Improve the radiff2 chapter, still very wip

src/SUMMARY.md

@@ -34,6 +34,9 @@
       * [Strings](tools/rabin2/strings.md)
       * [Sections](tools/rabin2/program_sections.md)
    * [Radiff2](tools/radiff2/intro.md)
+      * [Data Diffing](tools/radiff2/datadiff.md)
+      * [Comparing Code](tools/radiff2/codediff.md)
+      * [Headers Diffing](tools/radiff2/bindiff.md)
       * [Binary Diffing](tools/radiff2/binary_diffing.md)
    * [Rasm2](tools/rasm2/intro.md)
       * [Assemble](tools/rasm2/assemble.md)

src/r2frida/intro.md

@@ -1,9 +1,32 @@
 # r2frida
 
-Using Frida from radare2 let's you extend all the static analysis capabilities of radare2 with the powerful tracing and process manipulation capabilities of Frida.
+r2frida is a plugin that merges the capabilities of radare2 and Frida, allowing you to inspect and manipulate running processes. It is useful for dynamic analysis and debugging, leveraging radare2's reverse engineering tools and Frida's dynamic instrumentation.
+
+With r2frida you can use short mnemonic r2 commands instead of having to type long javascript oneliners in the prompt, also those commands are executed inside the target process and are well integrated with radare2, allowing to import all the analysis information from dynamic instrumentation into your static analysis environment.
+
+Some of the most relevant features include:
+
+* Running Frida scripts with :. command
+* Executing snippets in C, JavaScript, or TypeScript
+* Attaching, spawning, or launching processes locally or remotely
+* Listing sections, symbols, classes, methods
+* Searching memory, creating hooks, and manipulating file descriptors
+* Supporting Dalvik, Java, ObjC, Swift, and C interfaces
 
 ## Installation
 
-```
+Install r2frida via radare2 package manager:
+
+```sh
 $ r2pm -ci r2frida
 ```
+
+Now you should be able to test if the system session works by running the following command:
+
+```sh
+$ r2 frida://0
+```
+
+If this is not working try with the `R2_DEBUG=1` environment variable set and see if there's any relevant error. Maybe the plugin is not loaded or it was not compiled for the specific version of radare2 that you are using.
+
+The URI handler of r2frida can be quite complex as it allows you to specify different ways to start a process, attaching as well as the communication channel, permitting it to connect though usb, tcp or working with local programs.

src/tools/radiff2/bindiff.md

@@ -0,0 +1,8 @@
+## Binary Diffing
+
+radiff2 is also able to compare binaries by checking the differences between the output of `rabin2`. This is, the symbols, libraries, strings, etc.
+
+The relevant flags for this feature are:
+
+* -A/-AA analy
+* -i [ifscm] -> compare imports, fields, symbols, classes,..

src/tools/radiff2/codediff.md

@@ -0,0 +1,44 @@
+## Code Diffing
+
+This tool can be also used to compare code, which can be really handy when analyzing two shellcodes, functions or libraries, looking for changes in its code.
+
+To understand this feature we will start by using the basic delta diffing from the previous data analysis example but using the `-D` flag to display the changes in assembly instead of hexadecimal data.
+
+Note that radiff2 permits to specify the arch/bits/.. settings using these flags:
+
+```
+$ radiff2 -h | grep -e arch -e bits
+-a [arch]  specify architecture plugin to use (x86, arm, ..)
+-b [bits]  specify register size for arch (16 (thumb), 32, 64, ..)
+```
+
+Let's test it out!
+
+```
+$ cat 1
+j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
+$ cat 2
+j0X4PX0PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J
+```
+
+Wen can compare the changes as disassembly like this:
+```
+$ radiff2 -D 5 6
+  push 0x30
+  pop rax
+  xor al, 0x30
++ push rax
++ pop rax
+  pop rdx
+  xor ax, 0x4f73
+  xor ax, 0x3041
+  push rax
+```
+
+So we can see that the second file added an extra `push rax + pop rax` which is basically a nop, and maybe this was introduced to bypass some signatures to avoid being detected.
+
+If you are looking for some more advanced bindiffing tool for code you may want to have a look at the `r2diaphora` and the zignatures features under the `z` command in the radare2 shell.
+
+It's also possible to compare the changes between two functions using the `-g` flag, but you'll need to analize both binaries using the `-A` flag, and tell the symbol name as target.
+
+

src/tools/radiff2/datadiff.md

@@ -0,0 +1,87 @@
+## Data Diffing
+
+Data diffing with radiff2 allows you to compare binary data between files of different sizes. This is useful for identifying differences at the byte level, regardless of file length.
+
+For example, comparing two files with `radiff2 -x` shows the differences in two column hexdump+ascii format:
+
+```
+$ cat 1
+hello
+$ cat 2
+hallo
+$ radiff2 -x 1 2
+  offset     0 1 2 3 4 5 6 7 01234567    0 1 2 3 4 5 6 7 01234567
+0x00000000! 68656c6c6f0a     hello.     68616c6c6f0a     hallo.
+``` 
+
+Also in hexII format:
+
+```
+$ radiff2 -X 1 2
+0x00000000! .h.e.l.l.o0a         .h.a.l.l.o0a    
+```
+
+or even the unified diff format using the `-U` flag:
+
+```
+$ radiff2 -U 1 2
+--- /tmp/r_diff.61dd4e41da041	2024-07-22 14:07:37.682683431 +0200
++++ /tmp/r_diff.61dd4e41da06b	2024-07-22 14:07:37.682683431 +0200
+@@ -1 +1 @@
+-hello
++hallo
+```
+
+Let's understand the output because in your terminal you'll see some green and red highlighting the added or removed bytes from the byte-to-byte comparison.
+
+* `!` sign after the offset explains if the block is equal or not
+* hexdump portion of file 1
+* hexdump portion of file 2
+
+When comparing files of different sizes, we will need to use the `-d` flag which performs a delta-diffing algorithm, trying to find the patterns of bytes that has been added or removed when a specific change is found.
+
+```sh
+$ cat 1 
+hello
+$ cat 3
+helloworld
+$ radiff2 1 3
+INFO: File size differs 6 vs 11
+INFO: Buffer truncated to 6 byte(s) (5 not compared)
+0x00000005 0a => 77 0x00000005
+$ radiff2 -d 1 3
+INFO: File size differs 6 vs 11
+0x00000000 68656c6c6f0a => 68656c6c6f776f726c640a 0x00000000
+$
+```
+
+For JSON output, use radiff2 -j -d to get detailed diff information in JSON format:
+
+```
+$ radiff2 -j -d 1 3 |jq .
+INFO: File size differs 6 vs 11
+{
+  "files": [
+    {
+      "filename": "1",
+      "size": 6,
+      "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
+    },
+    {
+      "filename": "3",
+      "size": 11,
+      "sha256": "8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d"
+    }
+  ],
+  "changes": [
+    {
+      "addr": 0,
+      "from": "68656c6c6f0a",
+      "to": "68656c6c6f776f726c640a"
+    }
+  ]
+}
+$
+```
+
+These examples demonstrate how radiff2 can effectively highlight differences in files of varying lengths, providing clear insights into changes at the binary level.

src/tools/radiff2/intro.md

@@ -1,6 +1,14 @@
 ## Radiff2
 
-Radiff2 is a tool designed to compare binary files, similar to how regular `diff` compares text files.
+radiff2 is a powerful tool within the radare2 suite designed for binary diffing. It can be somehow compared to the well known `diff` utility from UNIX, but with focus on comparing binary files.
+
+It supports several types of diffing, including 1:1 binary diffing, delta diffing, code analysis diffing, and binary data (bindata) diffing.
+
+These features allow users to compare two binaries at various levels, from raw data to disassembled code, providing insights into changes and differences between them. Additionally, radiff2 supports architecture and bits specification, graph diffing, and more, making it a versatile tool for reverse engineering tasks.
+
+Many of these diffing features are also available in the `c` command within the radare2 shell. Opening the door to compare data from disk or process memory when using any io backend at any time without leaving the current session.
+
+You can learn more about this tool by checking the help message or reading the manpage with `man radiff2`.
 
