GSoC qualifications

Attention, people of the internet!

Gather round, we've got incredible good news for everyone!

We're incredibly happy to announce the acceptance of two students for the Google Summer of Code 2015:

David Kreuter and Sushant Dinesh.

Both students have already completed complex tasks, just as a qualification: an ESIL implementation for the 8051 architecture, and an ESIL-to-REIL converter.

We hope that they'll continue hard work at the same tempo and will make decompilation for radare2 much better Hex-Rays' decompiler.

Thank you Google for organizing this, and to OpenWall for giving us two slots!

lame picture

Rop'n'roll

You may have already read this article 8 months ago, but since we changed a lot the ROP-related syntax, we're quite sure that you won't mind reading an updated version

As attackers are moving forwards, so does the defense. Since a couple of years, every decent operating system has non-executable stack, defeating the classic 'put your shellcode on the stack and execute it' modus operanti.

This is why attackers are now using (among other things) Return Oriented Programming, also known as ROP, to bypass this protection.

Because radare2 (also) aims to be useful to exploits writers and make their life easier, it can:

  • hunt for gadgets, with a configurable depth
  • filter gadgets
  • do this for multiples archs
[0x08048320]> /R
Do you want to print 468.9K chars? (y/N)  

Well, let's filter.

[0x08048350]> /R call eax
  0x080483a3   0085c0741155  add byte [ebp + 0x551174c0], al
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483a8             55  push ebp
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483ac             ec  in al, dx
  0x080483ad           1468  adc al, 0x68
  0x080483af           24a0  and al, 0xa0
  0x080483b1           0408  add al, 8
  0x080483b3           ffd0  call eax

[0x08048350]> 

You can also display them in a linear manner, à la ROPGadget, you just have to use /Rl:

[0x08048350]> /Rl leave
0x080483b3: call eax; add esp, 0x10; leave; ret;  
0x080483b6: les edx, [eax]; leave; ret;  
0x080483ed: call ecx; add esp, 0x10; leave; ret;  
0x080483f0: les edx, [eax]; leave; ret;  
0x0804840f: call 0x8048390; mov byte [0x804a024], 1; leave; ret;  
0x08048419: or byte [ecx], al; leave; ret;  
0x08048440: call edx; add esp, 0x10; leave; jmp 0x80483c0;  
0x08048443: les edx, [eax]; leave; jmp 0x80483c0;  
0x080484af: call 0x8048320; add esp, 0x10; mov edi, dword [ebp - 4]; leave; ret;  
0x080484b3: inc dword [ebx + 0x7d8b10c4]; cld; leave; ret;  
0x080484b5: les edx, [eax]; mov edi, dword [ebp - 4]; leave; ret;  
0x080484b8: jge 0x80484b6; leave; ret;  
0x080484ee: adc byte [eax], bh; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;  
0x080484ef: mov eax, 0; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;  
0x080484f2: add byte [eax], al; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;  
0x080484f5: dec ebp; cld; leave; lea esp, [ecx - 4]; ret;  

If you're searching for a ret-to-reg gadget, you're only interested into call reg ones; you can do this with regexp, with /R/

[0x08048350]> /R/ call e[abcd]x
  0x080483a3   0085c0741155  add byte [ebp + 0x551174c0], al
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483a8             55  push ebp
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483ac             ec  in al, dx
  0x080483ad           1468  adc al, 0x68
  0x080483af           24a0  and al, 0xa0
  0x080483b1           0408  add al, 8
  0x080483b3           ffd0  call eax

  0x080483e2           89e5  mov ebp, esp
  0x080483e4         83ec10  sub esp, 0x10
  0x080483e7             50  push eax
  0x080483e8     6824a00408  push 0x804a024
  0x080483ed           ffd1  call ecx

  0x080483e5             ec  in al, dx
  0x080483e6         105068  adc byte [eax + 0x68], dl
  0x080483e9           24a0  and al, 0xa0
  0x080483eb           0408  add al, 8
  0x080483ed           ffd1  call ecx

  0x08048434   0085d274f255  add byte [ebp + 0x55f274d2], al
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048436       d274f255  sal byte [edx + esi*8 + 0x55], cl
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048438           f255  push ebp
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048439             55  push ebp
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x0804843b           e583  in eax, -0x7d
  0x0804843d             ec  in al, dx
  0x0804843e           1450  adc al, 0x50
  0x08048440           ffd2  call edx

Well, we only want the call reg part, we don't care about the previous operands:

[0x08048350]> /R/ call e[abcd]x~call
  0x080483b3           ffd0  call eax
  0x080483b3           ffd0  call eax
  0x080483b3           ffd0  call eax
  0x080483ed           ffd1  call ecx
  0x080483ed           ffd1  call ecx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx

Ho, by the way, if you want to search for several gadgets, the separator is ;, which also happen to be the one to seperate commands in r2. This is why you need to quote the whole command like this:

[0x08048350]> "/R/ inc *;ret" 
  0x08048413           ffc6  inc esi
  0x08048415     0524a00408  add eax, 0x804a024
  0x0804841a           01c9  add ecx, ecx
  0x0804841c           f3c3  ret

  0x080484b3   ff83c4108b7d  inc dword [ebx + 0x7d8b10c4]
  0x080484b9             fc  cld
  0x080484ba             c9  leave
  0x080484bb             c3  ret

  0x0804867c             41  inc ecx
  0x0804867d             c3  ret

[0x08048350]> 

It's possible to change the depth of the search, to speed-up the hunt:

[0x08048320]> e search.roplen = 4
[0x08048320]> /R mov ebp,call eax
0x08048386 call eax  
  0x0804837a         89e5  mov ebp, esp
  0x0804837c       83ec18  sub esp, 0x18
  0x0804837f c7042420a00408  mov dword [esp], 0x804a020
  0x08048386         ffd0  call eax

0x0804840f call eax  
  0x08048403         89e5  mov ebp, esp
  0x08048405       83ec18  sub esp, 0x18
  0x08048408 c70424109f0408  mov dword [esp], 0x8049f10
  0x0804840f         ffd0  call eax

[0x08048320]>

And as always, you can append j to get a JSON output.

The next step might be ROP chain assembling and manipulation, and why not automatic-construction, à la mona.py? Or maybe a semantic search powered by ESIL?

Anyway, contributions are welcome, and if you're using radare2 to pop somes shells, we'll be delighted to know about it!

We have been acquired by Hex-Rays

[edit] Of course, this article was an April fool.

img

This will be the final post here (you can now follow us on this one instead), as radare has been acquired by Hex-Rays, and the radare2 project will be soon ported to ida-python. This has several advantages :

  • Maintaining such a big software in such an old language like C is tiresome, using a high-level one will allow use to write more features in less lines of code.
  • Everyone (especially our lead-dev, pancake) enjoys Python.

Within the next few hours, we will do our best to delete all traces of the radare code base from the internet, as we no longer think that free or open-source is the best way for us to go. Closed-source will allow us to provide paying updates and bugfixes, selling formations and support, thus supporting our development expenses and fees.

You'll become also more credible to your management when you'll speak about radare2; because it has now an expensive licensing scheme, instead of being a dodgy hippie free-licensed software

Speaking of good news, as you may be aware of, Hex-Rays creates a decompiler, and the next release will be based on ESIL, adding emulation capabilities to it (a bit like x86emu) allowing much more accurate an readable decompilation!

We'd like to thank Ilfak and the whole Hex-rays crew for hiring most of the core dev, and welcoming them in their Belgium offices!

Stay tuned, and see you around a beer in Lièges :)