Basic notes. Introduction in radare2 (x86-64, Linux)

Before we start – Make sure you are using the latest version of radare2! Radare2 is actively developing and it is very important to have a fresh version.

Radar2 is a simple and flexible tool for reverse engineering. It is already able to do everything and friendly to user scripts.

First, let’s take some program for an example. I managed to find good training programs for reverse-engineering provided by wapiflapi. These programs will be used in future articles.

But first we need to learn basic radare2 commands, so download an example program:

cd /tmp

Don’t forget to give execution rights:

chmod +x ./r1

Now it is possible to open the file in radare2:

r2 ./r1

To show file information that has been recognized, use i command:

i          #   Show file info  (arch, format, size, mode, compiler, type and other)
class        ELF64                                                        # File format
compiler     GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2   # Where and by what it was compiled
lang         c					                           # Programming language that was used

i command provides access to a class of commands that search for information in a file. This is the same as rabin2 utility (but rabin2 uses commandline options, without interface).

To see all available commands, use a question mark at the end. The output is big, therefore I showed only three commands as an example:

i?         #   Usage: i   Get info from opened file (see rabin2's manpage)
iz|izj     #   Strings in data sections (in JSON/Base64)
izz        #   Search for Strings in the whole binary
izzz       #   Dump Strings from whole binary to r2 shell (for huge files)

A question mark can be used with anything you want:


Another class of commands is the class of file analysis commands. They create tags with additional information when disassembling a file and give names to functions so that they can be accessed by their name and not only by address:

a?         #   Class of analyze commands
aa?        #   Additional options for more advanced commands can be viewed using ?
aaa        #   (aa - analyze functions + bbs) + (aaa - autoname functions after aa)

Seek commands. Print current address:


We can step forward/backward or specify the address directly:

s+ 2                 #  Seek two bytes forward
s 0x004006d8	#  Go to 0x004006d8 Vaddr

Go to the main function. This is where the main code starts, after the runtime libraries are initialized:

s main

Print commands:

p?              # Print commands

Print the first three instructions:

pd 3
;-- main:
0x00400602      55                   push rbp
0x00400603      4889e5           mov rbp, rsp
0x00400606      4883ec10       sub rsp, 0x10

Print 5 bytes in hex at 0x00400602:

px 5 @ 0x00400602  # Show 5 bytes at the specified address

When there is another 8 byte (64 bit systems) address located by the specified address, it can be automatically dereferenced using square brackets. Something like [address] -> address -> content:

px 5 @ [some address or register that contains reference in reference]

Print bits:

pB 1         # Print bits of the first byte
pb 8          # Print bits at current position

Write commands. This requires an additional parameter – open a file in write mode:

w? 	                     # Write commands
r2 -w ./r1              # Run radare2 in write mode (Now it is possible to change, patch data and code in the program)
s 0x0040070a
px 2	                     # Print hex values
- offset -         0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0040070a  4f4b                                                      OK

Let’s rewrite this values. Characters are converted to its hexadecimal values by w command:

w NO         # Write string. The changes will be saved immediately
px 2
- offset -         0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0040070a  4e4f                                                     NO

To write hex sequence directly, use wb command:

wb e7a6

Type “V”. This enables visual mode:

V - visual mode
p/P keys - switch between visual modes
Press ? - show help in visual mode
: - type commands in visual mode, like s?, i? and others
radare2 visual mode
Visual mode selected by pressing ‘p’ 2 times. It is well suited for debug mode. We just browse a program, so all registers are empty

The other classes of commands can be shown using a question mark:

i[?] [file]      # get info about opened file from r_bin
P[?]             # project management utilities
and others

To print a pseudo-code in C, we need to analyze a program with aaa and make pdc command:

aaa			                           # Analyze the program
pdc @ sym.compare_pwd         # Show sym.compare_pwd function in pseudo C language
int strcmp("my_password_to_easy", -1)
var = eax & eax
if (var) goto 0x4005ea

    //CODE XREF from sym.compare_pwd (0x4005dc)
    rax = qword [s2]         //rsp
    rsi = rax                //rsp
    edi = st"password \"%s\" not OK\n"/0x4006f8 ; str.password___s__not_OK ; const char *format
    eax = 0
    int printf("password \"%s\" not OK\n")

Work with radare2 config variables. Here we can change radare2 settings, for example, the assembler syntax that should be used:

e?  			                # Evaluable vars
e??  			        # List vars with description
e asm.syntax=??		# print all valid values of var with description
att                                    # Linux familiar assembler syntax
intel                                 # Default value
masm                              # MASM - Microsoft Macro Assembler

Heh, there is even such a setting. But I’m not sure about its accuracy:

e asm.cycles=true   	   # Show CPU-cycles taken by instruction at disassembly

How about changing a theme (syntax highlight) of radare2?

eco                  # Show all available themes
eco pink          # Choose a theme
pink theme in radare2
Pink theme in radare2

I don’t know why I leave it here but in the new version of radare2 there are joke strings appear when radare2 starts, you can find all of them here or offer yours own as a contributor:           # Fortune strings

The next article will be about debugging mode in radare2. Good luck!