call sym.imp.puts
|     |       sym.imp.puts()
|     |       ; JMP XREF from 0x00400622 (fcn.0040059c)
|- loc.0040062e 7
|     `--> 0x0040062e    b800000000      mov eax, 0x0
|          0x00400633    c9              leave
\          0x00400634    c3              ret
There are, however, other modes. Is it clearer with the asm.pseudo mode?
[0x004004c0]> e asm.pseudo = true
[0x004004c0]> pdf@main
|          ; DATA XREF from 0x004004dd (entry0)
/ (fcn) main 105
|          0x004005cc    55              push rbp
|          0x004005cd    4889e5          rbp = rsp
|          0x004005d0    4883ec30        rsp -= 0x30
|          0x004005d4    c745f070617.    dword [rbp-0x10] = 0x73736170 ; "pass" ; 0x73736170
|          0x004005db    66c745f42100    word [rbp-0xc] = 0x21 ; "!" ; 0x00000021
|          0x004005e1    bff0064000      edi = str.ChalleasyforRadaredissection ; 0x004006f0
|          0x004005e6    e895feffff      call sym.imp.puts
|             sym.imp.puts(unk)
|          0x004005eb    488d45d0        rax = [rbp-0x30]
|          0x004005ef    4889c6          rsi = rax
|          0x004005f2    bf11074000      edi = str._16s ; 0x00400711
|          0x004005f7    b800000000      eax = 0x0
|          0x004005fc    e8affeffff      call sym.imp.__isoc99_scanf
|             sym.imp.__isoc99_scanf()
|          0x00400601    488d55d0        rdx = [rbp-0x30]
|          0x00400605    488d45f0        rax = [rbp-0x10]
|          0x00400609    4889d6          rsi = rdx
|          0x0040060c    4889c7          rdi = rax
|          0x0040060f    e88cfeffff      call sym.imp.strcmp
|             sym.imp.strcmp()
|          0x00400614    85c0            cmp eax, eax
|      ,=< 0x00400616    eb00            goto loc.00400618
|      |      ; JMP XREF from 0x00400616 (fcn.0040059c)
|- loc.00400618 29
|      `-> 0x00400618    bf16074000      edi = str.YouWin ; 0x00400716
|          0x0040061d    e85efeffff      call sym.imp.puts
|             sym.imp.puts()
|     ,==< 0x00400622    eb0a            goto loc.0040062e
|     |    0x00400624    bf1e074000      edi = str.YouFailed ; 0x0040071e
|     |    0x00400629    e852feffff      call sym.imp.puts
|     |       sym.imp.puts()
|     |       ; JMP XREF from 0x00400622 (fcn.0040059c)
|- loc.0040062e 7
|     `--> 0x0040062e    b800000000      eax = 0x0
|          0x00400633    c9
\          0x00400634    c3
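The ; "pass" and ; "!" comments that radare2 prints in both listings come from decoding, as little-endian bytes, the immediates that main stores at rbp-0x10 and rbp-0xc. The Python script below is an added example (it is not part of the original post and not radare2 code): it parses those two store lines, in either the Intel syntax or the asm.pseudo syntax shown above, and rebuilds the NUL-terminated string that ends up on the stack for strcmp. The two line lists are copied from the listings; the function name stack_string and the regexes are my own.

```python
import re

# Store lines copied from the page's pdf@main output, Intel syntax ...
INTEL = [
    "mov dword [rbp-0x10], 0x73736170",
    "mov word [rbp-0xc], 0x21",
]
# ... and the same two instructions as printed with asm.pseudo = true.
PSEUDO = [
    "dword [rbp-0x10] = 0x73736170",
    "word [rbp-0xc] = 0x21",
]

SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

# Capture groups: (size keyword, offset below rbp, immediate), one pattern per syntax.
PATTERNS = [
    re.compile(r"^mov (\w+) \[rbp-(0x[0-9a-fA-F]+)\], (0x[0-9a-fA-F]+)$"),  # Intel
    re.compile(r"^(\w+) \[rbp-(0x[0-9a-fA-F]+)\] = (0x[0-9a-fA-F]+)$"),     # asm.pseudo
]


def stack_string(lines):
    """Rebuild the string that immediate-to-stack stores write below rbp."""
    mem = {}  # address relative to rbp (negative) -> byte value
    for line in lines:
        for pat in PATTERNS:
            m = pat.match(line.strip())
            if m:
                break
        else:
            continue  # not a store of an immediate into the frame: ignore
        size_kw, off, imm = m.groups()
        # x86 is little-endian, so 0x73736170 lands in memory as 70 61 73 73 = "pass".
        data = int(imm, 16).to_bytes(SIZES[size_kw], "little")
        base = -int(off, 16)
        for i, b in enumerate(data):
            mem[base + i] = b
    if not mem:
        return ""
    out = bytearray()
    addr = min(mem)  # lowest address = first character of the string
    while addr in mem and mem[addr] != 0:  # stop at the NUL that the word store supplies
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(stack_string(INTEL), stack_string(PSEUDO))
```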
There is also an "esil" mode, but I won't hide from you that it is too... strange... for me (still, if you are motivated: e asm.esil = true). As you will have gathered, «e» is what changes the settings. «|grep» can be used with it, and «e?myparam» tells you what a given setting is supposed to do. For example, if you are friends with AT&T syntax (I don't know any such people personally, but still...).
[0x004004c0]> e | grep asm
asm.os = linux
asm.bytes = true
asm.cmtflgrefs = true
asm.cmtright = false
asm.comments = false
asm.decode = false
asm.dwarf = false
asm.esil = false
asm.filter = true
asm.flags = true
asm.lbytes = true
asm.lines = true
asm.linescall = false
asm.linesout = false
asm.linesright = false
asm.linesstyle = false
asm.lineswide = false
asm.middle = false
asm.offset = true
asm.pseudo = false
asm.size = false
asm.stackptr = false
asm.cycles = true
asm.tabs = 0
asm.trace = false
asm.ucase = false
asm.varsub = true
asm.arch = x86
asm.parser = x86.pseudo
asm.segoff = false
asm.cpu = x86
asm.profile = default
asm.xrefs = true
asm.functions = true
asm.syntax = intel
asm.nbytes = 6
asm.bytespace = false
asm.bits = 64
asm.lineswidth = 7
[0x004004c0]> e?asm.syntax
asm.syntax: Select assembly syntax
[0x004004c0]> e asm.syntax = att
[0x004004c0]> pdf@main
|          ; DATA XREF from 0x004004dd (entry0)
/ (fcn) main 105
|          0x004005cc  0  55              push %rbp
|          0x004005cd  0  4889e5          mov %rsp, %rbp
|          0x004005d0  0  4883ec30        sub $0x30, %rsp
|          0x004005d4  0  c745f070617.    mov $0x73736170, -0x10(%rbp) ; "pass" ; 0x73736170
|          0x004005db  0  66c745f42100    mov $0x21, -0xc(%rbp) ; "!" ; 0x00000021
|          0x004005e1  0  bff0064000      mov $str.ChalleasyforRadaredissection, %edi ; 0x004006f0
|          0x004005e6  0  e895feffff      call sym.imp.puts
|             sym.imp.puts(unk)
|          0x004005eb  0  488d45d0        lea -0x30(%rbp), %rax
|          0x004005ef  0  4889c6          mov %rax, %rsi
|          0x004005f2  0  bf11074000      mov $str._16s, %edi ; 0x00400711
|          0x004005f7  0  b800000000      mov $0x0, %eax
|          0x004005fc  0  e8affeffff      call sym.imp.__isoc99_scanf
|             sym.imp.__isoc99_scanf()
|          0x00400601  0  488d55d0        lea -0x30(%rbp), %rdx
|          0x00400605  0  488d45f0        lea -0x10(%rbp), %rax
|          0x00400609  0  4889d6          mov %rdx, %rsi
|          0x0040060c  0  4889c7          mov %rax, %rdi
|          0x0040060f  0  e88cfeffff      call sym.imp.strcmp
|             sym.imp.strcmp()
|          0x00400614  0  85c0            test %eax, %eax
|      ,=< 0x00400616  0  eb00            jmp loc.00400618
|      |      ; JMP XREF from 0x00400616 (fcn.0040059c)
|- loc.00400618 29
|      `-> 0x00400618  0  bf16074000      mov $str.YouWin, %edi ; 0x00400716
|          0x0040061d  0  e85efeffff      call sym.imp.puts
|             sym.imp.puts()
|     ,==< 0x00400622  0  eb0a            jmp loc.0040062e
|     |    0x00400624  0  bf1e074000      mov $str.YouFailed, %edi ; 0x0040071e
|     |    0x00400629  0  e852feffff      call sym.imp.puts
|     |       sym.imp.puts()
|     |       ; JMP XREF from 0x00400622 (fcn.0040059c)
|- loc.0040062e 7
|     `--> 0x0040062e  0  b800000000      mov $0x0, %eax
|          0x00400633  0  c9              leave
\          0x00400634  0  c3              ret
And voilà...
“This little ustensoire” An ostentatious utensil? Oo