Radare2:using test
└─$ sudo apt install radare2 100 ⨯
[sudo] kwkl 的密码:
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
下列软件包是自动安装的并且现在不需要了:
blt buildah conmon fonts-lyx fuse-overlayfs gir1.2-ayatanaappindicator3-0.1 golang-github-containernetworking-plugin-dnsname golang-github-containers-common
golang-github-containers-image isympy-common isympy3 libb2-1 libduktape207 libegl-dev libgl-dev libgl1-mesa-dev libgles-dev libgles1 libgles2 libglu1-mesa-dev libglut-dev
libglut3.12 libglvnd-core-dev libglvnd-dev libglx-dev libjs-jquery-ui libjs-uglify libopengl-dev libostree-1-1 libperl5.34 libprotobuf32 libpython3.11-dev libpython3.9
libpython3.9-dev libpython3.9-minimal libpython3.9-stdlib libqt6core6 libqt6dbus6 libqt6network6 libqt6sql6 libqt6sql6-sqlite libqt6test6 libqt6xml6 libslirp0 libsubid4
libts0 libxext-dev perl-modules-5.34 podman python-matplotlib-data python3-appdirs python3-cycler python3-fs python3-mpmath python3-opengl python3-sympy python3.11
python3.11-dev python3.11-minimal python3.9 python3.9-dev python3.9-minimal qt6-base-dev-tools qt6-translations-l10n qtchooser ruby-uglifier ruby2.7 slirp4netns tk8.6-blt2.5
uidmap unicode-data
使用'sudo apt autoremove'来卸载它(它们)。
将会同时安装下列软件:
file libcapstone-dev liblz4-1 liblz4-dev libmagic-dev libmagic-mgc libmagic1 libradare2-5.0.0 libradare2-common libradare2-dev libzip-dev libzip4
下列【新】软件包将被安装:
libcapstone-dev liblz4-dev libmagic-dev libradare2-5.0.0 libradare2-common libradare2-dev libzip-dev libzip4 radare2
下列软件包将被升级:
file liblz4-1 libmagic-mgc libmagic1
升级了 4 个软件包,新安装了 9 个软件包,要卸载 0 个软件包,有 1856 个软件包未被升级。
需要下载 6,394 kB 的归档。
解压缩后会消耗 41.5 MB 的额外空间。
您希望继续执行吗? [Y/n] y
└─$ radare2 -h 1 ⨯
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
[-s addr] [-B baddr] [-m maddr] [-c cmd] [-e k=v] file|pid|-|--|=
-- run radare2 without opening any file
- same as 'r2 malloc://512'
= read file from stdin (use -i and -c to run cmds)
-= perform !=! command to run all commands remotely
-0 print \x00 after init and every command
-2 close stderr file descriptor (silent warning messages)
-a [arch] set asm.arch
-A run 'aaa' command to analyze all referenced code
-b [bits] set asm.bits
-B [baddr] set base address for PIE binaries
-c 'cmd..' execute radare command
-C file is host:port (alias for -c+=http://%s/cmd/)
-d debug the executable 'file' or running process 'pid'
-D [backend] enable debug mode (e cfg.debug=true)
-e k=v evaluate config var
-f block size = file size
-F [binplug] force to use that rbin plugin
-h, -hh show help message, -hh for long
-H ([var]) display variable
-i [file] run script file
-I [file] run script file before the file is opened
-j use json for -v, -L and maybe others
-k [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
-l [lib] load plugin file
-L list supported IO plugins
-m [addr] map file at given address (loadaddr)
-M do not demangle symbol names
-n, -nn do not load RBin info (-nn only load bin structures)
-N do not load user settings and scripts
-NN do not load any script or plugin
-q quiet mode (no prompt) and quit after -i
-qq quit after running all -c and -i
-Q quiet mode (no prompt) and quit faster (quickLeak=true)
-p [prj] use project, list if no arg, load if no file
-P [file] apply rapatch file and quit
-r [rarun2] specify rarun2 profile to load (same as -e dbg.profile=X)
-R [rr2rule] specify custom rarun2 directive
-s [addr] initial seek
-S start r2 in sandbox mode
-T do not compute file hashes
-u set bin.filter=false to get raw sym/sec/cls names
-v, -V show radare2 version (-V show lib versions)
-w open file in write mode
-x open without exec-flag (asm.emu will not work), See io.exec
-X same as -e bin.usextr=false (useful for dyldcache)
-z, -zz do not load strings or load them even in raw
analyzing
└─$ rabin2 -I megabeets_0x1 1 ⨯
arch x86
baddr 0x8048000
binsz 6220
bintype elf
bits 32
canary false
class ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto false
endian little
havecode true
intrp /lib/ld-linux.so.2
laddr 0x0
lang c
linenum true
lsyms true
machine Intel 80386
nx false
os linux
pic false
relocs true
relro partial
rpath NONE
sanitize false
static false
stripped false
subsys linux
va true
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rabin2 megabeets_0x1
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSUvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
[-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
[-o str] [-O str] [-k query] [-D lang symname] file
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rabin2 -I megabeets_0x1 1 ⨯
arch x86
baddr 0x8048000
binsz 6220
bintype elf
bits 32
canary false
class ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto false
endian little
havecode true
intrp /lib/ld-linux.so.2
laddr 0x0
lang c
linenum true
lsyms true
machine Intel 80386
nx false
os linux
pic false
relocs true
relro partial
rpath NONE
sanitize false
static false
stripped false
subsys linux
va true
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ r2 ./megabeets_0x1
[0x08048370]> ie
[Entrypoints]
vaddr=0x08048370 paddr=0x00000370 haddr=0x00000018 hvaddr=0x08048018 type=program
1 entrypoints
[0x08048370]> aaaaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x08048370]> fs
0 * classes
5 * format
0 * functions
5 * imports
11 * registers
5 * relocs
31 * sections
10 * segments
4 * strings
37 * symbols
27 * symbols.sections
[0x08048370]> fs imports;f
0x00000360 16 loc.imp.__gmon_start__
0x08048320 6 sym.imp.strcmp
0x08048330 6 sym.imp.strcpy
0x08048340 6 sym.imp.puts
0x08048350 6 sym.imp.__libc_start_main
[0x08048370]> iz
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000700 0x08048700 20 21 .rodata ascii \n .:: Megabeets ::.
1 0x00000715 0x08048715 22 23 .rodata ascii Think you can make it?
2 0x0000072c 0x0804872c 9 10 .rodata ascii Success!\n
3 0x00000736 0x08048736 21 22 .rodata ascii Nop, Wrong argument.\n
[0x08048370]> axt @@ str.*
[0x08048370]> ax?
Usage: ax[?d-l*] # see also 'afx?'
| ax list refs
| ax* output radare commands
| ax addr [at] add code ref pointing to addr (from curseek)
| ax- [at] clean all refs/refs from addr
| ax-* clean all refs/refs
| axc addr [at] add generic code ref
| axC addr [at] add code call ref
| axg [addr] show xrefs graph to reach current function
| axg* [addr] show xrefs graph to given address, use .axg*;aggv
| axgj [addr] show xrefs graph to reach current function in json format
| axd addr [at] add data ref
| axq list refs in quiet/human-readable format
| axj list refs in json format
| axF [flg-glob] find data/code references of flags
| axm addr [at] copy data/code references pointing to addr to also point to curseek (or at)
| axt[?] [addr] find data/code references to this address
| axf[?] [addr] find data/code references from this address
| axv[?] [addr] list local variables read-write-exec references
| ax. [addr] find data/code references from and to this address
| axff[j] [addr] find data/code references from this function
| axs addr [at] add string ref
[0x08048370]> axt @@ *
sym.beet 0x80485e3 [CALL] call sym.imp.strcmp
sym.beet 0x804859b [CALL] call sym.imp.strcpy
main 0x804860e [CALL] call sym.imp.puts
main 0x804861e [CALL] call sym.imp.puts
main 0x804864b [CALL] call sym.imp.puts
main 0x804865d [CALL] call sym.imp.puts
entry0 0x804838c [CALL] call sym.imp.__libc_start_main
[0x08048370]> axt @@ ?
sym.beet 0x80485e3 [CALL] call sym.imp.strcmp
sym.beet 0x804859b [CALL] call sym.imp.strcpy
main 0x804860e [CALL] call sym.imp.puts
main 0x804861e [CALL] call sym.imp.puts
main 0x804864b [CALL] call sym.imp.puts
main 0x804865d [CALL] call sym.imp.puts
entry0 0x804838c [CALL] call sym.imp.__libc_start_main
[0x08048370]> axt @@ str>8
[0x08048370]> axt @@ str.*
[0x08048370]> axt @@ str.*
[0x08048370]> @@?
