Radare2 Windows Download

[Shari Alvine]

Tostart off I want to say I am a Linux person. I use it all the time for development. The command-line is amazing and very streamlined for computer-science related tasks. While I feel this way, there are those who do not and would prefer to use a Windows environment instead. So I want to show two things in this article, how to install and use radare2 for Windows, and also how to debug applications using radare2.

To change your $PATH variable you can do it one of two ways. You can use the Windows GUI to change it by going to System Properties -> Advanced -> Environment Variables, click on the Path variable and click Edit. Then you can add the directory leading to your radare2 files.

Now that we have Radare2 installed we can move on to our tutorial on debugging. If you do not know what debugging is, it is essentially running the program and pausing at each assembly instruction. It allows you to see dynamically what is going on under the hood and is often times easier than static analysis. However when analyzing malware it is safer to perform static analysis since the file is not actually running. If you want to debug malware, since it is an important part of the analysis process, then you should do it in a Virtual Machine.

We should start by running the program to see what it expects from us and go from there. When we boot up the program we see it prompts us for a password. If we try to guess the password we are shown a message telling us that we are wrong. Not too complex, we just need to find out what the password is.

Then we can run the program using the F9 key. Radare2 will automatically stop us when a blank command prompt comes up, so we need to go back into radare2 and hit F9 again. We will then need to input our string and hit ENTER, we will then stop at the breakpoint we just created.

We then see that we move the length of our string [ebp-0xc] into eax and start a loop that goes through each character in the string. As we step a little further through this we notice that the last letter of our string is placed into eax and the value in [ebp-1] is placed into ecx. We then xor the two values together to start the process of encrypting our string.

This has been a very basic info using the Radare2 debugger on Windows. I personally prefer using x64dbg when I debug applications, but this was a fun learning experience. As always if I did something wrong or there is some way I can improve then please feel free to reach out and tell me. You can contact me at my LinkedIn or my Twitter.

At this point, I decided to try and use the Windows binary instead. I went to the download page and downloaded the windows binary, then unpacked it into my AppData programs folder. I then opened that folder and double-clicked on radare2.exe. This made a quick blip on the taskbar like a window was trying to open, which also immediately closed.

I went and experimented a little, including installing to a Linux VM using the git clone method. I have found that the windows binary is the way to go for this. to use it, unpack the downloaded binary, then open CMD/PowerShell in the radare2 directory, then run bin/radare2.exe or bin/r2.bat. You will need to manually add these to the path, though.

I assume that you have some fundamental knowledge about computer arquitectures and know some basic asm instructions such as mov, push and such. I also assume that you already know what radare2 is and thus want to finally learn how to use it.

Another command of our interest may be the iz one. That will list all of the strings contained within the data section of the program (izz will list strings in the whole file). That command is specially useful when dealing with simple crackmes (so we can identify hardcoded passwords).

The first thing that we have to understand here is that, we are inspecting main, and main is a function, so it has to return to somewhere and it may receive arguments or need space for local variables, operations related to those aspects are performed at the beggining and the end of the code.

Update (2020): Since writing this article, it has become, in a way, the go-to tutorial for learning radare2. Your feedback was amazing and I am very happy for the opportunity to teach new people about radare2.

A lot has changed since I wrote this tutorial, both with radare2 and with me. I am now, for several years, a core member in the radare2 team and a maintainer of Cutter, a modern, GUI-based, reverse engineering framework that is powered by radare2.

rabin2 allows extracting information from binary files including Sections, Headers, Imports, Strings, Entrypoints, etc. It can then export the output in several formats. rabin2 is able to understand many file formats such as ELF, PE, Mach-O, Java CLASS.

As I said before, the goal of this tutorial is to teach radare2 and present some of its capabilities, not to teach assembly. Therefore I will not go through the code deeply and explain what it does. The binary is really simple, you should get it even with a basic understanding of reverse engineering.

radare2 is equipped with a very strong and efficient suite of Visual Modes. The Visual Mode is much more user-friendly and takes the reversing experience using r2 to a whole new level. Pressing V will bring us to the Visual Mode screen. Use p/P to change between modes. At the top of the screen you can see the command which was used to generate the view. Navigate to the disassembly view using p. To go back from a specific screen, press q.

