Radare2 Download


Tabita Knezevic
Aug 4, 2024, 9:56:38 PM
to tramanunprev
Update (2020): Since writing this article, it has become, in a way, the go-to tutorial for learning radare2. Your feedback was amazing and I am very happy for the opportunity to teach new people about radare2.

A lot has changed since I wrote this tutorial, both with radare2 and with me. I am now, for several years, a core member in the radare2 team and a maintainer of Cutter, a modern, GUI-based, reverse engineering framework that is powered by radare2.


rabin2 allows extracting information from binary files including Sections, Headers, Imports, Strings, Entrypoints, etc. It can then export the output in several formats. rabin2 is able to understand many file formats such as ELF, PE, Mach-O, Java CLASS.


As I said before, the goal of this tutorial is to teach radare2 and present some of its capabilities, not to teach assembly. Therefore I will not go through the code deeply and explain what it does. The binary is really simple, you should get it even with a basic understanding of reverse engineering.


radare2 is equipped with a very strong and efficient suite of Visual Modes. The Visual Mode is much more user-friendly and takes the reversing experience using r2 to a whole new level. Pressing V will bring us to the Visual Mode screen. Use p/P to change between modes. At the top of the screen you can see the command which was used to generate the view. Navigate to the disassembly view using p. To go back from a specific screen, press q.


As in similar disassemblers, radare2 has a Graph view. You can access Visual Graph mode from your shell by running VV, move Left/Down/Up/Right using the arrows or h/j/k/l and jump to a function using g and the key shown next to the jump call (e.g gd).


Hence, 128 bytes are allocated for the buffer on the stack, the next 4 bytes are the saved ebp pointer of the previous stack frame, and the next 4 bytes are the return address; this sums up to 136.


To start off I want to say I am a Linux person. I use it all the time for development. The command-line is amazing and very streamlined for computer-science related tasks. While I feel this way, there are those who do not and would prefer to use a Windows environment instead. So I want to show two things in this article, how to install and use radare2 for Windows, and also how to debug applications using radare2.


To change your $PATH variable you can do it one of two ways. You can use the Windows GUI to change it by going to System Properties -> Advanced -> Environment Variables, click on the Path variable and click Edit. Then you can add the directory leading to your radare2 files.


Now that we have Radare2 installed we can move on to our tutorial on debugging. If you do not know what debugging is, it is essentially running the program and pausing at each assembly instruction. It allows you to see dynamically what is going on under the hood and is oftentimes easier than static analysis. However, when analyzing malware it is safer to perform static analysis since the file is not actually running. If you want to debug malware, since it is an important part of the analysis process, then you should do it in a Virtual Machine.


We should start by running the program to see what it expects from us and go from there. When we boot up the program we see it prompts us for a password. If we try to guess the password we are shown a message telling us that we are wrong. Not too complex, we just need to find out what the password is.


Then we can run the program using the F9 key. Radare2 will automatically stop us when a blank command prompt comes up, so we need to go back into radare2 and hit F9 again. We will then need to input our string and hit ENTER, we will then stop at the breakpoint we just created.


We then see that we move the length of our string [ebp-0xc] into eax and start a loop that goes through each character in the string. As we step a little further through this we notice that the last letter of our string is placed into eax and the value in [ebp-1] is placed into ecx. We then xor the two values together to start the process of encrypting our string.


This has been a very basic intro to using the Radare2 debugger on Windows. I personally prefer using x64dbg when I debug applications, but this was a fun learning experience. As always, if I did something wrong or there is some way I can improve then please feel free to reach out and tell me. You can contact me at my LinkedIn or my Twitter.


People are often asking me why they should use radare2 instead of something else, so I decided to write this down. I think that a nice way to (partially) answer this question is to use a handy metaphor: text editors.


Radare2 is all about command line and cryptic shortcuts/commands, and just like vim, at the beginning, one is completely lost, spending all your time in insertion mode, trying to remember what gg=G is supposed to do, or how to undo the folding of the function you're looking at. But once you're used to it, once you saw the light, you're fast and efficient, everything seems logical, pleasant and well designed.


The community around those two software are a bit alike: they are fans of their tool, and will be vocal about this, which is sometimes often annoying to others: Why can't those people not shut up, why do they have to be so vocal and insist that we give a try at their cryptic tool from the past?


