Codepaths is a binary reversing tool to find all possible code paths between two functions.
It is a command line tool built on Python3 and r2pipe which supports the formats and architectures that radare2 supports.
The tool gives you a brief overview on how to hit interesting parts of the code in preparation for the manual reverse engineering process. It is particularly useful for simple scenarios like finding paths between functions that handles user-provided input to functions that invoke exec()
-like function.
Different mode of operations can be specified through arguments.
from-to
: Find the code paths between functions passed in--from
and--to
arguments. Omitting--from
starts searching from the binary entry point.to-exec
: Find the code paths between--from
function and a list ofexec()
-like functions. Omitting--from
starts searching from the binary entry point.list-func
: List the functions in the binary. Same as radare2afl
.list-exec
: List theexec()
-like functions in the binary.
Arguments --from
and --to
accept both function name format used by radare2 (i.e. sym.*
, sub.*
, entry0
) and addresses in the 0x
format. Customise what's considered notable exec()
-like function in the SINKS
variable in the script.
Requirements
Follow the official documentation on installing the latest version of radare2.
$ git clone https://github.com/radare/radare2
$ cd radare/
$ sudo sys/install.sh
Then install r2pipe binding for Python 3.
$ sudo pip3 install r2pipe
Install
Downloading the single python script is enough to start using codepaths.
$ wget https://raw.githubusercontent.com/epinna/codepaths/master/codepaths.py
Find all the paths between the entry point and socket()
call in /bin/cat
binary.
$ ./codepaths.py from-to --to sym.imp.socket /bin/cat
[+] Analyzing all referenced code with radare2
[+] Finding paths betwen 1 sources and 1 sinks..
[+] Path 1 of 1 between sym.imp.socket and entry0
▶ 0x100001590 entry0
| 0x1000016cc call sym.func.100001728
▶ 0x100001728 sym.func.100001728
| 0x100001857 call sym.imp.socket
▶ 0x100001d8c sym.imp.socket
Find all the paths between the entry point and any exec()
-like call in /usr/bin/jar
binary.
$ ./codepaths.py to-exec /usr/bin/jar
[+] Analyzing all referenced code with radare2
[+] Finding paths betwen 1 sources and 1 sinks..
[+] Path 1 of 1 between sym.imp.execv and entry0
▶ 0x10000090d entry0
| 0x100000aea call sym.func.100001146
▶ 0x100001146 sym.func.100001146
| 0x10000120a call sym.imp.execv
▶ 0x100001876 sym.imp.execv
List all the exec()
-like functions in the /usr/bin/find
binary.
$ ./codepaths.py list-exec /usr/bin/find
[+] Analyzing all referenced code with radare2
0x100005a4c sym.imp.execvp
List all the functions in the /bin/ls
binary.
$ ./codepaths.py list-func /bin/ls
[+] Analyzing all referenced code with radare2
0x100000f20 sym.func.100000f20
0x100000f32 sym.func.100000f32
0x100000f47 sym.func.100000f47
...
- Codepaths could be run from radare2 command line terminal, but it currently triggers this error. This will be updated when fixed.
- Dictionary of sinks
SINKS
would benefit from additional categories and functions.