Understanding rabin2 output

Posted by David on February 28, 2020
Read time: 3 mins

Prelude

If you don’t know what rabin2 is/what it does.

Rabin2 understands many file formats: Java CLASS, ELF, PE, Mach-O or any format supported by plugins, and it is able to obtain symbol import/exports, library dependencies, strings of data sections, xrefs, entrypoint address, sections, architecture type. [src]

The binary info option of rabin2 outputs quite a lot of information, however there’s no explanation to what each of the values mean, they can be quite cryptic especially to those not familiar with reverse engineering. I tried searching around but couldn’t find any information regarding it so I made this table to help with interpretting the values, not all values are included here, but I added all that I could figure out so far, this may be updated in the future.

Table

Header Explanation Remark
arch Architecture of the binary (Eg. ARM, x86)  
baddr Base Address, used to calculate the absolute address when the program is loaded in memory.  
laddr Load Address Reference
bits Size of address pointer of program  
bintype The type of binary (Eg. PE, ELF), blank if not a known binary type  
linenum COFF Line Numbers for PE or DWARF in ELF, Debugging line numbers relating to the source code.  
lsyms Whether the binary contains debug symbols. Having symbols allows you to see function and variable names.  
endian Endianness of the binary (Little or Big)  
binsz Size of the binary in bytes  
Canary Stack canary. A random value is placed on the stack at the start of the function, this value is checked for modification before a function returns because it has to be overwritten in order to overwrite the return pointer. Protection Mechanism
retguard Similar function to stack canary. More info Protection Mechanism
sanitiz Address Sanitizer (ASAN) a memory error detector for C/C++ Should only be seen for debug builds because of the performance impact of ASAN
NX No execute bit. W^X -> Memory regions cannot be both writable and executable Protection Mechanism
PIC Position Independent Code, allows ASLR Protection Mechanism
reloc Performs Load-time relocation  
Relro Makes some binary sections read-only. Protection Mechanism
rpath The run-time library search path hard-coded in an executable file or library.  
Signed Digitally signed Only for PE binaries
Static Whether the binary is statically linked  
Stripped Whether the binary contain debug information  
va Uses virtual addressing  

Sample outputs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$ rabin2 -I /bin/bash
arch     x86
baddr    0x0
binsz    1111705
bintype  elf
bits     64
canary   true
sanitiz  false
class    ELF64
crypto   false
endian   little
havecode true
intrp    /lib64/ld-linux-x86-64.so.2
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  AMD x86-64 architecture
maxopsz  16
minopsz  1
nx       true
os       linux
pcalign  0
pic      true
relocs   false
relro    full
rpath    NONE
static   false
stripped true
subsys   linux
va       true
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ rabin2 -I /mnt/c/Windows/System32/ipconfig.exe
arch     x86
baddr    0x140000000
binsz    34816
bintype  pe
bits     64
canary   false
retguard false
sanitiz  false
class    PE32+
cmp.csum 0x0000cef7
compiled Tue Jan 14 03:35:17 1986
crypto   false
dbg_file ipconfig.pdb
endian   little
havecode true
hdr.csum 0x0000cef7
guid     FF8C0F8EBC5D9AA01B9260167EE2FC3C1
laddr    0x0
linenum  false
lsyms    false
machine  AMD 64
maxopsz  16
minopsz  1
nx       true
os       windows
overlay  false
pcalign  0
pic      true
relocs   false
signed   false
static   false
stripped true
subsys   Windows CUI
va       true