Linux reverse engineering basics
radare2
radare2 is a reverse engineering tool comparable to IDA. It is cross-platform and runs even on watches and phones.
- Installation
The simplest way is to install from GitHub: clone https://github.com/radare/radare2 and run the install.sh script under sys/.
After a successful install the following tools are available:
r2 – main program
rabin2 – file analysis (imports, exports, strings, ...)
rax2 – data format conversion
radiff2 – binary diffing
rahash2 – hash a block of a file or the whole file
rasm2 – assembler/disassembler helper
r2 is the program used for disassembly by default.
A few basic commands:
aaa – analyze everything (functions, cross-references); this is analysis, not decompilation
is – list symbols
afl – list all functions found by the analysis
s – seek to a function or address
pdf – print the disassembly of the current function
VV – enter the graph view
p – change the view type once inside the graph view
tab – switch between views/functions inside the graph view
If you prefer the command line you can debug straight from it. radare2 also ships a web GUI, started with r2 -c=H binary, but it does not feel very usable.
- iaito
There is a third-party GUI:
https://github.com/hteso/iaito
It is worth a try.
It depends on CMake >= 3.1 and Qt 5.6.
Install cmake from your package manager.
Qt installation:
https://mirrors.tuna.tsinghua.edu.cn/qt/archive/qt/5.6/5.6.1/qt-opensource-linux-x64-5.6.1.run
Run the installer.
Build and install iaito:
https://github.com/hteso/iaito/wiki/Compiling-with-CMake
ARM/MIPS emulation and cross-compilation environment
- qemu-user-static
qemu-user-static provides user-mode emulation: it runs single ARM (or MIPS, etc.) Linux binaries on an x86 host without setting up a full system-mode qemu VM. Because the emulator is statically linked it can be copied into an extracted firmware root and used inside a chroot, which is what the DVRF example below does.
sudo apt-get install qemu-user-static
Nothing else is needed.
- Cross-compilation environment
Download and unpack buildroot 2015.11.1 (wget output shown):
--2016-01-20 22:53:34--  https://buildroot.org/downloads/buildroot-2015.11.1.tar.gz
Resolving buildroot.org (buildroot.org)... 140.211.167.224
Connecting to buildroot.org (buildroot.org)|140.211.167.224|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5460407 (5.2M) [application/x-gzip]
Saving to: 'buildroot-2015.11.1.tar.gz'

100%[======================================>] 5,460,407   87.5KB/s   in 57s

2016-01-20 22:54:33 (92.7 KB/s) - 'buildroot-2015.11.1.tar.gz' saved [5460407/5460407]

$ tar xzf buildroot-2015.11.1.tar.gz
$ cd buildroot-2015.11.1/

b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ ls
arch   build      Config.in.legacy  docs   Makefile         README   toolchain
board  CHANGES    configs           fs     Makefile.legacy  support
boot   Config.in  COPYING           linux  package          system
Then run make menuconfig. The settings that matter:
Target options -> Target Architecture: MIPS (little endian); binary format ELF; architecture variant mips32
Toolchain -> C library: uClibc
Toolchain -> Build cross gdb for the host
Save the configuration and exit.
Run make and wait; building the toolchain takes a while.
When it finishes, an output directory appears:
arch   build      Config.in.legacy  dl    linux            output   support
board  CHANGES    configs           docs  Makefile         package  system
boot   Config.in  COPYING           fs    Makefile.legacy  README   toolchain
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ cd output/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ ls
build  host  images  staging  target
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ cd host/usr/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ ls
bin  include  lib  libexec  mipsel-buildroot-linux-uclibc  share  x86_64-unknown-linux-gnu
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ cd bin/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr/bin $ ls *-build*
mipsel-buildroot-linux-uclibc-addr2line          mipsel-buildroot-linux-uclibc-gcov
mipsel-buildroot-linux-uclibc-ar                 mipsel-buildroot-linux-uclibc-gdb
mipsel-buildroot-linux-uclibc-as                 mipsel-buildroot-linux-uclibc-gprof
mipsel-buildroot-linux-uclibc-cc                 mipsel-buildroot-linux-uclibc-ld
mipsel-buildroot-linux-uclibc-cc.br_real         mipsel-buildroot-linux-uclibc-ld.bfd
mipsel-buildroot-linux-uclibc-c++filt            mipsel-buildroot-linux-uclibc-ldconfig
mipsel-buildroot-linux-uclibc-cpp                mipsel-buildroot-linux-uclibc-ldd
mipsel-buildroot-linux-uclibc-cpp.br_real        mipsel-buildroot-linux-uclibc-nm
mipsel-buildroot-linux-uclibc-elfedit            mipsel-buildroot-linux-uclibc-objcopy
mipsel-buildroot-linux-uclibc-gcc                mipsel-buildroot-linux-uclibc-objdump
mipsel-buildroot-linux-uclibc-gcc-4.9.3          mipsel-buildroot-linux-uclibc-ranlib
mipsel-buildroot-linux-uclibc-gcc-4.9.3.br_real  mipsel-buildroot-linux-uclibc-readelf
mipsel-buildroot-linux-uclibc-gcc-ar             mipsel-buildroot-linux-uclibc-size
mipsel-buildroot-linux-uclibc-gcc.br_real        mipsel-buildroot-linux-uclibc-strings
mipsel-buildroot-linux-uclibc-gcc-nm             mipsel-buildroot-linux-uclibc-strip
mipsel-buildroot-linux-uclibc-gcc-ranlib
Practice example
For practice, use a router vulnerability environment:
https://github.com/praetorian-inc/DVRF
- Getting started
Start with DVRF_v03.bin in the Firmware directory.
Extract the firmware with binwalk:
binwalk -Me DVRF_v03.bin extracts it directly (-e extracts, -M recurses into anything found inside the extracted data).
➜ /DVRF/Firmware/_DVRF_v03.bin.extracted master ls
192728.squashfs  piggy  squashfs-root
➜ /DVRF/Firmware/_DVRF_v03.bin.extracted master cd squashfs-root
➜ /DVRF/Firmware/_DVRF_v03.bin.extracted/squashfs-root master ls
bin  dev  etc  lib  media  mnt  proc  pwnable  sbin  sys  tmp  usr  var  www
➜ /DVRF/Firmware/_DVRF_v03.bin.extracted/squashfs-root master
Running the program: copy the static emulator into the extracted root and run the target inside a chroot.
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ cp `which qemu-mipsel-static` ./
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ ls
bin  etc  media  proc     qemu-mipsel-static  sys  usr  www
dev  lib  mnt    pwnable  sbin                tmp  var
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ sudo chroot . ./qemu-mipsel-static ./pwnable/Intro/stack_bof_01 test123
Welcome to the first BoF exercise!

You entered test123
Try Again
Debugging the program
chroot . ./qemu-mipsel-static -g 1234 ./pwnable/Intro/stack_bof_01 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn
-g 1234 makes qemu listen on port 1234 for a gdb remote connection and hold the target until the debugger attaches.
In another shell, run ./mipsel-buildroot-linux-uclibc-gdb from buildroot/output/host/usr/bin and connect to it:
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-pc-linux-gnu --target=mipsel-buildroot-linux-uclibc".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x767b9a80 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 fffffff8 00000041 767629b8 0000000a 767629c3 0000000b 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   81010100 7efefeff 41414141 41414141 41414141 41414141 41414141 41414141
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 00000000 ffffffff 76fff274 0040059c 00000002 004007e0
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  766e65e0 766ef270 00000000 00000000 00448cd0 76fff198 41414141 41414141
            sr       lo       hi      bad    cause       pc
      20000010 0000000a 00000000 41414140 00000000 41414141
           fsr      fir
      00000000 00739300
pc, ra and s8 all read 0x41414141 ("AAAA"): the input overran the stack buffer, overwrote the saved return address, and the function returned into it. A run of identical bytes cannot tell you how far into the input that happened, which is what the next step of the exploit needs.
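The usual way to turn this crash into an exact offset is to replace the A's with a cyclic (De Bruijn) pattern, crash again, and look the bytes that landed in pc back up in the pattern. The following added example (not code from the original post or from DVRF) implements that: a pattern generator, the lookup, and a parser for gdb's MIPS `info registers` layout so every register that holds pattern bytes can be reported at once. The register dump embedded in it is a constructed sample: the dump from the session above with pattern bytes substituted into t2..t7, s8, bad, ra and pc; the offsets it reports are properties of that sample, not of stack_bof_01.

```python
"""From "pc = 0x41414141" to an exact return-address offset.

Added example, not from the original post or from DVRF. The register
dump below is a constructed sample in the layout of gdb's MIPS
`info registers` output, not a real crash of stack_bof_01.
"""
import itertools
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet, n):
    """Yield the De Bruijn sequence B(k, n) one symbol at a time (k = len(alphabet))."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for x in a[1:p + 1]:
                    yield alphabet[x]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4, alphabet=ALPHABET):
    """First `length` bytes of a pattern in which every n-byte window is unique
    (for the 26-letter alphabet and n=4 that holds up to 26**4 = 456976 bytes)."""
    return "".join(itertools.islice(_de_bruijn(alphabet, n), length))


def cyclic_find(value, pattern, n=4, endian="little"):
    """Offset of a register value's bytes inside `pattern`, or -1 if they are not pattern
    bytes. `value` is the integer gdb printed; MIPS-EL stores it little-endian, so the
    first byte of the window is the least significant byte."""
    needle = value.to_bytes(n, endian)
    try:
        return pattern.find(needle.decode("ascii"))
    except UnicodeDecodeError:
        return -1


_NAME = re.compile(r"^[a-z][a-z0-9]*$")
_HEX = re.compile(r"^[0-9a-f]{8}$")
_ROW = re.compile(r"^R\d+$")


def parse_info_registers(text):
    """Parse gdb's MIPS `info registers` output (a names line followed by a values line,
    repeated) into {register_name: int}. Row labels such as R0/R8 are dropped."""
    regs = {}
    names = None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if all(_NAME.match(t) and not _HEX.match(t) for t in toks):
            names = toks
            continue
        vals = [t for t in toks if not _ROW.match(t)]
        if names and len(vals) == len(names) and all(_HEX.match(v) for v in vals):
            regs.update((nm, int(v, 16)) for nm, v in zip(names, vals))
        names = None
    return regs


def crash_offsets(info_registers_text, pattern_len=1024, endian="little"):
    """Registers whose contents came from the cyclic input, mapped to the input offset."""
    pattern = cyclic(pattern_len)
    hits = {}
    for name, val in parse_info_registers(info_registers_text).items():
        off = cyclic_find(val, pattern, endian=endian)
        if off >= 0:
            hits[name] = off
    return hits


# Constructed sample: the session's dump with cyclic(1024) fed instead of the A's.
SAMPLE_INFO_REGISTERS = """\
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 fffffff8 00000041 767629b8 0000000a 767629c3 0000000b 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   81010100 7efefeff 61616165 61616166 61616167 61616168 61616169 6161616a
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 00000000 ffffffff 76fff274 0040059c 00000002 004007e0
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  766e65e0 766ef270 00000000 00000000 00448cd0 76fff198 6161616a 6161616b
            sr       lo       hi      bad    cause       pc
      20000010 0000000a 00000000 6161616b 00000000 6161616b
           fsr      fir
      00000000 00739300
"""

if __name__ == "__main__":
    hits = crash_offsets(SAMPLE_INFO_REGISTERS)
    print("ra/pc overwritten at input offset", hits["ra"])
    print("all pattern hits:", hits)
```

Two points worth keeping in mind when you use this against the real target: the pattern length you pass to crash_offsets must be at least the length of the input you sent, otherwise a legitimate hit is reported as -1; and the all-'A' crash from the session above deliberately yields no hits (cyclic_find(0x41414141, ...) is -1) because uppercase bytes are not in the alphabet, so a stale register from an earlier run cannot masquerade as a pattern hit.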
Using radare2
TODO