1. Главная
  2. Книги
  3. authors Collective of
  4. The Official Radare2 Book
  5. Страница 63
Выбрать главу

Under this bunny-arabic-like name, radare hides a powerful tool to handle binary files, to get information on imports, sections, headers and other data. Rabin2 can present it in several formats accepted by other tools, including radare2 itself. Rabin2 understands many file formats: Java CLASS, ELF, PE, Mach-O or any format supported by plugins, and it is able to obtain symbol import/exports, library dependencies, strings of data sections, xrefs, entrypoint address, sections, architecture type.

$ rabin2 -h

Usage: rabin2 [-AcdeEghHiIjlLMqrRsSvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]

[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]

[-o str] [-O str] [-k query] [-D lang symname] | file

-@ [addr] show section, symbol or import at addr

-A list sub-binaries and their arch-bits pairs

-a [arch] set arch (x86, arm, .. or <arch>_<bits>)

-b [bits] set bits (32, 64 ...)

-B [addr] override base address (pie bins)

-c list classes

-C [fmt:C:D] create [elf,mach0,pe] with Code and Data hexpairs (see -a)

-d show debug/dwarf information

-D lang name demangle symbol name (-D all for bin.demangle=true)

-e entrypoint

-E globally exportable symbols

-f [str] select sub-bin named str

-F [binfmt] force to use that bin plugin (ignore header check)

-g same as -SMZIHVResizcld (show all info)

-G [addr] load address . offset to header

-h this help message

-H header fields

-i imports (symbols imported from libraries)

-I binary info

-j output in json

-k [sdb-query] run sdb query. for example: '*'

-K [algo] calculate checksums (md5, sha1, ..)

-l linked libraries

-L [plugin] list supported bin plugins or plugin details

-m [addr] show source line at addr

-M main (show address of main symbol)

-n [str] show section, symbol or import named str

-N [min:max] force min:max number of chars per string (see -z and -zz)

-o [str] output file/folder for write operations (out by default)

-O [str] write/extract operations (-O help)

-p show physical addresses

-P show debug/pdb information

-PP download pdb file for binary

-q be quiet, just show fewer data

-qq show less info (no offset/size for -z for ex.)

-Q show load address used by dlopen (non-aslr libs)

-r radare output

-R relocations

-s symbols

-S sections

-u unfiltered (no rename duplicated symbols/sections)

-v display version and quit

-V Show binary version information

-x extract bins contained in file

-X [fmt] [f] .. package in fat or zip the given files and bins contained in file

-z strings (from data section)

-zz strings (from raw bins [e bin.rawstr=1])

-zzz dump raw strings to stdout (for huge files)

-Z guess size of binary program

......

File Properties Identification

File type identification is done using -I. With this option, rabin2 prints information on a binary type, like its encoding, endianness, class, operating system:

$ rabin2 -I /bin/ls

arch x86

binsz 128456

bintype elf

bits 64

canary true

class ELF64

crypto false

endian little

havecode true

intrp /lib64/ld-linux-x86-64.so.2

lang c

linenum false

lsyms false

machine AMD x86-64 architecture

maxopsz 16

minopsz 1

nx true

os linux

pcalign 0

pic true

relocs false

relro partial

rpath NONE

static false

stripped true

subsys linux

va true

To make rabin2 output information in format that the main program, radare2, can understand, pass -Ir option to it:

$ rabin2 -Ir /bin/ls

e cfg.bigendian=false

e asm.bits=64

e asm.dwarf=true

e bin.lang=c

e file.type=elf

e asm.os=linux

e asm.arch=x86

e asm.pcalign=0

Code Entrypoints

The -e option passed to rabin2 will show entrypoints for given binary. Two examples:

$ rabin2 -e /bin/ls

[Entrypoints]

vaddr=0x00005310 paddr=0x00005310 baddr=0x00000000 laddr=0x00000000 haddr=0x00000018 type=program

1 entrypoints

$ rabin2 -er /bin/ls

fs symbols

f entry0 1 @ 0x00005310

f entry0_haddr 1 @ 0x00000018

s entry0

Imports

Rabin2 is able to find imported objects by an executable, as well as their offsets in its PLT. This information is useful, for example, to understand what external function is invoked by call instruction. Pass -i flag to rabin2 to get a list of imports. An example:

$ rabin2 -i /bin/ls

[Imports]

nth vaddr bind type lib name

―――――――――――――――――――――――――――――――――――――

1 0x000032e0 GLOBAL FUNC __ctype_toupper_loc

2 0x000032f0 GLOBAL FUNC getenv

3 0x00003300 GLOBAL FUNC sigprocmask

4 0x00003310 GLOBAL FUNC __snprintf_chk

5 0x00003320 GLOBAL FUNC raise

6 0x00000000 GLOBAL FUNC free

7 0x00003330 GLOBAL FUNC abort

8 0x00003340 GLOBAL FUNC __errno_location

9 0x00003350 GLOBAL FUNC strncmp

10 0x00000000 WEAK NOTYPE _ITM_deregisterTMCloneTable

11 0x00003360 GLOBAL FUNC localtime_r

12 0x00003370 GLOBAL FUNC _exit

13 0x00003380 GLOBAL FUNC strcpy

14 0x00003390 GLOBAL FUNC __fpending

15 0x000033a0 GLOBAL FUNC isatty

16 0x000033b0 GLOBAL FUNC sigaction

17 0x000033c0 GLOBAL FUNC iswcntrl

18 0x000033d0 GLOBAL FUNC wcswidth

19 0x000033e0 GLOBAL FUNC localeconv

20 0x000033f0 GLOBAL FUNC mbstowcs

21 0x00003400 GLOBAL FUNC readlink

...

Exports

Rabin2 is able to find exports. For example:

$ rabin2 -E /usr/lib/libr_bin.so | head

[Exports]

nth paddr vaddr bind type size lib name

―――――――――――――――――――――――――――――――――――――――――――――――――――――

210 0x000ae1f0 0x000ae1f0 GLOBAL FUNC 200 r_bin_java_print_exceptions_attr_summary

211 0x000afc90 0x000afc90 GLOBAL FUNC 135 r_bin_java_get_args

212 0x000b18e0 0x000b18e0 GLOBAL FUNC 35 r_bin_java_get_item_desc_from_bin_cp_list

213 0x00022d90 0x00022d90 GLOBAL FUNC 204 r_bin_class_add_method

214 0x000ae600 0x000ae600 GLOBAL FUNC 175 r_bin_java_print_fieldref_cp_summary

215 0x000ad880 0x000ad880 GLOBAL FUNC 144 r_bin_java_print_constant_value_attr_summary

216 0x000b7330 0x000b7330 GLOBAL FUNC 679 r_bin_java_print_element_value_summary

217 0x000af170 0x000af170 GLOBAL FUNC 65 r_bin_java_create_method_fq_str

~ 63 ~