Hi! My name is Isaac Basque-Rice, I'm A Security Engineer and former Abertay Ethical Hacker, and this website is a repository for all the cool stuff I've done, enjoy!

Radare2

By Isaac

What is it?

Radare2 is a framework for performing reverse engineering and binary analysis both statically (when the program isn’t running) and dynamically (when it is running). R2 is made up of a number of smaller command line utilities, including, but not limited to, the following:

  1. Radare2 - The core tool: a hex editor and debugger that also pulls in the other utilities seamlessly to perform data analysis, string extraction, disassembly, binary patching, data comparison, searching, writing and visualising, with scripting support for Python and JavaScript, amongst others.
  2. Rabin2 - Extracts information from executable binaries, such as the ELF and PE headers that hold the metadata of Linux and Windows executables.
  3. Rasm2 - Assembler and disassembler for x86, x86-64, ARM, and a slew of other architectures.
  4. Rahash2 - A hashing tool.
  5. Radiff2 - A tool that shows the differences between two files.

Using Radare2 is as simple as typing r2 path/to/file on the command line. Once in, you’re presented with a prompt that shows the address of the program’s entry point in hexadecimal; in the case of /bin/ls that entry point is 0x000067d0. After this, it’s simply a case of learning the tool. Radare2 is similar to Vim in a few ways, not least the high skill ceiling and steep learning curve, but the strongest similarity is that learning it feels like learning a language, because both tools build commands out of compound mnemonics. For example, in Vim, ci) deletes everything inside a set of parentheses and puts you in insert mode to change the contents. In the same way, pdf disassembles a function, which you can remember by knowing that p prints, pd prints disassembly, and pdf prints a disassembled function.

To learn these commands, or to get a reminder of them, add a ? symbol to the end of a command. Using the print-disassembly example, pd? prints the following:

[0x000067d0]> pd?
Usage: p[dD][ajbrfils] [[-]len]   # Print N bytes/instructions bw/forward
| NOTE: len        parameter can be negative
| NOTE:            Pressing ENTER on empty command will repeat last print command in next page
| pD N             disassemble N bytes
| pd -N            disassemble N instructions backwards
| pd N             disassemble N instructions
| pd--[n]          context disassembly of N instructions
| pda[?]           disassemble all possible opcodes (byte per byte)
| pdb[?]           disassemble basic block
| pdc[?][c]        pseudo disassembler output in C-like syntax
| pdC              show comments found in N instructions
| pde[q|qq|j] [N]  disassemble N instructions following execution flow from current PC
| pdo[N]           convert esil expressions of N instructions to C (bytes for pdO)
| pdf[?]           disassemble function
| pdi              like 'pi', with offset and bytes
| pdj              disassemble to json
| pdJ              formatted disassembly like pd as json
| pdk[?]           disassemble all methods of a class
| pdl              show instruction sizes
| pdp[?]           disassemble by following pointers to read ropchains
| pdr[?]           recursive disassemble across the function graph
| pdr.             recursive disassemble across the function graph (from current basic block)
| pdR              recursive disassemble block size bytes without analyzing functions
| pds[?]           disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)
| pdu[aceios?]     disassemble instructions until condition
| pd, [n] [query]  disassemble N instructions in a table (see dtd for debug traces)
| pdx [hex]        alias for pad or pix
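The pdj entry above gives the same disassembly as machine-readable JSON, which is what makes batch triage possible. The script below is an added example (not code from the original page or from the radare2 project): it rebuilds a pds-style summary (calls, indirect calls, branches) from pdj output. It assumes the per-instruction field names pdj emits ("offset", "size", "disasm", "type", "jump") and that pdfj wraps the same array under an "ops" key; the embedded sample is constructed by hand, not captured from a real binary.

```python
"""Summarise a function's control flow from radare2 `pdj` JSON output.

Assumes pdj emits "offset", "size", "disasm", "type" and "jump" per
instruction and that pdfj wraps that array under "ops".
"""
import json
from collections import Counter

# Constructed sample in the shape of `pdj` output: one object per instruction.
SAMPLE_PDJ = json.dumps([
    {"offset": 0x1139, "size": 4, "disasm": "sub rsp, 8", "type": "sub"},
    {"offset": 0x113d, "size": 7, "disasm": "lea rdi, str.hello", "type": "lea"},
    {"offset": 0x1144, "size": 5, "disasm": "call sym.imp.puts", "type": "call", "jump": 0x1030},
    {"offset": 0x1149, "size": 2, "disasm": "test eax, eax", "type": "cmp"},
    {"offset": 0x114b, "size": 2, "disasm": "je 0x1154", "type": "cjmp", "jump": 0x1154, "fail": 0x114d},
    {"offset": 0x114d, "size": 5, "disasm": "call sym.imp.system", "type": "call", "jump": 0x1040},
    {"offset": 0x1152, "size": 2, "disasm": "jmp 0x1156", "type": "jmp", "jump": 0x1156},
    {"offset": 0x1154, "size": 2, "disasm": "call rax", "type": "ucall"},
    {"offset": 0x1156, "size": 4, "disasm": "add rsp, 8", "type": "add"},
    {"offset": 0x115a, "size": 1, "disasm": "ret", "type": "ret"},
])

def load_instructions(text):
    """Accept either a bare `pdj` array or a `pdfj` object with an "ops" list."""
    data = json.loads(text)
    return data["ops"] if isinstance(data, dict) else data

def summarize(text):
    """Build a pds-style summary: named calls, indirect calls, branches, size."""
    insns = load_instructions(text)
    types = Counter(i["type"] for i in insns)
    # "call" is a direct call with a resolvable name; "ucall" is an indirect
    # (register/memory) call that static disassembly cannot name, so it is
    # reported by address for manual follow-up in the debugger.
    calls = [i["disasm"].split(maxsplit=1)[1] for i in insns if i["type"] == "call"]
    indirect = [hex(i["offset"]) for i in insns if i["type"] == "ucall"]
    branches = [i for i in insns if i["type"] in ("jmp", "cjmp")]
    # A branch target outside the listed range means the range is not a whole function.
    lo, hi = insns[0]["offset"], insns[-1]["offset"] + insns[-1]["size"]
    escaping = [hex(b["jump"]) for b in branches if not lo <= b["jump"] < hi]
    return {"instructions": len(insns), "bytes": hi - lo, "calls": calls,
            "indirect_calls": indirect, "conditional_branches": types["cjmp"],
            "escaping_branches": escaping}

if __name__ == "__main__":
    # Real use: r2 -q -c 'pdj 10 @ entry0' ./binary > out.json, then summarize(open("out.json").read())
    print(json.dumps(summarize(SAMPLE_PDJ), indent=2))
```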

Installation

Linux users can install Radare2 either through their package manager, e.g. sudo apt install radare2 on Debian-based systems, or, the more recommended approach, by cloning directly from the GitHub repository and running the following commands in succession:

git clone https://github.com/radareorg/radare2.git;
cd radare2;
sys/install.sh;

And to update, simply run git pull in the source tree.

Usage

Command line Options

As mentioned previously, Radare2’s standard usage on the command line is r2 /path/to/file. There are, however, flags you can pass on the command line to change the program’s behaviour from the start. A few of the most useful are listed below:

-A              run 'aaa' command (analysis of all referenced code in a binary)
-c 'cmd...'     run arbitrary commands in radare without having to open first
-d              debug executable
-h or -hh       show help
-w              open file in write mode

Radare2 Commands

Further Reading