Home

The RSoC is finished

That's sad, I know, but the RSoC is now finished since 2 months and I havn't post for even longer! :/

I have done quit a few commits this summer, and that was really nice to implement new features in a project such as radare2! Still, I have some regrets not to have had enough time for the RSoC... I had no time to implement all the task I was given, and I even still have some that I hope to do in the next few weeks.

And this year, having a lot of responsibilities in my school's associations, and having a few school projects, I find even less time than this summer, so I don't think I'll be able to contribute a lot as I expected.

Now stop complaining about my free time and let's do a quick summary of what I've done. The task was about structure templates, so the goal is to define a human readable structure, a bit like a C header for example, and to apply it on a binary to see each field easily. The method with header file is quickly described here, and I think I'll do a more complete example one day.

But my work was more focused on one r2 feature related to structures: pf. That is the basic command for which you can have a quick help on r2 by hitting pf?.

The command works as follow:

pf iwf foo bar troll

applies the iwf format at current offset. The iwf format is an integer named foo, a word called bar, and a float, troll. This gives the following output:

[0x00000000]> pf iwf foo bar troll
  foo : 0x00000000 = 1179403647
  bar : 0x00000004 = 0x0101
troll : 0x00000006 = 1.000000

More fields type can be easily found in the pf help.

Moreover, pf supports some nice tricks like pointers by using * or arrays using []... eg:

pf *i[2]w pointer_to_int array_of_words

The next point is to store a format by entering following command:

pf.name iwf foo bar meh

We can now apply the format with pf.name. But the thing is that we can now use the stored format as a structure in a new format using ?. eg:

[0x00000000]> pf.meh iw int word
[0x00000000]> pf.boh i?w otherint (meh)plop otherword
[0x00000000]> pf.boh
 otherint : 0x00000000 = 1179403647
     plop : struct<meh>
       int : 0x00000004 = 65793
      word : 0x00000008 = 0x0000
otherword : 0x0000000a = 0x0000

That way, you can define linked lists for example, to apply on memory dumps, or create nested structures for complex templates.

Other features are the JSON output, with pfj, or the already done templates such as the elf32 header that you can easily load with pfo elf32.

On last thing is the writing mode (not fully supported for arrays and nested structs, which are my remaining tasks) that you can use that way. You define a format:

pf.name iwf foo bar meh

And then you can modify its field with:

pf.name.bar=0xfa0

That prints the command you should have to type to write 0xfa0 at the right offset, and a bit of r2 shell makes life easy (see the dot before the command, to execute the output of it as if entered in r2):

[0x00000000]> pf.name
foo : 0x00000000 = 0
bar : 0x00000004 = 0x0000
meh : 0x00000006 = 0.000000
[0x00000000]> .pf.name.bar=0xfa0
[0x00000000]> pf.name
foo : 0x00000000 = 0
bar : 0x00000004 = 0x0fa0
meh : 0x00000006 = 0.000000

There are still some features in pf, but I think you now have a good overview of what pf can do, and so what I've done during my RSoC.

To sum up, that was a great wonderful experience, and I've learned a lot of various interesting things. I hope to finish the last tasks soon, and after that, pf will really be a powerful tool to dump nice elf headers, or analyse strange corrupted PNG files! :)

Finally, I really thank my mentors pancake, xvilka, and jvoisin for helping me doing the task, and for organizing the RSoC in general. I also thank maijin for having done a lot of tests in pf and for reporting a lot of unexpected features, and I also thank all the r2 community for being nice on the IRC chan, and for supporting such a great project!


Tags: