Using Radare2 for Binary Patch

Fallschirmjäger

10/19/16
Note: radare2 is supposed to be a cross-platform tool, but in this tutorial I'm using Arch Linux.

Introduction

>What is radare2?
From GitHub: r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, ...
Link: GitHub - radare/radare2: unix-like reverse engineering framework and commandline tools
>Pros and cons?
A brief, completely unfair comparison between IDA, r2, and Hopper: see the "comparisons" page on the radare/radare2 GitHub wiki. Yes, you can use radare2 on your Android device; just cross-compile it with the NDK toolchain.
>How to install this?
I'm not going to explain how to install it. Just go to their GitHub repo, and google in case you have problem(s) while building it. If you're using Kali Linux, I'd suggest installing from their git, since the radare2 package on Kali is really old.
>How to use?
I only explain some basic commands for r2; look at their wiki for a command cheatsheet, or append ? to any command to show its help (e.g. wa?, is?, i?, etc.).
>Why?
I've been on a tight schedule these last few weeks, but I have set aside some spare time for pwning CTFs and modding on the weekend (Saturday). The problem is that firing up IDA to load ~10MB files took a long time on my old laptop (you can turn off the auto-analysis, though). Generally, in this tutorial I'll explain how to use a disassembler without auto-analysis.

Main Content

For example, I'm going to mod DemonSouls (ActionRPG) - VER 2.3.9, Playstore link. Our goals are unlimited money and stones, without using auto-analysis.
1. Decompile or unzip the apk, and go to lib/armeabi/ (self-explanatory).
2. Create a backup (copy) of libcocos2dlua.so (*optional*; you can use "e io.cache=true" and commit after you're sure about the changes).
3. Load libcocos2dlua.so into r2 in write mode:
Code:
r2 libcocos2dlua.so -w
I'm new to radare2; if you know a better solution than using the -w arg, just reply to this thread. Yes, it'll spawn an r2 shell.
4. Look up the *Stone symbols and *Money symbols:
Code:
is ~getStone
is prints all symbol information inside the binary, and ~ greps the output. Why not pipe to grep as you usually would on the terminal? After some tests, it's best to use radare2's grep rather than piping (it throws an error on Android).
output:
Code:
vaddr=0x004918d6 paddr=0x004918d6 ord=16065 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKPlayer::getStone
vaddr=0x0053b232 paddr=0x0053b232 ord=25463 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKMonster::getStoneImg
Do the same for Money. Note that grep (~) is case-sensitive.
5. After getting the virtual address (vaddr), seek to that offset:
Code:
s 0xvaddr_offset
or
Code:
s sym.symname
In this tutorial's example we seek to LKPlayer::getStone, so it'll be
Code:
s sym.LKPlayer::getStone
6. Analyze the function with af or aF, then disassemble it with pdf.
output:
Code:
[0x004918d6]> aF
[0x004918d6]> pdf
╒ (fcn) sym.LKPlayer::getStone 6
│   sym.LKPlayer::getStone ();
│           0x004918d6      fc30           r0 += 0xfc
│           0x004918d8      806d           r0 = [r0 + 0x58]
╘           0x004918da      7047           bx lr
7. Back to our goals: since we need a really high value, just return r7 (mov r0, r7; bx lr). To write opcodes to the binary, use the wa command. For more info use wa?.
Code:
[0x004918d6]> wa mov r0, r7
Written 2 bytes (mov r0, r7) = wx 3846
[0x004918d6]> so 1
[0x004918d8]> wa bx lr
Written 2 bytes (bx lr) = wx 7047
so 1 seeks to the next opcode. Do the same for Money.
8. Check that the patch is written properly with pdf @ sym.symbolname or pdf @ vaddr; if it is, exit the r2 shell.
Code:
[0x004918d8]> pdf
╒ (fcn) sym.LKPlayer::getStone 6
│   sym.LKPlayer::getStone ();
│           0x004918d6      3846           mov r0, r7
│           0x004918d8      7047           bx lr
╘           0x004918da      7047           bx lr
And yes, it's written properly. Yay!
9. Just to make sure the changes were made, use a binary diff.
Code:
circleous@WINDOWS > ~Work/.../armeabi $ radiff2  libcocos2dlua.so libpatch.so -D
--- 0x004918ca
adds r0, 0xfc
ldr r0, [r0, 0x54]

+++ 0x004918ca
mov r0, r7
bx lr

--- 0x004918d6
adds r0, 0xfc
ldr r0, [r0, 0x58]

+++ 0x004918d6
mov r0, r7
bx lr
10. End.
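Step 9 relies on radiff2 to show what changed. As an added example that is not part of the original post, here is a stand-alone Python check that diffs a function's bytes halfword by halfword and decodes the four Thumb-16 encodings that appear in the listings above, so you can confirm that only the two intended instructions changed; the byte strings and the vaddr are constructed from the pdf output above, and the decoder deliberately covers only those encodings.

```python
# Added example (not from the original post): a tiny Thumb-16 decoder plus a
# halfword-level diff, so a patch like the one above can be verified without
# trusting the patcher's own output. The decoder covers only the encodings
# that appear in this write-up; anything else is reported as unknown.

def decode_thumb16(hw: int) -> str:
    """Decode one 16-bit Thumb halfword (already assembled from little-endian bytes)."""
    if hw >> 11 == 0b00110:                      # ADDS Rd, #imm8
        return f"adds r{(hw >> 8) & 7}, #0x{hw & 0xff:x}"
    if hw >> 11 == 0b01101:                      # LDR Rt, [Rn, #imm5*4]
        return f"ldr r{hw & 7}, [r{(hw >> 3) & 7}, #0x{((hw >> 6) & 0x1f) * 4:x}]"
    if hw >> 8 == 0b01000110:                    # MOV Rd, Rm (high-register form)
        rd = ((hw >> 7) & 1) << 3 | (hw & 7)
        return f"mov r{rd}, r{(hw >> 3) & 0xf}"
    if hw >> 7 == 0b010001110:                   # BX Rm
        rm = (hw >> 3) & 0xf
        return "bx " + ("lr" if rm == 14 else f"r{rm}")
    return f"<unknown 0x{hw:04x}>"


def diff_thumb(orig: bytes, patched: bytes, base: int) -> list:
    """Return (vaddr, old_insn, new_insn) for every halfword that differs."""
    if len(orig) != len(patched) or len(orig) % 2:
        raise ValueError("inputs must be equal-length and halfword aligned")
    changes = []
    for off in range(0, len(orig), 2):
        a = int.from_bytes(orig[off:off + 2], "little")
        b = int.from_bytes(patched[off:off + 2], "little")
        if a != b:
            changes.append((base + off, decode_thumb16(a), decode_thumb16(b)))
    return changes


def patch_is_exactly(orig: bytes, patched: bytes, base: int, expected_vaddrs) -> bool:
    """True iff the only modified halfwords are at the addresses we intended."""
    return {addr for addr, _, _ in diff_thumb(orig, patched, base)} == set(expected_vaddrs)


# Constructed sample: the 6-byte LKPlayer::getStone body from the pdf output
# above, before and after the two wa commands (bytes exactly as r2 printed them).
GETSTONE_VADDR = 0x004918d6
ORIG = bytes.fromhex("fc30" "806d" "7047")     # adds r0,#0xfc ; ldr r0,[r0,#0x58] ; bx lr
PATCHED = bytes.fromhex("3846" "7047" "7047")  # mov r0,r7 ; bx lr ; bx lr

if __name__ == "__main__":
    for addr, old, new in diff_thumb(ORIG, PATCHED, GETSTONE_VADDR):
        print(f"0x{addr:08x}: {old:24s} -> {new}")
    print("only intended halfwords changed:",
          patch_is_exactly(ORIG, PATCHED, GETSTONE_VADDR, [0x4918d6, 0x4918d8]))
```

The same check works on a whole .so when you slice the function's bytes out of the original and patched files at the paddr that is prints.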

Afterword

Radare2 is a great tool to explore despite being free (compared to IDA, Hopper, and Binary Ninja). The supported architectures can be listed with rasm2 -L. It has a large community and many how-to tutorials and writeups.

Quote
Code:
[0x00000000]> fo
-- This software comes with no brain included. Please use your own.

Some useful links:
Git: GitHub - radare/radare2: unix-like reverse engineering framework and commandline tools
Cheatsheet: cheatsheets/radare2.md at master · pwntester/cheatsheets · GitHub
EBook: introduction · Radare2 Book
