I am running on 64-bit Windows 7 and am using radare2 to attempt both static and dynamic analysis of a binary executable. The issue is that I cannot seem to find the entry point of where the program proper begins. I am still very new to radare2 and reverse engineering in general, so all of the techniques I currently know of have failed to determine this.
My questions are:
- How can I find the entry point of this binary? (and, in general, any binary)
- Why is there no apparent `main` symbol?
- Why do the checks in `afll` fail? (see below)
I have documented my attempts (in chronological order), below:
I use radare2 to open the binary in debug mode (via -d), like so:
```
$ radare2 -d bin.exe
Spawned new process with pid 6204, tid = 6408
r_sys_pid_to_path: Cannot get module filename.
= attach 6204 6408
bin.baddr 0x00400000
Using 0x400000
Spawned new process with pid 5764, tid = 1936
r_sys_pid_to_path: Cannot get module filename.
asm.bits 32
```

Radare2 enters at address 0x772201c4 and I then run `aaa`:
```
[0x772201c4]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
TODO: esil-vm not initialized
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
= attach 6204 6408
6204
```

All of the checks appear to fail, so I attempt to display the address of the entry point, via `iM`, to no avail:
```
[0x772201c4]> iM
[0x772201c4]>
```

There is also no listing for `sym.main` with `afll` either:
```
[0x772201c4]> afll
address     size nbbs edges cc    cost min bound   range max bound   calls locals args xref frame name
=========== ==== ===== ===== ===== ==== =========== ===== =========== ===== ====== ==== ==== ===== ====
0x772201c4    41     1     0     1    4  0x772201c4    13  0x772201d1     2      2    0    0    24 fcn.eip
0x7723df5c    69     1     0     1   29  0x7723df5c    69  0x7723dfa1     0      5    0    1    28 fcn.7723df5c
0x7723dfa1    20     1     0     1   14  0x7723dfa1    20  0x7723dfb5     0      1    0    1     0 fcn.7723dfa1
0x7724989f    69     4     5     3   23  0x7724989f    18  0x772a034a     0      0    1    1     4 fcn.7724989f
0x772498ba    28     1     0     1   22  0x772498ba    28  0x772498d6     2      1    2    1    24 loc.772498ba
0x772498db    54     2     1     0   24  0x772498db    54  0x77249911     4      1    2    1    16 fcn.772498db
0x77266fa6    66     4     5     3   48  0x77266fa6    66  0x77266fe8     5      1    1    1    48 fcn.77266fa6
```

Very confused, I try `pdf`, and get only three lines of assembly mnemonics:
```
[0x772201c4]> pdf
            ;-- eip:
/ (fcn) fcn.eip 41
|   fcn.eip ();
|           ; var int local_4h @ esp+0x4
|           ; var int local_8h @ esp+0x8
|           0x772201c4      89442404       mov dword [local_4h], eax
|           0x772201c8      895c2408       mov dword [local_8h], ebx
\       ,=< 0x772201cc      e9e9960200     jmp loc.772498ba
```

Edit 1: Following Megabeet's advice, this is my output:
```
$ radare2 bin.exe
[0x00404161]> ie
[Entrypoints]
vaddr=0x00404161 paddr=0x00004161 baddr=0x00400000 laddr=0x00000000 haddr=0x00000118 type=program

1 entrypoints

[0x00404161]> ood
Spawned new process with pid 4776, tid = 4528
r_sys_pid_to_path: Cannot get module filename.
File dbg://bin.exe reopened in read-write mode
= attach 4776 4528
Spawned new process with pid 5720, tid = 4780
r_sys_pid_to_path: Cannot get module filename.
Unable to find filedescriptor 3
Unable to find filedescriptor 3
4776
[0x772201c4]>
```
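To show where the numbers in the `ie` output above come from, here is an added Python example (not from the question, and not radare2's own code) that walks the PE headers of a constructed, non-executable sample image: `vaddr` is `ImageBase + AddressOfEntryPoint`, `paddr` is that RVA mapped to a file offset through the section table, and `haddr` is the file offset of the `AddressOfEntryPoint` field itself. The sample values (`e_lfanew` 0xF0, ImageBase 0x400000, AddressOfEntryPoint 0x4161, one `.text` section) are assumptions chosen to reproduce the question's output, not read from the real bin.exe; the parser also handles PE32+ images, which goes beyond the 32-bit case shown here.

```python
import struct

def build_pe(image_base=0x400000, entry_rva=0x4161, e_lfanew=0xF0,
             text_va=0x1000, text_raw=0x1000, text_size=0x5000, pe32plus=False):
    """Build a minimal PE header set (constructed sample, not a runnable program)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    opt_size = 0xF0 if pe32plus else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections=1, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint (RVA)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)               # ImageBase (64-bit)
    else:
        struct.pack_into("<I", opt, 28, image_base)               # ImageBase (32-bit)
    # One IMAGE_SECTION_HEADER for .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_size, text_va, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect

def entry_point(pe):
    """Return the entry point as radare2's `ie` prints it: vaddr, paddr, baddr, haddr."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    haddr = opt + 16                                     # file offset of the AddressOfEntryPoint field
    entry_rva = struct.unpack_from("<I", pe, haddr)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    for i in range(nsections):                           # map RVA -> file offset via the section table
        sh = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sh + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            return {"vaddr": image_base + entry_rva, "paddr": entry_rva - va + raw,
                    "baddr": image_base, "haddr": haddr}
    raise ValueError("entry RVA 0x%x is not backed by any section" % entry_rva)
```

Running `entry_point(build_pe())` gives the same vaddr/paddr/baddr/haddr values that `ie` reported; the address the debugger stops at after `ood` is a different thing from the binary's entry point, which is what `ie` answers.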
dumpbin /headers, although that's actually some code supplied by the C runtime that initialises state and then calls main, not main itself.