Open MariasStory opened 6 years ago
Use esil, anal.strings, and there's another one that statically analyzes stack movements to find strings constructed like this, but I don't remember it right now.
And no, you won't see this in the strings list, because the string list you get is from RBin, aka by parsing the binary headers, not by emulating the program. You'll find a flag.
On 14 Aug 2018, at 15:39, MariasStory notifications@github.com wrote:
Please decode strings from some simple obfuscation: https://user-images.githubusercontent.com/6576335/44095047-134280b8-9fd8-11e8-98c0-ad19ff6c95cf.png It might be already implemented, but it would be nice to have the string in the strings list ;-)
It makes sense though to create something like an emu.str.* namespace where to put the found strings after emulation.
Flagspace?
Yes, flagspace, where to push the flags for strings found during emulation, let's say during the aaaa command. It might be very imprecise and error-prone, but certainly useful in some cases.
Emulation would be a great way to solve this issue, especially if the strings are pushed out of order. I.e.:
index[0] = 'h'
index[4] = 'o'
index[1] = 'e'
index[2] = 'l'
index[3] = 'l'
There is an existing project on github that uses unicorn and yara to do a variant of this -> https://gist.github.com/williballenthin/ea1fef4984ea31ae92e333f04e9d0110
I've posted a blog talking about this, and posted a Cutter script to rebuild these. It could be easily repurposed to work from the command line with radare2. (https://securitykitten.github.io/2018/07/06/unstacking-strings-with-cutter-and-radare2.html) and the script is here -> (https://github.com/securitykitten/cutter_scripts/blob/master/scripts/cutter_stackstrings.py)
I would like to see the emulation of this solved, I took a couple unsuccessful stabs at the problem, but I think that most of it is just my ignorance on r2's emulation.
As a side note (probably more of a version 2), there are going to be more patterns to look for; take for example the following Rust application, where the stack string is 'Moon'.
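The static approach mentioned earlier in the thread (walk the stack stores instead of emulating) is easy to sketch without r2 at all. The script below is an added example, not code from the thread, from radare2 or from the Cutter script linked above. It takes r2-style Intel-syntax disassembly text, replays every `mov`/`xor` of an immediate into a `[rbp|rsp|ebp|esp +/- disp]` slot into a sparse per-register stack image (so the out-of-order byte writes from the comment above, multi-byte little-endian stores, and a byte-wise XOR decode all land in the right place), then pulls printable runs out of that image. The listing in `SAMPLE_DISASM` is constructed for the demo (opcode bytes included); it assumes nothing about any real sample. Stores from registers, loops and anything computed at run time are deliberately out of scope: that is exactly where ESIL emulation (aae, emu.str) is needed instead.

```python
"""Recover strings built on the stack one immediate at a time.

Added example: a small static analyzer over r2-style Intel-syntax
disassembly. Not radare2 code, needs no r2 install; the sample listing
below is constructed for the demo.
"""
import re
from collections import defaultdict

# mov/xor of an immediate into a [base +/- disp] slot; the width keyword
# picks how many little-endian bytes the immediate occupies.
SIZE_BYTES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
STORE_RE = re.compile(
    r"\b(?P<op>mov|xor)\s+(?P<size>byte|word|dword|qword)\s+"
    r"\[(?P<base>[re]?[bs]p)\s*(?P<sign>[+-])\s*(?P<disp>0x[0-9a-fA-F]+|\d+)\]\s*,\s*"
    r"(?P<imm>0x[0-9a-fA-F]+|\d+)\s*$"
)

# Constructed listing (addresses and opcode bytes are illustrative only).
SAMPLE_DISASM = """\
0x00401000      55             push rbp
0x00401001      4889e5         mov rbp, rsp
; "hello" written out of order, one byte at a time (index 0, 4, 1, 2, 3)
0x00401004      c645f068       mov byte [rbp - 0x10], 0x68
0x00401008      c645f46f       mov byte [rbp - 0xc], 0x6f
0x0040100c      c645f165       mov byte [rbp - 0xf], 0x65
0x00401010      c645f26c       mov byte [rbp - 0xe], 0x6c
0x00401014      c645f36c       mov byte [rbp - 0xd], 0x6c
0x00401018      c645f500       mov byte [rbp - 0xb], 0
; "Hello" via a dword and a word store (little-endian immediates)
0x0040101c      c745e048656c6c mov dword [rbp - 0x20], 0x6c6c6548
0x00401023      66c745e46f00   mov word [rbp - 0x1c], 0x6f
; "Moon" stored xored with 0x41, then decoded in place
0x00401029      c645d00c       mov byte [rbp - 0x30], 0xc
0x0040102d      c645d12e       mov byte [rbp - 0x2f], 0x2e
0x00401031      c645d22e       mov byte [rbp - 0x2e], 0x2e
0x00401035      c645d32f       mov byte [rbp - 0x2d], 0x2f
0x00401039      8075d041       xor byte [rbp - 0x30], 0x41
0x0040103d      8075d141       xor byte [rbp - 0x2f], 0x41
0x00401041      8075d241       xor byte [rbp - 0x2e], 0x41
0x00401045      8075d341       xor byte [rbp - 0x2d], 0x41
0x00401049      488d7df0       lea rdi, [rbp - 0x10]
0x0040104d      e800000000     call sym.imp.puts
"""


def simulate_stores(lines):
    """Replay immediate stores into a sparse stack image per base register."""
    mem = defaultdict(dict)  # base register -> {signed offset: byte value}
    for raw in lines:
        m = STORE_RE.search(raw.split(";", 1)[0])  # drop r2 ';' comments
        if not m:
            continue  # register sources, calls, etc. are not modelled
        width = SIZE_BYTES[m["size"]]
        disp = int(m["disp"], 0)
        if m["sign"] == "-":
            disp = -disp
        imm = int(m["imm"], 0) & ((1 << (8 * width)) - 1)
        slot = mem[m["base"]]
        for i in range(width):  # little-endian: low byte at the lowest address
            b = (imm >> (8 * i)) & 0xFF
            if m["op"] == "mov":
                slot[disp + i] = b
            elif disp + i in slot:  # xor only decodes a byte we already know
                slot[disp + i] ^= b
    return mem


def extract_strings(mem, min_len=4):
    """Walk each base's slots in address order and collect printable runs."""
    found = []
    for base, slot in mem.items():
        run, start = [], None
        for off in sorted(slot):
            b = slot[off]
            contiguous = start is not None and off == start + len(run)
            if contiguous and 0x20 <= b < 0x7F:
                run.append(chr(b))
                continue
            if len(run) >= min_len:  # a gap or a non-printable byte ends the run
                found.append((base, start, "".join(run)))
            if 0x20 <= b < 0x7F:
                run, start = [chr(b)], off
            else:
                run, start = [], None
        if len(run) >= min_len:
            found.append((base, start, "".join(run)))
    return found


def recover_stack_strings(disasm, min_len=4):
    """Text listing in, list of (base, stack offset, string) out."""
    return extract_strings(simulate_stores(disasm.splitlines()), min_len)


if __name__ == "__main__":
    for base, off, s in recover_stack_strings(SAMPLE_DISASM):
        print(f"[{base}{off:+#x}] {s!r}")
```

Running it prints the three recovered strings with the stack slot they live in; turning each into an `f str.stack.<name>` flag at the first store's address is a one-liner once r2pipe is in the loop. Note the XOR handling only works because the decode is a constant byte-wise XOR on the same slot; a key held in a register, or a loop, defeats this and is the case for emulation.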
anal.strings does that, but it's not imprecise.
Does someone want to try their skills on this shellcode? download.zip You know the pass ;-) I am sure that you can find out where it comes from.
Would be nice to see your results. This one is related to the first screenshot that I posted.
Hi team. Did someone check the shellcode? If so, did you get the strings extracted? There are some more strings that also can be extracted but not seen in the disassembly.
If you seek to the beginning of the movs, enable emu.str=1 and do aepc $$ and aeim in there, the string will appear while you step in... but it's not automatically resolved with anal.strings because it doesn't assume the strings are constructed on the stack. So the issue is not solved, but you can write a script to automate that solution.
Hi @radare, Thanks for your interest in this topic. I have another example where an executable is reconstructed in memory using the "mov" obfuscation. It would be nice if r2 would extract the stuff without execution. Is it possible/planned?
Can you share it?
Sure. Here you go. shellDll_movJMP.zip
Hi, did someone improve such strings detection/extraction? I have more samples to play with ;-)
Can you give us some pointers about what you want exactly?
Hi Radare,
It would be nice to have something similar to flare-floss, the "FireEye Labs Obfuscated String Solver". Instead, the strings could appear in the r2 analysis and in the extracted strings list (like zzz) of radare2. I know floss can export an .r2 file and it kind of works. I think that this functionality is better implemented in r2 and used in the native environment. Although, if you think that it is not worth the effort, you can close the issue and I will use floss.
Thanks, Tolik
Yes, I think it makes sense to have this feature in r2 directly. Using anal.strings and aae it may resolve the strings referenced via ESIL. So I guess that enabling this and io.cache will be enough to get all the strings with f str.
Which command/action do you think makes more sense for doing this?
We can also just extract strings out of the immediates in the instructions, but sometimes this is scrambled or xored before being written onto the stack.
Thanks for following this idea. I suggest having an approach similar to z vs zz vs zzz. I mean that there should be an option to have all strings logged/shown in the r2 interface (in comments), or less noisy options for only stack-related strings or strings that are kind of sorted out. From a forensic point of view, every string that was reconstructed/used/manipulated in the binary can give a hint for finding the evidence (let's say in memory). Possibly, I would emulate (all) the code with ESIL (maybe with some additional option) and get all possible strings that are generated/modified in this binary. I know that you implemented part of it in the visible field. Maybe it can be extended to have it as a part of the complete analysis results? Also, it would be nice to have it in a way that is easy to use. Let's say you get additional results if you use more than 3 z's.