ROP Emporium Challenges<\/h1>\n
Of course, you should never run un-trusted binaries on your regular computer. I’ll be working in a VirtualBox<\/a> VM running Arch Linux<\/a>. It’s not that I don’t trust the ROP Emporium creators, it’s about maintaining good habits.<\/p>\n Each challenge has a 32-bit and 64-bit version. If there’s a difference between the two (aside from addresses), I’ll try to complete the challenge for both.<\/p>\n Aside from learning ROP, my alternative goal is to learn how to use radare2<\/a>, an open source, fully-featured reverse engineering and debugging framework. The ROP Emporium Beginner’s Guide<\/a> even states that radare2 should have everything you need to complete every challenge on the site. So every challenge I attempt here, I’ll use radare2 as much as possible. Installing radare2 in Arch Linux is as simple as $ sudo pacman -S radare2<\/span>. I’m sure a package exists for most package managers in other distros. Otherwise, you can just install from their GitHub repo<\/a>.<\/p>\n One thing you’ll discover very quickly about radare2 is that it has a very<\/em> steep learning curve. And as they say, the best way to learn something is to teach it to someone else. I think the hardest part of learning radare2 is remembering all the commands. Fortunately, it has a very good, hierarchical help system. Simply entering The radare2 prompt starts you off at the entrypoint address for the binary. Let’s use the help menus to figure out how we can verify that. I know that I want to get “information” on the binary. The entrypoint address is listed in the ELF header. With any of these commands, you can append a question mark to the end to get the next level of help. Another nice feature is the internal grep command. The tilde (~) character will allow you to grep the output. Following that with a plus (+) makes the search case insensitive:<\/p>\n So we’ll probably want the “i” command. Let’s see what we can glean from that:<\/p>\n And there it is, the virtual entrypoint address is 0x00400650. As we move around the binary, that prompt will change.<\/p>\n There’s a lot you can do to customize radare2. I know I’ve only scratched the surface. Much like the Introduction After completing the Exploit Education Phoenix challenges, I started looking to advance my exploit development learning. A good next step would be learning about Return Oriented Programming (ROP) toContinue readingROP Emporium | Setup<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-896","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=896"}],"version-history":[{"count":17,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/896\/revisions"}],"predecessor-version":[{"id":961,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/896\/revisions\/961"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}radare2<\/h1>\n
Getting Help<\/h2>\n
?<\/code> without anything else gives you the top-level help menu. Since ret2win<\/a> is the first challenge, I’ll use that binary as an example:<\/p>\n![\"radare2](\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2019\/10\/r2help.png\")
<\/p>\n\r\n[0x00400650]> ? ~+ info\r\n| i[?] [file] get info about opened file from r_bin\r\n<\/pre>\n
\r\n[0x00400650]> i? ~+ entry\r\n| ie Entrypoint\r\n| iee Show Entry and Exit (preinit, init and fini)\r\n[0x00400650]> ie\r\n[Entrypoints]\r\nvaddr=0x00400650 paddr=0x00000650 haddr=0x00000018 hvaddr=0x00400018 type=program\r\n\r\n1 entrypoints\r\n<\/pre>\n
Customization<\/h2>\n
~\/.gdbinit<\/code> file that can customize your GDB environment, you can use a ~\/.radare2rc<\/code> file. Here are the customizations I’ve made so far. I’m sure I’ll keep modifying this file.<\/p>\n\r\n# Disable fortunes\r\ne cfg.fortunes = false\r\n\r\n# Enable truecolor\r\ne scr.color = 3\r\n\r\n# Start at main() in debug mode\r\ne dbg.bep = main\r\n\r\n# Set the prompt to follow PC in debug mode\r\ne dbg.follow = 1\r\n\r\n# Do not show instruction bytes\r\ne asm.bytes = false\r\n\r\n# Use UTF-8 to have pretty arrows and borders\r\ne scr.utf8 = true\r\n\r\n# Set the color theme to bright\r\neco bright\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"