Knowledge Base

rsbkb

3 min read

rsbkb (Rust blackbag)

rsbkb has multiple tools which are designed to be called directly (through symlinks, like busybox). This allows various operations on data to be chained easily like CyberChef but through pipes.

It also includes various practical tools like entropy, a binary grep, a timestamp decoder, etc.

Examples

Read 10 bytes from /etc/passwd starting at offset 0x2f, then xor with 0xF2, encode it in URL-safe base64 and finally URL encode it:

$ slice /etc/passwd 0x2f +10 | xor -x f2 | b64 -u | urlenc
l5%2DdnMjdh4GA3Q%3D%3D

Various examples:

$ unhex 4141:4141
AA:AA
$ echo -n'4141:4141' | unhex
AA:AA
$ crc32 '41 41 41 32'
e60ce752
$ echo -n '41 41 41 32' | crc32
e60ce752
$ echo test | b64 | urlenc
dGVzdAo%3D
$ tsdec 146424672000234122
2065-01-01T00:00:00.0234122Z
$ tsdec 0
1970-01-01T00:00:00Z
$ rsbkb bofpatt 60
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9
$ rsbkb bofpattoff -b 0x41623841
Decoded pattern: Ab8A (big endian: true)
Offset: 54 (mod 20280) / 0x36
$ echo -n tototutu | rsbkb entropy
0.188
$ bgrep -x 454c460201 /bin/ls
0x1
$ bgrep "\x45\x4c..\x01" /bin/ls
0x1
$ findso -p /lib/x86_64-linux-gnu/ -r memcpy /bin/ls
/lib/x86_64-linux-gnu/libc.so.6
$ findso -l /etc/ld.so.conf -a memcpy
/lib/i386-linux-gnu/libc.so.6
[...]
$ base 0x14
20
$ echo "echo 'test'" | escape -t bash-single
'echo '"'"'test'"'"''

Usage

  • Almost all tools take values as an argument on the command line or if not present, read from stdin
  • Tool name can be specified on the command line rsbkb TOOL
  • Or can be called busybox-style: ln -s rsbkb unhex ; unhex 4142. Create symlinks with:
rsbkb symlink

Included tools

  • hex: hex encode
  • unhex: decode hex data (either in the middle of arbitrary data, or strictly)
  • b64: base64 encode (use -u or --URL for URL-safe b64)
  • d64: base64 decode (use -u or --URL for URL-safe b64)
  • urlenc: url encode (see --help for advanced options)
  • urldec: url decode
  • xor: xor (use -x to specify the key, in hex, -f to specify a file)
  • crc: all CRC algorithms implemented in the Crc crate
  • crc16: CRC-16
  • crc32: CRC-32
  • bofpatt / boffpattoff: buffer overflow pattern generator / offset calculator
  • tsdec: decode various timestamps (Epoch with different resolutions, Windows FILETIME)
  • slice: take a “slice” of a file (like dd):
  • slice input_file 10 will output input_file from offset 10 on stdout
  • slice input_file 0x10 0x20 will do the same from 0x10 to 0x20 (excluded)
  • slice input_file 0x10 +0xFF will copy 0xFF bytes starting at 0x10
  • slice input_file -0x10 will the last 0x10 bytes from input_file
  • entropy: entropy of a file
  • bgrep: simple binary grep
  • findso: find which ELF shared library (.so) exports a given name/function
  • inflate and deflate: raw inflate/deflate compression, fault tolerant and with optional Zlib header support
  • base: easy radix conversion of big integers
  • escape: backslash-escape special characters in strings (generic, single quote, shell, bash, bash single)
  • unescape: unescape \ escaped chars in strings

Graph View

Backlinks