
gostringsr2's Introduction

gostringsr2

gostringsr2 extracts strings from a Go binary using radare2.

Tested with radare2 3.7.0, Python 3.7, r2pipe 1.4.1, on OS X and Linux.

Tested on Go binaries with architectures: x86 (32 and 64 bit), ARM (32 and 64 bit).

Tested on Go binaries with file formats: ELF (Linux), Mach-O (OS X), PE (Windows).

v1.0.0 code walkthrough - https://carvesystems.com/news/reverse-engineering-go-binaries-using-radare-2-and-python/

Installation

  1. Install radare2.
  2. Install gostringsr2 into your Python3 (virtual) environment

From Github:

pip install git+https://github.com/carvesystems/gostringsr2

or

Locally:

git clone https://github.com/carvesystems/gostringsr2
pip install -e gostringsr2

Usage

Usage: gostringsr2 [OPTIONS] FILE

Options:
  -n INTEGER  minimum length, default=4
  -v          verbose
  -u          utf8 encoding instead of ascii
  -s TEXT     save output as r2 script; load in r2 with: . [script-file]
  --help      Show this message and exit.

Example

Sample Go file:

$ cat <<SOURCE > helloworld.go
package main

func main() {
    print("hello world, how are you today?\n")
}
SOURCE

$ go build helloworld.go

$ ./helloworld
hello world, how are you today?

Basic output:

Find ASCII strings of at least length 8:

$ gostringsr2 -n 8 helloworld|grep -B5 -A5 hello
bad write barrier buffer bounds
call from within the Go runtime
casgstatus: bad incoming values
checkmark found unmarked object
entersyscallblock inconsistent 
hello world, how are you today?
inserting span already in treap
internal error - misuse of itab
non in-use span in unswept list
pacer: sweep done at heap size 
resetspinning: not a spinning m

Verbose output:

Shows debug messages and each string's virtual address and (decoded) length.

$ gostringsr2 -v -n 8 helloworld|grep -B5 -A5 hello
Loading file into r2: helloworld
file: helloworld
size: 1083 KB
executable: mach0
language: c
architecture: 64-bit x86
os: macos
stripped: False

Locating string table...
String table at 0x106cf20 thru 0x10713a2
Retrieving cross references...
Limited cross-ref check from 0x1001000 to 0x104ead0
Locating string references...
Retrieved 774 references to the string table
Found strings: 631
0x106f9c3 : [31] : bad write barrier buffer bounds
0x106f9e2 : [31] : call from within the Go runtime
0x106fa01 : [31] : casgstatus: bad incoming values
0x106fa20 : [31] : checkmark found unmarked object
0x106fa3f : [31] : entersyscallblock inconsistent 
0x106fa5e : [31] : hello world, how are you today?
0x106fa7d : [31] : inserting span already in treap
0x106fa9c : [31] : internal error - misuse of itab
0x106fabb : [31] : non in-use span in unswept list
0x106fada : [31] : pacer: sweep done at heap size 
0x106faf9 : [31] : resetspinning: not a spinning m

r2 script output

Writes an r2 script that creates:

  1. A string reference ("axs") to the string at each code location
  2. A comment ("CCu") at each code reference, in the form ([string length]) "[first 50 characters of the string]"
  3. A flag in the strings flag space, named str.go.[first 20 chars of the string]

$ gostringsr2 -s hello.r2 -v -n 8 helloworld|grep hello
Loading file into r2: helloworld
file: helloworld
size: 1083 KB
executable: mach0
language: c
architecture: 64-bit x86
os: macos
stripped: False

Locating string table...
String table at 0x106cf40 thru 0x1071403
Retrieving cross references...
Limited cross-ref check from 0x1001000 to 0x104eaf0
Locating string references...
Retrieved 775 references to the string table
Found strings: 632
+ r2 script written to hello.r2. Load in r2 with '. [scriptfile]'
0x106fbf7 : [32] : hello world, how are you today?


$ r2 helloworld
 -- It's not you, it's me.
[0x0104a4d0]> . hello.r2
[0x0104a4d0]> axt 0x106fbf7
(nofunc); (32) "hello world, how are you today?//" 0x104ea42 [STRING] lea rax, str.go.hello_world__how_are
[0x0104a4d0]> pd 6 @0x104ea42
            0x0104ea42      488d05ae1102.  lea rax, str.go.hello_world__how_are ; (32) "hello world, how are you today?//"
            0x0104ea49      48890424       mov qword [rsp], rax
            0x0104ea4d      48c744240820.  mov qword [rsp + 8], 0x20
            0x0104ea56      e87557fdff     call sym.runtime.printstring
            0x0104ea5b      e8c04efdff     call sym.runtime.printunlock
            0x0104ea60      e83b4efdff     call sym.runtime.printlock
[0x0104a4d0]>
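The verbose run above shows the pipeline (find the string table, collect cross references from the code section, decode each string's length), and the pd listing shows the pattern the length is decoded from: Go loads a string literal as a (pointer, length) pair, here lea rax, str followed by mov qword [rsp + 8], 0x20. The following is an added example, not code from gostringsr2, that applies the same heuristic to a constructed string table and a constructed pd-style listing instead of a live r2 session; STRTAB, DISASM and CODE_RANGE are sample data, and the bounds checks (source inside the code section, destination and length inside the table) are the ones a practitioner would want when the lookahead picks up an unrelated immediate.

```python
import re

# Constructed sample data for this example; not taken from the tool's code.
STRTAB_VADDR = 0x106cf40                         # start of the Go string table
STRTAB = (b"bad write barrier buffer bounds"     # offset 0, 31 bytes
          b"hello world, how are you today?\n"   # offset 31, 32 bytes
          b"internal error - misuse of itab")    # offset 63, 31 bytes
CODE_RANGE = (0x1001000, 0x104eaf0)              # .text bounds, as in -v output

# Constructed r2 pd-style listing. The third lea points outside the string
# table and must be skipped even though an immediate follows it.
DISASM = """\
0x0104ea42  lea rax, 0x106cf5f
0x0104ea49  mov qword [rsp], rax
0x0104ea4d  mov qword [rsp + 8], 0x20
0x0104ea60  lea rax, 0x106cf40
0x0104ea67  mov qword [rsp + 8], 0x1f
0x0104ea70  lea rax, 0x2000000
0x0104ea77  mov qword [rsp + 8], 0x10
"""

INSN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(.+)$", re.I)
LEA_RE = re.compile(r"lea\s+\w+,\s*(0x[0-9a-f]+)", re.I)
LEN_RE = re.compile(r"mov\s+qword\s+\[rsp(?:\s*\+\s*\d+)?\],\s*(0x[0-9a-f]+|\d+)", re.I)


def find_go_strings(disasm, strtab, strtab_vaddr, code_range, min_len=4, lookahead=3):
    """Return (code_addr, str_vaddr, length, text) for every recovered string."""
    insns = [(int(m.group(1), 16), m.group(2)) for line in disasm.splitlines()
             if (m := INSN_RE.match(line.strip()))]
    found = []
    for i, (src, text) in enumerate(insns):
        lea = LEA_RE.search(text)
        if not lea or not (code_range[0] <= src < code_range[1]):
            continue                      # only references made from code count
        dst = int(lea.group(1), 16)
        if not (strtab_vaddr <= dst < strtab_vaddr + len(strtab)):
            continue                      # pointer must land inside the table
        for _, nxt in insns[i + 1:i + 1 + lookahead]:
            if (m := LEN_RE.search(nxt)):  # first immediate store is the length
                n, off = int(m.group(1), 0), dst - strtab_vaddr
                if n >= min_len and off + n <= len(strtab):
                    found.append((src, dst, n, strtab[off:off + n].decode("ascii", "replace")))
                break
    return found
```

Swap "ascii" for "utf-8" to mirror the tool's -u switch.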


gostringsr2's Issues

Typo? dst_addr instead of src_addr

This looks like a typo to me: dst_addr >= code_section["vaddr"]. I suspect you meant src_addr >= code_section["vaddr"].
https://github.com/CarveSystems/gostringsr2/blob/84d5adc7a74075185c327f170e4642c77eeb7cc0/gostringsr2/gostringsr2.py#L222

Can you also share which version of radare2 you are using? I'm using 3.7.0.0 with Python 3.7.4 and r2.cmd("pr") returns ASCII strings instead of byte strings. I kind of suspect that this is a regression in radare2 or r2pipe.

Thanks for sharing this!
