aemmitt-ns / radius2 Goto Github PK

radius2 is a fast binary emulation and symbolic execution framework using radare2

License: MIT License

Rust 99.85% C 0.15%

radius2's Introduction

radius2 - fast symbolic execution with r2

radius2 is a fast symbolic execution and taint analysis framework using radare2 that is focused on covering many different architectures and executable formats. It also strives to be easy to use and has a CLI tool that makes some reversing tasks as easy as adding a symbolic value and setting a string to reach or avoid. Reversing challenges can be solved as easily as the example below.

$ radius2 -p ais3 -s flag 184 -X sorry

  flag : "ais3{I_tak3_g00d_n0t3s}"

Building

Install radare2 with

git clone https://github.com/radareorg/radare2.git
radare2/sys/install.sh

Install radius2 with cargo install radius2 or include radius2 as a dependency using radius2 = "1.0.26"

Supported Architectures

x86
amd64
ARM
AArch64

"Supported" Architectures

radius2 also "supports" MIPS, PowerPC, and Gameboy but they are almost entirely untested. Additionally radius2 supports execution of cBPF and eBPF programs.

radius2 can execute Dalvik bytecode only involving static methods and variables.

Finally there is also a varying amount of support for 6502, 8051, AVR, h8300, PIC, RISCV, SH-4, V810, V850, Xtensa.

Also PCode can be translated to ESIL with r2ghidra with pdgp (currently broken, actually maybe fixed now) so potentially more archs could be supported that way.

Example

use radius2::{Radius, Value};

fn main() {
    let mut radius = Radius::new("tests/r100");
    let mut state = radius.call_state(0x004006fd);
    let addr: u64 = 0x100000;
    let flag_val = state.symbolic_value("flag", 12 * 8);
    state.memory_write_value(&Value::Concrete(addr, 0), &flag_val, 12);
    state.registers.set("rdi", state.concrete_value(addr, 64));

    radius.breakpoint(0x004007a1);
    radius.avoid(&[0x00400790]);
    let mut new_state = radius.run(state, 1).unwrap();
    let flag = new_state.evaluate_string(&flag_val).unwrap();
    println!("FLAG: {}", flag);
    assert_eq!(flag, "Code_Talkers");
}

radius2 CLI tool

radius2 can also be installed from crates.io and easily included in packages. radius2 also has a CLI tool that can be installed with cargo install radius2

radius2 1.0.28
Austin Emmitt (@alkalinesec) <[email protected]>
A symbolic execution tool using r2 and boolector

USAGE:
    radius2 [FLAGS] [OPTIONS] --path <path>

FLAGS:
    -M, --automerge    Automatically merge states
    -V, --color        Use color output
        --crash        Execution stops on invalid memory access
    -h, --help         Prints help information
    -j, --json         Output JSON
    -z, --lazy         Evaluate symbolic PC values lazily
    -K, --merge-all    Merge all finished states
        --no-sims      Do not simulate imports
    -N, --no-modify    Disallow self-modifying code (faster sometimes)
        --no-strict    Don't avoid invalid instructions and ESIL
        --plugins      Load r2 plugins
    -P, --profile      Get performance and runtime information
    -2, --stderr       Show stderr output
    -0, --stdin        Use stdin for target program
    -1, --stdout       Show stdout output
        --version      Prints version information
    -v, --verbose      Show verbose / debugging output

OPTIONS:
    -a, --address <address>                   Address to begin execution at
    -A, --arg <arg>...                        Argument for the target program
    -x, --avoid <avoid>...                    Avoid addresses
    -X, --avoid-strings <avoid_strings>...    Avoid code xrefs to strings
    -B, --break-strings <break_strings>...    Breakpoint code xrefs to strings
    -b, --break <breakpoint>...               Breakpoint at some target address
    -c, --constrain <SYMBOL> <EXPR>           Constrain symbol values with string or pattern
    -C, --constrain-after <SYMBOL> <EXPR>     Constrain symbol or file values after execution
        --env <env>...                        Environment variable for the target program
    -e, --eval <ESIL>...                      Evaluate ESIL expression
    -E, --eval-after <ESIL>...                Evaluate ESIL expression after execution
    -f, --file <PATH> <SYMBOL>                Add a symbolic file
    -F, --fuzz <fuzz>                         Generate testcases and write to supplied dir
    -H, --hook <ADDR> <EXPR>                  Hook the provided address with an ESIL expression
    -i, --include <SYMBOL> <EXPR>             Assert symbol contains a string
    -L, --libs <libs>...                      Load libraries from path
        --max <max>                           Maximum number of states to keep at a time
    -m, --merge <merge>...                    Set address as a mergepoint
    -I, --not-include <SYMBOL> <EXPR>         Assert symbol does not contain a string
    -p, --path <path>                         Path to the target binary
    -r, --r2-cmd <CMD>...                     Run r2 command on launch
    -S, --set <REG/ADDR> <VALUE> <BITS>       Set memory or register values
    -s, --symbol <NAME> <BITS>                Create a symbolic value

