radare2 – Reverse Engineering Framework

Last Release: 09/17/2019    

Introduction

Radare2 is a complete rewrite of radare, which provides a set of libraries and tools to work with binary files.

The radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc.

Radare2 is an open source, multi-platform reverse engineering framework that supports assembling and disassembling for many architectures and binary formats. It consists of a set of small command-line utilities that can be used together or independently:

  • radare2, rabin2, rasm2, rahash2, radiff2, rafind2, ragg2, rarun2, rax2.

Features (radare2 can):

  • Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku.
  • Disassemble and assemble for many different architectures.
  • Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg)
  • Be scripted in Python, Javascript, Go, etc.
  • Support collaborative analysis using the embedded webserver.
  • Perform forensics on filesystems and data carving
  • Visualize data structures of several file types.
  • Patch programs to uncover new features or fix vulnerabilities.
  • Use powerful analysis capabilities to speed up reversing.
  • Aid in software exploitation.

Architectures:

  • i386, x86-64, ARM, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, AVR, XAP, System Z, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, V850, CRIS, XAP, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, Tricore, Chip8 LH5801, T8200, GameBoy, SNES, MSP430, Xtensa, NIOS II, Dalvik, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c66), Hexagon, Brainfuck, Malbolge, DCPU16

File Formats:

  • ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, OMF, TE, XBE, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executable, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), WASM (WebAssembly binary), Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs, various filesystems.

Operating Systems:

  • Windows (since XP), GNU/Linux, OS X, [Net|Free|Open]BSD, Android, iOS, OSX, QNX, Solaris, Haiku, FirefoxOS

Bindings:

  • Vala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, PHP, Newlisp, Ruby, Java, OCaml, etc.

radare2 tools

radare2 is the main framework tool, which uses the core of the hexadecimal editor and debugger. radare2 allows you to open a number of input/output sources as if they were simple, plain files, including: disks, network connections, kernel drivers, processes under debugging, etc. It has an advanced command line interface for: analyzing data, data comparison, binary patching, disassembling, searching, replacing, and visualizing.
  • rabin2: a program which can extract information from executable binaries, such as: ELF, PE, Java CLASS, Mach-O, and any format supported by r2 plugins (exported symbols, imports, file information, cross references (xrefs), library dependencies, and sections).
  • rasm2: a command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and a myriad of others).
  • rahash2: a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms including:
    • MD4, MD5, CRC16, CRC32, SHA1, SHA256, etc.
  • rarun2: a launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors. rarun2 is useful for:
    • Solving crackmes, Fuzzing, Test suites.
  • rax2: a minimalistic mathematical expression evaluator for the shell that is useful for making base conversions between:
    • floating point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, etc.
  • radiff2: a binary diffing utility that implements multiple algorithms. It supports:
    • byte-level or delta diffing for binary files,
    • code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis.
  • ragg2: a frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.
  • rafind2: a program to find byte patterns in files.
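
The block-based hashing idea behind rahash2 is useful in forensics for locating which regions of an image differ from a known-good copy. The following is an added example in plain Python with hashlib, not rahash2's own code; the function names and the sample data are constructed for illustration.

```python
import hashlib
import io
from itertools import zip_longest

def block_hashes(stream, block_size=512, algo="sha256"):
    """Yield (offset, hexdigest) for each block read from a binary stream."""
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    offset = 0
    while True:
        # Regular files and BytesIO return full blocks until EOF; the last
        # block may be shorter than block_size.
        block = stream.read(block_size)
        if not block:
            break
        yield offset, hashlib.new(algo, block).hexdigest()
        offset += len(block)

def changed_blocks(old, new, block_size=512, algo="sha256"):
    """Return offsets of blocks that differ, or exist in only one stream."""
    pairs = zip_longest(block_hashes(old, block_size, algo),
                        block_hashes(new, block_size, algo))
    changed = []
    for a, b in pairs:
        if a is None or b is None or a[1] != b[1]:
            changed.append((a or b)[0])
    return changed

# Constructed sample: a 2048-byte baseline, then a copy with one flipped
# byte at offset 1030 and some data appended past the original end.
BASELINE = bytes(range(256)) * 8
_copy = bytearray(BASELINE)
_copy[1030] ^= 0xFF
MODIFIED = bytes(_copy) + b"appended-data"

def demo():
    return changed_blocks(io.BytesIO(BASELINE), io.BytesIO(MODIFIED))

if __name__ == "__main__":
    for off in demo():
        print("block at offset 0x%x differs" % off)
```

For real evidence files, pass two handles opened with `open(path, "rb")` instead of the in-memory samples.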

radare2 Install

Clone it from the GitHub repo:

$ git clone https://github.com/radare/radare2.git

To install, simply run the following command:

$ sys/install.sh

or:

$ sys/user.sh

if you want to make a system-wide install without using root privileges. To update radare2 system-wide, just re-run the previous commands.

Package manager

To start using r2pm, the radare2 package manager, you need to initialize packages:

$ r2pm init

You need to refresh the package database before installing any package:

$ r2pm update

Then you can install packages with the following command:

$ r2pm install [package name]

Building with meson + ninja

Building with meson has been tested to work on the following hosts:

  • Rpi3-arm32,
  • macOS-x86-64,
  • Termux/Android-arm64,
  • VoidLinux-x86-64,
  • Windows-x86-64.

Note: The meson build system doesn't support a lot of configuration options and it isn't able to build all the plugins.

Install meson and ninja through your package manager or with r2pm:

$ r2pm -i meson

Then compile radare2:

$ python ./sys/meson.py --prefix=/usr --shared --install

radare2 bindings

Make sure you’ve installed swig and valabind if you want to build the bindings. To install Python bindings, run the following:

$ r2pm install lang-python2 #lang-python3 for python3 bindings
$ r2pm install r2api-python
$ r2pm install r2pipe-py

There are also r2pipe bindings, an API that interacts with the radare2 prompt by passing it commands and reading back the output:

$ npm install r2pipe   # NodeJS
$ gem install r2pipe   # Ruby
$ pip install r2pipe   # Python
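
To show what scripting through r2pipe looks like, here is an added example (not from the radare2 project) that audits a binary's hardening flags and imports through the JSON commands `iIj` and `iij`. The `triage` function, the watch-list, the `FakeR2` stand-in and the sample replies are constructed for illustration, and the JSON field names are assumed to match your radare2 version.

```python
import json
import sys

# Illustrative watch-list of libc imports that usually deserve manual review.
RISKY_IMPORTS = {"gets", "strcpy", "strcat", "sprintf", "system"}

def triage(r2):
    """Summarise hardening flags and risky imports using r2's JSON commands."""
    info = r2.cmdj("iIj") or {}      # binary info: nx, canary, pic, relro, ...
    imports = r2.cmdj("iij") or []   # import table, one dict per symbol
    findings = []
    if not info.get("nx"):
        findings.append("NX disabled")
    if not info.get("canary"):
        findings.append("no stack canary")
    if not info.get("pic"):
        findings.append("not position independent")
    relro = info.get("relro", "no")
    if relro != "full":
        findings.append("RELRO: " + relro)
    # Some builds prefix names (e.g. sym.imp.strcpy); keep the last component.
    names = {i.get("name", "").rsplit(".", 1)[-1] for i in imports}
    return {"arch": info.get("arch"), "bits": info.get("bits"),
            "findings": findings, "risky_imports": sorted(names & RISKY_IMPORTS)}

class FakeR2:
    """Offline stand-in for an r2pipe session, fed constructed JSON replies."""
    def __init__(self, replies):
        self.replies = replies
    def cmdj(self, cmd):
        return json.loads(self.replies[cmd])

# Constructed sample replies, shaped like r2 output for a weakly hardened ELF.
SAMPLE = {
    "iIj": '{"arch": "x86", "bits": 64, "nx": true, "canary": false, '
           '"pic": false, "relro": "partial"}',
    "iij": '[{"name": "strcpy"}, {"name": "puts"}, {"name": "sym.imp.system"}]',
}

def demo():
    return triage(FakeR2(SAMPLE))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import r2pipe                # needs radare2 installed and on PATH
        session = r2pipe.open(sys.argv[1])
        print(json.dumps(triage(session), indent=2))
        session.quit()
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with a file path as the only argument to query a real binary through r2pipe; with no argument it prints the result for the constructed sample.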

Basic usage

Run radare2 with -h to see the available options:

$ radare2 -h
Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
          [-s addr] [-B baddr] [-m maddr] [-c cmd] [-e k=v] file|pid|-|--|=
 --           run radare2 without opening any file
 -            same as 'r2 malloc://512'
 =            read file from stdin (use -i and -c to run cmds)
 -=           perform !=! command to run all commands remotely
 -0           print \x00 after init and every command
 -2           close stderr file descriptor (silent warning messages)
 -a [arch]    set asm.arch
 -A           run 'aaa' command to analyze all referenced code
 -b [bits]    set asm.bits
 -B [baddr]   set base address for PIE binaries
 -c 'cmd..'   execute radare command
 -C           file is host:port (alias for -c+=http://%s/cmd/)
 -d           debug the executable 'file' or running process 'pid'
 -D [backend] enable debug mode (e cfg.debug=true)
 -e k=v       evaluate config var
 -f           block size = file size
 -F [binplug] force to use that rbin plugin
 -h, -hh      show help message, -hh for long
 -H ([var])   display variable
 -i [file]    run script file
 -I [file]    run script file before the file is opened
 -k [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
 -l [lib]     load plugin file
 -L           list supported IO plugins
...