| @@ # foreach iterator command:
| x @@ sym.* run 'x' over all flags matching 'sym.' in current flagspace
| x @@.file run 'x' over the offsets specified in the file (one offset per line)
| x @@/x 9090 temporary set cmd.hit to run a command on each search result
| x @@=`pdf~call[0]` run 'x' at every call offset of the current function
| x @@=off1 off2 .. manual list of offsets
| x @@b run 'x' on all basic blocks of current function (see afb)
| x @@c:cmd the same as @@=`` without the backticks
| x @@dbt[abs] run 'x' command on every backtrace address, bp or sp
| x @@f run 'x' on all functions (see aflq)
| x @@f:write run 'x' on all functions matching write in the name
| x @@i run 'x' on all instructions of the current function (see pdr)
| x @@iS run 'x' on all sections adjusting blocksize
| x @@k sdbquery run 'x' on all offsets returned by that sdbquery
| x @@s:from to step run 'x' on all offsets from, to incrementing by step
| x @@t run 'x' on all threads (see dp)
[0x08048370]> iz
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000700 0x08048700 20 21 .rodata ascii \n .:: Megabeets ::.
1 0x00000715 0x08048715 22 23 .rodata ascii Think you can make it?
2 0x0000072c 0x0804872c 9 10 .rodata ascii Success!\n
3 0x00000736 0x08048736 21 22 .rodata ascii Nop, Wrong argument.\n
[0x08048370]> axt @@ str.*
[0x08048370]> afl
0x08048370 1 34 entry0
0x08048350 1 6 sym.imp.__libc_start_main
0x080483b0 4 43 sym.deregister_tm_clones
0x080483e0 4 53 sym.register_tm_clones
0x08048420 3 30 sym.__do_global_dtors_aux
0x08048440 4 43 -> 40 entry.init0
0x080486e0 1 2 sym.__libc_csu_fini
0x080483a0 1 4 sym.__x86.get_pc_thunk.bx
0x0804846b 19 282 sym.rot13
0x080486e4 1 20 sym._fini
0x08048585 1 112 sym.beet
0x08048330 1 6 sym.imp.strcpy
0x08048320 1 6 sym.imp.strcmp
0x08048680 4 93 sym.__libc_csu_init
0x080485f5 5 127 main
0x080482ec 3 35 sym._init
0x08048360 1 6 sym..plt.got
0x08048340 1 6 sym.imp.puts
[0x08048370]> s main
[0x080485f5]> pdf
; DATA XREF from entry0 @ 0x8048387
┌ 127: int main (char **argv);
│ ; var int32_t var_8h @ ebp-0x8
│ ; arg char **argv @ esp+0x24
│ 0x080485f5 8d4c2404 lea ecx, [argv]
│ 0x080485f9 83e4f0 and esp, 0xfffffff0
│ 0x080485fc ff71fc push dword [ecx - 4]
│ 0x080485ff 55 push ebp
│ 0x08048600 89e5 mov ebp, esp
│ 0x08048602 53 push ebx
│ 0x08048603 51 push ecx
│ 0x08048604 89cb mov ebx, ecx
│ 0x08048606 83ec0c sub esp, 0xc
│ 0x08048609 6800870408 push str._n__.::_Megabeets_::. ; 0x8048700 ; "\n .:: Megabeets ::." ; const char *s
│ 0x0804860e e82dfdffff call sym.imp.puts ; int puts(const char *s)
│ 0x08048613 83c410 add esp, 0x10
│ 0x08048616 83ec0c sub esp, 0xc
│ 0x08048619 6815870408 push str.Think_you_can_make_it_ ; 0x8048715 ; "Think you can make it?" ; const char *s
│ 0x0804861e e81dfdffff call sym.imp.puts ; int puts(const char *s)
│ 0x08048623 83c410 add esp, 0x10
│ 0x08048626 833b01 cmp dword [ebx], 1
│ ┌─< 0x08048629 7e2a jle 0x8048655
│ │ 0x0804862b 8b4304 mov eax, dword [ebx + 4]
│ │ 0x0804862e 83c004 add eax, 4
│ │ 0x08048631 8b00 mov eax, dword [eax]
│ │ 0x08048633 83ec0c sub esp, 0xc
│ │ 0x08048636 50 push eax ; int32_t arg_8h
│ │ 0x08048637 e849ffffff call sym.beet
│ │ 0x0804863c 83c410 add esp, 0x10
│ │ 0x0804863f 85c0 test eax, eax
│ ┌──< 0x08048641 7412 je 0x8048655
│ ││ 0x08048643 83ec0c sub esp, 0xc
│ ││ 0x08048646 682c870408 push str.Success__n ; 0x804872c ; "Success!\n" ; const char *s
