add radare2

This commit is contained in:
firmianay 2017-09-28 14:13:00 +08:00
parent e355aa523f
commit 81a2d20326

View File

@ -1 +1,358 @@
# 2.4 Radare2 # 2.4 Radare2
- [简介](#简介)
- [安装](#安装)
- [基本使用方法](#基本使用方法)
- [在 CTF 中的运用](#在-ctf-中的运用)
## 简介
IDA Pro 昂贵的价格令很多二进制爱好者望而却步于是在开源世界中催生出了一个新的逆向工程框架——Radare2它拥有非常强大的功能包括反汇编、调试、打补丁、虚拟化等等而且可以运行在几乎所有的主流平台上GNU/Linux、Windows、BSD、iOS、OSX……。Radare2 开发之初仅提供了基于命令行的操作尽管现在也有非官方的GUI但我更喜欢直接在终端上运行它当然这也就意味着更高陡峭的学习曲线。Radare2 是由一系列的组件构成的这些组件赋予了 Radare2 强大的分析能力,可以在 Radare2 中或者单独被使用。
这里是 Radare2 与其他二进制分析工具的对比。([Comparison Table](http://rada.re/r/cmp.html)
## 安装
#### 安装
```
$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh
```
#### 更新
```
$ ./sys/install.sh
```
#### 卸载
```
$ make uninstall
$ make purge
```
## 基本使用方法
#### 小工具
Radare2 是由一些命令行小工具组成的:
- radare2十六进制编辑器和调试器的核心。
- rabin2从可执行二进制文件中提取信息。
- rasm2汇编和反汇编。
- rahash2基于块的哈希工具。
- radiff2二进制文件或代码差异比对。
- rafind2查找字节模式。
- ragg2r_egg 的前端将以简单高级语言编写的程序编译成x86、x86-64和ARM的二进制文件。
- rarun2用于在不同环境中运行程序。
- rax2数据格式转换。
#### radare2/r2
```
$ r2 -h
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
[-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|=
-- run radare2 without opening any file
- same as 'r2 malloc://512'
= read file from stdin (use -i and -c to run cmds)
-= perform !=! command to run all commands remotely
-0 print \x00 after init and every command
-a [arch] set asm.arch
-A run 'aaa' command to analyze all referenced code
-b [bits] set asm.bits
-B [baddr] set base address for PIE binaries
-c 'cmd..' execute radare command
-C file is host:port (alias for -c+=http://%s/cmd/)
-d debug the executable 'file' or running process 'pid'
-D [backend] enable debug mode (e cfg.debug=true)
-e k=v evaluate config var
-f block size = file size
-F [binplug] force to use that rbin plugin
-h, -hh show help message, -hh for long
-H ([var]) display variable
-i [file] run script file
-I [file] run script file before the file is opened
-k [k=v] perform sdb query into core->sdb
-l [lib] load plugin file
-L list supported IO plugins
-m [addr] map file at given address (loadaddr)
-M do not demangle symbol names
-n, -nn do not load RBin info (-nn only load bin structures)
-N do not load user settings and scripts
-o [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
-q quiet mode (no prompt) and quit after -i
-p [prj] use project, list if no arg, load if no file
-P [file] apply rapatch file and quit
-R [rarun2] specify rarun2 profile to load (same as -e dbg.profile=X)
-s [addr] initial seek
-S start r2 in sandbox mode
-t load rabin2 info in thread
-u set bin.filter=false to get raw sym/sec/cls names
-v, -V show radare2 version (-V show lib versions)
-w open file in write mode
-X [rr2rule] specify custom rarun2 directive
-z, -zz do not load strings or load them even in raw
```
#### rabin2
```
$ rabin2 -h
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
[-o str] [-O str] [-k query] [-D lang symname] | file
-@ [addr] show section, symbol or import at addr
-A list sub-binaries and their arch-bits pairs
-a [arch] set arch (x86, arm, .. or <arch>_<bits>)
-b [bits] set bits (32, 64 ...)
-B [addr] override base address (pie bins)
-c list classes
-C [fmt:C:D] create [elf,mach0,pe] with Code and Data hexpairs (see -a)
-d show debug/dwarf information
-D lang name demangle symbol name (-D all for bin.demangle=true)
-e entrypoint
-E globally exportable symbols
-f [str] select sub-bin named str
-F [binfmt] force to use that bin plugin (ignore header check)
-g same as -SMZIHVResizcld (show all info)
-G [addr] load address . offset to header
-h this help message
-H header fields
-i imports (symbols imported from libraries)
-I binary info
-j output in json
-k [sdb-query] run sdb query. for example: '*'
-K [algo] calculate checksums (md5, sha1, ..)