There are some GUI for vim, like GVim, or all the neovim ones, but most of the people are simply using vim in a terminal, because it's more convenient. Radare2 had gradare2, bokken, Ronin, radare2gui_dotnet, various web interfaces, and now Iaito/Cutter, but most of its power users are using radare2.


Binary ninja feels a bit clunky: there is this omnipresent feeling that things are missing or aren't completely dry yet. But if you take the time to write your plugins, or to use the ones from others, then you'll understand why its users are loving it so much.


For example, its Opaque predicate patcher plugin is amazing, and would be awful to write in pure r2 script. Even by using Python, for example via r2pipe, or IDAPython, doing the backward propagation to find if a given condition is constant would be horrible.


At the beginning of this blogpost, I used the term "partially answered", because a metaphor is rarely enough to provide a comprehensive answer, and there is an elephant in the room that needs to be mentioned: money.


Radare2 has a vibrant community, that does things mostly because they are fun, while IDA Pro and Binary Ninja have to make money: if you want a feature in radare2, you'll need to either convince someone to implement it for you, or to implement it yourself, while for the others, you can likely just throw a bunch of money at the developers to get it done. Worst case, the license is coming with technical support anyway.


This post is just a quick place to document a tip/tool that other malware analysts might find useful. As some of you may be aware, I occasionally teach FOR610: Reverse Engineering Malware. I love the class and on days 3-5 we talk about shellcode and discuss various ways of examining shellcode. Also, I've been doing malware analysis for quite a while and have primarily used IDA and OllyDbg (now, x64dbg, since Olly has been abandoned) for it, but I know some of my colleagues really like radare2. I've never had the time to learn radare2, but in a recent case at the $dayjob, I found some shellcode being executed by powershell. Rather than look at it in IDA, I decided to see what I could see in radare2. Since I do most of my analysis in Linux, being able to do this quickly from the command-line was very attractive. I was able to extract the shellcode as a binary file and with a few minutes of research found that the following one-liner did the job. I figured, this might be of interest to other analysts who haven't used radare2 much either, so here you are.


Note, the switches to the r2 command are -a x86 -b 32 because this shellcode is 32 bit x86 code, -q to just do the disassembly and quit, -c pd to print the disassembly, and, of course, the file containing the binary shellcode (foo.bin). I'm not going to spend any time here examining what the shellcode does. The purpose of this quick post was just to document one way to use radare2. If you want to learn more about how to deal with shellcode, come take FOR610 with us.


This is an ongoing work in progress and reflects various material obtained while studying how to use radare2. This wiki is constantly updated. Feel free to tweet to me if there is a tidbit I can include in here.


When writing assembly, there may be times when you need to see what's actually going on under the hood. If you are troubleshooting custom shellcode, you need to work through the instructions patiently and deliberately.


If you already have radare2 installed, make sure you are running a recent version. This tool is actively maintained and regularly updated. Also, there are some bugs prior to the June 2022 release that prevented this example from working.


Evaluable Strings Intermediate Language (ESIL) is used by radare2 to abstract the instructions from the hardware and create a way to "execute" machine instructions regardless of the underlying hardware. This is ideal for executing non-native assembly instructions in an emulated environment.



To find out more about how radare2 implements ESIL, check out the chapter in the online book on ESIL, available at:



To use ESIL to execute our shellcode we need to do the following:

1. Load our shellcode binary

2. Configure radare2 so that it knows how to interpret our shellcode binary correctly

3. Initialize ESIL

4. Set up registers as needed

5. Step through our assembly instructions to verify their functionality


Since it is just a binary blob, we need to specify what it is we're looking at after we load it into radare2. Here we change some analysis and assembly settings so that we can correctly analyze our ARM file:


Whether you are troubleshooting custom shellcode or trying to verify what you are seeing statically, sometimes you just need to see what the instructions are actually doing. Radare2 allows you to load up non-native assembly from an unknown file format (such as a shellcode binary file or a firmware image) and walk through the instructions step by step. If you want to learn more about ARM assembly, shellcode, and writing exploits for embedded Internet of Things systems, SANS SEC661: ARM Exploit Development is now available OnDemand and is also taught live throughout the year. For more information, check out -security-courses/arm-exploit-development/.
