radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Decode additional strings. #11085

Open MariasStory opened 6 years ago

MariasStory commented 6 years ago

Please decode strings from some simple obfuscation: string1

It might be already implemented, but it would be nice to have the string in the strings list ;-)

radare commented 6 years ago

Use esil, anal.strings, and there's another one that statically analyzes stack movements to find strings constructed like this, but I don't remember it right now.

And no, you won't see this in the strings list, because the string list you get is from RBin, aka by parsing the binary headers, not by emulating the program; you'll find a flag.

On 14 Aug 2018, at 15:39, MariasStory notifications@github.com wrote:

Please decode strings from some simple obfuscation: https://user-images.githubusercontent.com/6576335/44095047-134280b8-9fd8-11e8-98c0-ad19ff6c95cf.png It might be already implemented, but it would be nice to have the string in the strings list ;-)


XVilka commented 6 years ago

It makes sense though to create something like emu.str.* namespace where to put the found strings after emulation.

radare commented 6 years ago

Flagspace?


XVilka commented 6 years ago

Yes, flagspace, where to push the flags for strings found during emulation, let's say during the aaaa command. It might be very imprecise and error-prone, but certainly useful in some cases.

malware-kitten commented 6 years ago

Emulation would be a great way to solve this issue, especially if the strings are pushed out of order.
i.e.:

index[0] = 'h'
index[4] = 'o'
index[1] = 'e'
index[2] = 'l'
index[3] = 'l'

There is an existing project on github that uses unicorn and yara to do a variant of this -> https://gist.github.com/williballenthin/ea1fef4984ea31ae92e333f04e9d0110

I've posted a blog talking about this, and posted a Cutter script to rebuild these. It could be easily repurposed to work from the command line with radare2. (https://securitykitten.github.io/2018/07/06/unstacking-strings-with-cutter-and-radare2.html) and the script is here -> (https://github.com/securitykitten/cutter_scripts/blob/master/scripts/cutter_stackstrings.py)

I would like to see the emulation of this solved, I took a couple unsuccessful stabs at the problem, but I think that most of it is just my ignorance on r2's emulation.

As a side note (probably more of a version 2), there are going to be more patterns to look for; take for example the following Rust application, where the stack string is 'Moon'.
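The static variant of what the comment above describes (replaying immediate stores into a stack frame and reading the bytes back in address order, so out-of-order writes and multi-byte stores both resolve) as an added example; this is not the Cutter script linked above nor part of radare2, and the disassembly lines it parses are constructed here in the `pd`-like "mov byte [rbp-0x20], 0x68" form rather than taken from the issue's samples.

```python
import re

# Constructed x86-64 disassembly (not from the issue's samples): "hello" written
# out of order as byte stores, then "Moon" written as one little-endian dword.
SAMPLE_DISASM = """
0x401000  mov byte [rbp-0x20], 0x68
0x401004  mov byte [rbp-0x1c], 0x6f
0x401008  mov byte [rbp-0x1f], 0x65
0x40100c  mov byte [rbp-0x1e], 0x6c
0x401010  mov byte [rbp-0x1d], 0x6c
0x401014  mov byte [rbp-0x1b], 0x0
0x401018  mov dword [rbp-0x10], 0x6e6f6f4d
0x40101c  mov byte [rbp-0xc], 0x0
0x401020  mov rax, 0x10
"""

# Only immediate stores relative to a frame/stack register are of interest.
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword|qword)\s+\[(rbp|rsp|ebp|esp)([+-]0x[0-9a-f]+)?\],"
    r"\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

def collect_stack_bytes(disasm):
    """Replay each immediate store into a frame model: offset -> byte value."""
    frame = {}
    for line in disasm.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        size, _base, off, imm = m.groups()
        base_off = int(off, 16) if off else 0      # "-0x20" -> -32
        for i, b in enumerate(int(imm, 0).to_bytes(WIDTH[size.lower()], "little")):
            frame[base_off + i] = b                  # later writes overwrite earlier ones
    return frame

def extract_stack_strings(disasm, min_len=3):
    """Walk the rebuilt frame in address order and cut it into printable ASCII runs."""
    frame = collect_stack_bytes(disasm)
    found, run, prev = [], bytearray(), None
    for off in sorted(frame):
        b = frame[off]
        printable = 0x20 <= b < 0x7F
        if printable and (not run or off == prev + 1):
            run.append(b)
        else:                                        # gap, NUL or non-text byte ends a run
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray([b]) if printable else bytearray()
        prev = off
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found
```

In practice the input would be the output of `pdf` for the function under analysis, and each recovered string could then be flagged at the address of its first store.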

radare commented 6 years ago

Anal.strings does that, but it's not imprecise.


MariasStory commented 6 years ago

Someone wants to try their skills on this shellcode? download.zip You know the pass ;-) I am sure that you can find out where it comes from.

Would be nice to see your results. This one is related to the first screenshot that I posted.

MariasStory commented 5 years ago

Hi team. Did someone check the shellcode? If so, did you get the strings extracted? There are some more strings that also can be extracted but not seen in the disassembly.

radare commented 5 years ago

If you seek to the beginning of the movs, enable emu.str=1 and do aepc $$ and aeim in there, the string will appear while you step in... but it's not automatically resolved with anal.strings because it doesn't assume the strings are constructed on the stack. So the issue is not solved, but you can write a script to automate that solution.


radare commented 5 years ago

[screenshot: screen shot 2018-09-27 at 15 12 40]

MariasStory commented 5 years ago

Hi @radare, Thanks for your interest in this topic. I have another example where an executable is reconstructed in memory using the "mov" obfuscation. It would be nice if r2 would extract the stuff without execution. Is it possible/planned?

radare commented 5 years ago

Can you share it?


MariasStory commented 5 years ago

Sure. Here you go. shellDll_movJMP.zip

MariasStory commented 4 years ago

Hi, did someone improve such strings detection/extraction? I have more samples to play with ;-)

radare commented 4 years ago

can you give us some pointers about what you want exactly?

MariasStory commented 4 years ago

Hi Radare,

It would be nice to have something similar to flare-floss, the "FireEye Labs Obfuscated String Solver". Instead, the strings could appear in r2 analysis and in the extracted strings list (like zzz) of radare2. I know floss can export a .r2 file and it kind of works. I think that this functionality is better implemented in r2 and used in the native environment. Although, if you think that it is not worth the effort, you can close the issue and I will use floss.

Thanks, Tolik

radare commented 4 years ago

Yes, I think this feature makes sense to have in r2 directly. Using anal.strings and aae it may resolve the strings referenced via esil. So I guess that enabling this and io.cache will be enough to get all the strings with f str.

Which command/action do you think makes more sense to do this?


radare commented 4 years ago

We can also just extract strings out of the immediates in the instructions, but sometimes these are scrambled or xored before being written onto the stack.


MariasStory commented 4 years ago

Thanks for following this idea. I suggest having an approach similar to z vs zz vs zzz. I mean that there should be an option to have all strings logged/shown in the r2 interface (in comments), or less noisy options for only stack-related strings, or strings that are kind of sorted out. From a forensic point of view, every string that was reconstructed/used/manipulated in a binary can give a hint for finding the evidence (let's say in memory). Possibly, I would emulate (all) the code with esil (maybe with some additional option) and get all possible strings that are generated/modified in this binary. I know that you implemented part of it in the visible field. Maybe it can be extended to be a part of the complete analysis results? Also, it would be nice to have it in a way that is easy to use. Let's say you get additional results if you use more than 3 z's.