Debugger/radare2

THC2018

우와해커 2020. 1. 2. 17:02

I pulled only the slides I needed out of the THC2018 PDF.


v1: 2020/01/02


Seek History
> s- : undo
> s+ : redo


- Use the u and U keys to go back/forward in the visual seek history.

- In visual mode, typing ! switches to Panel mode.

- The space bar toggles between graph mode and visual mode.

- Typing Vc in the shell enters visual cursor mode.


- pds: disassembly summary
- pdc: C pseudocode


Decompilers supported by radare2
● Boomerang Abandoned
● Snowman Supported
● Retdec supported
● Radeco wip (gsoc)
● r2dec Actively maintained


Analyzing everything in a program (as aaa does) is not the right approach.

The proper way to analyze programs is not to rely on the default analysis loops under aaa, but rather understand
what each command does and which one fits better to solve the problems you are facing.
● Not all xrefs are usually required, so finding only the ones you are interested in saves time.
● anal.from/to can be used to restrict boundaries.
● aab and aac are pretty useful to find all functions and call refs.
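Putting the slide's advice together as an added example (not from the talk or the radare2 project): a small shell helper that writes an r2 script which bounds the analysis with anal.from/anal.to, runs aab and aac instead of aaa, lists the functions found and then searches only for references to one chosen symbol. The binary path, address range and symbol name are placeholders; when r2 is not on PATH the helper only writes the script.

```shell
#!/bin/sh
# Added example, not from the THC2018 slides or the radare2 project.
# Follows the "don't rely on aaa" advice: restrict the analysis range with
# anal.from/anal.to, run aab and aac, list the functions found, and look up
# only the xrefs we care about with /r. Runs r2 when it is on PATH;
# otherwise it just writes the script so it can be run later.

write_targeted_script() {
    # $1 = output script path, $2 = anal.from, $3 = anal.to, $4 = symbol for /r
    # Lines in order: bound the range, find blocks and calls, list functions,
    # then search for references to the chosen symbol.
    cat > "$1" <<EOF
e anal.from=$2
e anal.to=$3
aab
aac
afl
/r $4
EOF
}

run_targeted_analysis() {
    # $1 = binary, $2 = anal.from, $3 = anal.to, $4 = symbol (e.g. sym.imp.printf)
    script="${TMPDIR:-/tmp}/targeted.r2"
    write_targeted_script "$script" "$2" "$3" "$4"
    if command -v r2 >/dev/null 2>&1; then
        # -q quits after the commands have run, -i executes the script file
        r2 -q -i "$script" "$1" || echo "r2 exited with status $?" >&2
    else
        echo "r2 not on PATH; script written to $script" >&2
    fi
    # return the script path so callers can inspect or reuse it
    printf '%s\n' "$script"
}

# Placeholder values: adjust the binary, range and symbol to the target.
# run_targeted_analysis ./a.out 0x08048000 0x08049000 sym.imp.printf
```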


Finding code
We can search for some specific code in a binary or memory.

● /R [expr] search for ROP gadgets
● /r sym.imp.printf find references to this address
● /m search for magic headers
● Yara identify crypto algorithms
● /a [asm] assemble code and search bytes
● /A [type] find instructions of this type
● /c [code] find strstr matching instructions
● /v4 1234 search for this number in memory
● pxa disasm all possible instructions


References

Finding references to strings is an important task, and r2 has different commands that may help with the analysis.
> aav
> aae
> /r
> pD $SS @ $S~Hello


Debugging commands

We can open a process or debug it:
$ r2 -d vs r2 dbg://

ds   step
db   breakpoint
dr   show regs
dso  step over
dcu  continue-until
dx   code-inject
dc   continue
dm   memory-maps
dd   file-desc


The process state is represented by this information:
● Memory (maps, dm)
● Registers
● Threads (shared memory, unique regs)
● File Descriptors


This state can be saved and restored with the dmp command.