Radare2

Radare2 is an open source reverse engineering framework for analyzing binaries, and it can be used for a wide range of reverse engineering tasks.

Radare2 has a built-in debugger, so it is not just a framework but also a debugger.

Iaito is the official graphical interface of radare2.

1. Installation

Most preferred and recommended way to install the radare2

3. Tips

3.1. Launch a debugger with parameters

r2 -d program arg1 arg2 arg3

Or,

> ood arg1 arg2 arg3

3.2. Scripting in Python, and JSON parse the command outputs

r2pipe helps you write scripts that work with radare2, and it makes boring reverse engineering tasks simple.

The output of some commands may look verbose, and parsing it can seem daunting. But most radare2 commands have a j suffix, which is short for 'JSON'. With it you don't need to parse the command output yourself, so you save time and can focus on your work.

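import r2pipe

# Open the target binary in a radare2 session
r2 = r2pipe.open('./crackme')
# 'ij' is the JSON form of 'i'; cmdj() returns it parsed into a dict
print(r2.cmdj('ij')['core']['type'])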

Don't confuse it with cmd(); the cmdj() function automatically parses the JSON result from radare2.
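As an added example (not part of the original page or the radare2 project), the script below uses cmdj() to audit a binary's hardening flags and imports without parsing any text output. The canary, nx, pic and relro keys under bin in the ij reply and the name key in iij entries are assumed from radare2's JSON output; RISKY_IMPORTS, triage() and FakeSession with its constructed replies are hypothetical names so the block runs offline.

```python
"""Hardening triage via r2pipe's cmdj(). Added example, not the page's own code."""
import sys

# Libc calls worth a manual review when imported (illustrative list, an assumption)
RISKY_IMPORTS = {"gets", "strcpy", "strcat", "sprintf", "system"}


def triage(r2):
    """Summarise mitigations and risky imports using only JSON ('j') commands."""
    info = r2.cmdj("ij") or {}        # JSON form of 'i', already parsed to a dict
    binfo = info.get("bin", {})       # assumed keys: canary, nx, pic, relro
    imports = r2.cmdj("iij") or []    # JSON form of 'ii' (import table)
    names = {imp.get("name", "") for imp in imports}
    missing = [flag for flag in ("canary", "nx", "pic") if not binfo.get(flag)]
    if binfo.get("relro") not in ("partial", "full"):
        missing.append("relro")
    return {
        "type": info.get("core", {}).get("type"),
        "missing_mitigations": missing,
        "risky_imports": sorted(names & RISKY_IMPORTS),
    }


class FakeSession:
    """Offline stand-in for r2pipe.open(); the replies are constructed samples."""
    REPLIES = {
        "ij": {"core": {"type": "EXEC (Executable file)", "file": "./crackme"},
               "bin": {"arch": "x86", "bits": 64, "canary": False,
                       "nx": True, "pic": False, "relro": "partial"}},
        "iij": [{"ordinal": 1, "type": "FUNC", "name": "puts"},
                {"ordinal": 2, "type": "FUNC", "name": "gets"},
                {"ordinal": 3, "type": "FUNC", "name": "strcpy"}],
    }

    def cmdj(self, command):
        return self.REPLIES.get(command)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import r2pipe                 # requires radare2 and r2pipe installed
        session = r2pipe.open(sys.argv[1])
    else:
        session = FakeSession()
    print(triage(session))
```

Run it with a path argument to audit a real binary through r2pipe; with no argument it uses the constructed replies.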

3.3. Simple Radare2 scripting

r2pipe is a good way to talk to radare2 and your target binary, but it can be more than you need. We don't need to write a Python script just to print the disassembly of the main function; pdf is enough.

import r2pipe
r2 = r2pipe.open('./crackme')
r2.cmd('af @ main')
print(r2.cmd('pdf @ main'))

Like a gdbscript, write a simple r2 script.

af @ main
pdf @ main

Then launch radare2 with the -i option. This lets you automate simple but boring tasks.

4. Plugins

You can easily install plugins with r2pm, the radare2 package manager.

$ r2pm -ci <package>

The c option cleans the source cache directory, and the i option installs the plugin.

4.1. r2ghidra

You can use the Ghidra decompiler after installing the r2ghidra plugin.

$ r2pm -ci r2ghidra

Installation may take a while. After the installation completes, you can use the pdg command to decompile a function.

4.2. r2dec

You might find r2ghidra too heavy to use. In that case you might want a lightweight alternative, r2dec.

$ r2pm -ci r2dec

4.3. r2frida

$ r2pm -ci r2frida

4.4. radius2

radius2 is a fast symbolic execution and taint analysis framework, like angr, that uses radare2.

To use radius2, your system needs both cargo and radare2.

$ cargo install radius2

radius2 can be used to write scripts, but it also ships with a standalone binary.

4.5. r2ai and r2d2

You can perform reverse engineering tasks with radare2, powered by GPT-4.

With r2ai you can run a language model locally, without internet access, and ask questions about radare2 and reverse engineering in general.

r2d2 is like an AI assistant for radare2, and it can even solve simple crackmes.

5. Trivia

  • For an uncertain reason, the developers of radare2 and Cutter forked the code base and refactored it in October 2020.

    • Rizin can save your work as a project file.

    • The famous frontend "Cutter" is the official GUI frontend of Rizin.

    • You can look up why the developers forked the project. But I don't want to mention it here.

  • About naming

    • Radare2 is a successor of radare[3], an abbreviation of […​][4].

    • The official frontend 'iaito' came from a Japanese word (居合刀), a metal practice sword without a cutting edge.

      Some Japanese words used in radare2 projects

  • There were some other useful plugins

    • radeco was a decompiler and symbolic execution framework written in Rust.

    • There was the retdec-r2plugin, an official plugin from the retdec decompiler. Radare2 plugins at that time had an r2- prefix in their names, but there was an r2-retdec plugin. I think they named the plugin like that (retdec-r2plugin) to keep people from confusing it with the other plugin, r2-retdec.

      Anyway, the plugin has now become r2retdec and rz-retdec.

    • There were some attempts to bring the power of angr to the radare2 land. The most famous one is r4ge.

      This post in Japanese demonstrates radare2 in general, and how to use r4ge.

      This video shows how to use r4ge and solves a CTF challenge.

      The r2angr plugin is written by pancake, the project leader of radare2.

6. Reference

  • Awesome Radare2: it has not been updated for years, but it has rich content.

7. See Also


1. Description on https://github.com/radareorg/radare2, retrieved April 17th, 2024.
2. The project leader pancake made it clear; I saw it on infosec.exchange, but I couldn't find it.
3. Description on https://github.com/radareorg/radare2, retrieved April 17th, 2024.
4. The project leader pancake made it clear; I saw it on infosec.exchange, but I couldn't find it.