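#!/usr/bin/python3
"""First-pass static triage of an executable driven through radare2 (r2pipe).

Usage: <script> FILE [FUNCTION]

Prints the ``file`` and ``checksec`` output for FILE, the function list,
the disassembly and call summary of FUNCTION (default ``main``), the
string table and every call instruction radare2 can find.
"""
import r2pipe
import sys
import os
import subprocess, re

# Names radare2 produces itself (main, entry0, sym.imp.puts, fcn.000007fa,
# entry.init0) use only these characters.  Anything else is rejected before
# it is spliced into an r2 command line, where ';' chains commands and '!'
# hands the rest of the line to a shell.
_FUNC_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def run_tool(*args: str) -> None:
    """Run an external tool with an argv list (no shell); output goes to stdout.

    A tool that is not installed is reported and skipped so the radare2 part
    of the run still happens, matching the best-effort behaviour of the old
    ``os.system`` calls.
    """
    # Flush first: when stdout is a pipe, our own print() output is buffered
    # and would otherwise appear after the child's output.
    sys.stdout.flush()
    try:
        subprocess.run(list(args), check=False)
    except FileNotFoundError:
        print(f"*** {args[0]} not found, skipping ***")


if len(sys.argv) < 2:
    sys.exit("Error: Please provide exactly one filename as argument")
program_name = sys.argv[0]
filename = sys.argv[1]
func = sys.argv[2] if len(sys.argv) >= 3 else "main"
if not _FUNC_NAME_RE.fullmatch(func):
    sys.exit(f"Error: invalid function name {func!r}")

r2 = r2pipe.open(filename)
try:
    r2.cmd('aaa')
    # argv lists instead of os.system("file " + filename): a filename
    # containing shell metacharacters must never become a shell command.
    run_tool("file", filename)
    print(" ")
    run_tool("checksec", "--file", filename)
    print(" ")
    print("*** list functions ***")
    print(" ")
    print(r2.cmd("afl"))
    print(f"*** disassemble {func} ***")
    print(r2.cmd(f"s {func}"))
    print(r2.cmd("pdf"))
    print(f"*** summary {func} ***")
    print(" ")
    print(r2.cmd("pdfs"))
    print("*** list strings ***")
    print(" ")
    print(r2.cmd("iz"))
    print("*** list call instructions everywhere ***")
    print(" ")
    print(r2.cmd("/ad/ call"))
finally:
    # Always shut the r2 session down, even if a command above raised.
    r2.quit()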
;script python per una prima analisi statica dell'eseguibile, che utilizza la libreria python r2pipe per comunicare con radare2 e quindi estrarre tutta una serie di informazioni utili per il reversing
*** list functions ***
beleaf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped
[*] './beleaf'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
0x000006f0 1 42 entry0
0x00000680 1 6 sym.imp.puts
0x00000690 1 6 sym.imp.strlen
0x000006a0 1 6 sym.imp.__stack_chk_fail
0x000006b0 1 6 sym.imp.printf
0x00000000 3 272 -> 226 loc.imp._ITM_deregisterTMCloneTable
0x000006c0 1 6 sym.imp.__isoc99_scanf
0x000006d0 1 6 sym.imp.exit
0x000006e0 1 6 sym.imp.__cxa_finalize
0x000008a1 10 307 main
0x000007fa 10 167 fcn.000007fa
0x000007f0 5 154 -> 67 entry.init0
0x000007b0 5 58 -> 51 entry.fini0
0x00000720 4 50 -> 40 fcn.00000720
0x00000650 3 23 fcn.00000650
*** disassemble main ***
; DATA XREF from entry0 @ 0x70d(r)
307: int main (int argc, char **argv);
; arg int argc @ rdi
; arg char **argv @ rsi
; var int64_t canary @ rbp-0x8
; var char *s @ rbp-0x90
; var uint32_t var_98h @ rbp-0x98
; var size_t var_a0h @ rbp-0xa0
; var int64_t var_a8h @ rbp-0xa8
; var int64_t var_b4h @ rbp-0xb4
; var char **var_c0h @ rbp-0xc0
0x000008a1 55 push rbp
0x000008a2 4889e5 mov rbp, rsp
0x000008a5 4881ecc00000. sub rsp, 0xc0
0x000008ac 89bd4cffffff mov dword [var_b4h], edi ; argc
0x000008b2 4889b540ffff. mov qword [var_c0h], rsi ; argv
0x000008b9 64488b042528. mov rax, qword fs:[0x28]
0x000008c2 488945f8 mov qword [canary], rax
0x000008c6 31c0 xor eax, eax
...
...
...
...
*** summary main ***
0x00000090 arg3
0x000008ac argc
0x000008b2 argv
0x000008c8 const char *format
0x000008c8 str.Enter_the_flag_n____
0x000008d4 call sym.imp.printf
0x000008e3 const char *format
0x000008ef call sym.imp.__isoc99_scanf
0x000008fb const char *s
0x000008fe call sym.imp.strlen
0x00000914 const char *s
0x00000914 str.Incorrect_
0x0000091b call sym.imp.puts
0x00000920 int status
0x00000925 call sym.imp.exit
0x0000092a:
0x00000937:
0x0000094e int64_t arg1
0x00000950 call fcn.000007fa fcn.000007fa
0x0000097f const char *s
0x0000097f str.Incorrect_
0x00000986 call sym.imp.puts
0x0000098b int status
0x00000990 call sym.imp.exit
0x00000995:
0x0000099d:
0x000009ad const char *s
0x000009ad str.Correct_
0x000009b4 call sym.imp.puts
0x000009cd call sym.imp.__stack_chk_fail
0x000009d2:
0x000009fb str.Correct_
0x00000a0c call fcn.00000650 fcn.00000650
*** list strings ***
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000a64 0x00000a64 19 20 .rodata ascii Enter the flag\n>>>
1 0x00000a7b 0x00000a7b 10 11 .rodata ascii Incorrect!
2 0x00000a86 0x00000a86 8 9 .rodata ascii Correct!
0 0x00001020 0x00201020 7 32 .data utf32le wf{_ny}
*** list call instructions everywhere ***
0x00000660 ffd0 call rax
0x00000714 ff15c6082000 call qword [rip + 0x2008c6]
0x000007ce e80dffffff call sym.imp.__cxa_finalize
0x000008d4 e8d7fdffff call sym.imp.printf
0x000008ef e8ccfdffff call sym.imp.__isoc99_scanf
0x0000091b e860fdffff call sym.imp.puts
0x00000925 e8a6fdffff call sym.imp.exit
0x00000950 e8a5feffff call fcn.000007fa
0x00000986 e8f5fcffff call sym.imp.puts
0x00000990 e83bfdffff call sym.imp.exit
0x000009b4 e8c7fcffff call sym.imp.puts
0x000009cd e8cefcffff call sym.imp.__stack_chk_fail
0x00000a0c e83ffcffff call fcn.00000650
0x00000a29 41ff14dc call qword [r12 + rbx*8]
0x00000a2a ff14dc call qword [rsp + rbx*8]
0x00000a9f ff9000000050 call qword [rax + 0x50000000]
0x00000ab7 ffd0 call rax
0x00000ac7 ff10 call qword [rax]
0x00000acf ff5801 call [rax + 1]