From d15ae36ea79da2d9fa17a2a03331fa9ac5c8d089 Mon Sep 17 00:00:00 2001 From: firmianay Date: Fri, 29 Sep 2017 00:05:44 +0800 Subject: [PATCH] update radare2 --- doc/2.5_radare2.md | 457 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 440 insertions(+), 17 deletions(-) diff --git a/doc/2.5_radare2.md b/doc/2.5_radare2.md index cf79a0f..bc8a14c 100644 --- a/doc/2.5_radare2.md +++ b/doc/2.5_radare2.md @@ -2,7 +2,25 @@ - [简介](#简介) - [安装](#安装) -- [基本使用方法](#基本使用方法) +- [命令行使用方法](#命令行使用方法) + - [radare2/r2](#radare2r2) + - [rabin2](#rabin2) + - [rasm2](#rasm2) + - [rahash2](#rahash2) + - [radiff2](#radiff2) + - [rafind2](#rafind2) + - [ragg2](#ragg2) + - [rarun2](#rarun2) + - [rax2](rax2) +- [交互式使用方法](#交互式使用方法) + - [分析(analyze)](#分析analysis) + - [Flags](#flags) + - [定位(seeking)](#定位seeking) + - [信息(information)](#信息(information)) + - [打印(print) & 反汇编(disassembling)](#打印print反汇编disassembling) + - [写入(write)](#写入write) + - [视图模式](#视图模式) +- [Web 界面使用](#web-界面使用) - [在 CTF 中的运用](#在-ctf-中的运用) @@ -14,28 +32,27 @@ IDA Pro 昂贵的价格令很多二进制爱好者望而却步,于是在开源 ## 安装 #### 安装 -``` +```bash $ git clone https://github.com/radare/radare2.git $ cd radare2 $ ./sys/install.sh ``` #### 更新 -``` +```bash $ ./sys/install.sh ``` #### 卸载 -``` +```bash $ make uninstall $ make purge ``` -## 基本使用方法 -#### 小工具 -Radare2 是由一些命令行小工具组成的: -- radare2:十六进制编辑器和调试器的核心。 +## 命令行使用方法 +Radare2 在命令行下有一些小工具可供使用: +- radare2:十六进制编辑器和调试器的核心,通常通过它进入交互式界面。 - rabin2:从可执行二进制文件中提取信息。 - rasm2:汇编和反汇编。 - rahash2:基于块的哈希工具。 @@ -46,7 +63,7 @@ Radare2 是由一些命令行小工具组成的: - rax2:数据格式转换。 #### radare2/r2 -``` +```text $ r2 -h Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file] [-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|= 
@@ -93,7 +110,7 @@ Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file] ``` #### rabin2 -``` +```text $ rabin2 -h Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr] [-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb] @@ -151,7 +168,7 @@ Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr] #### rasm2 -``` +```text $ rasm2 -h Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax] [-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|- @@ -181,7 +198,7 @@ Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax] ``` #### rahash2 -``` +```text $ rahash2 -h Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ... -a algo comma separated list of algorithms (default is 'sha256') @@ -207,7 +224,7 @@ Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ``` #### radiff2 -``` +```text $ radiff2 -h Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file] -a [arch] specify architecture plugin to use (x86, arm, ..) @@ -240,7 +257,7 @@ Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file] ``` #### rafind2 -``` +```text $ rafind2 -h Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x hex] file .. -a [align] only accept aligned hits @@ -263,7 +280,7 @@ Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x ``` #### ragg2 -``` +```text $ ragg2 -h Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path] [-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off] @@ -301,13 +318,13 @@ Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path] ``` #### rarun2 -``` +```text $ rarun2 -h Usage: rarun2 -v|-t|script.rr2 [directive ..] ``` #### rax2 -``` +```text $ rax2 -h Usage: rax2 [options] [expr ...] =[base] ; rax2 =10 0x46 -> output in base 10 
@@ -351,7 +368,413 @@ Usage: rax2 [options] [expr ...] ``` +## 交互式使用方法 +当我们进入到 Radare2 的交互式界面后,就可以使用交互式命令进行操作。 + +输入 `?` 可以获得帮助信息,由于命令太多,我们只会重点介绍一些常用命令: +```text +[0x00000000]> ? +Usage: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ... +Append '?' to any char command to get detailed help +Prefix with number to repeat command N times (f.ex: 3x) +|%var =valueAlias for 'env' command +| *[?] off[=[0x]value] Pointer read/write data/values (see ?v, wx, wv) +| (macro arg0 arg1) Manage scripting macros +| .[?] [-|(m)|f|!sh|cmd] Define macro or load r2, cparse or rlang file +| =[?] [cmd] Send/Listen for Remote Commands (rap://, http://, ) +| /[?] Search for bytes, regexps, patterns, .. +| ![?] [cmd] Run given command as in system(3) +| #[?] !lang [..] Hashbang to run an rlang script +| a[?] Analysis commands +| b[?] Display or change the block size +| c[?] [arg] Compare block with given data +| C[?] Code metadata (comments, format, hints, ..) +| d[?] Debugger commands +| e[?] [a[=b]] List/get/set config evaluable vars +| f[?] [name][sz][at] Add flag at current address +| g[?] [arg] Generate shellcodes with r_egg +| i[?] [file] Get info about opened file from r_bin +| k[?] [sdb-query] Run sdb-query. see k? for help, 'k *', 'k **' ... +| L[?] [-] [plugin] list, unload load r2 plugins +| m[?] Mountpoints commands +| o[?] [file] ([offset]) Open file at optional address +| p[?] [len] Print current block with format and length +| P[?] Project management utilities +| q[?] [ret] Quit program with a return value +| r[?] [len] Resize file +| s[?] [addr] Seek to address (also for '0x', '0x1' == 's 0x1') +| S[?] Io section manipulation information +| t[?] Types, noreturn, signatures, C parser and more +| T[?] [-] [num|msg] Text log utility +| u[?] uname/undo seek/write +| V Enter visual mode (V! = panels, VV = fcngraph, VVV = callgraph) +| w[?] [str] Multiple write operations +| x[?] [len] Alias for 'px' (print hexadecimal) +| y[?] 
[len] [[[@]addr Yank/paste bytes from/to memory +| z[?] Zignatures management +| ?[??][expr] Help or evaluate math expression +| ?$? Show available '$' variables and aliases +| ?@? Misc help for '@' (seek), '~' (grep) (see ~??) +| ?:? List and manage core plugins +``` + +于是我们知道了 Radare2 交互命令的一般格式,如下所示: +```text +[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ... +``` +- 在任意字符命令后面加上 `?` 可以获得关于该命令更多的细节。如 `a?`、`p?`、`!?`、`@?`。 +- 当命令以数字开头时表示重复运行的次数。如 `3x`。 +- `!` 单独使用可以显示命令使用历史记录。 +- `;` 是命令分隔符,可以在一行上运行多个命令。如 `px 10; pd 20`。 +- `..` 重复运行上一条命令,使用回车键也一样。 +- 以 `!` 开头可以运行 shell 命令。用法:`!`。 + - `!ls` +- `|` 是管道符。用法:` | `。 + - `pd | less` +- `~` 用于文本比配(grep)。用法:`[command]~[modifier][word,word][endmodifier][[column]][:line]`。 + - `i~:0` 显示 `i` 输出的第一行 + - `pd~mov,eax` 反汇编并匹配 mov 或 eax 所在行 + - `pi~mov&eax` 匹配 mov 和 eax 都有的行 + - `i~0x400$` 匹配以 0x400 结尾的行 +- `???` 可以获得以 `?` 开头的命令的细节 + - `?p vaddr` 获得虚拟地址 vaddr 的物理地址 + - `?P paddr` 获得物理地址 paddr 的虚拟地址 + - `?v` 以十六进制的形式显示某数学表达式的结果。如 `?v eip-0x804800`。 + - `?l str` 获得 str 的长度,结果被临时保存,使用 `?v` 可输出结果。 +- `@@` foreach 迭代器,在列出的偏移处重复执行命令。 + - `wx ff @@ 10 20 30` 在偏移 10、20、30 处写入 ff +- `?$?` 可以显示表达式所使用变量的帮助信息。用法:`?v [$.]`。 + - `$$` 是当前所处的虚拟地址 + - `$?` 是最后一个运算的值 + - `$s` 文件大小 + - `$b` 块大小 + - `$l` 操作码长度 + - `$j` 跳转地址。当 `$$` 处是一个类似 `jmp` 的指令时,`$j` 中保存着将要跳转到的地址 + - `$f` 跳转失败地址。即当前跳转没有生效,`$f` 中保存下一条指令的地址 + - `$m` 操作码内存引用。如:`mov eax,[0x10] => 0x10` + +#### 分析(analyze) +```text +[0x00000000]> a? +|Usage: a[abdefFghoprxstc] [...] +| ab [hexpairs] analyze bytes +| abb [len] analyze N basic blocks in [len] (section.size by default) +| aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) +| ac [cycles] analyze which op could be executed in [cycles] +| ad[?] analyze data trampoline (wip) +| ad [from] [to] analyze data pointers to (from-to) +| ae[?] [expr] analyze opcode eval expression (see ao) +| af[?] analyze Functions +| aF same as above, but using anal.depth=1 +| ag[?] [options] output Graphviz code +| ah[?] 
analysis hints (force opcode size, ...) +| ai [addr] address information (show perms, stack, heap, ...) +| ao[?] [len] analyze Opcodes (or emulate it) +| aO Analyze N instructions in M bytes +| ar[?] like 'dr' but for the esil vm. (registers) +| ap find prelude for current offset +| ax[?] manage refs/xrefs (see also afx?) +| as[?] [num] analyze syscall using dbg.reg +| at[?] [.] analyze execution traces +| av[?] [.] show vtables +``` +```text +[0x00000000]> aa? +|Usage: aa[0*?] # see also 'af' and 'afna' +| aa alias for 'af@@ sym.*;af@entry0;afva' +| aa* analyze all flags starting with sym. (af @@ sym.*) +| aaa[?] autoname functions after aa (see afna) +| aab aab across io.sections.text +| aac [len] analyze function calls (af @@ `pi len~call[1]`) +| aad [len] analyze data references to code +| aae [len] ([addr]) analyze references with ESIL (optionally to address) +| aai[j] show info of all analysis parameters +| aar[?] [len] analyze len bytes of instructions for references +| aan autoname functions that either start with fcn.* or sym.func.* +| aas [len] analyze symbols (af @@= `isq~[0]`) +| aat [len] analyze all consecutive functions in section +| aaT [len] analyze code after trap-sleds +| aap find and analyze function preludes +| aav [sat] find values referencing a specific section or map +| aau [len] list mem areas (larger than len bytes) not covered by functions +``` + +#### Flags +```text +[0x00000000]> f? +|Usage: f [?] [flagname] # Manage offset-name flags +| f list flags (will only list flags from selected flagspaces) +| f?flagname check if flag exists or not, See ?? and ?! +| f. 
[*[*]] list local per-function flags (*) as r2 commands +| f.blah=$$+12 set local function label named 'blah' +| f* list flags in r commands +| f name 12 @ 33 set flag 'name' with length 12 at offset 33 +| f name = 33 alias for 'f name @ 33' or 'f name 1 33' +| f name 12 33 [cmt] same as above + optional comment +| f-.blah@fcn.foo delete local label from function at current seek (also f.-) +| f-- delete all flags and flagspaces (deinit) +| f+name 12 @ 33 like above but creates new one if doesnt exist +| f-name remove flag 'name' +| f-@addr remove flag at address expression +| f. fname list all local labels for the given function +| f= [glob] list range bars graphics with flag offsets and sizes +| fa [name] [alias] alias a flag to evaluate an expression +| fb [addr] set base address for new flags +| fb [addr] [flag*] move flags matching 'flag' to relative addr +| fc[?][name] [color] set color for given flag +| fC [name] [cmt] set comment for given flag +| fd addr return flag+delta +| fe- resets the enumerator counter +| fe [name] create flag name.#num# enumerated flag. See fe? +| fi [size] | [from] [to] show flags in current block or range +| fg bring visual mode to foreground +| fj list flags in JSON format +| fl (@[flag]) [size] show or set flag length (size) +| fla [glob] automatically compute the size of all flags matching glob +| fm addr move flag at current offset to new address +| fn list flags displaying the real name (demangled) +| fo show fortunes +| fr [old] [[new]] rename flag (if no new flag current seek one is used) +| fR[?] [f] [t] [m] relocate all flags matching f&~m 'f'rom, 't'o, 'm'ask +| fs[?]+-* manage flagspaces +| fS[on] sort flags by offset or name +| fV[*-] [nkey] [offset] dump/restore visual marks (mK/'K) +| fx[d] show hexdump (or disasm) of flag:flagsize +| fz[?][name] add named flag zone -name to delete. see fz?[name] +``` + +#### 定位(seeking) +```text +[0x00000000]> s? 
+|Usage: s # Seek commands +| s Print current address +| s:pad Print current address with N padded zeros (defaults to 8) +| s addr Seek to address +| s- Undo seek +| s- n Seek n bytes backward +| s-- Seek blocksize bytes backward +| s+ Redo seek +| s+ n Seek n bytes forward +| s++ Seek blocksize bytes forward +| s[j*=!] List undo seek history (JSON, =list, *r2, !=names, s==) +| s/ DATA Search for next occurrence of 'DATA' +| s/x 9091 Search for next occurrence of \x90\x91 +| s.hexoff Seek honoring a base from core->offset +| sa [[+-]a] [asz] Seek asz (or bsize) aligned to addr +| sb Seek aligned to bb start +| sC[?] string Seek to comment matching given string +| sf Seek to next function (f->addr+f->size) +| sf function Seek to address of specified function +| sg/sG Seek begin (sg) or end (sG) of section or file +| sl[?] [+-]line Seek to line +| sn/sp Seek to next/prev location, as specified by scr.nkey +| so [N] Seek to N next opcode(s) +| sr pc Seek to register +| ss Seek silently (without adding an entry to the seek history) +``` + +#### 信息(information) +```text +[0x00000000]> i? +|Usage: i Get info from opened file (see rabin2's manpage) +| Output mode: +| '*' Output in radare commands +| 'j' Output in json +| 'q' Simple quiet output +| Actions: +| i|ij Show info of current file (in JSON) +| iA List archs +| ia Show all info (imports, exports, sections..) +| ib Reload the current buffer for setting of the bin (use once only) +| ic List classes, methods and fields +| iC Show signature info (entitlements, ...) +| id[?] 
Debug information (source lines) +| iD lang sym demangle symbolname for given language +| ie Entrypoint +| iE Exports (global symbols) +| ih Headers (alias for iH) +| iHH Verbose Headers in raw text +| ii Imports +| iI Binary info +| ik [query] Key-value database from RBinObject +| il Libraries +| iL [plugin] List all RBin plugins loaded or plugin details +| im Show info about predefined memory allocation +| iM Show main address +| io [file] Load info from file (or last opened) use bin.baddr +| ir Relocs +| iR Resources +| is Symbols +| iS [entropy,sha1] Sections (choose which hash algorithm to use) +| iV Display file version info +| iz|izj Strings in data sections (in JSON/Base64) +| izz Search for Strings in the whole binary +| iZ Guess size of binary program +``` + +#### 打印(print) & 反汇编(disassembling) +```text +[0x00000000]> p? +|Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr] +| p=[?][bep] [blks] [len] [blk] show entropy/printable chars/chars bars +| p2 [len] 8x8 2bpp-tiles +| p3 [file] print stereogram (3D) +| p6[de] [len] base64 decode/encode +| p8[?][j] [len] 8bit hexpair list of bytes +| pa[edD] [arg] pa:assemble pa[dD]:disasm or pae: esil from hexpairs +| pA[n_ops] show n_ops address and type +| p[b|B|xb] [len] ([skip]) bindump N bits skipping M +| pb[?] [n] bitstream of N bits +| pB[?] [n] bitstream of N bytes +| pc[?][p] [len] output C (or python) format +| pC[d] [rows] print disassembly in columns (see hex.cols and pdi) +| pd[?] [sz] [a] [b] disassemble N opcodes (pd) or N bytes (pD) +| pf[?][.nam] [fmt] print formatted data (pf.name, pf.name $) +| ph[?][=|hash] ([len]) calculate hash for a block +| p[iI][df] [len] print N ops/bytes (f=func) (see pi? and pdi) +| pm[?] [magic] print libmagic data (see pm? and /m?) 
+| pr[?][glx] [len] print N raw bytes (in lines or hexblocks, 'g'unzip) +| p[kK] [len] print key in randomart (K is for mosaic) +| ps[?][pwz] [len] print pascal/wide/zero-terminated strings +| pt[?][dn] [len] print different timestamps +| pu[?][w] [len] print N url encoded bytes (w=wide) +| pv[?][jh] [mode] show variable/pointer/value in memory +| p-[?][jh] [mode] bar|json|histogram blocks (mode: e?search.in) +| px[?][owq] [len] hexdump of N bytes (o=octal, w=32bit, q=64bit) +| pz[?] [len] print zoom view (see pz? for help) +| pwd display current working directory +``` +```text +[0x00000000]> pd? +|Usage: p[dD][ajbrfils] [sz] [arch] [bits] # Print Disassembly +| NOTE: len parameter can be negative +| NOTE: Pressing ENTER on empty command will repeat last pd command and also seek to end of disassembled range. +| pd N disassemble N instructions +| pd -N disassemble N instructions backward +| pD N disassemble N bytes +| pda disassemble all possible opcodes (byte per byte) +| pdb disassemble basic block +| pdc pseudo disassembler output in C-like syntax +| pdC show comments found in N instructions +| pdk disassemble all methods of a class +| pdj disassemble to json +| pdr recursive disassemble across the function graph +| pdf disassemble function +| pdi like 'pi', with offset and bytes +| pdl show instruction sizes +| pds[?] disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs) +| pdt disassemble the debugger traces (see atd) +``` + +#### 写入(write) +```text +[0x00000000]> w? +|Usage: w[x] [str] [ seek aligned to block size (seek cursor in cursor mode) + a/A (a)ssemble code, visual (A)ssembler + b toggle breakpoint + B enumerate and inspect classes + c/C toggle (c)ursor and (C)olors + d[f?] define function, data, code, .. + D enter visual diff mode (set diff.from/to) + e edit eval configuration variables + f/F set/unset or browse flags. f- to unset, F to browse, .. 
+ gG go seek to begin and end of file (0-$s) + hjkl move around (or HJKL) (left-down-up-right) + i insert hex or string (in hexdump) use tab to toggle + mK/'K mark/go to Key (any key) + M walk the mounted filesystems + n/N seek next/prev function/flag/hit (scr.nkey) + o go/seek to given offset + O toggle asm.esil + p/P rotate print modes (hex, disasm, debug, words, buf) + q back to radare shell + r refresh screen / in cursor mode browse comments + R randomize color palette (ecr) + sS step / step over + t browse types + T enter textlog chat console (TT) + uU undo/redo seek + v visual function/vars code analysis menu + V (V)iew graph using cmd.graph (agv?) + wW seek cursor to next/prev word + xX show xrefs/refs of current function from/to data/code + yY copy and paste selection + z fold/unfold comments in disassembly + Z toggle zoom mode + Enter follow address of jump/call +Function Keys: (See 'e key.'), defaults to: + F2 toggle breakpoint + F4 run to cursor + F7 single step + F8 step over + F9 continue +``` + + +## Web 界面使用 +Radare2 的 GUI 尚在开发中,但有一个 Web 界面可以使用,如果刚开始你不习惯命令行操作,可以输入下面的命令: +``` +$ r2 -c=H [filename] +``` +默认地址为 `http://localhost:9090/`,这样你就可以在 Web 中进行操作了,但是我强烈建议你强迫自己使用命令行的操作方式。 + + ## 在 CTF 中的运用 +#### IOLI crackme +[Write-up](https://github.com/firmianay/Life-long-Learner/blob/master/binary-security/IOLI-crackme-Writeup.md) + ## 更多资源 - [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
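Review bot: in the table-of-contents hunk (`@@ -2,7 +2,25 @@`) several new anchors will not resolve: `- [rax2](rax2)` is missing the leading `#` (it should be `- [rax2](#rax2)` like the neighbouring entries); `[分析(analyze)](#分析analysis)` points at `analysis` while the heading added later in this patch is `#### 分析(analyze)`, so the generated slug is `#分析analyze`; and `[信息(information)](#信息(information))` keeps the parentheses that heading slugs drop. Suggest regenerating each anchor from the final heading text (punctuation stripped, spaces to hyphens) and checking `#打印print反汇编disassembling` against the ` & ` in its heading the same way.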
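Review bot: in the `@@ -351,7 +368,413 @@` hunk the `#### 写入(write)` section is truncated: the `w?` help stops at `|Usage: w[x] [str] [` and runs straight into what reads as visual-mode key help (`seek aligned to block size`, `hjkl move around`, `Function Keys:`), and the `#### 视图模式` heading that the new table of contents links to does not appear anywhere in the hunk. The rest of the `w?` output and the missing heading need to be restored; the cut looks like an angle-bracket placeholder being treated as an HTML tag, so escape `<`/`>` inside the Markdown. Smaller points in the same hunk: `~` 用于文本比配(grep) should read 匹配; the shell and pipe usage lines come out empty (`用法:` followed by just `!` and ` | `), so if they use `<cmd>`-style placeholders those need escaping too; and the Web 界面 block (`$ r2 -c=H [filename]`) is the only fence left untagged after the rest of the file was switched to ```bash / ```text.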