1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Using Radare2 for Binary Patch

Discussion in 'Tutorials' started by Fallschirmjäger, Oct 20, 2016.

  1. Fallschirmjäger

    Fallschirmjäger New Member

    Joined:
    Oct 19, 2016
    Messages:
    4
    Likes Received:
    7
    Code:
    Note: radare2 is supposed to be cross-platform tools, but on this tutorial I'm using Arch Linux
    [​IMG]

    Introduction

    >What is radare2?
    From github: r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. Radare project started as a forensics tool, a scriptable commandline hexadecimal editor able to open disk files, but later support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, ..
    Link: GitHub - radare/radare2: unix-like reverse engineering framework and commandline tools
    >pros and cons?
    A brief completely unfair comparisons beetween IDA, r2, and Hopper comparisons · radare/radare2 Wiki · GitHub. Yes, you can use radare2 on your Android, just cross-compile it with ndk toolchain.​
    >How to install this?
    I'm not going to explain how to install this. Just goto their github repo and google in case you have problem(s) while building it. If you're using Kali Linux, i'd suggest you for install from their git since radare2 package is really old on Kali.​
    >How to use?
    I only explain some basic command for r2, look their wiki for command cheatsheet. Or add ? every command for show help(exp: wa?, is?, i?, etc.)​
    >Why?
    I'm on tight schedule in last few weeks. But i have prepared a spare time for pwning ctf and Modding on weekend(Saturday). The problem is firing up IDA to load ~10MB files took long time on my old laptop(You can turn off the auto analysis though). Generally, In this tutorial i'll explain how to use disassembler without auto-analysis.​

    Main Content

    For example, i'm going to mod DemonSouls (ActionRPG) - VER 2.3.9, Playstore link. Our goals are make unlimited money and stone mods without using auto-analysis.
    1. Decompile or unzip apk, and goto lib/armeabi/ (Self explanatory)
    2. Create a backup file(copy) for libcocos2dlua.so (*optional*, you can use "e io.cache=true" and commit after you're sure about the changes)
    3. Load libcocos2dlua.so into r2 with write mode
    Code:
    r2 libcocos2dlua.so -w
    I'm new for radare2, if you know a better solution rather than use -w arg, just reply to this thread. Yes, it'll spawn r2 shell.
    4. Lookup for *Stone symbols and *Money symbols
    Code:
    is ~getStone
    is for print all symbols information insde binary, and ~ used for grep the output. Why not use pipeline grep like usually used on terminal? Ater some tests, its best to use radare2 grep than pipelining(It'll throw out error on android)
    output:
    Code:
    vaddr=0x004918d6 paddr=0x004918d6 ord=16065 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKPlayer::getStone
    vaddr=0x0053b232 paddr=0x0053b232 ord=25463 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKMonster::getStoneImg
    do the same for Money. Note that grep(~) is case-sensitive.
    5. After getting the virtual address(vaddrr), seek to that offset.
    Code:
    s 0xvaddr_offset
    or
    Code:
    s sym.symname
    On this tutorial example, seek to LKPlayer::getStone, so it'll be
    Code:
    s sym.LKPlayer::getStone
    6. Analyze the function, use af or aF. Then disassemble function, pdf.
    output:
    Code:
    [0x004918d6]> aF
    [0x004918d6]> pdf
    ╒ (fcn) sym.LKPlayer::getStone 6
    │   sym.LKPlayer::getStone ();
    │           0x004918d6      fc30           r0 += 0xfc
    │           0x004918d8      806d           r0 = [r0 + 0x58]
    ╘           0x004918da      7047           bx lr 
    7. Back to our goals, since we need a really high value. Just return r7(mov r0, r7;bx lr). For write opcode to binary, use wa command. More info use wa?.
    Code:
    [0x004918d6]> wa mov r0, r7
    Written 2 bytes (mov r0, r7) = wx 3846
    [0x004918d6]> so 1
    [0x004918d8]> wa bx lr
    Written 2 bytes (bx lr) = wx 7047
    so 1, used for seek to next opcode. Do the same for Money.
    8. Check if the patch is properly written, use pdf @ sym.symbolname or pdf @ vaddr, if yes then exit r2 shell.
    Code:
    [0x004918d8]> pdf
    ╒ (fcn) sym.LKPlayer::getStone 6
    │   sym.LKPlayer::getStone ();
    │           0x004918d6      3846           mov r0, r7
    │           0x004918d8      7047           bx lr
    ╘           0x004918da      7047           bx lr
    And yes, its written properly. yay!
    9. Just to make sure if changes are made, use binary diff.
    Code:
    circleous@WINDOWS > ~Work/.../armeabi $ radiff2  libcocos2dlua.so libpatch.so -D
    --- 0x004918ca
    adds r0, 0xfc
    ldr r0, [r0, 0x54]
    
    +++ 0x004918ca
    mov r0, r7
    bx lr
    
    --- 0x004918d6
    adds r0, 0xfc
    ldr r0, [r0, 0x58]
    
    +++ 0x004918d6
    mov r0, r7
    bx lr
    10. End.​

    After words

    Radare2 is a great tool to explore despite it being free(compared to IDA, hopper, and Binary Ninja). The supported arch can be seen with rasm2 -L. It has large community and many How to use tutorial writeup.

    Quote
    Code:
    [0x00000000]> fo
    -- This software comes with no brain included. Please use your own.

    Some useful links:
    Git: GitHub - radare/radare2: unix-like reverse engineering framework and commandline tools
    Cheatsheet: cheatsheets/radare2.md at master · pwntester/cheatsheets · GitHub
    EBook: introduction · Radare2 Book

     
    #1 Fallschirmjäger, Oct 20, 2016
    Last edited: Oct 23, 2016
    NEMESIS and ZEDjy like this.
Loading...
  • About Us

    Android Republic - Android Game Hacks - Offering only the most advanced and exclusive android hacks, protections like Xigncode are easily bypassed by our team.

    Exclusive Android hacks, android protections cracked, only the best available games, here you will find only the best games such as Kritika, Summoners War, Raven, Dragon Striker, Avabel, Evil Bane, 7knights and seven knights, Darkness Reborn, Soul Seeker all fully hacked and waiting for you! easy xigncode and dxshield bypass too!, way better than alpha gamers or alphagamers no need for booster or root, simple the best android cheat apk available.