
Linux reverse engineering basics

radare2

radare2 is a reverse-engineering tool roughly comparable to IDA. It is cross-platform and can even run on a watch or a phone.

  • Installation

The simplest way is to install from GitHub: clone github.com/radare/radar and run install.sh from the sys directory.

After a successful install the following tools are available:

r2 – main program

rabin2 – file analysis (imports, exports, strings, ...)

rax2 – data format conversion

radiff2 – find differences between files

rahash2 – compute hashes of file blocks or whole files

rasm2 – assembler/disassembler helper

By default, r2 is used to analyze and disassemble the binary.

A few basic commands

aaa analyze everything

is list symbol information

afl list all functions

s seek to a function

pdf print the disassembly of the current function

VV graph view

p change the view type once inside graph view

tab switch between views to inspect functions

If you prefer the command line you can debug straight from it. radare2 also has a built-in web GUI, started with r2 -c=H binary, but it does not feel very usable.

  • iaito

There is a third-party GUI tool:

github.com/hteso/iaito

It is worth trying.

It depends on CMake >= 3.1 and Qt 5.6.

Install cmake directly.

Qt installation:

mirrors.tuna.tsinghua.edu.cn

Install it directly.

Install iaito:

github.com/hteso/iaito/

ARM runtime and cross-compilation environment

  • qemu-user-static

qemu-user-static is a user-mode emulation environment that lets you run ARM programs without setting up a full qemu virtual machine.

sudo apt-get install qemu-user-static

Just install it.

  • Cross-compilation environment

--2016-01-20 22:53:34--  https://buildroot.org/downloads/buildroot-2015.11.1.tar.gz
Resolving buildroot.org (buildroot.org)... 140.211.167.224
Connecting to buildroot.org (buildroot.org)|140.211.167.224|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5460407 (5.2M) [application/x-gzip]
Saving to: 'buildroot-2015.11.1.tar.gz'

100%[======================================>] 5,460,407   87.5KB/s   in 57s

2016-01-20 22:54:33 (92.7 KB/s) - 'buildroot-2015.11.1.tar.gz' saved [5460407/5460407]

$ tar xzf buildroot-2015.11.1.tar.gz
$ cd buildroot-2015.11.1/

b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ ls
arch   build    Config.in.legacy  docs   Makefile         README   toolchain
board  CHANGES  configs           fs     Makefile.legacy  support
boot   Config.in COPYING          linux  package          system

Then run make menuconfig. Note the following:

Target options ----> select MIPS little endian, ELF and mips32

Toolchain -> C library: uClibc

Toolchain -> Build cross gdb for the host

Then just save and exit.

Run make and wait a while.

An output directory will then appear:

arch   build    Config.in.legacy  dl    linux            output   support
board  CHANGES  configs           docs  Makefile         package  system
boot   Config.in COPYING          fs    Makefile.legacy  README   toolchain
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1 $ cd output/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ ls
build  host  images  staging  target
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output $ cd host/usr/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ ls
bin  include  lib  libexec  mipsel-buildroot-linux-uclibc  share  x86_64-unknown-linux-gnu
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr $ cd bin/
b1ack0wl@b1ack0wl-VM ~/DVRF/buildroot-2015.11.1/output/host/usr/bin $ ls *-build*
mipsel-buildroot-linux-uclibc-addr2line          mipsel-buildroot-linux-uclibc-gcov
mipsel-buildroot-linux-uclibc-ar                 mipsel-buildroot-linux-uclibc-gdb
mipsel-buildroot-linux-uclibc-as                 mipsel-buildroot-linux-uclibc-gprof
mipsel-buildroot-linux-uclibc-cc                 mipsel-buildroot-linux-uclibc-ld
mipsel-buildroot-linux-uclibc-cc.br_real         mipsel-buildroot-linux-uclibc-ld.bfd
mipsel-buildroot-linux-uclibc-c++filt            mipsel-buildroot-linux-uclibc-ldconfig
mipsel-buildroot-linux-uclibc-cpp                mipsel-buildroot-linux-uclibc-ldd
mipsel-buildroot-linux-uclibc-cpp.br_real        mipsel-buildroot-linux-uclibc-nm
mipsel-buildroot-linux-uclibc-elfedit            mipsel-buildroot-linux-uclibc-objcopy
mipsel-buildroot-linux-uclibc-gcc                mipsel-buildroot-linux-uclibc-objdump
mipsel-buildroot-linux-uclibc-gcc-4.9.3          mipsel-buildroot-linux-uclibc-ranlib
mipsel-buildroot-linux-uclibc-gcc-4.9.3.br_real  mipsel-buildroot-linux-uclibc-readelf
mipsel-buildroot-linux-uclibc-gcc-ar             mipsel-buildroot-linux-uclibc-size
mipsel-buildroot-linux-uclibc-gcc.br_real        mipsel-buildroot-linux-uclibc-strings
mipsel-buildroot-linux-uclibc-gcc-nm             mipsel-buildroot-linux-uclibc-strip
mipsel-buildroot-linux-uclibc-gcc-ranlib

Practice exercise

For practice you can use the router vulnerability environment (DVRF):

github.com/praetorian-i

  • Getting started

Start with DVRF_v03.bin under the Firmware directory.

Extract the firmware with binwalk:

binwalk -Me DVRF_v03.bin extracts the firmware in one step.

? /DVRF/Firmware/_DVRF_v03.bin.extracted   master  ls
192728.squashfs  piggy  squashfs-root
? /DVRF/Firmware/_DVRF_v03.bin.extracted   master  cd squashfs-root
? /DVRF/Firmware/_DVRF_v03.bin.extracted/squashfs-root   master  ls
bin  dev  etc  lib  media  mnt  proc  pwnable  sbin  sys  tmp  usr  var  www
? /DVRF/Firmware/_DVRF_v03.bin.extracted/squashfs-root   master

Run the program

b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ cp `which qemu-mipsel-static` ./
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ ls
bin  etc  media  proc     qemu-mipsel-static  sys  usr  www
dev  lib  mnt    pwnable  sbin                tmp  var
b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $

b1ack0wl@b1ack0wl-VM ~/DVRF/_DVRF_v01.bin.extracted/squashfs-root $ sudo chroot . ./qemu-mipsel-static ./pwnable/Intro/stack_bof_01 test123
Welcome to the first BoF exercise!

You entered test123
Try Again
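A small helper, added here and not part of the original post, that ties the qemu-user-static step to the chroot run above: it reads the ELF header of the target to pick the matching qemu-*-static (mipsel versus mips, arm versus armeb), copies it into the extracted rootfs and runs the program under chroot as in the session. It assumes coreutils od/printf and sudo; fake_elf_header writes a constructed 20-byte header only so the selector can be exercised offline.

```shell
# Added example (not from the original post): choose the qemu-user-static binary
# from the ELF header, then run a program inside the extracted rootfs the way the
# chroot session above does. Assumes coreutils od/printf and sudo.

elf_byte() {        # elf_byte FILE OFFSET -> one byte as unsigned decimal
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' '
}

pick_qemu_static() {   # pick_qemu_static FILE -> qemu-<arch>-static name
    f=$1
    magic=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $f" >&2; return 1; }
    data=$(elf_byte "$f" 5)      # e_ident[EI_DATA]: 1 = little endian, 2 = big endian
    m0=$(elf_byte "$f" 18)       # e_machine is two bytes in the file's own byte order
    m1=$(elf_byte "$f" 19)
    if [ "$data" = 1 ]; then machine=$((m0 + m1 * 256)); else machine=$((m0 * 256 + m1)); fi
    case "$machine" in
        8)   [ "$data" = 1 ] && echo qemu-mipsel-static || echo qemu-mips-static ;;
        40)  [ "$data" = 1 ] && echo qemu-arm-static || echo qemu-armeb-static ;;
        183) echo qemu-aarch64-static ;;
        3)   echo qemu-i386-static ;;
        62)  echo qemu-x86_64-static ;;
        *)   echo "unsupported e_machine $machine in $f" >&2; return 1 ;;
    esac
}

run_in_rootfs() {   # run_in_rootfs ROOT ./path/in/rootfs [args...]  (needs sudo)
    root=$1; bin=$2; shift 2
    q=$(pick_qemu_static "$root/$bin") || return 1
    cp "$(command -v "$q")" "$root/$q" || return 1   # same as cp `which qemu-mipsel-static` ./
    sudo chroot "$root" "./$q" "$bin" "$@"
}

# Constructed sample input: a 20-byte ELF header prefix (not a runnable binary) so
# pick_qemu_static can be tried offline. DATA is 1 (LE) or 2 (BE), MACHINE is decimal.
fake_elf_header() {   # fake_elf_header OUT DATA MACHINE
    lo=$(printf '%03o' $(($3 % 256))); hi=$(printf '%03o' $(($3 / 256)))
    printf '\177ELF\001' > "$1"                                   # magic, ELFCLASS32
    printf "\\$(printf '%03o' "$2")\\001" >> "$1"                 # EI_DATA, EI_VERSION
    printf '\000\000\000\000\000\000\000\000\000\002\000' >> "$1" # pad to 16, e_type
    if [ "$2" = 1 ]; then printf "\\$lo\\$hi" >> "$1"; else printf "\\$hi\\$lo" >> "$1"; fi
}

# e.g. run_in_rootfs ./squashfs-root ./pwnable/Intro/stack_bof_01 test123
```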

Debug the program

chroot . ./qemu-mipsel-static -g 1234 ./pwnable/Intro/stack_bof_01 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

With -g, qemu opens port 1234 as a gdb stub so a debugger can attach.

In another shell, run ./mipsel-buildroot-linux-uclibc-gdb from buildroot/output/host/usr/bin:

GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-pc-linux-gnu --target=mipsel-buildroot-linux-uclibc".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
0x767b9a80 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 fffffff8 00000041 767629b8 0000000a 767629c3 0000000b 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   81010100 7efefeff 41414141 41414141 41414141 41414141 41414141 41414141
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 00000000 ffffffff 76fff274 0040059c 00000002 004007e0
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  766e65e0 766ef270 00000000 00000000 00448cd0 76fff198 41414141 41414141
            sr       lo       hi      bad    cause       pc
      20000010 0000000a 00000000 41414140 00000000 41414141
           fsr      fir
      00000000 00739300
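Reading the register dump by eye is error-prone, so here is an added triage helper (mine, not from the post) that parses the MIPS "info registers" layout gdb printed above, reports which registers hold the fill pattern, and gives a one-line severity call. sample_dump embeds the dump from the session above; the awk script assumes gdb's alternating name-row/value-row layout for MIPS.

```shell
# Added example (not from the original post): parse gdb's MIPS "info registers"
# output (alternating name rows and value rows, value rows tagged R0/R8/R16/R24)
# and report which registers hold a fill pattern such as 41414141.

triage_regs() {        # triage_regs PATTERN < dump  -> "t2 t3 ... pc" or "none"
    awk -v pat="$1" '
    {
        n = 0
        for (i = 1; i <= NF; i++) if ($i !~ /^R[0-9]+$/) f[++n] = $i
        isval = (n > 0)                      # a value row is all 8-digit hex fields
        for (i = 1; i <= n; i++) if (length(f[i]) != 8 || f[i] !~ /^[0-9a-f]+$/) isval = 0
        if (!isval) { cnt = n; for (i = 1; i <= n; i++) name[i] = f[i]; next }
        for (i = 1; i <= n && i <= cnt; i++)
            if (f[i] == pat) hits = (hits == "" ? "" : hits " ") name[i]
    }
    END { print (hits == "" ? "none" : hits) }'
}

crash_verdict() {      # crash_verdict "<hits>" -> one-line triage note
    case " $1 " in
        *" pc "*) echo "critical: pc holds the input pattern, control flow is hijacked" ;;
        *" ra "*) echo "critical: return address overwritten by input, stack buffer overflow" ;;
        " none ") echo "info: no register holds the pattern, crash not obviously input-driven" ;;
        *)        echo "warning: only data registers tainted, needs further analysis" ;;
    esac
}

sample_dump() {        # the "i r" output from the gdb session above, verbatim
    cat <<'EOF'
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 fffffff8 00000041 767629b8 0000000a 767629c3 0000000b 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   81010100 7efefeff 41414141 41414141 41414141 41414141 41414141 41414141
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 00000000 ffffffff 76fff274 0040059c 00000002 004007e0
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  766e65e0 766ef270 00000000 00000000 00448cd0 76fff198 41414141 41414141
            sr       lo       hi      bad    cause       pc
      20000010 0000000a 00000000 41414140 00000000 41414141
           fsr      fir
      00000000 00739300
EOF
}

hits=$(sample_dump | triage_regs 41414141)   # -> t2 t3 t4 t5 t6 t7 s8 ra pc
echo "$hits"; crash_verdict "$hits"
```

For a live session, pipe the dump in instead: gdb -batch -ex 'target remote 127.0.0.1:1234' -ex c -ex 'info registers' | triage_regs 41414141.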

Using radare2

todo

