Reverse Analysis under Linux - A First Look

Krematorij

Environment Information
System information: UOS Home Edition 21.3

Tools involved: gcc, edb-debugger, ghidra, radare2
Note: This is a translation into English of an article I wrote previously; if you cannot see a message, I will improve the translation.
Code:
edb-debugger installation
# Install the build dependencies // on UOS, enable developer mode first to get root privileges
apt-get install git pkg-config cmake build-essential libboost-dev \
    libqt5xmlpatterns5-dev qtbase5-dev qt5-default libgraphviz-dev \
    libqt5svg5-dev libcapstone-dev

# Build and run // if you only intend to run edb-debugger from the build directory
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build
cd build
cmake ..
make
./edb

# Alternatively, install system-wide for all users (from the edb-debugger directory)
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/ ..
make
make install
edb
Test code test.c
C:
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>   /* not used by this version of the program */

int main(void) {
    puts("test");
    return 0;
}
Compile it with gcc to produce the hello binary analysed below.

Basic information
Use r2 -A ./hello to open the file to be analysed. Command explanation: -A runs the "aaa" command on startup, which analyses all functions and referenced code.

it // command explanation: compute the file hash information
iI // command explanation: display the binary's header information
ii // command explanation: display the file's imports
iz // command explanation: list the strings in the data sections
iE // command explanation: list the exports (global symbols)
afl // command explanation: list the functions found by analysis
s main // seek to the address of main. Command explanation: to move around the file we are examining, change the current offset with the s command.
px // hex view at the current offset
pdf // disassemble the function at the current offset
Or use the pdf@main command // @ temporarily seeks to the named function for that one command
Or use agf to view the function's basic-block graph
View the hex dump at the crucial addresses (the "test" string that main passes to puts)
Note: If you cannot get on with the command line, enter the v command to open the visual panels interface.
Debugging
  • Run after loading
Open the generated hello file in edb; it detects the program entry point and pauses there automatically.
The crucial data address is 0x402004 (where the "test" string lives).
  • Jump to the corresponding address
Right-click in the disassembly area, select Goto Expression... and enter the address.
Right-click and choose Edit to open the byte editor.
This region corresponds to "te".
The next line corresponds to "st".
Edit the bytes of the string to change "te" to "fe" (the string becomes "fest").
Go back and see that the data has changed // right-click Goto RIP to return.
Output verification: continue execution and the program prints the modified string.
Note: edb's edit changes the bytes in the debugged process's memory, not the file on disk, so the change is gone on the next run; to make it permanent, patch the file as in the "Modify file" section below.


Decompile check
Load the hello file in Ghidra, find the main function in the Functions folder of the Symbol Tree window, and click into it.

Compared with the actual source, the decompiled pseudo-code at the crucial locations is error-free and readable.

Modify file
Note: It is recommended to back up the original files involved before modifying them.

Open the file in write mode (r2's -w option) for analysis.
Crucial data: the address of the string, 0x402004.
Check the cross-references to that address (axt) to see where the string is used; in this program it is the argument main passes to puts.
Original: the bytes at 0x402004 read "test".
Modification: overwrite them with a replacement string of the same length, so that the terminating NUL and the bytes after it stay where they are.
Testing: run the patched file and confirm the new output.

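The two patching steps above (edb's byte edit on the running process, and r2's write mode on the file) both come down to locating the file bytes behind a virtual address and overwriting them with a same-length replacement. The following Python script is an added example, not code from the original post or from either tool: it parses the PT_LOAD program headers of an ELF64 file to map 0x402004 to its file offset, checks that the expected bytes are really there, and writes the patched copy so the original stays untouched, as the note above recommends. The hello binary itself is not on the page, so the script builds a constructed minimal ELF image with the same layout (glibc's 4-byte _IO_stdin_used marker at the start of .rodata, which is why the first string literal lands at 0x402004); patch_file() applies the same patch to a real file. For a PIE build the addresses shown by the tools are small base-relative offsets instead of 0x402004, but the mapping works the same way.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1  # program header type for a loadable segment


def parse_load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header
    of an ELF64 little-endian image held in `data`."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS == ELFCLASS64, EI_DATA == ELFDATA2LSB
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        (p_type, _p_flags, p_offset, p_vaddr, _p_paddr,
         p_filesz, _p_memsz, _p_align) = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def vaddr_to_offset(data, vaddr):
    """Map a virtual address (as shown by edb, Ghidra or r2) to the file offset
    that backs it. Raises if the address is not file-backed (e.g. .bss)."""
    for p_offset, p_vaddr, p_filesz in parse_load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")


def find_string(data, needle):
    """Virtual addresses of every occurrence of `needle` in file-backed
    segments (the equivalent of searching for the string in r2)."""
    hits = []
    for p_offset, p_vaddr, p_filesz in parse_load_segments(data):
        chunk = data[p_offset:p_offset + p_filesz]
        pos = chunk.find(needle)
        while pos != -1:
            hits.append(p_vaddr + pos)
            pos = chunk.find(needle, pos + 1)
    return hits


def patch_bytes(data, vaddr, old, new):
    """Overwrite `old` with `new` at `vaddr` and return the patched image.
    Same-length replacement only: a longer string would clobber the NUL
    terminator and whatever follows it; a shorter one must be NUL-padded
    by the caller."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the original")
    off = vaddr_to_offset(data, vaddr)
    found = data[off:off + len(old)]
    if found != old:
        raise ValueError(f"expected {old!r} at {vaddr:#x}, found {found!r}")
    patched = bytearray(data)
    patched[off:off + len(new)] = new
    return bytes(patched)


def patch_file(src, dst, vaddr, old, new):
    """Read `src`, patch it, and write the result to `dst`; `src` is untouched."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(patch_bytes(data, vaddr, old, new))


def build_sample_elf():
    """Constructed stand-in for the hello binary (not the real file): a minimal
    ELF64 header, one read-only PT_LOAD segment mapped at 0x402000, and a
    .rodata-style payload whose first four bytes mimic glibc's _IO_stdin_used
    marker, so that the "test" string lands at 0x402004 as in the post."""
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
            + struct.pack("<HHIQQQIHHHHHH",
                          2,         # e_type   ET_EXEC (non-PIE)
                          0x3e,      # e_machine x86-64
                          1,         # e_version
                          0x401000,  # e_entry (placeholder, never executed)
                          64,        # e_phoff: program headers follow the header
                          0,         # e_shoff: no section headers in the sample
                          0,         # e_flags
                          64, 56, 1, 64, 0, 0))
    rodata_off, rodata_vaddr = 0x200, 0x402000
    rodata = (b"\x01\x00\x02\x00" + b"test\x00").ljust(16, b"\x00")
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 4, rodata_off, rodata_vaddr,
                       rodata_vaddr, len(rodata), len(rodata), 0x1000)
    return (ehdr + phdr).ljust(rodata_off, b"\x00") + rodata


if __name__ == "__main__":
    sample = build_sample_elf()
    print([hex(a) for a in find_string(sample, b"test")])   # ['0x402004']
    patched = patch_bytes(sample, 0x402004, b"test", b"fest")
    print([hex(a) for a in find_string(patched, b"fest")])  # ['0x402004']
```

On a real build, call patch_file("hello", "hello.patched", 0x402004, b"test", b"fest") after confirming with find_string() or r2 that the string really sits at that address; the pre-check in patch_bytes() refuses to write if the bytes there are not the ones you expect, which catches a stale address from a rebuilt binary.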
This is the end of the preliminary exploration; we will meet again if we have the chance.