Rabin2
rabin2 -I [progname] # main info about the prog
rabin2 -z [progname] # the strings from the binary's data section
rabin2 -zz [progname] # all strings from the binary
rabin2 -zqq [progname] # strings only without additional info
rabin2 -x iGoat-Swift # extract the per-architecture (thin) binaries from a fat/universal binary
R2
Info
il # libs in use
ii # or iiq to see imports
r2 [progname] # launch radare2
> s main # seek to the main function
> aa # analyze all (functions, symbols, xrefs)
> v # visual panels mode (pseudo GUI with hex editor)
> VV # graph mode
> afvn user_input input # rename local var "input" to "user_input", updating every place it is referenced
# rename function
> s function_old_name
> afn function_new_name
> c # toggle cursor mode in visual mode
> afvd # print all local variables
> u # undo the last seek (go back)
> fs strings; f # load flag space of strings and load them
> axt @@ <address or ref> # list the xrefs to this item (string, import, function)
> f~bio # load currently selected flag space and grep for flags containing "bio"
> fs imports;f~BiometricAuth # select imports flag space, load it and grep for "BiometricAuth"
> pds # disassemble summary
Graph mode
VV # open Graph
# go to a function via the two-letter shortcut shown in brackets next to each node (e.g. [ao])
o # first type the 'o' key
> a # then enter the second letter from the brackets
Decompile
pdg? # help for the Ghidra decompiler command, if the r2ghidra plugin is installed
Debug
r2 -d <progname> # start debug
dcu main # continue until main
ragg2 -P 100 -r # generate a 100-byte cyclic pattern, a [De Bruijn Sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence), so every 4-byte window is unique
ragg2 -P 200 -r > pattern.txt
cat profile.rr2 # rarun2 profile that feeds the pattern to the program on stdin
#!/usr/bin/rarun2
stdin=./pattern.txt
r2 -r profile.rr2 -d <progname> # debug the program with the profile applied
wop? # help for the De Bruijn pattern commands
wopO `dr eip` # offset inside the pattern of the value that ended up in eip
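The two pattern steps above (ragg2 -P to generate, wopO to map a register value back to an input offset) can be reproduced offline for crash triage; this Python script is an added example, not part of radare2 or of these notes, and its de_bruijn and pattern_offset helpers are hypothetical names, not r2 commands.

```python
from typing import Optional, Union

# Alphabet order matters: index 0 is 'A', so the pattern starts "AAAABAAAC...".
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def de_bruijn(length: int, alphabet: str = ALPHABET, n: int = 4) -> str:
    """Prefix of `length` chars of the De Bruijn sequence B(k, n), k = len(alphabet).

    Every window of n chars is unique, which is what makes the ragg2 -P output
    useful: a register value copied from the pattern maps back to one offset.
    Generation stops early, so it is cheap although B(62, 4) has 62**4 chars.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out: list = []

    def db(t: int, p: int) -> None:  # Ruskey's recursive construction
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length])


def pattern_offset(pattern: str, value: Union[int, str], width: int = 4) -> Optional[int]:
    """Offset of `value` inside `pattern`, or None if it did not come from the pattern.

    An int is treated like the output of `dr eip`: a little-endian register
    value, so 0x43414141 decodes back to the bytes "AAAC" read from memory.
    """
    if isinstance(value, int):
        needle = value.to_bytes(width, "little").decode("latin-1")
    else:
        needle = value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    pat = de_bruijn(100)  # same role as: ragg2 -P 100 -r
    print(pat)
    print(pattern_offset(pat, 0x43414141))  # same role as: wopO 0x43414141 -> 5
```

For a 64-bit register (`dr rip`) pass width=8; a None result means the crashing value was not taken from the pattern at all, which is itself a useful triage signal.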
Speakeasy
Windows Kernel emulation: https://github.com/mandiant/speakeasy.
CMD
rundll32.exe [dllname].dll,[dllsexportedfuncname_or_ordinal] # run a DLL export by name or by ordinal
# rundll32.exe malicious.dll,ExportedFuncName
# rundll32.exe malicious.dll,#6
Test this https://r2wiki.readthedocs.io/en/latest/tools/radare2/. One good reference and another here.
Workshop for a refresher
https://malwareunicorn.org/#/workshops
Todo
Python scripts for IDA
Describe the crackme 1 and 2 solution