From 81a2d20326ea78eebc43825eee5804880f586d4d Mon Sep 17 00:00:00 2001 From: firmianay Date: Thu, 28 Sep 2017 14:13:00 +0800 Subject: [PATCH] add radare2 --- doc/2.5_radare2.md | 357 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 357 insertions(+) diff --git a/doc/2.5_radare2.md b/doc/2.5_radare2.md index 969dc43..cf79a0f 100644 --- a/doc/2.5_radare2.md +++ b/doc/2.5_radare2.md 
@@ -1 +1,358 @@
 # 2.4 Radare2
+
+- [简介](#简介)
+- [安装](#安装)
+- [基本使用方法](#基本使用方法)
+- [在 CTF 中的运用](#在-ctf-中的运用)
+
+
+## 简介
+IDA Pro 昂贵的价格令很多二进制爱好者望而却步,于是在开源世界中催生出了一个新的逆向工程框架——Radare2,它拥有非常强大的功能,包括反汇编、调试、打补丁、虚拟化等等,而且可以运行在几乎所有的主流平台上(GNU/Linux、Windows、BSD、iOS、OSX……)。Radare2 开发之初仅提供了基于命令行的操作,尽管现在也有非官方的GUI,但我更喜欢直接在终端上运行它,当然这也就意味着更高陡峭的学习曲线。Radare2 是由一系列的组件构成的,这些组件赋予了 Radare2 强大的分析能力,可以在 Radare2 中或者单独被使用。
+
+这里是 Radare2 与其他二进制分析工具的对比。([Comparison Table](http://rada.re/r/cmp.html))
+
+
+## 安装
+#### 安装
+```
+$ git clone https://github.com/radare/radare2.git
+$ cd radare2
+$ ./sys/install.sh
+```
+
+#### 更新
+```
+$ ./sys/install.sh
+```
+
+#### 卸载
+```
+$ make uninstall
+$ make purge
+```
+
+
+## 基本使用方法
+#### 小工具
+Radare2 是由一些命令行小工具组成的:
+- radare2:十六进制编辑器和调试器的核心。
+- rabin2:从可执行二进制文件中提取信息。
+- rasm2:汇编和反汇编。
+- rahash2:基于块的哈希工具。
+- radiff2:二进制文件或代码差异比对。
+- rafind2:查找字节模式。
+- ragg2:r_egg 的前端,将以简单高级语言编写的程序编译成x86、x86-64和ARM的二进制文件。
+- rarun2:用于在不同环境中运行程序。
+- rax2:数据格式转换。
+
+#### radare2/r2
+```
+$ r2 -h
+Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
+ [-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|=
+ -- run radare2 without opening any file
+ - same as 'r2 malloc://512'
+ = read file from stdin (use -i and -c to run cmds)
+ -= perform !=! command to run all commands remotely
+ -0 print \x00 after init and every command
+ -a [arch] set asm.arch
+ -A run 'aaa' command to analyze all referenced code
+ -b [bits] set asm.bits
+ -B [baddr] set base address for PIE binaries
+ -c 'cmd..' 