 ```
 $ radiff2 -h
@@ -49,3 +57,73 @@ Graph Output formats: (-m [mode])
   i          Interactive ascii art
 ```
 
+
+### Practical examples
+
+Here are a few practical examples of how to use radiff2:
+
+To compare two binaries:
+
+```sh
+radiff2 bin1 bin2
+```
+
+To use graph diffing to compare functions by name:
+
+```sh
+radiff2 -g main bin1 bin2
+```
+
+To count the number of changes between two binaries:
+
+```sh
+radiff2 -c bin1 bin2
+```
+
+To output the diff in a unified format:
+
+```sh
+radiff2 -u bin1 bin2
+```
+
+To compare the opcodes of two functions:
+
+```sh
+radiff2 -O bin1 bin2
+```
+
+### Generating and Applying Patches
+
+To compare two binaries and generate a patch file, you can use the following command:
+
+```sh
+$ echo hello > 1
+$ echo hallo > 2
+$ radiff2 -r 1 2
+wx 61 @ 0x00000001
+$ radiff2 -r 2 1
+wx 65 @ 0x00000001
+$
+```
+
+Note the `-r` flag will generate an r2 script, which can then be used to generate one binary from the other one using radare2 like this:
+
+```sh
+$ rahash2 -a md5 1 2
+1: 0x00000000-0x00000005 md5: b1946ac92492d2347c6235b4d2611184
+2: 0x00000000-0x00000005 md5: aee97cb3ad288ef0add6c6b5b5fae48a
+
+$ radiff2 -r 1 2 > patch.r2
+$ radare2 -qnw -i patch.r2 1
+
+$ rahash2 -a md5 1 2
+1: 0x00000000-0x00000005 md5: aee97cb3ad288ef0add6c6b5b5fae48a
+2: 0x00000000-0x00000005 md5: aee97cb3ad288ef0add6c6b5b5fae48a
+```
+
+Let's explain the radare2 flags one by one:
+
+* -q : quit after executing the script
+* -n : do not load/parse binary headers
+* -w : open in read-write mode
+* -i : specify which script to run