BruceFan's Blog

Stay hungry, stay foolish

0%

Radare2使用说明

发表于 Edited on

radare2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ radare2 -h # 查看帮助
$ r2 -d file # 调试一个文件
> d? #显示调试命令
|Usage: d # Debug commands
| db[?]                   Breakpoints commands
| dc[?]                   Continue execution
| dm[?]                   Show memory maps
| dr[?]                   Cpu registers
...
> v # 进入visual mode,q退出;
    # c可以显示一个游标;
    # 按shift加hjkl可以选中;
    # visual mode中可以用i来overwrite字节;
    # p/P切换其他visual mode view;
    # s - step into,S - step over当前指令;
    # b下断点;
    # : 可以在visual mode中输入常规的radare命令

Seeking

1
2
3
4
5
6
7
8
9
> s?
> s 0x0804848c # 查找这个地址,可以当跳转用
> s-           # 撤销查找
> s+           # 重做查找
> s*           # 列出撤销查找的历史
> s/ DATA      # 查找下一处'DATA'
> s/x 85ff     # 查找下一处\x85\xff
> sf           # 查找下一个函数
> sr eip       # 查找寄存器

Block Size

1
2
3
4
> b?
> b # 显示当前block大小
> b+3 # 当前block大小加3
> b 0x100 # 把block大小设置为0x100

Sections

1
2
3
4
> S?
> S # 列出sections
> S. # 展示当前section名
...

Flags
类似于书签

1
2
3
4
5
> f flag_name @ offset # create a flag type
> f- flag_name # 删除一个flag
> fs # 切换flagspace或创建新的flagspace
> fs symbols # 只选中symbols里的flag
> f # 列出flagspace里的flag

rabin2

File type identification

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ rabin2 -I test
havecode true
pic      false
canary   false
nx       true
crypto   false
va       true
intrp    /lib64/ld-linux-x86-64.so.2
bintype  elf
class    ELF64
lang     c
arch     x86
bits     64
...

Code Entrypoints

1
2
3
4
5
$ rabin2 -e test
[Entrypoints]
vaddr=0x004004b0 paddr=0x000004b0 baddr=0x00400000 laddr=0x00000000 type=program

1 entrypoints

Imports&PLT

1
2
3
4
5
6
7
8
$ rabin2 -i test | head
[Imports]
ordinal=001 plt=0x00400470 bind=GLOBAL type=FUNC name=printf
ordinal=002 plt=0x00400480 bind=GLOBAL type=FUNC name=__libc_start_main
ordinal=003 plt=0x00400490 bind=UNKNOWN type=NOTYPE name=__gmon_start__
ordinal=004 plt=0x004004a0 bind=GLOBAL type=FUNC name=__isoc99_scanf

4 imports

Symbols(Exports)

1
2
3
4
5
6
7
rabin2 -s test | head
[Symbols]
vaddr=0x00600e20 paddr=0x00000e20 ord=028 fwd=NONE sz=0 bind=LOCAL type=OBJECT name=__JCR_LIST__
vaddr=0x004004e0 paddr=0x000004e0 ord=029 fwd=NONE sz=0 bind=LOCAL type=FUNC name=deregister_tm_clones
vaddr=0x00400510 paddr=0x00000510 ord=030 fwd=NONE sz=0 bind=LOCAL type=FUNC name=register_tm_clones
vaddr=0x00400550 paddr=0x00000550 ord=031 fwd=NONE sz=0 bind=LOCAL type=FUNC name=__do_global_dtors_aux
...

List Libraries

1
2
3
4
5
rabin2 -l test
[Linked libraries]
libc.so.6

1 library

Strings

1
rabin2 -z test | head

Program Sections

1
2
3
4
5
6
7
8
9
10
11
12
13
$ rabin2 -S test
rabin2 -S test
[Sections]
idx=00 vaddr=0x00000000 paddr=0x00000000 sz=0 vsz=0 perm=----- name=
idx=01 vaddr=0x00400238 paddr=0x00000238 sz=28 vsz=28 perm=--r-- name=.interp
idx=02 vaddr=0x00400254 paddr=0x00000254 sz=32 vsz=32 perm=--r-- name=.note.ABI_tag
idx=03 vaddr=0x00400274 paddr=0x00000274 sz=36 vsz=36 perm=--r-- name=.note.gnu.build_id
idx=04 vaddr=0x00400298 paddr=0x00000298 sz=28 vsz=28 perm=--r-- name=.gnu.hash
idx=05 vaddr=0x004002b8 paddr=0x000002b8 sz=120 vsz=120 perm=--r-- name=.dynsym
idx=06 vaddr=0x00400330 paddr=0x00000330 sz=88 vsz=88 perm=--r-- name=.dynstr
...

40 sections

rasm2

1
2
3
4
5
6
$ rasm2 -a java 'nop'
00
$ rasm2 -a x86 -d '90'
nop
$ rasm2 -a x86 -b 64 'syscall'
0f05

rahash2

1
2
$ rahash2 file -a md5
file: 0x00000000-0x00000072 md5: b42ebe5fad4e8f020c8153a5b748ad2b

radiff2

无参数运行radiff2显示修改的字节及对应的偏移

1
2
3
4
$ radiff2 test test-c
radiff2 test test-c
Buffer truncated to 8610 bytes (1 not compared)
0x00000200 52 => 02 0x00000200

radiff2可以比较两个文件的相似度和距离

1
2
3
4
$ radiff2 -s test test-c
Processing 8610 of 8609
similarity: 1.000
distance: 2

rafind2

ragg2

rarun2

useful for:

  • Crackmes
  • Fuzzing
  • Test suites

rax2

1
2
3
4
5
6
7
8
9
10
$ rax2 1337
0x539
$ rax2 -b 01111001
y
$ rax2 -S AB
4142
$ rax2 -s 4142
AB
$ rax2 -e 33 # swap endianness
0x21000000

先写这些吧,后面看心情补充。。。