
Reversing with Radare2

Radare2 (also known as r2) is a complete framework for reverse engineering and analysing binaries. It is composed of a set of small utilities that can be used together or independently from the command line. At its core is a disassembler that turns machine code back into assembly listings, and it supports a wide variety of executable formats for many processors and operating systems.

Some features of Radare2:

  • Disassemble (and assemble for) many different architectures
  • Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg)
  • Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
  • Perform forensics on filesystems and data carving
  • Be scripted in Python, Javascript, Go and more
  • Support collaborative analysis using the embedded webserver
  • Visualize data structures of several file types
  • Patch programs to uncover new features or fix vulnerabilities
  • Use powerful analysis capabilities to speed up reversing
  • Aid in software exploitation

Some architectures supported by R2: i386, x86-64, ARM, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, m680x, AVR, XAP, System Z, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, V850, CRIS, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, Tricore, CHIP-8, LH5801, T8200, GameBoy, SNES, SPC700, MSP430, Xtensa, NIOS II, Java, Dalvik, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c66), Hexagon, Brainfuck, Malbolge, whitespace, DCPU16, LANAI, MCORE, mcs96, RSP, SuperH-4, VAX.

1. Install Radare2:

R2 comes preinstalled on some operating systems built for penetration testing and security auditing, such as Kali Linux.

Installing r2 from source is straightforward on Linux. The install script builds radare2 and installs it system-wide (it will ask for sudo when it gets to the install step):

$ git clone https://github.com/radare/radare2
$ cd radare2
$ sys/install.sh

2. Cheat Sheet for R2:

Starting Radare:

The basic usage is radare2 exe (on most systems you can simply type r2 instead of radare2). If a script named exe.r2 exists, it is executed after the other rc files. To start radare2 without opening any file, use - instead of an executable name; r2 then works on a small in-memory buffer (the same as r2 malloc://512).

  • -d file : debug executable file
  • -d pid : attach to and debug the running process with that pid
  • -A : analyze all referenced code (runs the aaa command on load)
  • -r profile.rr2 : use the given rarun2 profile for the debuggee
  • -w : open file in write mode
  • -p [prj] : list projects / open project prj
  • -h : show help message

Running in different environments: rarun2

rarun2 runs a program under a controlled environment: different arguments, environment variables, permissions, working directory, and overridden default file descriptors. Usage:

$ rarun2 [-t|script-name.rr2] [directives] [--] [prog-name] [args]

rarun2 -t prints the name of the current terminal, say α, and waits for a connection from another process. From a second terminal you can then run rarun2 stdio=α program=/bin/sh to attach the shell's input and output to that terminal (use stdin= or stdout= to redirect only one stream). Run rarun2 -h to get a sample .rr2 file. rarun2 supports a lot of directives; see the man page for details.

Some variables:

  • asm.bytes : display bytes of each instruction
  • asm.describe : show opcode description
  • asm.cmt.right : comments at right of disassembly if they fit
  • asm.emu : run ESIL emulation analysis on disasm
  • asm.demangle : Show demangled symbols in disasm
  • asm.shortcut : Shortcut (e.g. [1], [2], … ) position in visual mode
  • bin.baddr : base address of the binary
  • cmd.bp : command to run when a breakpoint is hit
  • cmd.stack : command to display the stack in visual debug mode
  • dbg.follow.child : continue tracing the child process on fork
  • dbg.slow : show stack and regs in visual mode, in a slow but verbose mode
  • dbg.trace : trace program execution
  • io.cache : enable cache for IO
  • scr.utf8 : show nice UTF-8 chars instead of ANSI
  • scr.utf8.curvy : show curved UTF-8 corners
  • scr.nkey : select seek mode; affects n/N in visual mode
  • scr.html : disassembly outputs in HTML syntax

Searching:

  • / str : search for string str
  • /c instr : search for instruction instr
  • /x hstr : search for hex-string hstr
  • /a asm-instr : assemble instruction and search for its bytes
  • /R[/] opcode : find ROP gadgets containing opcode
  • /A type : find instructions of type type
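The /x search accepts wildcard nibbles (for example /x e8........ finds every 5-byte call regardless of its target, and /x ff..33 matches any byte between ff and 33). The following is an added example in pure Python, not radare2 code, that reimplements that masked matching so the rule is visible; the function names parse_hex_pattern and search_hex are my own, and SAMPLE is a constructed byte string standing in for a code section, not bytes from any real binary.

```python
"""Hex-pattern search with nibble wildcards, modelled on radare2's `/x`.

Added example (pure Python, not radare2 code).  r2 reports every offset at
which a hexpair pattern matches, treating '.' as "any nibble".  This
reimplements that rule: each pattern byte becomes a (value, mask) pair and
a buffer byte matches when (byte & mask) == value.
"""
from typing import List, Tuple


def parse_hex_pattern(pattern: str) -> Tuple[bytes, bytes]:
    """Turn 'ff..33' into (value, mask) byte strings.

    Each hex digit fixes 4 bits in the mask; '.' (or '?') leaves them
    unmasked, so '.' means any nibble and '..' means any byte.
    """
    pattern = pattern.replace(" ", "").lower()
    if len(pattern) % 2:
        raise ValueError("pattern must contain an even number of nibbles")
    value, mask = bytearray(), bytearray()
    for i in range(0, len(pattern), 2):
        v = m = 0
        for shift, ch in ((4, pattern[i]), (0, pattern[i + 1])):
            if ch in ".?":
                continue  # wildcard nibble: its mask bits stay 0
            v |= int(ch, 16) << shift
            m |= 0xF << shift
        value.append(v)
        mask.append(m)
    return bytes(value), bytes(mask)


def search_hex(buf: bytes, pattern: str, base: int = 0) -> List[int]:
    """Return every address (base + offset) at which `pattern` matches `buf`."""
    value, mask = parse_hex_pattern(pattern)
    n = len(value)
    if n == 0:
        raise ValueError("empty pattern")
    hits = []
    for off in range(len(buf) - n + 1):
        if all((buf[off + k] & mask[k]) == value[k] for k in range(n)):
            hits.append(base + off)
    return hits


# Constructed sample: a handful of x86-64 instructions, not taken from any
# real binary.
#   55 48 89 e5           push rbp; mov rbp, rsp
#   e8 10 00 00 00        call +0x10
#   90                    nop
#   e8 f0 ff ff ff        call -0x10
#   c3                    ret
#   ff 25 00 10 00 00     jmp [rip+0x1000]
#   c9 c3                 leave; ret
SAMPLE = bytes.fromhex(
    "554889e5" "e810000000" "90" "e8f0ffffff" "c3" "ff2500100000" "c9c3"
)


if __name__ == "__main__":
    base = 0x401000  # hypothetical load address for readable output
    for pat in ("e8........", "c3", "e8f.ffffff", "ff25........"):
        print(f"/x {pat:<14}", [hex(a) for a in search_hex(SAMPLE, pat, base)])
```

Passing base lets the printed hits line up with the addresses r2 shows when the binary is mapped at its usual load address; inside r2 the equivalent is to run the search with bin.baddr set correctly.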

Writing:

  • wa asm-instr : assemble+write opcodes
  • wao … : replace current instruction
  • w[z] str : write string str [and append byte \x00]
  • wx hex-pairs : write hex-pairs
  • wc : list pending changes
  • wtf [file] [size] : write to file
  • wopD n : write n bytes of a De Bruijn pattern at the current offset
  • wopO v : print offset of value v inside the De Bruijn pattern
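The wopD/wopO pair is the usual way to find how many bytes of input it takes to overwrite a saved return address: write the pattern, crash the target, then look up the value that landed in the instruction pointer. The following is an added example in Python, not radare2 code, that shows the method behind those two commands; it uses a lowercase alphabet with unique 4-byte windows, and r2's own alphabet is not assumed, so the bytes it produces differ from what wopD writes. The names de_bruijn, pattern_offset and windows_unique are my own.

```python
"""De Bruijn cyclic pattern and offset lookup, the idea behind r2's wopD/wopO.

Added example, not radare2 code.  `wopD n` writes an n-byte pattern in which
every short window is unique; `wopO value` reports where a register value
landed in it.  This version builds the sequence with the standard FKM
algorithm over a lowercase alphabet (r2's exact alphabet is not assumed).
"""
from itertools import islice
from typing import Iterator


def _de_bruijn_gen(alphabet: str, n: int) -> Iterator[str]:
    """Lazily yield the de Bruijn sequence B(k, n), k = len(alphabet)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def de_bruijn(length: int, alphabet: str = "abcdefghijklmnopqrstuvwxyz",
              n: int = 4) -> bytes:
    """First `length` bytes of the pattern; no n-byte window repeats."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern longer than the sequence can supply")
    return "".join(islice(_de_bruijn_gen(alphabet, n), length)).encode()


def pattern_offset(pattern: bytes, value: int, n: int = 4) -> int:
    """Offset of a crashed register's value inside `pattern` (what wopO does).

    The value is decoded little-endian, as read from an x86 register, and
    leading zero bytes are dropped, so 0x61616164 becomes b"daaa".
    """
    if value <= 0:
        raise ValueError("value must be a positive integer")
    needle = value.to_bytes((value.bit_length() + 7) // 8, "little")
    if len(needle) < n:
        raise ValueError(f"need at least {n} bytes to locate a unique window")
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("value not found in pattern")
    return off


def windows_unique(pattern: bytes, n: int = 4) -> bool:
    """True if no n-byte window repeats, i.e. every lookup is unambiguous."""
    windows = {pattern[i:i + n] for i in range(len(pattern) - n + 1)}
    return len(windows) == len(pattern) - n + 1


if __name__ == "__main__":
    pat = de_bruijn(200)
    print(pat[:40].decode())
    # A hypothetical crash where eip/rip reads 0x61616164 ("daaa" in memory).
    print("0x61616164 sits at offset", pattern_offset(pat, 0x61616164))
```

On a 64-bit target the saved return address is usually only partly controllable before the process faults on a non-canonical address, so it is common to look up the value found in rsp or in the faulting instruction's memory operand instead of rip; pattern_offset handles both, since it only needs 4 bytes of the register to identify the window.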

Analysis:

  • aaa : analyze (aa) and auto-name functions
  • aod opcode : description of opcode
  • afl[l] : list functions [with details]
  • afi fn-name : show verbose info for fn-name
  • afn new-name addx : (re)name function at address addx
  • asl : list syscalls
  • asl name : display syscall-number for name
  • asl n : display name of syscall number n
  • afvd var-name : output r2 command for displaying the address and value of arg/local var-name
  • .afvd var-name : display address and value of var-name
  • afvn new-name old-name : rename argument/local variable
  • afvt name type : change type for given argument/local
  • afv- name : removes variable name
  • axt addx : find data/code references to addx
  • ahi {b|d|h|o|r|S|s} @ addr : define binary/decimal/hex/octal/IP/syscall/string base for immediate

Debugging:

  • dc : continue (or start) execution
  • dcu addx : continue until addx is reached
  • dcs [name] : continue until the next syscall [name]
  • dcr : continue until ret (uses step over)
  • dr= : show general-purpose regs and their values
  • dro : show previous (old) values of registers
  • drr : show register references (telescoping)
  • dr reg-name = value : set register value
  • drt : list register types
  • drt type : list register of type type and their values
  • db : list breakpoints
  • db[-] addx : add [remove] breakpoint
  • doo [args] : (re)start debugging
  • ds[o] : step into [over]
  • dbt : display backtrace
  • drx : hardware breakpoints
  • dm : list memory maps; the asterisk shows where the current offset is
  • dmh : show heap allocation
  • dmm : list modules (libraries, loaded binaries)
  • dmi [addr|lib] [sym] : list symbols of target lib
  • dmp : change page permissions
  • dt[d] : list all traces [disassembled]
  • dd : handle file descriptors

Printing:

  • ps [@ addx] : print zero-terminated C-string at addx
  • psb [@ addx] : print the strings found in the current block
  • pxr [n] [@ addx] : print with references to flags/code (telescoping)
  • px [n] [@ addx] : hexdump – note: x is an alias for px
  • px{h|w|q} … : hexdump in 16/32/64 bit words
  • px{H|W|Q} … : as the previous one, but one word per line
  • pxl [n] [@ addx] : display n rows of hexdump
  • px/fmt [@ addx] : gdb-style printing fmt
  • pd [n] [@ addx] : disassemble n instructions
  • p8 [n] [@ addx] : print bytes
  • pD [n] [@ addx] : disassemble n bytes
  • pdf [@ fn-name] : disassemble function fn-name
  • pc[p] [n] [@ addx] : dumps in C [Python] format
  • * addx [=value] : shortcut for reading/writing at addx
  • pf fmt : formatted print
  • pa[d] … : assemble-to/disassemble-from hex-pairs

Information:

  • i : show info of current file
  • iz[z] : strings in data sections
  • i{e|i|l|S|SS} : entrypoint/import/libraries/sections/segments

Visual mode:

V : enters visual mode

  • q : exit visual-mode
  • c : cursor-mode, tab switches among panels +/- increment/decrement current byte
  • : : execute a normal-mode command
  • p and P : rotate forward/backward through print modes
  • /str : highlight occurrences of string str
  • # : toggle bytes
  • O : toggle ESIL-asm
  • ; : add/remove comments (to current offset)
  • x : browse xrefs-to current offset
  • X : browse xrefs-from current function
  • _ : browse flags
  • d : define function, end-function, rename, …
  • di{b|o|d|h|s} : define immediate bin/oct/dec/hex or str
  • V : enter block-graph viewer (space toggles visual/graph)
  • A : enter visual-assembler (preview must be confirmed)
  • n/N : seek next/previous function/flag/hit
  • i : enter insert mode
  • e : configures internal variables
  • : toggle the column mode
  • f : (un)set flags

Seeking in visual mode:

  • . : seeks to program counter
  • Enter : on jump/call instruction, follow target address
  • u / U : undo / redo
  • o : go/seek to given offset
  • 0 : seek to beginning of current function
  • d – a non-zero digit : jump to the jmp/lea-hint marked [d]
  • r : toggle jmp/lea hints
  • ml – a letter : mark the spot with letter l
  • l : jump to mark l
  • n / N : jump to next/previous function

Debugging keys in visual mode:

  • B or F2 : toggle breakpoint
  • F4 : run to cursor
  • s or F7 : step-into
  • S or F8 : step-over
  • F9 : continue

3. Install Cutter:

Cutter is a free and open-source GUI for the radare2 reverse-engineering framework. Its goal is to provide an advanced, customizable and FOSS reverse-engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.

Download the latest AppImage from the Cutter release page, make it executable and run it:

$ chmod +x Cutter-*.Linux.AppImage
$ ./Cutter-*.Linux.AppImage
