Sign In
Create Account
Posted by
Introduction
Before we start, you should know that is an advanced binary forensics tool. If you are not familiar with some lower level programming or have any kind of understanding about assembly, this isn't for you. There are links on this forum and website that will help you gain a better understanding of architecture and assembly, you should start there.
Radare stands for "Raw Data Recovery". This project was started by a programmer who goes by pancake. This tool has been gaining more and more attraction since 2009, it has been around since 2006. This is an open source free project that is maintained (now) by a community of loyal users. You can visit the official website here, https://www.radare.org. This tool is not only a "tool" but an entire framework that you can use and integrate into your own tools. This software had a full rewrite in 2009 to accommodate the community.
Installation
Do not use the system repositories, use the Github repo, https://github.com/radare/radare2. This is something the author even suggests for you to do. Using the system package mamager to install radare might leave you buggier and out of date. The following are the commands to be executed to install radare2. When you want to check for updates, you can run the sys/install.sh script.
git clone https://github.com/radare/radare2.git sys/install.sh sys/user.sh
Documentation
Any command in radare has help info along with it, simply put a question mark at the end of a command. For example:
[0x00400470]> s? Usage: s[+-] [addr] s 0x320 ; seek to this address s- ; undo seek s+ ; redo seek s* ; list undo seek history s++ ; seek blocksize bytes forward s-- ; seek blocksize bytes backward s+ 512 ; seek 512 bytes forward s- 512 ; seek 512 bytes backward s.hexoff ; Seek honoring a base from core->offset sa [[+-]a] [asz] ; seek asz (or bsize) aligned to addr sn/sp ; seek next/prev scr.nkey s/ DATA ; search for next occurrence of 'DATA' s/x 9091 ; search for next occurrence of \x90\x91 sb ; seek aligned to bb start so ; seek to next opcode sf ; seek to next function (f->addr+f->size) sC str ; seek to comment matching given string sr pc ; seek to register
OS Support
This project has support for all major operating systems:
File Format Support
- ELF
- Mach-O
- Fatmach-O
- PE
- PE+
- BIOS/UEFI
- Java class
- Android boot image
- Game Boy
- Nintendo DS
- Nintendo 3DS
Basic Commands
Some of the most basic things you will need to do is search addresses, display data and move around in binary files. For this part of the tutorial I will write a few basic C programs to help you get started with using some of these commands. The example C binaries and code can be found on my github here: https://github.com/t...lsunjester/code.
You will load the binary file simply by typing r2 followed by the binary name.
- a = analyze bytes
- s = seek
- pd = disassemble opcodes
- x = hex dumps
- / = string searches
- q = quit
Hello World
This will be a crash course into using r2 and some of it's other tools. The code we will be analyzing here is the hello.c file in the git repo mentioned above (https://github.com/t...aster/c/hello.c). You can also find the binary in the repository as well. The first thing we are going to do is use rabin to check the files headers. You can use the -I flag (capital 'i', not an l).
(xenial)sunjester@localhost:~/Downloads/code/c$ rabin2 -I hello file /home/sunjester/Downloads/code/c/hello type EXEC (Executable file) pic false has_va true root elf class ELF64 lang c arch x86 bits 64 machine AMD x86-64 architecture os linux subsys linux endian little strip false static false linenum true lsyms true relocs true rpath NONE
Next, let's load it into radare.
(xenial)sunjester@localhost:~/Downloads/code/c$ r2 hello
You will be at a prompt that has an address at the beginning of it. Now, analyze the binary. When you analyze a binary you can use multiple a's. I use aae, but a simple a or even two aa's should be sufficient enough. aae means it will analyze and emulate the binary. Depending on how large the binary file is, depends on how long it will take to analyze. This is a simple hello world c program, so it should be almost instant. When it is done, it will just drop you to a new line at the same address.
[0x00400430]> aae [0x00400430]>
Now, since I know there is a nice small main function, we can move to that main function (and most of the time in any binary c program) using pdf @main. the pdf command disassembles a function that you give it. Since I knew the name of the function was main and 99.99% of all programs have a main function, it disassembled the function and showed me the disassembly.
