
I am doing a reverse engineering practice with radare2. I want to patch the vim binary file (linux), so that when a user presses "i" it is replaced with "e".

How I can find what is read from the keyboard in the disassembly file using radare2?

Increasingly Idiotic
sMojtaba Mar

1 Answer


Assuming that I could not read the source code, I will approach the problem as follows:

  1. Create a non-writable file, open it with vim and press "i". Vim will give you the warning "Changing a readonly file".
  2. Do the following in radare2
$>r2 /usr/bin/vim
[0x00072220]> #Perform analysis
[0x00072220]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x00072220]> aae
[0x00072220]> #Search for the warning string from earlier
[0x00072220]> f~str~Changing
0x002a1db8 39 str.W10:_Warning:_Changing_a_readonly_file
[0x00072220]> #Find xref to string
[0x00072220]> axt 0x002a1db8
sym.change_warning 0x138f29 [STRING] lea rsi, str.W10:_Warning:_Changing_a_readonly_file
sym.change_warning 0x138f4c [STRING] lea rsi, str.W10:_Warning:_Changing_a_readonly_file
[0x00072220]> #Find xref to symbol
[0x00072220]> f~sym.change_warning
0x00138e70 369 sym.change_warning
[0x00072220]> axt 0x00138e70
sym.ex_diffgetput 0x8875a [CALL] call sym.change_warning
sym.edit 0x97242 [CALL] call sym.change_warning
sym.changed 0x139058 [CALL] call sym.change_warning
sym.u_undo 0x21d716 [CALL] call sym.change_warning
sym.u_savecommon 0x21de85 [CALL] call sym.change_warning
sym.undo_time 0x21f38c [CALL] call sym.change_warning
sym.undo_time 0x21f635 [CALL] call sym.change_warning
[0x00072220]> 
  3. You'll end up with a list of function calls that you could investigate further. You may want to inspect each function individually or identify which function uses scanf().
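The session above chains three lookups: find the warning string, find the instruction that references it (`axt` on the string), then find the callers of the function containing that instruction (`axt` on the symbol). The script below is an added example, not part of the answer and not vim or radare2 code: it re-creates that chain on a small constructed x86-64 image with a constructed symbol table, recognising only `lea rsi, [rip+disp32]` and `call rel32`, which is how a string reference and a direct call are encoded in a position-independent binary such as the one in the session. The addresses, symbol names and message bytes are all constructed here.

```python
"""
Added example: string -> xref -> caller chain on a constructed flat image.
Only two encodings are recognised:
  lea rsi, [rip+disp32]  ->  48 8d 35 <disp32>   (RIP-relative data reference)
  call rel32             ->  e8 <rel32>          (direct call)
Both displacements are relative to the address of the *next* instruction.
A real tool decodes instruction boundaries; this is a byte-pattern scan.
"""
import struct

# --- constructed image (base address 0) -------------------------------------
IMAGE = bytearray(0x500)
CODE = (0x100, 0x300)          # constructed "text" range
STR_ADDR = 0x400
MESSAGE = b"W10: Warning: Changing a readonly file\x00"
IMAGE[STR_ADDR:STR_ADDR + len(MESSAGE)] = MESSAGE

def enc_lea_rsi(at, target):
    """Encode `lea rsi, [rip+disp32]` placed at `at` so that it points at `target`."""
    return b"\x48\x8d\x35" + struct.pack("<i", target - (at + 7))

def enc_call(at, target):
    """Encode `call rel32` placed at `at` so that it lands at `target`."""
    return b"\xe8" + struct.pack("<i", target - (at + 5))

def put(at, code):
    IMAGE[at:at + len(code)] = code

# Constructed symbol table (name -> [start, end)), standing in for r2's sym.* flags.
SYMBOLS = {
    "change_warning": (0x100, 0x108),
    "edit":           (0x200, 0x206),
    "u_undo":         (0x210, 0x216),
    "unrelated":      (0x220, 0x22c),
}
put(0x100, enc_lea_rsi(0x100, STR_ADDR) + b"\xc3")             # change_warning: lea rsi, str ; ret
put(0x200, enc_call(0x200, 0x100) + b"\xc3")                    # edit:   call change_warning ; ret
put(0x210, enc_call(0x210, 0x100) + b"\xc3")                    # u_undo: call change_warning ; ret
put(0x220, enc_lea_rsi(0x220, 0x450) + enc_call(0x227, 0x200))  # decoys: other data, other callee

# --- the three r2 steps, re-implemented -------------------------------------
def find_string(image, needle):
    """Like `/ needle`: every offset at which `needle` occurs in the image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

def symbol_at(addr):
    """Name of the symbol whose range contains `addr`, or None."""
    for name, (lo, hi) in SYMBOLS.items():
        if lo <= addr < hi:
            return name
    return None

def xrefs_to(image, target, code=CODE):
    """Like `axt target`: (symbol, addr, kind) for each lea-rsi/call resolving to `target`."""
    lo, hi = code
    refs = []
    for at in range(lo, hi):
        if image[at:at + 3] == b"\x48\x8d\x35" and at + 7 <= hi:
            disp = struct.unpack_from("<i", image, at + 3)[0]
            if at + 7 + disp == target:
                refs.append((symbol_at(at), at, "STRING"))
        elif image[at] == 0xE8 and at + 5 <= hi:
            rel = struct.unpack_from("<i", image, at + 1)[0]
            if at + 5 + rel == target:
                refs.append((symbol_at(at), at, "CALL"))
    return refs

def callers_of_string(image, needle):
    """Chain the steps: string -> functions referencing it -> functions calling those."""
    result = {}
    for hit in find_string(image, needle):
        # r2 flags the whole string, so back up to its start (byte after the previous NUL).
        start = image.rfind(b"\x00", 0, hit) + 1
        for sym, _, _ in xrefs_to(image, start):
            if sym is None:
                continue
            result[sym] = sorted({c for c, _, _ in xrefs_to(image, SYMBOLS[sym][0]) if c})
    return result

if __name__ == "__main__":
    for sym, callers in callers_of_string(IMAGE, b"Changing a readonly").items():
        print(f"{sym} references the string; called from: {', '.join(callers)}")
```

The linear byte scan is the weak point: on real code a displacement or immediate can happen to contain `0xe8` or `48 8d 35`, so `xrefs_to` can report references that are not instructions at all. radare2 avoids this by decoding instruction boundaries during `aa`/`aae`, which is why the analysis step comes before `axt` in the session.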