Fallschirmjäger
10/19/16
Note: radare2 is supposed to be a cross-platform tool, but in this tutorial I'm using Arch Linux.
Introduction
>What is radare2?
From github: r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. Radare project started as a forensics tool, a scriptable commandline hexadecimal editor able to open disk files, but later support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, ...
Link:
>Pros and cons?
Link: A brief, completely unfair comparison between IDA, r2, and Hopper. Yes, you can use radare2 on your Android; just cross-compile it with the NDK toolchain.
>How to install this?
I'm not going to explain how to install this. Just go to their github repo and google in case you have problem(s) while building it. If you're using Kali Linux, I'd suggest installing from their git, since the radare2 package is really old on Kali.
>How to use?
I only explain some basic commands for r2; look at their wiki for a command cheatsheet. Or append ? to any command to show its help (e.g. wa?, is?, i?, etc.).
>Why?
I've been on a tight schedule in the last few weeks, but I have set aside some spare time for pwning CTFs and modding on the weekend (Saturday). The problem is that firing up IDA to load ~10MB files takes a long time on my old laptop (you can turn off the auto-analysis though). Generally, in this tutorial I'll explain how to use a disassembler without auto-analysis.
Main Content
For example, I'm going to mod DemonSouls (ActionRPG) - VER 2.3.9, Playstore link. Our goals are to make unlimited money and stone mods without using auto-analysis.
1. Decompile or unzip the apk, and go to lib/armeabi/ (self explanatory).
2. Create a backup file (copy) of libcocos2dlua.so (*optional*, you can use "e io.cache=true" and commit after you're sure about the changes).
3. Load libcocos2dlua.so into r2 in write mode:
Code:
r2 libcocos2dlua.so -w
I'm new to radare2; if you know a better solution than using the -w arg, just reply to this thread. Yes, it'll spawn the r2 shell.
4. Look up the *Stone symbols and *Money symbols:
Code:
is ~getStone
is prints all symbol information inside the binary, and ~ is used to grep the output. Why not use a grep pipeline like you usually would on the terminal? After some tests, it's best to use radare2's grep rather than pipelining (it'll throw an error on Android).
output:
Code:
vaddr=0x004918d6 paddr=0x004918d6 ord=16065 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKPlayer::getStone
vaddr=0x0053b232 paddr=0x0053b232 ord=25463 fwd=NONE sz=6 bind=UNKNOWN type=FUNC name=LKMonster::getStoneImg
Do the same for Money. Note that grep (~) is case-sensitive.
5. After getting the virtual address (vaddr), seek to that offset:
Code:
s 0xvaddr_offset
or
Code:
s sym.symname
In this tutorial's example, seek to LKPlayer::getStone, so it'll be
Code:
s sym.LKPlayer::getStone
6. Analyze the function with af or aF. Then disassemble the function with pdf.
output:
Code:
[0x004918d6]> aF
[0x004918d6]> pdf
╒ (fcn) sym.LKPlayer::getStone 6
│ sym.LKPlayer::getStone ();
│ 0x004918d6 fc30 r0 += 0xfc
│ 0x004918d8 806d r0 = [r0 + 0x58]
╘ 0x004918da 7047 bx lr
7. Back to our goals: since we need a really high value, just return r7 (mov r0, r7; bx lr). To write opcodes to the binary, use the wa command. For more info use wa?.
Code:
[0x004918d6]> wa mov r0, r7
Written 2 bytes (mov r0, r7) = wx 3846
[0x004918d6]> so 1
[0x004918d8]> wa bx lr
Written 2 bytes (bx lr) = wx 7047
so 1 is used to seek to the next opcode. Do the same for Money.
8. Check that the patch is properly written, using pdf @ sym.symbolname or pdf @ vaddr; if so, exit the r2 shell.
Code:
[0x004918d8]> pdf
╒ (fcn) sym.LKPlayer::getStone 6
│ sym.LKPlayer::getStone ();
│ 0x004918d6 3846 mov r0, r7
│ 0x004918d8 7047 bx lr
╘ 0x004918da 7047 bx lr
And yes, it's written properly. Yay!
9. Just to make sure the changes are made, use binary diff:
Code:
circleous@WINDOWS > ~Work/.../armeabi $ radiff2 libcocos2dlua.so libpatch.so -D
--- 0x004918ca
adds r0, 0xfc
ldr r0, [r0, 0x54]
+++ 0x004918ca
mov r0, r7
bx lr
--- 0x004918d6
adds r0, 0xfc
ldr r0, [r0, 0x58]
+++ 0x004918d6
mov r0, r7
bx lr
10. End.
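As an added example (not code from the post), here is a small Python script that does what the radiff2 -D step shows: it byte-diffs the original and patched function bodies and decodes the changed 16-bit Thumb halfwords, which is also how you would check whether a shipped library matches the bytes you expect. The sample bytes are the six bytes of LKPlayer::getStone quoted above (constructed from the pdf output), and the decoder only covers the four Thumb encodings that appear in this post.

```python
"""Byte-diff two copies of a function and decode the changed Thumb-16 halfwords."""
import struct

# Constructed sample: the 6-byte body of LKPlayer::getStone as shown by pdf
# (adds r0,#0xfc ; ldr r0,[r0,#0x58] ; bx lr) and the same bytes after wa.
ORIGINAL = bytes.fromhex("fc30806d7047")
PATCHED = bytes.fromhex("384670477047")
BASE = 0x004918D6  # vaddr of the function, from the `is ~getStone` output


def decode_thumb16(hw: int) -> str:
    """Decode the handful of 16-bit Thumb encodings that appear in the post."""
    if hw >> 11 == 0b00110:                     # ADDS Rdn, #imm8 (T2)
        return f"adds r{(hw >> 8) & 7}, 0x{hw & 0xff:x}"
    if hw >> 11 == 0b01101:                     # LDR Rt, [Rn, #imm5*4] (T1)
        imm = ((hw >> 6) & 0x1F) * 4
        return f"ldr r{hw & 7}, [r{(hw >> 3) & 7}, 0x{imm:x}]"
    if hw >> 8 == 0b01000110:                   # MOV Rd, Rm (T1, any register)
        rd = (((hw >> 7) & 1) << 3) | (hw & 7)
        return f"mov r{rd}, r{(hw >> 3) & 0xF}"
    if hw >> 7 == 0b010001110:                  # BX Rm
        rm = (hw >> 3) & 0xF
        return "bx lr" if rm == 14 else f"bx r{rm}"
    return f".hword 0x{hw:04x}"                 # anything else: raw halfword


def halfwords(blob: bytes, base: int):
    """Yield (vaddr, halfword) pairs; Thumb code is little-endian 16-bit units."""
    for off in range(0, len(blob) - 1, 2):
        yield base + off, struct.unpack_from("<H", blob, off)[0]


def diff_thumb(orig: bytes, patched: bytes, base: int):
    """Return (vaddr, old_insn, new_insn) for every halfword that differs,
    i.e. the information radiff2 -D prints for the patched function."""
    changes = []
    for (addr, a), (_, b) in zip(halfwords(orig, base), halfwords(patched, base)):
        if a != b:
            changes.append((addr, decode_thumb16(a), decode_thumb16(b)))
    return changes


if __name__ == "__main__":
    for addr, old, new in diff_thumb(ORIGINAL, PATCHED, BASE):
        print(f"0x{addr:08x}: {old!r} -> {new!r}")
```

Note that wa reports the bytes in file order ("wx 3846"), so the halfword value is 0x4638; the script reads them the same way, which is why the decoded text matches the pdf listing.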
Afterwords
Radare2 is a great tool to explore despite being free (compared to IDA, Hopper, and Binary Ninja). The supported archs can be listed with rasm2 -L. It has a large community and many how-to tutorial writeups.
Quote
Code:
[0x00000000]> fo
-- This software comes with no brain included. Please use your own.
Some useful links:
Git:
Cheatsheet:
EBook: