Radare2:using test

32进制

已于 2023-07-23 17:30:08 修改

阅读量314

点赞数

文章标签： ctf 安全 linux 网络服务器

于 2023-07-23 16:34:20 首次发布

本文链接：https://blog.csdn.net/m0_47210241/article/details/131880962

版权

Radare2:using test

└─$ sudo apt install radare2                                                                                                                                               100 ⨯
[sudo] kwkl 的密码：
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成                 
下列软件包是自动安装的并且现在不需要了：
  blt buildah conmon fonts-lyx fuse-overlayfs gir1.2-ayatanaappindicator3-0.1 golang-github-containernetworking-plugin-dnsname golang-github-containers-common
  golang-github-containers-image isympy-common isympy3 libb2-1 libduktape207 libegl-dev libgl-dev libgl1-mesa-dev libgles-dev libgles1 libgles2 libglu1-mesa-dev libglut-dev
  libglut3.12 libglvnd-core-dev libglvnd-dev libglx-dev libjs-jquery-ui libjs-uglify libopengl-dev libostree-1-1 libperl5.34 libprotobuf32 libpython3.11-dev libpython3.9
  libpython3.9-dev libpython3.9-minimal libpython3.9-stdlib libqt6core6 libqt6dbus6 libqt6network6 libqt6sql6 libqt6sql6-sqlite libqt6test6 libqt6xml6 libslirp0 libsubid4
  libts0 libxext-dev perl-modules-5.34 podman python-matplotlib-data python3-appdirs python3-cycler python3-fs python3-mpmath python3-opengl python3-sympy python3.11
  python3.11-dev python3.11-minimal python3.9 python3.9-dev python3.9-minimal qt6-base-dev-tools qt6-translations-l10n qtchooser ruby-uglifier ruby2.7 slirp4netns tk8.6-blt2.5
  uidmap unicode-data
使用'sudo apt autoremove'来卸载它(它们)。
将会同时安装下列软件：
  file libcapstone-dev liblz4-1 liblz4-dev libmagic-dev libmagic-mgc libmagic1 libradare2-5.0.0 libradare2-common libradare2-dev libzip-dev libzip4
下列【新】软件包将被安装：
  libcapstone-dev liblz4-dev libmagic-dev libradare2-5.0.0 libradare2-common libradare2-dev libzip-dev libzip4 radare2
下列软件包将被升级：
  file liblz4-1 libmagic-mgc libmagic1
升级了 4 个软件包，新安装了 9 个软件包，要卸载 0 个软件包，有 1856 个软件包未被升级。
需要下载 6,394 kB 的归档。
解压缩后会消耗 41.5 MB 的额外空间。
您希望继续执行吗？ [Y/n] y

└─$ radare2 -h                                                                                                                                                               1 ⨯
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
          [-s addr] [-B baddr] [-m maddr] [-c cmd] [-e k=v] file|pid|-|--|=
 --           run radare2 without opening any file
 -            same as 'r2 malloc://512'
 =            read file from stdin (use -i and -c to run cmds)
 -=           perform !=! command to run all commands remotely
 -0           print \x00 after init and every command
 -2           close stderr file descriptor (silent warning messages)
 -a [arch]    set asm.arch
 -A           run 'aaa' command to analyze all referenced code
 -b [bits]    set asm.bits
 -B [baddr]   set base address for PIE binaries
 -c 'cmd..'   execute radare command
 -C           file is host:port (alias for -c+=http://%s/cmd/)
 -d           debug the executable 'file' or running process 'pid'
 -D [backend] enable debug mode (e cfg.debug=true)
 -e k=v       evaluate config var
 -f           block size = file size
 -F [binplug] force to use that rbin plugin
 -h, -hh      show help message, -hh for long
 -H ([var])   display variable
 -i [file]    run script file
 -I [file]    run script file before the file is opened
 -j           use json for -v, -L and maybe others
 -k [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
 -l [lib]     load plugin file
 -L           list supported IO plugins
 -m [addr]    map file at given address (loadaddr)
 -M           do not demangle symbol names
 -n, -nn      do not load RBin info (-nn only load bin structures)
 -N           do not load user settings and scripts
 -NN          do not load any script or plugin
 -q           quiet mode (no prompt) and quit after -i
 -qq          quit after running all -c and -i
 -Q           quiet mode (no prompt) and quit faster (quickLeak=true)
 -p [prj]     use project, list if no arg, load if no file
 -P [file]    apply rapatch file and quit
 -r [rarun2]  specify rarun2 profile to load (same as -e dbg.profile=X)
 -R [rr2rule] specify custom rarun2 directive
 -s [addr]    initial seek
 -S           start r2 in sandbox mode
 -T           do not compute file hashes
 -u           set bin.filter=false to get raw sym/sec/cls names
 -v, -V       show radare2 version (-V show lib versions)
 -w           open file in write mode
 -x           open without exec-flag (asm.emu will not work), See io.exec
 -X           same as -e bin.usextr=false (useful for dyldcache)
 -z, -zz      do not load strings or load them even in raw

