mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
update radare2
parent
81a2d20326
commit
d15ae36ea7
@ -2,7 +2,25 @@
|
|||||||
|
|
||||||
- [简介](#简介)
|
- [简介](#简介)
|
||||||
- [安装](#安装)
|
- [安装](#安装)
|
||||||
- [基本使用方法](#基本使用方法)
|
- [命令行使用方法](#命令行使用方法)
|
||||||
|
- [radare2/r2](#radare2r2)
|
||||||
|
- [rabin2](#rabin2)
|
||||||
|
- [rasm2](#rasm2)
|
||||||
|
- [rahash2](#rahash2)
|
||||||
|
- [radiff2](#radiff2)
|
||||||
|
- [rafind2](#rafind2)
|
||||||
|
- [ragg2](#ragg2)
|
||||||
|
- [rarun2](#rarun2)
|
||||||
|
- [rax2](rax2)
|
||||||
|
- [交互式使用方法](#交互式使用方法)
|
||||||
|
- [分析(analyze)](#分析analysis)
|
||||||
|
- [Flags](#flags)
|
||||||
|
- [定位(seeking)](#定位seeking)
|
||||||
|
- [信息(information)](#信息(information))
|
||||||
|
- [打印(print) & 反汇编(disassembling)](#打印print反汇编disassembling)
|
||||||
|
- [写入(write)](#写入write)
|
||||||
|
- [视图模式](#视图模式)
|
||||||
|
- [Web 界面使用](#web-界面使用)
|
||||||
- [在 CTF 中的运用](#在-ctf-中的运用)
|
- [在 CTF 中的运用](#在-ctf-中的运用)
|
||||||
|
|
||||||
|
|
||||||
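Review bot: the `rax2` entry links to `(rax2)` without the `#`, unlike every other entry in the list, so it resolves to a relative path instead of the heading; change it to `- [rax2](#rax2)`. Two other anchors will not reach their headings either: `#分析analysis` targets a heading titled `分析(analyze)` (the slug would be `#分析analyze`), and `#信息(information)` keeps the parentheses, which GitHub-style heading slugs strip (use `#信息information`).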
@ -14,28 +32,27 @@ IDA Pro 昂贵的价格令很多二进制爱好者望而却步,于是在开源
|
|||||||
|
|
||||||
## 安装
|
## 安装
|
||||||
#### 安装
|
#### 安装
|
||||||
```
|
```bash
|
||||||
$ git clone https://github.com/radare/radare2.git
|
$ git clone https://github.com/radare/radare2.git
|
||||||
$ cd radare2
|
$ cd radare2
|
||||||
$ ./sys/install.sh
|
$ ./sys/install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
#### 更新
|
#### 更新
|
||||||
```
|
```bash
|
||||||
$ ./sys/install.sh
|
$ ./sys/install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
#### 卸载
|
#### 卸载
|
||||||
```
|
```bash
|
||||||
$ make uninstall
|
$ make uninstall
|
||||||
$ make purge
|
$ make purge
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## 基本使用方法
|
## 命令行使用方法
|
||||||
#### 小工具
|
Radare2 在命令行下有一些小工具可供使用:
|
||||||
Radare2 是由一些命令行小工具组成的:
|
- radare2:十六进制编辑器和调试器的核心,通常通过它进入交互式界面。
|
||||||
- radare2:十六进制编辑器和调试器的核心。
|
|
||||||
- rabin2:从可执行二进制文件中提取信息。
|
- rabin2:从可执行二进制文件中提取信息。
|
||||||
- rasm2:汇编和反汇编。
|
- rasm2:汇编和反汇编。
|
||||||
- rahash2:基于块的哈希工具。
|
- rahash2:基于块的哈希工具。
|
||||||
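Review bot: the 更新 block shows only `$ ./sys/install.sh`; a `$ git pull` line before it is what actually fetches the new revision, so add it or the "update" step just rebuilds the checkout already on disk. The 卸载 commands (`make uninstall`, `make purge`) also only work from inside the cloned `radare2` directory, which is worth stating since that block no longer shows a `cd`.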
@ -46,7 +63,7 @@ Radare2 是由一些命令行小工具组成的:
|
|||||||
- rax2:数据格式转换。
|
- rax2:数据格式转换。
|
||||||
|
|
||||||
#### radare2/r2
|
#### radare2/r2
|
||||||
```
|
```text
|
||||||
$ r2 -h
|
$ r2 -h
|
||||||
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
|
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
|
||||||
[-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|=
|
[-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|=
|
||||||
@ -93,7 +110,7 @@ Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### rabin2
|
#### rabin2
|
||||||
```
|
```text
|
||||||
$ rabin2 -h
|
$ rabin2 -h
|
||||||
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
|
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
|
||||||
[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
|
[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
|
||||||
@ -151,7 +168,7 @@ Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
|
|||||||
|
|
||||||
|
|
||||||
#### rasm2
|
#### rasm2
|
||||||
```
|
```text
|
||||||
$ rasm2 -h
|
$ rasm2 -h
|
||||||
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
|
Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
|
||||||
[-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
|
[-f file] [-F fil:ter] [-i skip] [-l len] 'code'|hex|-
|
||||||
@ -181,7 +198,7 @@ Usage: rasm2 [-ACdDehLBvw] [-a arch] [-b bits] [-o addr] [-s syntax]
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### rahash2
|
#### rahash2
|
||||||
```
|
```text
|
||||||
$ rahash2 -h
|
$ rahash2 -h
|
||||||
Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
|
Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file] ...
|
||||||
-a algo comma separated list of algorithms (default is 'sha256')
|
-a algo comma separated list of algorithms (default is 'sha256')
|
||||||
@ -207,7 +224,7 @@ Usage: rahash2 [-rBhLkv] [-b S] [-a A] [-c H] [-E A] [-s S] [-f O] [-t O] [file]
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### radiff2
|
#### radiff2
|
||||||
```
|
```text
|
||||||
$ radiff2 -h
|
$ radiff2 -h
|
||||||
Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file]
|
Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file]
|
||||||
-a [arch] specify architecture plugin to use (x86, arm, ..)
|
-a [arch] specify architecture plugin to use (x86, arm, ..)
|
||||||
@ -240,7 +257,7 @@ Usage: radiff2 [-abcCdjrspOxuUvV] [-A[A]] [-g sym] [-t %] [file] [file]
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### rafind2
|
#### rafind2
|
||||||
```
|
```text
|
||||||
$ rafind2 -h
|
$ rafind2 -h
|
||||||
Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x hex] file ..
|
Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x hex] file ..
|
||||||
-a [align] only accept aligned hits
|
-a [align] only accept aligned hits
|
||||||
@ -263,7 +280,7 @@ Usage: rafind2 [-mXnzZhv] [-a align] [-b sz] [-f/t from/to] [-[m|s|S|e] str] [-x
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### ragg2
|
#### ragg2
|
||||||
```
|
```text
|
||||||
$ ragg2 -h
|
$ ragg2 -h
|
||||||
Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
|
Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
|
||||||
[-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off]
|
[-i sc] [-e enc] [-B hex] [-c k=v] [-C file] [-p pad] [-q off]
|
||||||
@ -301,13 +318,13 @@ Usage: ragg2 [-FOLsrxhvz] [-a arch] [-b bits] [-k os] [-o file] [-I path]
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### rarun2
|
#### rarun2
|
||||||
```
|
```text
|
||||||
$ rarun2 -h
|
$ rarun2 -h
|
||||||
Usage: rarun2 -v|-t|script.rr2 [directive ..]
|
Usage: rarun2 -v|-t|script.rr2 [directive ..]
|
||||||
```
|
```
|
||||||
|
|
||||||
#### rax2
|
#### rax2
|
||||||
```
|
```text
|
||||||
$ rax2 -h
|
$ rax2 -h
|
||||||
Usage: rax2 [options] [expr ...]
|
Usage: rax2 [options] [expr ...]
|
||||||
=[base] ; rax2 =10 0x46 -> output in base 10
|
=[base] ; rax2 =10 0x46 -> output in base 10
|
||||||
@ -351,7 +368,413 @@ Usage: rax2 [options] [expr ...]
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## 交互式使用方法
|
||||||
|
当我们进入到 Radare2 的交互式界面后,就可以使用交互式命令进行操作。
|
||||||
|
|
||||||
|
输入 `?` 可以获得帮助信息,由于命令太多,我们只会重点介绍一些常用命令:
|
||||||
|
```text
|
||||||
|
[0x00000000]> ?
|
||||||
|
Usage: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ...
|
||||||
|
Append '?' to any char command to get detailed help
|
||||||
|
Prefix with number to repeat command N times (f.ex: 3x)
|
||||||
|
|%var =valueAlias for 'env' command
|
||||||
|
| *[?] off[=[0x]value] Pointer read/write data/values (see ?v, wx, wv)
|
||||||
|
| (macro arg0 arg1) Manage scripting macros
|
||||||
|
| .[?] [-|(m)|f|!sh|cmd] Define macro or load r2, cparse or rlang file
|
||||||
|
| =[?] [cmd] Send/Listen for Remote Commands (rap://, http://, <fd>)
|
||||||
|
| /[?] Search for bytes, regexps, patterns, ..
|
||||||
|
| ![?] [cmd] Run given command as in system(3)
|
||||||
|
| #[?] !lang [..] Hashbang to run an rlang script
|
||||||
|
| a[?] Analysis commands
|
||||||
|
| b[?] Display or change the block size
|
||||||
|
| c[?] [arg] Compare block with given data
|
||||||
|
| C[?] Code metadata (comments, format, hints, ..)
|
||||||
|
| d[?] Debugger commands
|
||||||
|
| e[?] [a[=b]] List/get/set config evaluable vars
|
||||||
|
| f[?] [name][sz][at] Add flag at current address
|
||||||
|
| g[?] [arg] Generate shellcodes with r_egg
|
||||||
|
| i[?] [file] Get info about opened file from r_bin
|
||||||
|
| k[?] [sdb-query] Run sdb-query. see k? for help, 'k *', 'k **' ...
|
||||||
|
| L[?] [-] [plugin] list, unload load r2 plugins
|
||||||
|
| m[?] Mountpoints commands
|
||||||
|
| o[?] [file] ([offset]) Open file at optional address
|
||||||
|
| p[?] [len] Print current block with format and length
|
||||||
|
| P[?] Project management utilities
|
||||||
|
| q[?] [ret] Quit program with a return value
|
||||||
|
| r[?] [len] Resize file
|
||||||
|
| s[?] [addr] Seek to address (also for '0x', '0x1' == 's 0x1')
|
||||||
|
| S[?] Io section manipulation information
|
||||||
|
| t[?] Types, noreturn, signatures, C parser and more
|
||||||
|
| T[?] [-] [num|msg] Text log utility
|
||||||
|
| u[?] uname/undo seek/write
|
||||||
|
| V Enter visual mode (V! = panels, VV = fcngraph, VVV = callgraph)
|
||||||
|
| w[?] [str] Multiple write operations
|
||||||
|
| x[?] [len] Alias for 'px' (print hexadecimal)
|
||||||
|
| y[?] [len] [[[@]addr Yank/paste bytes from/to memory
|
||||||
|
| z[?] Zignatures management
|
||||||
|
| ?[??][expr] Help or evaluate math expression
|
||||||
|
| ?$? Show available '$' variables and aliases
|
||||||
|
| ?@? Misc help for '@' (seek), '~' (grep) (see ~??)
|
||||||
|
| ?:? List and manage core plugins
|
||||||
|
```
|
||||||
|
|
||||||
|
于是我们知道了 Radare2 交互命令的一般格式,如下所示:
|
||||||
|
```text
|
||||||
|
[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ...
|
||||||
|
```
|
||||||
|
- 在任意字符命令后面加上 `?` 可以获得关于该命令更多的细节。如 `a?`、`p?`、`!?`、`@?`。
|
||||||
|
- 当命令以数字开头时表示重复运行的次数。如 `3x`。
|
||||||
|
- `!` 单独使用可以显示命令使用历史记录。
|
||||||
|
- `;` 是命令分隔符,可以在一行上运行多个命令。如 `px 10; pd 20`。
|
||||||
|
- `..` 重复运行上一条命令,使用回车键也一样。
|
||||||
|
- 以 `!` 开头可以运行 shell 命令。用法:`!<cmd>`。
|
||||||
|
- `!ls`
|
||||||
|
- `|` 是管道符。用法:`<r2command> | <program|H|>`。
|
||||||
|
- `pd | less`
|
||||||
|
- `~` 用于文本比配(grep)。用法:`[command]~[modifier][word,word][endmodifier][[column]][:line]`。
|
||||||
|
- `i~:0` 显示 `i` 输出的第一行
|
||||||
|
- `pd~mov,eax` 反汇编并匹配 mov 或 eax 所在行
|
||||||
|
- `pi~mov&eax` 匹配 mov 和 eax 都有的行
|
||||||
|
- `i~0x400$` 匹配以 0x400 结尾的行
|
||||||
|
- `???` 可以获得以 `?` 开头的命令的细节
|
||||||
|
- `?p vaddr` 获得虚拟地址 vaddr 的物理地址
|
||||||
|
- `?P paddr` 获得物理地址 paddr 的虚拟地址
|
||||||
|
- `?v` 以十六进制的形式显示某数学表达式的结果。如 `?v eip-0x804800`。
|
||||||
|
- `?l str` 获得 str 的长度,结果被临时保存,使用 `?v` 可输出结果。
|
||||||
|
- `@@` foreach 迭代器,在列出的偏移处重复执行命令。
|
||||||
|
- `wx ff @@ 10 20 30` 在偏移 10、20、30 处写入 ff
|
||||||
|
- `?$?` 可以显示表达式所使用变量的帮助信息。用法:`?v [$.]`。
|
||||||
|
- `$$` 是当前所处的虚拟地址
|
||||||
|
- `$?` 是最后一个运算的值
|
||||||
|
- `$s` 文件大小
|
||||||
|
- `$b` 块大小
|
||||||
|
- `$l` 操作码长度
|
||||||
|
- `$j` 跳转地址。当 `$$` 处是一个类似 `jmp` 的指令时,`$j` 中保存着将要跳转到的地址
|
||||||
|
- `$f` 跳转失败地址。即当前跳转没有生效,`$f` 中保存下一条指令的地址
|
||||||
|
- `$m` 操作码内存引用。如:`mov eax,[0x10] => 0x10`
|
||||||
|
|
||||||
|
#### 分析(analyze)
|
||||||
|
```text
|
||||||
|
[0x00000000]> a?
|
||||||
|
|Usage: a[abdefFghoprxstc] [...]
|
||||||
|
| ab [hexpairs] analyze bytes
|
||||||
|
| abb [len] analyze N basic blocks in [len] (section.size by default)
|
||||||
|
| aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming)
|
||||||
|
| ac [cycles] analyze which op could be executed in [cycles]
|
||||||
|
| ad[?] analyze data trampoline (wip)
|
||||||
|
| ad [from] [to] analyze data pointers to (from-to)
|
||||||
|
| ae[?] [expr] analyze opcode eval expression (see ao)
|
||||||
|
| af[?] analyze Functions
|
||||||
|
| aF same as above, but using anal.depth=1
|
||||||
|
| ag[?] [options] output Graphviz code
|
||||||
|
| ah[?] analysis hints (force opcode size, ...)
|
||||||
|
| ai [addr] address information (show perms, stack, heap, ...)
|
||||||
|
| ao[?] [len] analyze Opcodes (or emulate it)
|
||||||
|
| aO Analyze N instructions in M bytes
|
||||||
|
| ar[?] like 'dr' but for the esil vm. (registers)
|
||||||
|
| ap find prelude for current offset
|
||||||
|
| ax[?] manage refs/xrefs (see also afx?)
|
||||||
|
| as[?] [num] analyze syscall using dbg.reg
|
||||||
|
| at[?] [.] analyze execution traces
|
||||||
|
| av[?] [.] show vtables
|
||||||
|
```
|
||||||
|
```text
|
||||||
|
[0x00000000]> aa?
|
||||||
|
|Usage: aa[0*?] # see also 'af' and 'afna'
|
||||||
|
| aa alias for 'af@@ sym.*;af@entry0;afva'
|
||||||
|
| aa* analyze all flags starting with sym. (af @@ sym.*)
|
||||||
|
| aaa[?] autoname functions after aa (see afna)
|
||||||
|
| aab aab across io.sections.text
|
||||||
|
| aac [len] analyze function calls (af @@ `pi len~call[1]`)
|
||||||
|
| aad [len] analyze data references to code
|
||||||
|
| aae [len] ([addr]) analyze references with ESIL (optionally to address)
|
||||||
|
| aai[j] show info of all analysis parameters
|
||||||
|
| aar[?] [len] analyze len bytes of instructions for references
|
||||||
|
| aan autoname functions that either start with fcn.* or sym.func.*
|
||||||
|
| aas [len] analyze symbols (af @@= `isq~[0]`)
|
||||||
|
| aat [len] analyze all consecutive functions in section
|
||||||
|
| aaT [len] analyze code after trap-sleds
|
||||||
|
| aap find and analyze function preludes
|
||||||
|
| aav [sat] find values referencing a specific section or map
|
||||||
|
| aau [len] list mem areas (larger than len bytes) not covered by functions
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Flags
|
||||||
|
```text
|
||||||
|
[0x00000000]> f?
|
||||||
|
|Usage: f [?] [flagname] # Manage offset-name flags
|
||||||
|
| f list flags (will only list flags from selected flagspaces)
|
||||||
|
| f?flagname check if flag exists or not, See ?? and ?!
|
||||||
|
| f. [*[*]] list local per-function flags (*) as r2 commands
|
||||||
|
| f.blah=$$+12 set local function label named 'blah'
|
||||||
|
| f* list flags in r commands
|
||||||
|
| f name 12 @ 33 set flag 'name' with length 12 at offset 33
|
||||||
|
| f name = 33 alias for 'f name @ 33' or 'f name 1 33'
|
||||||
|
| f name 12 33 [cmt] same as above + optional comment
|
||||||
|
| f-.blah@fcn.foo delete local label from function at current seek (also f.-)
|
||||||
|
| f-- delete all flags and flagspaces (deinit)
|
||||||
|
| f+name 12 @ 33 like above but creates new one if doesnt exist
|
||||||
|
| f-name remove flag 'name'
|
||||||
|
| f-@addr remove flag at address expression
|
||||||
|
| f. fname list all local labels for the given function
|
||||||
|
| f= [glob] list range bars graphics with flag offsets and sizes
|
||||||
|
| fa [name] [alias] alias a flag to evaluate an expression
|
||||||
|
| fb [addr] set base address for new flags
|
||||||
|
| fb [addr] [flag*] move flags matching 'flag' to relative addr
|
||||||
|
| fc[?][name] [color] set color for given flag
|
||||||
|
| fC [name] [cmt] set comment for given flag
|
||||||
|
| fd addr return flag+delta
|
||||||
|
| fe- resets the enumerator counter
|
||||||
|
| fe [name] create flag name.#num# enumerated flag. See fe?
|
||||||
|
| fi [size] | [from] [to] show flags in current block or range
|
||||||
|
| fg bring visual mode to foreground
|
||||||
|
| fj list flags in JSON format
|
||||||
|
| fl (@[flag]) [size] show or set flag length (size)
|
||||||
|
| fla [glob] automatically compute the size of all flags matching glob
|
||||||
|
| fm addr move flag at current offset to new address
|
||||||
|
| fn list flags displaying the real name (demangled)
|
||||||
|
| fo show fortunes
|
||||||
|
| fr [old] [[new]] rename flag (if no new flag current seek one is used)
|
||||||
|
| fR[?] [f] [t] [m] relocate all flags matching f&~m 'f'rom, 't'o, 'm'ask
|
||||||
|
| fs[?]+-* manage flagspaces
|
||||||
|
| fS[on] sort flags by offset or name
|
||||||
|
| fV[*-] [nkey] [offset] dump/restore visual marks (mK/'K)
|
||||||
|
| fx[d] show hexdump (or disasm) of flag:flagsize
|
||||||
|
| fz[?][name] add named flag zone -name to delete. see fz?[name]
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 定位(seeking)
|
||||||
|
```text
|
||||||
|
[0x00000000]> s?
|
||||||
|
|Usage: s # Seek commands
|
||||||
|
| s Print current address
|
||||||
|
| s:pad Print current address with N padded zeros (defaults to 8)
|
||||||
|
| s addr Seek to address
|
||||||
|
| s- Undo seek
|
||||||
|
| s- n Seek n bytes backward
|
||||||
|
| s-- Seek blocksize bytes backward
|
||||||
|
| s+ Redo seek
|
||||||
|
| s+ n Seek n bytes forward
|
||||||
|
| s++ Seek blocksize bytes forward
|
||||||
|
| s[j*=!] List undo seek history (JSON, =list, *r2, !=names, s==)
|
||||||
|
| s/ DATA Search for next occurrence of 'DATA'
|
||||||
|
| s/x 9091 Search for next occurrence of \x90\x91
|
||||||
|
| s.hexoff Seek honoring a base from core->offset
|
||||||
|
| sa [[+-]a] [asz] Seek asz (or bsize) aligned to addr
|
||||||
|
| sb Seek aligned to bb start
|
||||||
|
| sC[?] string Seek to comment matching given string
|
||||||
|
| sf Seek to next function (f->addr+f->size)
|
||||||
|
| sf function Seek to address of specified function
|
||||||
|
| sg/sG Seek begin (sg) or end (sG) of section or file
|
||||||
|
| sl[?] [+-]line Seek to line
|
||||||
|
| sn/sp Seek to next/prev location, as specified by scr.nkey
|
||||||
|
| so [N] Seek to N next opcode(s)
|
||||||
|
| sr pc Seek to register
|
||||||
|
| ss Seek silently (without adding an entry to the seek history)
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 信息(information)
|
||||||
|
```text
|
||||||
|
[0x00000000]> i?
|
||||||
|
|Usage: i Get info from opened file (see rabin2's manpage)
|
||||||
|
| Output mode:
|
||||||
|
| '*' Output in radare commands
|
||||||
|
| 'j' Output in json
|
||||||
|
| 'q' Simple quiet output
|
||||||
|
| Actions:
|
||||||
|
| i|ij Show info of current file (in JSON)
|
||||||
|
| iA List archs
|
||||||
|
| ia Show all info (imports, exports, sections..)
|
||||||
|
| ib Reload the current buffer for setting of the bin (use once only)
|
||||||
|
| ic List classes, methods and fields
|
||||||
|
| iC Show signature info (entitlements, ...)
|
||||||
|
| id[?] Debug information (source lines)
|
||||||
|
| iD lang sym demangle symbolname for given language
|
||||||
|
| ie Entrypoint
|
||||||
|
| iE Exports (global symbols)
|
||||||
|
| ih Headers (alias for iH)
|
||||||
|
| iHH Verbose Headers in raw text
|
||||||
|
| ii Imports
|
||||||
|
| iI Binary info
|
||||||
|
| ik [query] Key-value database from RBinObject
|
||||||
|
| il Libraries
|
||||||
|
| iL [plugin] List all RBin plugins loaded or plugin details
|
||||||
|
| im Show info about predefined memory allocation
|
||||||
|
| iM Show main address
|
||||||
|
| io [file] Load info from file (or last opened) use bin.baddr
|
||||||
|
| ir Relocs
|
||||||
|
| iR Resources
|
||||||
|
| is Symbols
|
||||||
|
| iS [entropy,sha1] Sections (choose which hash algorithm to use)
|
||||||
|
| iV Display file version info
|
||||||
|
| iz|izj Strings in data sections (in JSON/Base64)
|
||||||
|
| izz Search for Strings in the whole binary
|
||||||
|
| iZ Guess size of binary program
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 打印(print) & 反汇编(disassembling)
|
||||||
|
```text
|
||||||
|
[0x00000000]> p?
|
||||||
|
|Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr]
|
||||||
|
| p=[?][bep] [blks] [len] [blk] show entropy/printable chars/chars bars
|
||||||
|
| p2 [len] 8x8 2bpp-tiles
|
||||||
|
| p3 [file] print stereogram (3D)
|
||||||
|
| p6[de] [len] base64 decode/encode
|
||||||
|
| p8[?][j] [len] 8bit hexpair list of bytes
|
||||||
|
| pa[edD] [arg] pa:assemble pa[dD]:disasm or pae: esil from hexpairs
|
||||||
|
| pA[n_ops] show n_ops address and type
|
||||||
|
| p[b|B|xb] [len] ([skip]) bindump N bits skipping M
|
||||||
|
| pb[?] [n] bitstream of N bits
|
||||||
|
| pB[?] [n] bitstream of N bytes
|
||||||
|
| pc[?][p] [len] output C (or python) format
|
||||||
|
| pC[d] [rows] print disassembly in columns (see hex.cols and pdi)
|
||||||
|
| pd[?] [sz] [a] [b] disassemble N opcodes (pd) or N bytes (pD)
|
||||||
|
| pf[?][.nam] [fmt] print formatted data (pf.name, pf.name $<expr>)
|
||||||
|
| ph[?][=|hash] ([len]) calculate hash for a block
|
||||||
|
| p[iI][df] [len] print N ops/bytes (f=func) (see pi? and pdi)
|
||||||
|
| pm[?] [magic] print libmagic data (see pm? and /m?)
|
||||||
|
| pr[?][glx] [len] print N raw bytes (in lines or hexblocks, 'g'unzip)
|
||||||
|
| p[kK] [len] print key in randomart (K is for mosaic)
|
||||||
|
| ps[?][pwz] [len] print pascal/wide/zero-terminated strings
|
||||||
|
| pt[?][dn] [len] print different timestamps
|
||||||
|
| pu[?][w] [len] print N url encoded bytes (w=wide)
|
||||||
|
| pv[?][jh] [mode] show variable/pointer/value in memory
|
||||||
|
| p-[?][jh] [mode] bar|json|histogram blocks (mode: e?search.in)
|
||||||
|
| px[?][owq] [len] hexdump of N bytes (o=octal, w=32bit, q=64bit)
|
||||||
|
| pz[?] [len] print zoom view (see pz? for help)
|
||||||
|
| pwd display current working directory
|
||||||
|
```
|
||||||
|
```text
|
||||||
|
[0x00000000]> pd?
|
||||||
|
|Usage: p[dD][ajbrfils] [sz] [arch] [bits] # Print Disassembly
|
||||||
|
| NOTE: len parameter can be negative
|
||||||
|
| NOTE: Pressing ENTER on empty command will repeat last pd command and also seek to end of disassembled range.
|
||||||
|
| pd N disassemble N instructions
|
||||||
|
| pd -N disassemble N instructions backward
|
||||||
|
| pD N disassemble N bytes
|
||||||
|
| pda disassemble all possible opcodes (byte per byte)
|
||||||
|
| pdb disassemble basic block
|
||||||
|
| pdc pseudo disassembler output in C-like syntax
|
||||||
|
| pdC show comments found in N instructions
|
||||||
|
| pdk disassemble all methods of a class
|
||||||
|
| pdj disassemble to json
|
||||||
|
| pdr recursive disassemble across the function graph
|
||||||
|
| pdf disassemble function
|
||||||
|
| pdi like 'pi', with offset and bytes
|
||||||
|
| pdl show instruction sizes
|
||||||
|
| pds[?] disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)
|
||||||
|
| pdt disassemble the debugger traces (see atd)
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 写入(write)
|
||||||
|
```text
|
||||||
|
[0x00000000]> w?
|
||||||
|
|Usage: w[x] [str] [<file] [<<EOF] [@addr]
|
||||||
|
| w[1248][+-][n] increment/decrement byte,word..
|
||||||
|
| w foobar write string 'foobar'
|
||||||
|
| w0 [len] write 'len' bytes with value 0x00
|
||||||
|
| w6[de] base64/hex write base64 [d]ecoded or [e]ncoded string
|
||||||
|
| wa[?] push ebp write opcode, separated by ';' (use '"' around the command)
|
||||||
|
| waf file assemble file and write bytes
|
||||||
|
| wao[?] op modify opcode (change conditional of jump. nop, etc)
|
||||||
|
| wA[?] r 0 alter/modify opcode at current seek (see wA?)
|
||||||
|
| wb 010203 fill current block with cyclic hexpairs
|
||||||
|
| wB[-]0xVALUE set or unset bits with given value
|
||||||
|
| wc list all write changes
|
||||||
|
| wc[?][ir*?] write cache undo/commit/reset/list (io.cache)
|
||||||
|
| wd [off] [n] duplicate N bytes from offset at current seek (memcpy) (see y?)
|
||||||
|
| we[?] [nNsxX] [arg] extend write operations (insert instead of replace)
|
||||||
|
| wf -|file write contents of file at current offset
|
||||||
|
| wh r2 whereis/which shell command
|
||||||
|
| wm f0ff set binary mask hexpair to be used as cyclic write mask
|
||||||
|
| wo[?] hex write in block with operation. 'wo?' fmi
|
||||||
|
| wp[?] -|file apply radare patch file. See wp? fmi
|
||||||
|
| wr 10 write 10 random bytes
|
||||||
|
| ws pstring write 1 byte for length and then the string
|
||||||
|
| wt[f][?] file [sz] write to file (from current seek, blocksize or sz bytes)
|
||||||
|
| wts host:port [sz] send data to remote host:port via tcp://
|
||||||
|
| ww foobar write wide string 'f\x00o\x00o\x00b\x00a\x00r\x00'
|
||||||
|
| wx[?][fs] 9090 write two intel nops (from wxfile or wxseek)
|
||||||
|
| wv[?] eip+34 write 32-64 bit value
|
||||||
|
| wz string write zero terminated string (like w + \x00)
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 视图模式
|
||||||
|
输入 `V` 即可进入视图模式,按下 `p/P` 可在不同模式之间进行切换,按下 `?` 即可查看帮助,想退出时按下 `q`。
|
||||||
|
```text
|
||||||
|
Visual mode help:
|
||||||
|
? show this help
|
||||||
|
?? show the user-friendly hud
|
||||||
|
$ toggle asm.pseudo
|
||||||
|
% in cursor mode finds matching pair, otherwise toggle autoblocksz
|
||||||
|
@ redraw screen every 1s (multi-user view), in cursor set position
|
||||||
|
! enter into the visual panels mode
|
||||||
|
_ enter the flag/comment/functions/.. hud (same as VF_)
|
||||||
|
= set cmd.vprompt (top row)
|
||||||
|
| set cmd.cprompt (right column)
|
||||||
|
. seek to program counter
|
||||||
|
" toggle the column mode (uses pC..)
|
||||||
|
/ in cursor mode search in current block
|
||||||
|
:cmd run radare command
|
||||||
|
;[-]cmt add/remove comment
|
||||||
|
0 seek to beginning of current function
|
||||||
|
[1-9] follow jmp/call identified by shortcut (like ;[1])
|
||||||
|
,file add a link to the text file
|
||||||
|
/*+-[] change block size, [] = resize hex.cols
|
||||||
|
</> seek aligned to block size (seek cursor in cursor mode)
|
||||||
|
a/A (a)ssemble code, visual (A)ssembler
|
||||||
|
b toggle breakpoint
|
||||||
|
B enumerate and inspect classes
|
||||||
|
c/C toggle (c)ursor and (C)olors
|
||||||
|
d[f?] define function, data, code, ..
|
||||||
|
D enter visual diff mode (set diff.from/to)
|
||||||
|
e edit eval configuration variables
|
||||||
|
f/F set/unset or browse flags. f- to unset, F to browse, ..
|
||||||
|
gG go seek to begin and end of file (0-$s)
|
||||||
|
hjkl move around (or HJKL) (left-down-up-right)
|
||||||
|
i insert hex or string (in hexdump) use tab to toggle
|
||||||
|
mK/'K mark/go to Key (any key)
|
||||||
|
M walk the mounted filesystems
|
||||||
|
n/N seek next/prev function/flag/hit (scr.nkey)
|
||||||
|
o go/seek to given offset
|
||||||
|
O toggle asm.esil
|
||||||
|
p/P rotate print modes (hex, disasm, debug, words, buf)
|
||||||
|
q back to radare shell
|
||||||
|
r refresh screen / in cursor mode browse comments
|
||||||
|
R randomize color palette (ecr)
|
||||||
|
sS step / step over
|
||||||
|
t browse types
|
||||||
|
T enter textlog chat console (TT)
|
||||||
|
uU undo/redo seek
|
||||||
|
v visual function/vars code analysis menu
|
||||||
|
V (V)iew graph using cmd.graph (agv?)
|
||||||
|
wW seek cursor to next/prev word
|
||||||
|
xX show xrefs/refs of current function from/to data/code
|
||||||
|
yY copy and paste selection
|
||||||
|
z fold/unfold comments in disassembly
|
||||||
|
Z toggle zoom mode
|
||||||
|
Enter follow address of jump/call
|
||||||
|
Function Keys: (See 'e key.'), defaults to:
|
||||||
|
F2 toggle breakpoint
|
||||||
|
F4 run to cursor
|
||||||
|
F7 single step
|
||||||
|
F8 step over
|
||||||
|
F9 continue
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Web 界面使用
|
||||||
|
Radare2 的 GUI 尚在开发中,但有一个 Web 界面可以使用,如果刚开始你不习惯命令行操作,可以输入下面的命令:
|
||||||
|
```
|
||||||
|
$ r2 -c=H [filename]
|
||||||
|
```
|
||||||
|
默认地址为 `http://localhost:9090/`,这样你就可以在 Web 中进行操作了,但是我强烈建议你强迫自己使用命令行的操作方式。
|
||||||
|
|
||||||
|
|
||||||
## 在 CTF 中的运用
|
## 在 CTF 中的运用
|
||||||
|
#### IOLI crackme
|
||||||
|
[Write-up](https://github.com/firmianay/Life-long-Learner/blob/master/binary-security/IOLI-crackme-Writeup.md)
|
||||||
|
|
||||||
|
|
||||||
## 更多资源
|
## 更多资源
|
||||||
- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
|
- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
|
||||||
|