execute radare command
+ -C file is host:port (alias for -c+=http://%s/cmd/)
+ -d debug the executable 'file' or running process 'pid'
+ -D [backend] enable debug mode (e cfg.debug=true)
+ -e k=v evaluate config var
+ -f block size = file size
+ -F [binplug] force to use that rbin plugin
+ -h, -hh show help message, -hh for long
+ -H ([var]) display variable
+ -i [file] run script file
+ -I [file] run script file before the file is opened
+ -k [k=v] perform sdb query into core->sdb
+ -l [lib] load plugin file
+ -L list supported IO plugins
+ -m [addr] map file at given address (loadaddr)
+ -M do not demangle symbol names
+ -n, -nn do not load RBin info (-nn only load bin structures)
+ -N do not load user settings and scripts
+ -o [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
+ -q quiet mode (no prompt) and quit after -i
+ -p [prj] use project, list if no arg, load if no file
+ -P [file] apply rapatch file and quit
+ -R [rarun2] specify rarun2 profile to load (same as -e dbg.profile=X)
+ -s [addr] initial seek
+ -S start r2 in sandbox mode
+ -t load rabin2 info in thread
+ -u set bin.filter=false to get raw sym/sec/cls names
+ -v, -V show radare2 version (-V show lib versions)
+ -w open file in write mode
+ -X [rr2rule] specify custom rarun2 directive
+ -z, -zz do not load strings or load them even in raw
+```
+
+#### rabin2
+```
+$ rabin2 -h
+Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
+ [-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
+ [-o str] [-O str] [-k query] [-D lang symname] | file
+ -@ [addr] show section, symbol or import at addr
+ -A list sub-binaries and their arch-bits pairs
+ -a [arch] set arch (x86, arm, .. or _)
+ -b [bits] set bits (32, 64 ...) 
+ -B [addr] override base address (pie bins)
+ -c list classes
+ -C [fmt:C:D] create [elf,mach0,pe] with Code and Data hexpairs (see -a)
+ -d show debug/dwarf information
+ -D lang name demangle symbol name (-D all for bin.demangle=true)
+ -e entrypoint
+ -E globally exportable symbols
+ -f [str] select sub-bin named str
+ -F [binfmt] force to use that bin plugin (ignore header check)
+ -g same as -SMZIHVResizcld (show all info)
+ -G [addr] load address . offset to header
+ -h this help message
+ -H header fields
+ -i imports (symbols imported from libraries)
+ -I binary info
+ -j output in json
+ -k [sdb-query] run sdb query. for example: '*'
+ -K [algo] calculate checksums (md5, sha1, ..)
+ -l linked libraries
+ -L [plugin] list supported bin plugins or plugin details
+ -m [addr] show source line at addr
+ -M main (show address of main symbol)
+ -n [str] show section, symbol or import named str
+ -N [min:max] force min:max number of chars per string (see -z and -zz)
+ -o [str] output file/folder for write operations (out by default)
+ -O [str] write/extract operations (-O help)
+ -p show physical addresses
+ -P show debug/pdb information
+ -PP download pdb file for binary
+ -q be quiet, just show fewer data
+ -qq show less info (no offset/size for -z for ex.)
+ -Q show load address used by dlopen (non-aslr libs)
+ -r radare output
+ -R relocations
+ -s symbols
+ -S sections
+ -u unfiltered (no rename duplicated symbols/sections)
+ -v display version and quit
+ -V Show binary version information
+ -x extract bins contained in file
+ -X [fmt] [f] .. 
package in fat or zip the given files and bins contained in file
+ -z strings (from data section)
+ -zz strings (from raw bins [e bin.rawstr=1])
+ -zzz dump raw strings to stdout (for huge files)
+ -Z guess size of binary program
+```
+
+
+#### rasm2
+```
+$ rasm2 -h
+Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
+ [-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
+ -a [arch] Set architecture to assemble/disassemble (see -L)
+ -A Show Analysis information from given hexpairs
+ -b [bits] Set cpu register size (8, 16, 32, 64) (RASM2_BITS)
+ -c [cpu] Select specific CPU (depends on arch)
+ -C Output in C format
+ -d, -D Disassemble from hexpair bytes (-D show hexpairs)
+ -e Use big endian instead of little endian
+ -E Display ESIL expression (same input as in -d)
+ -f [file] Read data from file
+ -F [in:out] Specify input and/or output filters (att2intel, x86.pseudo, ...)
+ -h, -hh Show this help, -hh for long
+ -i [len] ignore/skip N bytes of the input buffer
+ -k [kernel] Select operating system (linux, windows, darwin, ..)