analyzing

└─$ rabin2 -I megabeets_0x1                                                                                                                                                  1 ⨯
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
nx       false
os       linux
pic      false
relocs   true
relro    partial
rpath    NONE
sanitize false
static   false
stripped false
subsys   linux
va       true

                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rabin2 megabeets_0x1  
Usage: rabin2 [-AcdeEghHiIjlLMqrRsSUvVxzZ] [-@ at] [-a arch] [-b bits] [-B addr]
              [-C F:C:D] [-f str] [-m addr] [-n str] [-N m:M] [-P[-P] pdb]
              [-o str] [-O str] [-k query] [-D lang symname] file
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rabin2 -I megabeets_0x1                                                                                                                                                  1 ⨯
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
nx       false
os       linux
pic      false
relocs   true
relro    partial
rpath    NONE
sanitize false
static   false
stripped false
subsys   linux
va       true
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ r2 ./megabeets_0x1 
[0x08048370]> ie
[Entrypoints]
vaddr=0x08048370 paddr=0x00000370 haddr=0x00000018 hvaddr=0x08048018 type=program

1 entrypoints

[0x08048370]> aaaaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x08048370]> fs
    0 * classes
    5 * format
    0 * functions
    5 * imports
   11 * registers
    5 * relocs
   31 * sections
   10 * segments
    4 * strings
   37 * symbols
   27 * symbols.sections
[0x08048370]> fs imports;f
0x00000360 16 loc.imp.__gmon_start__
0x08048320 6 sym.imp.strcmp
0x08048330 6 sym.imp.strcpy
0x08048340 6 sym.imp.puts
0x08048350 6 sym.imp.__libc_start_main
[0x08048370]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000700 0x08048700 20  21   .rodata ascii \n  .:: Megabeets ::.
1   0x00000715 0x08048715 22  23   .rodata ascii Think you can make it?
2   0x0000072c 0x0804872c 9   10   .rodata ascii Success!\n
3   0x00000736 0x08048736 21  22   .rodata ascii Nop, Wrong argument.\n

[0x08048370]> axt @@ str.*
[0x08048370]> ax?
Usage: ax[?d-l*]   # see also 'afx?'
| ax              list refs
| ax*             output radare commands
| ax addr [at]    add code ref pointing to addr (from curseek)
| ax- [at]        clean all refs/refs from addr
| ax-*            clean all refs/refs
| axc addr [at]   add generic code ref
| axC addr [at]   add code call ref
| axg [addr]      show xrefs graph to reach current function
| axg* [addr]     show xrefs graph to given address, use .axg*;aggv
| axgj [addr]     show xrefs graph to reach current function in json format
| axd addr [at]   add data ref
| axq             list refs in quiet/human-readable format
| axj             list refs in json format
| axF [flg-glob]  find data/code references of flags
| axm addr [at]   copy data/code references pointing to addr to also point to curseek (or at)
| axt[?] [addr]   find data/code references to this address
| axf[?] [addr]   find data/code references from this address
| axv[?] [addr]   list local variables read-write-exec references
| ax. [addr]      find data/code references from and to this address
| axff[j] [addr]  find data/code references from this function
| axs addr [at]   add string ref
[0x08048370]> axt @@ *
sym.beet 0x80485e3 [CALL] call sym.imp.strcmp
sym.beet 0x804859b [CALL] call sym.imp.strcpy
main 0x804860e [CALL] call sym.imp.puts
main 0x804861e [CALL] call sym.imp.puts
main 0x804864b [CALL] call sym.imp.puts
main 0x804865d [CALL] call sym.imp.puts
entry0 0x804838c [CALL] call sym.imp.__libc_start_main
[0x08048370]> axt @@ ?
sym.beet 0x80485e3 [CALL] call sym.imp.strcmp
sym.beet 0x804859b [CALL] call sym.imp.strcpy
main 0x804860e [CALL] call sym.imp.puts
main 0x804861e [CALL] call sym.imp.puts
main 0x804864b [CALL] call sym.imp.puts
main 0x804865d [CALL] call sym.imp.puts
entry0 0x804838c [CALL] call sym.imp.__libc_start_main
[0x08048370]> axt @@ str>8
[0x08048370]> axt @@ str.*
[0x08048370]> axt @@ str.*
[0x08048370]> @@?
| @@                   # foreach iterator command:
| x @@ sym.*          run 'x' over all flags matching 'sym.' in current flagspace
| x @@.file           run 'x' over the offsets specified in the file (one offset per line)
| x @@/x 9090         temporary set cmd.hit to run a command on each search result
| x @@=`pdf~call[0]`  run 'x' at every call offset of the current function
| x @@=off1 off2 ..   manual list of offsets
| x @@b               run 'x' on all basic blocks of current function (see afb)
| x @@c:cmd           the same as @@=`` without the backticks
| x @@dbt[abs]        run 'x' command on every backtrace address, bp or sp
| x @@f               run 'x' on all functions (see aflq)
| x @@f:write         run 'x' on all functions matching write in the name
| x @@i               run 'x' on all instructions of the current function (see pdr)
| x @@iS              run 'x' on all sections adjusting blocksize
| x @@k sdbquery      run 'x' on all offsets returned by that sdbquery
| x @@s:from to step  run 'x' on all offsets from, to incrementing by step
| x @@t               run 'x' on all threads (see dp)
[0x08048370]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000700 0x08048700 20  21   .rodata ascii \n  .:: Megabeets ::.
1   0x00000715 0x08048715 22  23   .rodata ascii Think you can make it?
2   0x0000072c 0x0804872c 9   10   .rodata ascii Success!\n
3   0x00000736 0x08048736 21  22   .rodata ascii Nop, Wrong argument.\n

