Installation

If you haven't already, you can install Radare2. (Note: these commands assume you are running as root.)

git clone https://github.com/radare/radare2.git
cd radare2
sys/install.sh

Learning Radare2

The "Book" is the authoritative and relatively complete guide to Radare2.

Start radare2 by grabbing a random CTF binary and running:

radare2 random_ctf_binary

Feel free to grab the crackme-0x00 challenge. A good chunk of that writeup was just me learning Radare2.

Commands

The CLI: Basic Commands

  • aaaa - analyze all sections, autoname, and perform "additional experimental analysis". This is the first thing you should do when opening a file. The output is pretty meaningless, so just keep on going.
  • afl - analyze function list. Shows list of functions and symbols, both those contained within the file, and those that are externally imported from libraries. Symbols are prefaced with "sym." and imported functions are prefaced with "imp.".
  • s - seek. Controls what Radare is looking at. For example, to output the assembly instructions of the "main" function, you must first s main, then run afl.
  • s- - seek back. If you seek somewhere, then decide you need to return to where you were previously, use this command. Running it repeatedly lets you keep rewinding. The address Radare has seeked to is shown on the prompt.
  • pdf - print disassemble function. Shows the assembly instructions of whatever address you've seeked to -- the address shown on the prompt. Alternatively, append @ and an address/symbol to disassemble that function.
  • v or V - visual mode. Seemingly no difference between these two things. Sends you into a random visual mode, but I think it starts with a hexdump, or alternatively puts you back into whatever view you were in.
  • q - quit. Exit Radare.
  • / - search for a string. If your binary prints a string (like "Wrong password!") use this to locate that string and start your analysis there.

Visual mode

After using v (or V) to get into Visual mode, these commands get you around:

  • p / 'P' - switch forward/backward through a cycle of views -- hexdump -> disassembly -> debugging (disassembly with hexdump and registers) -> hexdump (with words) -> hexdump as a C buffer -> hexdump with hideous colors -> hexdump with symbols and things? -> (back to the beginning)
  • [space] - jump to a graphical view of basic blocks. If you get a "Not in a function. Type 'df' to define it here" error, you may have forgotten to run aaaa first or you may need to seek to a function first (try s main).
  • q - Go back to the CLI prompt.
  • : - Run a CLI command while in Visual Mode. Hit [Enter] to return to Visual mode.
  • + or - - zoom in/out. Makes the basic blocks bigger and smaller.
  • 0 - zoom back to normal scale.
  • ' (apostrophe) - Enables/disables autogenerated and user-created comments?
  • ';' (semicolon) - inserts a user-generated comment at wherever you've seeked to
  • up/down/left/right or kjhl - moves the view up, down, left, or right (respectively)
  • g - go to. CALL and JMP instructions will often have a hotlink to the section of code they're referencing. For example, if you see ;[x], you can use gx to seek there. (Note: This changes where you've seeked to for all other commands, including the CLI.)

Debugging

This only works if you restart Radare2 with the -d flag apparently?

  • db - debugger breakpoint. Use it alone to list the current breakpoints, or ...
  • db [addr/sym] - create a breakpoint at this address/symbol: db main, or ...
  • db -[addr/sym] - remove a breakpoint at this address/symbol: db -main
  • dbd / dbe - disable/enable breakpoint. Temporarily turn off a breakpoint. You can't use db to enable a disabled breakpoint, you must use dbe.
  • dc - Execute the instructions in the file. Use CTRL-C to stop.
  • dr - Show CPU registers, or ...
  • dr [reg]=[value] - Set CPU register: dr eax=0

Weird things that are kinda handy

  • Use ? to see all the ways to represent something.
  • Try ? 10 to see what the decimal value 10 appears as in: decimal, hexadecimal, octal, a file size in bytes/kilo/mega/gigabytes, a 64-bit value, signed decimal, a string, binary, a float, a double-float (?), and something else that looks like a float (?)
  • Try ? eip to see what the EIP register contains, and all the different formats
  • Use s while debugging in VV mode to step to the next instruction.
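As an added example (not from these notes and not radare2's own code), here is a Python approximation of the conversions behind ? 10: the float and double lines reinterpret the integer's raw little-endian bit pattern as IEEE-754 values, which is why ? 10 shows a tiny float rather than 10.0. The field names and the size-unit formatting are my assumptions, not radare2's exact output.

```python
import struct

def human_size(n: int) -> str:
    """Render n bytes in size units (assumed format: 10, 4K, 1M, 2G)."""
    for shift, suffix in ((30, "G"), (20, "M"), (10, "K")):
        if n >= (1 << shift) and n % (1 << shift) == 0:
            return f"{n >> shift}{suffix}"
    return str(n)

def describe_value(text: str) -> dict:
    """Approximate the table that `? <expr>` prints for a plain integer.

    Accepts the literal styles int(x, 0) does: 10, 0x1a, 0o12, 0b1010, -1.
    """
    n = int(text, 0)
    u64 = n & 0xFFFFFFFFFFFFFFFF          # two's-complement 64-bit view
    u32 = n & 0xFFFFFFFF                  # low 32 bits only
    raw32 = struct.pack("<I", u32)        # little-endian bytes, as on x86
    raw64 = struct.pack("<Q", u64)
    return {
        "decimal": n,
        "hex": hex(u64),
        "octal": "0" + oct(u64)[2:] if u64 else "0",
        "binary": "0b" + format(u64, "b").zfill(8),
        "unit": human_size(u64),
        "int32": struct.unpack("<i", raw32)[0],   # signed 32-bit reading
        "int64": struct.unpack("<q", raw64)[0],   # signed 64-bit reading
        # the "string" line is the little-endian bytes read as characters
        "string": raw64.rstrip(b"\x00").decode("latin-1"),
        # float/double reinterpret the bit pattern; they do not convert the number
        "float": struct.unpack("<f", raw32)[0],
        "double": struct.unpack("<d", raw64)[0],
    }

if __name__ == "__main__":
    for key, val in describe_value("10").items():
        print(f"{key:8} {val!r}")
```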

~/.radare2rc

You can create a .rc file that will be checked by radare2 on every startup. This allows you to tweak radare2 to be more to your liking. I don't know what half of these things do, but here's what seems to be popular with the cool kids:

# Show comments at right of disassembly if they fit in screen <---- Not sure what this actually does
e asm.cmtright=true

# Display stack and register values on top of disassembly view (visual mode) <--- Not sure what this actually does
e cmd.stack = true

# Solarized theme (change colors, woo?)
eco solarized

# ESIL EMU <--- NO IDEA what this means or does
e asm.emu=true
e asm.esil = true

# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true

# Make the arrows in the visual modes colored, I think?
e scr.pipecolor = true

# Use `less` when the output is too long for the screen
e scr.pager = less -R

# ???
e asm.describe = true 

# Sandbox settings
e cfg.sandbox=false

# Break on loader entrypoint
e dbg.bep   = loader

# Set Assembly syntax to Intel (default) vs att
e asm.syntax = intel

# Seek to the start of the main() function on startup
e scr.seek   = main

# Disable the distracting startup messages
e cfg.fortunes = false

# Run autoanalysis on startup
aaaa

Questions and/or Answers

Questions I think I know the answer to

  • Is there a difference between radare and radare2?
    • Commands like "ag" don't seem to work the same.
  • Was Radare2 a rewrite of Radare? An extension? Is Radare1 dead?
    • "r2 is a rewrite from scratch of radare..." -- https://github.com/radare/radare2
  • Can I have a .init file that automatically enables debugging, runs aaaa, runs s main, and runs db sym.main?
    • Yes, it's ~/.radare2rc.
  • How the hell do you pronounce Radare2? Do I need to say the 2?
    • There's no official way. I'm going to stick with "radar" (rhay-dahr). Since Radare1 is 10 years old, I assume the "2" is unnecessary at this point.
  • Why isn't Radare2 writing the modified binary out to disk? See "CRACKME0 (the patching solution)".
    • There appears to be a bug that silently causes Radare2 to fail when both write mode (-w) and debug mode (-d) are used together. Radare simply fails to change the file, presumably because the file is open for execution and debugging.

Questions I don't yet know the answer to

  • Can you eliminate the plethora of not-particularly useful visual modes?
  • Is there a way to turn on debugging without exiting and restarting Radare2?
  • WTF is dbg.bpinmaps that is referenced in the error when I try to set a debugging breakpoint while not having started Radare2 with the -d flag?
  • Is there a way to make it so Radare2 doesn't force me to quit out of both visual modes (BB and hexdump) to get back to a CLI?