Introduction to radare2
Radare2 (r2) is an open source framework for reverse engineering and binary analysis with a rich command line interface for disassembling, analysing data, patching binaries, and much more. Radare has a ton of features and utilities that take a lot of time to explore and understand. One of the main reasons we use radare is its Visual mode, which shows the binary graphically and makes it much easier to understand the control flow of the binary.
To examine a binary in radare, open it with r2 followed by the file name; you then land at the r2 prompt:
-- Coffee time! [0x080484b0]>
Now a radare2 shell is open in the terminal, and it greets us with one of its greeting messages. The address enclosed in square brackets is the entry point of the binary.
Usually the first thing we do when we get a binary is to gather information about it. This is easily done with one of the tools of the r2 framework: rabin2.
rabin2 extracts information from binary files, including sections, headers, imports, strings, entry points, etc. We will use rabin2 with the -I flag to print all of this information.
rabin2 -I binary
You can also get all this information from the r2 shell with the iI command; for more detail, see the help for i.
Command Line Arguments
All the commands can be listed by executing the program with the -h flag.
Here we will discuss only a few frequently used commands. Radare is also self-documenting: whenever you don't know a command or what it does, use ? with the command you are not sure about.
Example: just running ? gives you a list of all commands. Now consider the command s; to get more information about it, ask for its help with ?.
Radare doesn't analyse the file by default, because analysis is a time-consuming process whose duration depends on the size of the file. The aaa command analyses the binary completely.
After analysing, running the function-listing command prints all the functions in the binary.
[0x080484b0]> s <offset>
Using this command we can navigate to a particular address in radare. When we open a binary in radare, the current address is by default the entry point. Running s main (seek main) seeks to the main function.
Command : VV
Using this visual mode we get a graphical view of the binary. The visual mode is much more user-friendly and makes reverse engineering with r2 much easier. Using the p command we can switch between the different visual modes.
One thing to remember is that to use any command inside the visual mode, you first type a colon followed by your command, and help is available by pressing a single key.
Navigation in Visual modes
You can move up and down with vim-style keys such as j, or simply with the arrow keys. In visual mode, if you want to go to a function, just type the 2 or 3 characters shown next to the function.
In this case, if you type ga, it goes to that function.
In order to patch, we first need to open the binary in write mode, i.e. with the following command.
$ r2 -w binaryname
Now go to the visual mode and use the p command to change modes until the address and byte code are shown in front of each instruction:
0x08049174 85c0 test eax, eax
0x08049176 7420 je
In this example, our aim is to patch this jump instruction. We can do this either by replacing it with nop instructions or with another instruction that has the same byte code size. Here the byte code is 2 bytes long (74 20), so we can replace the jump either with two nop instructions or with another instruction whose byte code is the same size.
Now, for patching, seek to the address that will be patched. After that, run:
Command : wa nop;nop
Here we used two nop instructions because the byte code in the example is 2 bytes long. We can give any number of nop instructions, matching the size of the byte code being replaced.
Using another instruction
Before choosing any other convenient instruction, we have to make sure that the byte code size is the same for both instructions. Suppose we replace the jump instruction from the example with another jump instruction; the command to use is
Command : wa jmp 0x8087560
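To make the size rule concrete, here is an added example (not code from the radare2 project or from this page): a small Python stand-in for the seek-and-write step, run on a constructed byte buffer holding the two instructions from the listing above, with 0x08049174 assumed to be the address of the first byte.

```python
# Constructed sample, not taken from a real binary: the two instructions shown
# in the text (test eax, eax ; je 0x20 ahead); 0x08049174 is assumed to be the
# address of the first byte.
BASE_ADDR = 0x08049174
SAMPLE = bytes.fromhex("85c0" "7420")
NOP = b"\x90"


class PatchError(Exception):
    """A patch that would not be a safe in-place replacement."""


def patch_bytes(image: bytes, base: int, addr: int,
                expected: bytes, replacement: bytes) -> bytes:
    """Copy of image with `expected` at addr replaced by `replacement`.

    Stand-in for `s addr` followed by `wa ...` in r2, with the two checks a
    careful patcher wants: the bytes at addr really are the instruction we
    mean to patch, and the replacement has the same encoded size, so the
    instructions after it keep their addresses.
    """
    if len(replacement) != len(expected):
        raise PatchError(f"size mismatch: {len(expected)} byte(s) at {addr:#x}, "
                         f"{len(replacement)} byte(s) in replacement")
    off = addr - base
    if off < 0 or off + len(expected) > len(image):
        raise PatchError(f"address {addr:#x} is outside the image")
    found = image[off:off + len(expected)]
    if found != expected:
        raise PatchError(f"bytes at {addr:#x} are {found.hex()}, not {expected.hex()}")
    return image[:off] + replacement + image[off + len(expected):]


def nops(size: int) -> bytes:
    """What `wa nop;nop` (size copies) assembles to: one 0x90 per byte covered."""
    return NOP * size


def short_jmp(rel8: int) -> bytes:
    """x86 `jmp short rel8` (eb xx): 2 bytes, the same size as `je rel8` (74 xx)."""
    if not -128 <= rel8 <= 127:
        raise PatchError("target too far for a 2-byte short jump")
    return b"\xeb" + (rel8 & 0xFF).to_bytes(1, "little")


def near_jmp(rel32: int) -> bytes:
    """x86 `jmp rel32` (e9 + 4 bytes): 5 bytes, so it cannot replace a 2-byte je."""
    return b"\xe9" + (rel32 & 0xFFFFFFFF).to_bytes(4, "little")
```

Patching the je at 0x08049176 with nops(2) or short_jmp(0x20) succeeds, while near_jmp(...) is refused because it would overwrite the instruction that follows.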