[0x08048370]> axt @@ str.*
[0x08048370]> afl
0x08048370    1 34           entry0
0x08048350    1 6            sym.imp.__libc_start_main
0x080483b0    4 43           sym.deregister_tm_clones
0x080483e0    4 53           sym.register_tm_clones
0x08048420    3 30           sym.__do_global_dtors_aux
0x08048440    4 43   -> 40   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x080483a0    1 4            sym.__x86.get_pc_thunk.bx
0x0804846b   19 282          sym.rot13
0x080486e4    1 20           sym._fini
0x08048585    1 112          sym.beet
0x08048330    1 6            sym.imp.strcpy
0x08048320    1 6            sym.imp.strcmp
0x08048680    4 93           sym.__libc_csu_init
0x080485f5    5 127          main
0x080482ec    3 35           sym._init
0x08048360    1 6            sym..plt.got
0x08048340    1 6            sym.imp.puts
[0x08048370]> s main
[0x080485f5]> pdf 
            ; DATA XREF from entry0 @ 0x8048387
┌ 127: int main (char **argv);
│           ; var int32_t var_8h @ ebp-0x8
│           ; arg char **argv @ esp+0x24
│           0x080485f5      8d4c2404       lea ecx, [argv]
│           0x080485f9      83e4f0         and esp, 0xfffffff0
│           0x080485fc      ff71fc         push dword [ecx - 4]
│           0x080485ff      55             push ebp
│           0x08048600      89e5           mov ebp, esp
│           0x08048602      53             push ebx
│           0x08048603      51             push ecx
│           0x08048604      89cb           mov ebx, ecx
│           0x08048606      83ec0c         sub esp, 0xc
│           0x08048609      6800870408     push str._n__.::_Megabeets_::. ; 0x8048700 ; "\n  .:: Megabeets ::." ; const char *s
│           0x0804860e      e82dfdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x08048613      83c410         add esp, 0x10
│           0x08048616      83ec0c         sub esp, 0xc
│           0x08048619      6815870408     push str.Think_you_can_make_it_ ; 0x8048715 ; "Think you can make it?" ; const char *s
│           0x0804861e      e81dfdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x08048623      83c410         add esp, 0x10
│           0x08048626      833b01         cmp dword [ebx], 1
│       ┌─< 0x08048629      7e2a           jle 0x8048655
│       │   0x0804862b      8b4304         mov eax, dword [ebx + 4]
│       │   0x0804862e      83c004         add eax, 4
│       │   0x08048631      8b00           mov eax, dword [eax]
│       │   0x08048633      83ec0c         sub esp, 0xc
│       │   0x08048636      50             push eax                    ; int32_t arg_8h
│       │   0x08048637      e849ffffff     call sym.beet
│       │   0x0804863c      83c410         add esp, 0x10
│       │   0x0804863f      85c0           test eax, eax
│      ┌──< 0x08048641      7412           je 0x8048655
│      ││   0x08048643      83ec0c         sub esp, 0xc
│      ││   0x08048646      682c870408     push str.Success__n         ; 0x804872c ; "Success!\n" ; const char *s
│      ││   0x0804864b      e8f0fcffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   0x08048650      83c410         add esp, 0x10
│     ┌───< 0x08048653      eb10           jmp 0x8048665
│     │││   ; CODE XREFS from main @ 0x8048629, 0x8048641
│     │└└─> 0x08048655      83ec0c         sub esp, 0xc
│     │     0x08048658      6836870408     push str.Nop__Wrong_argument._n ; 0x8048736 ; "Nop, Wrong argument.\n" ; const char *s
│     │     0x0804865d      e8defcffff     call sym.imp.puts           ; int puts(const char *s)
│     │     0x08048662      83c410         add esp, 0x10
│     │     ; CODE XREF from main @ 0x8048653
│     └───> 0x08048665      b800000000     mov eax, 0
│           0x0804866a      8d65f8         lea esp, [var_8h]
│           0x0804866d      59             pop ecx
│           0x0804866e      5b             pop ebx
│           0x0804866f      5d             pop ebp
│           0x08048670      8d61fc         lea esp, [ecx - 4]
└           0x08048673      c3             ret
[0x080485f5]> 
[0x080485f5]> pdf sym.beet
            ; DATA XREF from entry0 @ 0x8048387
┌ 127: int main (char **argv);
│           ; var int32_t var_8h @ ebp-0x8
│           ; arg char **argv @ esp+0x24
│           0x080485f5      8d4c2404       lea ecx, [argv]
│           0x080485f9      83e4f0         and esp, 0xfffffff0
│           0x080485fc      ff71fc         push dword [ecx - 4]
│           0x080485ff      55             push ebp
│           0x08048600      89e5           mov ebp, esp
│           0x08048602      53             push ebx
│           0x08048603      51             push ecx
│           0x08048604      89cb           mov ebx, ecx
│           0x08048606      83ec0c         sub esp, 0xc
│           0x08048609      6800870408     push str._n__.::_Megabeets_::. ; 0x8048700 ; "\n  .:: Megabeets ::." ; const char *s
│           0x0804860e      e82dfdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x08048613      83c410         add esp, 0x10
│           0x08048616      83ec0c         sub esp, 0xc
│           0x08048619      6815870408     push str.Think_you_can_make_it_ ; 0x8048715 ; "Think you can make it?" ; const char *s
│           0x0804861e      e81dfdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x08048623      83c410         add esp, 0x10
│           0x08048626      833b01         cmp dword [ebx], 1
│       ┌─< 0x08048629      7e2a           jle 0x8048655
│       │   0x0804862b      8b4304         mov eax, dword [ebx + 4]
│       │   0x0804862e      83c004         add eax, 4
│       │   0x08048631      8b00           mov eax, dword [eax]
│       │   0x08048633      83ec0c         sub esp, 0xc
│       │   0x08048636      50             push eax                    ; int32_t arg_8h
│       │   0x08048637      e849ffffff     call sym.beet
│       │   0x0804863c      83c410         add esp, 0x10
│       │   0x0804863f      85c0           test eax, eax
│      ┌──< 0x08048641      7412           je 0x8048655
│      ││   0x08048643      83ec0c         sub esp, 0xc
│      ││   0x08048646      682c870408     push str.Success__n         ; 0x804872c ; "Success!\n" ; const char *s
│      ││   0x0804864b      e8f0fcffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   0x08048650      83c410         add esp, 0x10
│     ┌───< 0x08048653      eb10           jmp 0x8048665
│     │││   ; CODE XREFS from main @ 0x8048629, 0x8048641
│     │└└─> 0x08048655      83ec0c         sub esp, 0xc
