📓 REFM

Created: 23.09.2020

Rabin2

rabin2 -I [progname] # main info about the program
rabin2 -z [progname] # strings from the binary's data section
rabin2 -zz [progname] # all strings from the whole binary
rabin2 -zqq [progname] # strings only, without additional info
rabin2 -x iGoat-Swift # extract the thin (per-architecture) binaries from a fat binary

R2

Info

il # list the libraries in use
ii # imports (or iiq for a quiet list)
r2 [progname] # launch radare2
> s main # seek to the main function
> aa # analyze all (functions, symbols)
> v # pseudo-GUI visual mode (hex editor)
> VV # graph mode
> afvn user_input input # rename a local var everywhere it is referenced
# rename a function
> s function_old_name
> afn function_new_name
> c # toggle the cursor in visual mode
> afvd # print all local variables
> u # undo the last seek (go back)
> fs strings; f # select the strings flag space and list its flags
> axt @@ <address or ref> # show the xrefs to this item (string, import, function)
> f~bio # list the flags of the selected flag space and grep for those containing "bio"
> fs imports;f~BiometricAuth # select the imports flag space, list it and grep for "BiometricAuth"
> pds # disassembly summary

Graph mode

VV # open Graph

# go to a function via its shortcut (;[ao])
o # first type the 'o' key
> a # then type the second letter from the brackets

Decompile

pdg? # help for the r2ghidra decompiler (pdg decompiles the current function), if the Ghidra plugin is installed

Debug

r2 -d <progname> # start in debug mode
dcu main # continue until main
ragg2 -P 100 -r # generate a 100-byte cyclic pattern, a [De Bruijn Sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence)
ragg2 -P 200 -r > pattern.txt

cat profile.rr2
#!/usr/bin/rarun2
stdin=./pattern.txt

r2 -r profile.rr2 -d <progname> # debug the program with the rarun2 profile (pattern.txt on stdin)

wop? # help for the write-op pattern commands
wopO `dr eip` # offset within the De Bruijn pattern of the value now in eip
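As an added example (not from these notes and not radare2's own code): a Python version of what `ragg2 -P` and `wopO` do. It assumes the textbook FKM De Bruijn construction over the letters a-z with 4-character windows; ragg2's real alphabet and ordering may differ, only the idea (every 4-byte window is unique, so a register value maps to exactly one offset) is the same.

```python
# Added example: what `ragg2 -P <len> -r` and `wopO <value>` do, written out.
# Assumption: textbook FKM De Bruijn construction over a-z with 4-char windows;
# ragg2's real alphabet/ordering may differ, only the idea is the same.
import functools
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
N = 4  # every 4-char window is unique, so one 32-bit register value = one offset


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: str = ALPHABET, n: int = N) -> str:
    """De Bruijn sequence B(k, n) over `alphabet` (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * k * n
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic_pattern(length: int) -> str:
    """Like `ragg2 -P length -r`: the first `length` characters of the pattern."""
    seq = de_bruijn()
    if length > len(seq):
        raise ValueError("pattern longer than the full sequence")
    return seq[:length]


def find_offset(pattern: str, value) -> int:
    """Like `wopO`: offset of `value` in the pattern; `value` is the register
    contents as an int (little-endian, as on x86), raw bytes, or a str."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    return pattern.find(value)  # -1: the value did not come from the pattern
```

With `pat = cyclic_pattern(200)` (the content of pattern.txt above) and a constructed crash value `0x6161616C` for eip, `find_offset(pat, 0x6161616C)` returns 44, the distance from the start of the input to the bytes that landed in eip.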

Speakeasy

Windows Kernel emulation: https://github.com/mandiant/speakeasy.

CMD

rundll32.exe [dllname].dll,[exported_function_name_or_ordinal] # run an exported function of a DLL
# rundll32.exe malicious.dll,ExportedFuncName
# rundll32.exe malicious.dll,#6

Test this https://r2wiki.readthedocs.io/en/latest/tools/radare2/. One good reference and another here.

https://labs.detectify.com/2016/05/19/7-tools-that-have-influenced-the-reversing-community/#:~:text=Radare2%20is%20similar%20to%20IDA,from%20Linux%20ELIF%20to%20ARM.

Workshop for refresh

https://malwareunicorn.org/#/workshops

Todo

Python scripts for IDA

Describe the crackme 1 and 2 solution

https://reverseveryday.com/challenges