rasign2 - a tool for generating and managing binary file signatures
The rasign2 tool is designed for creating, dumping, and managing
signature files for binary analysis. It facilitates the generation of
signature databases (SDB) from binary files, making it easier to identify
and catalog functions and other symbols. The tool can interpret FLIRT
'I.sig' files, execute custom Radare2 scripts, and output signatures in
multiple formats.
- -a
  Perform a more thorough analysis by adding an extra 'a' to the analysis
  command. The more 'a's, the deeper the analysis.
- -A[AAA]
  Equivalent to r2 -A.
- -f
  Interpret the input file as a FLIRT 'I.sig' file and dump its signatures.
- -h
  Display the help menu.
- -j
  Output signatures in JSON format.
- -i script.r2
  Execute the specified Radare2 script on the input file.
- -o sigs.sdb
  Add generated signatures to the specified file. Creates the file if it
  does not exist.
- -q
  Enable quiet mode, suppressing normal output.
- -r
  Show output as Radare2 commands.
- -S
  Operate on an SDB signature file. Use '-o -' to save to the same file.
- -s signspace
  Save all signatures under the specified signspace.
- -c
  Add collision signatures before writing to a file.
- -v
  Display version information.
- -m
  Merge or overwrite signatures with the same name.
Basic signature generation:
    rasign2 -o libc.sdb libc.so.6
This command generates signatures from 'libc.so.6' and saves them in 'libc.sdb'.
Enhanced analysis:
    rasign2 -A -o enhanced_libc.sdb libc.so.6
This performs a deeper analysis before generating signatures, potentially
discovering more functions.
Output in Radare2 commands:
    rasign2 -r input_file | grep main
Prints the discovered signatures for 'main' as Radare2 commands.
JSON output:
    rasign2 -j input_file
Outputs the generated signatures in JSON format.
Merging signatures:
    rasign2 -m -o existing_sigs.sdb new_sigs.sdb
Merges or overwrites signatures in 'existing_sigs.sdb' with those from
'new_sigs.sdb'.
The z command in radare2 is dedicated to the management of binary signatures,
known as zignatures. Zignatures identify and catalog functions across
different binaries by their distinguishing characteristics, such as byte
patterns, graph metrics, and other attributes.
The behavior of zignature processing can be fine-tuned through a
variety of configuration options, accessible via 'e??zign.' in radare2. Some
key configuration options include:
- zign.autoload
  Autoload all zignatures located in dir.zigns.
- zign.bytes
  Use byte patterns for matching.
- zign.graph
  Use graph metrics for matching.
- zign.hash
  Use hash for matching.
- zign.threshold
  Minimum similarity required for inclusion in zb output.
- zign.types
  Use types for matching.
The z command encompasses several subcommands for managing zignatures:
- z
  Show zignatures.
- z.
  Find matching zignatures at the current offset.
- zb
  Search for best match.
- zd zignature
  Diff current function and signature.
- z*
  Show zignatures in radare format.
- zo
  Manage zignature files.
- zf
  Manage FLIRT signatures.
- z/
  Search zignatures.
- zc
  Compare current zignspace zignatures with another one.
- zs
  Manage zignspaces.
- zi
  Show zignatures matching information.
Together these commands support a robust binary-analysis workflow: known
functions can be recognized and named, and binaries can be compared for
their similarities and differences.
Zignatures in radare2 can be created with a variety of metrics,
each capturing different aspects of binary functions. These metrics
include:
- a: byte pattern
  Radare2 creates a mask from analysis to match byte patterns.
- b: byte pattern
  Direct byte pattern matching.
- c: base64 comment
  Associates a base64-encoded comment with the zignature.
- n: real function name
  Uses the real function name for matching.
- g: graph metrics
  Utilizes graph metrics such as cyclomatic complexity, number of edges,
  basic blocks, and end blocks.
- o: original offset
  Matches based on the original offset of the function.
- r: references
  Uses references for matching.
- x: cross references
  Incorporates cross references into the zignature.
- h: bbhash
  Employs hashing of function basic blocks for matching.
- v: vars (and args)
  Matches based on variables and arguments.
Each metric allows for a nuanced approach to identifying and
comparing functions across binaries, enabling more accurate and
comprehensive analysis.
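To make the byte-pattern and graph metrics concrete, and to show the role of zign.threshold described under the configuration options above, here is an added Python example. It is not code from rasign2 or radare2, and it does not reproduce radare2's internal scoring: the similarity formula, the class and function names, and the sample signatures and code bytes are all assumptions constructed for illustration. It implements masked byte-pattern matching (what metrics a and b rely on; an analysis-derived mask wildcards operands such as a call's rel32 immediate) and a graph-metric similarity with a threshold cutoff in the spirit of zb.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class GraphMetrics:
    """The four graph metrics the 'g' metric records for a function."""
    cc: int     # cyclomatic complexity
    nbbs: int   # number of basic blocks
    edges: int  # number of edges between basic blocks
    ebbs: int   # number of end (exit) basic blocks


@dataclass(frozen=True)
class Zignature:
    """A minimal zignature: a name, a byte pattern with mask, and graph metrics."""
    name: str
    pattern: bytes
    mask: bytes           # 0xff: byte must match exactly; 0x00: wildcard
    graph: GraphMetrics


def masked_match(sig: Zignature, data: bytes, offset: int) -> bool:
    """True if sig's pattern matches data at offset, ignoring masked-out bytes."""
    n = len(sig.pattern)
    if len(sig.mask) != n:
        raise ValueError("pattern and mask must have the same length")
    if offset < 0 or offset + n > len(data):
        return False
    window = data[offset:offset + n]
    return all((d & m) == (p & m) for p, m, d in zip(sig.pattern, sig.mask, window))


def scan_bytes(sigs: List[Zignature], data: bytes) -> List[Tuple[int, str]]:
    """Slide every signature over data; returns (offset, name) per hit, like 'z/'."""
    return [(off, sig.name)
            for off in range(len(data))
            for sig in sigs
            if masked_match(sig, data, off)]


def graph_similarity(a: GraphMetrics, b: GraphMetrics) -> float:
    """Score in [0, 1]: mean over the four metrics of 1 - |x - y| / max(x, y, 1).
    This formula is an assumption for illustration, not radare2's own scoring."""
    pairs = ((a.cc, b.cc), (a.nbbs, b.nbbs), (a.edges, b.edges), (a.ebbs, b.ebbs))
    return sum(1.0 - abs(x - y) / max(x, y, 1) for x, y in pairs) / len(pairs)


def best_matches(sigs: List[Zignature], target: GraphMetrics,
                 threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Rank signatures by graph similarity to target and drop those below
    threshold, the role zign.threshold plays for 'zb' output."""
    scored = [(sig.name, graph_similarity(sig.graph, target)) for sig in sigs]
    kept = [(name, score) for name, score in scored if score >= threshold]
    return sorted(kept, key=lambda t: t[1], reverse=True)


# Constructed sample signatures (not taken from any real library).
# leaf_fn: push rbp; mov rbp, rsp; call rel32; pop rbp; ret. The four bytes of
# the call's rel32 immediate are masked out, which is what an analysis-derived
# mask (metric 'a') does for operands that differ between builds or addresses.
LEAF = Zignature(
    name="leaf_fn",
    pattern=bytes.fromhex("554889e5e8000000005dc3"),
    mask=bytes.fromhex("ffffffffff00000000ffff"),
    graph=GraphMetrics(cc=1, nbbs=1, edges=0, ebbs=1),
)
# zero_ret: xor eax, eax; ret. No immediates, so every byte is significant.
ZERO_RET = Zignature(
    name="zero_ret",
    pattern=bytes.fromhex("31c0c3"),
    mask=bytes.fromhex("ffffff"),
    graph=GraphMetrics(cc=1, nbbs=1, edges=0, ebbs=1),
)
# loop_fn: sub rsp, imm8 with the immediate masked; its graph metrics are what
# matters in the ranking demo below.
LOOP = Zignature(
    name="loop_fn",
    pattern=bytes.fromhex("4883ec00"),
    mask=bytes.fromhex("ffffff00"),
    graph=GraphMetrics(cc=3, nbbs=4, edges=5, ebbs=1),
)
SIGS = [LEAF, ZERO_RET, LOOP]


def sample_data() -> bytes:
    """Constructed code bytes: two copies of leaf_fn with different call
    targets (at offsets 2 and 14), then zero_ret at offset 25."""
    leaf_a = bytes.fromhex("554889e5e8100000005dc3")  # call +0x10
    leaf_b = bytes.fromhex("554889e5e8200100005dc3")  # call +0x120
    return b"\x90\x90" + leaf_a + b"\xcc" + leaf_b + bytes.fromhex("31c0c3")


if __name__ == "__main__":
    print(scan_bytes(SIGS, sample_data()))
    print(best_matches(SIGS, GraphMetrics(cc=3, nbbs=4, edges=4, ebbs=1)))
```

Running the block reports both leaf_fn copies even though their call targets differ, because the mask hides the immediate; with the default threshold only loop_fn survives the graph ranking, and lowering the threshold (as zign.threshold allows) lets the weaker candidates through.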
The z command in radare2 is versatile, offering various
functionalities through its subcommands. Here are several usage examples:
- Show all zignatures
    z
  Displays all zignatures currently loaded in radare2.
- Find matching zignatures at the current offset
    z.
  Searches for and displays zignatures that match at the current offset in the
  binary.
- Scan all functions to find matching zignatures
    z/
  Matches all loaded signatures against all analyzed functions, in order to
  give a name to every function that matches.
- Load zignature files
    zo libc.sdb
  Loads zignatures from the specified SDB file into the current session.
- Generate zignatures for all functions
    zaF
  Generates zignatures for all identified functions in the binary and adds them
  to the current session.
- Search for the closest matching zignatures
    zb
  Searches for and displays the closest matching zignatures to the function at
  the current offset, helping identify similar functions across binaries.
These examples showcase the `z` command's ability to manage
zignatures efficiently, aiding in the binary analysis process by leveraging
the power of zignatures for function identification and comparison.
pancake <pancake@nopcode.org>