Search Preview
Android Crackme and Structure offset propagation · The Official Radare Blog
radare.todayThe blog of radare2
.today > radare.today
SEO audit: Content analysis
| Language | Error! No language localisation is found. | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Title | Android Crackme and Structure offset propagation · The Official Radare Blog | ||||||||||||||||||||||||||||||||||||
| Text / HTML ratio | 64 % | ||||||||||||||||||||||||||||||||||||
| Frame | Excellent! The website does not use iFrame solutions. | ||||||||||||||||||||||||||||||||||||
| Flash | Excellent! The website does not have any flash contents. | ||||||||||||||||||||||||||||||||||||
| Keywords cloud | r3 > r2 ldr = file r1 offset struct JNIEnv GSoC adds SP movs blx Final lsls functions pointer ELF | ||||||||||||||||||||||||||||||||||||
| Keywords consistency |
|
||||||||||||||||||||||||||||||||||||
| Headings |
|
||||||||||||||||||||||||||||||||||||
| Images | We found 1 images on this web page. |
SEO Keywords (Single)
| Keyword | Occurrence | Density |
|---|---|---|
| r3 | 15 | 0.75 % |
| > | 12 | 0.60 % |
| r2 | 10 | 0.50 % |
| ldr | 9 | 0.45 % |
| = | 9 | 0.45 % |
| file | 7 | 0.35 % |
| r1 | 6 | 0.30 % |
| offset | 5 | 0.25 % |
| struct | 5 | 0.25 % |
| JNIEnv | 5 | 0.25 % |
| GSoC | 5 | 0.25 % |
| adds | 4 | 0.20 % |
| SP | 3 | 0.15 % |
| movs | 3 | 0.15 % |
| blx | 3 | 0.15 % |
| Final | 3 | 0.15 % |
| lsls | 3 | 0.15 % |
| functions | 3 | 0.15 % |
| pointer | 3 | 0.15 % |
| ELF | 3 | 0.15 % |
SEO Keywords (Two Word)
| Keyword | Occurrence | Density |
|---|---|---|
| we can | 5 | 0.25 % |
| ldr r3 | 4 | 0.20 % |
| can see | 3 | 0.15 % |
| JNIEnv struct | 3 | 0.15 % |
| GSoC 2018 | 3 | 0.15 % |
| that the | 3 | 0.15 % |
| blx r3 | 3 | 0.15 % |
| 9847 blx | 3 | 0.15 % |
| d358 ldr | 3 | 0.15 % |
| r3 2 | 3 | 0.15 % |
| r3 r3 | 3 | 0.15 % |
| lsls r3 | 3 | 0.15 % |
| 9b00 lsls | 3 | 0.15 % |
| 4 = | 3 | 0.15 % |
| ldr r2 | 3 | 0.15 % |
| offset propagation | 3 | 0.15 % |
| 1 12 | 3 | 0.15 % |
| from the | 3 | 0.15 % |
| px w | 2 | 0.10 % |
| 8 9 | 2 | 0.10 % |
SEO Keywords (Three Word)
| Keyword | Occurrence | Density | Possible Spam |
|---|---|---|---|
| 9b00 lsls r3 | 3 | 0.15 % | No |
| lsls r3 r3 | 3 | 0.15 % | No |
| r3 r3 2 | 3 | 0.15 % | No |
| d358 ldr r3 | 3 | 0.15 % | No |
| 9847 blx r3 | 3 | 0.15 % | No |
| B C D | 2 | 0.10 % | No |
| adds r1 r2 | 2 | 0.10 % | No |
| 081c adds r0 | 2 | 0.10 % | No |
| adds r0 r1 | 2 | 0.10 % | No |
| the code we | 2 | 0.10 % | No |
| through the code | 2 | 0.10 % | No |
| 111c adds r1 | 2 | 0.10 % | No |
| 0x00000f8a 9847 blx | 2 | 0.10 % | No |
| > px w | 2 | 0.10 % | No |
| GSoC 2018 Final | 2 | 0.10 % | No |
| we can find | 2 | 0.10 % | No |
| 0x00000f7e d358 ldr | 2 | 0.10 % | No |
| 2 0x00000f7e d358 | 2 | 0.10 % | No |
| r3 2 0x00000f7e | 2 | 0.10 % | No |
| 0x00000f7c 9b00 lsls | 2 | 0.10 % | No |
SEO Keywords (Four Word)
| Keyword | Occurrence | Density | Possible Spam |
|---|---|---|---|
| 9b00 lsls r3 r3 | 3 | 0.15 % | No |
| lsls r3 r3 2 | 3 | 0.15 % | No |
| the code we can | 2 | 0.10 % | No |
| 7 8 9 A | 2 | 0.10 % | No |
| offset 1 2 3 | 2 | 0.10 % | No |
| 1 2 3 4 | 2 | 0.10 % | No |
| 2 3 4 5 | 2 | 0.10 % | No |
| 3 4 5 6 | 2 | 0.10 % | No |