-l linked libraries
-L [plugin] list supported bin plugins or plugin details
-m [addr] show source line at addr
-M main (show address of main symbol)
-n [str] show section, symbol or import named str
-N [min:max] force min:max number of chars per string (see -z and -zz)
-o [str] output file/folder for write operations (out by default)
-O [str] write/extract operations (-O help)
-p show physical addresses
-P show debug/pdb information
-PP download pdb file for binary
-q be quiet, just show fewer data
-qq show less info (no offset/size for -z for ex.)
-Q show load address used by dlopen (non-aslr libs)
-r radare output
-R relocations
-s symbols
-S sections
-u unfiltered (no rename duplicated symbols/sections)
-v display version and quit
-V Show binary version information
-x extract bins contained in file
-X [fmt] [f] .. package in fat or zip the given files and bins contained in file
-z strings (from data section)
-zz strings (from raw bins [e bin.rawstr=1])
-zzz dump raw strings to stdout (for huge files)
-Z guess size of binary program
```
#### rasm2
```
$ rasm2 -h
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
[-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
-a [arch] Set architecture to assemble/disassemble (see -L)
-A Show Analysis information from given hexpairs
-b [bits] Set cpu register size (8, 16, 32, 64) (RASM2_BITS)
-c [cpu] Select specific CPU (depends on arch)
-C Output in C format
-d, -D Disassemble from hexpair bytes (-D show hexpairs)
-e Use big endian instead of little endian
-E Display ESIL expression (same input as in -d)
-f [file] Read data from file
-F [in:out] Specify input and/or output filters (att2intel, x86.pseudo, ...)
-h, -hh Show this help, -hh for long
-i [len] ignore/skip N bytes of the input buffer
-k [kernel] Select operating system (linux, windows, darwin, ..)
-l [len] Input/Output length
-L List Asm plugins: (a=asm, d=disasm, A=analyze, e=ESIL)
-o [offset] Set start address for code (default 0)
-O [file] Output file name (rasm2 -Bf a.asm -O a)
-p Run SPP over input for assembly
-s [syntax] Select syntax (intel, att)
-B Binary input/output (-l is mandatory for binary input)
-v Show version information
-w What's this instruction for? describe opcode
-q quiet mode
```
#### rahash2
```
$ rahash2 -h
Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
-a algo comma separated list of algorithms (default is 'sha256')
-b bsize specify the size of the block (instead of full file)
-B show per-block hash
-c hash compare with this hash
-e swap endian (use little endian)
-E algo encrypt. Use -S to set key and -I to set IV
-D algo decrypt. Use -S to set key and -I to set IV
-f from start hashing at given address
-i num repeat hash N iterations
-I iv use give initialization vector (IV) (hexa or s:string)
-S seed use given seed (hexa or s:string) use ^ to prefix (key for -E)
(- will slurp the key from stdin, the @ prefix points to a file
-k show hash using the openssh's randomkey algorithm
-q run in quiet mode (-qq to show only the hash)
-L list all available algorithms (see -a)
-r output radare commands
-s string hash this string instead of files
-t to stop hashing at given address
-x hexstr hash this hexpair string instead of files
-v show version information
```
#### radiff2
```
$ radiff2 -h
Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file]
-a [arch] specify architecture plugin to use (x86, arm, ..)
-A [-A] run aaa or aaaa after loading each binary (see -C)
-b [bits] specify register size for arch (16 (thumb), 32, 64, ..)
-c count of changes
-C graphdiff code (columns: off-A, match-ratio, off-B) (see -A)
-d use delta diffing
-D show disasm instead of hexpairs
-e [k=v] set eval config var value for all RCore instances
-g [sym|off1,off2] graph diff of given symbol, or between two offsets
-G [cmd] run an r2 command on every RCore instance created
-i diff imports of target files (see -u, -U and -z)
-j output in json format
-n print bare addresses only (diff.bare=1)
-O code diffing with opcode bytes only
-p use physical addressing (io.va=0)
-q quiet mode (disable colors, reduce output)
-r output in radare commands
-s compute text distance
-ss compute text distance (using levenstein algorithm)
-S [name] sort code diff (name, namelen, addr, size, type, dist) (only for -C or -g)
-t [0-100] set threshold for code diff (default is 70%)
-x show two column hexdump diffing
-u unified output (---+++)
-U unified output using system 'diff'
-v show version information
-V be verbose (current only for -s)
-z diff on extracted strings
```
#### rafind2
```
$ rafind2 -h
Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x hex] file ..
