radare2 is an open-source reverse-engineering framework built on capstone. It is simple and convenient to use and one of my favourite tools.
Official documentation: https://radare.gitbooks.io/radare2book/
Installation: https://radare.mikelloc.com/list
TODO: add a section on writing radare2 analysis scripts
TODO: flesh out the description of the static-analysis commands
## Static analysis

- Analyse the file format (executables, documents, configuration files, resource files)
- Analyse the file contents
### General operations

#### Format conversion

https://radare.gitbooks.io/radare2book/tools/rax2/intro.html

rax2 is the format-conversion tool that ships with radare2. It is simple to use and makes base conversion, encoding conversion and similar tasks convenient.

For example:

- Base conversion.

```
$ rax2 10          # decimal -> hex
0xa
$ rax2 0xa         # hex -> decimal
10
$ rax2 b30         # decimal -> binary
11110b
```

- Encoding conversion: base64 encode/decode.

```
$ rax2 -E 1291029019234           # base64 encode
MTI5MTAyOTAxOTIzNA==
$ rax2 -D MTI5MTAyOTAxOTIzNA==    # base64 decode
1291029019234
$
```
#### Hash computation

https://radare.gitbooks.io/radare2book/tools/rahash2/intro.html

rahash2 is a tool for computing hashes and running encryption/decryption algorithms. It is simple and convenient to use.

Example:

- Compute a file's hash (sha256/md5):

```
# compute the file's sha256
$ rahash2.exe -a sha256 .\WeiyunInstall_Beta_1_3.9.0.2340_20191024_160241_r0.exe
.\WeiyunInstall_Beta_1_3.9.0.2340_20191024_160241_r0.exe: 0x00000000-0x03f126cf sha256: 343c1653de94ddd4822e12b2373e48a3748d574083e8f7c82471669746cd0afe
# compute the file's md5
$ rahash2.exe -a md5 .\WeiyunInstall_Beta_1_3.9.0.2340_20191024_160241_r0.exe
.\WeiyunInstall_Beta_1_3.9.0.2340_20191024_160241_r0.exe: 0x00000000-0x03f126cf md5: a3a30a5f5ae641f30e50aaf75dee7028
$
```

- List the supported algorithms:

```
$ rahash2.exe -L
Available Hashes:
h md5
h sha1
h sha256
h sha384
h sha512
h md4
h xor
h xorpair
h parity
h entropy
h hamdist
h pcprint
h mod255
h xxhash
h adler32
h luhn
h crc8smbus
h crc15can
h crc16
h crc16hdlc
h crc16usb
h crc16citt
h crc24
h crc32
h crc32c
h crc32ecma267
h crc32bzip2
h crc32d
h crc32mpeg2
h crc32posix
h crc32q
h crc32jamcrc
h crc32xfer
h crc64
h crc64ecma
h crc64we
h crc64xz
h crc64iso
h fletcher8
h fletcher16
h fletcher32
h fletcher64
Available Encoders/Decoders:
e base64
e base91
e punycode
Available Crypto Algos:
c rc2
c rc4
c rc6
c aes-ecb
c aes-cbc
c ror
c rol
c rot
c blowfish
c cps2
c des-ecb
c xor
c serpent-ecb
$
```
#### Assembly instructions

https://radare.gitbooks.io/radare2book/content/tools/rasm2/intro.html

rasm2 assembles and disassembles instructions.

For example:

- x86 instructions: `-a` selects the architecture and `-b` the bit width of the instruction set.

```
$ rasm2.exe -a x86 -b 32 'push ebp'
55
$ rasm2.exe -a x86 -b 32 'mov ebp, esp'
89e5
$
```

- x64 instructions: `-D` means disassemble.

```
$ rasm2.exe -a x86 -b 64 -D 89e5
0x00000000 2 89e5 mov ebp, esp
$ rasm2.exe -a x86 -b 64 'mov rbp, rsp'
4889e5
$
```

- arm instructions.

```
$ rasm2.exe -a arm -b 32 'push LR'
00002de9
$
```

- thumb instructions (16-bit arm instructions).

```
$ rasm2.exe -a arm -b 16 'B 0x10'
06e0
$
```
- List the supported architectures:

```
$ rasm2.exe -L
_dAe 8 16 6502 LGPL3 6502/NES/C64/Tamagotchi/T-1000 CPU
_dAe 8 8051 PD 8051 Intel CPU
_dA_ 32 amd29k LGPL3 AMD 29k RISC CPU (by deroad)
_dA_ 16 32 arc GPL3 Argonaut RISC Core
a___ 16 32 64 arm.as LGPL3 as ARM Assembler (use ARM_AS environment) (by pancake)
adAe 16 32 64 arm BSD Capstone ARM disassembler
_dA_ 16 32 64 arm.gnu GPL3 Acorn RISC Machine CPU
_d__ 16 32 arm.winedbg LGPL2 WineDBG's ARM disassembler
adAe 8 16 avr GPL AVR Atmel
adAe 16 32 64 bf LGPL3 Brainfuck (by pancake, nibble) v4.0.0
_dA_ 32 chip8 LGPL3 Chip8 disassembler
_dA_ 16 cr16 LGPL3 cr16 disassembly plugin
_dA_ 32 cris GPL3 Axis Communications 32-bit embedded processor (by pancake)
adA_ 32 64 dalvik LGPL3 AndroidVM Dalvik
ad__ 16 dcpu16 PD Mojang's DCPU-16
_dA_ 32 64 ebc LGPL3 EFI Bytecode (by Fedor Sakharov)
adAe 16 gb LGPL3 GameBoy(TM) (z80-like) (by condret)
_dAe 16 h8300 LGPL3 H8/300 disassembly plugin
_dAe 32 hexagon LGPL3 Qualcomm Hexagon (QDSP6) V6 (by xvilka)
_d__ 32 hppa GPL3 HP PA-RISC
_dAe i4004 LGPL3 Intel 4004 microprocessor
_dA_ 8 i8080 BSD Intel 8080 CPU
adA_ 32 java Apache Java bytecode
_d__ 32 lanai GPL3 LANAI
_d__ 8 lh5801 LGPL3 SHARP LH5801 disassembler
_d__ 32 lm32 BSD disassembly plugin for Lattice Micro 32 ISA (by Felix Held)
_dA_ 32 m68k BSD Capstone M68K disassembler
_dA_ 8 32 m680x BSD Capstone M680X Disassembler
_dA_ 32 malbolge LGPL3 Malbolge Ternary VM (by condret)
_dA_ 32 mcore LGPL3 Motorola MCORE disassembler
_d__ 16 mcs96 LGPL3 condrets car
adAe 16 32 64 mips BSD Capstone MIPS disassembler
adAe 32 64 mips.gnu GPL3 MIPS CPU
_dA_ 16 msp430 LGPL3 msp430 disassembly plugin
_dA_ 32 nios2 GPL3 NIOS II Embedded Processor
_dAe 8 pic LGPL3 PIC disassembler
_dAe 32 64 ppc BSD Capstone PowerPC disassembler (by pancake)
_dA_ 32 64 ppc.gnu GPL3 PowerPC
_dA_ 32 propeller LGPL3 propeller disassembly plugin
_dA_ 32 64 riscv GPL RISC-V
_dAe 32 rsp LGPL3 Reality Signal Processor
_dAe 32 sh GPL3 SuperH-4 CPU
_dA_ 8 16 snes LGPL3 SuperNES CPU
_dAe 32 64 sparc BSD Capstone SPARC disassembler
_dA_ 32 64 sparc.gnu GPL3 Scalable Processor Architecture
_d__ 16 spc700 LGPL3 spc700, snes' sound-chip
_d__ 32 sysz BSD SystemZ CPU disassembler
_dA_ 32 tms320 LGPLv3 TMS320 DSP family (c54x,c55x,c55x+,c64x)
_d__ 32 tms320c64x BSD Capstone TMS320c64x disassembler
_d__ 32 tricore GPL3 Siemens TriCore CPU
_dAe 32 v810 LGPL3 v810 disassembly plugin (by pancake)
_dAe 32 v850 LGPL3 v850 disassembly plugin
_dAe 8 32 vax GPL VAX
adAe 32 wasm MIT WebAssembly (by cgvwzq) v0.1.0
_dA_ 32 ws LGPL3 Whitespace esotheric VM
a___ 16 32 64 x86.as LGPL3 Intel X86 GNU Assembler
_dAe 16 32 64 x86 BSD Capstone X86 disassembler
a___ 16 32 64 x86.nasm LGPL3 X86 nasm assembler
a___ 16 32 64 x86.nz LGPL3 x86 handmade assembler
_dA_ 16 xap PD XAP4 RISC (CSR)
_dA_ 32 xcore BSD Capstone XCore disassembler (by pancake)
_dAe 32 xtensa GPL3 XTensa CPU
adA_ 8 z80 GPL Zilog Z80 (by condret)
$
```
#### Dumping content

The `w` command family writes data.

```
# wtf: write bytes from the current offset to a file
[0x0040225a]> wtf hi.bin 0x1000
Dumped 4096 bytes from 0x0040225a into hi.bin
# wtf!: write everything from the current offset to the end of the file
[0x0040225a]> wtf! hi.bin
```
### File-format analysis

https://radare.gitbooks.io/radare2book/tools/rabin2/intro.html

When we get hold of a file, the first thing to do is analyse its format and get a rough picture of it. The tool for this is rabin2.

- Identify file properties: `-I`.

```
$ rabin2.exe -I .\radare2_installer-msvc_64-4.0.0.exe
arch x86
baddr 0x400000
binsz 20660224
bintype pe
bits 32
canary false
retguard false
class PE32
cmp.csum 0x013b6631
compiled Wed Apr 6 22:39:04 2016
crypto false
endian little
havecode true
hdr.csum 0x00000000
laddr 0x0
lang c
linenum true
lsyms true
machine i386
maxopsz 16
minopsz 1
nx true
os windows
overlay true
pcalign 0
pic true
relocs true
signed false
sanitiz false
static false
stripped false
subsys Windows GUI
va true
$
```

- Section analysis: `-S`.

```
$ rabin2.exe -S .\radare2_installer-msvc_64-4.0.0.exe
[Sections]
Nm Paddr Size Vaddr Memsz Perms Name
00 0x00000400 62464 0x00401000 65536 -r-x .text
01 0x0000f800 4096 0x00411000 4096 -r-x .itext
02 0x00010800 3584 0x00412000 4096 -rw- .data
03 0x00011600 0 0x00413000 24576 -rw- .bss
04 0x00011600 4096 0x00419000 4096 -rw- .idata
05 0x00012600 0 0x0041a000 4096 -rw- .tls
06 0x00012600 512 0x0041b000 4096 -r-- .rdata
07 0x00012800 43008 0x0041c000 45056 -r-- .rsrc
$
```

- Entry-point analysis: `-e`.

```
$ rabin2.exe -e .\radare2_installer-msvc_64-4.0.0.exe
[Entrypoints]
vaddr=0x004117dc paddr=0x0000ffdc haddr=0x00000128 type=program
1 entrypoints
$
```

- Import and export tables: `-i` and `-E`.

```
# imports
$ rabin2.exe -i .\radare2_installer-msvc_64-4.0.0.exe
[Imports]
Num Vaddr Bind Type Name
1 0x00419304 NONE FUNC oleaut32.dll_SysFreeString
2 0x00419308 NONE FUNC oleaut32.dll_SysReAllocStringLen
3 0x0041930c NONE FUNC oleaut32.dll_SysAllocStringLen
1 0x00419314 NONE FUNC advapi32.dll_RegQueryValueExW
2 0x00419318 NONE FUNC advapi32.dll_RegOpenKeyExW
3 0x0041931c NONE FUNC advapi32.dll_RegCloseKey
1 0x00419324 NONE FUNC user32.dll_GetKeyboardType
2 0x00419328 NONE FUNC user32.dll_LoadStringW
3 0x0041932c NONE FUNC user32.dll_MessageBoxA
4 0x00419330 NONE FUNC user32.dll_CharNextW
1 0x00419338 NONE FUNC kernel32.dll_GetACP
.........
# exports
$ rabin2.exe -E .\radare2_installer-msvc_64-4.0.0.exe
[Exports]
Num Paddr Vaddr Bind Type Size Name
$
```
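To make sense of the `-I`, `-S` and `-e` fields above (class, bits, baddr; Paddr/Vaddr/Memsz/Perms; the entry point's vaddr/paddr pair), here is an added example written for this page, not rabin2's code: a minimal PE header parser in Python that walks the DOS header, PE signature, COFF header, optional header and section table, derives the rabin2-style perms string from the section Characteristics bits, and translates the entry point RVA into a file offset through the section that contains it. The sample image is constructed in `build_sample_pe()` from the `.text`, `.itext` and `.data` values in the listing above (headers only, no section contents; it is not the real installer), so the computed entry point `vaddr=0x004117dc paddr=0x0000ffdc` can be checked against the `-e` output. `Memsz` is read straight from VirtualSize, which is an assumption about what rabin2 prints.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> Dict:
    """Read the headers behind rabin2 -I / -S / -e: class, bits, base address,
    entry point RVA and the section table with rabin2-style perms strings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        cls, bits = "PE32", 32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                # PE32+: 64-bit ImageBase at +24
        cls, bits = "PE32+", 64
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections: List[Dict] = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                   # section headers follow the optional header
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        perms = ("-" + ("r" if chars & IMAGE_SCN_MEM_READ else "-")
                 + ("w" if chars & IMAGE_SCN_MEM_WRITE else "-")
                 + ("x" if chars & IMAGE_SCN_MEM_EXECUTE else "-"))
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "paddr": rawptr, "size": rawsize, "vaddr": image_base + rva,
                         "memsz": vsize, "perms": perms})
    return {"class": cls, "bits": bits, "machine": machine, "baddr": image_base,
            "entry_rva": entry_rva, "sections": sections}


def entrypoint(info: Dict) -> Tuple[int, Optional[int]]:
    """Virtual and physical entry address as rabin2 -e prints them; paddr comes
    from the section whose virtual range covers the entry point."""
    vaddr = info["baddr"] + info["entry_rva"]
    for s in info["sections"]:
        if s["vaddr"] <= vaddr < s["vaddr"] + max(s["memsz"], s["size"]):
            return vaddr, s["paddr"] + (vaddr - s["vaddr"])
    return vaddr, None          # entry point outside every section: worth a closer look


def format_sections(info: Dict) -> str:
    """Render the section table in the layout of rabin2 -S."""
    lines = ["[Sections]", "Nm Paddr      Size   Vaddr      Memsz  Perms Name"]
    for i, s in enumerate(info["sections"]):
        lines.append(f"{i:02d} {s['paddr']:#010x} {s['size']:<6d} {s['vaddr']:#010x} "
                     f"{s['memsz']:<6d} {s['perms']}  {s['name']}")
    return "\n".join(lines)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no section contents) using the section
    values from the rabin2 listing above; not a real installer binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x117DC)                        # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    code = 0x60000020   # CODE | MEM_EXECUTE | MEM_READ
    rw = 0xC0000040     # INITIALIZED_DATA | MEM_READ | MEM_WRITE
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, rva, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, rva, rs, rp, ch in [
            (b".text", 65536, 0x1000, 62464, 0x400, code),
            (b".itext", 4096, 0x11000, 4096, 0xF800, code),
            (b".data", 4096, 0x12000, 3584, 0x10800, rw),
        ])
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"class {info['class']}  bits {info['bits']}  baddr {info['baddr']:#x}")
    print(format_sections(info))
    va, pa = entrypoint(info)
    print(f"[Entrypoints]\nvaddr={va:#010x} paddr={pa:#010x}")
```

The same `entrypoint()` check is a cheap triage signal on real samples: an entry point that falls outside every section, or inside a writable one, is something rabin2's `-e` line will not flag on its own.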
### Executable analysis

`a` is the analysis command family: `aa` analyses the flags starting with `sym.` and the entry point (`entry0`), `aaa` additionally analyses function calls and references, and `afl` lists the functions found by the analysis.

```
$ radare2 .\ChromeSetup.exe
-- Control the signal handlers of the child process with the 'dk' command
[0x00404eb3]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x00404eb3]> afl
0x00404eb3 21 390 -> 337 entry0
0x0040225a 12 203 main
[0x00404eb3]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00404eb3]> afl
0x00404eb3 21 390 -> 337 entry0
0x0040225a 12 203 main
0x00413932 5 83 fcn.00413932
0x00413985 1 35 fcn.00413985
0x004059c0 24 346 fcn.004059c0
0x00401097 4 40 fcn.00401097
0x00405139 1 21 fcn.00405139
0x004050fe 4 59 fcn.004050fe
0x00401026 1 19 fcn.00401026
0x0040103b 1 33 fcn.0040103b
0x0040111c 4 28 fcn.0040111c
0x00413c28 1 14 fcn.00413c28
0x00413f1d 6 48599 -> 68 fcn.00413f1d
0x0040a7b9 3 19 fcn.0040a7b9
0x0040a468 11 133 fcn.0040a468
0x0040a740 7 67 fcn.0040a740
0x00401168 6 65 fcn.00401168
0x0040569e 3 17 -> 266 fcn.0040569e
0x004056d7 3 249 loc.004056d7
0x0041392c 1 6 sub.KERNEL32.dll_IsProcessorFeaturePresent
0x004056af 1 40 fcn.004056af
...
```
`s` seeks to an address.

```
# ~ works like grep
[0x00404eb3]> afl~main
0x0040225a 12 203 main
# s seeks to the target address; here, the address of main
[0x00404eb3]> s main
# pdf disassembles the current function
[0x0040225a]> pdf
;-- eip:
┌ (fcn) main 203
│ int main (int argc, char **argv, char **envp);
│ ; var int32_t var_24h @ ebp-0x24
│ ; var int32_t var_20h @ ebp-0x20
│ ; var int32_t var_1ch @ ebp-0x1c
│ ; var int32_t var_18h @ ebp-0x18
│ ; var int32_t var_14h @ ebp-0x14
│ ; var int32_t var_10h @ ebp-0x10
│ ; var int32_t var_ch @ ebp-0xc
│ ; var int32_t var_8h @ ebp-0x8
│ ; var int32_t var_4h @ ebp-0x4
│ ; arg int32_t arg_8h @ ebp+0x8
│ ; arg int32_t arg_10h @ ebp+0x10
│ ; CALL XREF from entry0 @ 0x404e2a
│ 0x0040225a 55 push ebp
│ 0x0040225b 8bec mov ebp, esp
│ 0x0040225d 83ec24 sub esp, 0x24
│ 0x00402260 685cb94100 push str.SetDefaultDllDirectories ; 0x41b95c ; "SetDefaultDllDirectories"
│ 0x00402265 68f4b84100 push str.kernel32.dll ; 0x41b8f4 ; u"kernel32.dll" ; HMODULE hModule
│ 0x0040226a ff1528604100 call dword [sym.imp.KERNEL32.dll_GetModuleHandleW] ; 0x416028 ; "R\xc7\x01" ; HMODULE GetModuleHandleW(LPCWSTR lpModuleName)
│ 0x00402270 50 push eax ; LPCSTR lpProcName
│ 0x00402271 ff1564604100 call dword [sym.imp.KERNEL32.dll_GetProcAddress] ; 0x416064 ; "j\xc8\x01" ; FARPROC GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
│ 0x00402277 85c0 test eax, eax
│ ┌─< 0x00402279 7407 je 0x402282
│ │ 0x0040227b 6800080000 push 0x800 ; 2048
│ │ 0x00402280 ffd0 call eax
│ │ ; CODE XREF from main @ 0x402279
│ └─> 0x00402282 56 push esi
│ 0x00402283 57 push edi
│ 0x00402284 6a02 push 2 ; 2 ; LPVOID pvReserved
│ 0x00402286 33ff xor edi, edi
│ 0x00402288 57 push edi ; DWORD dwCoInit
│ 0x00402289 ff1598614100 call dword [sym.imp.ole32.dll_CoInitializeEx] ; 0x416198 ; "$\xcd\x01" ; HRESULT CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit)
│ 0x0040228f 8bf0 mov esi, eax
│ 0x00402291 85f6 test esi, esi
│ ┌─< 0x00402293 7904 jns 0x402299
│ │ 0x00402295 8bce mov ecx, esi
│ ┌──< 0x00402297 eb10 jmp 0x4022a9
│ ││ ; CODE XREF from main @ 0x402293
│ │└─> 0x00402299 51 push ecx
│ │ 0x0040229a e8e3f0ffff call fcn.00401382
│ │ 0x0040229f 59 pop ecx
│ │ 0x004022a0 84c0 test al, al
│ │┌─< 0x004022a2 750e jne 0x4022b2
│ ││ 0x004022a4 b903070480 mov ecx, 0x80040703
│ ││ ; CODE XREF from main @ 0x402297
│ └──> 0x004022a9 e805ffffff call fcn.004021b3
│ │ 0x004022ae 8bf8 mov edi, eax
│ ┌──< 0x004022b0 eb59 jmp 0x40230b
│ ││ ; CODE XREF from main @ 0x4022a2
│ │└─> 0x004022b2 8b4508 mov eax, dword [arg_8h]
│ │ 0x004022b5 8d4de0 lea ecx, [var_20h]
│ │ 0x004022b8 ff7510 push dword [arg_10h]
│ │ 0x004022bb 8945dc mov dword [var_24h], eax
│ │ 0x004022be e82d020000 call fcn.004024f0
│ │ 0x004022c3 e818efffff call fcn.004011e0
│ │ 0x004022c8 50 push eax
│ │ 0x004022c9 8d4de4 lea ecx, [var_1ch]
│ │ 0x004022cc e836060000 call fcn.00402907
│ │ 0x004022d1 897de8 mov dword [var_18h], edi
│ │ 0x004022d4 897dec mov dword [var_14h], edi
│ │ 0x004022d7 897df0 mov dword [var_10h], edi
│ │ 0x004022da 897df4 mov dword [var_ch], edi
│ │ 0x004022dd e8feeeffff call fcn.004011e0
│ │ 0x004022e2 50 push eax
│ │ 0x004022e3 8d4df8 lea ecx, [var_8h]
│ │ 0x004022e6 e81c060000 call fcn.00402907
│ │ 0x004022eb e8f0eeffff call fcn.004011e0
│ │ 0x004022f0 50 push eax
│ │ 0x004022f1 8d4dfc lea ecx, [var_4h]
│ │ 0x004022f4 e80e060000 call fcn.00402907
│ │ 0x004022f9 8d4ddc lea ecx, [var_24h]
│ │ 0x004022fc e804f3ffff call fcn.00401605
│ │ 0x00402301 8d4ddc lea ecx, [var_24h]
│ │ 0x00402304 8bf8 mov edi, eax
│ │ 0x00402306 e885f2ffff call fcn.00401590
│ │ ; CODE XREF from main @ 0x4022b0
│ └──> 0x0040230b 81fef0010480 cmp esi, 0x800401f0
│ ┌─< 0x00402311 740a je 0x40231d
│ │ 0x00402313 85f6 test esi, esi
│ ┌──< 0x00402315 7806 js 0x40231d
│ ││ 0x00402317 ff1594614100 call dword [sym.imp.ole32.dll_CoUninitialize] ; 0x416194 ; void CoUninitialize(void)
│ ││ ; CODE XREFS from main @ 0x402311, 0x402315
│ └└─> 0x0040231d 8bc7 mov eax, edi
│ 0x0040231f 5f pop edi
│ 0x00402320 5e pop esi
│ 0x00402321 c9 leave
└ 0x00402322 c21000 ret 0x10
[0x0040225a]>
```
- Advanced analysis: the `af` command family.

`afi`: analyse the current function and report its stack frame, instruction bit width, basic blocks, cross references and more.

```
[0x0040225a]> afi
#
offset: 0x0040225a
name: main
size: 203
is-pure: false
realsz: 203
stackframe: 84
call-convention: cdecl
cyclomatic-cost : 114
cyclomatic-complexity: 6
bits: 32
type: sym [NEW]
num-bbs: 12
edges: 16
end-bbs: 1
call-refs: 0x00416028 C 0x00416064 C 0x00402282 J 0x00416198 C 0x00402299 J 0x004022a9 J 0x00401382 C 0x004022b2 J 0x004021b3 C 0x0040230b J 0x004024f0 C 0x004011e0 C 0x00402907 C 0x004011e0 C 0x00402907 C 0x004011e0 C 0x00402907 C 0x00401605 C 0x00401590 C 0x0040231d J 0x0040231d J 0x00416194 C
data-refs: 0x0041b95c 0x0041b8f4
code-xrefs: 0x00404e2a C 0x00402279 J 0x00402293 J 0x00402297 J 0x004022a2 J 0x004022b0 J 0x00402311 J 0x00402315 J
in-degree: 8
out-degree: 15
data-xrefs:
locals: 9
args: 2
var int32_t var_24h @ ebp-0x24
var int32_t var_20h @ ebp-0x20
var int32_t var_1ch @ ebp-0x1c
var int32_t var_18h @ ebp-0x18
var int32_t var_14h @ ebp-0x14
var int32_t var_10h @ ebp-0x10
var int32_t var_ch @ ebp-0xc
var int32_t var_8h @ ebp-0x8
var int32_t var_4h @ ebp-0x4
arg int32_t arg_8h @ ebp+0x8
arg int32_t arg_10h @ ebp+0x10
diff: type: new
[0x0040225a]>
```

`afb`: list all basic blocks of the current function.

```
[0x0040225a]> afb
0x0040225a 0x0040227b 01:53E7 33 j 0x00402282 f 0x0040227b
0x0040227b 0x00402282 01:53EE 7 j 0x00402282
0x00402282 0x00402295 01:53EF 19 j 0x00402299 f 0x00402295
0x00402295 0x00402299 01:53F6 4 j 0x004022a9
0x00402299 0x004022a4 01:53F7 11 j 0x004022b2 f 0x004022a4
0x004022a4 0x004022a9 01:53FA 5 j 0x004022a9
0x004022a9 0x004022b2 00:0000 9 j 0x0040230b
0x004022b2 0x0040230b 01:53FC 89 j 0x0040230b
0x0040230b 0x00402313 01:540D 8 j 0x0040231d f 0x00402313
0x00402313 0x00402317 01:540E 4 j 0x0040231d f 0x00402317
0x00402317 0x0040231d 00:0000 6 j 0x0040231d
0x0040231d 0x00402325 01:540F 8
[0x0040225a]>
```

`afx`: list all cross references of the current function.

```
[0x0040225a]> afx
d 0x00402260 -> 0x0041b95c
d 0x00402265 -> 0x0041b8f4
C 0x0040226a -> 0x00416028
C 0x00402271 -> 0x00416064
c 0x00402279 -> 0x00402282
C 0x00402289 -> 0x00416198
c 0x00402293 -> 0x00402299
c 0x00402297 -> 0x004022a9
C 0x0040229a -> 0x00401382
c 0x004022a2 -> 0x004022b2
C 0x004022a9 -> 0x004021b3
c 0x004022b0 -> 0x0040230b
C 0x004022be -> 0x004024f0
C 0x004022c3 -> 0x004011e0
C 0x004022cc -> 0x00402907
C 0x004022dd -> 0x004011e0
C 0x004022e6 -> 0x00402907
C 0x004022eb -> 0x004011e0
C 0x004022f4 -> 0x00402907
C 0x004022fc -> 0x00401605
C 0x00402306 -> 0x00401590
c 0x00402311 -> 0x0040231d
c 0x00402315 -> 0x0040231d
C 0x00402317 -> 0x00416194
[0x0040225a]>
```
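The `afi` counts (`num-bbs`, `edges`, `end-bbs`, `cyclomatic-complexity`) can be recomputed from the `afb` listing, which is both a sanity check on the analysis and the kind of thing an analysis script does. The Python below is an added example written for this page, not radare2's own code: it parses the `afb` lines (start, end, section:offset, size, then optional `j` jump and `f` fall-through successors) into a control-flow graph, computes those counts (cyclomatic complexity as E - N + 2), and flags two things worth knowing before trusting the graph: successor addresses that are not block starts, and blocks unreachable from the entry. The embedded input is the `afb` output of `main` shown above; in a real script the text would come from `r2 -qc 'aa; s main; afb' <file>` or from r2pipe's `cmd("afb")`. Over that listing it yields 12 blocks, 16 edges, 1 exit block and complexity 6, matching `afi`, and the block sizes add up to the 203 bytes `afi` reports.

```python
import re
from typing import Dict, List, Set

# Constructed input: the `afb` listing of main from the session above, copied
# verbatim. In practice it comes from `r2 -qc 'aa; s main; afb' file` or r2pipe.
AFB_OUTPUT = """\
0x0040225a 0x0040227b 01:53E7 33 j 0x00402282 f 0x0040227b
0x0040227b 0x00402282 01:53EE 7 j 0x00402282
0x00402282 0x00402295 01:53EF 19 j 0x00402299 f 0x00402295
0x00402295 0x00402299 01:53F6 4 j 0x004022a9
0x00402299 0x004022a4 01:53F7 11 j 0x004022b2 f 0x004022a4
0x004022a4 0x004022a9 01:53FA 5 j 0x004022a9
0x004022a9 0x004022b2 00:0000 9 j 0x0040230b
0x004022b2 0x0040230b 01:53FC 89 j 0x0040230b
0x0040230b 0x00402313 01:540D 8 j 0x0040231d f 0x00402313
0x00402313 0x00402317 01:540E 4 j 0x0040231d f 0x00402317
0x00402317 0x0040231d 00:0000 6 j 0x0040231d
0x0040231d 0x00402325 01:540F 8
"""

# start end <section:offset> size [j <jump>] [f <fail>]
AFB_LINE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+\S+\s+(\d+)"
    r"(?:\s+j\s+(0x[0-9a-f]+))?(?:\s+f\s+(0x[0-9a-f]+))?$")


def parse_afb(text: str) -> Dict[int, Dict]:
    """Map each basic-block start address to its end, size and successors."""
    blocks: Dict[int, Dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AFB_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised afb line: {line!r}")
        start, end, size, jump, fail = m.groups()
        blocks[int(start, 16)] = {
            "end": int(end, 16),
            "size": int(size),
            "succ": [int(x, 16) for x in (jump, fail) if x],
        }
    return blocks


def cfg_metrics(blocks: Dict[int, Dict]) -> Dict[str, int]:
    """The counts afi reports: basic blocks, edges, exit blocks, cyclomatic
    complexity E - N + 2 (one connected component), plus the summed size."""
    n = len(blocks)
    e = sum(len(b["succ"]) for b in blocks.values())
    return {
        "num-bbs": n,
        "edges": e,
        "end-bbs": sum(1 for b in blocks.values() if not b["succ"]),
        "cyclomatic-complexity": e - n + 2,
        "size": sum(b["size"] for b in blocks.values()),
    }


def dangling_edges(blocks: Dict[int, Dict]) -> List[int]:
    """Successor addresses that are not block starts: a sign that the analysis
    missed code or that a block boundary is off."""
    return sorted({s for b in blocks.values() for s in b["succ"] if s not in blocks})


def unreachable(blocks: Dict[int, Dict], entry: int) -> List[int]:
    """Blocks that cannot be reached from entry by following j/f edges."""
    seen: Set[int] = set()
    todo = [entry]
    while todo:
        cur = todo.pop()
        if cur in seen or cur not in blocks:
            continue
        seen.add(cur)
        todo.extend(blocks[cur]["succ"])
    return sorted(set(blocks) - seen)


if __name__ == "__main__":
    bbs = parse_afb(AFB_OUTPUT)
    for key, value in cfg_metrics(bbs).items():
        print(f"{key}: {value}")
    print("dangling edges:", [hex(a) for a in dangling_edges(bbs)])
    print("unreachable:", [hex(a) for a in unreachable(bbs, min(bbs))])
```

The complexity figure is the quick way to spot the handful of functions worth reading by hand in a large `afl` listing; the dangling-edge check is what tells you when `aa` needs to be followed by `aaa` or a manual `af` at an address the analysis skipped.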
## Help

### Tool help

#### rax2

```
PS C:\Users\L0phTg> rax2 --help
Usage: rax2 [options] [expr ...]
=[base] ; rax2 =10 0x46 -> output in base 10
int -> hex ; rax2 10
hex -> int ; rax2 0xa
-int -> hex ; rax2 -77
-hex -> int ; rax2 0xffffffb3
int -> bin ; rax2 b30
int -> ternary ; rax2 t42
bin -> int ; rax2 1010d
ternary -> int ; rax2 1010dt
float -> hex ; rax2 3.33f
hex -> float ; rax2 Fx40551ed8
oct -> hex ; rax2 35o
hex -> oct ; rax2 Ox12 (O is a letter)
bin -> hex ; rax2 1100011b
hex -> bin ; rax2 Bx63
ternary -> hex ; rax2 212t
hex -> ternary ; rax2 Tx23
raw -> hex ; rax2 -S < /binfile
hex -> raw ; rax2 -s 414141
-l ; append newline to output (for -E/-D/-r/..
-a show ascii table ; rax2 -a
-b bin -> str ; rax2 -b 01000101 01110110
-B str -> bin ; rax2 -B hello
-d force integer ; rax2 -d 3 -> 3 instead of 0x3
-e swap endianness ; rax2 -e 0x33
-D base64 decode ;
-E base64 encode ;
-f floating point ; rax2 -f 6.3+2.1
-F stdin slurp code hex ; rax2 -F < shellcode.[c/py/js]
-h help ; rax2 -h
-i dump as C byte array ; rax2 -i < bytes
-k keep base ; rax2 -k 33+3 -> 36
-K randomart ; rax2 -K 0x34 1020304050
-L bin -> hex(bignum) ; rax2 -L 111111111 # 0x1ff
-n binary number ; rax2 -n 0x1234 # 34120000
-o octalstr -> raw ; rax2 -o \162 \62 # r2
-N binary number ; rax2 -N 0x1234 # \x34\x12\x00\x00
-r r2 style output ; rax2 -r 0x1234
-s hexstr -> raw ; rax2 -s 43 4a 50
-S raw -> hexstr ; rax2 -S < /bin/ls > ls.hex
-t tstamp -> str ; rax2 -t 1234567890
-x hash string ; rax2 -x linux osx
-u units ; rax2 -u 389289238 # 317.0M
-w signed word ; rax2 -w 16 0xffff
-v version ; rax2 -v
```
#### rahash2

```
$ rahash2.exe -h
Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
-a algo comma separated list of algorithms (default is 'sha256')
-b bsize specify the size of the block (instead of full file)
-B show per-block hash
-c hash compare with this hash
-e swap endian (use little endian)
-E algo encrypt. Use -S to set key and -I to set IV
-D algo decrypt. Use -S to set key and -I to set IV
-f from start hashing at given address
-i num repeat hash N iterations
-I iv use give initialization vector (IV) (hexa or s:string)
-S seed use given seed (hexa or s:string) use ^ to prefix (key for -E)
(- will slurp the key from stdin, the @ prefix points to a file
-k show hash using the openssh's randomkey algorithm
-q run in quiet mode (-qq to show only the hash)
-L list all available algorithms (see -a)
-r output radare commands
-s string hash this string instead of files
-t to stop hashing at given address
-x hexstr hash this hexpair string instead of files
-v show version information
$
```
#### rasm2

```
$ rasm2.exe -h
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
[-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
-a [arch] Set architecture to assemble/disassemble (see -L)
-A Show Analysis information from given hexpairs
-b [bits] Set cpu register size (8, 16, 32, 64) (RASM2_BITS)
-B Binary input/output (-l is mandatory for binary input)
-c [cpu] Select specific CPU (depends on arch)
-C Output in C format
-d, -D Disassemble from hexpair bytes (-D show hexpairs)
-e Use big endian instead of little endian
-E Display ESIL expression (same input as in -d)
-f [file] Read data from file
-F [in:out] Specify input and/or output filters (att2intel, x86.pseudo, ...)
-h, -hh Show this help, -hh for long
-i [len] ignore/skip N bytes of the input buffer
-j output in json format
-k [kernel] Select operating system (linux, windows, darwin, ..)
-l [len] Input/Output length
-L List Asm plugins: (a=asm, d=disasm, A=analyze, e=ESIL)
-o,-@ [addr] Set start address for code (default 0)
-O [file] Output file name (rasm2 -Bf a.asm -O a)
-p Run SPP over input for assembly
-q quiet mode
-r output in radare commands
-s [syntax] Select syntax (intel, att)
-v Show version information
-x Use hex dwords instead of hex pairs when assembling.
-w What's this instruction for? describe opcode
If '-l' value is greater than output length, output is padded with nops
If the last argument is '-' reads from stdin
Environment:
RASM2_NOPLUGINS do not load shared plugins (speedup loading)
RASM2_ARCH same as rasm2 -a
RASM2_BITS same as rasm2 -b
R_DEBUG if defined, show error messages and crash signal
$
```
#### rabin2

```
$ rabin2.exe -h
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSUvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
[-o str] [-O str] [-k query] [-D lang symname] file
-@ [addr] show section, symbol or import at addr
-A list sub-binaries and their arch-bits pairs
-a [arch] set arch (x86, arm, .. or <arch>_<bits>)
-b [bits] set bits (32, 64 ...)
-B [addr] override base address (pie bins)
-c list classes
-cc list classes in header format
-C [fmt:C:D] create [elf,mach0,pe] with Code and Data hexpairs (see -a)
-d show debug/dwarf information
-D lang name demangle symbol name (-D all for bin.demangle=true)
-e entrypoint
-ee constructor/destructor entrypoints
-E globally exportable symbols
-f [str] select sub-bin named str
-F [binfmt] force to use that bin plugin (ignore header check)
-g same as -SMZIHVResizcld -SS -ee (show all info)
-G [addr] load address . offset to header
-h this help message
-H header fields
-i imports (symbols imported from libraries)
-I binary info
-j output in json
-k [sdb-query] run sdb query. for example: '*'
-K [algo] calculate checksums (md5, sha1, ..)
-l linked libraries
-L [plugin] list supported bin plugins or plugin details
-m [addr] show source line at addr
-M main (show address of main symbol)
-n [str] show section, symbol or import named str
-N [min:max] force min:max number of chars per string (see -z and -zz)
-o [str] output file/folder for write operations (out by default)
-O [str] write/extract operations (-O help)
-p show physical addresses
-P show debug/pdb information
-PP download pdb file for binary
-q be quiet, just show fewer data
-qq show less info (no offset/size for -z for ex.)
-Q show load address used by dlopen (non-aslr libs)
-r radare output
-R relocations
-s symbols
-S sections
-SS segments
-t display file hashes
-T display file signature
-u unfiltered (no rename duplicated symbols/sections)
-U resoUrces
-v display version and quit
-V Show binary version information
-w display try/catch blocks
-x extract bins contained in file
-X [fmt] [f] .. package in fat or zip the given files and bins contained in file
-z strings (from data section)
-zz strings (from raw bins [e bin.rawstr=1])
-zzz dump raw strings to stdout (for huge files)
-Z guess size of binary program
Environment:
RABIN2_LANG: e bin.lang # assume lang for demangling
RABIN2_NOPLUGINS: # do not load shared plugins (speedup loading)
RABIN2_DEMANGLE=0:e bin.demangle # do not demangle symbols
RABIN2_MAXSTRBUF: e bin.maxstrbuf # specify maximum buffer size
RABIN2_STRFILTER: e bin.str.filter # r2 -qc 'e bin.str.filter=??' -
RABIN2_STRPURGE: e bin.str.purge # try to purge false positives
RABIN2_DEBASE64: e bin.debase64 # try to debase64 all strings
RABIN2_DMNGLRCMD: e bin.demanglercmd # try to purge false positives
RABIN2_PDBSERVER: e pdb.server # use alternative PDB server
RABIN2_SYMSTORE: e pdb.symstore # path to downstream symbol store
RABIN2_PREFIX: e bin.prefix # prefix symbols/sections/relocs with a specific string
$
```