| through the code we | 2 | 0.10 % | No |
| 0x00000f8a 9847 blx r3 | 2 | 0.10 % | No |
| 111c adds r1 r2 | 2 | 0.10 % | No |
| code we can find | 2 | 0.10 % | No |
| 4 5 6 7 | 2 | 0.10 % | No |
| 5 6 7 8 | 2 | 0.10 % | No |
| 6 7 8 9 | 2 | 0.10 % | No |
| 081c adds r0 r1 | 2 | 0.10 % | No |
| 9 A B C | 2 | 0.10 % | No |
| 8 9 A B | 2 | 0.10 % | No |
| A B C D | 2 | 0.10 % | No |
| B C D E | 2 | 0.10 % | No |
Internal links in - radare.today
Subscribe
The Official Radare Blog
The Official Radare Blog
Aug 31
Radare2 and bioinformatics: a good match? · The Official Radare Blog
Radare2 and bioinformatics: a good match? · The Official Radare Blog
Jul 3
Background Tasks in radare2 · The Official Radare Blog
Background Tasks in radare2 · The Official Radare Blog
Jun 16
Android Crackme and Structure offset propagation · The Official Radare Blog
Android Crackme and Structure offset propagation · The Official Radare Blog
Older Posts →
The Official Radare Blog · The Official Radare Blog
The Official Radare Blog · The Official Radare Blog
Radare.today Spined HTML
Android Crackme and Structure offset propagation · The Official Radare Blog ←Home http://radare.org Subscribe Android Crackme and Structure offset propagation June 16, 2018 Today we will squint into the recently introduced full-length in r2 - structure offset propagation. We will use it to solve a crackme based on reversing an Android JNI (Java Native Interface) library.Beware that the full-length is still WIP and stuff constantly improved. This rencontre is originally from NDH2012-wargame, so we are provided with an NDH.apk file, now without decompiling and using JD-GUI to scan through the lawmaking we can find some interesting functions : // Java source file static { System.loadLibrary("verifyPass"); } NDHActivity localNDHActivity = NDHActivity.this; String str1 = this.val$tv2.getText().toString(); String str2 = localNDHActivity.print(str1);Withoutreading through the lawmaking we can find that the validation routine is contained in a JNI lib file. $ file libverifyPass.so libverifyPass.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped So let’s start by opening it in IDA r2 - $ r2 ./libverifyPass.so [0x00000f50]> aaa ... [0x00000f50]> afl 0x00000f38 1 12 sym.imp.__gnu_Unwind_Find_exidx 0x00000f44 1 12 sym.imp.difftime 0x00000f50 1 12 entry0 0x00000f60 15 500 sym.Java_com_app_ndh_NDHActivity_print ... We could hands spot the “sym.(..).print” function that was tabbed from the java source file [0x00000f60]> pdf | sym.Java_com_app_ndh_NDHActivity_print (); | ; var int local_4h @ sp+0x4 .... | 0x00000f60 30b5 push {r4, r5, lr} | 0x00000f62 cdb0 sub sp, 0x134 | 0x00000f64 7e4c ldr r4, [0x00001160] | 0x00000f66 7c44 add r4, pc | 0x00000f68 0390 str r0, [sp + local_ch] // | 0x00000f6a 0291 str r1, [sp + local_8h] // Arguments stored in stack | 0x00000f6c 0192 str r2, [sp + local_4h] // .... | 0x00000f76 039b ldr r3, [sp + local_ch] | 0x00000f78 1a68 ldr r2, [r3] // JNIEnv struct loaded | 0x00000f7a a923 movs r3, 0xa9 | 0x00000f7c 9b00 lsls r3, r3, 2 | 0x00000f7e d358 ldr r3, [r2, r3] .... | 0x00000f8a 9847 blx r3 We could see that one of the arguments passed to this print function is a JNIEnv struct pointer which contains info