Provided by: radare2_5.9.8+dfsg-2_amd64

NAME

       rasign2 - a tool for generating and managing binary file signatures

SYNOPSIS

       rasign2 [options] [file]

DESCRIPTION

       The  rasign2 tool is designed for creating, dumping, and managing signature files for binary analysis. It
       facilitates the generation of signature databases (SDB) from binary files, making it easier  to  identify
       and  catalog  functions  and  other  symbols.  The tool can interpret FLIRT '.sig' files, execute custom
       Radare2 scripts, and output signatures in multiple formats.

OPTIONS

       -a     Perform a more thorough analysis by adding extra 'a' to the analysis command. The more  'A's,  the
              deeper the analysis.

       -A[AAA]
              Equivalent to r2 -A

       -f     Interpret the input file as a FLIRT '.sig' file and dump its signatures.

       -h     Display the help menu.

       -j     Output signatures in JSON format.

       -i script.r2
              Execute the specified Radare2 script on the input file.

       -o sigs.sdb
              Add generated signatures to the specified file. Creates the file if it does not exist.

       -q     Enable quiet mode, suppressing normal output.

       -r     Show output as Radare2 commands.

       -S     Operate on an SDB signature file. Use '-o -' to save to the same file.

       -s signspace
              Save all signatures under the specified signspace.

       -c     Add collision signatures before writing to a file.

       -v     Display version information.

       -m     Merge or overwrite signatures with the same name.

USAGE EXAMPLES

       Basic signature generation:
              rasign2 -o libc.sdb libc.so.6
       This command generates signatures from 'libc.so.6' and saves them in 'libc.sdb'.

       Enhanced analysis:
              rasign2 -A -o enhanced_libc.sdb libc.so.6
       This performs a deeper analysis before generating signatures, potentially discovering more functions.

       Output in Radare2 commands:
              rasign2 -r input_file | grep main
       Prints the discovered signatures for 'main' as Radare2 commands.

       JSON output:
              rasign2 -j input_file
       Outputs the generated signatures in JSON format.

       Merging signatures:
              rasign2 -m -o existing_sigs.sdb new_sigs.sdb
       Merges or overwrites signatures in 'existing_sigs.sdb' with those from 'new_sigs.sdb'.

THE Z COMMAND IN RADARE2

       The  z  command  in  radare2  is  dedicated  to the management of binary signatures, known as zignatures.
       Zignatures are used for identifying and cataloging functions across different binaries  by  their  unique
       characteristics, such as bytes patterns, graph metrics, and other attributes.

CONFIGURATION OPTIONS

       The  behavior  of  zignature  processing  can  be  fine-tuned through a variety of configuration options,
       accessible via 'e??zign.' in radare2. Some key configuration options include:

       zign.autoload
              Autoload all zignatures located in dir.zigns.

       zign.bytes
              Use bytes patterns for matching.

       zign.graph
              Use graph metrics for matching.

       zign.hash
              Use hash for matching.

       zign.threshold
              Minimum similarity required for inclusion in zb output.

       zign.types
              Use types for matching.

ADDING ZIGNATURES

       Zignatures can be added with the 'za' command, supporting a variety of  types  such  as  bytes  patterns,
       graph metrics, and more.

       za foo b 558bec..e8........
              Adds a bytes pattern zignature.

       za foo g cc=2 nbbs=3 edges=3 ebbs=1
              Adds a graph metrics zignature.
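
       The following is an added example, not code from radare2 or from this manual page. It illustrates how a
       bytes pattern such as the one passed to 'za foo b' above can be matched: each '.' is treated as a
       wildcard nibble, so bytes that vary between builds (here the fourth byte and the call displacement) do
       not prevent a match. The function names and the sample bytes are constructed for the illustration.

```python
"""Illustration of matching a 'b' bytes-pattern zignature; not radare2's matcher."""


def parse_pattern(pattern: str) -> tuple[bytes, bytes]:
    """Turn hex text with '.' wildcard nibbles into (value, mask) byte strings."""
    if len(pattern) % 2:
        raise ValueError("pattern must contain whole bytes (even number of nibbles)")
    value, mask = bytearray(), bytearray()
    for i in range(0, len(pattern), 2):
        v = m = 0
        for ch in pattern[i:i + 2]:
            v <<= 4
            m <<= 4
            if ch != ".":
                v |= int(ch, 16)  # raises ValueError on non-hex input
                m |= 0xF
        value.append(v)
        mask.append(m)
    return bytes(value), bytes(mask)


def find_matches(buf: bytes, pattern: str) -> list[int]:
    """Return every offset in buf where the masked pattern matches."""
    value, mask = parse_pattern(pattern)
    n = len(value)
    return [
        off for off in range(len(buf) - n + 1)
        if all((buf[off + i] & mask[i]) == value[i] for i in range(n))
    ]


# Constructed sample bytes: two builds of the same x86 function start that
# differ in the fourth byte and in the call displacement, followed by an
# unrelated prologue that must not match.
PATTERN = "558bec..e8........"  # pattern from the za example above
BUILD_A = bytes.fromhex("558bec51e810020000c9c3")
BUILD_B = bytes.fromhex("558bec56e8a4ffffffc9c3")
OTHER = bytes.fromhex("5589e583ec10e800000000")
IMAGE = b"\x90" * 4 + BUILD_A + b"\xcc" * 3 + BUILD_B + OTHER

if __name__ == "__main__":
    for off in find_matches(IMAGE, PATTERN):
        print(f"foo candidate at offset {off:#x}")
```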

ZIGNATURE COMMANDS

       The z command encompasses several subcommands for managing zignatures:

       z      Show zignatures.

       z.     Find matching zignatures in current offset.

       zb     Search for best match.

       zd zignature
              Diff current function and signature.

       z*     Show zignatures in radare format.

       zo     Manage zignature files.

       zf     Manage FLIRT signatures.

       z/     Search zignatures.

       zc     Compare current zignspace zignatures with another one.

       zs     Manage zignspaces.

       zi     Show zignatures matching information.

       The comprehensive management of zignatures through these commands facilitates a robust workflow for
       binary analysis, enabling the identification of known functions and facilitating the analysis of binary
       similarities and differences.

SUPPORTED ZIGNATURE METRICS

       Zignatures  in  radare2  can  be  created  with a variety of metrics, each capturing different aspects of
       binary functions. These metrics include:

       a: bytes pattern
              Radare2 creates a mask from analysis to match bytes patterns.

       b: bytes pattern
              Direct bytes pattern matching.

       c: base64 comment
              Associates a base64-encoded comment with the zignature.

       n: real function name
              Uses the real function name for matching.

       g: graph metrics
              Utilizes graph metrics such as cyclomatic complexity, number  of  edges,  basic  blocks,  and  end
              blocks.

       o: original offset
              Matches based on the original offset of the function.

       r: references
              Uses references for matching.

       x: cross references
              Incorporates cross references into the zignature.

       h: bbhash
              Employs hashing of function basic blocks for matching.

       v: vars (and args)
              Matches based on variables and arguments.

       Each metric allows for a nuanced approach to identifying and comparing functions across binaries,
       enabling more accurate and comprehensive analysis.

USAGE EXAMPLES FOR THE Z COMMAND

       The z command in radare2 is versatile, offering various functionalities through its subcommands. Here are
       five usage examples:

       Show all zignatures
              z
       Displays all zignatures currently loaded in radare2.

       Find matching zignatures at the current offset
              z.
       Searches for and displays zignatures that match at the current offset in the binary.

       Scan all functions to find matching zignatures
              z/
       Searches for and matches all loaded signatures against all the analyzed functions in order to give a
       name to every one.

       Load zignature files
              zo libc.sdb
       Loads zignatures from the specified SDB file into the current session.

       Generate zignatures for all functions
              zaF
       Generates zignatures for all identified functions in the binary and adds them to the current session.

       Search for the closest matching zignatures
              zb
       Searches  for and displays the closest matching zignatures to the function at the current offset, helping
       identify similar functions across binaries.

       These examples showcase the `z` command's ability to manage zignatures efficiently, aiding in the  binary
       analysis process by leveraging the power of zignatures for function identification and comparison.

SEE ALSO

       r2(1), radare2(1)

WWW

       https://www.radare.org/

AUTHORS

       pancake <pancake@nopcode.org>

1.0                                                17 Mar 2024                                        RASIGN2(1)