load without any analysis (file header at offset 0x0): r2 -n /path/to/file
- analyze all:
aa - show sections:
iS - list functions:
afl - list imports:
ii - list entrypoints:
ie - seek to function:
s sym.main
Willi Ballenthin williballenthin
williballenthin
/ yet another radare2 cheatsheet.md
Last active
February 2, 2026 14:49
williballenthin
/ strings.py
Last active
July 14, 2022 21:10
Extract ASCII and Unicode strings using Python.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from collections import namedtuple | |
| ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t" | |
| String = namedtuple("String", ["s", "offset"]) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| digraph structs { | |
| node [shape=plaintext, style="rounded", fontname="courier"] | |
| struct1 [label=< <TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0"> <TR><TD>left</TD><TD PORT="f1">mid dle</TD><TD PORT="f2">right</TD></TR> </TABLE>>]; | |
| struct2 [label=< <TABLE BORDER="0" CELLBORDER="1" CELLSPACING="0"> <TR><TD PORT="f0">one</TD><TD>two</TD></TR> </TABLE>>]; | |
| struct3 [label=< | |
| <TABLE BORDER="1" CELLBORDER="0"> |
williballenthin
/ example_cmd.py
Last active
October 2, 2020 14:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| some documentation | |
| author: Willi Ballenthin | |
| email: willi.ballenthin@gmail.com | |
| website: https://gist.github.com/williballenthin/f88c5c95f3e41157de3806dfbeef4bd4 | |
| ''' | |
| import sys | |
| import logging |
williballenthin
/ keybase.md
Created
June 12, 2016 00:05
I hereby claim:
- I am williballenthin on github.
- I am williballenthin (https://keybase.io/williballenthin) on keybase.
- I have a public key whose fingerprint is 5EE1 D88E 60EA 91EF B8B1 906D 017C BAD6 4143 BB1D
To claim this, I am signing this object:
williballenthin
/ add_segment.py
Last active
December 27, 2019 01:59
Add a segment to an IDA .idb from a file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| IDAPython plugin that adds the contents of a file as a new segment in an existing idb. | |
| Prompts the user for: | |
| - file path | |
| - segment name | |
| - segment starting offset | |
| Useful for reversing engineering packed software and shellcode. | |
| Author: Willi Ballenthin <william.ballenthin@fireeye.com> |
williballenthin
/ get_schedule.py
Last active
August 30, 2019 13:34
script to generate consolidated schedule for BH, DC, BSidesLV for 2016
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import logging | |
| from collections import namedtuple | |
| import requests | |
| import bs4 | |
| from bs4 import BeautifulSoup | |
| logger = logging.getLogger(__name__) |
williballenthin
/ yara_fn.py
Last active
December 4, 2020 05:25
generate a yara rule that matches the basic blocks of the current function in IDA Pro
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <william.ballenthin@fireeye.com> |
williballenthin
/ synapse-cortex-tutorial.ipynb
Last active
March 5, 2018 03:39
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
williballenthin
/ synapse-swarm-tutorial.ipynb
Last active
March 5, 2018 03:38
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.