well-nigh many callback functions (For detailed explaination well-nigh JNI , take a squint at this wiki) This program uses such type of undeniability 3 times, with the indexes 0x2A4, 0x290 and 0x29C. To retreive the names of respective functions, we can directly use jni.h file or this doc which contains indexes in JNIEnv interface function table : 0x24A / 4 = 169 --> const jbyte* GetStringUTFChars(JNIEnv *env, jstring string, jboolean *isCopy); 0x290 / 4 = 164 --> jsize GetStringLength(JNIEnv *env, jstring string); 0x29C / 4 = 167 --> jstring NewStringUTF(JNIEnv *env, const char *bytes); As you can see it’s a bit painful process, this is where our struct offset propagation comes into picture! [0x00000f60]> to ./jni.h (load the header file) [0x00000f60]> ts _JavaVM JNIInvokeInterface JNINativeInterface _JNIEnv You can either use ESIL emulation or debugging to find the write of JNIEnv struct. For sake of simplicity, we will use the write that is mapped to our SP (Stack Pointer), which is 0x00000000 as we see from the output below: :> px $w @ sp - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x00000000 7f45 4c46 .ELF As we saw from the pdf output above, the stack pointer (SP) is stuff used as the wiring pointer with variegated offsets from local variables. This ways that the wiring of our JNIEnv structure is whatever the value of SP at the time. :> px $w @ [sp] - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x464c457f ffff ffff .... From what we can see here, [SP] here is 0x464c457f. This unquestionably represents the first few shit of an ELF binary’s header. Now link both the struct and write using tl writ and watch the magic happen :) [0x00000f60]> tl JNINativeInterface = 0x464c457f [0x00000f60]> pdf ... | 0x00000f7c 9b00 lsls r3, r3, 2 | 0x00000f7e d358 ldr r3, [r2, r3] ; JNINativeInterface.GetStringUTFChars | 0x00000f84 081c adds r0, r1, 0 | 0x00000f86 111c adds r1, r2, 0 | 0x00000f88 0022 movs r2, 0 | 0x00000f8a 9847 blx r3 ... | 0x0000100e d358 ldr r3, [r2, r3] ; JNINativeInterface.GetStringLength | 0x00001010 0399 ldr r1, [sp + local_ch] | 0x00001012 019a ldr r2, [sp + local_4h] | 0x00001014 081c adds r0, r1, 0 | 0x00001016 111c adds r1, r2, 0 | 0x00001018 9847 blx r3 .... | 0x00001110 a723 movs r3, 0xa7 | 0x00001112 9b00 lsls r3, r3, 2 | 0x00001114 d258 ldr r2, [r2, r3] ; JNINativeInterface.NewStringUTF Finally moving on to the solution of this challenge, we can see that there are some string length checks happening, and at last two strings are loaded from .rodata section which is xored together to print the flag >> a = [0x52,0x1A,0x09,0x7B ...] >> b = [0x5C,0x20,0x72,0x10 ...] >> "".join( [ chr(a[i] ^ b[i]) for i in range(len(a)) ] ) 'Radare2_is_great' (obviously not the flag, try it on ur own to get it :P) The radare team https://twitter.com/radareorg Share Read increasingly GSoC 2018 Final: Debugging and Emulation Support for CutterAug 20 GSoC 2018 Final: Console Interface ImprovementesAug 19 GSoC 2018: Control Flow Structuring for Radeco-libAug 12 Gsoc 2018 Radeco Pseudo CLawmakingGenerationAug 12 GSoC'18 Final: Type inferenceAug 12 Background Tasks in radare2Jul 3 GSoC'18 Progress Report - MayMay 31 GSoC 2018 Selection ResultsApr 24 GSoC 2018Mar 5 The radare team