Reverse engineering using Radare2

2 April 2023 6 minutes Author: Endpool

The basics of working with the Radare2 framework

A small excursion into history. The radare project was started by a hacker with the nickname pancake in 2006, and for a long time he was essentially the only developer. The created framework had a simple console interface to work as a hexadecimal editor supporting 64-bit architecture. This made it possible to find and recover data from hard drives. Therefore, it was also called a tool for computer forensic examination. But in 2010, the “redesign” of the framework took place, after which the project began to grow and be supplemented with new functionality, which allows you to use it not only as an editor, but also as a disassembler, analyzer and code and shell codes. At the moment, this framework is used by famous CTF teams (Dragon Sector) and virus analysts (MalwareMustDie and AlienVault), and the latter presents it at their Black Hat workshop. A fairly large list of radare2 users with examples is available on the project blog. In general, I will not be afraid of this word, the framework is slowly catching up with our beloved (and quite difficult to get) IDA.

For now, let’s consider its features, which have been developed at the moment. Radare2 is a binary analysis framework. It includes a large number of utilities. It first developed as a hex editor for data retrieval and recovery, then it grew into a functional and now powerful framework for data analysis. The main drawback that hinders the spread of the framework is the lack of a high-quality GUI. Radare2 is most often used as a reverse engineering tool, as an advanced disassembler.

Installing Radare2

To install Radare2, start by checking if this program is already present in the standard repositories of your distribution. For example, in Kali Linux, this program not only exists, but is also installed by default.

In Debian and derivatives, install using the command:

On Arch Linux and BlackArch, to install Radare2, run:

To install Radare2 on Linux distributions for which it is not available in the application sources, you need to clone the source code from GitHub and run the sys/ file:

Now let’s take a look at the binaries you downloaded earlier (or created yourself). The intro program displays the line “Hello World” when running in the console:

The code for this program is simple:

Radare2 comes with a very handy tool called rabin2. It can be used to extract information from a binary, this information will include: strings, compile time and other useful information. I usually use this before running any serious analysis, so I can get a general idea of what the program might be doing. I’ll start by adding the -I flag. This will give us important information about the binary.

An example of a conclusion:

This tells us that the program is designed to run on Linux and that it was written in the C programming language. We can also see that the bintype is “elf”. This is called a magic number and can help us find out what type this file (Linux binary) is. That’s all we need to know for now. The next command I like to use is rabin2-z. It will list all lines from the data section of this binary file. By running this command, we can see our “Hello World” line:

An example of a conclusion:

After that I sometimes follow up with rabin2 -zz which shows all the lines in the binary (not just the data section). It usually outputs quite a few lines. Sometimes there are important hidden lines, sometimes not. In the case of the debugger, there’s nothing interesting there, so we’re done with rabin2. You can see other rabin2 flags with the command:

There are many other interesting things that rabin2 can show, such as imports, exports, and code sections, but for this binary it is not particularly interesting. These commands can be useful when analyzing malware, but not for a simple program like this one. So now we can move on to actually running our program in radare2 to view the assembler code. We run the command:

It will upload our executable to radare2. The next step is to enable binary analysis in radare2. With its help, we will find such things as strings, functions and other important information that radare2 can show us during analysis, that is, we are not just digging into the Assembler code. To enable analysis, run the “aa” command. This is the basic analysis command for radare2. We also have “aaa” and “aaaa”, each analyzing more information than the last. At the moment, just “aa” is enough for us.

Now that our file is parseable, we can go to the section of the binary where the code is actually located. The “s” command in radare2 is used to “seek” a location in memory. It can either be used with a valid hex address or we can print the name of the function to be found. Since we know most Linux programs run from the “main” function, we can search

You will notice that the cursor address has changed from 0x00000540 to 0x0000064a. This means that the current address is now 0x0000064a and that we are in the main function. I like to analyze the code in radare2 visual mode (right now we are in command mode). To switch to visual mode, type “v” and press Enter.

What you are looking at now is the radare2 hex editor (yes, it has everything!). But this is not necessarily the code we want to see. Press “p” to change the view. The view will change to the “disassembly view” (disassembly view) and we will be able to see the assembler code of the program. Note that radare2 separates functions into small ASCII block types. The main function code looks something like this:

Now let’s go through the source code. Since this file is an x64 application, we can see that we are placing our “Hello World” string in rdi at memory address 0x0000064e. Then we call the “sym.imp.puts” (or “puts”) function, which is the same as “printf”. That is, this function will print our string. After that, the “nop” command does absolutely nothing (like the pass command in python), then we clean up and end the function using “pop rbp” and “ret”. Since our function has finished and since it is the main function, our program has also finished.

Even without running the app itself, we can tell that this app is outputting Hello World drain. This was a very simple application of radare2. In the next article, we will use radare2 to “hack” a simple program in the style of Capture the Flag (solving hacking tasks, when the proof of achieving the goal is to obtain information specially hidden by the author of the task – “Flag”)

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.