[0x00400430]> pdf @main / (fcn) sym.main 21 | 0x00400526 55 push rbp | 0x00400527 4889e5 mov rbp, rsp | 0x0040052a bfc4054000 mov edi, str.helloworld | 0x0040052f e8ccfeffff call sym.imp.puts | sym.imp.puts(unk) | 0x00400534 b800000000 mov eax, 0x0 | 0x00400539 5d pop rbp \ 0x0040053a c3 ret
Above is out disassembled main function. You can see the addresses and even our string we have in the code "hello world", denoted by str.helloworld. We can move to that strings location using the seek command (s).
[0x00400430]> s str.helloworld
You can also seek up and down by using the dash (minus) or plus signs. s- willmove you down one, s+ will move you up one, as show in the code block below. If you simply type s you will be given the current stack address you are sitting at.
[0x004005c4]> s- [0x00400430]> s+
You will notice that the address at your prompt has now changed to the address where the string is sitting. You can use pd to show the bytes, I will show the next 10 instructions from the string using pd 10. You can also just show the instruction you are currently at by using pd 1.
[0x004005c4]> pd 10 ;-- str.helloworld: 0x004005c4 .string "hello world" ; len=12 ; [16] va=0x004005d0 pa=0x000005d0 sz=52 vsz=52 rwx=-r-- .eh_frame_hdr | ;-- section..eh_frame_hdr: | 0x004005d0 011b add [rbx], ebx | 0x004005d2 033b add edi, [rbx] | 0x004005d4 3400 xor al, 0x0 | 0x004005d6 0000 add [rax], al | 0x004005d8 0500000020 add eax, 0x20000000 0x004005dd fe invalid 0x004005de ff invalid 0x004005df ff8000000060 inc dword [rax+0x60000000] 0x004005e5 fe invalid
Searching for Strings
It is a common thing to search for strings. We can search using the /i command, the 'i' means insensitive. You can also search using wide and other things. To see a list, don't use the question mark, /?.
[0x004005c4]> /i hello Searching 5 bytes from 0x00400238 to 0x004005c4: 68 65 6c 6c 6f hits: 1 0x004005c4 hit0_0 "hello world"
When you search and radare finds something it stores it as a hit. To view the hit use the s command and the hit it found, as shown int he code block below. Since we are sitting in the spot we are looking for, our prompt didn't change (if you have been following along).
[0x004005c4]> s hit0_0 [0x004005c4]> pd 1 ;-- hit0_0: 0x004005c4 .string "hello world" ; len=12
Another way of searching for all the strings is by typing iz, for example, after loading and emulating a binary:
[0x004007c0]> iz [Strings] Num Paddr Vaddr Len Size Section Type String 000 0x00000ce8 0x00400ce8 34 35 (.rodata) ascii \n Error : Could not create socket 001 0x00000d0b 0x00400d0b 25 26 (.rodata) ascii \n inet_pton error occured 002 0x00000d25 0x00400d25 25 26 (.rodata) ascii \n Error : Connect Failed 003 0x00000d3f 0x00400d3f 28 29 (.rodata) ascii \n Usage: %s <ip of server> \n 004 0x00000d5c 0x00400d5c 17 18 (.rodata) ascii [*] Audit Started 005 0x00000d6e 0x00400d6e 9 10 (.rodata) ascii Microsoft 006 0x00000d78 0x00400d78 11 12 (.rodata) ascii [*] NOT IIS 007 0x00000d88 0x00400d88 31 32 (.rodata) ascii Requested Range Not Satisfiable 008 0x00000da8 0x00400da8 15 16 (.rodata) ascii [!!] Looks VULN 009 0x00000db8 0x00400db8 38 39 (.rodata) ascii The request has an invalid header name 010 0x00000ddf 0x00400ddf 17 18 (.rodata) ascii [*] Looks Patched 011 0x00000df8 0x00400df8 52 53 (.rodata) ascii [*] Unexpected response, cannot discern patch status
Conclusion
I hope this will help you along in your quest for becoming a better programmer and hacker.