+ -l [len] Input/Output length
+ -L List Asm plugins: (a=asm, d=disasm, A=analyze, e=ESIL)
+ -o [offset] Set start address for code (default 0)
+ -O [file] Output file name (rasm2 -Bf a.asm -O a)
+ -p Run SPP over input for assembly
+ -s [syntax] Select syntax (intel, att)
+ -B Binary input/output (-l is mandatory for binary input)
+ -v Show version information
+ -w What's this instruction for? describe opcode
+ -q quiet mode
+```
+
+#### rahash2
+```
+$ rahash2 -h
+Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
+ -a algo comma separated list of algorithms (default is 'sha256')
+ -b bsize specify the size of the block (instead of full file)
+ -B show per-block hash
+ -c hash compare with this hash
+ -e swap endian (use little endian)
+ -E algo encrypt. Use -S to set key and -I to set IV
+ -D algo decrypt. 
Use -S to set key and -I to set IV
+ -f from start hashing at given address
+ -i num repeat hash N iterations
+ -I iv use give initialization vector (IV) (hexa or s:string)
+ -S seed use given seed (hexa or s:string) use ^ to prefix (key for -E)
+ (- will slurp the key from stdin, the @ prefix points to a file
+ -k show hash using the openssh's randomkey algorithm
+ -q run in quiet mode (-qq to show only the hash)
+ -L list all available algorithms (see -a)
+ -r output radare commands
+ -s string hash this string instead of files
+ -t to stop hashing at given address
+ -x hexstr hash this hexpair string instead of files
+ -v show version information
+```
+
+#### radiff2
+```
+$ radiff2 -h
+Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file]
+ -a [arch] specify architecture plugin to use (x86, arm, ..)
+ -A [-A] run aaa or aaaa after loading each binary (see -C)
+ -b [bits] specify register size for arch (16 (thumb), 32, 64, ..)
+ -c count of changes
+ -C graphdiff code (columns: off-A, match-ratio, off-B) (see -A)
+ -d use delta diffing
+ -D show disasm instead of hexpairs
+ -e [k=v] set eval config var value for all RCore instances
+ -g [sym|off1,off2] graph diff of given symbol, or between two offsets
+ -G [cmd] run an r2 command on every RCore instance created
+ -i diff imports of target files (see -u, -U and -z)
+ -j output in json format
+ -n print bare addresses only (diff.bare=1)
+ -O code diffing with opcode bytes only
+ -p use physical addressing (io.va=0)
+ -q quiet mode (disable colors, reduce output)
+ -r output in radare commands
+ -s compute text distance
+ -ss compute text distance (using levenstein algorithm)
+ -S [name] sort code diff (name, namelen, addr, size, type, dist) (only for -C or -g)
+ -t [0-100] set threshold for code diff (default is 70%)
+ -x show two column hexdump diffing
+ -u unified output (---+++)
+ -U unified output using system 'diff'
+ -v show version information
+ -V be verbose (current only for -s)
+ -z 
diff on extracted strings
+```
+
+#### rafind2
+```
+$ rafind2 -h
+Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x hex] file ..
+ -a [align] only accept aligned hits
+ -b [size] set block size
+ -e [regex] search for regular expression string matches
+ -f [from] start searching from address 'from'
+ -h show this help
+ -m magic search, file-type carver
+ -M [str] set a binary mask to be applied on keywords
+ -n do not stop on read errors
+ -r print using radare commands
+ -s [str] search for a specific string (can be used multiple times)
+ -S [str] search for a specific wide string (can be used multiple times)
+ -t [to] stop search at address 'to'
+ -v print version and exit
+ -x [hex] search for hexpair string (909090) (can be used multiple times)
+ -X show hexdump of search results
+ -z search for zero-terminated strings
+ -Z show string found on each search hit
+```
+
+#### ragg2
+```
+$ ragg2 -h
+Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
+ [-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off]
+ [-q off] [-dDw off:hex] file|f.asm|-
+ -a [arch] select architecture (x86, mips, arm)
+ -b [bits] register size (32, 64, ..)