│     │     0x08048658      6836870408     push str.Nop__Wrong_argument._n ; 0x8048736 ; "Nop, Wrong argument.\n" ; const char *s
│     │     0x0804865d      e8defcffff     call sym.imp.puts           ; int puts(const char *s)
│     │     0x08048662      83c410         add esp, 0x10
│     │     ; CODE XREF from main @ 0x8048653
│     └───> 0x08048665      b800000000     mov eax, 0
│           0x0804866a      8d65f8         lea esp, [var_8h]
│           0x0804866d      59             pop ecx
│           0x0804866e      5b             pop ebx
│           0x0804866f      5d             pop ebp
│           0x08048670      8d61fc         lea esp, [ecx - 4]
└           0x08048673      c3             ret
[0x080485f5]> pdf @sym.beet
            ; CALL XREF from main @ 0x8048637
┌ 112: sym.beet (char *src);
│           ; var char *s2 @ ebp-0x92
│           ; var int32_t var_8eh @ ebp-0x8e
│           ; var int32_t var_8ah @ ebp-0x8a
│           ; var char *dest @ ebp-0x88
│           ; arg char *src @ ebp+0x8
│           0x08048585      55             push ebp
│           0x08048586      89e5           mov ebp, esp
│           0x08048588      81ec98000000   sub esp, 0x98
│           0x0804858e      83ec08         sub esp, 8
│           0x08048591      ff7508         push dword [src]            ; const char *src
│           0x08048594      8d8578ffffff   lea eax, [dest]
│           0x0804859a      50             push eax                    ; char *dest
│           0x0804859b      e890fdffff     call sym.imp.strcpy         ; char *strcpy(char *dest, const char *src)
│           0x080485a0      83c410         add esp, 0x10
│           0x080485a3      c7856effffff.  mov dword [s2], 0x6167654d  ; 'Mega'
│           0x080485ad      c78572ffffff.  mov dword [var_8eh], 0x74656562 ; 'beet'
│           0x080485b7      66c78576ffff.  mov word [var_8ah], 0x73    ; 's' ; 115
│           0x080485c0      83ec0c         sub esp, 0xc
│           0x080485c3      8d856effffff   lea eax, [s2]
│           0x080485c9      50             push eax                    ; int32_t arg_8h
│           0x080485ca      e89cfeffff     call sym.rot13
│           0x080485cf      83c410         add esp, 0x10
│           0x080485d2      83ec08         sub esp, 8
│           0x080485d5      8d856effffff   lea eax, [s2]
│           0x080485db      50             push eax                    ; const char *s2
│           0x080485dc      8d8578ffffff   lea eax, [dest]
│           0x080485e2      50             push eax                    ; const char *s1
│           0x080485e3      e838fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
│           0x080485e8      83c410         add esp, 0x10
│           0x080485eb      85c0           test eax, eax
│           0x080485ed      0f94c0         sete al
│           0x080485f0      0fb6c0         movzx eax, al
│           0x080485f3      c9             leave
└           0x080485f4      c3             ret
[0x080485f5]> ahi ?
[0x080485f5]> ahi?
Usage: ahi [2|8|10|10u|16|bodhipSs] [@ offset]   Define numeric base
| ahi <base>  set numeric base (2, 8, 10, 16)
| ahi 10|d    set base to signed decimal (10), sign bit should depend on receiver size
| ahi 10u|du  set base to unsigned decimal (11)
| ahi b       set base to binary (2)
| ahi o       set base to octal (8)
| ahi h       set base to hexadecimal (16)
| ahi i       set base to IP address (32)
| ahi p       set base to htons(port) (3)
| ahi S       set base to syscall (80)
| ahi s       set base to string (1)
| ahi1 10     set base of argument 1 to base 10 (same as ahi1 d)
[0x080485f5]> ahi s 0x080485a3 0x080485ad 0x080485b7 
[0x080485f5]> ahi s @@=0x080485a3 0x080485ad 0x080485b7 
[0x080485f5]> pdf @sym.beet
            ; CALL XREF from main @ 0x8048637
┌ 112: sym.beet (char *src);
│           ; var char *s2 @ ebp-0x92
│           ; var int32_t var_8eh @ ebp-0x8e
│           ; var int32_t var_8ah @ ebp-0x8a
│           ; var char *dest @ ebp-0x88
│           ; arg char *src @ ebp+0x8
│           0x08048585      55             push ebp
│           0x08048586      89e5           mov ebp, esp
│           0x08048588      81ec98000000   sub esp, 0x98
│           0x0804858e      83ec08         sub esp, 8
│           0x08048591      ff7508         push dword [src]            ; const char *src
│           0x08048594      8d8578ffffff   lea eax, [dest]
│           0x0804859a      50             push eax                    ; char *dest
│           0x0804859b      e890fdffff     call sym.imp.strcpy         ; char *strcpy(char *dest, const char *src)
│           0x080485a0      83c410         add esp, 0x10
│           0x080485a3      c7856effffff.  mov dword [s2], 'ageM'      ; 'Mega'
│                                                                      ; 0x6167654d                                                                                              
│           0x080485ad      c78572ffffff.  mov dword [var_8eh], 'teeb' ; 'beet'
│                                                                      ; 0x74656562                                                                                              
│           0x080485b7      66c78576ffff.  mov word [var_8ah], 's'     ; 's'
│                                                                      ; 0x73 ; 115                                                                                              
│           0x080485c0      83ec0c         sub esp, 0xc
│           0x080485c3      8d856effffff   lea eax, [s2]
│           0x080485c9      50             push eax                    ; int32_t arg_8h
│           0x080485ca      e89cfeffff     call sym.rot13
│           0x080485cf      83c410         add esp, 0x10
│           0x080485d2      83ec08         sub esp, 8
│           0x080485d5      8d856effffff   lea eax, [s2]
│           0x080485db      50             push eax                    ; const char *s2
│           0x080485dc      8d8578ffffff   lea eax, [dest]
│           0x080485e2      50             push eax                    ; const char *s1
│           0x080485e3      e838fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
│           0x080485e8      83c410         add esp, 0x10
│           0x080485eb      85c0           test eax, eax
│           0x080485ed      0f94c0         sete al
│           0x080485f0      0fb6c0         movzx eax, al
│           0x080485f3      c9             leave
└           0x080485f4      c3             ret
[0x080485f5]>

