1 The Rizin Framework
Rizin is a free and open-source reverse engineering framework that delivers a comprehensive binary analysis experience. It focuses on usability, stability, and functional features, striving to create a welcoming environment for developers and users.
At its core, Rizin consists of a set of small command-line utilities. These utilities can be used in tandem with Rizin or independently, each serving specific purposes. While this chapter provides a brief introduction to these tools, dedicated sections for each tool can be found at the end of this book for more detailed information.
1.0.1 rizin
The primary command line tool within the framework is rizin
. It encompasses various features such as a disassembler, hexadecimal editor, and debugger. Rizin enables you to treat multiple input/output sources, such as plain text files, executables, kernel drivers, processes, etc., as if they were straightforward text files.
It incorporates a sophisticated command line interface for navigating through the accessed resource, analyzing data, disassembling, patching binaries, comparing data, searching, replacing, and visualizing. Furthermore, scripting capabilities are available with a range of languages, including Python, Haskell, OCaml, JavaScript, and others.
1.0.2 rz-bin
The rz-bin
utility serves the purpose of extracting information from executable binaries, encompassing formats like ELF, PE, Java CLASS, Mach-O, and any other format supported by rizin plugins. Within the core functionality, rz-bin
plays a crucial role in obtaining data such as exported symbols, imports, file details, cross references, library dependencies, and sections.
1.0.2.1 Examples
$ rz-bin -I unknown.bin
[Info]
arch x86
cpu N/A
baddr 0x00000000
binsz 0x000213b3
bintype elf
bits 64
class ELF64
compiler GCC: (GNU) 13.2.1 20230801
dbg_file N/A
endian LE
hdr.csum N/A
guid N/A
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x00000000
lang c
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
os linux
cc N/A
pcalign 0
relro full
rpath NONE
subsys linux
stripped true
crypto false
havecode true
va true
sanitiz false
static false
linenum false
lsyms false
canary true
PIE true
RELROCS false
NX true
1.0.3 rz-asm
The rz-asm
tool operates as a command line assembler and disassembler, catering to various architectures such as Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and numerous others.
1.0.3.1 Examples
$ rz-asm -a java 'nop'
00
$ rz-asm -a x86 -d '90'
nop
$ rz-asm -a x86 -b 32 'mov eax, 33'
b821000000
$ echo 'push eax;nop;nop' | rz-asm -f -
509090
1.0.4 rz-hash
rz-hash
stands as an implementation of a block-based hash tool. It offers support for a range of algorithms, including MD4
, MD5
, CRC
, SHA1
, SHA256
, and more, accommodating both small text strings and large files. Its utility extends to checking the integrity or monitoring changes in substantial files and memory dumps.
1.0.4.1 Examples
$ rz-hash file.bin
file.bin: 0x00000000-0x00000007 sha256: 887cfbd0d44aaff69f7bdbedebd282ec96191cce9d7fa7336298a18efc3c7a5a
$ rz-hash -a md5 file.bin
file.bin: 0x00000000-0x00000007 md5: d1833805515fc34b46c2b9de553f599d
1.0.5 rz-diff
The rz-diff
utility serves as a binary diffing tool, implementing various algorithms. It facilitates byte-level or delta diffing for binary files and code-analysis diffing to identify alterations in fundamental code blocks derived from the rizin code analysis.
This tool optimally leverages multi-threading to enhance performance, particularly on CPU-intensive and time-consuming tasks.
1.0.6 rz-find
rz-find
operates as a program designed to locate byte patterns in files. It provides the capability to search for various types of signatures, including strings in different encodings such as ASCII, UTF-8, wide, and more, across multiple encoding types.
1.0.7 rz-gg
rz-gg
is a tool designed to compile programs written in a simple high-level language into compact binaries suitable for x86, x86-64, and ARM architectures.
1.0.7.1 Examples
$ cat hi.r
/* hello world in r_egg */
write@syscall(4); //x64 write@syscall(1);
exit@syscall(1); //x64 exit@syscall(60);
main@global(128) {
.var0 = "hi!\n";
write(1,.var0, 4);
exit(0);
}
$ rz-gg -O -F hi.r
$ ./hi
hi!
$ cat hi.c
main@global(0,6) {
write(1, "Hello0", 6);
exit(0);
}
$ rz-gg hi.c
$ ./hi.c.bin
Hello
1.0.8 rz-run
rz-run
functions as a launcher for executing programs within diverse environments, allowing customization of various aspects such as arguments, permissions, directories, and overridden default file descriptors. This utility proves beneficial for activities like solving crackmes, fuzzing, and running test suites.
The versatility of rz-run
is evident in its capabilities. Here are a few examples illustrating how it can be utilized:
1.0.8.1 Sample rz-run script
$ cat foo.rrz
#!/usr/bin/rz-run
program=./pp400
arg0=10
stdin=foo.txt
chdir=/tmp
#chroot=.
./foo.rrz
1.0.8.2 Connecting a program with a socket
$ nc -l 9999
$ rz-run program=/bin/ls connect=localhost:9999
1.0.8.3 Debugging a program redirecting STDIO into another terminal
1 - Open a new terminal and type ‘tty’ to get a terminal name:
$ tty ; clear ; sleep 999999
/dev/ttyS010
2 - Create a new file containing the following rz-run profile named foo.rrz:
#!/usr/bin/rz-run
program=/bin/ls
stdio=/dev/ttys010
3 - Launch the following rizin command:
rizin -r foo.rrz -d /bin/ls
1.0.9 rz-ax
rz-ax
stands out as a minimalistic mathematical expression evaluator tailored for the shell. Its utility extends to facilitating base conversions between floating-point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, and more. Notably, it supports endianness settings and can serve as an interactive shell when invoked without arguments.
1.0.9.1 Examples
$ rz-ax 1337
0x539
$ rz-ax 0x400000
4194304
$ rz-ax -b 01111001
y
$ rz-ax -S rizin
72616461726532
$ rz-ax -s 617765736f6d65
awesome