Reverse engineering a Gameboy ROM with radare2

Standard

 Prologue

A month ago in Barcelona I was attending to r2con for the first time. This is the official congress of the radare2 community where everyone can learn more about radare2 framework and dive deep into different aspects of reverse engineering, malware analysis, fuzzing, exploiting and more. It also the place where all of us, the contributors and developers of radare2, can meet, discuss and argue about every other line of code in the framework.

This was the second congress of radare2, after the success of the first congress in last year which was also a celebration for radare’s 10 years old birthday. This year the conference was bigger, fancier and probably organized much better. r2con was four days long, starting at September 6 and lasted until September 9. The first two days were dedicated to training and took place at Universitat de Barcelona. The other two days were talks days and took place at the MediaPro.

Crackmes Competition

During r2con this year there was a Crackmes competition where all the attendees were given with the same 5 challenges and had to publish a writeups to all the challenges they had solved. The scoring was based on the quality of the writeups along with the quantity of solved challenges.

I won the competition and got myself some cool swag!

  • Flag of radare2
  • POC | GTFO book
  • Orange PI with 3D printed case of r2con logo
  • Radare2 stickers
  • A beer 🍺

 

I thought of sharing some of my writeups with you, so you can taste a bit from what we had in the competition and so that others, coming from google, twitter and such, could learn how to use radare2 for solving different challenges. This article is aimed to those of you who are familiar with radare2. If you are not, I suggest you to start from part 1 of my series “A Journy Into Radare2”.

Getting radare2

Installation

Radare2’s development is pretty quick – the project evolves every day, therefore it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!

If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc) check out the download page at the radare2 website.

Updating

As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from the git is to execute:

And you’ll have the latest version from git. I usually update my version of radare2 in the morning, while watching cat videos.

 

Playing with Gameboy ROM

This post will describe how I solved simple.gb, a Gameboy ROM challenge written by @condret. It was actually my first time reversing a Gameboy ROM — and it was awesome!

First thing I did was to open the binary in radare2 and check for its architecture and format:

$ r2 simple.gb
— For a full list of commands see strings /dev/urandom
[0x00000100]> i~format
format   ningb
[0x00000100]> i~machine
machine  Gameboy

The i command gives us information about the binary. Check i? for more commands.

Tilde (~) is r2’s internal grep.

Surprise, surprise, it is a Gameboy ROM — dah. After reading a bit about its instruction set we should go to the mission. 

The obvious thing to do is open the ROM in an Gameboy emulator. I downloaded the good old emulator I used back in the days when I played Pokemon: VisualBoy Advance.

Let’s open the ROM in our emulator and see what we have:


Woops, wrong file. Bad habits… Let’s try again:

Cool! It’s a simple game where, by using the arrow keys, you increase/decrease 5 digits. We ‘simply’ need to find the correct password.

Continue reading

Share

A journey into Radare 2 – Part 2: Exploitation

Standard

Prologue

Welcome back to the second part of our journey into the guts of radare2! In this part we’ll cover more of the features of radare2, this time with the focus on binary exploitation.

A lot of you waited for the second part, so here it is! Hope to publish the next part faster, much faster. If you didn’t read the first part of the series I highly recommend you to do so. It describes the basics of radare2 and explains many of the commands that I’ll use here.

In this part of the series we’ll focus on exploiting a simple binary. radare2 has many features which will help us in exploitation, such as mitigation detection, ROP gadget searching, random patterns generation, register telescoping and more. You can find a Reference Sheet at the end of this post. Today I’ll show you some of these great features and together we’ll use radare2 to bypass nx protected binary on an ASLR enabled system. I assume that you are already familiar with the following prerequisites:

It’s really important to be familiar with these topics because I won’t get deep into them, or even won’t briefly explain some of them.

Updating radare2

First of all, let’s update radare2 to its newest git version:

We have a long journey ahead so while we’re waiting for the update to finish, let’s get some motivation boost — cute cats video!

