我的书签
添加书签
移除书签Signatures
To load the created signature file you need to load it from SDB file using zo command or from the compressed SDB file using zoz command.
To create signature you need to make function first, then you can create it from the function:
r2 /bin/ls[0x000051c0]> aaa # this creates functions, including 'entry0'[0x000051c0]> zaf entry0 entry[0x000051c0]> zentry: bytes: 31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4 graph: cc=1 nbbs=1 edges=0 ebbs=1 offset: 0x000051c0[0x000051c0]>
As you can see it made a new signature with a name entry from a function entry0. You can show it in JSON format too, which can be useful for scripting:
[0x000051c0]> zj~{}[ { "name": "entry", "bytes": "31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4", "graph": { "cc": "1", "nbbs": "1", "edges": "0", "ebbs": "1" }, "offset": 20928, "refs": [ ] }]
To remove it just run z-entry.
Then we can apply them. Lets open a file again:
r2 /bin/ls -- Log On. Hack In. Go Anywhere. Get Everything.[0x000051c0]> zentry: bytes: 31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4 graph: cc=1 nbbs=1 edges=0 ebbs=1 offset: 0x000051c0[0x000051c0]>
This means that the signatures were successfully loaded from the file myentry and now we can search matching functions:
Note that z. command just checks the signatures against the current address. To search signatures across the all file we need to do a bit different thing. There is an important moment though, if we just run it “as is” - it wont find anything:
[0x000051c0]> z/[+] searching 0x0021dfd0 - 0x002203e8[+] searching function metricshits: 0[0x000051c0]>
Note the searching address - this is because we need to range first:
[0x000051c0]> e search.in=io.section[0x000051c0]> z/[+] searching 0x000038b0 - 0x00015898[+] searching function metricshits: 1[0x000051c0]>
[0x000051c0]> pd 5;-- entry0:;-- sign.bytes.entry_0:0x000051c0 31ed xor ebp, ebp0x000051c2 4989d1 mov r9, rdx0x000051c5 5e pop rsi0x000051c9 4883e4f0 and rsp, 0xfffffffffffffff0[0x000051c0]>
Here we can see the comment of entry0, which is taken from the ELF parsing, but also the sign.bytes.entry_0, which is exactly the result of matching signature.
Signatures configuration stored in the zign. config vars’ namespace:
Often you know the signature should exist somewhere in a binary but and z. still fail. This is often due to very minor differences between the signature and the function. Maybe the compiler switched two instructions, or your signature is not for the correct function version. In these situations the zb commands can still help point you in the right direction by listing near matches.
[0x000040a0]> zb?Usage: zb[r?] [args] # search for closest matching signatures| zb [n] find n closest matching zignatures to function at current offset| zbr zigname [n] search for n most similar functions to zigname
The zb (zign best) command will show the top 5 closest signatures to a function. Each will contain a score between 1.0 and 0.0.
[0x0041e390]> s sym.fclose[0x0040fc10]> zb0.96032 0.92400 B 0.99664 G sym.fclose0.65971 0.35600 B 0.96342 G sym._nl_expand_alias0.65770 0.37800 B 0.93740 G sym.fdopen0.65112 0.35000 B 0.95225 G sym.__run_exit_handlers0.62532 0.34800 B 0.90264 G sym.__cxa_finalize
The zbr (zign best reverse) accepts a zignature name and attempts to find the closet matching functions. Use an analysis command, like aa to find functions first.
[0x00401b20]> aa[x] Analyze all flags starting with sym. and entry0 (aa)[0x00401b20]> zo ./libc.sdb[0x00401b20]> zbr sym.__libc_malloc 100.94873 0.89800 B 0.99946 G sym.malloc0.65245 0.40600 B 0.89891 G sym._mid_memalign0.59470 0.38600 B 0.80341 G sym._IO_flush_all_lockp0.59200 0.28200 B 0.90201 G sym._IO_file_underflow0.57802 0.30400 B 0.85204 G sym.__libc_realloc0.57094 0.35200 B 0.78988 G sym.__calloc0.56785 0.34000 B 0.79570 G sym._IO_un_link.part.00.56358 0.36200 B 0.76516 G sym._IO_cleanup