│ ││ 0x0804864b e8f0fcffff call sym.imp.puts ; int puts(const char *s)
│ ││ 0x08048650 83c410 add esp, 0x10
│ ┌───< 0x08048653 eb10 jmp 0x8048665
│ │││ ; CODE XREFS from main @ 0x8048629, 0x8048641
│ │└└─> 0x08048655 83ec0c sub esp, 0xc
│ │ 0x08048658 6836870408 push str.Nop__Wrong_argument._n ; 0x8048736 ; "Nop, Wrong argument.\n" ; const char *s
│ │ 0x0804865d e8defcffff call sym.imp.puts ; int puts(const char *s)
│ │ 0x08048662 83c410 add esp, 0x10
│ │ ; CODE XREF from main @ 0x8048653
│ └───> 0x08048665 b800000000 mov eax, 0
│ 0x0804866a 8d65f8 lea esp, [var_8h]
│ 0x0804866d 59 pop ecx
│ 0x0804866e 5b pop ebx
│ 0x0804866f 5d pop ebp
│ 0x08048670 8d61fc lea esp, [ecx - 4]
└ 0x08048673 c3 ret
[0x080485f5]>
[0x080485f5]> pdf sym.beet
; DATA XREF from entry0 @ 0x8048387
┌ 127: int main (char **argv);
│ ; var int32_t var_8h @ ebp-0x8
│ ; arg char **argv @ esp+0x24
│ 0x080485f5 8d4c2404 lea ecx, [argv]
│ 0x080485f9 83e4f0 and esp, 0xfffffff0
│ 0x080485fc ff71fc push dword [ecx - 4]
│ 0x080485ff 55 push ebp
│ 0x08048600 89e5 mov ebp, esp
│ 0x08048602 53 push ebx
│ 0x08048603 51 push ecx
│ 0x08048604 89cb mov ebx, ecx
│ 0x08048606 83ec0c sub esp, 0xc
│ 0x08048609 6800870408 push str._n__.::_Megabeets_::. ; 0x8048700 ; "\n .:: Megabeets ::." ; const char *s
│ 0x0804860e e82dfdffff call sym.imp.puts ; int puts(const char *s)
│ 0x08048613 83c410 add esp, 0x10
│ 0x08048616 83ec0c sub esp, 0xc
│ 0x08048619 6815870408 push str.Think_you_can_make_it_ ; 0x8048715 ; "Think you can make it?" ; const char *s
│ 0x0804861e e81dfdffff call sym.imp.puts ; int puts(const char *s)
│ 0x08048623 83c410 add esp, 0x10
│ 0x08048626 833b01 cmp dword [ebx], 1
│ ┌─< 0x08048629 7e2a jle 0x8048655
│ │ 0x0804862b 8b4304 mov eax, dword [ebx + 4]
│ │ 0x0804862e 83c004 add eax, 4
│ │ 0x08048631 8b00 mov eax, dword [eax]
│ │ 0x08048633 83ec0c sub esp, 0xc
│ │ 0x08048636 50 push eax ; int32_t arg_8h
│ │ 0x08048637 e849ffffff call sym.beet
│ │ 0x0804863c 83c410 add esp, 0x10
│ │ 0x0804863f 85c0 test eax, eax
│ ┌──< 0x08048641 7412 je 0x8048655
│ ││ 0x08048643 83ec0c sub esp, 0xc
│ ││ 0x08048646 682c870408 push str.Success__n ; 0x804872c ; "Success!\n" ; const char *s
│ ││ 0x0804864b e8f0fcffff call sym.imp.puts ; int puts(const char *s)
│ ││ 0x08048650 83c410 add esp, 0x10
│ ┌───< 0x08048653 eb10 jmp 0x8048665
│ │││ ; CODE XREFS from main @ 0x8048629, 0x8048641
│ │└└─> 0x08048655 83ec0c sub esp, 0xc
│ │ 0x08048658 6836870408 push str.Nop__Wrong_argument._n ; 0x8048736 ; "Nop, Wrong argument.\n" ; const char *s
│ │ 0x0804865d e8defcffff call sym.imp.puts ; int puts(const char *s)
│ │ 0x08048662 83c410 add esp, 0x10
│ │ ; CODE XREF from main @ 0x8048653
│ └───> 0x08048665 b800000000 mov eax, 0
│ 0x0804866a 8d65f8 lea esp, [var_8h]
│ 0x0804866d 59 pop ecx
│ 0x0804866e 5b pop ebx
│ 0x0804866f 5d pop ebp
│ 0x08048670 8d61fc lea esp, [ecx - 4]
└ 0x08048673 c3 ret
[0x080485f5]> pdf @sym.beet
; CALL XREF from main @ 0x8048637
┌ 112: sym.beet (char *src);
│ ; var char *s2 @ ebp-0x92
│ ; var int32_t var_8eh @ ebp-0x8e
│ ; var int32_t var_8ah @ ebp-0x8a
│ ; var char *dest @ ebp-0x88
│ ; arg char *src @ ebp+0x8
│ 0x08048585 55 push ebp
│ 0x08048586 89e5 mov ebp, esp
│ 0x08048588 81ec98000000 sub esp, 0x98
│ 0x0804858e 83ec08 sub esp, 8
│ 0x08048591 ff7508 push dword [src] ; const char *src
│ 0x08048594 8d8578ffffff lea eax, [dest]
│ 0x0804859a 50 push eax ; char *dest
│ 0x0804859b e890fdffff call sym.imp.strcpy ; char *strcpy(char *dest, const char *src)