 

Getting familiar with our binary

Our binary this time is quite similar to the one from the previous post with a few slight changes to the main() function:

  • Compiled without -fno-stack-protector and -z execstac to enable NX bit
  • Receives user input with scanf and not from program’s arguments
  • Uses mostly puts to print to screen
  • Little changes to the program’s output

This was the previous main():

 

And now main looks like this:

 

You can download the binary from here, and the source from here.
If you want to compile the source by yourself, use the following command:

The functionality of the binary is pretty simple and we went through it in the previous post — It asks for user input, performs rot13 on the input and compares it with the result of rot13 on the string “Megabeets”. Id est, the input should be ‘Zrtnorrgf’.

 

It’s all well and good but today our post is not about cracking a simple Crackme but about exploiting it. Wooho! Let’s get to the work.

Understanding the vulnerability

As with every exploitation challenge, it is always a good habit to check the binary for implemented security protections. We can do it with rabin2 which I demonstrated in the last post or simply by executing i from inside radare’s shell. Because we haven’t opened the binary with radare yet, we’ll go for the rabin2 method:

As you can see in the marked lines, the binary is NX protected which means that we won’t have an executable stack to rely on. Moreover, the file isn’t protected with canariespic  or relro.

Continue reading

Share

A journey into Radare 2 – Part 1: Simple crackme

Standard

Prologue

I was playing a lot with radare2 in the past year, ever since I began participating in CTFs and got deeper into RE and exploitation challenges. I found radare2 very helpful with many CTFs tasks and my solutions had shortened significantly. It’s sometimes also my go-to tool for malware analysis tasks such as configuration retrievals. Sadly, I believe that only few people are familiar with radare2. It might be because they’re afraid to break out of their comfort zone (IDA Pro, OllyDBG, gdb) or they have simply not heard of it. Either way, I honestly believe that you must include radare2 in your toolbox.

Because I got really enthusiastic about the project and I want more and more researchers to be familiar with it, use it and hopefully contribute to the project, I decided to create a series of articles and use-cases of r2. Since these articles aim to teach you the basics of radare2, its features and capabilities, I’ll explain much more than you actually need to know in order to solve each task.

Welcome to IDA 10.0. (see radare2/doc/fortunes.fun for more fortunes)

radare2

radare2 is an open source framework for reverse engineering and binaries analysis which implements a rich command line interface for disassembling, analyzing data, patching binaries, comparing data, searching, replacing, visualizing and more. It has great scripting capabilities, it runs on all major platforms (GNU/Linux, .Windows *BSD, iOS, OSX, Solaris…) and it supports tons of architectures and file formats. But maybe above all of its features stands the ideology – radare2 is absolutely libre.

This framework is composed of a set of utilities that can be used either together from r2 shell or independently – We’ll get familiar with tools such as rahash2, rabin2, ragg2. Together they create one of the most powerful tools in the field of static and dynamic analysis, hex editing and exploitation (I’ll dive deeper in the following articles).

It is important to note that r2’s learning curve is pretty steep – although r2 have a GUI and a WebUI, none of them is quite enough to compete with the GUI or the convenience of IDA, IMHO. The CLI, however, including its Visual Mode, is still the core of radare2 and where its power lays. Because of its complexity I’ll try to make things as clear and simple as I can.

This is more or less how r2 learning curve works.

This is more or less how r2 learning curve works.

Before we begin you can check out the “Unfair comparison between r2, IDA Pro and Hopper” to get an idea of what we’re dealing with.

 

Getting radare2

Installation

Radare2’s development is pretty quick – the project evolves every day, therefore it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!

If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc) check out the download page at the radare2 website.

Updating

As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from the git is to execute:

And you’ll have the latest version from git. I usually update my version of radare2 in the morning, while watching cat videos.

