Last changed: 22.06.2018
Reverse engineering with radare2
Radare2 is an open-source command-line alternative to commercial reverse engineering solutions like IDA Pro or Hopper. If you are looking for a free tool, for example to solve CTF challenges or crackmes, radare2 could be just what you need.
I will try to keep track of some useful commands for radare2 on this site. For more comprehensive documentation, please have a look at the radare2 book.
file info
Before diving into the functionality of a binary I advise taking a look at some global features first. The following commands print basic information, headers, entry point, imports, exports and strings of the binary.
interactive prompt
i show file information
ih show headers
ie show entry point
ii show imports
iE show exports
izz | less show strings (paged in less)
static code analysis
Radare2 offers a visual mode in which you can quickly navigate through the code of a binary. To resolve and rename function names, let radare2 analyze the binary first.
aaaa analyze binary
V enter visual mode
visual mode general keys
? show help
p/P toggle print mode
<space> toggle ascii graph
: open radare2 prompt
q quit
visual mode navigation
o seek to given offset
u/U undo/redo seek
<enter> follow call/jump
1...9 jump to called function [1] ... [9]
x list cross references
_ search in symbols/strings
;[-][cmt] set/remove comment
renaming and setting flags
Give functions and variables meaningful names to increase the readability of the disassembly. Global variables can be named by setting flags at their address.
renaming functions
afn sub.my_function rename the current function
afvn my_local_var local_4h rename the local variable local_4h
afvt my_local_var char set the type of a local variable
setting flags
f str.my_string @ <addr> set a flag (name) at an address
f- @ <addr> remove the flag at an address
analyzing data
show cross references
axf @ <addr> references from this address
axt @ <addr> references to this address
print data
To analyze strings or the memory area around interesting variables the following commands can be used.
ps @ <addr> print string at address
pxa @ <addr> annotated hexdump (flags and references)
pxw 4*16 @ <addr> hexdump of 64 bytes as dwords
pxq 8*8 @ <addr> hexdump of 64 bytes as qwords
show disassembly
pd <number of instructions> disassemble the given number of instructions
pdf <function> disassemble a whole function
patching binaries
If you need to modify a binary, just reopen it in read-write mode, seek to the address and overwrite the instructions. The write command is quoted so that the semicolons are not interpreted as radare2 command separators.
oo+ reopen the file in read-write mode
s <addr> seek to the address to patch
"wa nop;nop;nop" assemble the instructions and write them at the current address
oo reopen the file (read-only again)
debug with radare2
r2 -d <PID> attach to process
r2 -d binary <args> start process in debugger
db main set breakpoint
dc/<F9> continue
dcr continue until return
ds/<F7> step into
dso/<F8> step over
ood <args> reload (with arguments)
xw 256 @ esp hexdump of stack (dwords)
xq 256 @ rsp hexdump of stack (qwords)
dr eax=0 write register
drc cf=0 set FLAGS
dm= show memory maps (ascii-art)
manage radare2 projects
To save and restore comments, flags and all other changes you can create radare2 projects.
save/list/open project
Ps project save as project
Pl list projects
Po project open project
Ps save the current project
edit/show project notes
Pn - edit project notes in an editor
Pn show project notes
calculate expressions
Sometimes you may need to translate values from hex to decimal or to calculate expressions. Radare2 can help you here as well. The following commands will print the result of an expression in hex, decimal or in all formats at once.
?v <expr> result in hex
?vi <expr> result in decimal
? <expr> result in all formats
modify options
e hex.cols=16 number of bytes per hexdump row
e graph.comments=false hide comments in the graph view
e scr.utf8=true use UTF-8 characters for graph and box drawing
other radare2 tools
disassemble opcode
Another cool feature of radare2 is the opcode disassembler.
rasm2 -b 32 -d "58ffe090"
pop eax
jmp eax
nop
If the shellcode is in binary form, rasm2 needs its length in bytes. Note that wc -c with a file argument also prints the file name, so the byte count has to be read from standard input:
rasm2 -b 32 -B -l $(wc -c < shellcode.bin) -d -f shellcode.bin
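As an added example that is not part of the original page, a small POSIX shell helper that writes a hex string like the one above into a raw file, computes the byte count the way rasm2's -l needs it, and hands the file to rasm2 with -B. It assumes rasm2 is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example: disassemble raw (binary) shellcode with rasm2.
# "wc -c FILE" prints "4 FILE", which breaks "-l"; the length must come
# from "wc -c < FILE" instead.

# Write hex string $1 (pairs of hex digits, no spaces) as raw bytes to file $2.
# Uses octal escapes so it works with any POSIX printf (no xxd needed).
hex_to_bin() {
    hex=$1
    : > "$2"
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}                # drop them
        printf "\\$(printf '%03o' $((0x$pair)))" >> "$2"
    done
}

# Byte length of file $1 without the file name that "wc -c FILE" appends.
bin_len() {
    wc -c < "$1" | tr -d ' '
}

# Disassemble raw file $1 for the given bit width (default 32).
# Returns 127 if rasm2 is not installed.
disasm_bin() {
    f=$1
    bits=${2:-32}
    command -v rasm2 >/dev/null 2>&1 || return 127
    rasm2 -b "$bits" -B -l "$(bin_len "$f")" -d -f "$f"
}

# usage (placeholder file name):
#   hex_to_bin 58ffe090 shellcode.bin && disasm_bin shellcode.bin 32
#   -> pop eax / jmp eax / nop, as in the hex-string example above
```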
search source code with vim
:vim /search_regex/ **/*.c search all C files recursively (:vim is short for :vimgrep)
:cw open the quickfix window with the matches