│ 0x080485a0 83c410 add esp, 0x10
│ 0x080485a3 c7856effffff. mov dword [s2], 0x6167654d ; 'Mega'
│ 0x080485ad c78572ffffff. mov dword [var_8eh], 0x74656562 ; 'beet'
│ 0x080485b7 66c78576ffff. mov word [var_8ah], 0x73 ; 's' ; 115
│ 0x080485c0 83ec0c sub esp, 0xc
│ 0x080485c3 8d856effffff lea eax, [s2]
│ 0x080485c9 50 push eax ; int32_t arg_8h
│ 0x080485ca e89cfeffff call sym.rot13
│ 0x080485cf 83c410 add esp, 0x10
│ 0x080485d2 83ec08 sub esp, 8
│ 0x080485d5 8d856effffff lea eax, [s2]
│ 0x080485db 50 push eax ; const char *s2
│ 0x080485dc 8d8578ffffff lea eax, [dest]
│ 0x080485e2 50 push eax ; const char *s1
│ 0x080485e3 e838fdffff call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
│ 0x080485e8 83c410 add esp, 0x10
│ 0x080485eb 85c0 test eax, eax
│ 0x080485ed 0f94c0 sete al
│ 0x080485f0 0fb6c0 movzx eax, al
│ 0x080485f3 c9 leave
└ 0x080485f4 c3 ret
[0x080485f5]> ahi ?
[0x080485f5]> ahi?
Usage: ahi [2|8|10|10u|16|bodhipSs] [@ offset] Define numeric base
| ahi <base> set numeric base (2, 8, 10, 16)
| ahi 10|d set base to signed decimal (10), sign bit should depend on receiver size
| ahi 10u|du set base to unsigned decimal (11)
| ahi b set base to binary (2)
| ahi o set base to octal (8)
| ahi h set base to hexadecimal (16)
| ahi i set base to IP address (32)
| ahi p set base to htons(port) (3)
| ahi S set base to syscall (80)
| ahi s set base to string (1)
| ahi1 10 set base of argument 1 to base 10 (same as ahi1 d)
[0x080485f5]> ahi s 0x080485a3 0x080485ad 0x080485b7
[0x080485f5]> ahi s @@=0x080485a3 0x080485ad 0x080485b7
[0x080485f5]> pdf @sym.beet
; CALL XREF from main @ 0x8048637
┌ 112: sym.beet (char *src);
│ ; var char *s2 @ ebp-0x92
│ ; var int32_t var_8eh @ ebp-0x8e
│ ; var int32_t var_8ah @ ebp-0x8a
│ ; var char *dest @ ebp-0x88
│ ; arg char *src @ ebp+0x8
│ 0x08048585 55 push ebp
│ 0x08048586 89e5 mov ebp, esp
│ 0x08048588 81ec98000000 sub esp, 0x98
│ 0x0804858e 83ec08 sub esp, 8
│ 0x08048591 ff7508 push dword [src] ; const char *src
│ 0x08048594 8d8578ffffff lea eax, [dest]
│ 0x0804859a 50 push eax ; char *dest
│ 0x0804859b e890fdffff call sym.imp.strcpy ; char *strcpy(char *dest, const char *src)
│ 0x080485a0 83c410 add esp, 0x10
│ 0x080485a3 c7856effffff. mov dword [s2], 'ageM' ; 'Mega'
│ ; 0x6167654d
│ 0x080485ad c78572ffffff. mov dword [var_8eh], 'teeb' ; 'beet'
│ ; 0x74656562
│ 0x080485b7 66c78576ffff. mov word [var_8ah], 's' ; 's'
│ ; 0x73 ; 115
│ 0x080485c0 83ec0c sub esp, 0xc
│ 0x080485c3 8d856effffff lea eax, [s2]
│ 0x080485c9 50 push eax ; int32_t arg_8h
│ 0x080485ca e89cfeffff call sym.rot13
│ 0x080485cf 83c410 add esp, 0x10
│ 0x080485d2 83ec08 sub esp, 8
│ 0x080485d5 8d856effffff lea eax, [s2]
│ 0x080485db 50 push eax ; const char *s2
│ 0x080485dc 8d8578ffffff lea eax, [dest]
│ 0x080485e2 50 push eax ; const char *s1
│ 0x080485e3 e838fdffff call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
│ 0x080485e8 83c410 add esp, 0x10
│ 0x080485eb 85c0 test eax, eax
│ 0x080485ed 0f94c0 sete al
│ 0x080485f0 0fb6c0 movzx eax, al
│ 0x080485f3 c9 leave
└ 0x080485f4 c3 ret
[0x080485f5]>
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rahash2 -E rot -S s:13 -s "Megabeets"
Zrtnorrgf
giantbranch@ubuntu:~/Desktop/jf-binary$ /snap/bin/radare2 ./megabeets_0x1
-- Don't look at the code. Don't look.
[0x08048370]> aaaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Scanning for strings constructed in code (/azs)
INFO: Finding function preludes (aap)
INFO: Enable anal.types.constraint for experimental type propagation
[0x08048370]> ood Zrtnorrgf
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f00a20]> ood Zrtnorrgf
child received signal 9
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f17a20]> ood Zrtnorrgf
child received signal 9
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f6aa20]> dc
.:: Megabeets ::.
Think you can make it?
Success!
(112883) Process exited with status=0x0
[0xf7f68dc9]> dc
(112883) Process terminated with status 0
INFO: ==> Process finished
[0xf7f6aa20]>
reference:
Radare2: Libre Reversing Framework for Unix Geeks
See the Releases page for downloads. The current git master
branch is 5.8.9
, next will be 5.9.0
.
- Since r2-5.6.0 all the patch releases are abi stable
- Odd patch versions are used in git builds only, releases use even numbers
- No need to recompile the plugins, bindings or tools if the major and minor version are the same
Description
r2 is a complete rewrite of radare. It provides a set of libraries, tools and plugins to ease reverse engineering tasks. Distributed mostly under LGPLv3, each plugin can have different licenses (see r2 -L, rasm2 -L, …).
The radare project started as a simple command-line hexadecimal editor focused on forensics. Today, r2 is a featureful low-level command-line tool with support for scripting. r2 can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb server. r2’s wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.
Installation
- r2 can be installed from
git
or viapip
usingr2env
. - Run
sys/install.sh
for the default acr+make+symlink installation - meson/ninja (muon/samu also works) and make builds are supported.
- Windows builds require meson and msvc or mingw as compilers
- To uninstall the current build of r2 run
make uninstall
- To uninstall ALL the system installations of r2 do:
sudo make purge
git clone https://github.com/radareorg/radare2
radare2/sys/install.sh
Default Windows builds use MSVC, so run those .bat
:
preconfigure.bat REM setup python, meson, ninja
configure.bat REM run meson b + vs project
make.bat REM run ninja -C b
prefix\bin\radare2.exe
Alternatively you can use r2env to switch between different versions.
pip install -U r2env
r2env init
r2env add radare2@git
Usage
These are the first steps to use r2, read the book or find tutorials for more details
$ r2 /bin/ls # open file in read-only
> aaa # analyse the program (r2 -A)
> afl # list all functions (try aflt, aflm)
> px 32 # print 32 byte hexdump current block
> s sym.main # seek to main (using flag name)
> f~foo # filter flags matching 'foo' (internal |grep)
> iS;is # list sections and symbols (rabin2 -Ss)
> pdf; agf # disassembly and ascii-art function graph
> oo+;w hello # reopen in read-write and write a string
> ?*~... # interactive filter in all command help
> q # quit
Resources
- Official Book: Read about r2 usage
- COMMUNITY.md: Community engagement and loose guidelines
- CONTRIBUTING.md: Information about reporting issues and contributing. See also Contributing
- DEVELOPERS.md: Development guidelines for r2
- SECURITY.md: Instructions for reporting vulnerabilities
- USAGE.md: Some example commands
- INSTALL.md: Installation instructions using make or meson
Plugins
Many plugins are included in r2 by default. But you can extend its capabilities by using the r2pm package manager.
