mirror of https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2025-01-27 05:57:33 +07:00

fix 2.5

parent c84ccf50a6
commit a5ada05f5d
@ -22,6 +22,7 @@
- [视图模式](#视图模式)
- [Web 界面使用](#web-界面使用)
- [在 CTF 中的运用](#在-ctf-中的运用)
- [更多资源](#更多资源)


## 简介
@ -108,6 +109,12 @@ Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
-X [rr2rule] specify custom rarun2 directive
-z, -zz do not load strings or load them even in raw
```
参数很多,这里最重要是 `file`。如果你想 attach 到一个进程上,则使用 `pid`。常用参数如下:
- `-A`:相当于在交互界面输入了 `aaa`。
- `-c`:运行 radare 命令。(`r2 -A -q -c 'iI~pic' file`)
- `-d`:调试二进制文件或进程。
- `-a`,`-b`,`-o`:分别指定体系结构、位数和操作系统,通常是自动的,但也可以手动指定。
- `-w`:使用可写模式打开。

#### rabin2
```text
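Review bot: the `-c` bullet's example `r2 -A -q -c 'iI~pic' file` depends on `-q` to exit after the command runs, but `-q` is not in the list; suggest adding a bullet for `-q` (quiet mode, quit after running the `-c`/`-i` commands) or explaining it inside the `-c` bullet so the example is self-explanatory.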
@ -569,11 +576,13 @@ Prefix with number to repeat command N times (f.ex: 3x)
```text
[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ...
```
如果你对 *nix shell, sed, awk 等比较熟悉的话,也可以帮助你很快掌握 radare2 命令。
- 在任意字符命令后面加上 `?` 可以获得关于该命令更多的细节。如 `a?`、`p?`、`!?`、`@?`。
- 当命令以数字开头时表示重复运行的次数。如 `3x`。
- `!` 单独使用可以显示命令使用历史记录。
- `;` 是命令分隔符,可以在一行上运行多个命令。如 `px 10; pd 20`。
- `..` 重复运行上一条命令,使用回车键也一样。
- `/` 用于在文件中进行搜索操作。
- 以 `!` 开头可以运行 shell 命令。用法:`!<cmd>`。
- `!ls`
- `|` 是管道符。用法:`<r2command> | <program|H|>`。
@ -584,12 +593,14 @@ Prefix with number to repeat command N times (f.ex: 3x)
- `pi~mov&eax` 匹配 mov 和 eax 都有的行
- `i~0x400$` 匹配以 0x400 结尾的行
- `???` 可以获得以 `?` 开头的命令的细节
- `?` 可以做各种进制和格式的快速转换。如 `? 1234`
- `?p vaddr` 获得虚拟地址 vaddr 的物理地址
- `?P paddr` 获得物理地址 paddr 的虚拟地址
- `?v` 以十六进制的形式显示某数学表达式的结果。如 `?v eip-0x804800`。
- `?l str` 获得 str 的长度,结果被临时保存,使用 `?v` 可输出结果。
- `@@` foreach 迭代器,在列出的偏移处重复执行命令。
- `wx ff @@ 10 20 30` 在偏移 10、20、30 处写入 ff
- `p8 4 @@ fcn.*` 打印处每个函数的头 4 个字节
- `?$?` 可以显示表达式所使用变量的帮助信息。用法:`?v [$.]`。
- `$$` 是当前所处的虚拟地址
- `$?` 是最后一个运算的值
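Review bot: typo in the `p8 4 @@ fcn.*` line: "打印处" should be "打印出". Also, the `?l str` bullet says the result is saved temporarily and shown with `?v`, and `$?` is introduced two bullets later as the value of the last operation; writing the exact command (presumably `?v $?`) would save the reader from guessing which variable holds the length.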
@ -600,7 +611,29 @@ Prefix with number to repeat command N times (f.ex: 3x)
- `$f` 跳转失败地址。即当前跳转没有生效,`$f` 中保存下一条指令的地址
- `$m` 操作码内存引用。如:`mov eax,[0x10] => 0x10`

默认情况下,执行的每条命令都有一个参考点,通常是内存中的当前位置,由命令前的十六进制数字指示。任何的打印、写入或分析命令都在当前位置执行。例如反汇编当前位置的一条指令:
```
[0x00005060]> pd 1
;-- entry0:
;-- rip:
0x00005060 31ed xor ebp, ebp
```
block size 是在我们没有指定行数的时候使用的默认值,输入 `b` 即可看到,使用 `b [num]` 修改字节数,这时使用打印命令如 `pd` 时,将反汇编相应字节的指令。
```
[0x00005060]> b
0x100
[0x00005060]> b 10
[0x00005060]> b
0xa
[0x00005060]> pd
;-- entry0:
;-- rip:
0x00005060 31ed xor ebp, ebp
0x00005062 4989d1 mov r9, rdx
```

#### 分析(analyze)
所有与分析有关的命令都以 `a` 开头:
```text
[0x00000000]> a?
|Usage: a[abdefFghoprxstc] [...]
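Review bot: the two new transcript fences are bare ``` while the rest of this file tags them ```text; please add the tag for consistency. Also, in the block-size example `b` is set to 0xa but the `pd` output lists only two instructions (`31ed` and `4989d1`, 5 bytes in total), so either the capture or the sentence "将反汇编相应字节的指令" should be rechecked before merging.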
@ -647,6 +680,7 @@ Prefix with number to repeat command N times (f.ex: 3x)
```

#### Flags
flag 用于将给定的偏移与名称相关联,flag 被分为几个 flag spaces,用于存放不同的 flag。
```text
[0x00000000]> f?
|Usage: f [?] [flagname] # Manage offset-name flags
@ -689,8 +723,32 @@ Prefix with number to repeat command N times (f.ex: 3x)
| fx[d] show hexdump (or disasm) of flag:flagsize
| fz[?][name] add named flag zone -name to delete. see fz?[name]
```
常见用法:
- `f flag_name @ addr`:给地址 addr 创建一个 flag,当不指定地址时则默认指定当前地址。
- `f-flag_name`:删除flag。
- `fs`:管理命名空间。
```
[0x00005060]> fs?
|Usage: fs [*] [+-][flagspace|addr] # Manage flagspaces
| fs display flagspaces
| fs* display flagspaces as r2 commands
| fsj display flagspaces in JSON
| fs * select all flagspaces
| fs flagspace select flagspace or create if it doesn't exist
| fs-flagspace remove flagspace
| fs-* remove all flagspaces
| fs+foo push previous flagspace and set
| fs- pop to the previous flagspace
| fs-. remove the current flagspace
| fsm [addr] move flags at given address to the current flagspace
| fss display flagspaces stack
| fss* display flagspaces stack in r2 commands
| fssj display flagspaces stack in JSON
| fsr newname rename selected flagspace
```

#### 定位(seeking)
使用 `s` 命令可以改变当前位置:
```text
[0x00000000]> s?
|Usage: s # Seek commands
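Review bot: "删除flag" in the `f-flag_name` bullet lacks the space before the Latin word that the surrounding text uses ("创建一个 flag"), and the `fs` bullet calls them 命名空间 while the help block right below calls them flagspaces, so "管理 flagspace" would match the tool's own terminology. The `fs?` fence is also untagged, unlike the ```text fences elsewhere in the file.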
@ -719,6 +777,9 @@ Prefix with number to repeat command N times (f.ex: 3x)
| sr pc Seek to register
| ss Seek silently (without adding an entry to the seek history)
```
- `s+`,`s-`:重复或撤销。
- `s+ n`,`s- n`:定位到当前位置向前或向后 n 字节的位置。
- `s/ DATA`:定位到下一个出现 DATA 的位置。

#### 信息(information)
```text
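Review bot: "重复或撤销" for `s+`,`s-` reads as repeat/undo; these are the redo and undo of the seek history (`s-` undoes the last seek, `s+` redoes it), so "重做或撤销" with the order matching `s+`,`s-` would be clearer. The `s+ n`,`s- n` bullet is fine as written.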
@ -758,6 +819,48 @@ Prefix with number to repeat command N times (f.ex: 3x)
| izz Search for Strings in the whole binary
| iZ Guess size of binary program
```
`i` 系列命令用于获取文件的各种信息,这时配合上 `~` 命令来获得精确的输出,下面是一个类似 checksec 的输出:
```
[0x00005060]> iI ~relro,canary,nx,pic,rpath
canary true
nx true
pic true
relro full
rpath NONE
```
`~` 命令还有一些其他的用法,如获取某一行某一列等,另外使用 `~{}` 可以使 json 的输出更好看:
```text
[0x00005060]> ~?
|Usage: [command]~[modifier][word,word][endmodifier][[column]][:line]
modifier:
| & all words must match to grep the line
| $[n] sort numerically / alphabetically the Nth column
| + case insensitive grep (grep -i)
| ^ words must be placed at the beginning of line
| ! negate grep
| ? count number of matching lines
| ?. count number chars
| ?? show this help message
| :[s]-[e] show lines s-e
| .. internal 'less'
| ... internal 'hud' (like V_)
| {} json indentation
| {path} json grep
| {}.. less json indentation
| endmodifier:
| $ words must be placed at the end of line
| column:
| [n] show only column n
| [n-m] show column n to m
| [n-] show all columns starting from column n
| [i,j,k] show the columns i, j and k
| Examples:
| i~:0 show first line of 'i' output
| i~:-2 show first three lines of 'i' output
| pd~mov disasm and grep for mov
| pi~[0] show only opcode
| i~0x400$ show lines ending with 0x400
```

#### 打印(print) & 反汇编(disassembling)
```text
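Review bot: the text calls `~` a 命令, but the help shown in this same hunk (`[command]~[modifier][word,word]...`) presents it as a grep filter applied to another command's output, so "`~` 过滤器" would be more accurate. It is also worth one sentence that a comma-separated list such as `iI ~relro,canary,nx,pic,rpath` keeps lines matching any of the words, whereas the `&` modifier listed under `modifier:` requires all of them. The `iI` fence is missing the ```text tag used elsewhere.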
@ -791,6 +894,12 @@ Prefix with number to repeat command N times (f.ex: 3x)
| pz[?] [len] print zoom view (see pz? for help)
| pwd display current working directory
```
常用参数如下:
- `px`:输出十六进制数、偏移和原始数据。后跟 `o`,`w`,`q` 时分别表示8位、32位和64位。
- `p8`:输出8位的字节流。
- `ps`:输出字符串。

radare2 中反汇编操作是隐藏在打印操作中的,即使用 `pd`:
```text
[0x00000000]> pd?
|Usage: p[dD][ajbrfils] [sz] [arch] [bits] # Print Disassembly
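Review bot: in the `px` bullet the suffix `o` is described as an 8-bit dump; in r2's `px?` help `pxo` is the octal dump, while plain `px` already dumps single bytes, so drop `o` and keep `w` (32-bit words) and `q` (64-bit quad-words). "分别表示8位、32位和64位" also lacks the spaces around the numerals that the rest of the file uses.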
@ -812,8 +921,24 @@ Prefix with number to repeat command N times (f.ex: 3x)
| pds[?] disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)
| pdt disassemble the debugger traces (see atd)
```
`@addr` 表示一个相对寻址,这里的 addr 可以是地址、符号名等,这个操作和 `s` 命令不同,它不会改变当前位置,当然即使使用类似 `s @addr` 的命令也不会改变当前位置。
```
[0x00005060]> pd 5 @ main
;-- main:
;-- section..text:
0x00003620 4157 push r15 ; section 13 va=0x00003620 pa=0x00003620 sz=75529 vsz=75529 rwx=--r-x .text
0x00003622 4156 push r14
0x00003624 4155 push r13
0x00003626 4154 push r12
0x00003628 55 push rbp
[0x00005060]> s @ main
0x3620
[0x00005060]> s 0x3620
[0x00003620]>
```

#### 写入(write)
当你在打开 r2 时使用了参数 `-w` 时,才可以使用该命令,`w` 命令用于写入字节,它允许多种输入格式:
```text
[0x00000000]> w?
|Usage: w[x] [str] [<file] [<<EOF] [@addr]
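Review bot: "`@addr` 表示一个相对寻址" is misleading; `@` is a temporary seek that applies to a single command, not relative addressing. The example would also benefit from one more sentence: `s` with no argument prints the current offset, so `s @ main` prints 0x3620 (main's address under the temporary seek) while the prompt stays at 0x00005060, which is exactly the point being made. The fence should be ```text like the others.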
@ -845,9 +970,62 @@ Prefix with number to repeat command N times (f.ex: 3x)
| wv[?] eip+34 write 32-64 bit value
| wz string write zero terminated string (like w + \x00)
```
常见用法:
- `wa`:写入操作码,如 `wa jmp 0x8048320`
- `wx`:写入十六进制数。
- `wv`:写入32或64位的值。
- `wo`:有很多子命令,用于将当前位置的值做运算后覆盖原值。
```
[0x00005060]> wo?
|Usage: wo[asmdxoArl24] [hexpairs] @ addr[!bsize]
| wo[24aAdlmorwx] without hexpair values, clipboard is used
| wo2 [val] 2= 2 byte endian swap
| wo4 [val] 4= 4 byte endian swap
| woa [val] += addition (f.ex: woa 0102)
| woA [val] &= and
| wod [val] /= divide
| woD[algo] [key] [IV] decrypt current block with given algo and key
| woe [from to] [step] [wsz=1] .. create sequence
| woE [algo] [key] [IV] encrypt current block with given algo and key
| wol [val] <<= shift left
| wom [val] *= multiply
| woo [val] |= or
| wop[DO] [arg] De Bruijn Patterns
| wor [val] >>= shift right
| woR random bytes (alias for 'wr $b')
| wos [val] -= substraction
| wow [val] == write looped value (alias for 'wb')
| wox [val] ^= xor (f.ex: wox 0x90)
```

#### 调试
在开启 r2 时使用参数 `-d` 即可开启调试模式,当然如果你已经加载了程序,可以使用命令 `ood` 重新开启调试。
```
[0x7f8363c75f30]> d?
|Usage: d # Debug commands
| db[?] Breakpoints commands
| dbt[?] Display backtrace based on dbg.btdepth and dbg.btalgo
| dc[?] Continue execution
| dd[?] File descriptors (!fd in r1)
| de[-sc] [rwx] [rm] [e] Debug with ESIL (see de?)
| dg <file> Generate a core-file (WIP)
| dH [handler] Transplant process to a new handler
| di[?] Show debugger backend information (See dh)
| dk[?] List, send, get, set, signal handlers of child
| dL [handler] List or set debugger handler
| dm[?] Show memory maps
| do[?] Open process (reload, alias for 'oo')
| doo[args] Reopen in debugger mode with args (alias for 'ood')
| dp[?] List, attach to process or thread id
| dr[?] Cpu registers
| ds[?] Step, over, source line
| dt[?] Display instruction traces (dtr=reset)
| dw <pid> Block prompt until pid dies
| dx[?] Inject and run code on target process (See gs)
```

#### 视图模式
输入 `V` 即可进入视图模式,按下 `p/P` 可在不同模式之间进行切换,按下 `?` 即可查看帮助,想退出时按下 `q`。
在调试时使用视图模式是十分有用的,因为你既可以查看程序当前的位置,也可以查看任何你想看的位置。输入 `V` 即可进入视图模式,按下 `p/P` 可在不同模式之间进行切换,按下 `?` 即可查看帮助,想退出时按下 `q`。
```text
Visual mode help:
? show this help
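Review bot: "当你在打开 r2 时使用了参数 `-w` 时,才可以使用该命令" is stronger than necessary: a file opened read-only can be reopened writable from inside r2 with `oo+`, so mentioning that would spare readers a restart. The `wo?` and `d?` fences are untagged, unlike the ```text fences elsewhere in the file; the `ood` alias the prose mentions is confirmed by the `doo[args]` line in the `d?` help, which is good.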
@ -908,6 +1086,11 @@ Function Keys: (See 'e key.'), defaults to:
F8 step over
F9 continue
```
视图模式下的命令和命令行模式下的命令有很大不同,下面列出几个,更多的命令请查看帮助:
- `o`:定位到给定的偏移。
- `;`:添加注释。
- `V`:查看图形。
- `:`:运行 radare2 命令


## Web 界面使用
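Review bot: the last bullet, `:`:运行 radare2 命令, is missing the trailing 。 that the other three bullets end with.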
@ -919,12 +1102,13 @@ $ r2 -c=H [filename]


## 在 CTF 中的运用
#### IOLI crackme
[Write-up](https://github.com/firmianay/Life-long-Learner/blob/master/binary-security/IOLI-crackme-Writeup.md)
- [IOLI crackme](https://github.com/firmianay/Life-long-Learner/blob/master/binary-security/IOLI-crackme-Writeup.md)
- [radare2-explorations-binaries](https://github.com/monosource/radare2-explorations-binaries)


## 更多资源
- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
- [Radare2 intro](https://github.com/radare/radare2/blob/master/doc/intro.md)
- [Radare2 blog](http://radare.today/)
- [A journey into Radare 2 – Part 1: Simple crackme](https://www.megabeets.net/a-journey-into-radare-2-part-1/)
- [A journey into Radare 2 – Part 2: Exploitation](https://www.megabeets.net/a-journey-into-radare-2-part-2/)