┌──(kwkl㉿kwkl)-[~/HODL/jf-binary]
└─$ rahash2 -E rot -S s:13 -s "Megabeets"
Zrtnorrgf

giantbranch@ubuntu:~/Desktop/jf-binary$ /snap/bin/radare2 ./megabeets_0x1 
 -- Don't look at the code. Don't look.
[0x08048370]> aaaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Scanning for strings constructed in code (/azs)
INFO: Finding function preludes (aap)
INFO: Enable anal.types.constraint for experimental type propagation
[0x08048370]> ood Zrtnorrgf
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f00a20]> ood Zrtnorrgf
child received signal 9
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f17a20]> ood Zrtnorrgf
child received signal 9
INFO: File dbg:///home/giantbranch/Desktop/jf-binary/megabeets_0x1 Zrtnorrgf reopened in read-write mode
[0xf7f6aa20]> dc

  .:: Megabeets ::.
Think you can make it?
Success!

(112883) Process exited with status=0x0
[0xf7f68dc9]> dc
(112883) Process terminated with status 0
INFO: ==> Process finished
[0xf7f6aa20]>

reference：

Radare2: Libre Reversing Framework for Unix Geeks

See the Releases page for downloads. The current git master branch is 5.8.9, next will be 5.9.0.

Since r2-5.6.0 all the patch releases are abi stable
Odd patch versions are used in git builds only, releases use even numbers
No need to recompile the plugins, bindings or tools if the major and minor version are the same

Description

r2 is a complete rewrite of radare. It provides a set of libraries, tools and plugins to ease reverse engineering tasks. Distributed mostly under LGPLv3, each plugin can have different licenses (see r2 -L, rasm2 -L, …).

