rbasefind
1.0.0
A brute-force base address scanner based on @mncoppola's basefind.py and @rsaxvc's basefind.cpp.
Scans a flat 32-bit binary and attempts to calculate the base address of the image. It looks for ASCII English strings, then finds the intersection of all 32-bit words interpreted as pointers and the offsets of those strings.
This works rather well on some ARM (non-Thumb) binaries. It is a very simple heuristic that attempts to use as little information about the file as possible from the target binary. As such, it isn't going to work miracles.
Scan a flat 32-bit binary and attempt to brute-force the base address via string/pointer comparison. Based on the
excellent basefind.py by mncoppola.
USAGE:
rbasefind [FLAGS] [OPTIONS] <INPUT>
FLAGS:
-b, --bigendian Interpret as big-endian (default is little)
-h, --help Prints help information
-p, --progress Show progress
-V, --version Prints version information
OPTIONS:
-n, --maxmatches <LEN> Maximum matches to display (default is 10)
-m, --minstrlen <LEN> Minimum string search length (default is 10)
-o, --offset <LEN> Scan every N (power of 2) addresses. (default is 0x1000)
-t, --threads <NUM_THREADS> # of threads to spawn. (default is # of cpu cores)
ARGS:
<INPUT> The input binary to scan
time ./rbasefind fw.bin
Located 2355 strings
Located 372822 pointers
Scanning with 8 threads...
0x00002000: 2195
0x00001000: 103
0x00000000: 102
0x00003000: 101
0x00004000: 90
0x45e95000: 74
0x45e93000: 73
0x00006000: 64
0x00005000: 59
0x45ec3000: 58
real 0m40.937s
user 5m20.908s
sys 0m0.035s
0x00002000 is the correct base address for this binary.
For large binaries, the default scan may take too long. The search size can be dialed down by specifying a minimum string length, at the expense of "accuracy". E.g.,
time ./target/release/rbasefind fw_all.bin -m 100
Located 7 strings
Located 372822 pointers
Scanning with 8 threads...
0x00002000: 4
0x2ae7b000: 2
0xffe54000: 1
0xfba46000: 1
0xfb9c3000: 1
0xfb80a000: 1
0xfafe6000: 1
0xfafe0000: 1
0xfae3b000: 1
0xfae13000: 1
real 0m0.149s
user 0m0.751s
sys 0m0.012s
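The string/pointer intersection heuristic described at the top, reduced to its core as an added Rust example (not rbasefind's own code): collect ASCII string offsets, read every aligned 32-bit word as a pointer, then score each 0x1000-aligned base by how many relocated strings are pointed to. The sample image and all function names are the example's own; `min_len` plays the role of `-m`, `step` of `-o`, and `big_endian` of `-b`.

```rust
use std::collections::HashSet;

// Offsets of printable-ASCII runs of >= min_len bytes (a NUL sentinel closes a run at EOF).
fn find_strings(data: &[u8], min_len: usize) -> Vec<u32> {
    let mut out = Vec::new();
    let mut start = None;
    for (i, &b) in data.iter().chain(std::iter::once(&0u8)).enumerate() {
        match (b.is_ascii_graphic() || b == b' ', start) {
            (true, None) => start = Some(i),
            (false, Some(s)) => { if i - s >= min_len { out.push(s as u32); } start = None; }
            _ => {}
        }
    }
    out
}

// Every aligned 32-bit word of the image, read as a candidate pointer.
fn find_pointers(data: &[u8], big_endian: bool) -> HashSet<u32> {
    let read = |w: [u8; 4]| if big_endian { u32::from_be_bytes(w) } else { u32::from_le_bytes(w) };
    data.chunks_exact(4).map(|c| read([c[0], c[1], c[2], c[3]])).collect()
}

// Score every `step`-aligned base by how many strings, relocated to base + offset, are pointed to.
fn score_bases(strings: &[u32], pointers: &HashSet<u32>, step: u32, top: usize) -> Vec<(u32, usize)> {
    let mut scores: Vec<(u32, usize)> = (0..=u32::MAX).step_by(step as usize).map(|base| {
        let hit = |&&s: &&u32| base.checked_add(s).map_or(false, |a| pointers.contains(&a));
        (base, strings.iter().filter(hit).count())
    }).collect();
    scores.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
    scores.truncate(top);
    scores
}

// Constructed sample image (not real firmware): LE pointer table at 0 targets three strings as if loaded at 0x2000.
fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 0xa0];
    let table = [0x2040u32, 0x2060, 0x2080, 0xdead_beef, 0x1234]; // last two are noise words
    for (i, p) in table.iter().enumerate() { img[i * 4..i * 4 + 4].copy_from_slice(&p.to_le_bytes()); }
    let strs: [(usize, &[u8]); 3] =
        [(0x40, b"Firmware version string"), (0x60, b"Copyright notice here"), (0x80, b"Bootloader entry point")];
    for &(off, s) in strs.iter() { img[off..off + s.len()].copy_from_slice(s); }
    img
}

fn main() {
    let img = sample_image();
    for (base, hits) in score_bases(&find_strings(&img, 10), &find_pointers(&img, false), 0x1000, 3) {
        println!("0x{:08x}: {}", base, hits); // first line printed: 0x00002000: 3
    }
}
```

Raising `min_len` past the length of every string (the `-m 100` trade-off above) leaves nothing to correlate, which is why a too-aggressive minimum costs accuracy.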