Adding Metadata to Disassembly

The typical work involved in reversing binary files makes powerful annotation capabailities essential. Radare offers multiple ways to store and retrieve such metadata.

By following common basic *NIX principles, it is easy to write a small utility in a scripting language which uses objdump, otool, etc. to obtain information from a binary and to import it into radare. For example, take a look at idc2r.py shipped with radare2ida. To use it, invoke it as idc2r.py file.idc > file.r2. It reads an IDC file exported from an IDA Pro database and produces an r2 script containing the same comments, names of functions etc. You can import the resulting 'file.r2' by using the dot . command of radare:

 [0x00000000]> . file.r2

The . command is used to interpret Radare commands from external sources, including files and program output. For example, to omit generation of an intermediate file and import the script directly you can use this combination:

 [0x00000000]> .!idc2r.py < file.idc

The C command is used to manage comments and data conversions. You can define a range of program's bytes to be interpreted as either code, binary data or string. It is also possible to execute external code at every specified flag location in order to fetch some metadata, such as a comment, from an external file or database.

Here's the help:

[0x00404cc0]> C?
|Usage: C[-LCvsdfm*?][*?] [...] # Metadata management
| C*                                             list meta info in r2 commands
| C- [len] [[@]addr]                             delete metadata at given address range
| CL[-][*] [file:line] [addr]                    show or add 'code line' information (bininfo)
| CS[-][space]                                   manage meta-spaces to filter comments, etc..
| CC[?] [-] [comment-text] [@addr]               add/remove comment
| CC.[addr]                                      show comment in current address
| CC! [@addr]                                    edit comment with $EDITOR
| CCa[-at]|[at] [text] [@addr]                   add/remove comment at given address
| CCu [comment-text] [@addr]                     add unique comment
| Cv[bsr][?]                                     add comments to args
| Cs[?] [-] [size] [@addr]                       add string
| Cz[@addr]                                      add zero-terminated string
| Ch[-] [size] [@addr]                           hide data
| Cd[-] [size] [repeat] [@addr]                  hexdump data array (Cd 4 10 == dword [10])
| Cf[?][-] [sz] [0|cnt][fmt] [a0 a1...] [@addr]  format memory (see pf?)
| CF[sz] [fcn-sign..] [@addr]                    function signature
| Cm[-] [sz] [fmt..] [@addr]                     magic parse (see pm?)
[0x00404cc0]>


[0x00000000]> CCa 0x0000002 this guy seems legit

[0x00000000]> pd 2
           0x00000000    0000         add [rax], al
   ;      this guy seems legit
           0x00000002    0000         add [rax], al

The C? family of commands lets you mark a range as one of several kinds of types. Three basic types are: code (disassembly is done using asm.arch), data (an array of data elements) or string. Use the Cs comand to define a string, use the Cd command for defining an array of data elements, and use the Cf command to define more complex data structures like structs.

Annotating data types is most easily done in visual mode, using the "d" key, short for "data type change". To First, use the cursor to select a range of bytes (press c key to toggle cursor mode and use HJKL keys to expand selection), then press 'd' to get a menu of possible actions/types. For example, to mark the range as a string, use the 's' option from the menu. You can achieve the same result from the shell using the Cs command:

 [0x00000000]> f string_foo @ 0x800
 [0x00000000]> Cs 10 @ string_foo

The Cf command is used to define a memory format string (the same syntax used by the pf command). Here's an example:

  [0x7fd9f13ae630]> Cf 16 2xi foo bar
  [0x7fd9f13ae630]> pd
              ;-- rip:
              0x7fd9f13ae630 format 2xi foo bar {
  0x7fd9f13ae630 [0] {
     foo : 0x7fd9f13ae630 = 0xe8e78948
     bar : 0x7fd9f13ae634 = 14696
  }
  0x7fd9f13ae638 [1] {
     foo : 0x7fd9f13ae638 = 0x8bc48949
     bar : 0x7fd9f13ae63c = 571928325
  }
  } 16
              0x7fd9f13ae633    e868390000   call 0x7fd9f13b1fa0
                 0x7fd9f13b1fa0() ; rip
              0x7fd9f13ae638    4989c4       mov r12, rax

The [sz] argument to Cf is used to define how many bytes the struct should take up in the disassembly, and is completely independent from the size of the dat structure define by the format string. This may seem confusing, but has several uses. For example, you may want to see the formatted structue displayed in the disassembly, but still have those locations be visible as offsets and with raw bytes. Sometimes, you find large structures, but only identified a few fields, or only interested in specific fields. Then, you can tell r2 to display only those fields, using the format string and using 'skip' fields, and also have the disassembly continue after the entire structure, by giving it full size using the sz argument.

Using Cf, it's easy to define to define complex structures with simple oneliners. See pf? for more information. Remember that all these C commands can also be accessed from the visual mode by pressing the d (data conversion) key.

results matching ""

    No results matching ""