def createRzPipe(): try: rzproj = rzpipe.open() rzproj.cmd("a") # send a blind command return rzproj except: print("Unexpected error:", sys.exc_info()[0]) return None
def init_rizin(filename): rz = rizin.get(filename) if rz: return rz import rzpipe rz = rzpipe.open(filename) rizin[filename] = rz rz.cmd("aaaa") return rz
def __init__(self, file_name): rflags = ["-dw"] if (not test): rflags.append("-2") r = rzpipe.open(file_name, flags=rflags) for _ in range(5): r.cmd("dcs read") a = r.cmd("dr rip") a = int(a, 16) self.off = a - 0x12EE self.r = r self.encode_addr = 0x2E6F + self.off self.encode_addr_end = self.encode_addr + 0x4d8 self.decode_addr = 0x3894 + self.off self.decode_addr_end = self.decode_addr + 0x4ef self.keyfun_addr = 0x1342 + self.off self.keyfun_addr_end = 0x13C7 + self.off m = 0x9038 + self.off self.mem_addr = int(r.cmdj(f"?j [{m}]")["uint64"])
#!/usr/bin/env python import sys import rzpipe rzp = rzpipe.open() num = int(sys.argv[1]) if num == 0x80: r = rzp.cmdj("arj") if r["eax"] == 1: print("[SYSCALL EXIT] {0:d}", r["ebx"]) elif r["eax"] == 4: msg = rzp.cmd("psz %d@%d" % (r["edx"], r["ecx"])) print("[WRITE SYSCALL] ==> {0:s}", msg) elif num == 3: print("[INT3]") else: print("[unhandled SYSCALL {0:d}]", num)
#!/usr/bin/env python3 import rzpipe import sys import os rz = rzpipe.open("/bin/ls") libpath = ["", ".", "/lib", "/usr/lib"] output = "aa" # output = 'dot' done = {} def findlib(lib): if os.path.isfile(lib): return lib for a in libpath: if os.path.isfile("%s/%s" % (a, lib)): return "%s/%s" % (a, lib) return [] def getlibs(lib): return rz.syscmdj("rabin2 -lj %s" % (lib))["libs"] def filter(s): return s.replace("-", "_").replace("+", "x") def makeNode(name):
def verify(title, cmd, expected): rz = rzpipe.open("-") msg = rz.cmd(cmd) test(title, msg, expected) rz.quit()
""" Example usage to regenerate traps.json: - open the dyld cache in rizin like this: RZ_DYLDCACHE_FILTER=libsystem_kernel rizin -e bin.usextr=false ~/Library/Developer/Xcode/iOS\ DeviceSupport/12.1.2\ \(16C101\)\ arm64e/Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e - run the script with this command: #!pipe python2 /path/to/this/script.py > traps.json """ import json import re import rzpipe r = rzpipe.open("#!pipe") def walk_back_until(addr, pattern, min_addr): cursor = addr while cursor >= min_addr: op = r.cmdj("aoj@" + str(cursor))[0]["opcode"] if re.search(pattern, op) != None: return cursor + 4 if re.search(r"^ret", op) != None: return cursor + 4 if re.search(r"^b ", op) != None: return cursor + 4 cursor -= 4 return min_addr
def _get_rz(self, index): rz = rzpipe.open(self._dex_list[index]) rz.cmd("aa") return rz
import json import rzpipe def chk(x): if x[1]["opcode"] == "svc 0x80": name = x[0]["flags"][0][8:] sysnum = int(x[0]["opcode"].split(" ")[2], 16) print("%d\t%s" % (sysnum, name)) dev_pid = "23f88587e12c30376f8ab0b05236798fdfa4e853/4903" rz = rzpipe.open("frida://" + dev_pid) print("Importing symbols from libSystem...") rz.cmd(".=!i*") rz.cmd(".=!ie* libSystem.B.dylib") print("Finding syscalls...") funcs = rz.cmd("pdj 2 @@f:sym.fun.*") for doc in funcs.split("\n"): if len(doc) > 1: chk(json.loads(doc)) rz.quit() print("Thanks for waiting")
