In the previous article we learned how to load an executable and do basic analysis in radare2. This article is based on the picoCTF 2018 challenge “learn the gdb”. If you read the article about gdb you might know it already. The file is here.
Load it into radare: r2 <filename>. Let’s analyse the functions with aaa.

We see the decrypt_flag function name here. I want to look at that. Let’s go to that location using seek: s sym.decrypt_flag. And let’s see the function: pdf. And woah! It will blow up like some animal took a shit on your monitor. lol, lmfao, lol (I’m just a little sad rn).

There’s a lot going on there and I’m pretty afraid to read it right now. But what it does is…
- Program loads
- There is a flag in the memory somewhere encrypted
- This function decrypts it
- And then the program exits without giving us the flag.
What we should do is figure out a way to stop the program from exiting and retrieve the flag from memory. Sounds simple? Let’s hope so.
We have to run the program to put a breakpoint somewhere. So reload the file in debugger mode with ood, and let’s put a breakpoint at the end of the decrypt_flag function: db 0x0040090a.

And run the program until the breakpoint hits: dc.

If we scan the assembly from the pdf @ sym.decrypt_flag output above, we can see the address where the flag is stored in memory. Let’s try to see what it has.

As we know it will be a string, we can use ps @ <address>.

And profit!!! We will continue to learn radare2 in future articles.
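The same session, replayed non-interactively with radare2’s script mode so the flag can be dumped in one command. This is an added example, not code from the original post: the binary path ./learn_gdb is a hypothetical placeholder, and the flag’s address, which the post reads off the disassembly but does not print, is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the original post). Replays the interactive
# radare2 session as a script: analyse, break at the end of decrypt_flag,
# continue, then read the decrypted flag out of memory.

# Emit the r2 script, one command per line, in the order used in the post.
#   aaa : analyse so sym.decrypt_flag and friends resolve
#   db  : breakpoint at the end of decrypt_flag, before the program exits
#   dc  : continue until that breakpoint hits
#   ps  : print the bytes at the flag buffer as a string
r2_flag_script() {
    bp="$1"        # e.g. 0x0040090a, the address used in the post
    flag_addr="$2" # buffer address read off `pdf @ sym.decrypt_flag`
    printf 'aaa\ndb %s\ndc\nps @ %s\n' "$bp" "$flag_addr"
}

# Number of commands in the generated script (handy for sanity checks).
r2_script_lines() {
    r2_flag_script "$@" | wc -l | tr -d ' '
}

# Run the script against the binary in debugger mode.
#   -q : no prompt, quit after the script (-i) finishes
#   -d : open in debugger mode, same as `ood` in the interactive session
#   -i : execute the given script file
dump_flag() {
    binary="$1"; bp="$2"; flag_addr="$3"
    command -v r2 >/dev/null 2>&1 || { echo "radare2 (r2) not installed" >&2; return 1; }
    script=$(mktemp)
    r2_flag_script "$bp" "$flag_addr" > "$script"
    r2 -q -d -i "$script" "$binary" 2>/dev/null
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage: ./dump_flag.sh ./learn_gdb 0x0040090a <flag address from pdf>
# (./learn_gdb is a hypothetical path for the challenge binary.)
if [ "$#" -eq 3 ]; then
    dump_flag "$@"
fi
```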