Last changed: 22.06.2018

Reverse engineering with radare2

Radare2 is an open source commandline alternative to commercial reverse engineering solutions like IDA Pro or Hopper. If you are looking for a free tool for example to solve some ctf challenges or crackmes radare2 could be just what you need.

I will try to keep track of some usefull commands for radare2 on this site. For a more comprehensive documentation please have a look at the radare2 book.

file info

Before diving into the functionality of a binary I advise to take a look at some global features. The following commands print some basic information, headers, imports and strings of the binary.

interactive prompt

i           show file information
ih          show headers
ie          show entry point
ii          show imports
iE          show exports
izz |less   show strings (in less)

static code analysis

Radare2 offers a visual mode in which you can quickly navigate through the code of a binary. To resolv and rename function names let radare2 analyze the binary first.

aaaa        analyze binary
V           enter visual mode

visual mode general keys

?           show help
p/P         toggle print mode
<space>     toggle ascii graph
:           open radare2 prompt
q           quit

visual mode navigation

o           seek to given offset
u/U         undo/redo seek
<enter>     follow call/jump
1...9       jump to called function [1] ... [9]
x           list cross references
_           search in symbols/strings
;[-][cmt]   set/remove comment

renaming and setting flags

Rename functions and variables with names to increase the readability of the disassembly. Global variables can be renamed by setting flags.

renaming functions

afn sub.my_function
afvn my_local_var local_4h
afvt my_local_var char

setting flags

f str.my_string @ <addr>
f- @ <addr>

analyzing data

show cross references

axf @ <addr>
axt @ <addr>

print data

To analyze strings or the memory area around interesting variables the following commands can be used.

ps @ <addr>
pxa @ <addr>
pxw 4*16 @ <addr>
pxq 8*8 @ <addr>

show disassembly

pd <number of instructions>
pdf <function>

patching binaries

If you need to modify a binary just reopen it in read-write mode, seek to the address and overwrite the instructions.

oo+
s <addr>
"wa nop;nop;nop"
oo

debug with radare2

r2 -d <PID>         attach to process
r2 -d binary <args> start process in debugger
db main             set breakpoint
dc/<F9>             continue
dcr                 continue until return
ds/<F7>             step into
dso/<F8>            step over
ood <args>          reload (with arguments)
xw 256 @ esp        hexdump of stack (dwords)
xq 256 @ rsp        hexdump of stack (qwords)
dr eax=0            write register
drc cf=0            set FLAGS
dm=                 show memory maps (ascii-art)

manage radare2 projects

To save and restore comments, flags and all other changes you can create radare2 projects.

safe/list/open project

Ps project
Pl
Po project
Ps

edit/show project notes

Pn -
Pn

calculate expressions

Sometimes you may need to translate values from hex to decimal or to calculate expressions. Radare2 can help you here as well. The following commands will print the result of an expression in hex, decimal or in all formats at once.

?v <expr>
?vi <expr>
? <expr>

modifiy options

e hex.cols=16
e graph.comments=false
e scr.utf8=true

other radare2 tools

disassemble opcode

Another cool feature of radare2 is the opcode disassembler.

rasm2 -b 32 -d "58ffe090"
pop eax
jmp eax
nop

If the shellcode is in binary format radare2 needs its length

rasm2 -b 32 -f shellcode.bin -B -l `wc -c shellcode.bin` -d

search source code with vim

:vim /search_regex/ **/*.c
:cw