An Intro to Radare2

[briscars]

Introduction
Before we start, you should know that is an advanced binary forensics tool. If you are not familiar with some lower level programming or have any kind of understanding about assembly, this isn't for you. There are links on this forum and website that will help you gain a better understanding of architecture and assembly, you should start there.
Radare stands for "Raw Data Recovery". This project was started by a programmer who goes by pancake. This tool has been gaining more and more attraction since 2009, it has been around since 2006. This is an open source free project that is maintained (now) by a community of loyal users. You can visit the official website here, https://www.radare.org. This tool is not only a "tool" but an entire framework that you can use and integrate into your own tools. This software had a full rewrite in 2009 to accommodate the community.
Installation
Do not use the system repositories, use the Github repo,

This is something the author even suggests for you to do. Using the system package mamager to install radare might leave you buggier and out of date. The following are the commands to be executed to install radare2. When you want to check for updates, you can run the sys/install.sh script.

git clone 
[hide]https://github.com/radare/radare2.git[/hide]
sys/install.sh
sys/user.sh

Documentation

• https://radare.gitbooks.io/radare2book/

Any command in radare has help info along with it, simply put a question mark at the end of a command. For example:

[0x00400470]> s?
Usage: s[+-] [addr]
s 0x320    ; seek to this address
s-         ; undo seek
s+         ; redo seek
s*         ; list undo seek history
s++        ; seek blocksize bytes forward
s--        ; seek blocksize bytes backward
s+ 512     ; seek 512 bytes forward
s- 512     ; seek 512 bytes backward
s.hexoff   ; Seek honoring a base from core->offset
sa [[+-]a] [asz] ; seek asz (or bsize) aligned to addr
sn/sp      ; seek next/prev scr.nkey
s/ DATA    ; search for next occurrence of 'DATA'
s/x 9091   ; search for next occurrence of \x90\x91
sb         ; seek aligned to bb start
so         ; seek to next opcode
sf         ; seek to next function (f->addr+f->size)
sC str     ; seek to comment matching given string
sr pc      ; seek to register

OS Support
This project has support for all major operating systems:

• https://www.linux.com/what-is-linux (and https://www.android.com/)
• https://www.microsoft.com/en-us/windows
• https://www.apple.com/macos/
• https://blackberry.qnx.com/en (Blackberry)
• BSD and more..

File Format Support

• ELF
• Mach-O
• Fatmach-O
• PE
• PE+
• BIOS/UEFI
• Java class
• Android boot image
• Game Boy
• Nintendo DS
• Nintendo 3DS

Basic Commands
Some of the most basic things you will need to do is search addresses, display data and move around in binary files. For this part of the tutorial I will write a few basic C programs to help you get started with using some of these commands. The example C binaries and code can be found on my github here:

You will load the binary file simply by typing r2 followed by the binary name.

• a = analyze bytes
• s = seek
• pd = disassemble opcodes
• x = hex
• / = string searches
• q = quit

Hello World
This will be a crash course into using r2 and some of it's other tools. The code we will be analyzing here is the hello.c file in the git repo mentioned above (

.c). You can also find the binary in the repository as well. The first thing we are going to do is use rabin to check the files headers. You can use the -I flag (capital 'i', not an l).

(xenial)sunjester@ rabin2 -I hello
file    /home/sunjester/Downloads/code/c/hello
type    EXEC (Executable file)
pic     false
has_va  true
root    elf
class   ELF64
lang    c
arch    x86
bits    64
machine AMD x86-64 architecture
os      linux
subsys  linux
endian  little
strip   false
static  false
linenum true
lsyms   true
relocs  true
rpath   NONE

Next, let's load it into radare.

(xenial)sunjester@ r2 hello

You will be at a prompt that has an address at the beginning of it. Now, analyze the binary. When you analyze a binary you can use multiple a's. I use aae, but a simple a or even two aa's should be sufficient enough. aae means it will analyze and emulate the binary. Depending on how large the binary file is, depends on how long it will take to analyze. This is a simple hello world c program, so it should be almost instant. When it is done, it will just drop you to a new line at the same address.

[0x00400430]> aae
[0x00400430]>

Now, since I know there is a nice small main function, we can move to that main function (and most of the time in any binary c program) using pdf @ the pdf command disassembles a function that you give it. Since I knew the name of the function was main and 99.99% of all programs have a main function, it disassembled the function and showed me the disassembly.

[0x00400430]> pdf @
/ (fcn) sym.main 21
|           0x00400526    55           push rbp
|           0x00400527    4889e5       mov rbp, rsp
|           0x0040052a    bfc4054000   mov edi, str.helloworld
|           0x0040052f    e8ccfeffff   call sym.imp.puts
|              sym.imp.puts(unk)
|           0x00400534    b800000000   mov eax, 0x0
|           0x00400539    5d           pop rbp
\           0x0040053a    c3           ret

Above is out disassembled main function. You can see the addresses and even our string we have in the code "hello world", denoted by str.helloworld. We can move to that strings location using the seek command (s).

[0x00400430]> s str.helloworld

You can also seek up and down by using the dash (minus) or plus signs. s- willmove you down one, s+ will move you up one, as show in the code block below. If you simply type s you will be given the current stack address you are sitting at.

[0x004005c4]> s-
[0x00400430]> s+

You will notice that the address at your prompt has now changed to the address where the string is sitting. You can use pd to show the bytes, I will show the next 10 instructions from the string using pd 10. You can also just show the instruction you are currently at by using pd 1.

[0x004005c4]> pd 10
;-- str.helloworld:
0x004005c4     .string "hello world" ; len=12
;      [16] va=0x004005d0 pa=0x000005d0 sz=52 vsz=52 rwx=-r-- .eh_frame_hdr
|   ;-- section..eh_frame_hdr:
|   0x004005d0    011b         add [rbx], ebx
|   0x004005d2    033b         add edi, [rbx]
|   0x004005d4    3400         xor al, 0x0
|   0x004005d6    0000         add [rax], al
|   0x004005d8    0500000020   add eax, 0x20000000
0x004005dd    fe           invalid
0x004005de    ff           invalid
0x004005df    ff8000000060 inc dword [rax+0x60000000]
0x004005e5    fe           invalid

Searching for Strings
It is a common thing to search for strings. We can search using the /i command, the 'i' means insensitive. You can also search using wide and other things. To see a list, don't use the question mark, /?.

[0x004005c4]> /i hello
Searching 5 bytes from 0x00400238 to 0x004005c4: 68 65 6c 6c 6f
hits: 1
0x004005c4 hit0_0 "hello world"

When you search and radare finds something it stores it as a hit. To view the hit use the s command and the hit it found, as shown int he code block below. Since we are sitting in the spot we are looking for, our prompt didn't change (if you have been following along).

[0x004005c4]> s hit0_0
[0x004005c4]> pd 1
;-- hit0_0:
0x004005c4     .string "hello world" ; len=12

Conclusion
I hope this will help you along in your quest for becoming a better programmer and hacker.