16.1.1 Functions

We can use rabin to import the function definitions directly from the program:

[0xB7F14810]> .!rabin -rs $FILE

Rabin will mark each function with 'CF <size> @ <fun-addr>', add comments for stack usage, and set up a flag for each function symbol.

To analyze a single function, use the 'af' command, which analyzes the code from the current seek and tries to identify the end of the function. 'af' prints a report; the 'af*' form prints only radare commands, which are not applied until you interpret them with '.af*'.

[0xB7F94810]> af @ sym.main
offset = 0x080499b7
label = sym.main
size = 832
blocks = 2
framesize = 0
ncalls = 21
xrefs = 0
args = 3
vars = 5

This report summarizes the function analysis. It is useful for scripting: for example, these metrics can serve as a function signature, so a function in a statically linked binary can be matched against signatures previously captured from a library, or two functions can be compared to decide whether they are the same. Note that offset, label and xrefs depend on where the function sits and who calls it, so only the remaining metrics are worth comparing between binaries.

Once you have read this report, it is possible to import the analysis into the core:

[0xB7F93A60]> af*
; from = 0xb7f93a60
; to   = 0xb7f93c0d
CF 430 @ 0xb7f93a60
CC Stack size +40 @ 0xb7f93a71
CC Set var32 @ 0xb7f93a74
...

[0xB7F93A60]> .af*
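As an added example (not radare's own code), the following Python script parses the 'af' report shown above into a dictionary, reduces it to a position-independent signature tuple for comparing two functions, and splits the 'af*' listing into the 'CF'/'CC' commands that '.af*' would interpret. The sample reports embedded in the script are constructed: the first is the sym.main report from this page, the second is a hypothetical copy of the same routine at another address, and the third is the 'af*' listing from this page.

```python
"""Parse radare 'af' function reports and 'af*' command listings.

Added example, not radare's own code: it mirrors the report format and
the CF/CC commands shown on the page, nothing more.
"""
import re

# Constructed sample: the 'af @ sym.main' report shown on the page.
MAIN_REPORT = """\
offset = 0x080499b7
label = sym.main
size = 832
blocks = 2
framesize = 0
ncalls = 21
xrefs = 0
args = 3
vars = 5
"""

# Constructed sample: a hypothetical copy of the same routine at another
# address in a second binary (label, offset and xref count differ).
RELOCATED_REPORT = """\
offset = 0x08049c10
label = fcn.08049c10
size = 832
blocks = 2
framesize = 0
ncalls = 21
xrefs = 4
args = 3
vars = 5
"""

# Constructed sample: the 'af*' listing shown on the page.
AF_STAR_OUTPUT = """\
; from = 0xb7f93a60
; to   = 0xb7f93c0d
CF 430 @ 0xb7f93a60
CC Stack size +40 @ 0xb7f93a71
CC Set var32 @ 0xb7f93a74
"""

# Fields that describe the function body itself. offset, label and xrefs
# depend on where the function sits and who calls it, so they are left out.
SIGNATURE_FIELDS = ("size", "blocks", "framesize", "ncalls", "args", "vars")


def parse_af_report(text):
    """Turn 'key = value' lines into a dict; every field but label becomes an int."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "label":
            info[key] = value
        else:
            info[key] = int(value, 0)  # base 0 accepts both '0x...' and decimal
    return info


def signature(info):
    """Position-independent tuple of metrics usable as a crude function signature."""
    return tuple(info[f] for f in SIGNATURE_FIELDS)


def same_function(report_a, report_b):
    """True when both reports carry the same intrinsic metrics."""
    return signature(parse_af_report(report_a)) == signature(parse_af_report(report_b))


def parse_af_commands(text):
    """Split 'af*' output into (command, argument, address) triples.

    Lines starting with ';' are comments, which '.af*' ignores.
    """
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"(C[FC])\s+(.*?)\s+@\s+(0x[0-9a-fA-F]+)$", line)
        if not m:
            raise ValueError("unexpected af* line: %r" % line)
        cmd, arg, addr = m.groups()
        commands.append((cmd, arg, int(addr, 16)))
    return commands


if __name__ == "__main__":
    print(parse_af_report(MAIN_REPORT))
    print("same function:", same_function(MAIN_REPORT, RELOCATED_REPORT))
    for cmd in parse_af_commands(AF_STAR_OUTPUT):
        print(cmd)
```

A signature built only from these counts is deliberately crude: two unrelated functions of the same size, block count and call count will collide, so treat a match as a candidate to confirm by other means (for example by comparing the CF/CC commands or the bytes themselves), not as proof of identity.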

The function analysis stops when it reaches a call; use the 'aF' command to analyze the called functions recursively as well. It takes the same arguments as 'af':

[0xB7F93A60]> .aF

You can also analyze all the symbols of a binary using the '@@' iterator, which repeats the command at every flag matching the given prefix:

[0xB7F94A60]> .af* @@ sym.

To read the xref information, try the following. The xref comment on imp_printf records the call site (sym.main+0x1a2), and seeking to that address shows the call instruction itself:

[0xB7F94A60]> pd 1 @@ imp_printf
; CODE xref 0804923e (sym.main+0x1a2)
0x08048CB8,  imp_printf:
0x08048CB8      v goto dword near [0x805e164]
[0xB7FD9810]> pd 1 @ sym.main+0x1a2
0x0804923E     ^ call 0x8048CB8     ; 1 = imp_printf