This tool can be used to solve the same r100 crackme as above like

$ radius2 -p tests/r100 -a 0x4006fd -x 0x400790 -s flag 96 -S A0 0x100000 64 -S 0x100000 flag 96
  flag : "Code_Talkers"

Or even more quickly with strings using

$ radius2 -p tests/r100 -s stdin 96 -X Incorrect
  stdin : "Code_Talkers"

radius2's People

Contributors

Stargazers

Watchers

radius2's Issues

Strange allocation and fail of example code r100 with strings

The second example from the readme crashes with a huge allocation:
➜ radius git:(main) ✗ ./target/debug/radius2 -p tests/r100 -s stdin 96 -X Incorrect
memory allocation of 137421126912 bytes failed
[1] 4102 IOT instruction (core dumped) ./target/debug/radius2 -p tests/r100 -s stdin 96 -X Incorrect

Or does one need to have 130gb free for allocation?

[Question] Does radius support under-constrained symbolic execution?

Hey!

As the title suggests, does radius support under-constrained symbolic execution out of the box? Paper

`brk` syscall implementation.

Hi, I have a question regarding this piece of code:
https://github.com/aemmitt-ns/radius/blob/1a6d76a9b04eb3f6913404e2c28ca7c39f87c813/radius/src/sims/syscall.rs#L235-L244

Is this part really implementing the brk syscall?
Isn't it instead implementing the glibc wrapper function?

Please have a look at the section "C library/kernel differences" in the man page:
https://man7.org/linux/man-pages/man2/brk.2.html

However, the actual Linux system call returns the new
program break on success. On failure, the system call returns
the current break. The glibc wrapper function does some work
(i.e., checks whether the new break is less than addr) to provide
the 0 and -1 return values described above.

(I'm currently working on some kind of user-space emulator and also have to implement the brk and sbrk syscalls and I remembered your project from Twitter so I thought I'd look at how you implemented it :))

search strings api byte index issue

For whatever reason, search_strings api throws an error:

➜  radius git:(main) ✗ target/debug/radarx
==========================================
[Radarx] Profiling ======> [ais3]
==========================================
[Radarx] - Main: 0x4005C5
thread 'main' panicked at 'byte index 2 is out of bounds of ``', radius/src/r2_api.rs:790:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Looking into the source code, it seems slicing is not working for hex value:

 pub fn search_strings(&mut self, string: &str) -> R2Result<Vec<u64>> {     
        let result = self.cmd(&format!("izz~[2]~{}", string))?;                
                                                                               
        Ok(result                                                              
            .trim()                                                            
            .split('\n').map(|x| u64::from_str_radix(&x[2..], 16).unwrap_or_default())      <---    here                                               
            .filter(|x| *x != 0)                                               
            .collect())                                                        
    }

So I made the following change which fixed the issue:

pub fn search_strings(&mut self, string: &str) -> R2Result<Vec<u64>> {     
        let result = self.cmd(&format!("izz~[2]~{}", string))?;                
                                                                               
        Ok(result                                                              
            .trim()                                                            
            .split('\n').map(|x| u64::from_str_radix(x.trim_start_matches("0x"), 16).unwrap_or_default())      <---  here                                                 
            .filter(|x| *x != 0)                                               
            .collect())                                                        
    }

not support 128 bit?

