To start off I want to say I am a Linux person. I use it all the time for development. The command line is amazing and very streamlined for computer-science related tasks. While I feel this way, there are those who do not and would prefer to use a Windows environment instead. So I want to show two things in this article: how to install and use radare2 on Windows, and how to debug applications using radare2.
To change your $PATH variable you can do it one of two ways. You can use the Windows GUI to change it by going to System Properties -> Advanced -> Environment Variables, clicking on the Path variable and clicking Edit. Then you can add the directory containing your radare2 files.
Now that we have radare2 installed we can move on to our tutorial on debugging. If you do not know what debugging is, it is essentially running the program and pausing at each assembly instruction. It lets you see dynamically what is going on under the hood and is often easier than static analysis. However, when analyzing malware it is safer to perform static analysis, since the file is not actually running. If you want to debug malware, which is an important part of the analysis process, then you should do it in a virtual machine.
We should start by running the program to see what it expects from us and go from there. When we start the program we see that it prompts us for a password. If we try to guess the password we are shown a message telling us that we are wrong. Not too complex: we just need to find out what the password is.
Then we can run the program using the F9 key. radare2 will automatically stop when a blank command prompt comes up, so we need to go back into radare2 and hit F9 again. We then input our string and hit ENTER, and execution stops at the breakpoint we just created.
We then see that the length of our string, stored at [ebp-0xc], is moved into eax, and a loop starts that goes through each character in the string. As we step a little further we notice that the last letter of our string is placed into eax and the value at [ebp-1] is placed into ecx. The two values are then xored together to start the process of encrypting our string.
This has been a very basic introduction to using the radare2 debugger on Windows. I personally prefer using x64dbg when I debug applications, but this was a fun learning experience. As always, if I did something wrong or there is some way I can improve, please feel free to reach out and tell me. You can contact me on my LinkedIn or my Twitter.
At this point, I decided to try and use the Windows binary instead. I went to the download page and downloaded the Windows binary, then unpacked it into my AppData programs folder. I then opened that folder and double-clicked on radare2.exe. This made a quick blip on the taskbar, like a window was trying to open, which immediately closed.
I went and experimented a little, including installing to a Linux VM using the git clone method. I have found that the Windows binary is the way to go for this. To use it, unpack the downloaded binary, then open CMD/PowerShell in the radare2 directory, then run bin/radare2.exe or bin/r2.bat. You will need to manually add these to the path, though.
Packaging (making an installation package available for end users) is always an issue, especially when the software gets updated often. A snap package for radare2 is in the works, and in this post we see how to use it. The package is currently in beta; when it gets out of beta, come back here for updated usage instructions.
Use the command snap info radare2 to inspect the radare2 snap package. There is a snap package in the edge channel, for radare2 4.5.0. It is 15MB and can be used with the special devmode (developer mode). devmode is important at this stage because radare2 does all sorts of things to running binaries, and devmode disables most of the security protections over the snap package. That is, with devmode we allow radare2 almost full access to our computer in order to perform its magic.
Currently, radare2 is available as an edge snap package that works in devmode security confinement (developer mode). Refer back to this section for updated instructions when radare2 is out of edge/devmode.
Snap packages that work in devmode security confinement do not appear in search results when you search for them in the Snap Store. To find information about this snap package, run snap info radare2. See the section below on this.
This command installs the radare2 snap package from the edge channel, using the devmode (developer mode) security confinement type. devmode confinement disables the restrictions that are applied to typical snap packages, so the package works much like an APT or RPM package.
Run the following command to get information about the radare2 snap package. You can see the list of available commands and how to invoke them. There are packages in the beta and edge channels, currently with radare2 4.5.0. The build number in this example is 5; it is an ascending number that identifies each new build. We have installed radare2 4.5.0 from build 5, using the devmode security confinement, and we are tracking the edge channel. Since the installed build number is the same as the build number in the channel we are tracking, we are already running the latest available version.
We strongly recommend you use FLARE VM within a virtualized environment for malware analysis to protect and isolate your physical device and network from malicious activities. We assume you already have experience setting up and configuring your own virtualized environment. Please create a new virtual machine (VM) and perform a fresh installation of Windows. FLARE VM is designed to be installed on Windows 7 Service Pack 1 or newer, so you can select the version of Windows that best suits your needs. From this point forward, all installation steps should be performed within your VM.
Congratulations! You have successfully installed FLARE VM. At this point we recommend you power off the VM, switch the VM networking mode to Host-Only, and then take a snapshot to save a clean state of your analysis VM.
While we attempt to make the tools available as shortcuts within the FLARE folder, several are available from the command line only. Please see the online documentation for the most up-to-date list. Here is an incomplete list of some major tools available on FLARE VM:
The FLARE team continues to support and improve FLARE VM to be the de facto distribution for security research, incident response, and malware analysis on the Windows platform. We greatly appreciate the numerous bug reports, tool requests, and feature recommendations from everyone. We hope FLARE VM, along with many other FLARE open source projects, can help you do your work better, easier, and faster.
Hello,
I have participated in the forum for a short time and learned a lot of interesting things.
I am currently a student and a newbie learning about RE / malware.
I ran into a question when I used Linux and installed Wine to run OllyDbg. The problem is probably in Wine. I understand that Wine is a Windows platform emulator; is that correct? If true, when I open Wine with a crackme (PE), this causes an error. It says that this file is only executable on Windows 32. I think I was wrong because Wine did not emulate Windows. I want to ask if my thoughts are true: Wine does not emulate the Windows platform, it just emulates the folders so that the programs on Windows understand and execute them.
It would be great if you could give me some tips on what is needed for a beginner like me, be it documentation, knowledge or some specialized tools.
Thanks for your care. (Sorry for my bad English.)
Thanks @dtm, I think it should be Linux malware.
Hi @aaSSfxxx, I have heard about IDA, which is a great tool. I will learn more about radare2.
I might as well ask about some programs that display other information as if they were packed. I remember seeing a write-up on a binary where they used DIE. Could you share some of the support tools for these tasks?
Thank you.
When writing assembly, there may be times when you need to see what's actually going on under the hood. If you are troubleshooting custom shellcode, you need to work through the instructions patiently and deliberately.
If you already have radare2 installed, make sure you are running a recent version. The tool is actively maintained and regularly updated, and some bugs in releases prior to June 2022 prevented this example from working.
Evaluable Strings Intermediate Language (ESIL) is used by radare2 to abstract the instructions from the hardware and create a way to "execute" machine instructions regardless of the underlying hardware. This is ideal for executing non-native assembly instructions in an emulated environment.
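An added example, not code from the original post or from radare2, serving both the ESIL description above and the xor loop from the Windows debugging walkthrough earlier: a small Python evaluator for the ESIL subset that loop needs, then the loop replayed through it. The stack frame layout (string at ebp-0x20, its length at ebp-0xc, the key byte at ebp-1), the loop counter register and the sample string are constructed assumptions.

```python
# Added example, not code from the original post or from radare2: a tiny evaluator for the
# ESIL subset needed to replay the xor loop above. ESIL is comma-separated reverse-Polish
# text: radare2 emits "ecx,eax,^=" for `xor eax, ecx`, "0xc,ebp,-,[4],eax,=" for
# `mov eax, [ebp-0xc]`. Flags ($z, zf, ...) and the other operators are left out here.
BINOPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
          "^": lambda a, b: a ^ b, "&": lambda a, b: a & b, "|": lambda a, b: a | b}
MASK = {1: 0xFF, 2: 0xFFFF, 4: 0xFFFFFFFF}  # operand widths modelled

class EsilVM:
    def __init__(self, regs):
        self.regs, self.mem = dict(regs), {}  # 32-bit registers; byte-addressed memory

    def load(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def store(self, addr, size, val):
        for i, b in enumerate((val & MASK[size]).to_bytes(size, "little")): self.mem[addr + i] = b

    def run(self, esil):  # execute one ESIL expression, return the register file
        stack = []
        def pop_val():  # a stacked token is a register name or a numeric literal
            tok = stack.pop(); return self.regs[tok] if tok in self.regs else int(tok, 0)
        for tok in esil.split(","):
            if tok == "=":                      # src,dst,=      -> dst = src
                dst = stack.pop(); self.regs[dst] = pop_val() & MASK[4]
            elif tok.startswith("=["):          # val,addr,=[N]  -> mem[addr] = val
                size = int(tok[2:-1]); addr = pop_val(); self.store(addr, size, pop_val())
            elif tok.startswith("["):           # addr,[N]       -> push mem[addr]
                size = int(tok[1:-1]); stack.append(str(self.load(pop_val(), size)))
            elif tok.endswith("=") and tok[:-1] in BINOPS:  # src,dst,OP= -> dst OP= src
                dst = stack.pop(); self.regs[dst] = BINOPS[tok[:-1]](self.regs[dst], pop_val()) & MASK[4]
            elif tok in BINOPS:                 # x,y,OP         -> push (y OP x)
                y = pop_val(); x = pop_val(); stack.append(str(BINOPS[tok](y, x) & MASK[4]))
            else:
                stack.append(tok)
        return self.regs

def xor_loop(secret, key):
    # Constructed frame: string at ebp-0x20, its length at ebp-0xc, the key byte at ebp-1.
    vm = EsilVM({"eax": 0, "ecx": 0, "edx": 0, "ebp": 0x1000})
    vm.store(0x1000 - 0xc, 4, len(secret)); vm.store(0x1000 - 1, 1, key)
    for i, b in enumerate(secret): vm.store(0x1000 - 0x20 + i, 1, b)
    vm.run("0xc,ebp,-,[4],eax,=")              # mov eax, [ebp-0xc]        ; length
    for i in range(vm.regs["eax"]):
        vm.regs["edx"] = i                     # loop counter (register assumed)
        vm.run("0x20,ebp,-,edx,+,[1],eax,=")   # movzx eax, byte [ebp-0x20+edx]
        vm.run("1,ebp,-,[1],ecx,=")            # movzx ecx, byte [ebp-1]   ; key
        vm.run("ecx,eax,^=")                   # xor eax, ecx
        vm.run("eax,0x20,ebp,-,edx,+,=[1]")    # mov byte [ebp-0x20+edx], al
    return bytes(vm.load(0x1000 - 0x20 + i, 1) for i in range(len(secret)))
```

Because xor is its own inverse, running the loop a second time with the same key byte recovers the original string, which is why a single-byte xor "encryption" of a password gives no real protection.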
To find out more about how radare2 implements ESIL, check out the chapter in the online book on ESIL, available at:
To use ESIL to execute our shellcode we need to do the following:
1. Load our shellcode binary
2. Configure radare2 so that it knows how to interpret our shellcode binary correctly
3. Initialize ESIL
4. Set up registers as needed
5. Step through our assembly instructions to verify their functionality
Since it is just a binary blob, we need to tell radare2 what it is we're looking at after we load it. Here we change some analysis and assembly settings so that we can correctly analyze our ARM file:
Whether you are troubleshooting custom shellcode or trying to verify what you are seeing statically, sometimes you just need to see what the instructions are actually doing. radare2 lets you load non-native assembly from an unknown file format (such as a shellcode binary file or a firmware image) and walk through the instructions step by step. If you want to learn more about ARM assembly, shellcode, and writing exploits for embedded Internet of Things systems, SANS SEC661: ARM Exploit Development is now available OnDemand and is also taught live throughout the year. For more information, check out -security-courses/arm-exploit-development/.