Provided by: radare2_5.9.8+dfsg-1_amd64

NAME

       rasign2 - a tool for generating and managing binary file signatures

SYNOPSIS

       rasign2 [options] [file]

DESCRIPTION

       The  rasign2  tool  is  designed  for  creating, dumping, and managing signature files for
       binary analysis. It facilitates the generation of signature databases  (SDB)  from  binary
       files,  making it easier to identify and catalog functions and other symbols. The tool can
       interpret FLIRT '.sig' files, execute custom Radare2 scripts, and  output  signatures  in
       multiple formats.

OPTIONS

       -a     Perform a more thorough analysis by adding an extra 'a' to the analysis command.
              The more 'a's, the deeper the analysis.

       -A[AAA]
              Equivalent to r2 -A

       -f     Interpret the input file as a FLIRT '.sig' file and dump its signatures.

       -h     Display the help menu.

       -j     Output signatures in JSON format.

       -i script.r2
              Execute the specified Radare2 script on the input file.

       -o sigs.sdb
              Add generated signatures to the specified file. Creates the file  if  it  does  not
              exist.

       -q     Enable quiet mode, suppressing normal output.

       -r     Show output as Radare2 commands.

       -S     Operate on an SDB signature file. Use '-o -' to save to the same file.

       -s signspace
              Save all signatures under the specified signspace.

       -c     Add collision signatures before writing to a file.

       -v     Display version information.

       -m     Merge or overwrite signatures with the same name.

USAGE EXAMPLES

       Basic signature generation:
              rasign2 -o libc.sdb libc.so.6
       This command generates signatures from 'libc.so.6' and saves them in 'libc.sdb'.

       Enhanced analysis:
              rasign2 -A -o enhanced_libc.sdb libc.so.6
       This performs a deeper analysis before generating signatures, potentially discovering more
       functions.

       Output in Radare2 commands:
              rasign2 -r input_file | grep main
       Prints the discovered signatures for 'main' as Radare2 commands.

       JSON output:
              rasign2 -j input_file
       Outputs the generated signatures in JSON format.

       Merging signatures:
              rasign2 -m -o existing_sigs.sdb new_sigs.sdb
       Merges or overwrites signatures in 'existing_sigs.sdb' with those from 'new_sigs.sdb'.

THE Z COMMAND IN RADARE2

       The z command in radare2 is dedicated to the management of  binary  signatures,  known  as
       zignatures.  Zignatures are used for identifying and cataloging functions across different
       binaries by their unique characteristics, such as bytes patterns, graph metrics, and other
       attributes.

CONFIGURATION OPTIONS

       The  behavior of zignature processing can be fine-tuned through a variety of configuration
       options, accessible via 'e??zign.' in radare2. Some key configuration options include:

       zign.autoload
              Autoload all zignatures located in dir.zigns.

       zign.bytes
              Use bytes patterns for matching.

       zign.graph
              Use graph metrics for matching.

       zign.hash
              Use hash for matching.

       zign.threshold
              Minimum similarity required for inclusion in zb output.

       zign.types
              Use types for matching.

ADDING ZIGNATURES

       Zignatures can be added with the 'za' command, supporting a variety of types such as bytes
       patterns, graph metrics, and more.

       za foo b 558bec..e8........
              Adds a bytes pattern zignature.

       za foo g cc=2 nbbs=3 edges=3 ebbs=1
              Adds a graph metrics zignature.
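
       How a masked bytes pattern such as '558bec..e8........' selects code, shown as an
       added Python illustration (not radare2's own code). It assumes each '.' is one
       wildcard nibble; the function names and sample bytes are constructed for the example.

```python
# Added illustration (not radare2 source): nibble-masked byte-pattern matching.

def compile_pattern(pattern):
    """Turn a hex pattern with '.' wildcard nibbles into (value, mask) bytes."""
    if len(pattern) % 2:
        raise ValueError("pattern must have an even number of nibbles")
    value, mask = bytearray(), bytearray()
    for i in range(0, len(pattern), 2):
        v = m = 0
        for ch in pattern[i:i + 2]:
            v <<= 4
            m <<= 4
            if ch != ".":
                v |= int(ch, 16)   # raises ValueError on non-hex input
                m |= 0xF
        value.append(v)
        mask.append(m)
    return bytes(value), bytes(mask)


def find_matches(data, pattern):
    """Return every offset in data where the masked pattern matches."""
    value, mask = compile_pattern(pattern)
    n = len(value)
    hits = []
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        if all((b & m) == v for b, m, v in zip(window, mask, value)):
            hits.append(off)
    return hits


# Constructed sample: two x86 prologues (push ebp; mov ebp, esp) followed by
# one varying byte and a call with different rel32 targets, plus a decoy whose
# prologue is followed by a jmp (0xe9) instead of a call (0xe8).
SAMPLE = (
    b"\x90\x90"
    + bytes.fromhex("558bec" "51" "e8" "10203040")
    + b"\xc3"
    + bytes.fromhex("558bec" "56" "e8" "aabbccdd")
    + b"\xc3"
    + bytes.fromhex("558bec" "51" "e9" "10203040")
)

if __name__ == "__main__":
    for off in find_matches(SAMPLE, "558bec..e8........"):
        print(f"foo matches at offset {off:#x}")
```

       The wildcards let one pattern match both call sites despite different call targets,
       while the fixed 'e8' byte rejects the decoy that shares the same prologue.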

ZIGNATURE COMMANDS

       The z command encompasses several subcommands for managing zignatures:

       z      Show zignatures.

       z.     Find matching zignatures in current offset.

       zb     Search for best match.

       zd zignature
              Diff current function and signature.

       z*     Show zignatures in radare format.

       zo     Manage zignature files.

       zf     Manage FLIRT signatures.

       z/     Search zignatures.

       zc     Compare current zignspace zignatures with another one.

       zs     Manage zignspaces.

       zi     Show zignatures matching information.

       Together, these commands support a binary analysis workflow in which known functions
       are identified and binaries are analyzed for similarities and differences.

SUPPORTED ZIGNATURE METRICS

       Zignatures  in  radare2 can be created with a variety of metrics, each capturing different
       aspects of binary functions. These metrics include:

       a: bytes pattern
              Radare2 creates a mask from analysis to match bytes patterns.

       b: bytes pattern
              Direct bytes pattern matching.

       c: base64 comment
              Associates a base64-encoded comment with the zignature.

       n: real function name
              Uses the real function name for matching.

       g: graph metrics
              Utilizes graph metrics such  as  cyclomatic  complexity,  number  of  edges,  basic
              blocks, and end blocks.

       o: original offset
              Matches based on the original offset of the function.

       r: references
              Uses references for matching.

       x: cross references
              Incorporates cross references into the zignature.

       h: bbhash
              Employs hashing of function basic blocks for matching.

       v: vars (and args)
              Matches based on variables and arguments.

       Each metric allows for a nuanced approach to identifying and comparing functions across
       binaries, enabling more accurate and comprehensive analysis.

USAGE EXAMPLES FOR THE Z COMMAND

       The z command in radare2  is  versatile,  offering  various  functionalities  through  its
       subcommands. Here are five usage examples:

       Show all zignatures
              z
       Displays all zignatures currently loaded in radare2.

       Find matching zignatures at the current offset
              z.
       Searches for and displays zignatures that match at the current offset in the binary.

       Scan all functions to find matching zignatures
              z/
       Matches all loaded signatures against all analyzed functions in order to give a name
       to each one.

       Load zignature files
              zo libc.sdb
       Loads zignatures from the specified SDB file into the current session.

       Generate zignatures for all functions
              zaF
       Generates zignatures for all identified functions in the  binary  and  adds  them  to  the
       current session.

       Search for the closest matching zignatures
              zb
       Searches  for  and displays the closest matching zignatures to the function at the current
       offset, helping identify similar functions across binaries.

       These examples showcase the `z` command's ability to manage zignatures efficiently, aiding
       in  the  binary  analysis  process  by  leveraging  the  power  of zignatures for function
       identification and comparison.

SEE ALSO

       r2(1), radare2(1)

WWW

       https://www.radare.org/

AUTHORS

       pancake <pancake@nopcode.org>