Last changed: 22.06.2018
Reverse engineering with radare2
Radare2 is an open source command-line alternative to commercial reverse engineering solutions like IDA Pro or Hopper. If you are looking for a free tool, for example to solve CTF challenges or crackmes, radare2 could be just what you need.
I will try to keep track of some useful radare2 commands on this page. For more comprehensive documentation, please have a look at the radare2 book.
Before diving into the functionality of a binary, I advise taking a look at some global features first. The following commands print basic information, headers, imports and strings of the binary.
i             show file information
ih            show headers
ie            show entry point
ii            show imports
iE            show exports
izz | less    show strings (in less)
static code analysis
Radare2 offers a visual mode in which you can quickly navigate through the code of a binary. To resolve and rename function names, let radare2 analyze the binary first.
aaaa    analyze binary
V       enter visual mode
visual mode general keys
?          show help
p/P        toggle print mode
<space>    toggle ascii graph
:          open radare2 prompt
q          quit
visual mode navigation
o            seek to given offset
u/U          undo/redo seek
<enter>      follow call/jump
1...9        jump to called function
...
x            list cross references
_            search in symbols/strings
;[-][cmt]    set/remove comment
renaming and setting flags
Give functions and variables descriptive names to increase the readability of the disassembly. Global variables can be renamed by setting flags.
afn sub.my_function             rename the current function
afvn my_local_var local_4h      rename a local variable
afvt my_local_var char          set the type of a local variable
f str.my_string @ <addr>        set a flag at an address
f- @ <addr>                     remove the flag at an address
show cross references
axf @ <addr>    cross references from the address
axt @ <addr>    cross references to the address
To analyze strings or the memory area around interesting variables, the following commands can be used.
ps @ <addr>           print string
pxa @ <addr>          annotated hexdump
pxw 4*16 @ <addr>     hexdump as 32-bit words
pxq 8*8 @ <addr>      hexdump as 64-bit words
pd <number of instructions>    disassemble the given number of instructions
pdf <function>                 disassemble a whole function
If you need to modify a binary, reopen it in read-write mode, seek to the address and overwrite the instructions.
oo+                   reopen the file in read-write mode
s <addr>              seek to the address
"wa nop;nop;nop"      write assembly at the current seek
oo                    reopen the file read-only
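The renaming, flagging and patching commands above can be collected into a radare2 script so that a session is repeatable and reviewable. The script below is an added example and not part of the original notes; it is run with `r2 -q -w -i patch.r2 ./binary`, and the addresses, function name and flag name are placeholders for a constructed target. It uses `wao nop` rather than a fixed run of `nop`s so that the patch always covers the full length of the instruction at the seek.

```radare2
# Added example (not from the original notes). Run as:
#   r2 -q -w -i patch.r2 ./binary
# All addresses and names are placeholders for a constructed target.

# 1. analyze, then give the things we care about readable names
aaaa
afn sub.verify_input @ 0x08048456
f str.status_ok @ 0x0804a0c8
CC call skipped on purpose, see project notes @ 0x08048470

# 2. record what is at the target before touching it
?e --- before ---
p8 5 @ 0x08048470
pd 1 @ 0x08048470

# 3. nop out the call without changing the instruction length
#    (wao nop pads to the size of the instruction at the seek; a literal
#    "nop;nop;nop" would only cover 3 bytes of a 5-byte call)
wao nop @ 0x08048470

# 4. verify the write, then persist comments and flags for next time
?e --- after ---
p8 5 @ 0x08048470
pd 2 @ 0x08048470
Ps patched_binary
```

Diffing the two `p8` lines in the output is a quick check that only the intended bytes changed.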
debug with radare2
r2 -d <PID>            attach to process
r2 -d binary <args>    start process in debugger
db main                set breakpoint
dc / <F9>              continue
dcr                    continue until return
ds / <F7>              step into
dso / <F8>             step over
ood <args>             reload (with arguments)
xw 256 @ esp           hexdump of stack (dwords)
xq 256 @ rsp           hexdump of stack (qwords)
dr eax=0               write register
drc cf=0               set FLAGS
dm=                    show memory maps (ascii-art)
manage radare2 projects
To save and restore comments, flags and all other changes, you can create radare2 projects.
Ps project    save the current state as a project
Pl            list projects
Po project    open a project
Ps            save the current project
edit/show project notes
Pn -    edit project notes
Pn      show project notes
Sometimes you may need to translate values from hex to decimal or to calculate expressions. Radare2 can help you here as well. The following commands print the result of an expression in hex, in decimal, or in all formats at once.
?v <expr>     result in hex
?vi <expr>    result in decimal
? <expr>      result in all formats
e hex.cols=16              number of columns in hexdumps
e graph.comments=false     hide comments in the graph view
e scr.utf8=true            draw with UTF-8 characters
other radare2 tools
Another cool feature of radare2 is the opcode disassembler.
rasm2 -b 32 -d "58ffe090"
pop eax
jmp eax
nop
If the shellcode is in binary format, radare2 needs its length. Redirecting the file into wc keeps the file name out of its output, so only the byte count is passed to -l:
rasm2 -b 32 -f shellcode.bin -B -l $(wc -c < shellcode.bin) -d
search source code with vim
:vim /search_regex/ **/*.c    search all C files (short for :vimgrep)
:cw                           open the results in the quickfix window