@jroimartin
Last active March 6, 2017 11:36
r2 zignatures

Zignatures

Commands

  • Manage zignatures
    • z: show zignatures
    • z*: show zignatures in radare format
    • z- zignature: delete zignature
    • z-*: delete all zignatures
    • Load zignatures from file:
      • zo filename: load zignatures from file
      • zoz filename: load zignatures from gzip file
      • zod filename: load zignatures from sdb file
    • Create zignatures manually:
      • zb name type bytes: create anal zignature
      • zB name type bytes: create exact-match zignature
      • zbf [name]: create anal zignature for function (use function name if name is not given)
      • zBf [name]: create exact-match zignature for function (use function name if name is not given)
      • zm name param: create metric zignature (e.g. zm foo bbs=10 calls=printf,exit)
    • Generate zignatures from detected functions:
      • zg zignspace [file]: generate anal zignatures for all functions (and save in file)
      • zG zignspace [file]: generate exact-match zignatures for all functions (and save in file)
    • FLIRT:
      • zfs filename: open FLIRT file and scan
      • zfd filename: open FLIRT file and dump
      • zfz filename: open FLIRT file and get sig commands (zfz flirt_file > zignatures.sig)
  • Check zignatures
    • z/ [ini] [end]: search zignatures on range and flag matches
    • z/* [ini] [end]: search zignatures on range and output radare commands
    • zc: check zignatures at address
  • Manage zignspaces
    • zs: display zignspaces (status per zignspace)
    • zs zignspace: select zignspace
    • zs *: select all zignspaces
    • zs- zignspace: delete zignspace
    • zs-*: delete all zignspaces

Zignature types

  • R_SIGN_BYTE ('b'): Bytes
  • R_SIGN_FUNC ('f'): Function body
  • R_SIGN_HEAD ('h'): Function header/prologue

Notes

  • New commands aim to be consistent with flag management
  • Bytes can contain '.' (dots) to specify a binary mask
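The mask note above and the z/ search command are easiest to understand with a worked example. The following Python is an added illustration, not radare2's own code: it parses a hex zignature in which each '.' masks one nibble (nibble granularity is an assumption here, so ".." masks a whole byte), scans a constructed buffer over a range, and emits flag-style commands for each hit. The command text it emits is an illustrative format, not r2's exact z/* output, and the function and signature names are invented for the example.

```python
# Added example of masked byte-signature matching in the spirit of r2 zignatures.
# Not radare2's own implementation; nibble-granularity '.' masking is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zignature:
    name: str
    pattern: bytes  # bytes to compare, with masked nibbles cleared to zero
    mask: bytes     # 0xf for each nibble that must match, 0x0 for a wildcard nibble


def parse_zignature(name: str, spec: str) -> Zignature:
    """Parse a hex string such as '5589e583ec..' into (pattern, mask).

    A hex digit fixes its nibble; a '.' leaves that nibble unchecked.
    """
    spec = spec.strip().lower()
    if len(spec) % 2:
        raise ValueError("hex spec must contain an even number of nibbles")
    pattern, mask = bytearray(), bytearray()
    for i in range(0, len(spec), 2):
        byte_val, byte_mask = 0, 0
        for shift, ch in ((4, spec[i]), (0, spec[i + 1])):
            if ch == ".":
                continue  # wildcard nibble: contributes nothing to value or mask
            if ch not in "0123456789abcdef":
                raise ValueError(f"bad nibble {ch!r} in zignature spec")
            byte_val |= int(ch, 16) << shift
            byte_mask |= 0xF << shift
        pattern.append(byte_val)
        mask.append(byte_mask)
    return Zignature(name, bytes(pattern), bytes(mask))


def matches_at(sig: Zignature, buf: bytes, off: int) -> bool:
    """True if the signature matches buf at offset off (like checking at one address)."""
    n = len(sig.pattern)
    if off < 0 or off + n > len(buf):
        return False
    return all((buf[off + i] & sig.mask[i]) == sig.pattern[i] for i in range(n))


def search(sigs: List[Zignature], buf: bytes,
           start: int = 0, end: Optional[int] = None) -> List[Tuple[int, str]]:
    """Scan [start, end) for every signature and return (offset, name) hits in order."""
    end = len(buf) if end is None else min(end, len(buf))
    hits: List[Tuple[int, str]] = []
    for off in range(max(start, 0), end):
        for sig in sigs:
            if matches_at(sig, buf, off):
                hits.append((off, sig.name))
    return hits


def flag_commands(hits: List[Tuple[int, str]]) -> List[str]:
    """Render hits as flag commands (illustrative format, not r2's exact z/* output)."""
    return [f"f sign.{name} @ {off:#x}" for off, name in hits]


# Constructed sample buffer: two x86 prologues that differ only in the stack size.
SAMPLE = bytes.fromhex("9090" + "5589e583ec10" + "c3" + "5589e583ec20" + "c3")

# A masked signature (last byte wildcarded) and an exact one for the first prologue.
SIGS = [
    parse_zignature("prologue.any", "5589e583ec.."),
    parse_zignature("prologue.exact", "5589e583ec10"),
]


def demo() -> List[str]:
    return flag_commands(search(SIGS, SAMPLE))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block prints one flag line for each hit: the masked signature fires on both prologues, while the exact-match one fires only on the first. Restricting the scan with start/end mirrors the [ini] [end] range accepted by z/.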