As in similar disassemblers, radare2 has a Graph view. You can access Visual Graph mode from your shell by running VV, move Left/Down/Up/Right using the arrows or h/j/k/l and jump to a function using g and the key shown next to the jump call (e.g gd).

Hence, 128 bytes are allocated for the buffer in the stack, the next 4 bytes would be the saved ebp pointer of the previous stack frame, and the next 4 bytes will be the return address, this sums up to 136.

Cutter is a Qt and C++ GUI for radare2. Its goal is making an advanced, customizable and FOSS reverse-engineering platform while keeping the user experience at mind. Cutter is created by reverse engineers for reverse engineers.

Above, we can see that the file mini.dmp contains 13 stream and is of the file type MiniDuMP (MDMP). For additional information on the basics of the MDMP format you can refer to a great blog post by Brendan Dolan-Gavitt.

It should be noted that the flags above portray the information that will be written to the MDMP file. Therefore, certain flags are required to perform different types of analysis.An astute reader will notice that the NumberOfStreams matches that reported by the file binary. Using the NumberOfStreams and StreamDirectoryRVA it is possible to print out the list of directory structures.

The module list contains the information about loaded binaries and libraries. For this process dump there are 202 modules, it is most likely that the first one is the executable while the rest are libraries.

The MDMP plugin parses the streams into information that can then be presented within radare2. While this is beneficial, parsing the data sections can be slow, therefore loading times can be decreased with the -z parameter, which prevents the loading of strings.

The best way to demonstrate the capability of this plugin is by example. The process dump mini.dmp is that of explorer.exe that was originally obtained due to some suspicious unknown module hooks. The sections list contains all of the mapped executables and DLLs, with a simple grep, it is possible to confirm that the dump is indeed for explorer.exe:

One of the hooked functions in question is InternetReadFile of hook type EAT (Export Address Table). Thus the function should be visible in the export table for the library that has been hooked. A quick grep through the exports reveals the DLL:

Yes. Furthermore, there is an immediate value that is moved to ecx and then pushed to the stack as the first argument for the function call 0x40a0000. A few variables look like they could be of interest (memory addresses?) at the offset stored in ecx.

Carving binaries from a memory dump is an incredibly useful technique, especially when it comes to injected malware. Fortunately r2 makes very light work of such a technique [3]. To demonstrate this, a memory dump of hello.exe has been created and will be used for this example. For the sake of simplicity, we are going to carve this executable out of its MDMP file. This sample is part of the MDMP regression test suite and is available here, for those who wish to reproduce.

That is all there is to carving the binary from a memory dump, but in order to analyse the binary in r2 under isolation a little extra work is required. To be more precise, the section headers need patching to update their PointerToRawData and SizeOfRawData to that of the VirtualAddress and VirtualSize, respectively.

I have a cgywin executable file (shall be in PE format) and would like to disassemble it to get the assembly code on the text section using radare2, most of the examples disassemble per instruction instead of a whole file.

First, you have to understand that the pdf command is used to disassemble functions, so you first have to look for function starting points (I think that they are using symbols and some others heuristics to find it).

But, if you want a raw disassembly of a memory area, then pd is probably what you need. It disassembly blindly from the current address up to a certain windows of memory. If you want to disassemble at a precise address, then use pd @0xdeadbeef.

The free radare2 works as a multi-tool for exploring binarydata from the console. Like the unixy console tools that inspired it (bash,vim, grep) it can feel tricky one moment and too simplistic the next. Similarto those tools, radare2 can make the impossible possible. With extensiveprogramming language bindings throughr2pipe you canleverage your favorite programming language to explore binary files.

So now you have a way to go from compiled binary to the assembly that createdit. This is what reverse engineers do every day, but often with more complex32-bit and 64-bit executables. If you want to go deeper, start looking at theebook Radare2Explorationswhich has pointers to a lot of useful information and techniques.

3a8082e126