r2pm -s <word> # search package by word
r2pm -ci <pkg> # install a package
r2pm -u <pkg> # uninstall
r2pm -l <pkg> # list installed packages
Most popular packages are:
- esilsolve: The symbolic execution plugin, based on esil and z3
- r2diaphora: Diaphora’s diffing engine working on top of radare2
- iaito: The official Qt graphical interface
- radius2: A fast symbolic execution engine based on boolector and esil
- r2dec: A decompiler based on r2 written in JS, accessed with the
pdd
command - r2ghidra: The native ghidra decompiler plugin, accessed with the
pdg
command - r2frida: The frida io plugin. Start r2 with
r2 frida://0
to use it - r2poke Integration with GNU/Poke for extended binary parsing capabilities
- r2pipe Script radare2 from any programming language
- r2papi High level api on top of r2pipe
Contributing
There are many ways to contribute to the project. Contact the community, check out the github issues, or grep for TODO/FIXME/XXX comments in the source.
To contribute code, push your changes to a branch on your fork of the repository. Please ensure that you follow the coding and style guidelines and that your changes pass the testing suite, which you can run with the r2r
tool. If you are adding significant code, it may be necessary to modify or add additional tests in the test/
directory.
For more details, see CONTRIBUTING.md and DEVELOPERS.md.
Documentation
To learn more about r2 we encourage you to watch youtube talks from r2con. In addition to reading blogposts, slides or the official radare2 book, here are some methods to contact us:
Community
- irc.libera.chat:
#radare
,#radare_side
- Matrix:
#radare:matrix.org
- Telegram: Main Channel and Side Channel
- Discord server
- Mastodon: @radareorg
- Twitter: @radareorg
- Website: https://www.radare.org/
Supported Platforms
Operating Systems
Windows (since XP), Linux, Darwin, GNU/Hurd, Apple’s {Mac,i,iPad,watch}OS, Android, [Dragonfly, Net, Free, Open] BSD, Z/OS, QNX, SerenityOS, Solaris, Haiku, Vinix, FirefoxOS.
Architectures
i386, x86-64, Alpha, ARM, AVR, BPF, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, XAP, S390, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, PDP11, m680x, V850, CRIS, XAP, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, EVM, OR1K Tricore, CHIP-8, LH5801, T8200, GameBoy, SNES, SPC700, MSP430, Xtensa, xcore, NIOS II, Java, Dalvik, Pickle, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c64x), Hexagon, Brainfuck, Malbolge, whitespace, DCPU16, LANAI, lm32, MCORE, mcs96, RSP, SuperH-4, VAX, KVX, Am29000, LOONGARCH, JDH8, s390x.
File Formats
ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, XCOFF, OMF, TE, XBE, SEP64, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executables, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), PDP11, XTAC, WASM (WebAssembly binary), Commodore VICE emulator, QNX, WAD, OFF, TIC-80, GB/GBA, NDS and N3DS, and mount several filesystems like NTFS, FAT, HFS+, EXT,…
Packaging Status
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4XgN1D94-1690101110469)(https://camo.githubusercontent.com/e2820a5cad2f621fcf564ac9da2e5d975e050aad8245c27e8bb5342cb242f8b5/68747470733a2f2f736e617063726166742e696f2f726164617265322f62616467652e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uAG6kuPk-1690101110470)(https://camo.githubusercontent.com/cf6a971857eb458c8203b0b852b9a30b45b63dd1e5a45dbca6a4e814ecf27746/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f7465726d75782f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-08Hjao58-1690101110470)(https://camo.githubusercontent.com/aa422eaefdfd8fcf0a4ef21f318128070be53d9d3f5936257b4069b079ed9f52/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f616c70696e655f656467652f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-YiKxKnDT-1690101110470)(https://camo.githubusercontent.com/0276d66a7cb4772fddd4b32beeac8f3b7ca34c333e393ab7b87ee8673704bd96/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f616c70696e655f335f31332f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-U22v7Ak4-1690101110471)(https://camo.githubusercontent.com/a5e1b789274459a79e35953cce42a5cd6c85ac1e43cc17a69bc3de9c6678013f/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f616c70696e655f335f31322f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-dB6uEazM-1690101110471)(https://camo.githubusercontent.com/939fc803e2f9bd6d08217b7dad391c94b5cd6221a0321990bf563d76b8ccd23c/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f617263682f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-JAsl42lj-1690101110471)(https://camo.githubusercontent.com/0b8a77ccb9ccb73cefd3d6e5c615cc534f145679a3a1cfd7023fdfbb1e5dd828/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