000000000001c8ec:  str x7, [sp, 0x128]                      |  x7,296,sp,+,DUP,tmp,=,=[8]
000000000001c8f0:  str **q0,** [sp, 0x70]                       |  q0,112,sp,+,DUP,tmp,=,=[16]
Unknown word: q0
thread '<unnamed>' panicked at 'attempt to shift right with overflow', /r2/radius/radius/src/memory.rs:595:47

I'm seeing this when run radius for aarch64.

Question on Dalvik Execution

Hi,

the readme states:

"radius2 can execute Dalvik bytecode only involving static methods and variables."

Is this also given for a PCode representation? And what about odex elf binaries?

As r2frida is working on debugging capabilities, could this be used to have a concrete state for the symbolic execution to start and might help radius on execution of dalvik code? See nowsecure/r2frida#284

why not able to solve correctly?

Hi,
Assume I have below program:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main()
{
  char buf[5];

  memset(buf, 0, 5);

  if (!read(0, buf, 5))
    printf("read error\n");

  if (buf[0] == 'c')
    if (buf[1] == 'r')
      if (buf[2] == 'a')
        if (buf[3] == 's')
          if (buf[4] == 'h')
            abort();

  return 0;
}

I want radius2 to solve the stdio to crash.

Executing the program and output

radius2 -p crash -s stdin 128

  stdin : "crbsh\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}"

why it's crbsh not crash?

Given -F flag also doesn't generate crash, the max string it can get is cras. Any idea?

Trying EsCrackMe.apk with Frida

When trying to recreate
how-to-perform-symbolic-execution-of-mobile-apps-with-r2frida-esilsolve i get the following base.odex representation:

From the video in the blog the code looks quite the same (so i suppose its not a radare issue):

I try solving with the following code: https://gist.github.com/GanbaruTobi/1821f9c4cedbc98f07a2c15c22bfae5f

Expected result: 0xcafebabe
Got result: 0xbadd000c
The resulting flag is wrong:

Besides, if u have an idea how to pull the address correctly for each attachment, we could at this to the repo (when its working correctly).

Any presentation for this great tool?

Move the repo to radareorg

rename it to radius2 to be in sync with the plugin name?
- or maybe use r2radius?
or just rename the plugin to be radius.$dll

Why don't you publish the project on crates.io so you can use it without building on your computer?

Frida hook doesn't work in iOSCrackMe example

I'm using latest r2frida (5.7.8) version.
I've noticed that polling condition in the init_frida function never handles.
self.cmd(&format!("ps 1 @ {}", alloc))?.trim() always returns "/xFF".

Also I've found that newer r2frida requires to use hex value for ":db" command.
So we need to change Frida command to something like that to suspend app.

 let script_data = format!(
            ": Interceptor.attach(ptr('0x{:x}'),function(){});:db 0x{:x}",
            addr, func, addr
  );

But this won't help to trigger hook. ESILSolver works just fine, tho there is another scripting logic.

Bug creates overflow in processor.rs

When trying to solve the challenge:
https://github.com/angr/angr-doc/blob/master/examples/defcon2019quals_veryandroidoso/ooo.defcon2019.quals.veryandroidoso.apk

My code:

https://gist.github.com/GanbaruTobi/a01b31216e7dfc2c2e795b092eb290ca

creates a panic:

thread 'main' panicked at 'attempt to add with overflow', radius/src/processor.rs:712:17
stack backtrace:
0: rust_begin_unwind
at /rustc/7466d5492b2d28d2ba5114dbe71511a6502ac822/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/7466d5492b2d28d2ba5114dbe71511a6502ac822/library/core/src/panicking.rs:142:14
2: core::panicking::panic
at /rustc/7466d5492b2d28d2ba5114dbe71511a6502ac822/library/core/src/panicking.rs:48:5
3: radius2::processor::Processor::fetch_instruction
at ./radius/src/processor.rs:712:17
4: radius2::processor::Processor::execute_instruction
at ./radius/src/processor.rs:718:9
5: radius2::processor::Processor::step
at ./radius/src/processor.rs:742:13
6: radius2::processor::Processor::run
at ./radius/src/processor.rs:853:38
7: radius2::radius::Radius::run_until
at ./radius/src/radius.rs:467:9
8: dex::main
at ./examples/dex/src/main.rs:95:25
9: core::ops::function::FnOnce::call_once
at /rustc/7466d5492b2d28d2ba5114dbe71511a6502ac822/library/core/src/ops/function.rs:248:5
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.