It took me three months to finish writing this article. I had so many tasks on my to-do list that, sadly, this one kept getting pushed to the bottom. Last weekend I made a promise to myself that I would finish writing it by Sunday. I successfully kept my word, and here it is: another radare2 tutorial.
Today we’ll solve a very nice challenge, “packedup”, written by ad3l for the r2con 2017 competition. It is not the first writeup I have published from the r2con competition; you can also check out “Reverse engineering a Gameboy ROM with radare2”, and make sure not to miss the cool swag I got from winning the competition.
This article is aimed at those of you who are already familiar with radare2. If you are not, I suggest you start from part 1 of my series “A Journey Into Radare2”.
So, without further ado, let’s dig into the binary.
Radare2’s development is pretty quick – the project evolves every day, so it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!
$ git clone https://github.com/radare/radare2.git
$ cd radare2
If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc.) check out the download page at the radare2 website.
As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from git is to execute:
And you’ll have the latest version from git. I usually update my version of radare2 in the morning with a scheduled task, so I can wake up to the latest version available. If you’re using radare2 often, I recommend you do the same.
You can download packedup from here. I suggest you star (★) the repository to get updates about more radare2 tutorials 🙂
First thing to do, obviously, is to execute the binary and get a basic feeling of what we are going to face.
Welcome to packedup for r2crackmes :)
Flag << MEGABEETS
When packedup is executed, it asks us for a flag. It then probably performs some checks behind the scenes to see whether the entered flag is the right one. I entered “MEGABEETS”, which is unlikely to be the correct flag, and was greeted with the fail message — “Try again!”.
Now for our favorite part, let’s open the binary with radare2 and try to figure out how packedup is checking the submitted flag:
$ r2 ./packedup
— Here be dragons.
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
I usually begin with executing aa (analyze all) or with aas (to analyze functions, symbols and more). The name is misleading because there is a lot more to analyze (check aa?), but it’s enough to start with for most of the binaries I examined. This time we’ll start straight with aaa to make things simpler and due to the binary’s small size. (You can also run radare2 with the -A flag to analyze the binary straight at startup using r2 -A ./packedup.)
Note: as I mentioned in the previous posts, starting with aaa is not always the recommended approach, since analysis is a very complicated process. I wrote more about it in this answer — read it to better understand why.
So now that we have opened our binary with radare2, we have been located automatically at the program’s entrypoint. But before we start working on the code itself, it’s a good approach to get to know our binary’s characteristics. radare2 can show us the information we need using the i command (I removed some information for the sake of readability):
type EXEC (Executable file)
machine AMD x86-64 architecture
The i command is used to get information about the opened file. It’s a wrapper around rabin2, the information extractor tool in the radare2 framework. radare2 offers a ton of information about the binary; check out i? to list the subcommands of i.
packedup is a 64-bit stripped ELF binary. Cool. Let’s move on.
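To make concrete what the i command (and rabin2 underneath it) is actually reading when it reports “EXEC”, “AMD x86-64” and “stripped”, here is an added example, not code from the original post or from the radare2 project, that parses the ELF64 file header and section header table by hand. The ELF images it inspects are constructed inline (a header plus a tiny section header table, not a runnable program and not the packedup binary); the entry address and section sizes are made-up values. A binary is considered stripped here when no section of type SHT_SYMTAB is present, which is the same signal tools like rabin2 and file use.

```python
"""Minimal ELF64 inspector reporting the basic facts radare2's `i` shows:
class, endianness, file type, machine, entry point and whether the symbol
table has been stripped."""
import struct

ELF_MAGIC = b"\x7fELF"
# e_type and e_machine values from the ELF specification
ET_TYPES = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
            3: "DYN (Shared object file)", 4: "CORE (Core file)"}
EM_MACHINES = {3: "Intel 80386", 40: "ARM", 62: "AMD x86-64 architecture",
               183: "AArch64"}
SHT_SYMTAB = 2          # section type of the full (non-dynamic) symbol table
EHDR_FMT = "HHIQQQIHHHHHH"  # Elf64_Ehdr after e_ident (48 bytes)
SHDR_FMT = "IIQQQQIIQQ"     # Elf64_Shdr (64 bytes)


def inspect_elf64(data):
    """Return a dict describing an ELF64 image, or raise ValueError."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA (endianness) value")
    endian = "<" if ei_data == 1 else ">"
    (e_type, e_machine, _e_version, e_entry, _e_phoff, e_shoff, _e_flags,
     _e_ehsize, _e_phentsize, _e_phnum, e_shentsize, e_shnum,
     _e_shstrndx) = struct.unpack(endian + EHDR_FMT, data[16:64])

    # Walk the section header table looking for a .symtab-typed section.
    has_symtab = False
    if e_shoff and e_shnum:
        if e_shentsize < 64:
            raise ValueError("bad e_shentsize for ELF64")
        for i in range(e_shnum):
            off = e_shoff + i * e_shentsize
            chunk = data[off:off + 64]
            if len(chunk) < 64:
                raise ValueError("section header table runs past end of file")
            sh_type = struct.unpack(endian + "I", chunk[4:8])[0]
            if sh_type == SHT_SYMTAB:
                has_symtab = True
                break

    return {
        "class": "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_TYPES.get(e_type, "unknown (%d)" % e_type),
        "machine": EM_MACHINES.get(e_machine, "unknown (%d)" % e_machine),
        "entry": e_entry,
        "stripped": not has_symtab,
    }


def build_sample_elf64(with_symtab):
    """Constructed minimal ELF64 image for demonstration: a header followed
    directly by a section header table (NULL section, optionally a .symtab).
    Values such as the entry address are invented; this is not a real program."""
    shdrs = [struct.pack("<" + SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]
    if with_symtab:
        # sh_name=1, sh_type=SHT_SYMTAB, sh_addralign=8, sh_entsize=24
        shdrs.append(struct.pack("<" + SHDR_FMT, 1, SHT_SYMTAB, 0, 0, 0, 0,
                                 0, 0, 8, 24))
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (LE), EI_VERSION=1,
    # EI_OSABI=0 (SYSV), then ABI version and padding (8 zero bytes)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack(
        "<" + EHDR_FMT,
        2,           # e_type: ET_EXEC
        62,          # e_machine: EM_X86_64
        1,           # e_version
        0x401000,    # e_entry (made-up)
        0,           # e_phoff: no program headers in this toy image
        64,          # e_shoff: section headers start right after the header
        0,           # e_flags
        64, 56, 0,   # e_ehsize, e_phentsize, e_phnum
        64, len(shdrs), 0)  # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(shdrs)


if __name__ == "__main__":
    for stripped in (True, False):
        info = inspect_elf64(build_sample_elf64(with_symtab=not stripped))
        for key, value in info.items():
            print("%-9s %s" % (key, hex(value) if key == "entry" else value))
        print()
```

Run it on a real file by reading its bytes and passing them to inspect_elf64; the output mirrors the type and machine lines shown above for packedup, and the stripped flag explains why radare2 has to synthesize fcn.* names instead of using symbol names.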