-a [align] only accept aligned hits
-b [size] set block size
-e [regex] search for regular expression string matches
-f [from] start searching from address 'from'
-h show this help
-m magic search, file-type carver
-M [str] set a binary mask to be applied on keywords
-n do not stop on read errors
-r print using radare commands
-s [str] search for a specific string (can be used multiple times)
-S [str] search for a specific wide string (can be used multiple times)
-t [to] stop search at address 'to'
-v print version and exit
-x [hex] search for hexpair string (909090) (can be used multiple times)
-X show hexdump of search results
-z search for zero-terminated strings
-Z show string found on each search hit
```
#### ragg2
```
$ ragg2 -h
Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
[-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off]
[-q off] [-dDw off:hex] file|f.asm|-
-a [arch] select architecture (x86, mips, arm)
-b [bits] register size (32, 64, ..)
-B [hexpairs] append some hexpair bytes
-c [k=v] set configuration options
-C [file] append contents of file
-d [off:dword] patch dword (4 bytes) at given offset
-D [off:qword] patch qword (8 bytes) at given offset
-e [encoder] use specific encoder. see -L
-f [format] output format (raw, pe, elf, mach0)
-F output native format (osx=mach0, linux=elf, ..)
-h show this help
-i [shellcode] include shellcode plugin, uses options. see -L
-I [path] add include path
-k [os] operating system's kernel (linux,bsd,osx,w32)
-L list all plugins (shellcodes and encoders)
-n [dword] append 32bit number (4 bytes)
-N [dword] append 64bit number (8 bytes)
-o [file] output file
-O use default output file (filename without extension or a.out)
-p [padding] add padding after compilation (padding=n10s32)
ntas : begin nop, trap, 'a', sequence
NTAS : same as above, but at the end
-P [size] prepend debruijn pattern
-q [fragment] debruijn pattern offset
-r show raw bytes instead of hexpairs
-s show assembler
-v show version
-w [off:hex] patch hexpairs at given offset
-x execute
-z output in C string syntax
```
#### rarun2
```
$ rarun2 -h
Usage: rarun2 -v|-t|script.rr2 [directive ..]
```
#### rax2
```
$ rax2 -h
Usage: rax2 [options] [expr ...]
=[base] ; rax2 =10 0x46 -> output in base 10
int -> hex ; rax2 10
hex -> int ; rax2 0xa
-int -> hex ; rax2 -77
-hex -> int ; rax2 0xffffffb3
int -> bin ; rax2 b30
int -> ternary ; rax2 t42
bin -> int ; rax2 1010d
float -> hex ; rax2 3.33f
hex -> float ; rax2 Fx40551ed8
oct -> hex ; rax2 35o
hex -> oct ; rax2 Ox12 (O is a letter)
bin -> hex ; rax2 1100011b
hex -> bin ; rax2 Bx63
hex -> ternary ; rax2 Tx23
raw -> hex ; rax2 -S < /binfile
hex -> raw ; rax2 -s 414141
-b bin -> str ; rax2 -b 01000101 01110110
-B str -> bin ; rax2 -B hello
-d force integer ; rax2 -d 3 -> 3 instead of 0x3
-e swap endianness ; rax2 -e 0x33
-D base64 decode ;
-E base64 encode ;
-f floating point ; rax2 -f 6.3+2.1
-F stdin slurp C hex ; rax2 -F < shellcode.c
-h help ; rax2 -h
-k keep base ; rax2 -k 33+3 -> 36
-K randomart ; rax2 -K 0x34 1020304050
-n binary number ; rax2 -n 0x1234 # 34120000
-N binary number ; rax2 -N 0x1234 # \x34\x12\x00\x00
-r r2 style output ; rax2 -r 0x1234
-s hexstr -> raw ; rax2 -s 43 4a 50
-S raw -> hexstr ; rax2 -S < /bin/ls > ls.hex
-t tstamp -> str ; rax2 -t 1234567890
-x hash string ; rax2 -x linux osx
-u units ; rax2 -u 389289238 # 317.0M
-w signed word ; rax2 -w 16 0xffff
-v version ; rax2 -v
```
## 在 CTF 中的运用
## 更多资源
- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
- [Radare2 intro](https://github.com/radare/radare2/blob/master/doc/intro.md)