6175722f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-pZ3PmVJY-1690101110472)(https://camo.githubusercontent.com/9bddbd968011b1bf8f7d95698335bdc1ebaf64513c3ab9b49c9d9b586057949b/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6570656c5f372f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-oZPbdRxt-1690101110472)(https://camo.githubusercontent.com/f1c0b08012dd4908b67284520c84d7810c57aa56bd5b9e90ebe4e2345945d7a1/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6570656c5f382f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yShQprn6-1690101110472)(https://camo.githubusercontent.com/040dd4882d580b222319673f987b2c28c5bc4999598f3749580cf89b0e994012/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6570656c5f392f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-bYoNupz1-1690101110473)(https://camo.githubusercontent.com/bc2e3e75f078212349fb86bfa47208c6d99e55ce9942a8067624446efe7ffc16/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6665646f72615f726177686964652f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VIHV88Cs-1690101110473)(https://camo.githubusercontent.com/58ae964e4f9dca9c7d513a92c4b55f3f7f22041ea3e9f176cba83fc0022b08ae/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6665646f72615f33362f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-hk2XjKVn-1690101110473)(https://camo.githubusercontent.com/7634a7ddabab7eb3e3f3cf6d7ef2d3f5285b790db9f01015054460a123f09c7f/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6665646f72615f33342f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-mG4l0xdq-1690101110474)(https://camo.githubusercontent.com/14dc576e23f08002e877dd6e5742a11dffb7bf4f91407d53598d7ff4689895b4/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f667265656273642f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-CWGqbCtL-1690101110474)(https://camo.githubusercontent.com/694fe6100420a30310c903db927eb9b617d6bb2843cfc73609de6fee0144a394/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6f70656e6273642f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GC7YuTiQ-1690101110474)(https://camo.githubusercontent.com/abcbbdf898da76a487040eff50ab92511047d0c9ca08a56194e8180be1743fde/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f706b677372635f63757272656e742f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uo5BxYF6-1690101110475)(https://camo.githubusercontent.com/f9f11e1e70eff8c6821d4064e7a880c17984eeb48ac9b15bb3163608c30cacd2/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f686f6d65627265772f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-c4CTR6oe-1690101110475)(https://camo.githubusercontent.com/8ca79006557c1fa7902d563a247dbaf02e43bc59f2ad12ba40f379ddc89ea62f/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6d6163706f7274732f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Z9IB2A5W-1690101110476)(https://camo.githubusercontent.com/c06f2fd34a47fb8723220456c7228b6daa323605f809cc9ea3643f3d6891b088/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6861696b75706f7274735f6d61737465722f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-eOIb52Zs-1690101110476)(https://camo.githubusercontent.com/1342f208b24b2163fe5d7a6fbc826ddfe149d027a38ef5cd1c214e0cc1336503/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f766f69645f7838365f36342f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5sSNHhRQ-1690101110476)(https://camo.githubusercontent.com/d2091673176840f18dac0e1a0ae536e51841c84751cff320ce7376591215e0e2/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f7562756e74755f32305f30342f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KZgoOl8k-1690101110477)(https://camo.githubusercontent.com/b9be6942e31486ba81584b828bdd74bebe9e0c5b95b499755d830cc3d4b67a45/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f7562756e74755f31385f30342f726164617265322e737667)]
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-sFs0aiAl-1690101110477)(https://camo.githubusercontent.com/8de9f19560338658111d02779b96d9693e582510728449f23b7e9397e6858906/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f64656269616e5f756e737461626c652f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-a4EDZuCp-1690101110477)(https://camo.githubusercontent.com/b8843581c2ea3fcb84b9c281b690917f5486dcd34c0df5d03d66603c5b71b118/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f726173706269616e5f737461626c652f726164617265322e737667)] [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-X52Z6W0T-1690101110478)(https://camo.githubusercontent.com/71843e8bad11f3b03c353df10ebdf7bd1cb9e4a435e851c133e6880e6ee4be09/68747470733a2f2f7265706f6c6f67792e6f72672f62616467652f76657273696f6e2d666f722d7265706f2f6b616c695f726f6c6c696e672f726164617265322e737667)]