Determine type of file
file filename
High Level Overview of process
To view plaintext (potentially passwords and text printing to screen)
Try simple buffers to input functions (the print form below works on both Python 2 and 3):
python -c 'print("A"*2000)'
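The one-liner above has to be re-run by hand for every length. The script below is an added example (not part of the original notes) that feeds a binary inputs of increasing length on stdin and records how each run exits, so a crash threshold shows up in one pass. The target command, the lengths and the stand-in target used by self_check() are all assumptions: self_check() runs the Python interpreter itself with a constructed stub that fakes a crash once it has read more than 64 bytes, so the example runs offline without a real vulnerable binary.

```python
# Added example: probe a binary's stdin with growing buffers and classify
# how each run ended. Not code from the original notes; the target and
# lengths are whatever the caller passes in.
import signal
import subprocess
import sys

# Exit-by-signal codes that usually mean memory corruption (SIGBUS may be
# absent on some platforms, hence getattr).
CRASH_SIGNALS = {
    int(s) for s in (getattr(signal, n, None) for n in ("SIGSEGV", "SIGABRT", "SIGBUS"))
    if s is not None
}


def make_buffer(length, fill=b"A"):
    """Build a stdin payload of `length` filler bytes plus a newline."""
    return fill * length + b"\n"


def probe(cmd, lengths, timeout=5):
    """Run `cmd` (an argv list) once per length with make_buffer(n) on stdin.

    Returns {length: returncode}. subprocess reports a signal death as a
    negative code, so -11 is SIGSEGV. A hang is recorded as None.
    """
    results = {}
    for n in lengths:
        try:
            proc = subprocess.run(cmd, input=make_buffer(n),
                                  capture_output=True, timeout=timeout)
            results[n] = proc.returncode
        except subprocess.TimeoutExpired:
            results[n] = None
    return results


def crashed(rc):
    """True when a return code from probe() is a crash signal."""
    return rc is not None and rc < 0 and -rc in CRASH_SIGNALS


def first_crash(results):
    """Smallest input length whose run crashed, or None if none did."""
    hits = sorted(n for n, rc in results.items() if crashed(rc))
    return hits[0] if hits else None


# Constructed stand-in target: reads stdin and kills itself with SIGSEGV
# once more than 64 bytes arrived. Only here so the example runs offline.
_STUB = ("import os, signal, sys\n"
         "data = sys.stdin.buffer.read().rstrip(b'\\n')\n"
         "if len(data) > 64:\n"
         "    os.kill(os.getpid(), signal.SIGSEGV)\n")


def self_check(lengths=(16, 64, 128)):
    """Probe the stand-in target; returns (results, first crashing length)."""
    results = probe([sys.executable, "-c", _STUB], lengths)
    return results, first_crash(results)


if __name__ == "__main__":
    # Usage against a real binary: python probe.py ./filename
    target = sys.argv[1:] or None
    lengths = (16, 64, 128, 256, 512, 1024, 2000)
    res = probe(target, lengths) if target else self_check()[0]
    for n in lengths if target else (16, 64, 128):
        rc = res[n]
        print(f"{n:5d} bytes -> rc={rc} {'CRASH' if crashed(rc) else ''}")
    print("first crash at:", first_crash(res))
```

A negative return code is only a starting point: the length that first crashes tells you roughly where the buffer ends, and the disassembly (see the gdb notes further down) tells you which read caused it.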
to view library calls
to view system calls
Break down and disassemble
set disassembly-flavor intel
disass main
review the calls and any cmp and jne instructions. These may lead to potential passwords: the value used in the compare (cmp) followed by a jump-if-not-equal (jne) is often the expected input.
viewing functions may be an easy win
info functions
call <name of interesting function>
to start
r2 -d filename
start code analysis
> aaa
to print all functions
to move location to main function (seek to location of function main)
>s [name of main function from previous command]
to view the disassembly of current function
to enter visual mode, helpful for stepping through and debugging
to see visual mode like IDA
# you can hit ? to view all options within this mode
to see visual mode that also shows registers, stack and disassembly
to enter command mode
: #colon enters the command mode
to exit command mode
[enter key] #enter key exits command mode
to run the application with parameters in debug
>:ood [parameter] #initiate
>:dc #execute
set a breakpoint
>:db 0x00460649
then above two commands to rerun
to view registers
to view hex dump of bytes
:pxq #show hexadecimal quad-words dump (64bit)
:pxw #show hexadecimal words dump (32bit)
to step once
to enter cursor mode (to manually set breakpoints)
use arrows to move around and tab to switch panes
to set breakpoint in cursor mode use
Remember to view help at any time in radare, it's simply "?". Also when in visual mode, use ":" to enter cmd mode and <enter> to exit cmd mode.
to start
gdb filename
disassemble main function
disassemble main
start with inspecting functions (note: gets and strcpy are vulnerable to buffer overflows)
> info functions
to find the size of the vulnerable buffer in the instance of a gets or strcpy:
Look for something similar to the following right before the call
lea eax,[esp+0x1e]
in the preceding case the buffer is 30 bytes (0x1e in decimal)
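Reading the buffer offset out of a disassembly listing is the kind of thing worth scripting once you have several functions to check. The following is an added example, not code from the original notes: it parses Intel-syntax lea lines as shown above, and scans a gdb-style listing for calls to the unsafe reads named in these notes (gets, strcpy) reporting the last lea before each call, which is the pairing the notes describe. SAMPLE_DISASM is a constructed listing built to match the lea in the notes; the addresses in it are made up, and the set of sink names is an assumption you can extend.

```python
# Added example: extract buffer offsets from Intel-syntax lea instructions
# and pair them with the unsafe call that follows. Not from the original notes.
import re

# "lea eax,[esp+0x1e]" or "lea rax,[rbp-0x40]" (gdb with disassembly-flavor intel)
LEA_RE = re.compile(
    r"\blea\s+(\w+)\s*,\s*\[\s*(\w+)\s*([+-])\s*(0x[0-9a-fA-F]+|\d+)\s*\]"
)
# "call 0x80482f0 <gets@plt>" -> captures "gets"
CALL_RE = re.compile(r"\bcall\b.*<(\w+)(?:@plt)?>")

# Constructed sample listing (made-up addresses) in gdb's "disassemble" format.
SAMPLE_DISASM = """\
   0x0804841d <+0>:     push   ebp
   0x0804841e <+1>:     mov    ebp,esp
   0x08048420 <+3>:     sub    esp,0x38
   0x08048423 <+6>:     lea    eax,[esp+0x1e]
   0x08048427 <+10>:    mov    DWORD PTR [esp],eax
   0x0804842a <+13>:    call   0x80482f0 <gets@plt>
   0x0804842f <+18>:    leave
   0x08048430 <+19>:    ret
"""


def parse_lea(line):
    """Return {'dst', 'base', 'offset'} for a lea line, or None if no match.

    offset is signed: [esp+0x1e] -> 30, [rbp-0x40] -> -64.
    """
    m = LEA_RE.search(line)
    if not m:
        return None
    dst, base, sign, imm = m.groups()
    off = int(imm, 0)  # base 0 handles both 0x1e and plain decimal
    return {"dst": dst, "base": base, "offset": off if sign == "+" else -off}


def buffer_size(line):
    """The decimal buffer offset the notes compute (30 for [esp+0x1e])."""
    parsed = parse_lea(line)
    return None if parsed is None else abs(parsed["offset"])


def find_buffer_reads(disasm, sinks=("gets", "strcpy", "strcat", "sprintf")):
    """Pair each call to an unsafe read with the last lea that preceded it."""
    findings = []
    last_lea = None
    for line in disasm.splitlines():
        lea = parse_lea(line)
        if lea is not None:
            last_lea = (line.strip(), lea)
            continue
        m = CALL_RE.search(line)
        if m and m.group(1) in sinks:
            entry = {"sink": m.group(1), "call": line.strip()}
            if last_lea is not None:
                entry["lea"] = last_lea[0]
                entry["size"] = abs(last_lea[1]["offset"])
            findings.append(entry)
            last_lea = None  # do not reuse one lea for two calls
    return findings


if __name__ == "__main__":
    # Usage: paste the output of "disassemble main" into a file and pass it,
    # or run with no argument to analyse the constructed sample.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DISASM
    for f in find_buffer_reads(text):
        print(f"{f['sink']}: buffer offset {f.get('size', '?')} bytes  ({f.get('lea', 'no lea found')})")
```

The offset is taken relative to whatever register the lea uses; for an esp-relative lea like the one in the notes that is the distance from the stack pointer at the call, which is the 30 bytes the notes arrive at.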
if looking for a flag and you find a flag-type function
(gdb) break main
(gdb) r
(gdb) call <nameofflagfunction>
#If the function requires an argument, pass it to call with the following syntax
#in this case 1234
(gdb) call <nameofflagfunction>(1234)
download ghidra from website (
create new project
click the dragon icon (code browser)
file->import file-> target app
analyze it->select all->go
To start off looking at main function: functions->main (on the left hand side under symbol tree)