radare.org

Radare2

R2Pipe

iaito

radare2

A free/libre toolchain for easing several low level tasks like forensics, software reverse engineering, exploiting, debugging, ...

It is composed by a bunch of libraries (which are extended with plugins) and programs that can be automated with almost any programming language.

Installation

It is recommended to install it from git, alternatively you can pick the last release (every 6 weeks) from Github.

Release builds are available here.

$ git clone https://github.com/radareorg/radare2 $ cd radare2 ; sys/install.sh

In case of build problems try the following:

$ sudo make purge $ rm -rf shlr/capstone $ git clean -xdf $ git reset --hard @~50 $ sys/install.sh

Features

- Batch, commandline, visual and panels interactive modes
- Embedded webserver with js scripting and webui
- Assemble and disassemble a large list of CPUs
- Runs on Windows and any other UNIX flavour out there
- Analyze and emulate code with ESIL
- Native debugger and GDB, WINDBG, QNX and FRIDA
- Navigate ascii-art control flow graphs
- Ability to patch binaries, modify code or data
- Search for patterns, magic headers, function signatures
- Easy to extend and modify
- Commandline, C API, script with r2pipe in any language

Usage

Radare2 can be used in many ways, from commandline or shellscripts by calling the individual tools:

$ rasm2 -a arm -b 32 -d `rasm2 -a arm -b 32 nop` $ rabin2 -Ss /bin/ls # list symbols and sections $ rahash2 -a md5 /bin/ls $ rafind2 -x deadbeef bin

All the programs are also accessible as commands inside r2:

$ r2 - > pa nop 90 > pad 90 nop

Those are some common commands you may use in your daily life:

$ r2 /bin/ls > aaa # analyze all the things > is # list symbols > afl # list functions found > pdf # disassemble function > s <tab># seek to address > v # enter visual panels mode

Debugger

The IO layer selected by the file URI when opening a file in r2 can be anything, from local file, remote r2 shell, a full disk, another process memory, etc.

To simplify things, the -d flag will use the dbg:// uri to spawn or attach to a process to read/write its memory, modify registers and inspect the execution flow. It's a low level debugger, don't worry, we don't try to replace gdb/lldb.

$ r2 -d gdb://127.0.0.1 > ds # step into > dso # step over > dr= # show registers in columns > dbt # show backtrace > dsu entry0 # continue until entrypoint > dr rax=33 # change value of register > pxr@rsp # inspect stack > drr # periscoped register values

Plugins

Using the integrated package manager you can easily install external plugins from different sources, most interesting ones are the native ghidra decompiler, the r2dec decompiler and the frida integration. But there are more!

$ r2pm update $ r2pm -i r2ghidra r2dec r2frida

Frida

The favourite in-process debugger/tracer for many people is also available within r2 after installing the r2frida plugin you may be able to attach/spawn to a local or remote program via usb or tcp and be able to read/write process memory in live.

One of the main benefits of using r2frida instead of frida is, despite not depending on Python, the fact that you can type short commands instead of typing multiple lines of Javascript.

- Access remote filesystems
- Modify filedescriptors
- Breakpoints (Like in DWARF)
- Load/Unload agent scripts as plugins
- Sybolicate from local bins, scripts or runtime info
- Supports macOS/iOS/Linux/Android/QNX/Windows

$ r2 frida:///bin/ls > :dc # continue the execution > :dd # list file descriptors > :dm # show process memory maps > :dmm # show modules mapped > :dl foo.so # load a shlib > :dt write # trace every call to 'write' > :isa read # find where's the read symbol located > :ii # list imports off the current module > :dxc exit 0 # call 'exit' symbol with argument 0

Documentation

Join the Telegram / IRC channels and feel free to ask anything. In addition you can read The Book but everything in r2 is self-documented (just append the '?' char) or read the manpages/-h:

You can use the HUD mode to interactively browse all the commands inside r2 using this oneliner:

$ r2 -Qc'?*~...' --