people coming in. This is cool. Hi, who said hi to me? Someone. I'll just wave at you all. Just saying, we've got a two-hour tutorial. Why not sit next to each other and make a brand new friend? Just an idea. Then again, it's Linux. Yeah, so everyone's obviously here for a reason. We're here for Andrew's talk, tutorial even. There is going to be a break in the middle if you need to go to the bathroom, ask questions, that sort of thing. That will be about halfway through, and you can do whatever you like. So this is Andrew McDonnell. He seems pretty cool. Let's let him start. High five.

It's what it says on the screen. There's a fortune cookie feature that comes up when you first run the program, and I saw a few interesting and unexpected words pop up. I don't want to be responsible for violating the code of conduct. I do believe, and I'm thankful, that a bug report has actually been submitted, so maybe they'll sort that out for us. So today I'm going to be introducing a piece of software called radare2. I don't actually know how it's correctly pronounced, so if you're in the project and watch this, I apologise. We're going to have an introduction and work through how to use the software. I'll have a break partway through for general questions, because this is a tutorial, so I do encourage some interactivity, although I want to try and keep things moving a bit; we'll play it by ear. After that, I'll be doing a brief presentation on the MIPS architecture, because that's something you find in a lot of embedded devices, and it has a few quirks compared to some other systems in how you might have to go about disassembling the software. If I get a bit of time, I'll do a quick demo of how to unpack a firmware, if you actually find something to pull it out of. And if you're following along, you don't have to use the examples I've got. If you've got other numbers or another binary you want to have a play with, go for it, because we're here to learn. I discovered this software myself only about six months ago and thought it was so awesome I had to share it with people, so that's why I've ended up here. And I think that's a duplicate slide.

So I'm just going to tell a quick story. This is a gadget: about six months ago I was wandering around and went to Cash Converters, which in Australia is a second-hand recycling shop. In the bit next to all the iPhones and the rest of it, they have USB modems and other things, and this was in a little black box. It was one of those USB-powered Wi-Fi repeater things, a generation older than what you get now. I dickered them down from $15 to $10 and took it home, because I thought, well, I'll pull it apart and see if I can run Linux on it. It turns out it does actually run a form of Linux, but it's not supported by OpenWrt and it wasn't really supportable for various reasons, which I won't go into. But I had trouble actually getting into it in the first place. You can see there are pins I've soldered in. So if you ever want to try this: on most devices you buy, when you pull them apart there will be four little pins, and you can Google that to get pictures on the internet of where you can solder in a connector, connect a USB serial port and actually get to the device without having to go through the web firmware. I wanted to boot my own Linux, because I managed to get an OpenWrt image and attempted to boot it, but I couldn't upload it in there. I could get into their Linux using the USB serial and I was able to copy it off onto my computer to look at it, but I couldn't get one back in there, because I couldn't understand the boot loader. It wasn't U-Boot, like most of these devices have. And so that led me down this path of how do I reverse engineer this boot loader to get into it? And that's how I discovered radare2. It turned out that this boot loader had a hidden mode, which they weren't showing you in the help, where you could download firmware across the serial port using something called YMODEM, which was used 20 to 30 years ago, when we had dial-up modems before the current internet, to connect to BBSs. So that was an interesting journey. That's what today is about: finding gadgets and trying to work out what's inside them, for example, and various other reasons. And I need to press that button and do that. That's awesome.

So radare is a reverse engineering framework, or that's what I call it. It's a piece of software that lets you do a variety of things. You can use it to disassemble program code that's in binary form back to something called assembly language. I'm going to guess that most people here know what that is: it's the bottom level of instructions you get when you compile a program in C. Now, that alone you can already do with a program called GNU objdump, and other programs, so that's not particularly interesting. But what a reverse engineering framework lets you do is attempt to discover higher-level features in the disassembled code. In particular, visually, you can see links like jump instructions and function calls. You can script it and try and unravel data structures which you might not get just by looking at raw assembly. And people use these tools to modify existing software and to do something called fuzzing, which is usually used to look for security-related bugs where someone has forgotten to correctly write their memory buffer handling. Is anyone following along with the software? That was on the wiki. Were there any issues? Everyone got it sorted? Cool. So why would you want to reverse engineer something? Because it may have slightly dodgy connotations to some people, but there are very good reasons. You might have an existing device and you want to make it work with something else. You may have your own... 
I've come across businesses that have got their own software and they've actually lost the source code to it, and they need to work out how to connect to it and get it started again. You might just want to learn how something works. Some compilers can actually have bugs, and sometimes you need to look at the disassembled code they produced to work out why your code doesn't work. And people use these tools to analyse malware, to try and work out how it works and then come up with defences against it. And that pretty much repeats everything I just said, except that radare supports all those features. So today's a tutorial, so I'm going to stop talking so much now.

One of the things about radare that I found most useful was not just the software itself, but that it comes with a suite of ancillary tools that are built in a Unixy type way. So each does one thing, and you can combine them together in shell scripts if you just want to do parts of an analysis or deal with conversions. If you're following along, I'm going to switch to the first one. There's a program called rax2. Oops, that's the wrong one. That's used for just doing number conversions. In its simplest form, you just give it a decimal number and it gives you the hex. You can already do that in bash, but this one has a whole bunch of other ways of doing it. So I'm going to type in a hexadecimal number, and it automatically works out that it's hex and converts it back to decimal. This first part of the tutorial is a bit Mickey Mouse, so we'll try and zoom through it very quickly, but I found these tools incredibly useful. Where it gets a bit more interesting is that you can convert between strings and hex and vice versa, and binary numbers, really easily. And this is the most useful bit I've found, because trying to work out off the top of your head what a binary number is can sometimes be a bit tricky when you're in a hurry. The reason I've put echo on the end of the line is that by default... I'll show you without it. Hang on. This is going to give me... one, two, three. There we go. So the reason I've put an echo is, as you can see, it's actually just done the conversion from binary straight to an ASCII character, one character. So if you wanted a new line, that's why there's an extra echo. That feature alone was when I thought, this is cool: I can write a shell script where I've got to manipulate binary numbers, and I can do it on a really simple command line. You can see the string one there, so feel free to follow on. I guess I'll continue doing them all. rax2 -S hello. So I've typed in rax2 with a capital S; you just give it a string and it will return you the hexadecimal form of that. And the reverse is in lowercase. I'm not going to type in the whole lot, but if you're participating, you can do that. So go. Does anyone need to pause on this slide for a second? Sure. Good.

The next tool is called rabin2. It's a bit like binutils' objdump, but it reports various types of similar information about binary programs. I'm using /vmlinux just because I can, but feel free to put in any program there and just see what it reports. Because it's vmlinux I have to do it with sudo, so you may choose to pick another user-space program, any binary, and try it. I should have done that earlier. And I've struck a snag; that worked earlier. Let's try this. Oh, no. What have I done? All right, moving on. You can see the output that I'm expecting there, so if it works for you, that's even better. The second one, when it runs, prints out a bunch of strings that it searches for in segments of the binary file.

The next one is rasm2, which lets you assemble and disassemble a single assembly instruction from the command line. Now, I'll point out that radare2 has quite good coverage of a whole bunch of processors, including some interesting old and venerable ones like the 6502, but support varies: some it can only disassemble, some it can only assemble. The main ones like x86, obviously, you can do everything. It's a worldwide open-source project, so like most open-source projects, people contribute what they're familiar with or what they're interested in. So the first one: I'm going rasm2 -a x86, which says it's x86 assembler. The quotes are important; if you don't put them in, it will not work. What it's produced there is the binary machine code for that assembly instruction. People that are disassembling malware will potentially put this sort of thing in a shell script if they're trying to work out what's going on, and they might want to do four bytes of random code at a time. It's also handy if you're studying and want to know what the code for that was again, or if you're working on... what's a microcontroller that you still have to write assembly for? PIC, I guess, would be a good one. You type in the numbers and see what it comes up with. And we have the reverse, so we'll disassemble. The -b 32 says it forces it to be 32-bit. Sorry? Did I type it in wrong? B8. Oh, OK. It's produced something... Oh, that doesn't matter, because... yeah, it's just a different register. So you can see it's produced a single line of assembly from that binary hex. So... Oh, yes, we'll get to that later. Yes, there's... yeah. Actually, that's a good question. There's a config file for the main radare2. Whether it goes into this, you just have to experiment. Again, these are... at the moment I'm going through the Unixy tools that you can run in a shell script, so you might not bother, but... There was a bug where if you... which one am I doing? If you didn't type in a number but just typed in a string, it would actually silently fail, but that's been fixed. 
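(Editor's added example, not from the talk and not radare2's own code: a sketch of the header parsing rabin2 does when it reports architecture, endianness and entry point for an ELF. The two header blobs are constructed inside the script, a little-endian x86-64 one and a big-endian MIPS32 one of the kind you get from router firmware. The field layout follows the ELF specification; the helper names parse_elf_header, prompt_for and the build_* functions are the example's own. prompt_for mimics the entry-point address radare2 puts in its prompt, and anything without the ELF magic is treated as a raw blob, which is what radare2 does unless you tell it the architecture and bits yourself.)

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (a small subset)
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# ELF32 and ELF64 file headers differ only in the width of e_entry/e_phoff/e_shoff
_FMT = {1: ("HHIIIIIHHHHHH", 52), 2: ("HHIQQQIHHHHHH", 64)}


def parse_elf_header(data: bytes):
    """Parse the ELF file header. Returns None when `data` is not ELF at all (a raw
    blob) and raises ValueError when it claims to be ELF but is malformed/truncated."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in _FMT or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    fmt, size = _FMT[ei_class]
    endian = "<" if ei_data == 1 else ">"
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        endian + fmt, data[16:size])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, str(e_type)),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
    }


def prompt_for(data: bytes) -> str:
    """The address radare2 shows in its prompt: the entry point for an ELF, 0 for a raw blob."""
    info = parse_elf_header(data)
    addr = info["entry"] if info else 0
    return f"[0x{addr:08x}]>"


def build_elf64_header(entry: int = 0x401000) -> bytes:
    """Constructed sample: little-endian x86-64 EXEC header with one program header."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)


def build_elf32_mips_header(entry: int = 0x80010000) -> bytes:
    """Constructed sample: big-endian MIPS32 EXEC header, as found in router firmware."""
    e_ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, entry, 52, 0, 0, 52, 32, 1, 40, 0, 0)


if __name__ == "__main__":
    for blob in (build_elf64_header(), build_elf32_mips_header(), b"\x00" * 64):
        print(prompt_for(blob), parse_elf_header(blob))
```

Run it against a real file with `parse_elf_header(open(path, "rb").read(64))`; the first 64 bytes are enough for the file header. Note that the endianness is decided by EI_DATA, not by the machine, which is exactly the thing that trips people up on MIPS devices where both byte orders are common.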
So if you get the older version out of... probably the Android one, if it hasn't been patched, or off Ubuntu or Debian, it may have that bug in it. So previously, the line on the screen would have silently failed, which is interesting if you've got FFs, and if you've got the 0x, then you get completely different stuff.

The next one is called radiff2, which is a binary diffing tool. There's already cmp in Unix, but this one adds some extra functionality that's useful in a reverse engineering context. I'm demonstrating this one with a shell script, because what I do is generate a random file and then change some data in it to illustrate the diffing tool. So you can run that and then look at the source code. If I just run it first... this assumes you're sitting in the top root of the clone of the tutorial repository, if you're following along. And then I'll bring up the code for that. Oops, do it that way. If anyone knows why gedit is so slow, and it's just a text editor, I'd love to know. So it's a fairly simple example. I've just generated a random file. By the way, this one may fail. I know it creates a temp directory now, so that's good. So it basically just makes a couple of random files. You can see on that... probably you can't see that. If you look at the output, I've changed four bytes in one file, and so the binary differ has picked up one line, and then I change four bytes and it finds them again. It's a very simple example, but cmp has a -b, which tells you the byte number and some other stuff, but one of the good things about radiff2 is it can do some other interesting things. In this case, this example, what it actually attempts to do is find code similarity, which is different from just the raw binary. So it will interpret an ELF file, which is a Linux binary, for example, and try and show you where in the program there might be differences in the code, which is different from just raw data. If you're looking to compare, say, two versions of software which are similar but you don't have the source code for either, it can give you an idea of how significant the change in the file is. So again, if I run the example... the programs in this example, the C source code, are all present as well as the binaries in the GitHub, so if you're interested in how I made them, a couple of Mickey Mouse programs, you can look at that and try it yourself later. I've forgotten the command line option, so let's try that. There we go. You notice the slide, I chopped half of it off just to make it fit, so there's a bit more in the software. So actually, I will bring up the C for this just to make it more obvious. In this particular case, what I did is a C program that just munges a couple of numbers and does a loop, and one of them prints something different from the other, and I controlled that with an #ifdef when I built it. And the bit that's different, I keep putting my finger there, so you can see the bit of the #ifdef where the case statement is; that's the unmatch in main, so that's why the diff program is telling you that. So that can be handy if you're trying to see what's happened. There's a sort of ongoing problem in software to do with provability, which a lot of the crypto people are interested in, of how do you repeatedly build a piece of software to be identical every time, so that you can make sure that someone hasn't changed something on you without you knowing. So being able to search for differences is a useful thing.

rafind2 is a binary search tool. In the example repository, I've grabbed just a standard OpenWrt Linux image and dropped it in there just to demonstrate. And normal diff searches, sorry, normally you can grep a text file. Grepping binary is, well, it's binary, so it doesn't work that well. So this is like a grep for binary files. The file that it's doing is in the data directory, if I spell it right. Oops, what did I forget? The string goes there. And what's really useful about that is it prints the hexadecimal decoding as well as the string it finds, plus the nearby bytes. Now, one thing I'll say with all the programs, rafind2 and all the rest of them: the help is actually pretty good. All of these programs have a lot of options, way too many to cover in here. So if you wonder, can it do this? Just have a look and try it. It's an awesome program to experiment with.

So those are some of the tools that come with radare2. Just by themselves, they're useful. But the main reason we're here is to have a look at radare2 itself. It is designed to do similar stuff. It doesn't yet have a fancy GUI, but I'm sure the people that build it would love someone to come along and write one. There is a web GUI, which has just come up. It's in beta, so it's a bit buggy, but we'll have a very, very brief look at that later. Sorry? Oh, there is one. Okay, awesome. Yeah, so apparently there is a GUI that someone else wrote, someone who didn't write radare but wrote a GUI for it. But this is cool. We can learn from each other here. I love this place. So I did an example here just using /sbin/init. You don't have to use that; you could pick a different binary. This is just to demonstrate some of the things you can do with radare2, some of the simplest bits, and get a feel for how it works. To run it, you just type radare2. Now, when you run it, I'm just going to do it that way for the moment, you get a prompt with an address. If you hadn't typed in that config file that I showed at the start, there would have been a fortune cookie in between there, which most of the time gives you useful information about the program. 
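(Editor's added example, again not from the talk and not radare2's code, covering the radiff2 and rafind2 passages above: a byte-level diff that reports each contiguous run of changed bytes as one entry, the way radiff2's default output groups them, and a binary search that reports every hit with its surrounding bytes as hex, the way rafind2 prints the nearby bytes. The sample blob, the patch applied to it, and the names find_all, byte_diff and patch are all constructed for this example; nothing here is radare2's own algorithm, just the same idea in plain Python so you can see what the tools are doing.)

```python
def find_all(data: bytes, needle: bytes, context: int = 8):
    """Every offset at which `needle` occurs in `data`, each paired with a hex dump
    of the hit plus `context` bytes either side (the rafind2 style of output).
    Overlapping matches are reported too, since we restart one byte after each hit."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        lo, hi = max(0, i - context), min(len(data), i + len(needle) + context)
        hits.append((i, " ".join(f"{b:02x}" for b in data[lo:hi])))
        start = i + 1
    return hits


def byte_diff(a: bytes, b: bytes):
    """Contiguous runs of differing bytes as (offset, old, new), one entry per run,
    like radiff2's byte-level output (cmp -l would list every byte separately).
    A length difference shows up as a final run whose shorter side is b""."""
    runs = []
    n = max(len(a), len(b))
    i = 0
    while i < n:
        if i < len(a) and i < len(b) and a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and not (j < len(a) and j < len(b) and a[j] == b[j]):
            j += 1
        runs.append((i, a[i:j], b[i:j]))
        i = j
    return runs


def patch(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes in place without resizing, the way the talk's demo script
    pokes a few bytes into a copy of a random file before diffing it."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("patch runs past the end of the data")
    buf = bytearray(data)
    buf[offset:offset + len(new)] = new
    return bytes(buf)


# Constructed sample standing in for a slice of firmware: padding, a version
# string, some erased-flash 0xff bytes, a path, and a second copy of "OpenWrt".
SAMPLE = (b"\x00" * 8
          + b"OpenWrt Barrier Breaker\x00"
          + b"\xff" * 8
          + b"/bin/busybox\x00"
          + b"OpenWrt\x00")

if __name__ == "__main__":
    for off, dump in find_all(SAMPLE, b"OpenWrt"):
        print(f"0x{off:08x}  {dump}")
    for off, old, new in byte_diff(SAMPLE, patch(SAMPLE, 40, b"\xde\xad\xbe\xef")):
        print(f"0x{off:08x} {old.hex()} => {new.hex()}")
```

For a real image, read the file into `data` and call `find_all(data, b"U-Boot")` or whatever string you are after; the hex context is what lets you spot whether a hit is inside a table, a string pool or code. byte_diff is deliberately naive (no insert/delete awareness), which is the same limitation the raw-byte mode of a diff tool has and why radiff2's code-aware modes exist.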
So the usual way you run it is you give it a program name. If it's a binary that's ELF or Portable Executable, if you're looking at Windows, or various others, it will actually detect that and understand it. Or you can give it an option to look at a raw binary. The number on the prompt is the address of the entry point for the binary, if it's not a raw binary. The prompt is in colour, which is incredibly useful, but if you don't like that, you can go into the config to turn it off, and we'll take a brief look at where you find that later. Every command in radare has help. All the commands are based on single letters, so it's a bit succinct, but it's designed to also be scriptable, and it's a Unixy type program. I'll start with the first one. If you just type a question mark, it shows you all the commands, and if you give it a command and a question mark, it shows you the variants of that command. There's never a space before the question mark if you want help. For some of them, if you put in a space and use a question mark, it will interpret it as a string or whatever and you'll not get what you expect.

So let's get into some actual disassembly. I've loaded a program; in this case, it happens to be the init on my laptop. pd: p for print, d for disassemble, and then a question mark shows you different ways you can disassemble. pd 32. What that's saying is just give me a disassembly from the current address in the program for 32 instructions, and I always get this backwards, yes, 32 instructions. Awesome. And it's given you a colourised disassembly, which is incredibly useful, because you often want to find stuff in a hurry, and if you're like me, unfortunately, it's often late at night too. I find this works best on a black background, but again, you can change the colours when we get to that later. You can see at the top, under the pd 32, it's already detected certain labels out of the software. So entry0 is the entry point for an ELF binary, which is a Linux binary. x86 is one of the ones it does this best at. You can see on the right-hand side it's worked out that the memory address in that assembly instruction is pointing to what could be a string. It might not be, but it does its best to guess, like how the strings command works in Unix. And down here on the bottom, it's worked out there's a branch. With x86 assembly, if you're not familiar with it, there's a jump instruction after the comparison, and the jump is a jump if it's greater than or less than or whatever you need to do. And it actually gives you a call graph. Now, this is one of the most useful things about this that you're not going to get if you're using, say, objdump to just do disassembly.

One of the next cool things about radare is it can do inline maths on addresses when you're navigating around. I probably should have split this one. So for navigation, the main command you use is s, seek. You can seek to different addresses in the binary or in the memory you're looking at. The first thing I'm going to do is just jump forward 100 bytes. And then if I go pd 32 again, it's now disassembling from 100 bytes further down from before. And you can see, if I move the mouse, maybe I should do it that way, that would be better. So where the mouse is, you can see the pointer was previously at 0x804a-whatever it was; it's now 100 bytes on. It's approximately 100 bytes, because the individual instructions are different lengths. And if you remember when we looked at rax2 and it would just automatically detect different types of numbers and convert between them, the same functionality is all built in here, because all these programs use a similar back-end library. So if I go 0x10, it's the same as if I wanted 16. And that can be incredibly handy, because it saves you sometimes having to convert in your head if you've got a number in one format or another. The other thing is, it will pull labels out of ELF binaries or Portable Executables if they are present. Most of them go into a symbol space. So I can go s sym._init, and that actually seeks to the address of the _init function that's in that binary. And then I can... Awesome. So you can do tab, so you've confirmed that tab completion works. That's great. I'm still finding my way. There's so many features in this program, so what you're getting today is a lot of what I've found useful. So pD will actually do it in bytes instead of in assembly instructions. They've thought of everything, because again, you want to run this stuff from a script a lot of the time, and if you can have as much variety in how you use it, flexibility, it's a really useful tool.

The next command I'm going to run is our function analysis. What it will do is, we're sitting at _init, af will analyse that function, and if you go pdf instead of pd, it will print to just the end of that function instead of 32 or 100 or the default number of bytes and instructions. And you can see now, again, I'll use the mouse rather than trying to point: that blue line on the outside is where the analyser has detected the length of the function. So it's able to look for, say, a return instruction and other similar constructs and work out that that's what it thinks the function is. It's not always right, because if people code in raw assembly instead of from C or another language, they can do all sorts of tricks that violate some of the common ways this works, but most of the time that will work. So where was I? And as I was saying before, inline maths in the commands as you use them, which can be very handy as well. So in theory that will jump me a bit under 384 bytes, or not. Let's try again. Yes. 
So that is approximately whatever that adds up to, further down, which is very useful if you're writing a script for this stuff.

Another important feature is you can edit data, or modify data or code. So it's like a generic binary editing tool. What I'm going to do is... as well as files, it understands special URLs. So malloc:// says just give me this many bytes of free memory to play with as a virtual file. If you just go radare2 - it gives you 512 bytes by default. In this case I'm saying just give me 32 bytes, and it's addressed automatically from zero. What I can do then is directly assemble into that memory. What I'm doing first, if anyone recognises this, is I'm telling it that the next bytes are going to be in something called 6502 assembly. If you've ever watched, um, ah... Sorry? No, no, it's in Terminator 2. I was thinking of the cartoon which has a robot called Bender, and that's the one, yes, Futurama, and so his brain has a 6502, but so do Apple IIs, and the Commodore 64 has a variant. So I thought for old times' sake we'll have a go at that. So this is where the tutorial gets slightly annoying, because I've got to type all this in now, but, um, AD 00... Actually, I'm going to skip this, because if I just write that to a file... I've got a script that does this in a minute and I'll show you that instead, so feel free to copy and paste it. No, you probably can't, because I haven't uploaded the slides yet. If I just assemble where I just went, you can see I've typed in the A9 01 8D 00 02; those are the first two assembly instructions, so we've basically assembled some raw code into this memory map, and we can write that out to just a junk file or whatever we feel like, which is the w command. So again, if you want to find out what options all these commands have, just use the question mark. So I've saved that one to disk. So in the examples directory there is a program called, where is it? Bender, there you go, which is the robot's name, and that does the example I just showed, so if you wanted to see the complete thing we can actually run that script and get the actual output. There you go. So instead of typing all that in I've scripted it, so there's an example of how to script it, and we'll look at that a bit more in a minute.

The second example on the screen is the opposite operation: instead of assembling raw binary, I'm assembling assembly language, opcode instructions, rather than typing the raw binary numbers for the assembler. This time I'm using x86, but 16-bit x86, which is what was around on DOS computers before we moved up to more modern chips. This is just a simple hello world example. What you can do in about the same number of instructions is format someone's hard drive from DOS, so luckily we're running Linux, and I haven't put in any accidental typos, so you're not going to blow anything up. You can get DOSBox and FreeDOS and various other programs, emulators you can run inside Linux or on Android or whatever, and you can find your old DOS games and play them, which is quite interesting. Now, in this case I've got quotes around it because of all the spaces, so I'm going to go wa... oops, sorry. They will be afterwards, yes, I've got to upload them to the... I probably could, actually. I'm going to cut and paste from... see, then I've got to find it in there and it will get all messed up, so that's a good idea, I'll have to remember that if there's a next time. So basically I can walk through that; it's printing a string and exiting, as was pointed out. So if you were to do all that, you would see... actually you won't see anything on the screen, because it's going to give you a program on disk that, if you ran it on a DOS computer, would do that. So I just use that as a very simple and interesting example. Am I right to move on from this screen, or are people still looking at it? So, ah, in any case, here we go. This is another scripting example, so that's one of the big things I'm trying to demonstrate with this: it's really useful for scripting this tool. Actually, I'll stay there a second. There are multiple ways to skin a cat, as with a lot of Unixy type programs. In the first one, I'm specifying on the command line that there will be a script, that we'll be using x86 assembly in 16-bit mode, and that it will be opening a file in write mode to save it. As was pointed out earlier, there is a configuration file, which I'll get to as well, where you can change some of the defaults. The second example has no options on the command line other than saying run this script, and inside that script it sets the same stuff. So there are different ways to do it, depending on however you're building up what you need to work on. I'll just run the second one. They both do exactly the same thing, so I was just going to run the second one to keep moving for everybody. The cool thing with this is, I'd encourage you to try other commands on the command line that are similar to what I'm doing, with your own numbers or binaries, and then I'll be taking some session explicitly for questions in a bit if you come across any problems doing that. -i, where am I, examples/dos... whoops, where did I miss... double minus. If you don't give any file name to radare2 it complains, so double minus means I'm not actually specifying a file name; it's actually going to be set in the script. I'll open that script up in a sec. That's a perfect example of how you use this in a script: the entire script does it all, it can produce some output that you can potentially pipe into somewhere else, and it saved me typing all that in. You can see it's generated the bytes for that data. I keep pointing at it; you can see near the mouse it's generated the data and written it out to a file, and then I've run a second thing, which I'll show you if I go back to the screen. Oh, actually I'll get the script up. So, jeez, this is what we just 
ran so I'll walk through it um the only difference from the first one which I haven't bothered to run is that it doesn't have the e in the first one because that's done on the command line instead so where it's going e is it's specifying a configuration variable and I'll talk about that on another slide in a minute but it's setting x86 16 bit mode it's using the o command to open a new file that we're going to write to we then assemble to the seek pointer which we went through before those instructions um skip forward 20 to 32 bytes and then we write into the same binary the string hello world so the dat 20 there near the carrot is the address that we've seek to where that's going to go so it's a bit of a hard core way to assemble some code but it demonstrates the example and px is printing the hex dump that you saw in the color um so if I go back to there and there's the result on the screen from running that example so the next really useful thing that I've discovered with this software is shell interaction so all the commands that are built into it you can send to a pipe or you can grab input from somewhere else and integrate that which is what makes this so powerful where I've used it found it useful so in the first example I'm going to go back to the one I did before which was just look at a binary pd dump the default number of bytes which is like 256 I think off the top of my head or the default instructions it's piping it after the pipe I've just got a plain old unix command word count wc-minusl will tell me how many lines we're in that disassembly so if I was to run that without it and manually count it there's 68 now that's an approximation because as you can see near the mouse it's putting references to various other parts of the binary file but you can turn those you can tweak that output with some of the configuration options and if you need to get an accurate count to do that this is quite an interesting one because you can see there's a few spots in 
here where it's doing jumps that it's detected the second one I'm not going to run that because that script doesn't actually exist I just did it to tell you about it you can the back ticks like in the Unix shell script you can run a command and grab the result say if it's a number or something and pass it into a radar command and the third one hopefully is reasonably obvious I can send the output to just some file and then the fourth one the bang will run a arbitrary shell command to do something with that so I can actually go cat there and I get the same thing but not in color obviously because all it's done is run the cat so as you can see that's quite handy if you are in say a tight terminal because you've installed this on an android or something you don't have to go out to another shell to actually run a command F is a flag command in radar so it's to do with manipulating those symbols that we saw before and I just use that in this case just to show you that I can use less if there's a lot of data to page it of course the downside of paging through less is you lose color at least in the default and the last one no prizes for guessing where 42 comes from it's the life of the universe and everything but so I'm basically saying disassemble 42 bytes but in this case it's actually getting 42 from running shell command so I'm not going to work through this one I've just provided it as an example that you may choose to do in your own time because I don't want to be responsible for someone destroying their partition sector so basically I'm using red R2 there I've run it with no program at all and then I've opened up a device under Unix or Linux and I've dumped 512 bytes which is the boot sector of a well until a couple of years ago nearly every computer that was running x86 and then I'm disassembling the boot sector code so yes that's the kind of thing that this tool can be quite handy for if you like me and you like playing with old computers and you're trying to 
work out what's going on. So I've mentioned this a few times: radare has a pretty good configuration interface, so the e command is the access to a lot of that. So if I go e??, there's a great big list of options that configure things like color, how wide the screen is, and fine tuning for the analyzer that looks for functions and calls, prefixes and various other information. And you saw a couple in one of the scripts I did already, where for example it sets the number of bits, so with x86 you can do 16, 32 or 64-bit disassembly; architecture, which changes the CPU architecture, and so on. So it's got help there, and there's an example there: if I do a disassembly and then I go e asm.lineswidth, I do a big one so that it's really obvious that something happened, that's just changed the indent to the left. So if you're looking at something that's quite a complicated function which has a lot of these call graph sections, you might want to shift it across so you can see them more clearly. And if you remember back at the start I got you to make a config file, you can save all of those e commands, or any command, in there and have them run automatically every time you run it, if you have a particular preference for colors or whichever other configuration you need. The next command I'm showing here is i, which shows you information on the currently accessed file, whether it's an ELF or a PE, looks at metadata about the file you're looking at. And I'm going to run is, so that will show me a whole bunch of symbols that it's detected out of that file, and that's just repeating what I just said. So I guess there's homework: if you're looking at this afterwards, or you're doing it while I'm talking about other things later, you can tweak a disassembly layout, so look at the script, look at the e? and see what you can fiddle with. And I believe there's one that lets you retain your history for when you restart it, so you can go up arrow like in GDB or whatever and see your commands
you've run in a previous session. Yep, hang on. Yes, so if you've got a binary with callbacks or debug information in it, it uses that where it can. The other thing is you can set your own symbol names on addresses. I'm not going to cover too much of that today because we don't have enough time, but yeah, it's very useful. So is that the same slide twice? Interesting, there's a bug in my presentation. So this is one of the more... where it starts to get interesting. If you've used IDA, one of the main things about that is you can do graphical call graphs, so radare2 will do that as best it can as well. So I'm going to open up this time the, I think that one that says temp should actually say examples, so if I go radare2 examples, I can see a similar one. Yeah, so that slide has a bug. And then I go aa; what it will attempt to do is analyze as much of it as it can and find all function calls that are in there, including ones that aren't labeled, if there are any. And then I go afl, it will list all the functions that it can find, and you notice some of them are just fcn. So what it does is it thinks it's found a function at that address and it doesn't know its name, so it's just giving it a label, and what you can do is rename that if you need to, which comes in really handy when you're trying to understand some code that doesn't have symbols in it. And then what I'm going to do is I'm going to run a command called ag, which generates something called a dot file, so it uses a program called Graphviz to generate the graphics. So one good thing about this is it leverages existing libraries to do useful things. And I'm not going to run that without the redirection to a file, because it will produce a fair bit of output; I'm just going to call it that. And then using the function I showed you before, where you can run a program straight from the shell, I'll use xdot, if you have that available, and then the name. And oh no, I had it there yesterday, what's going on, ugh. Okay, I'm just going to have to wing that one.
So luckily there is a... hard to see; if you've got xdot you'll get a much better picture than a snapshot. The first example I just ran actually has a really wide and very hard to see one and you've got to zoom right in, because it graphs everything it finds in the file, including even random functions that the linker left in there for whatever reason. So the second example I'm going to run, it's actually giving it the function name. And I wonder if this is buggy; I did test this bit, so I don't know what's happening on my computer. I reckon apt-get has gone and taken something back off that I had, which is nasty. Anyway, when you run the second command you actually get the output that's really hard to see on this slide, but if you've run it on your own screen you'll see it up close, and so the big one is actually main and then there's another function coming off it. And what you can do, if you're interested, again the source code is there, you can look at it and see how the call graph lines up with what you did. And often, especially if you're using an optimizing compiler, things don't always match, because the compiler may hide functions, and sometimes they also drop in functions called intrinsic functions, so you think you're doing math and the compiler will actually be doing a function call rather than just raw code. And you can automate all that; as I can see on the screen there's a sequence of commands that you could put in a shell script and run. I suspect that may fail really badly if I haven't got xdot working properly. And did I put in the examples an output I can show? Please, let's see. Yes, there's a solutions directory, by the way, which is going to save my skin here, because I can do this. Yeah, there we go, so this is that one that's really hard to fit on a slide, but now because I've got it up I can zoom in for the benefit of people who don't have the tool in front of them. That doesn't look like the same one, but anyway, whoops, but you get the general idea. Dot files look like this, which is a
reason to not normally look inside them but to use a tool that understands them. So yeah, if you run examples gen main callgraph, it is a script that does the code that's there and produces the same output. So I'm going to move on to strings. So what I'm doing here is, again, I'm looking at just a program, and then I'm going to do a search. So if I go, with r2, sbm, forward slash, so it's a bit vim-ish, or vi-ish, awesome. Whoops, where am I? We'll search the program that's just loaded and look for that string. For some reason my version that I'm running on this laptop has it one less than when I did it on my 64-bit laptop, so that's interesting. So then I can go print a string, so the address for that one is at... now this is where you've got to be a bit careful, because some of the instructions are required to put the at symbol when you're referring to an address, so remember that if things work a bit strange, you've probably dropped an at. So 0x08048f3b just illustrates, and that's a string that happens to be at that point in memory. So if I go to ps? it can print out different types of strings, so if you're dealing with, say, looking at a Delphi program, which is Pascal, half the time you can actually say print a Pascal string, or if you know it's got a zero terminator. Occasionally you might do something accidental like this, or sym.main, and it will give you that warning, which is actually better, because most of the time a message pops up and it says do you want to print out 465,000 bytes, and you're kind of going no, because it can play havoc with your terminal. The other thing is the search actually generated a temporary label, so I can always do it this way, hit0, which is a bit more convenient than having to sit there and read the address and then type it back in. And the last one is I'm doing a hex dump at that same place. So what I'm actually going to do is seek, so I'm going to change the pointer from where I'm currently actually pointing, at assembly code, to
point into data code, so pointing into the data space. So depending on your laptop the numbers will probably vary in your case, because each computer, each operating system, spins everything up at a different address, or if your computer is smart enough to use address space layout randomization they may be different every time you run. Actually they won't be, because you're not running it, we're just examining it, so that was a silly thing to say. Um, if I go px... so you'll notice I've done the ps command to the address where the string is, and I've done, that should have said s not ps, it's now changed the address to... what's going on? There we go, yeah, there's a typo on the slide there; there should be no at on the s command. As I say, it's a bit confusing; for some reason some commands you need an at when you do an address, usually the print ones. So I've jumped the pointer from what was assembly to what was data. If I try and disassemble that, it gives me junk, but if I do a hex dump, pxl 1, so that's actually px with an l, and the 1 says do one line, so I could go 10 and get a hex dump of whatever is in memory, the 10 lines at that point. And I'm going to run the analyzer again. Now it has this concept of flag spaces, so the default one has function name symbols that are pulled out of the ELF, but it has a second one where it tries to detect strings. So if I go fs, it says switch flag space to strings, and now we go f to print the flags. What it's actually done is it's found all the strings in the binary and it's generated a label for them, and that sort of matches the ASCII, but it does safeness, so if it had binary Unicode things in it, it should put an underscore, I think; I haven't played with that enough to check, because everything I've disassembled didn't have that problem. And then I can go f, grep rlimit, and we'll see how many times it found a string with that in it. And that example has just failed on me, which is interesting. And pd1, pd1, yeah, junk, because it's a string. What I was expecting to happen there, maybe
that's because I've used a few when I tested that before. What's supposed to happen is it's got a label, so if I was to seek, if I go back to the strings and I pick one, say str.once, and then I go s str.once, it actually shows you what you might see in an assembler program when you've got a data specification in the assembly. We briefly touched on this before, so I might just skip through this a bit quickly, except there's a URL for memory; the minus sign is a default that gives you 512 bytes. The -w means that you're able to write to that file, so if you don't specify that, without taking explicit commands you can't accidentally clobber something. The last one, you can specify a different offset for the ELF from the default, or if it's a raw binary and you don't know what it is but you happen to know where the bootloader is going to load it, you can force it to override that. And I don't have a file called bootloader to demonstrate that with me, but when I was working on the gadget I showed you before, that was how I was looking at it, because I knew the kernel, the bootloader, was trying to load it to that address and I wanted it to try and match it in radare. And there's some other features that I don't have time to go through, which is sort of a GUI with a more interactive way than having to remember some of the commands. There is a web interface, which I will jump into just very briefly. No, what have I done wrong there? That's the -e I've been... wrong, okay, I've got a typo going on there, I've stuffed something up. But there is a beta. There's a clipboard, so what you can do is take data out of memory and then paste it somewhere else, or use it in a macro, which is another facility which is quite handy if you want to automate stuff and so on. And there's also dollar sign variables, which are similar to the configuration but used for querying information. Now, if we get time at the end, so I've got this as a homework challenge: in the git repository is an Arduino binary. The whole solution I've listed
there, but it shows how you can use radare and tools for parsing various binary formats to take a program and then modify it and try to find out how it works, along with a technique for doing that. So Arduinos have hex files, so there's a program, objcopy, to convert it out to binary so we can look at it in radare, and then there's another program called srecord that we use afterwards, after using radare to modify it, to turn it back, perhaps. And also if you, for example, knew all about MIPS already, which is what I'm going to talk about next, feel free to work on that now. So, questions, if anybody has any? Yep, we'll be running the mic. I'm one of the people who came in through the door late and annoyed you; could you please let us know where I can get the examples? The git repository; there's a wiki page on the conference wiki under tutorials, and it's all listed there, so you can just git clone it. Questions are all online? They want me to post the slides somewhere. I'm going to upload them to my website, but they'll eventually be on the conference somewhere too. The switch? Okay, it's simply when you run... yep, I'm not sure why I'm having to do that here, because when I've got it built on my desktop computer it uses that w command, so obviously something's changed. So I guess if you open that in a browser, oops, that's a good trick, wrong browser. Actually I can probably just go do that, and if we get really lucky... this is actually Konqueror, so it may not work that well, because I've only tried it in Firefox, but yeah, because it's a modern web GUI it doesn't understand it. So how about I just... yeah, so this is a beta, so it doesn't quite work, but when it's finished I think this is going to be actually awesome, because it's a lot easier than having to remember all those commands. So you can see you've got your color-coded disassembly and you can click on things and browse to it, if the JSON was working, but this is the wrong browser, so I'm not going to demonstrate it. Anybody else? Yep. This is
a question you might choose not to answer, but I understand the way OpenWrt got started off was they could prove that the router that they started with in fact used free software, so they demanded copies of the source under the GPL. Did you think of doing that with the thing you started with? Oh no, there's actually... okay, if you're referring to the one I've got, they've actually released the GPL software for it, but there was no information on how to get into it and do it, and I had to work out how to get into the boot loader, because it wasn't U-Boot, so that's why I disassembled it. But yeah, I think you're correct; I only found OpenWrt about three years ago, but yeah, there have been all sorts of issues with embedded software and people using BusyBox and other programs and not actually doing what they're supposed to do. Anyone else? Might as well keep going. Sorry, so we'll try that. So I'm just going to talk about a few things that are relevant to where you might use this tool, or why. So there's traditional microcontrollers, which Arduino is probably one of the most topical ones for this conference, but it goes all the way back to 8051s and ARMs and PICs and all the rest. They will generally be running bare metal, so there's no operating system, so you don't get the benefit of a binary file like an ELF that gives you some labels, so you're really working down at the bare metal for those. And the other type is embedded Linux capable systems, for example the gadget I pulled apart. Here, the one on the screen, is called a Carambola, which is an open sourced gadget you can buy from a company in Europe; I paid about 30 euros for one, and Raspberry Pi is another one that's the same sort of class. And these all run Linux. So one particular chipset that's common on these is called MIPS, which is actually an architecture that's been around for quite a long time. For a bit of trivia, the original PlayStation and some of the Nintendos actually ran a MIPS processor, and there was the SGI, which was well
known; the Indy was well known a while ago now. So Linux runs on MIPS, and basically a large number of the cheapest-end home routers and gadgets like this, the TP-Links and the D-Links and all of those, all run MIPS systems on chip. So if you happen to be wanting to get into a MIPS device like the one that I showed you earlier, you need to know a bit about the architecture to understand it, because many people are familiar with, say, x86, and then you go look at a MIPS computer and you, like me the first time you do it, get really confused for a long time, until you actually decide you should go read the manual and find out how it really works. So they have a pipeline architecture, so to make it more performance efficient, different parts of different instructions will be in different parts of the computer at the same time, so that it can run different parts of the decoding and execution and memory access concurrently. What that means is that you can get some interesting optimizations that make your life difficult with disassembly, and that's why I'm pointing this out, so I'll get to that in a second. MIPS has a large number of registers and they can be used for various things. There's conventional usages which compilers will follow, so there's a0 to a3, used for holding addresses, t0 to t9. One thing that gets interesting with MIPS, if you've got to disassemble it, is different places sometimes call registers different names, so you might be looking at someone else's disassembly and it doesn't look like yours, and different disassemblers will sometimes shorten two instructions into one as a convenience, which can also make it confusing. So I'm just going to jump to a MIPS program with radare2 just to show you the difference, and that again should not say temp, it should say examples, MIPS. So this is an ELF MIPS binary that I built with an OpenWrt toolchain. Let's hope this works. Yep, s sym.main, af, pdf. So this is the MIPS disassembler; that's the easiest one. I'll keep going to point and
it's not going to work. It's like any other disassembler, it's got its own instructions. One interesting difference from x86: every instruction shown here is all 32 bits, exactly, so you don't have to worry about alignment; it's all forced into alignment. As an example, the first instruction there, it's adding two numbers together, so if I go back to the slide, I said it's got the destination register on the left and the source on the right, so it's saying stack pointer minus 0x28 bytes back into the stack pointer. So this has come from C. This is where it starts getting interesting: when you're reverse engineering, you're generally looking at code; most of the time it's probably come from a compiler like C, which gives you a bit of an advantage, because there will be common patterns that you can look for, and the same with x86 and anything else. So a very common pattern is, if you have any temporary or automatic variables, or stack variables as they're known, in a C program, you can generally see at the start of a function that it will be saving space on the stack equal to the number of bytes taken by those variables, and often that can be quite useful information, because it gives you a key as to how much data the function might be using locally, for example. So I was mentioning before the pipeline, which is one of the key performance advantages MIPS has in certain situations: delayed branches. This cost me a couple of really annoying late nights till I worked out what's going on, because I had no idea what I was doing, and I knew roughly what I was doing because it sort of made sense, and then you would have an assembly instruction and it didn't make sense anymore. And so what happens is two instructions at once will get loaded into the CPU, and even if you have a jump, they will both get executed. So you can see where I'm pointing with the arrow there, there's a jump instruction followed by a piece of assembly, and what actually happens is both: it does this and then it does the jump, and that's to do with
the pipeline, and if you have a conditional branch the same thing happens. So you'll generally find that if, say, this was a system call, a system call in a Linux program, after the jump is actually one of the arguments for the system call. So where I was getting into trouble is I found a function that would print inside this bootloader, but half the time what I thought was the string argument was rubbish, and then I realized the instruction afterwards had a pointer that matched the string when I did a string search, and that's when I went away and read the manual and learned about this, because I'd come from an x86/6502-style world where you don't have to deal with this. Where am I? Oh, come on. And again you can see that in the output here, so there's a branch instruction, but in this case the instruction afterwards always gets executed, so you'll sometimes end up with some strange looking code where, if you read it sequentially, it looks like it's writing a value into a register, and the next instruction is writing another value into the same register, which normally wouldn't make sense. Often you'll get nop instructions after jumps too, so the compiler, or the designer, realized there's nothing I want to do in that slot, so I'll just have a no-op. Other things to do with MIPS: MIPS has instruction set extensions, for various reasons. The most obvious example I've got there is there is a 16-bit instruction set extension; even though it's 32 bits, if that is present in the system on chip you can write assembly code that compacts some of the instructions into 16 bits each, so you can put two into the 32-bit space, which is really awesome for saving memory. OpenWrt recently enabled that by default in a lot of their builds, and it's not supported by radare2, which... it's coming. One thing I didn't mention before is radare2 backends a lot of its assembly and disassembly into a product called Capstone, which is another open source library for doing disassembly, and that's the bit that
needs to do the MIPS work, so that's coming at some future point, but there's a lot of work to be done in various areas. So cache configuration is another interesting one, and I'll get onto that in a second, and alignment: so as you saw before, everything has to be 32-bit, so you need to just remember that all the instructions line up properly. If you're looking at MIPS, particularly if you're looking at, say, a bootloader or bare metal, you've got to pay a bit more attention to the memory map, because Linux isn't there to sort of hold your hand with that. So the KSEGs are the equivalent of a protected mode memory area, so once Linux is up and running, your user space program runs in kuseg and the kernel is running in KSEG, but there's some special stuff about the KSEGs. So KSEG1, as it says, I'll move the pointer, that is uncached, so if you have an address there, your hardware, say hex 8000, might be linked to address 0 in RAM; it will never use the cache to get to that if you address it as 8000 in your assembler, but if you go to 8000 the same data is accessed but through the CPU cache, and it will give you faster access. And what that means is then you'll generally access direct memory mapped registers at, say, an address beginning with B, so BF for example; there's a whole bunch of well-defined ones in the system. So just things to be aware of if you're looking at disassembling code and wondering why you might sometimes see the same address done differently in two places. And the top one, KSEG2, is designed to work with a memory management unit, so that's typically used in Linux to load the memory modules in the kernel. So getting onto a bit more interesting stuff: so you do what I do, you go get one of these boards and you want to know how they work. Most of them are fairly typical embedded systems; there will be a system on chip, so it's a CPU core plus a whole bunch of IO. MIPS itself has various flavors of CPU; 34Kc is probably one of the most current ones for routers.
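The MIPS points just made (the fixed 32-bit instruction width, the addiu $sp prologue that gives away the stack frame size, the instruction after a jump or branch executing before control transfers, and kseg0 versus kseg1 aliasing the same physical memory) as an added worked example. This is editorial code, not part of the talk and not taken from radare2 or Capstone: a tiny big-endian MIPS32 decoder covering only the handful of opcodes seen in a typical function prologue and epilogue. The instruction words in SAMPLE are constructed by hand for this example, and the base address 0x80400000 is an assumed kseg0 load address, not one from the talk's gadget.

```python
"""Tiny big-endian MIPS32 decoder that marks branch delay slots (editorial example)."""
import struct

# o32 ABI register names, indexed by register number
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()


def _simm(word):
    """Sign-extend the 16-bit immediate field."""
    imm = word & 0xffff
    return imm - 0x10000 if imm & 0x8000 else imm


def decode(word, pc):
    """Return (text, has_delay_slot) for one 32-bit word fetched at address pc."""
    op, rs, rt, rd = word >> 26, (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31
    if word == 0:
        return "nop", False
    if op == 0x00:                                   # SPECIAL group, selected by funct
        funct = word & 0x3f
        if funct == 0x08:
            return f"jr ${REGS[rs]}", True
        if funct == 0x21:
            return f"addu ${REGS[rd]}, ${REGS[rs]}, ${REGS[rt]}", False
        if funct == 0x25:
            return f"or ${REGS[rd]}, ${REGS[rs]}, ${REGS[rt]}", False
    elif op == 0x03:                                 # jal: 26-bit word index inside the current 256 MiB
        target = ((pc + 4) & 0xf0000000) | ((word & 0x03ffffff) << 2)
        return f"jal {target:#x}", True
    elif op in (0x04, 0x05):                         # beq/bne: signed word offset from pc+4
        target = (pc + 4 + _simm(word) * 4) & 0xffffffff
        return f"{'beq' if op == 0x04 else 'bne'} ${REGS[rs]}, ${REGS[rt]}, {target:#x}", True
    elif op == 0x09:
        return f"addiu ${REGS[rt]}, ${REGS[rs]}, {_simm(word):#x}", False
    elif op == 0x0f:
        return f"lui ${REGS[rt]}, {word & 0xffff:#x}", False
    elif op == 0x23:
        return f"lw ${REGS[rt]}, {_simm(word):#x}(${REGS[rs]})", False
    elif op == 0x2b:
        return f"sw ${REGS[rt]}, {_simm(word):#x}(${REGS[rs]})", False
    return f".word {word:#010x}", False              # anything this toy does not know


def disassemble(code, base, big_endian=True):
    """Disassemble aligned code; each entry is (addr, text, in_delay_slot)."""
    if len(code) % 4:
        raise ValueError("MIPS32 code must be a multiple of 4 bytes")
    fmt = ">I" if big_endian else "<I"
    listing, slot = [], False
    for i in range(0, len(code), 4):
        pc = base + i
        text, branches = decode(struct.unpack_from(fmt, code, i)[0], pc)
        listing.append((pc, text, slot))   # slot: executes before the branch above takes effect
        slot = branches
    return listing


def frame_size(listing):
    """Bytes reserved on the stack by the 'addiu $sp, $sp, -N' prologue, 0 if none."""
    for _, text, _ in listing:
        if text.startswith("addiu $sp, $sp, -"):
            return int(text.rsplit("-", 1)[1], 16)
    return 0


KSEG = ((0x00000000, "kuseg"), (0x80000000, "kseg0 (cached)"),
        (0xa0000000, "kseg1 (uncached)"), (0xc0000000, "kseg2 (mapped)"))


def segment(addr):
    """Name the MIPS32 virtual segment an address falls in."""
    return [name for start, name in KSEG if addr >= start][-1]


def physical(addr):
    """kseg0 and kseg1 are both fixed windows onto the low 512 MiB of physical memory."""
    if 0x80000000 <= addr < 0xc0000000:
        return addr & 0x1fffffff
    raise ValueError("not a fixed-mapped kseg0/kseg1 address")


# Constructed sample: prologue, a call whose delay slot finishes building $a0,
# then the epilogue with the stack restore sitting in the jr delay slot.
SAMPLE = bytes.fromhex(
    "27bdffd8"   # addiu $sp, $sp, -0x28
    "afbf0024"   # sw    $ra, 0x24($sp)
    "3c048040"   # lui   $a0, 0x8040
    "0c100040"   # jal   0x80400100
    "24841234"   # addiu $a0, $a0, 0x1234   <- delay slot, runs before the call
    "8fbf0024"   # lw    $ra, 0x24($sp)
    "03e00008"   # jr    $ra
    "27bd0028"   # addiu $sp, $sp, 0x28     <- delay slot, runs before the return
)

if __name__ == "__main__":
    listing = disassemble(SAMPLE, 0x80400000)
    for addr, text, slot in listing:
        print(f"{addr:#010x}  {text:36s}{'; delay slot' if slot else ''}")
    print("stack frame:", frame_size(listing), "bytes")
    for a in (0x80000000, 0xbf000000, 0x00400000):
        print(f"{a:#010x} -> {segment(a)}")
```

Reading the listing the way the talk describes it: the addiu in the jal's delay slot is the low half of the string pointer argument, which is why the "string argument" looked like rubbish until the following instruction was taken into account, and the second addiu $sp undoes the prologue even though it sits after the jr. The kseg helpers show why a register at 0xbf000000 and a cached access at 0x9f000000 are the same physical 0x1f000000.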
Your typical gadget these days will have U-Boot, which is an open source embedded boot loader, and then later in memory you'll get the kernel, usually; there may be a partition in between for storing U-Boot information, then the kernel, and then a file system, which may be a flash file system like JFFS2, which is designed to write to flash while minimizing damage, or SquashFS, where it reads it into a RAM disk and then runs it from there. So these days these systems can be laid out as well so the kernel may have bundled into it an initramfs, so you don't have to go to the effort of having a separate file system next to it and the kernel itself loads it, or it loads the SquashFS into RAM, so there's a couple of different ways to do that. So you may or may not have binwalk on your computer. Did anyone see whether I had binwalk in the wiki instructions? Good, alright, so we'll try this now. So what I've got is, as we looked at it briefly before with that rabin2 command, rafind2 command, there's an OpenWrt system image in the data directory, so I'm going to, fingers crossed, run binwalk. So if I run it without an option, which isn't on the slide, but I'll do that first: binwalk does this kind of unpacking of layers within layers, because firmware, for various reasons related to memory conservation and obfuscation, for many, many manufacturers will have one file that you can send across the internet and download, which you then unzip and then you put into a web browser, which then gets downloaded into the firmware, and then that gets unpacked and written to the flash, and so on and so forth. So binwalk will untangle this mess and tell you what you're looking at. And so you can see, if I move the mouse to it here, binwalk is saying that the system upgrade, or the flash image, for OpenWrt is a thing called a uImage header, which is telling me that it's actually a Linux kernel that's designed to work with U-Boot. So if we go back to the diagram on the previous page, that will be saved into the
flash just after the U-Boot end area; that's where the uImage is designed to get copied. These are all set up to go consecutively, so sometimes there will be padding to line things up, and then the second big one there is a SquashFS file system, which is what I mentioned as well. So yeah, we had that one. What I'm going to show you now, because there's no slide telling you to run the command, is, and this may not have quite made it into the wiki, I think, there's a program called unsquashfs. It may be in your Linux distribution or it may not; sometimes these things are a bit hit and miss, but you can download it and compile it, and what that will do is unpack that SquashFS image so you can actually see what's inside of it. And I've actually skipped a step there, so I'm going to run binwalk again. The second time I'm actually going to, oops, check whether I had one sitting over... If I run it with -e, it will, instead of just telling me what's there, unpack all those different segments into separate files, so it's taking a bit longer this time. So what it's given me is, and it's a bit annoying that it put stuff in the directory where the file is even though I was sitting in the directory, it's made a directory starting with an underscore, and that will contain the unwrapped versions of what was in that firmware image. So if I was to run file against that one, that it arcanely has called 40, and the reason for that is it names the stuff after the address within the file, that's actually the kernel image. But what I was actually trying to demonstrate is the SquashFS, so I will remove that directory I left before and run unsquashfs on the SquashFS again. So that one, 469.squashfs, is a SquashFS file system it found starting at that address in the firmware image, and if I run that, I've now unpacked it and it's made a directory called squashfs-root, and now you can finally see the user space that might get landed onto your device out of that
firmware. So you're there, through all this muck, to get to that point. Questions? Oh, you don't have to, but they might want you to. Okay, yeah, what's your question? binwalk, if it's not an OpenWrt image? Yep, because manufacturers are nice to you. And the other thing is the guy that wrote binwalk also wrote sasquatch, which will detect every different variant of SquashFS ever written and try and unlock it for you. Yeah, so the comment was that to keep on top of the manufacturers you probably need to keep getting the latest source code for binwalk and recompiling it, and same with SquashFS, because there are so many different versions of it. SquashFS is really, really annoying because they will run them in different endiannesses as well, so they've got a magic number, hsqs, but sometimes it's sqsh and various other things, and a lot of the Linux distributions will understand SquashFS 3 and not SquashFS 4, and it's a lot of fun. So yeah, it's good stuff. So did I miss anything you suggested? No, good. So yeah, I was mentioning boot loaders. U-Boot is open source, with usually patches to support the hardware it's running on; however some gadgets, especially once you go back a few years before U-Boot became really well known, will have other boot loaders which you often will not be able to find information on, but the system is still running Linux, so you might need to go into them to find commands to be able to work out how to get Linux onto the system. So with the gadget I showed, under the "why is it good" again, so this particular one here, it had a boot loader that had some commands when you typed help, but nothing to do with getting a firmware image in and flashing it. And so I was able to use radare to reverse engineer it and look at it, and I found extra strings, and I thought that's interesting, there's extra strings here but I can't see them from help. And then I tried typing some of them in and discovered that it would let me load an image over the serial port, so that was actually quite an interesting
discovery. So we'll go to that, and that, and that, we'll get back. So I just pre-empted the first point on that slide. So the usual techniques for getting some firmware to try and unpack and have a look inside: find a serial port. Nearly every gadget, except for really locked down gadgets from telcos for example, will have a serial port somewhere. They usually look like four little dots and you have to solder something to them before you can use them, and then you can connect the USB to serial adapter and boot the thing, and usually you'll get a terminal which you don't have to type a password into, because it's just a serial port, and you've got immediate root access from the serial port, so that you can look for flash. Yes? Is there an easy way to figure out what baud rate it's using? If you have an oscilloscope; I was taught a trick many years ago where you put the CRO on it and you get it to trigger and then you look at how wide the bits are and take a guess. Most of them will be 115200 or 57600; that's all I've ever found, is one of those two, and they're pretty much always 8N1. The problem I have come across is sometimes with minicom you've got to turn off hardware flow control before you can type into it, and when you forget that it's like, why isn't this working? Oh yes, I forgot to set the setting. Getting the firmware off can sometimes be a challenge, because often custom firmwares will have various commands you might otherwise find missing. If you can get something into it, often if you've got a Linux prompt, one common technique is you find a toolchain that has the same chipset as the gadget you've got and you cross compile BusyBox and upload that into it, and then you've got all the other commands you normally get. If you can't do that, because there is no network, and this gadget I've got has Wi-Fi only, and then various other issues, at worst case, if you have something that can do dd, you can dump it into your terminal with logging on and then try and write a program that
will turn it back into something in binary on your computer. Other techniques I've seen, if you Google it: OpenSSL. Someone was looking at a router and the only command they had was OpenSSL and network connectivity, and they used that to actually send the data over the network to somewhere. So provided you can type into it somehow, there's usually a way of getting stuff in and out. So one issue we've got today is you could probably do a five-day course on all this stuff; it's a lot to cover. The radare tool has many more features than what I've looked at. Reverse engineering itself is a skill that I'm probably only at the apprentice level at; I'm only playing with toys, and you go looking at what some people have posted on the internet and it's like, how do they do that? There are some techniques, and I might just jump back now to the... how much time have I got left? How much? What I'm going to do is I'll jump back to what I had as the homework challenge before. So I have a binary that I made from Arduino, and then I pretended I've lost the source code, which is a reason you might want to go through this, and if I load the readme and get it up on the screen, and that's not the solution. So, because I was just going to talk about techniques, so what was I talking about? Oh no, I've lost my spot. What was the original question? Okay, I'll just go through it anyway. So we've got an Arduino, we've got a binary, which is a hex file. So the first thing we've got is we've got this binary, we've lost the source code, someone's given us the hex file and said oh, I crashed my computer and I've got an Arduino and I'd really like to get it back and do stuff to it. You can't get the source code back, but you can at least look at it, and if it's doing some IO you can see what it's doing. So that objcopy command, what that is doing is it's taking the hex file and converting it back to a raw bin file, which you can then look at in radare, and then the next command is, it's saying it's an AVR binary, because
Arduino use AVRs, and then it's going to load that up and look at it in radare2. And because we've got plenty of time, I'm going to attempt to do this. So we're going from prepared tutorial to sort of live demo now. This will be interesting.

So what have I got with r2 examples? Actually, I'll cheat, so I'm not going to repeat the objdump; I'm just going to go Arduino.bin. So because it's a raw binary, it's coming out and it says I'm going to start at address 0. So I'm going to just look at the first few bytes of the program, and it's a jump instruction. One technique, that's what I was going to talk about: one technique when you've got an unknown program is you can sometimes find another program that you do have the code to that does similar stuff, and compare the structures. So nearly every Arduino program is going to have a similar structure, which makes our life really easy if you're looking at Arduino instructions. So they all start with a jump somewhere else. So I'm going to go `s $j`. Now, I mentioned in passing before, there's `$`, which takes a value out of radare2 and uses it in another command. So `$j` is just "jump to the address that's in the currently seeked instruction", so instead of me typing 0x18 it's actually just going to jump to it like that. And now I'm just going to have a call to there.

So what I would do at this point, and I don't know if I've got the output, and I don't know if there's going to be enough time to generate it... so I have the way I would approach this problem. So I have an Arduino binary which I dumped with objdump, and I don't have it here to look at, so I'll skip that. So you have an Arduino binary, and you have that in one text editor, and then you compare it to what you're looking at in radare2 and look for similarities, and you think, okay, they're structured the same, so I know what that's doing, which makes your life really easy when you're trying to reverse engineer something. Oops, let's close that. So what I did in that case was I just dumped and disassembled the known one
and said, the code I'm looking at in radare2 at the moment looks similar to what I'm seeing in the program that I know what it does, and so I can guess what the functionality is. And then I was going to run `af` and `afl` and see what functions came up. And this is one we didn't go into earlier, so I'm going to rename... something has not worked properly for me, which is not very nice. So what happened when I ran this on my other computer is it found a function at 0x7a8 which I knew, from looking at the known Arduino binary, was actually main. So `afn` will let you rename a label to something else. So if I go `afn`... actually, that's what I did. I know what I'm doing now. So if I go `pd` again, and then at 7a8 `pd`, let's go 300. I'm going to cheat and do this: 0x7a... I think what I've done is I've not put enough information into that README. So I've seeked to 7a8, and I've realised that this is actually the equivalent of main in an Arduino program. So the current seek point is 7a8, so I'm going to go `afn main`, and then that gives me a label at 7... that's the wrong address, 7a8, that should have been an `@`. So the `@` means go absolute as opposed to offset. There we go. Why isn't that working? Alright, I don't have time to deal with that. So `afn` will name the current point to a label instead of just the address. The other thing we know about Arduino programs is they have a setup function in C and a loop in C, and again, the example I used to prepare this is all in the repository.

Yep? When you annotate with the `afn`, can you save those between sessions?

There is a concept of a project that I haven't... where you can save information. When I was doing it, though, I was being a bit more hackery and old school, and I was just copying and pasting my command history and then pasting it back again, because I was trying to log what I was doing. And if I was saving it in a project, that's useful in some use cases, but when you're trying to learn what's going on I found I'd rather repeat the things every time using copy and paste. But that was just me,
so yeah, you can specify, it's like a container project like in an IDE, and it will retain that type of information.

So I worked out, looking at an Arduino program, where the main loop was, and then you find it in the current one, and then using radare2 I searched for a string, found the piece of code that was calling that string, and then I patched it to do something else. So you can read that example and try it afterwards, and probably find some bugs in my solution because I've typed it up wrong, but that just gives you a bit of a flavour of what's involved with reverse engineering. It's a bit of an art as well as knowing how to use a tool; you need to think of techniques like, well, where's something similar to what I'm doing, can I look for patterns, and that sort of thing.

So back to where I was, because we're probably getting close to the end now, aren't we? Yep, okay, so we'll have a good chunk of time for questions. So yeah, it's... yep?

Are the syscalls properly recognised for MIPS?

Possibly. I've not done a lot with MIPS; I've been mainly playing with raw binaries, so you'd just have to check it. I would guess they would be. It'll pull out of an ELF all the labels it knows about, so if it's a function in a lib that it links to, there should be a label. Um, I was just experimenting. So where was I up to?

Yeah, so one thing we've discovered today is radare2 is an awesome tool, but you want to use other tools for unpacking firmware and doing other things, and it's good so you can potentially write a script in radare2 that actually automates binwalking if you needed to, if you wanted to do something over and over. But yeah, other tools are often needed in reverse engineering; there's no one tool that does everything, because there are so many complicated edge cases and moving parts. I can't really show you a real real-world use case; I'm only showing you open source software that I'm disassembling, because I guess there could be problems with showing non-open-source software. So obviously I haven't... radare2 has a
whole bunch of other features that are really awesome. It can be connected to GDB, so, I haven't actually tried this myself, but I believe you can run a program in GDB and then swap back and forth to radare2 to do various operations. It's got all sorts of features for information security, so you can hook it into fuzzing systems, use it to do something called ROP gadget searching, which is something I haven't really looked at, but it has to do with finding ways to run code on systems that try really hard to stop you running code. And it's got bindings to a whole bunch of languages, so you could write a Python program that calls radare2 to do various things as a library.

If you want something to do in the real world, it's do things like buy cheap gadgets and see if you can patch them to put your name in the web firmware or whatever else. You can have a lot of fun. The Kmart one is an interesting one: it turns out that I bought one, hooked it up to a separate network from my normal network with Wireshark running, and one of the first things it does is it goes back to a country overseas to do the dynamic DNS, which is really interesting, and I decided not to run it connected to my normal network and just use it internally. There's a really interesting example there where someone... all over the net there are examples on blogs where people are using IDA to do so, and it'd be an interesting learning exercise to try and repeat what they've done using radare2, if you're really, really keen. There are people who have jobs, but they take precautions like running in a VM. I've never tried this myself, but I like reading about it lots. I let other people do that, and I just read what they did and think it's really interesting. I won't repeat that one.

Yes, radare2 is an open source project under heavy active development. They seem to be pretty friendly; they've been really patient with me. I've submitted a few patches; I think they like the fact that some of the ones I submitted were for help. It's on GitHub,
they've got a regression test suite which always needs help, and the web UI is in beta.

There was a question over here?

If you want a really cheap device to hack on, there are $9 modems on Chinese resellers. They take about a month to get here, but they're very similar to the device you were showing on the screen there.

Oh, okay. Sorry, just want to comment on how you'd get hold of the firmware to the webcam to play with it: it just runs Linux. Quickly, I hooked up a serial port, jumped in, it runs U-Boot, so I was able to use U-Boot to just copy it off. And then I bricked it and I've been too busy to fix it. So most of them, yeah, it's all serial ports, how you get in.

If you're interested in going further, See MIPS Run is a book on O'Reilly. Wait till they have a 50% off, because it's quite expensive, but it's got a ton of information about how all the MIPS pipelining and all the other stuff works in the one book, which is really, really useful. And there's a general reverse engineering website that I came across just the other day, so I thought I'll put that up there for people to look at. And there's any number of people who love pulling things apart and then blogging about it and showing you how they did it, the Hackaday website. And thank you very much, and I guess if there's any more questions we'll do that now.

Yep? Yep, some of the gadgets will have a JTAG port. Actually, there's one on there too. So even if your serial port is causing you problems, if you're into hardware stuff and you know what you're doing, you can get a JTAG reader. Does this have a zoom? Oh, it doesn't matter, I'll just move it up. So that row of pins there is a JTAG connector, so you can solder that up and hook it up to a JTAG thing and use that. Someone earlier mentioned when OpenWRT first started, it's actually named after the routers that Linksys had; there's a WRT54G and similar ones. I had one once and I bricked it, and then I discovered that I could get a parallel port and a chip and a couple of resistors, and downloaded
some software that hooked up to those same JTAG pins in that, and it took about four hours over the parallel port, and then I had my flash back and I unbricked it. So there's a lot of all this stuff still documented all over the internet; it's just a matter of knowing what to Google for half the time. So, anything else? I'm good. Thank you very much.

So on behalf of the LTA team, you've probably all been to lots of presentations here, this is a small gift from everyone saying thank you for putting on an awesome presentation. Thank you very much.
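The worst-case extraction route mentioned earlier in the talk, dumping the flash with dd into a terminal session with logging on and turning the log back into a binary on the workstation, as an added example that is not part of the talk or the radare2 project. It assumes the dump was piped through `hexdump -C` on the device; the captured log below is constructed sample data.

```python
# Added example (not from the talk or radare2): rebuild a flash image from a
# `hexdump -C` listing captured in a terminal log (serial console + dd only).
import re

# `hexdump -C` line: 8-digit offset, up to 16 hex bytes, optional |ascii| column.
# A bare "*" line means "same as the previous line, until the next offset shown".
LINE_RE = re.compile(
    r"^([0-9a-f]{8})(?:\s+([0-9a-f]{2}(?:\s+[0-9a-f]{2})*))?\s*(?:\|.*\|)?\s*$"
)


def parse_hexdump_log(log: str) -> bytes:
    """Bytes described by the listing; ValueError on any gap or overlap, so a
    character dropped on the serial link is noticed rather than shifting the image."""
    out, prev, squeezed = bytearray(), b"", False
    for raw in log.splitlines():
        line = raw.strip()                      # also drops a trailing \r
        if not line or line[0] in "#$":         # blank lines and shell prompt echo
            continue
        if line == "*":
            squeezed = True
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        offset = int(m.group(1), 16)
        if squeezed:                            # expand the run up to this offset
            run = offset - len(out)
            if not prev or run <= 0 or run % len(prev):
                raise ValueError(f"bad squeeze run ending at {offset:#x}")
            out += prev * (run // len(prev))
            squeezed = False
        if offset != len(out):
            raise ValueError(f"gap or overlap at {offset:#x}, have {len(out):#x}")
        data = bytes.fromhex(m.group(2) or "")  # final line carries the length only
        out += data
        if data:
            prev = data
    return bytes(out)


# Constructed sample log: prompt echo, a header line, two identical 0xff lines
# that hexdump squeezed into "*", a short tail, and the closing length line.
CAPTURED_LOG = """\
# dd if=/dev/mtd0 2>/dev/null | hexdump -C
00000000  27 05 19 56 00 00 00 00  00 00 00 00 00 00 00 00  |'..V............|
00000010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000030  48 65 6c 6c 6f                                    |Hello|
00000035
"""
```

Write `parse_hexdump_log(open("minicom.cap").read())` to a file and open that in radare2 as a raw binary, as the talk does with the Arduino dump.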