Environment Information

System information: UOS Home Edition 21.3

Tools involved: gcc, edb-debugger, ghidra, radare2

Note: This is an English translation of an article I wrote earlier; if any part of it is unclear, I will improve the translation.

edb-debugger installation
# Install the build dependencies // enable developer mode first to obtain root privileges
apt-get install git
apt-get install pkg-config
apt-get install cmake
apt-get install build-essential
apt-get install libboost-dev
apt-get install libqt5xmlpatterns5-dev
apt-get install qtbase5-dev
apt-get install qt5-default
apt-get install libgraphviz-dev
apt-get install libqt5svg5-dev
apt-get install libcapstone-dev

# Build and run // if you only intend to run edb-debugger from the build directory
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build
cd build
cmake ..
make
./edb
# Alternatively, install system-wide for all users (run from the edb-debugger source directory)
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/ ..
make
make install
edb

Test code test.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>   /* included in the original test file; not used here */

int main(void) {
    puts("test");         /* the string located and patched in the steps below */
    return 0;
}

[image]

Basic information

Use r2 -A ./hello to open the file to be analysed. Command explanation: -A runs the "aaa" command, which analyses all referenced code.

[image]

it // command explanation: compute the file's hash information

[image]

iI // command explanation: display the binary's file information

[image]

ii // command explanation: display the file's imports

[image]

iz // command explanation: list the strings in the data sections

[image]

iE // command explanation: list the exports (global symbols)

[image]

afl // command explanation: list the functions found

[image]

s main // seek to the address of the main function. Command explanation: to move around the file we are inspecting, we change the current offset with the s command.

px // hex view at the current offset

pdf // disassemble the function at the current offset

[image]

or use the pdf@main command to view it // @ runs the command at the given address or symbol name instead of the current offset

[image]

Or use agf to view the function's basic block graph

[image]

View the hex dump at the crucial addresses

[image]

Note: If you cannot enter commands, enter the v command to switch to the visual interface.

Debugging

  • Run after loading
    Open the compiled hello file in edb; it detects the entry point and pauses there automatically.

Note the address of the crucial data: 0x402004

[image]

  • Jump to the corresponding address
    Right-click in the disassembly area, select Goto Expression…, and enter that address.

[image]

Right-click to edit

[image]

This area corresponds to "te"

[image]

The next line corresponds to "st"

[image]

Use the binary editor to change "te" to "fe"

[image]

Return and see that the corresponding data has changed // right-click Goto RIP to return

[image]

Output Verification

[image]

Decompile check

Load the hello file in Ghidra, find the main function in the Functions folder of the Symbol Tree window, and double-click it.

Compared with the actual source, the decompiled pseudo-code is error-free and readable at the crucial locations.

[image]

Modify file

Note: It is recommended to back up the original files before modifying them.

Open the file in write mode for analysis

[image]

Address of the crucial data: 0x402004

[image]

Check the references to that address

[image]

Original

[image]

Modification

[image]

Testing

[image]
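The edb and radare2 steps above patch the string at virtual address 0x402004 without showing how the tools turn that address into a position in the file. The following Python script is an added example, not code from the original article: it parses the ELF64 program headers to map a virtual address to a file offset, checks that the expected bytes are there, and applies the same same-length "te" to "fe" patch. It runs against a constructed minimal ELF image (make_sample_elf) rather than the compiled hello binary; for a real file, pass open(path, "rb").read() to patch_bytes instead.

```python
import struct
PT_LOAD = 1  # program header type of a loadable segment

def load_segments(data):
    """Parse ELF64 little-endian program headers; return the PT_LOAD
    segments as (file_offset, vaddr, filesz) tuples."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments

def vaddr_to_offset(segments, vaddr):
    """Map a virtual address (as shown by r2 or edb) to its file offset."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by file contents")

def patch_bytes(data, vaddr, expected, replacement):
    """Replace bytes at vaddr only if they currently equal `expected` and the
    replacement has the same length, so nothing else in the file shifts."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must keep the original length")
    off = vaddr_to_offset(load_segments(data), vaddr)
    if data[off:off + len(expected)] != expected:
        raise ValueError(f"bytes at {vaddr:#x} are not {expected!r}")
    return data[:off] + replacement + data[off + len(expected):]

def make_sample_elf():
    """Constructed minimal ELF64 image (headers plus one data segment, not a
    runnable program) holding "test\\0" at vaddr 0x402004 like the article."""
    payload = b"\0\0\0\0test\0"                           # lands at file offset 0x78
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, SysV
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 0x40, 0,
                        0, 64, 56, 1, 64, 0, 0)          # x86-64, one phdr at 0x40
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0x78, 0x402000, 0x402000,
                       len(payload), len(payload), 0x1000)  # maps 0x78 -> 0x402000
    return ehdr + phdr + payload

if __name__ == "__main__":
    patched = patch_bytes(make_sample_elf(), 0x402004, b"te", b"fe")
    print(patched[0x7c:0x81])  # b'fest\x00'
```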

This concludes the preliminary exploration; we will meet again if we have the chance.