Resources

There are two ways to look for specific exports in a binary.

Functions

r2.resource(type, language)

Each parameter could be string or regex. In case any parameter is indiferent for you, can use empty string "", for instance:

We can want to look for binaries with an resource type "STRING" and in "JAPANESE":

r2.resource("STRING", "LANG_JAPANESE")

Or simply something in RUSSIAN:

r2.resource("", /RUSSIAN/)

Array

The array called "resources" contains the following attributes:

  • size
  • paddr
  • lang
  • type

So with those you can construct simple or very complex rules, for instance:

rule resources {
    condition:
        for any i in ( 0..r2.number_of_resources ) : 
            (r2.resources[i].size > 2KB and
             r2.resources[i].paddr > 1024 and
             r2.resources[i].type == "ICON" and
             r2.resources[i].lang contains "JAPANESE")
}