The radare project started as a simple command-line hexadecimal editor focused on forensics. Today, r2 is a featureful low-level command-line tool with support for scripting. r2 can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb server. r2’s wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.

Installation

r2 can be installed from git or via pip using r2env.
Run sys/install.sh for the default acr+make+symlink installation
meson/ninja (muon/samu also works) and make builds are supported.
Windows builds require meson and msvc or mingw as compilers
To uninstall the current build of r2 run make uninstall
To uninstall ALL the system installations of r2 do: sudo make purge

git clone https://github.com/radareorg/radare2
radare2/sys/install.sh

Default Windows builds use MSVC, so run those .bat:

preconfigure.bat       REM setup python, meson, ninja
configure.bat          REM run meson b + vs project
make.bat               REM run ninja -C b
prefix\bin\radare2.exe

Alternatively you can use r2env to switch between different versions.

pip install -U r2env
r2env init
r2env add radare2@git

Usage

These are the first steps to use r2, read the book or find tutorials for more details

$ r2 /bin/ls   # open file in read-only
> aaa          # analyse the program (r2 -A)
> afl          # list all functions (try aflt, aflm)
> px 32        # print 32 byte hexdump current block
> s sym.main   # seek to main (using flag name)
> f~foo        # filter flags matching 'foo' (internal |grep)
> iS;is        # list sections and symbols (rabin2 -Ss)
> pdf; agf     # disassembly and ascii-art function graph
> oo+;w hello  # reopen in read-write and write a string
> ?*~...       # interactive filter in all command help
> q            # quit

Resources

Official Book: Read about r2 usage
COMMUNITY.md: Community engagement and loose guidelines
CONTRIBUTING.md: Information about reporting issues and contributing. See also Contributing
DEVELOPERS.md: Development guidelines for r2
SECURITY.md: Instructions for reporting vulnerabilities
USAGE.md: Some example commands
INSTALL.md: Installation instructions using make or meson

Plugins

Many plugins are included in r2 by default. But you can extend its capabilities by using the r2pm package manager.

r2pm -s <word> # search package by word
r2pm -ci <pkg> # install a package
r2pm -u <pkg>  # uninstall
r2pm -l <pkg>  # list installed packages

Contributing

There are many ways to contribute to the project. Contact the community, check out the github issues, or grep for TODO/FIXME/XXX comments in the source.

To contribute code, push your changes to a branch on your fork of the repository. Please ensure that you follow the coding and style guidelines and that your changes pass the testing suite, which you can run with the r2r tool. If you are adding significant code, it may be necessary to modify or add additional tests in the test/ directory.

For more details, see CONTRIBUTING.md and DEVELOPERS.md.

Documentation

To learn more about r2 we encourage you to watch youtube talks from r2con. In addition to reading blogposts, slides or the official radare2 book, here are some methods to contact us:

Community

irc.libera.chat: #radare, #radare_side
Matrix: #radare:matrix.org
Telegram: Main Channel and Side Channel
Discord server
Mastodon: @radareorg
Twitter: @radareorg
Website: https://www.radare.org/

Supported Platforms

Operating Systems

Windows (since XP), Linux, Darwin, GNU/Hurd, Apple’s {Mac,i,iPad,watch}OS, Android, [Dragonfly, Net, Free, Open] BSD, Z/OS, QNX, SerenityOS, Solaris, Haiku, Vinix, FirefoxOS.

Architectures

i386, x86-64, Alpha, ARM, AVR, BPF, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, XAP, S390, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, PDP11, m680x, V850, CRIS, XAP, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, EVM, OR1K Tricore, CHIP-8, LH5801, T8200, GameBoy, SNES, SPC700, MSP430, Xtensa, xcore, NIOS II, Java, Dalvik, Pickle, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c64x), Hexagon, Brainfuck, Malbolge, whitespace, DCPU16, LANAI, lm32, MCORE, mcs96, RSP, SuperH-4, VAX, KVX, Am29000, LOONGARCH, JDH8, s390x.

File Formats

ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, XCOFF, OMF, TE, XBE, SEP64, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executables, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), PDP11, XTAC, WASM (WebAssembly binary), Commodore VICE emulator, QNX, WAD, OFF, TIC-80, GB/GBA, NDS and N3DS, and mount several filesystems like NTFS, FAT, HFS+, EXT,…