rasign2 - a tool for generating and managing binary file signatures
Adding Zignatures
Zignatures can be added with the 'za' command, supporting a variety of types such as bytes patterns,
graph metrics, and more.
za foo b 558bec..e8........
Adds a bytes pattern zignature named 'foo'; each '..' is a wildcard byte.
za foo g cc=2 nbbs=3 edges=3 ebbs=1
Adds a graph metrics zignature named 'foo'.
Configuration Options
The behavior of zignature processing can be fine-tuned through a variety of configuration options,
accessible via 'e?? zign.' in radare2. Some key configuration options include:
zign.autoload
Autoload all zignatures located in dir.zigns.
zign.bytes
Use bytes patterns for matching.
zign.graph
Use graph metrics for matching.
zign.hash
Use Hash for matching.
zign.threshold
Minimum similarity required for inclusion in zb output.
zign.types
Use types for matching.
Description
The rasign2 tool is designed for creating, dumping, and managing signature files for binary analysis. It
facilitates the generation of signature databases (SDB) from binary files, making it easier to identify
and catalog functions and other symbols. The tool can interpret FLIRT 'I.sig' files, execute custom
Radare2 scripts, and output signatures in multiple formats.
Name
rasign2 - a tool for generating and managing binary file signatures
Options
-a Perform a more thorough analysis by adding an extra 'a' to the analysis command. The more 'a's, the
deeper the analysis.
-A[AAA]
Equivalent to 'r2 -A'.
-f Interpret the input file as a FLIRT 'I.sig' file and dump its signatures.
-h Display the help menu.
-j Output signatures in JSON format.
-i script.r2
Execute the specified Radare2 script on the input file.
-o sigs.sdb
Add generated signatures to the specified file. Creates the file if it does not exist.
-q Enable quiet mode, suppressing normal output.
-r Show output as Radare2 commands.
-S Operate on an SDB signature file. Use '-o -' to save to the same file.
-s signspace
Save all signatures under the specified signspace.
-c Add collision signatures before writing to a file.
-v Display version information.
-m Merge or overwrite signatures with the same name.
See Also
r2(1), radare2(1)
Supported Zignature Metrics
Zignatures in radare2 can be created with a variety of metrics, each capturing different aspects of
binary functions. These metrics include:
a: bytes pattern
Radare2 creates a mask from analysis to match bytes patterns.
b: bytes pattern
Direct bytes pattern matching.
c: base64 comment
Associates a base64-encoded comment with the zignature.
n: real function name
Uses the real function name for matching.
g: graph metrics
Utilizes graph metrics such as cyclomatic complexity, number of edges, basic blocks, and end
blocks.
o: original offset
Matches based on the original offset of the function.
r: references
Uses references for matching.
x: cross references
Incorporates cross references into the zignature.
h: bbhash
Employs hashing of function basic blocks for matching.
v: vars (and args)
Matches based on variables and arguments.
Each metric allows for a nuanced approach to identifying and comparing functions across binaries,
enabling more accurate and comprehensive analysis.
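To make the 'b' (bytes pattern) and 'g' (graph metrics) zignature types above concrete, here is an added example, not part of radare2 or this manual, that matches a wildcard bytes pattern in the 'za ... b' form against a constructed buffer and compares two 'za ... g' metric strings. Buffer contents and function names are constructed for illustration; radare2's own matcher is more involved.

```python
# Bytes-pattern zignature in the form "za <name> b <pattern>" from the manual:
# each ".." is a wildcard byte, everything else is an exact hex byte.
BYTES_PATTERN = "558bec..e8........"

def parse_bytes_pattern(pattern: str):
    """Turn a hex string with '..' wildcards into a (values, mask) pair."""
    if len(pattern) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    values, mask = bytearray(), bytearray()
    for i in range(0, len(pattern), 2):
        pair = pattern[i:i + 2]
        if pair == "..":
            values.append(0x00)
            mask.append(0x00)   # wildcard: no bits compared
        else:
            values.append(int(pair, 16))
            mask.append(0xFF)   # exact byte: all bits compared
    return bytes(values), bytes(mask)

def find_pattern(buf: bytes, pattern: str):
    """Return every offset in buf where the masked pattern matches."""
    values, mask = parse_bytes_pattern(pattern)
    n = len(values)
    hits = []
    for off in range(len(buf) - n + 1):
        window = buf[off:off + n]
        if all((b & m) == (v & m) for b, v, m in zip(window, values, mask)):
            hits.append(off)
    return hits

def parse_graph_metrics(spec: str):
    """Parse the 'za <name> g cc=2 nbbs=3 edges=3 ebbs=1' argument into a dict."""
    return {k: int(v) for k, v in (kv.split("=") for kv in spec.split())}

def graph_metrics_match(a: str, b: str) -> bool:
    """Two graph zignatures match when every metric present in both is equal."""
    ma, mb = parse_graph_metrics(a), parse_graph_metrics(b)
    common = ma.keys() & mb.keys()
    return bool(common) and all(ma[k] == mb[k] for k in common)

# Constructed sample buffer: two regions that satisfy the pattern (offsets 2 and
# 18, with different bytes in the wildcard positions) and one decoy at offset 12
# that shares only the first three bytes and so must not match.
SAMPLE = bytes.fromhex(
    "90 90 55 8b ec 83 e8 10 20 30 40 c3"
    "55 8b ec c3 90 90"
    "55 8b ec 50 e8 aa bb cc dd c3"
)
```

Running find_pattern(SAMPLE, BYTES_PATTERN) yields [2, 18]; the decoy at offset 12 is rejected because the byte that must be 0xe8 is not masked.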
Synopsis
rasign2 [options] [file]
The Z Command In Radare2
The z command in radare2 is dedicated to the management of binary signatures, known as zignatures.
Zignatures are used for identifying and cataloging functions across different binaries by their unique
characteristics, such as bytes patterns, graph metrics, and other attributes.
Usage Examples
Basic signature generation:
rasign2 -o libc.sdb libc.so.6
This command generates signatures from 'libc.so.6' and saves them in 'libc.sdb'.
Enhanced analysis:
rasign2 -A -o enhanced_libc.sdb libc.so.6
This performs a deeper analysis before generating signatures, potentially discovering more functions.
Output in Radare2 commands:
rasign2 -r input_file | grep main
Prints the discovered signatures for 'main' as Radare2 commands.
JSON output:
rasign2 -j input_file
Outputs the generated signatures in JSON format.
Merging signatures:
rasign2 -m -o existing_sigs.sdb new_sigs.sdb
Merges or overwrites signatures in 'existing_sigs.sdb' with those from 'new_sigs.sdb'.
Usage Examples For The Z Command
The z command in radare2 is versatile, offering various functionalities through its subcommands. Here are
five usage examples:
Show all zignatures:
z
Displays all zignatures currently loaded in radare2.
Find matching zignatures at the current offset:
z.
Searches for and displays zignatures that match at the current offset in the binary.
Scan all functions to find matching zignatures:
z/
Matches all loaded signatures against all analyzed functions in order to give a name to
every one.
Load zignature files:
zo libc.sdb
Loads zignatures from the specified SDB file into the current session.
Generate zignatures for all functions:
zaF
Generates zignatures for all identified functions in the binary and adds them to the current session.
Search for the closest matching zignatures:
zb
Searches for and displays the closest matching zignatures to the function at the current offset, helping
identify similar functions across binaries.
These examples showcase the `z` command's ability to manage zignatures efficiently, aiding in the binary
analysis process by leveraging the power of zignatures for function identification and comparison.
WWW
https://www.radare.org/
Zignature Commands
The z command encompasses several subcommands for managing zignatures:
z Show zignatures.
z. Find matching zignatures in current offset.
zb Search for best match.
zd zignature
Diff current function and signature.
z* Show zignatures in radare format.
zo Manage zignature files.
zf Manage FLIRT signatures.
z/ Search zignatures.
zc Compare current zignspace zignatures with another one.
zs Manage zignspaces.
zi Show zignatures matching information.
The comprehensive management of zignatures through these commands facilitates a robust workflow
for binary analysis, enabling the identification of known functions and facilitating the analysis
of binary similarities and differences.
