# 签名

Radare2 has its own format of the signatures, allowing to both load/apply and create them on the fly. They are available under the `z` command namespace:

```
[0x000100b0]> z?
|Usage: z[*j-aof/cs] [args] # Manage zignatures
| z            show zignatures
| z*           show zignatures in radare format
| zj           show zignatures in json format
| z-zignature  delete zignature
| z-*          delete all zignatures
| za[?]        add zignature
| zo[?]        manage zignature files
| zf[?]        manage FLIRT signatures
| z/[?]        search zignatures
| zc           check zignatures at address
| zs[?]        manage zignspaces
```

To load the created signature file you need to load it from SDB file using `zo` command or from the compressed SDB file using `zoz` command.

To create signature you need to make function first, then you can create it from the function:

```
r2 /bin/ls
[0x000051c0]> aaa # this creates functions, including 'entry0'
[0x000051c0]> zaf entry0 entry
[0x000051c0]> z
entry:
  bytes: 31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4
  graph: cc=1 nbbs=1 edges=0 ebbs=1
  offset: 0x000051c0
[0x000051c0]>
```

As you can see it made a new signature with a name `entry` from a function `entry0`. You can show it in JSON format too, which can be useful for scripting:

```
[0x000051c0]> zj~{}
[
  {
    "name": "entry",
    "bytes": "31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4",
    "graph": {
      "cc": "1",
      "nbbs": "1",
      "edges": "0",
      "ebbs": "1"
    },
    "offset": 20928,
    "refs": [
    ]
  }
]
[0x000051c0]>
```

To remove it just run `z-entry` But if you want to save all created signatures, you need to save it into the SDB file using command `zos myentry`. Then we can apply them. Lets open a file again:

```
r2 /bin/ls
 -- Log On. Hack In. Go Anywhere. Get Everything.
[0x000051c0]> zo myentry
[0x000051c0]> z
entry:
  bytes: 31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4
  graph: cc=1 nbbs=1 edges=0 ebbs=1
  offset: 0x000051c0
[0x000051c0]>
```

This means that the signatures were successfully loaded from the file `myentry` and now we can search matching functions:

```
[0x000051c0]> zc
[+] searching 0x000051c0 - 0x000052c0
[+] searching function metrics
hits: 1
[0x000051c0]>
```

Note that `zc` command just checks the signatures against the current address. To search signatures across the all file we need to do a bit different thing. There is an important moment though, if we just run it "as is" - it wont find anything:

```
[0x000051c0]> z/
[+] searching 0x0021dfd0 - 0x002203e8
[+] searching function metrics
hits: 0
[0x000051c0]>
```

Note the searching address - this is because we need to [adjust the searching](/radare2/intro-4/configurating_the_search.md) range first:

```
[0x000051c0]> e search.in=io.section
[0x000051c0]> z/
[+] searching 0x000038b0 - 0x00015898
[+] searching function metrics
hits: 1
[0x000051c0]>
```

We are setting the search mode to `io.section` (it was `file` by default) to search in the current section (assuming we are currently in the `.text` section of course). Now we can check, what radare2 found for us:

```
[0x000051c0]> pd 5
;-- entry0:
;-- sign.bytes.entry_0:
0x000051c0      31ed           xor ebp, ebp
0x000051c2      4989d1         mov r9, rdx
0x000051c5      5e             pop rsi
0x000051c6      4889e2         mov rdx, rsp
0x000051c9      4883e4f0       and rsp, 0xfffffffffffffff0
[0x000051c0]>
```

Here we can see the comment of `entry0`, which is taken from the ELF parsing, but also the `sign.bytes.entry_0`, which is exactly the result of matching signature.

Signatures configuration stored in the `zign.` config vars' namespace:

```
[0x000051c0]> e zign.
zign.bytes = true
zign.graph = true
zign.maxsz = 500
zign.mincc = 10
zign.minsz = 16
zign.offset = true
zign.prefix = sign
zign.refs = true
[0x000051c0]>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://vxerlee.gitbook.io/radare2/intro-6/zignatures.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.