Radare2 for Reverse Engineering, Debugging, and Editing Binaries

Radare2: What is it and How Can You Use it?

Radare2 is an open-source reverse engineering framework used for analyzing, debugging, and editing binary files. It is used primarily by security researchers and reverse engineers to explore the inner workings of software and other systems. Radare2 (or "radare") is written in C and assembles multiple tools including disassemblers, a debugger, and an interactive hexadecimal editor. The source code for Radare2 is available on Github:

https://github.com/radareorg/radare2

What Are the Benefits of Using Radare2?

Radare2’s powerful features make it an ideal tool for reverse engineering, debugging, and code analysis in both native and almost any type of executable file. For example, Radare2 can work on Linux ELF, Windows PE and Mach-O, as well as other supported binary formats. Radare2 is also ideal when a graphical environment is unavailable or if you prefer to operate in the CLI.

The main benefit of using Radare2 is that the user can perform detailed investigations into the binary file they are analyzing. As Radare2 has disassembler capabilities, it converts opcodes found in a raw binary and converts them to allow the user to examine the low-level assembly language instructions. This gives the user access to the file’s internal logic, which can be used to identify potential vulnerabilities. As an added bonus the, "r2ghidra" plugin, allows a reverse engineer to use the Ghidra disassembler, analysis and decompiler plugins within r2. This can be installed once in an r2 session via:

> r2pm -ci r2ghidra

Radare2 also supports a wide range of debugging features, such as breakpoints, trace execution, and variable monitoring. This makes it ideal for analyzing binaries that don’t accurately respond to normal debugging conditions. In addition, the hexadecimal editor in Radare2 allows for fast and efficient editing of the binary file without having to access external tools. At its most basic level, here's how you can begin debugging binaries...let's use the id command as an example:

$ r2 -d /usr/bin/nc -lvvvp 1337
> aaaa
> ia ~..
> afl
> db main
> db
> dc
> pdg
> v

Another example to attach to a running process:

$ /usr/bin/nc -lvvvp 1337 &
$ r2 -d $(pidof nc)
> aaaa
> ia ~..
> afl ~..
> db main
> db
> dc
> pdg
> v

Finally, Radare2 is a powerful tool for reverse engineering malware, as it allows for a more comprehensive view of the codebase, allowing for holes to be found in the malicious code.

Start Debugging with Radare2 by executing the following command:

$ r2 -d <path of binary>

Once inside an r2 session, I've found the following commands to be useful while debugging & reverse engineering:

?:
Display a list of commands.  For additional details you can append ? at the end of a command for more options (e.g. r?)

!:
Run a system command (e.g. !id)

aaa: 
Runs an 'analyze all' operation on the binary, which deconstructs all functions, variables, and strings and populates the r2 command's output. 

af: 
Determines the binary's architecture and calls the correct architecture-dependent analysis functions. 

afl:
List functions

axt: 
Locates the function's address, size, and its frame. 

/c?:
Search for crypto-related materials in memory :)

db:
List breakpoints

db main:
Set a breakpoint at the main function

dc: 
Executes the current instruction and displays the next instruction in assembly.
F2:
Toggle breakpoint

F4:
Run to Cursor

F7: 
Single Step   

F8:
Step Over   

F9:
Continue Execution

ia ~..:
Show all info for arch, imports, exports, sections, etc and pipe the output into less via ~..

pd: 
Disassemble the current function at a specified offset. 

pdga:
Side by side two column disasm and decompilation using the Ghidra decompiler.

r2pm:
Radare2 plugin manager

r2pm -U:
Initialize/update the database

r2pm -ci <plugin>:
Install a plugin for Radare2.  For example, install the Ghidra decompiler via: 
  > r2pm -ci r2ghidra

s main:
Seek (i.e. Jump to) the main function

sx: 
Display the symbolic version of the given address. 

agO: 
Gives a graphical view of a function, allowing the user to quickly navigate the functions and graph their interconnects.

v:
Enter panels mode (displays disassembly, stack, and registers by default).
  * h: for help
  * m: Highlight the menu - scroll via arrow keys
  * -: Split panels horizontally
  * |: to split panels vertically
  * <TAB>: switch active panes
  * <RIGHT CLICK ON ACTIVE PANE>: change the pane (e.g. registers, stack, pdg, disassembly, etc)
  * Once you have a layout you like, type m, highlight the File menu and Save Layout.  From there you can load in layout in future sessions.
  * If you load the layout to include pdg results, it may not load when you load the layout.  To fix this, highlight the decompiler window, right click on it, choose "Change Command of Current Panel" and type pdg to display its results.

V, Vv, or VV: Enter visual mode.
  * p: switch through different visual modes.

w:
Enter window mode - use the HJKL keys to resize the window panes in visual mode.  Press q when complete.

For more information on Radare2 usage see the following:

https://book.rada.re/first_steps/intro.html

For practice, "crackme" binaries are available here:

https://book.rada.re/crackmes/intro.html

Conclusion

Radare2 is a powerful open-source reverse engineering framework that can be used to analyze binary files, debug, and edit them. Radare2 offers powerful features such as a built-in disassembler, debugger, and hexadecimal editor. This makes it ideal for reverse engineering, debugging, and analyzing binary files. Additionally, Radare2 can be used to analyze malware for vulnerabilities. The above radare2 cheatsheet will get a user started with this powerful tool.