Radare2 is an open source reverse engineering framework for analyzing binaries.
Radare2 also has a built-in debugger, so it is not just a static analysis framework but a debugger as well.
Iaito is the official graphical interface of radare2.
1. Installation
The most preferred and recommended way to install radare2
3. Tips
3.2. Scripting in Python, and parsing command output as JSON
r2pipe lets you write scripts that drive radare2, which takes the tedium out of repetitive reverse engineering tasks.
Some command output looks verbose, and parsing it by hand seems daunting. But most radare2 commands accept a `j` suffix, short for 'JSON', so you never have to parse the text output yourself and can spend the time on the actual work.
import r2pipe

r2 = r2pipe.open('./crackme')            # spawn r2 on the binary and talk to it over a pipe
print(r2.cmdj('ij')['core']['type'])     # 'ij' = binary info as JSON; cmdj() parses it into a dict
Don't confuse `cmd()` with `cmdj()`: `cmd()` returns the raw text a command printed, while `cmdj()` runs the command and automatically parses its JSON result into Python objects (so `cmdj('ij')` gives a dict and `cmdj('aflj')` a list). Use `cmdj()` only with commands that actually have a `j` variant; on non-JSON output it has nothing to parse.
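As an added example (not code from the original post or from the r2pipe project), the script below uses `cmdj()` for a quick binary triage: `iij` for the import table and `iIj` for the binary's mitigation flags. The checks are plain functions over the parsed JSON, so the script is shown running on a constructed sample shaped like the output for the echo program later on this page (the PLT addresses 0x401030 and 0x401040 are the call targets of the `call sym.imp.printf` and `call sym.imp.__isoc99_scanf` instructions in that listing; the mitigation values are illustrative). Pass a path on the command line to run it against a real binary through r2pipe. The list of risky libc functions is my own choice, not anything radare2 provides.

```python
import sys

# libc imports that usually deserve a closer look during a binary audit
# (my own selection, not a radare2 list)
RISKY_IMPORTS = {
    "gets": "unbounded read",
    "strcpy": "no length check",
    "strcat": "no length check",
    "sprintf": "no length check",
    "scanf": "unbounded %s",
    "__isoc99_scanf": "unbounded %s",
    "system": "command execution",
    "popen": "command execution",
}


def triage_imports(imports):
    """Take the list returned by r2.cmdj('iij') and return the risky imports.

    Each iij entry carries at least 'name' and 'plt' (the PLT stub address).
    Returns (name, plt, reason) tuples sorted by PLT address.
    """
    hits = []
    for imp in imports:
        # r2 sometimes prefixes names with sym.imp.; keep only the last component
        base = imp.get("name", "").split(".")[-1]
        if base in RISKY_IMPORTS:
            hits.append((base, imp.get("plt", 0), RISKY_IMPORTS[base]))
    return sorted(hits, key=lambda h: h[1])


def missing_mitigations(info):
    """Take the dict returned by r2.cmdj('iIj') and list the absent mitigations."""
    missing = []
    if not info.get("canary", False):
        missing.append("stack canary")
    if not info.get("nx", False):
        missing.append("NX")
    if not info.get("pic", False):
        missing.append("PIE")
    if info.get("relro", "") != "full":
        missing.append("full RELRO")
    return missing


def audit(r2):
    """Run both checks against a live r2pipe session."""
    return {
        "imports": triage_imports(r2.cmdj("iij")),
        "missing": missing_mitigations(r2.cmdj("iIj")),
    }


# Constructed sample, shaped like 'iij' / 'iIj' output for the echo program
# on this page. PLT addresses are the call targets in its pdf listing;
# the mitigation flags are illustrative.
SAMPLE_IMPORTS = [
    {"ordinal": 1, "bind": "GLOBAL", "type": "FUNC", "name": "printf", "plt": 0x401030},
    {"ordinal": 2, "bind": "GLOBAL", "type": "FUNC", "name": "__isoc99_scanf", "plt": 0x401040},
    {"ordinal": 3, "bind": "WEAK", "type": "NOTYPE", "name": "__gmon_start__", "plt": 0},
]
SAMPLE_INFO = {"arch": "x86", "bits": 64, "canary": False, "nx": True,
               "pic": False, "relro": "partial"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import r2pipe
        r2 = r2pipe.open(sys.argv[1])
        report = audit(r2)
        r2.quit()
    else:
        report = {"imports": triage_imports(SAMPLE_IMPORTS),
                  "missing": missing_mitigations(SAMPLE_INFO)}
    for name, plt, why in report["imports"]:
        print(f"{plt:#x} {name:<16} {why}")
    print("missing mitigations:", ", ".join(report["missing"]) or "none")
```

Because `triage_imports()` and `missing_mitigations()` only take the parsed JSON, the same functions work on output captured with `r2 -qc 'iij' ./crackme` and fed through `json.loads`, which is handy when r2pipe is not installed on the machine doing the triage.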
3.3. Simple radare2 scripting
r2pipe is a nice way to talk to radare2 and your target binary, but sometimes it is overkill. You don't need a Python script just to print the disassembly of main; `pdf` is enough.
import r2pipe

r2 = r2pipe.open('./crackme')
r2.cmd('af @ main')          # analyze the function at main
print(r2.cmd('pdf @ main'))  # print its disassembly
Like a gdb script, write a simple r2 script:
af @ main
pdf @ main
Then launch radare2 with the `-i` option, which runs the script once the binary is loaded (`r2 -i script.r2 ./crackme`); add `-q` if you want radare2 to quit as soon as the script has finished. This takes care of simple but boring tasks automatically.
3.4. Stack view like OllyDbg or Immunity Debugger
TL;DR: `pxr @ rsp`
I wrote a simple echo program as an example.
#include <stdio.h>

int main() {
    char input[0x40];      /* 64-byte buffer on the stack */
    scanf("%s", input);    /* "%s" without a width has no length limit */
    printf("%s", input);
    return 0;
}
And I compiled the code with gcc, without any extra flags.
gcc echo.c
The listing below shows a non-PIE binary (main at 0x401136) without a stack canary. On distributions where gcc defaults to -fPIE and -fstack-protector, main will have a 0x5555... address and the frame will contain a canary, so expect different addresses and a slightly different layout.
Open the output with radare2, passing `-d` to start a debugging session and `-AA` to run the automatic analysis up front.
$ r2 -dAA a.out
ERROR: Not loading library because it has already been loaded from '/home/ch1keen/.local/share/radare2/plugins/libcore_pdd.so'
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods (af @@ method.*)
INFO: Recovering local variables (afva@@@F)
INFO: Skipping type matching analysis in debugger mode (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Scanning for strings constructed in code (/azs)
INFO: Finding function preludes (aap)
INFO: Enable anal.types.constraint for experimental type propagation
-- rm: /: Permission denied.
[0x7f7d2ff9e7c0]>
I set a breakpoint on the `call sym.imp.printf` instruction. After continuing the program with the r2 debugger attached, it reads the input and stops at the breakpoint.
[0x7f6d445487c0]> pdf @ main
            ; DATA XREF from entry0 @ 0x401068(r)
┌ 59: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_40h @ rbp-0x40
│           0x00401136      55             push rbp
│           0x00401137      4889e5         mov rbp, rsp
│           0x0040113a      4883ec40       sub rsp, 0x40
│           0x0040113e      488d45c0       lea rax, [var_40h]
│           0x00401142      4889c6         mov rsi, rax
│           0x00401145      bf04204000     mov edi, 0x402004       ; "%s"
│           0x0040114a      b800000000     mov eax, 0
│           0x0040114f      e8ecfeffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)
│           0x00401154      488d45c0       lea rax, [var_40h]
│           0x00401158      4889c6         mov rsi, rax
│           0x0040115b      bf04204000     mov edi, 0x402004       ; "%s"
│           0x00401160      b800000000     mov eax, 0
│           0x00401165      e8c6feffff     call sym.imp.printf     ; int printf(const char *format)
│           0x0040116a      b800000000     mov eax, 0
│           0x0040116f      c9             leave
└           0x00401170      c3             ret
[0x7f6d445487c0]> db 0x401165
[0x7f6d445487c0]> dc
aaaabbbbccccdddd
INFO: hit breakpoint at: 0x401165
[0x00401165]>
I expect `aaaabbbbccccdddd` to show up when I type `pxr @ rsp`, because `input` lives at rbp-0x40 and the prologue's `sub rsp, 0x40` leaves rsp pointing exactly at it.
[0x00401165]> pxr 0x30 @ rsp
0x7fff9f3c7e60 0x6262626261616161   aaaabbbb @ rsp ascii ('a')
0x7fff9f3c7e68 0x6464646463636363   ccccdddd ascii ('c')
0x7fff9f3c7e70 ..[ null bytes ]..   00000000
0x7fff9f3c7e88 0x00007f6d44549e70   p.TDm... /nix/store/cmpyglinc9xl9pr4ymx8akl286ygl64x-glibc-2.40-66/lib/ld-linux-x86-64.so.2 fcn.7f6d44549e70 fcn.7f6d44549e70 library R X 'endbr64' 'ld-linux-x86-64.so.2'
[0x00401165]>
Oh, I can see `aaaabbbb` and `ccccdddd`. The fourth row, 0x7f6d44549e70, is annotated by `pxr` as a pointer into ld-linux-x86-64.so.2, but it is not the return address: it sits at rsp+0x28, still inside the 0x40-byte input buffer, so it is stale data left there by earlier code that scanf did not overwrite (the 16 input characters plus the terminating NUL end at rsp+0x10, which is why the row in between reads as null bytes). The saved rbp and main's return address are at rsp+0x40 and rsp+0x48, beyond what a 0x30-byte dump reaches; use `pxr 0x50 @ rsp` to see them. That annotation is the reason to prefer `pxr` over `px` here: every qword that looks like a pointer is resolved against the memory maps and flags, which is exactly what the OllyDbg-style stack pane does.
4. Plugins
You can install plugins with r2pm, the radare2 package manager. Run `r2pm -U` once to fetch the package database, then:
$ r2pm -ci <package>
The `-c` option cleans the source cache directory and `-i` installs the plugin.
4.1. r2ghidra
After installing the r2ghidra plugin you can use Ghidra's decompiler from within radare2.
$ r2pm -ci r2ghidra
Installation takes a while because it builds the decompiler. Once it has completed, use the `pdg` command to decompile the current function (`pdg @ main` for a specific one).
4.2. r2dec
If r2ghidra is too heavy for you, r2dec is a lightweight alternative.
$ r2pm -ci r2dec
It adds the `pdd` command; the libcore_pdd.so mentioned in the session output above is this plugin.
4.3. r2frida
r2frida lets radare2 drive Frida, so you can attach to a running process through the `frida://` URI scheme and use the usual radare2 commands against its live memory.
$ r2pm -ci r2frida
4.4. radius2
radius2 is a symbolic execution framework built on radare2's ESIL. To use it, your system needs both cargo and radare2.
$ cargo install radius2
radius2 can be used as a library for writing your own scripts, but it also ships with a standalone binary.
4.5. r2ai and r2d2
These let you work on reverse engineering tasks in radare2 with help from a language model such as GPT-4.
With r2ai you can also run a language model locally, without internet access, and ask it questions about radare2 and reverse engineering in general.
r2d2 is an AI assistant for radare2 that can even solve simple crackmes.
5. Trivia
- In October 2020 some of the radare2 and Cutter developers forked the code base and refactored it; the fork is Rizin. You can look up why they forked the project, but I don't want to go into it here.
- Rizin can save your work as a project file.
- The well-known frontend Cutter is now the official GUI of Rizin.
- A comment by jchw on Hacker News summarizes the contributions to both radare2 and Rizin.
- About naming: there were some other useful plugins.
  - radeco was a decompiler and symbolic execution framework written in Rust.
  - There was retdec-r2plugin, an official plugin from the RetDec decompiler. Radare2 plugins at that time used an r2- prefix, but an r2-retdec plugin already existed; I think they named theirs retdec-r2plugin to keep people from confusing it with that r2-retdec. Either way, the plugin has since become r2retdec and rz-retdec.
  - There were several attempts to bring the power of angr to radare2. The best known is r4ge: a post in Japanese demonstrates radare2 in general and how to use r4ge, and a video shows r4ge being used to solve a CTF challenge. The r2angr plugin is written by pancake, the project lead of radare2.
6. Reference
- Awesome Radare2. It has not been updated for years, but it has rich content.
7. See Also
- Megabeets is a big fan of radare2; he wrote nice tips about radare2 on Stack Overflow and on his blog.
- A journey into Radare 2 - Part 1: Simple crackme
  "OMG… This is the best tutorial of radare2 in the world."
  — h1d3r00t
- Codegate 2018 - RedVelvet writeup
  I struggled to solve this challenge, spending almost 4 hours. This writeup shows how to solve it using my favorite radare2 and angr (AngryIDA).