for addr in range(start, end, (2 * self.PTR_SIZE)): func_addr = self.get_pointer(addr) offset = self.get_pointer(addr + self.PTR_SIZE) name_str_off = self.get_pointer(base + offset + self.PTR_SIZE) name_addr = base + name_str_off name = self.rz.cmd('psz @ {}'.format(name_addr)) name = self.format_name(name) if name and len(name) > 2: print('Found name {} at 0x{:x}'.format(name, func_addr)) funcinfo = self.rz.cmdj('afij {}'.format(func_addr)) self.rz.cmd('af{} {} {}'.format('n' if funcinfo else '', name, func_addr)) def format_name(self, name): name = name.replace('(', '') name = name.replace(')', '') name = name.replace('*', '') name = name.replace('/', '.') name = name.replace(' ', '.') name = name.replace(';', '.') name = name.replace(',', '.') return name.strip() if __name__ == '__main__': rz = rzpipe.open() helper = GoLangHelper(rz) gopclntab = helper.get_gopclntab() print(gopclntab) helper.rename_functions()
def __init__( self, image_path: Optional[str] = None, blob: Optional[bytes] = None, rizinhome: Optional[str] = None, ): """UEFI analyzer initialization""" self._rz: rzpipe.open = None self._shm: Optional[shared_memory.SharedMemory] = None self._te: Optional[TerseExecutableParser] = None # init rizin if image_path: self._rz = rzpipe.open(filename=image_path, flags=["-2"], rizin_home=rizinhome) # analyze image self._rz.cmd("aaaa") try: self._te = TerseExecutableParser(image_path=image_path) except TerseExecutableError: self._te = None if blob and sys.platform in ["linux"]: if blob[:2] not in [b"MZ", b"VZ"]: raise UefiAnalyzerError("Invalid data format") blob_size = len(blob) self._shm = shared_memory.SharedMemory(create=True, size=blob_size) self._shm.buf[:] = blob[:] self._rz = rzpipe.open( filename=f"shm://{self._shm.name}/{blob_size:#d}", flags=["-2"], rizin_home=rizinhome, ) self._rz.cmd("aaaa") try: self._te = TerseExecutableParser(blob=blob) except TerseExecutableError: self._te = None if self._rz is None: raise UefiAnalyzerError( "Failed to initialize radare2/rizin analyzing engine") # private cache self._bs_list_g_bs: Optional[List[UefiService]] = None self._bs_prot: Optional[List[UefiService]] = None self._rt_list: Optional[List[UefiService]] = None self._pei_services: Optional[List[UefiService]] = None self._ppi_list: Optional[List[UefiProtocol]] = None self._protocols: Optional[List[UefiProtocol]] = None self._protocol_guids: Optional[List[UefiProtocolGuid]] = None self._nvram_vars: Optional[List[NvramVariable]] = None self._info: Optional[Dict[Any, Any]] = None self._strings: Optional[List[Any]] = None self._sections: Optional[List[Any]] = None self._functions: Optional[List[Any]] = None self._insns: Optional[List[Any]] = None self._g_bs: Optional[List[int]] = None self._g_rt: Optional[List[int]] = None self._smst_list: Optional[List[int]] = None # SMI handlers addresses self._swsmi_handlers: Optional[List[SwSmiHandler]] = None self._child_swsmi_handlers: Optional[List[ChildSwSmiHandler]] = None