Uninstalling

I Can’t think of a reason for you to uninstall radare2 so early in the article but if you do have you can simply execute:

Getting Started

You can download the first challenge here.

Now that radare2 is installed on your system and you have downloaded the binary, we are ready to start exploring the basic usage of radare2. I’ll work on a Remnux machine but most of the commands and explanations (if not all of them) would be the same for Windows machines and others.

Command Line Arguments

As most command line utilities, the best approach to reveal the list of the possible arguments is to execute the program with the -h flag.

I won’t paste here the full output, Instead I’ll point out those which I usually use in my daily work:

Continue reading

Fantastic Malware and Where to Find Them

Standard

We, as malware analysts, are always in need for new samples to analyze in order to learn, train or develop new techniques and defenses. One of the most common question I get is “Where to find malware to analyze?” so I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.

If you want to add another resource to the list please inform me in the comments.

Please, be careful when using these sites. Almost all of them contain malicious files. Use with caution!

theZoo
theZoo is a project created to make the possibility of malware analysis open and available to the public.

OpenMalware
Open Malware Project by Danny Quis

contagio
Contagio is a collection of the latest malware samples, threats, observations, and analyses.

Hybrid Analysis
Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis. You can also download samples from analysis submitted by others.

AVCaesar
AVCaesar is a malware analysis engine and repository, developed by malware.lu

Das Malwerk
DAS MALWERK collects executable malware from all kinds of shady places on the internet

KernelMode.info
An active community devoted to malware analysis and kernel development

MalShare
The MalShare Project is a collaborative effort to create a community driven public malware repository that works to build additional tools to benefit the security community at large.

 

MalwareBlacklist
Repository of Malware URLs and Samples

Malwr
Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back. You can also download samples from analysis submitted by others.

Virusign
Virusign downloads malware and sort files in order of relevance, for researchers to download samples and analyze them to create new signatures.

VirusShare
A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Malwarebytes Research Center
Forums to post new threats and urls

Mobile Malware (Google Group)
A mailing list for researching mobile malware. This group allows material related to new mobile malware samples, analysis, new techniques, questions pertaining to the field, and other related material.

SecuBox Lab
Repository of french team called MAD (Malware Analysis & Diagnostic)

Malekal
Malekal’s collection of malware

Malc0de
An updated database of domains hosting malicious executables.

VX Vault
S!Ri.URZ Collection of malware and urls

Scumware
Providing access to database which contains data such as: URL, MD5, IP, TLD, etc

Sucuri Malware Labs
Latest findings that Sucuri Labs seeing in the “wild”

Zeus Tracker
ZeuS Tracker provides you the possiblity to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files.

Fedeo Tracker
A list of Feodo botnet C&C servers tracked by Feodo Tracker.

Cybercrime Tracker
Lists the C&C panels of certain in-the-wild botnets.

Again, please be careful when using these sites. Almost all of them contain malicious files. Use with caution!

 

Share

[Pragyan CTF] The Karaboudjan

Standard

Description

The Karaboudjan | Forensics 150 pts

Captain Haddock is on one of his ship sailing journeys when he gets stranded off the coast of North Korea. He finds shelter off a used nuke and decides to use the seashells to engrave a message on a piece of paper. Decrypt the message and save Captain Haddock.

->-.>-.—.–>-.>.>+.–>–..++++.


.+++.


.->-.->-.++++++++++.+>+++.++.-[->+++<]>+.+++++.++++++++++..++++[->+++<]>.–.->–.>.

clue.zip

 

This was funny challenge, I struggled with that Brainfuck but all it was is just brainfuck. Nothing more, we don’t need it to solve the challenge. Sorry guys.

I downloaded the zip file which was encrypted, I then cracked it using “fcrakzip” and dictionary attack. And found that the password is “dissect“. Inside the zip was a pcap file with one packet:

 

That’s it, we got the flag 🙂

The flag was pragyanctf{5n00p_d099}

Share