Introduction
Before we start, you should know that radare is an advanced binary forensics tool. If you are not familiar with lower-level programming or do not have any kind of understanding of assembly, this isn't for you. There are links on this forum and website that will help you gain a better understanding of architecture and assembly; you should start there.
Radare stands for "Raw Data Recovery". This project was started by a programmer who goes by pancake. The tool has been gaining more and more traction since 2009, although it has been around since 2006. It is a free, open source project that is maintained (now) by a community of loyal users. You can visit the official website here.
This tool is not only a "tool" but an entire framework that you can use and integrate into your own tools. The software had a full rewrite in 2009 to accommodate the community.
Installation
Do not use the system repositories; use the Github repo.
Documentation
Any command in radare has help info along with it: simply put a question mark at the end of the command. For example:
OS Support
This project has support for all major operating systems:
- (and )
- (Blackberry)
- BSD and more..
File Format Support
- ELF
- Mach-O
- Fatmach-O
- PE
- PE+
- BIOS/UEFI
- Java class
- Android boot image
- Game Boy
- Nintendo DS
- Nintendo 3DS
Basic Commands
Some of the most basic things you will need to do are searching for addresses, displaying data and moving around in binary files. For this part of the tutorial I will write a few basic C programs to help you get started with using some of these commands. The example C binaries and code can be found on my github here:
You will load the binary file simply by typing r2 followed by the binary name.
- a = analyze bytes
- s = seek
- pd = disassemble opcodes
- x = hex dumps
- / = string searches
- q = quit
Hello World
This will be a crash course in using r2 and some of its other tools. The code we will be analyzing here is the hello.c file in the git repo mentioned above.
Next, let's load it into radare.
You will be at a prompt that has an address at the beginning of it. Now, analyze the binary. When you analyze a binary you can use multiple a's. I use aae, but a simple a or even two aa's should be sufficient. aae means it will analyze and emulate the binary. How long the analysis takes depends on how large the binary file is. This is a simple hello world C program, so it should be almost instant. When it is done, it will just drop you to a new line at the same address.
Now, since I know there is a nice small main function, we can move to that main function (as you can in most binaries built from C programs) using pdf @main. The pdf command disassembles a function that you give it. Since I knew the name of the function was main, and 99.99% of all programs have a main function, it disassembled the function and showed me the disassembly.
Above is our disassembled main function. You can see the addresses and even the string we have in the code, "hello world", denoted by str.helloworld. We can move to that string's location using the seek command (s).
You can also seek up and down by using the dash (minus) or plus signs. s- will move you down one, s+ will move you up one, as shown in the code block below. If you simply type s you will be given the current stack address you are sitting at.
You will notice that the address at your prompt has now changed to the address where the string is sitting. You can use pd to show the bytes; I will show the next 10 instructions from the string using pd 10. You can also show just the instruction you are currently at by using pd 1.
Searching for Strings
It is a common thing to search for strings. We can search using the /i command; the 'i' means case insensitive. You can also search using wide strings and other things. To see a list, use the question mark: /?.
When you search and radare finds something, it stores it as a hit. To view the hit, use the s command with the hit it found, as shown in the code block below. Since we are already sitting in the spot we are looking for, our prompt didn't change (if you have been following along).
Another way of searching for all the strings is by typing iz, for example, after loading and emulating a binary:
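The whole hello-world walkthrough above (analyze, pdf @main, search with /i, list strings with iz) can be replayed without the interactive prompt using r2's -q and -c flags. This is an added example, not part of the original post or the author's repo; it builds its own constructed hello.c and assumes gcc and r2 are on PATH.

```shell
#!/bin/sh
# Added example: rebuild a small hello-world binary and run the tutorial's
# r2 commands in batch mode. Assumes gcc and radare2 (r2) are installed.
set -eu

WORK=${TMPDIR:-/tmp}/r2-hello-example
mkdir -p "$WORK"

# Constructed stand-in for the tutorial's hello.c (not the author's file).
cat > "$WORK/hello.c" <<'EOF'
#include <stdio.h>
int main(void) {
    puts("hello world");
    return 0;
}
EOF

build_hello() {
    gcc -o "$WORK/hello" "$WORK/hello.c"
}

# Run one or more r2 commands (separated by ';') against the binary and exit.
# -q: no prompt, quit when the commands finish; -e scr.color=0: plain text
# output so it can be grepped from a script.
r2cmd() {
    r2 -q -e scr.color=0 -c "$1" "$WORK/hello"
}

# The `iz` step: list the strings found in the binary's data sections.
list_strings() {
    r2cmd 'iz'
}

# The analyze + `pdf @main` step: aa is the "two a's" the tutorial mentions.
disasm_main() {
    r2cmd 'aa; pdf @ main'
}

# The `/i hello` step: case-insensitive search, hits are printed with their
# addresses (the same hits you would seek to with `s` interactively).
search_hello() {
    r2cmd '/i hello'
}

run_walkthrough() {
    build_hello
    list_strings
    disasm_main
    search_hello
}
```

Call run_walkthrough to print the three outputs in sequence; each helper can also be run on its own once build_hello has produced the binary.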
Conclusion
I hope this will help you along in your quest for becoming a better programmer and hacker.
Edited by sunjester, 27 December 2018 - 07:04 PM.