from z3 import * import rzpipe import subprocess import os def uncompress(): subprocess.call(['rm','surprise.out']) subprocess.call(['bzip2', '-d','surprise']) ef get_xorvalues(arch): r = rzpipe.open("surprise.out") offsets={ "4":0x10020130, "0":[0x0202020,0x0202060], "2":[0x3020,0x3060] , "1":0x011008, "3":0x0012010}#need to recheck offsets for each arch before running script if arch == '0' or arch == '2': arch_offset1='pf 14d @'+str(offsets[arch][0]) arr = r.cmd(arch_offset1) #offset has to checked with ida after every 20 iters when the arch of the binary changes arr=[int(i) for i in arr.strip().split()[5::7]] xor1=arr arr=[] arch_offset2='pf 14d @'+str(offsets[arch][1]) arr = r.cmd(arch_offset2) #offset has to checked with ida after every 20 iters when the arch of the binary changes arr=[int(i) for i in arr.strip().split()[5::7]] xor2=arr print(xor1,xor2) return xor1,xor2 else: print(offsets[arch],arch) arch_offset='pf 28d @'+str(offsets[arch]) arr = r.cmd(arch_offset) #offset has to checked with ida after every 20 iters when the arch of the binary changes arr=[int(i) for i in arr.strip().split()[5::7]] xor1=arr[:14] xor2=arr[14:] print(xor1,xor2)
# /usr/bin/env python import rzpipe from os import system import time if __name__ == "__main__": print("[+] Spawning rizin tcp and http servers") system("pkill rizin") system("rizin -qc.:9080 /bin/ls &") system("rizin -qc=h /bin/ls &") time.sleep(1) # Test rzpipe with local process print("[+] Testing python rzpipe local") rlocal = rzpipe.open("/bin/ls") print(rlocal.cmd("pi 5")) # print rlocal.cmd("pn") info = rlocal.cmdj("ij") print("Architecture: " + info["bin"]["machine"]) # Test rzpipe with remote tcp process (launch it with "rizin -qc.:9080 myfile") print("[+] Testing python rzpipe tcp://") rremote = rzpipe.open("tcp://127.0.0.1:9080") disas = rremote.cmd("pi 5") if not disas: print("Error with remote tcp conection") else: print(disas) # Test rzpipe with remote http process (launch it with "rizin -qc=H myfile")
#!/usr/bin/env python3 import rzpipe rz = rzpipe.open("ccall:///bin/ls") # rz = rzpipe.open("/bin/ls") # rz.cmd("o /bin/ls") print(rz.cmd("pd 10")) rz.quit()
import rzpipe from malduck import rc4 import sys args = sys.argv print(args) if len(args) < 5: print('wrong') sys.exit() r2 = rzpipe.open() base = args[1] off = args[2] kl = args[3] cl = args[4] cmd = f'pxj {kl} @ {base} + {off}' print(cmd) key = r2.cmdj(cmd) cmd = f'pxj {cl} @ {base} + {off} + {kl}' print(cmd) ct = r2.cmdj(cmd) print(key) print(ct) pt = rc4(bytes(key), bytes(ct)) print(pt) if b'\x00' in pt: print(pt.decode('utf-16'))
def __init__(self, file_path, structure_path=None): if structure_path is None: structure_path = pkg_resources.resource_filename( "quark.core.axmlreader", "axml_definition") if not os.path.isfile(structure_path): raise AxmlException(f"Cannot find printing format definition file" f" of Rizin in {structure_path}") self._rz = rzpipe.open(file_path) self._rz.cmd(f"pfo {structure_path}") self._file_size = int(self._rz.cmd("i~size[1]"), 16) self._ptr = 0 self._cache = {} if self._file_size > 0xFFFF_FFFF: raise AxmlException("Filesize exceeds theoretical upper bound.") elif self._file_size < 8: raise AxmlException("Filesize exceeds theoretical lower bound.") # File Header header = self._rz.cmdj("pfj axml_ResChunk_header @ 0x0") self._data_type = header[0]["value"] self._axml_size = header[2]["value"] header_size = header[1]["value"] if self._data_type != RES_XML_TYPE or header_size != 0x8: raise AxmlException( f"Error parsing first header(type: {self._data_type}," f" size: {header_size}).") if self._axml_size > self._file_size: raise AxmlException(f"Decleared size ({self._axml_size} bytes) is" f" larger than total size({self._file_size}).") self._ptr += 8 if self._ptr >= self._axml_size: return # String Pool string_pool_header = self._rz.cmdj("pfj axml_ResStringPool_header @ 8") string_pool_size = string_pool_header[0]["value"][2]["value"] if string_pool_size > self._axml_size - self._ptr: raise AxmlException( f"Error parsing string pool, there should" f" be {string_pool_size}" f" bytes but only {self._axml_size - self._ptr} bytes.") header = string_pool_header[0]["value"] header_type = header[0]["value"] header_size = header[1]["value"] if header_type != RES_STRING_POOL_TYPE: raise AxmlException( f"Error parsing string pool, expect string pool" f" data at {self._ptr} bytes.") if header_size != 28: raise AxmlException( f"Error parsing string pool, heardsize should " f"be 16 bytes rather than { header_size } bytes.") self._stringCount = string_pool_header[1]["value"] stringStart = string_pool_header[4]["value"] self._rz.cmd(f"f string_pool_header @ 0x8 ") string_pool_index = header_size + self._ptr self._rz.cmd(f"f string_pool_index @ { string_pool_index }") string_pool_data = stringStart + self._ptr self._rz.cmd(f"f string_pool_data @ { string_pool_data }") self._ptr += string_pool_size if self._ptr >= self._axml_size: return # Resource Map (Optional) header = self._rz.cmdj(f"pfj axml_ResChunk_header @ {self._ptr}") header_type = header[0]["value"] if header_type == RES_XML_RESOURCE_MAP_TYPE: map_size = header[2]["value"] # Skip all the resource map if map_size > self._axml_size - self._ptr: raise AxmlException( f"Map size should be {map_size} bytes rather" f" than {self._axml_size - self._ptr} bytes.") self._ptr += map_size if self._ptr >= self._axml_size: return
FILENAMES = [ "bins/elf/_Exit (42)", "bins/pe/winver.exe", "bins/mach0/mach0_2-x86_64" ] for fname in FILENAMES: with open(fname, "rb") as f: data = f.read() data_size = len(data) shm = shared_memory.SharedMemory(create=True, size=data_size) print("Copying %s..." % fname) shm.buf[:data_size] = data[:] print("Copied %s succesfully" % fname) print("-------------") print("Shared buffer size 0x{0:x}".format(data_size)) print("-------------") rzp = rzpipe.open("shm://{0:s}/{1:d}".format(shm.name, data_size)) rzp.cmd("e scr.color=0") rzp.cmd("e scr.utf8=false") rzp.cmd("e scr.interactive=false") infoj = rzp.cmdj("ij") print(infoj["bin"]) print(rzp.cmd("px 16")) rzp.cmd("aaa") print(rzp.cmd("afl")) print(rzp.cmd("pdf @ entry0")) rzp.quit() shm.close() shm.unlink()
#!/usr/bin/env python2 # -*- coding: utf-8 -*- """ Example usage to regenerate traps.json: - open the dyld cache in rizin like this: RZ_DYLDCACHE_FILTER=libsystem_kernel rizin -e bin.usextr=false ~/Library/Developer/Xcode/iOS\ DeviceSupport/12.1.2\ \(16C101\)\ arm64e/Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e - run the script with this command: #!pipe python2 /path/to/this/script.py > traps.json """ import rzpipe, json, re r = rzpipe.open('#!pipe') def walk_back_until (addr, pattern, min_addr): cursor = addr while cursor >= min_addr: op = r.cmdj('aoj@' + str(cursor))[0]['opcode'] if re.search(pattern, op) != None: return cursor + 4 if re.search(r'^ret', op) != None: return cursor + 4 if re.search(r'^b ', op) != None: return cursor + 4 cursor -= 4 return min_addr