šŸ— Wiki

Radare2

Radare2 is an open source reverse engineering framework for analyzing binaries, and it is widely used for reverse engineering tasks.

Radare2 has a built-in debugger, so it is not only a static analysis framework but also a debugger.

Iaito is the official graphical interface of radare2.

1. Installation

Most preferred and recommended way to install the radare2

3. Tips

3.1. Launch a debugger with parameters

r2 -d program arg1 arg2 arg3

Or, from inside a running session, reopen the file in debugger mode with the arguments:

> ood arg1 arg2 arg3

3.2. Scripting in Python, and JSON parse the command outputs

r2pipe lets you write scripts that drive radare2, and it turns boring, repetitive reverse engineering tasks into a few lines of code.

The plain text output of many commands looks redundant, and parsing it seems daunting. But most radare2 commands accept a j suffix, short for 'JSON', and return their result as JSON. You don’t need to parse the text yourself, so you save time and can focus on the actual work.

import r2pipe

r2 = r2pipe.open('./crackme')      # spawn radare2 on the target binary
info = r2.cmdj('ij')               # 'ij' = file info ('i') as JSON ('j'), returned as a dict
print(info['core']['type'])        # file type string, e.g. executable vs. shared object

Don’t confuse cmd() with cmdj(): cmd() returns the command output as raw text, while cmdj() runs the command and parses its JSON output into Python objects for you.
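As an added example (not code from this page or from the radare2 project), here is a small triage script built on cmdj: it reads the hardening flags (NX, PIE, stack canary, RELRO) from ij and flags risky libc imports from iij, which is where a first pass over an unknown binary usually starts. The field names follow the ij and iij JSON output; SAMPLE_INFO and SAMPLE_IMPORTS are constructed, trimmed stand-ins so the pure functions can run without radare2, and RISKY_IMPORTS is my own short watch-list, not anything radare2 ships.

```python
import json
import sys

# Constructed watch-list for this example: libc functions whose presence
# in the import table usually deserves a closer look. Extend as needed.
RISKY_IMPORTS = {
    "gets", "strcpy", "strcat", "sprintf", "vsprintf",
    "scanf", "__isoc99_scanf", "system", "memcpy",
}


def summarize_mitigations(info):
    """Reduce the dict returned by cmdj('ij') to the checksec-style
    hardening flags that matter when triaging a binary."""
    b = info["bin"]
    return {
        "arch": f'{b["arch"]}-{b["bits"]}',
        "nx": bool(b.get("nx")),          # non-executable stack/heap
        "pie": bool(b.get("pic")),        # position independent executable
        "canary": bool(b.get("canary")),  # stack protector present
        "relro": b.get("relro", "unknown"),
        "stripped": bool(b.get("stripped")),
    }


def risky_imports(imports):
    """Names from cmdj('iij') that appear in RISKY_IMPORTS, sorted."""
    return sorted(i["name"] for i in imports if i["name"] in RISKY_IMPORTS)


def triage(path):
    """Open a binary with r2pipe and run both checks. Needs radare2 and the
    r2pipe package installed; the offline sample below does not use it."""
    import r2pipe  # imported lazily so the pure functions run without radare2
    r2 = r2pipe.open(path)
    try:
        return summarize_mitigations(r2.cmdj("ij")), risky_imports(r2.cmdj("iij"))
    finally:
        r2.quit()


# Constructed sample, trimmed to the fields used above, mimicking what
# 'ij' and 'iij' return for the echo program compiled with plain 'gcc echo.c'.
SAMPLE_INFO = {
    "core": {"type": "EXEC (Executable file)", "format": "elf64"},
    "bin": {"arch": "x86", "bits": 64, "nx": True, "pic": False,
            "canary": False, "relro": "partial", "stripped": False},
}
SAMPLE_IMPORTS = [
    {"name": "__isoc99_scanf", "type": "FUNC", "bind": "GLOBAL"},
    {"name": "printf", "type": "FUNC", "bind": "GLOBAL"},
    {"name": "__libc_start_main", "type": "FUNC", "bind": "GLOBAL"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        mitigations, risky = triage(sys.argv[1])
    else:
        mitigations = summarize_mitigations(SAMPLE_INFO)
        risky = risky_imports(SAMPLE_IMPORTS)
    print(json.dumps(mitigations, indent=2))
    print("risky imports:", ", ".join(risky) or "none")
```

Run it as `python3 triage.py ./a.out` against a real binary; without an argument it evaluates the constructed sample. Everything JSON-shaped comes from cmdj, so there is no text parsing anywhere in the script.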

3.3. Simple Radare2 scripting

r2pipe is a really nice way to talk to radare2 and your target binary, but it can be overkill. You don’t need a Python script just to print the disassembly of main; pdf is enough.

import r2pipe

r2 = r2pipe.open('./crackme')
r2.cmd('af @ main')           # analyze the function at main
print(r2.cmd('pdf @ main'))   # print its disassembly as plain text

Like a gdb script, you can write a simple r2 script instead:

af @ main
pdf @ main

Then launch radare2 with the -i option (r2 -i script.r2 ./crackme). The script runs after the file is loaded, which takes simple but boring tasks off your hands.

3.4. Stack view like Ollydbg or Immunity Debugger

TL;DR pxr @ rsp

I wrote a simple echo program as an example.

#include <stdio.h>

int main() {
  char input[0x40];     /* 0x40-byte stack buffer */
  scanf("%s", input);   /* "%s" does not bound the read: longer input overflows the buffer */
  printf("%s", input);
  return 0;
}

Compile it with gcc:

gcc echo.c

Open the output with radare2, passing -d to start a debugging session and -AA to run the initial analysis.

$ r2 -dAA a.out
ERROR: Not loading library because it has already been loaded from '/home/ch1keen/.local/share/radare2/plugins/libcore_pdd.so'
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods (af @@ method.*)
INFO: Recovering local variables (afva@@@F)
INFO: Skipping type matching analysis in debugger mode (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Scanning for strings constructed in code (/azs)
INFO: Finding function preludes (aap)
INFO: Enable anal.types.constraint for experimental type propagation
 -- rm: /: Permission denied.
[0x7f7d2ff9e7c0]>

I set a breakpoint at the call sym.imp.printf instruction. After continuing (dc), the program reads the input and stops at the breakpoint.

[0x7f6d445487c0]> pdf @ main
            ; DATA XREF from entry0 @ 0x401068(r)
┌ 59: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_40h @ rbp-0x40
│           0x00401136      55             push rbp
│           0x00401137      4889e5         mov rbp, rsp
│           0x0040113a      4883ec40       sub rsp, 0x40
│           0x0040113e      488d45c0       lea rax, [var_40h]
│           0x00401142      4889c6         mov rsi, rax
│           0x00401145      bf04204000     mov edi, 0x402004           ; "%s"
│           0x0040114a      b800000000     mov eax, 0
│           0x0040114f      e8ecfeffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)
│           0x00401154      488d45c0       lea rax, [var_40h]
│           0x00401158      4889c6         mov rsi, rax
│           0x0040115b      bf04204000     mov edi, 0x402004           ; "%s"
│           0x00401160      b800000000     mov eax, 0
│           0x00401165      e8c6feffff     call sym.imp.printf         ; int printf(const char *format)
│           0x0040116a      b800000000     mov eax, 0
│           0x0040116f      c9             leave
└           0x00401170      c3             ret
[0x7f6d445487c0]> db 0x401165
[0x7f6d445487c0]> dc
aaaabbbbccccdddd
INFO: hit breakpoint at: 0x401165
[0x00401165]>

I expect aaaabbbbccccdddd to show up when I type pxr @ rsp.

[0x00401165]> pxr 0x30 @ rsp
0x7fff9f3c7e60 0x6262626261616161   aaaabbbb @ rsp ascii ('a')
0x7fff9f3c7e68 0x6464646463636363   ccccdddd ascii ('c')
0x7fff9f3c7e70 ..[ null bytes ]..   00000000
0x7fff9f3c7e88 0x00007f6d44549e70   p.TDm... /nix/store/cmpyglinc9xl9pr4ymx8akl286ygl64x-glibc-2.40-66/lib/ld-linux-x86-64.so.2 fcn.7f6d44549e70 fcn.7f6d44549e70 library R X 'endbr64' 'ld-linux-x86-64.so.2'
[0x00401165]>

There are aaaabbbb and ccccdddd, exactly as typed. The pointer into ld-linux-x86-64.so.2 at rsp+0x28 is not main’s return address, though: var_40h lives at rbp-0x40 and the prologue did sub rsp, 0x40, so the 0x30 bytes dumped here lie entirely inside the input buffer, and that pointer is leftover data from earlier execution (the dynamic loader ran on this stack before main). The saved rbp and the return address sit at rbp and rbp+8; pxr 0x10 @ rbp shows them. Note that because scanf("%s") does not bound the read, any input longer than 0x40 bytes overwrites the saved rbp and then the return address.
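The breakpoint above was found by reading pdf by eye. As an added example (not code from this page or from the radare2 project), here is the same session scripted with r2pipe: it locates the call to sym.imp.printf in main from the pdfj JSON, reads the frame size from the prologue, sets the breakpoint, continues, and dumps the frame plus saved rbp and return address with pxr. SAMPLE_OPS is constructed from the pdf listing above and trimmed to the three fields the helpers use (offset, type, disasm); the rarun2 profile argument is my assumption about the way to feed the debuggee’s stdin when radare2 itself is driven over a pipe, so check it against your radare2 version.

```python
import re
import sys


def find_call(ops, callee):
    """Address of the first call to `callee` in a pdfj 'ops' list, or None.
    pdfj resolves flag names in the 'disasm' field, so the printf call
    reads 'call sym.imp.printf' there."""
    for op in ops:
        if op.get("type") == "call" and op.get("disasm", "").split()[-1] == callee:
            return op["offset"]
    return None


_SUB_RSP = re.compile(r"^sub rsp, (0x[0-9a-fA-F]+|\d+)$")


def frame_size(ops):
    """Bytes reserved by the prologue's 'sub rsp, N', or None when there is
    no such instruction (leaf functions may not reserve a frame)."""
    for op in ops:
        m = _SUB_RSP.match(op.get("disasm", ""))
        if m:
            return int(m.group(1), 0)
    return None


def dump_frame_at_call(path, callee="sym.imp.printf", rr2=None):
    """Debug `path`, break on the first call to `callee` in main, continue,
    and return pxr's view of the whole frame plus saved rbp and return
    address. Needs radare2 and r2pipe. `rr2` (assumption) is a rarun2
    profile containing an 'stdin=' line so the debuggee gets its input."""
    import r2pipe  # lazy import: the helpers above run without radare2
    flags = ["-d"] + (["-e", f"dbg.profile={rr2}"] if rr2 else [])
    r2 = r2pipe.open(path, flags=flags)
    try:
        r2.cmd("af @ main")
        ops = r2.cmdj("pdfj @ main")["ops"]
        bp = find_call(ops, callee)
        if bp is None:
            raise RuntimeError(f"no call to {callee} in main")
        size = (frame_size(ops) or 0) + 0x10   # frame + saved rbp + return address
        r2.cmd(f"db {bp:#x}")
        r2.cmd("dc")
        return r2.cmd(f"pxr {size:#x} @ rsp")
    finally:
        r2.quit()


# Constructed from the 'pdf @ main' listing above. Real pdfj entries carry
# many more fields; only these three are used here.
SAMPLE_OPS = [
    {"offset": 0x401136, "type": "push", "disasm": "push rbp"},
    {"offset": 0x401137, "type": "mov",  "disasm": "mov rbp, rsp"},
    {"offset": 0x40113a, "type": "sub",  "disasm": "sub rsp, 0x40"},
    {"offset": 0x40114f, "type": "call", "disasm": "call sym.imp.__isoc99_scanf"},
    {"offset": 0x401165, "type": "call", "disasm": "call sym.imp.printf"},
    {"offset": 0x401170, "type": "ret",  "disasm": "ret"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        profile = sys.argv[2] if len(sys.argv) > 2 else None
        print(dump_frame_at_call(sys.argv[1], rr2=profile))
    else:
        print(f"breakpoint: {find_call(SAMPLE_OPS, 'sym.imp.printf'):#x}, "
              f"frame: {frame_size(SAMPLE_OPS):#x}")
```

With the frame size taken from the prologue the dump covers the full 0x40-byte buffer plus the two saved words after it, so the effect of an over-long input on the saved rbp and return address is visible in one pxr call rather than in a guessed 0x30.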

4. Plugins

You can install plugins with r2pm, the radare2 package manager.

$ r2pm -ci <package>

The -c option cleans the source cache directory and -i installs the plugin.

4.1. r2ghidra

After installing the r2ghidra plugin you can use Ghidra’s decompiler from inside radare2.

$ r2pm -ci r2ghidra

Installation may take a while. After the installation completed, you can use pdg command to decompile a function.

4.2. r2dec

If r2ghidra feels too heavy, r2dec is a lightweight alternative.

$ r2pm -ci r2dec

4.3. r2frida

r2frida lets radare2 work on a process instrumented with Frida; instead of a file path you open a frida:// URI.

$ r2pm -ci r2frida

4.4. radius2

radius2 is a fast symbolic execution and taint analysis framework built on radare2, comparable to angr.

To use radius2 you need both cargo and radare2 installed.

$ cargo install radius2

radius2 can be used as a library from scripts, but it also ships a standalone binary.

4.5. r2ai and r2d2

You can perform reverse engineering tasks in radare2 with help from language models such as GPT-4.

With r2ai you can run a language model locally, without internet access, and ask questions about radare2 and reverse engineering in general.

r2d2 is an AI assistant for radare2 that can even solve simple crackmes.

5. Trivia

  • For reasons I will not go into here, some of the radare2 and Cutter developers forked the code base in October 2020 and refactored it into Rizin.

    • Rizin can save your work as a project file.

    • The well-known frontend "Cutter" is the official GUI frontend of Rizin.

    • You can look up why the developers forked the project, but I don’t want to go into it here.

  • About naming

    • Radare2 is the successor of radare[3], an abbreviation of […][4].

    • The official frontend 'iaito' takes its name from a Japanese word (居合刀), a metal practice sword without a cutting edge.

      Some Japanese words used in radare2 projects
  • There were some other useful plugins

    • radeco was a decompiler and symbolic execution framework written in Rust.

    • There was retdec-r2plugin, an official plugin from the RetDec decompiler. Radare2 plugins at that time carried an r2- prefix, and an unrelated r2-retdec plugin already existed, so I think the name retdec-r2plugin was chosen to avoid confusion with it.

      Either way, the plugin has since become r2retdec and rz-retdec.

    • There were several attempts to bring the power of angr to the radare2 land. The best known is r4ge.

      This post in Japanese demonstrates radare2 in general and how to use r4ge.

      This video shows how to use r4ge to solve a CTF challenge.

      The r2angr plugin was written by pancake, the project leader of radare2.

6. Reference

  • Awesome Radare2: it has not been updated for years, but it has rich content.

7. See Also


1. Description on https://github.com/radareorg/radare2, retrieved April 17th, 2024.
2. The project leader pancake made it clear; I saw it on infosec.exchange but could not find it again.
3. Description on https://github.com/radareorg/radare2, retrieved April 17th, 2024.
4. The project leader pancake made it clear; I saw it on infosec.exchange but could not find it again.