How goes the RSoC by the way?

Apart moving a bit slowly, it's going fine.

Skia is working on extending 'pf' command to improve display of nested structures, then will start to implement conditional structures, to lay the foundations of 010-templates-like support.

jfrankowski is improving the YARA support, and will likely greatly enhance the zignature feature.

fr33tux is working on sdb, but it seems that he has lost his internet connection.

Things are moving slowly, but students seems to be interested by their tasks, and we're doing the best to mentor them. Please keep in mind that they are not fluent in C, and are still learning.

Types

One of the most wanted features for the RSoC was the support for 010-like templates. This is still planned, but there have been no recent movement on the topic.

But some of the basic cparse support has been implemented and I think it's time to get in touch with it in order to get ready for the integration with the rest of the analysis engine.

Current cparse is able to handle cpp and C syntax with support for enums, structs and nested structs. There's an ongoing discussion to define how function signatures should be stored in sdb.

Types are managed with the 't' command. By default it loads some basic ones like 'char *', 'unsigned int' or 'long'. The 't' command dumps the core->anal->sdb_types database which contains the following structure:

[0x00000000]> t
unsigned int=type  
unsigned char=type  
unsigned short=type  
int=type  
long=type  
void *=type  
char=type  
char *=type  
const char*=type  
type.unsigned int=i  
type.unsigned char=b  
type.unsigned short=w  
type.int=d  
type.long=x  
type.void *=p  
type.char=x  
type.char *=*z  
type.const char*=*z  

We can load a C include file with the 'to' command:

$ r2 -
[0x00000000]> cat test.h
#define uint32_t unsigned int
#define uint16_t unsigned short
#define uint8_t unsigned char

typedef struct name {  
        char first[40];
        char middle[40];
        char last[40];
} name_t;

typedef struct date {  
        uint8_t day;
        uint8_t month;
        uint16_t year;
} date_t;

typedef struct addr {  
        char street[127];
        char city[40];
        uint32_t zip;
} addr_t;

typedef struct dox {  
        addr_t address;
        name_t name;
        date_t bday;
} dox_t;

Note that the header have been tuned to rename some types to the ones supported by cparse (layer on top of libr_tcc).

[0x00000000]> to test.h

After this command the list of types found in 't' will be longer.

Displaying Types

Types are linked to 'pf' print format command, so the types specify the format char of 'pf' to display or modify it.

Types can be mapped at any address with the 'tl' command, and then using 'tf' it will show the data in there. This is used by the disasm loop to display inline structures.

[0x00000000]> tl addr 0x4000
[0x00000000]> tf 0x4000
struct addr {  
street : 0x00004000 = "Wallaby Way"  
  city : 0x00004000 = "Sydney"
   zip : 0x00004008 = 2000
}

To display the command that is being executed the 't' command accepts a type argument which we may use to get the format string and field names:

[0x00000000]> t addr
pf *z*zi street city zip  

Then we just use the magic of the r2 shell to interpret the command right there at the address we want:

[0x00000000]> .t addr @ 0x804840

Note the dot at the begining will execute every line of the output of the command as an r2 command. The '@' token, splits the line and evaluates the right expression. Then it does a temporal seek at this address runs the command and comes back.

If you want to learn more on Types. See the rest of the commands of 't?'. And if you feel brave don't esitate to checkout the source and send us a patch.

The future is cparse includes conditional structures and full write support for modifying struct fields.

--pancake

We were at PSES!

One of our resident contributor (jvoisin) was at PSES to do a talk in French, entitled Rétro-ingénierie avec radare2 - Parce que l'assembleur, c'est sympathique, aka Reversing with radare2 - Because assembly is sympathetic.

If you're interested in french terms (some of them are funny), you can watch the whole talk on youtube, and download the slides here

Since the audience was non-technical, the first part is a gentle introduction to reverse engineering, and the second one is composed of two (messies) demos of radare2 in action for a WAP54G pwnage, and also a quick and dirty crack for an old game.

Overall, people liked the talk, and we likely gained some new contributors.