+ -B [hexpairs] append some hexpair bytes
+ -c [k=v] set configuration options
+ -C [file] append contents of file
+ -d [off:dword] patch dword (4 bytes) at given offset
+ -D [off:qword] patch qword (8 bytes) at given offset
+ -e [encoder] use specific encoder. see -L
+ -f [format] output format (raw, pe, elf, mach0)
+ -F output native format (osx=mach0, linux=elf, ..)
+ -h show this help
+ -i [shellcode] include shellcode plugin, uses options. 
see -L
+ -I [path] add include path
+ -k [os] operating system's kernel (linux,bsd,osx,w32)
+ -L list all plugins (shellcodes and encoders)
+ -n [dword] append 32bit number (4 bytes)
+ -N [dword] append 64bit number (8 bytes)
+ -o [file] output file
+ -O use default output file (filename without extension or a.out)
+ -p [padding] add padding after compilation (padding=n10s32)
+ ntas : begin nop, trap, 'a', sequence
+ NTAS : same as above, but at the end
+ -P [size] prepend debruijn pattern
+ -q [fragment] debruijn pattern offset
+ -r show raw bytes instead of hexpairs
+ -s show assembler
+ -v show version
+ -w [off:hex] patch hexpairs at given offset
+ -x execute
+ -z output in C string syntax
+```
+
+#### rarun2
+```
+$ rarun2 -h
+Usage: rarun2 -v|-t|script.rr2 [directive ..]
+```
+
+#### rax2
+```
+$ rax2 -h
+Usage: rax2 [options] [expr ...]
+ =[base] ; rax2 =10 0x46 -> output in base 10
+ int -> hex ; rax2 10
+ hex -> int ; rax2 0xa
+ -int -> hex ; rax2 -77
+ -hex -> int ; rax2 0xffffffb3
+ int -> bin ; rax2 b30
+ int -> ternary ; rax2 t42
+ bin -> int ; rax2 1010d
+ float -> hex ; rax2 3.33f
+ hex -> float ; rax2 Fx40551ed8
+ oct -> hex ; rax2 35o
+ hex -> oct ; rax2 Ox12 (O is a letter)
+ bin -> hex ; rax2 1100011b
+ hex -> bin ; rax2 Bx63
+ hex -> ternary ; rax2 Tx23
+ raw -> hex ; rax2 -S < /binfile
+ hex -> raw ; rax2 -s 414141
+ -b bin -> str ; rax2 -b 01000101 01110110
+ -B str -> bin ; rax2 -B hello
+ -d force integer ; rax2 -d 3 -> 3 instead of 0x3
+ -e swap endianness ; rax2 -e 0x33
+ -D base64 decode ;
+ -E base64 encode ;
+ -f floating point ; rax2 -f 6.3+2.1
+ -F stdin slurp C hex ; rax2 -F < shellcode.c
+ -h help ; rax2 -h
+ -k keep base ; rax2 -k 33+3 -> 36
+ -K randomart ; rax2 -K 0x34 1020304050
+ -n binary number ; rax2 -n 0x1234 # 34120000
+ -N binary number ; rax2 -N 0x1234 # \x34\x12\x00\x00
+ -r r2 style output ; rax2 -r 0x1234
+ -s hexstr -> raw ; rax2 -s 43 4a 50
+ -S raw -> hexstr ; rax2 -S < /bin/ls > ls.hex
+ -t tstamp -> str ; rax2 -t 
1234567890
+ -x hash string ; rax2 -x linux osx
+ -u units ; rax2 -u 389289238 # 317.0M
+ -w signed word ; rax2 -w 16 0xffff
+ -v version ; rax2 -v
+```
+
+
+## 在 CTF 中的运用
+
+## 更多资源
+- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
+- [Radare2 intro](https://github.com/radare/radare2/blob/master/doc/intro.md)