We'll be at hack.lu 2014

We are accepted at hack.lu, both for a talk and a workshop: three of our contributors (jvoisin, maijin and xvilka) will be in Luxembourg to spread to good word about radare2!

Talk

If you don't know radare2 yet, make sure to attend the talk, since it will explain what it is, why a tool like this is needed, and some examples about what it's possible to achieve with it: exploitation, firmwares, malwares analysis, ...

Workshop

If you already know radare2 (or attended the talk) and wish to know more about it and get your hands dirty, we'll be happy to show you some black-magic at the workshop! Feel also free to send us emails or brag on irc about what you wish to see/learn during this event.

See you in there ;)

Visual mode

One of the main complain we get about radare2 is that it has no GUI. Maybe we'll get one someday, but for now, if you don't like the CLI, you can use the visual mode, by entering V.

Like with very command in r2, you can get help with the ?. Also, notice the fact that the CLI-command to get the same result it displayed on the top of your terminal.

help

The visual mode comes in several fashion that you can cycle with the p key:

  • hex, the hexadecimal view
  • disasm, the disassembly listing
  • debug, the debugger
  • words, the word-hexidecimal view
  • buf, the C-formatted buffer
  • annotated, the annotated hexdump.

The mode can be really powerful when used during dynamic analysis, since it can display the stack, registers state and the disassembly listing in the same time. Use . to seek to eip, and Enter to follow address of the current jump/call.

visual debugger

If you're not used to radare2, you can use the HUD to quickly access your favorites commands by pressing the _ key. Just type some letters of your command, and press enter when it gets selected. You can even add your commands by edition the hud file in your R2HOME folder (Likely equal to ~/.config/radare2/hud).

HUD

Like in IDA, you can add comments with the ; key, toggl breakpoints with F2, single-step with F7, step-over with F8 and continue with F9.

You can also change the type of the current position with the d key, to define it as a string, data, code, a function, or simply to undefine it. For example: to rename a function just type 'dr' and then the new name. Othervise, you could hit v to get into the visual code analysis menu to edit/look closely at the current function.

The 'c' key toggles the cursor mode, which allows to select, copy, modify, insert new strings, assembler or hexpairs depending on the current view and selected column (use <tab> in the hexdump view to toggle between hex and strings columns).

There are some hidden pearls inside the Visual mode that allow you to configure the eval variables with the e key, or generate an ascii-art basic-block graph of the current function with V.

To jump around metadata like functions or strings, you can hit the t key, to select where you want to go. Cross-references (also known as XREF) and references are available respectively with the X and the x key.

xref Notice the fact that the main function is detected (top of the picture) as being called only once, by the entry0 function, which is the entrypoint of the binary.

Since most of the radare2 developers are using vim, you can find most of its shortcuts in visual mode, like hjkl to move around, g and G to go to the begining or the end of the file, i to insert, ...

And if you're lost, you can type classic r2 command with :, or if you're really scared, exit the visual mode with q.

All this information and more you can get also if press ? in visual mode.

Binary diffing

Yesterday, a new feature was pushed to radare2: offset-based function diffing. We'd like to take this opportunity to write a bit about radare2's diffing features before showing the shiny new one.

Let's take a copy of a cracked crackme as an example, and the true and false binaries.

Without parameter, radiff2 will by default show what bytes changed, and the corresponding offsets.

$ radiff2 genuine cracked
0x000081e0 85c00f94c0 => 9090909090 0x000081e0  
0x0007c805 85c00f84c0 => 9090909090 0x0007c805

$ rasm2 -d 85c00f94c0
test eax, eax  
sete al

Notice how the two jumps are noped.

For bulk processing, you may want to have a higher-overview of the differences. This is why radare2 is able to compute the distance and the percentage of similarity between two files with the -s option:

$ radiff2 -s /bin/true /bin/false
similarity: 0.97  
distance: 743  

If you want more concrete data, it's also possible to count the differences, with the -c option:

$ radiff2 -c genuine cracked
2  

If you're unsure about the fact that you're dealing with similar binaries, you can check if some functions are matching with the -C option. The columns being: "First file offset", "Percentage of matching" and "Second file offset".

$ radiff2 -C /bin/false /bin/true 
                   entry0  0x4013e8 |   MATCH  (0.904762) | 0x4013e2  entry0
sym.imp.__libc_start_main  0x401190 |   MATCH  (1.000000) | 0x401190  sym.imp.__libc_start_main  
             fcn.00401196  0x401196 |   MATCH  (1.000000) | 0x401196  fcn.00401196
             fcn.0040103c  0x40103c |   MATCH  (1.000000) | 0x40103c  fcn.0040103c
             fcn.00401046  0x401046 |   MATCH  (1.000000) | 0x401046  fcn.00401046
             [...]

And now the cool feature : radare2 supports graph-diffing, à la DarunGrim, with the -g option. You can either give a symbol name, of specify two offsets in case the function you want to diff doesn't have the same name in both file.

For example, radiff2 -g main /bin/true /bin/false | xdot - will show the differences between the main function of true and false. You can compare it to radiff2 -g main /bin/false /bin/true (Notice the order of the arguments) to get the two versions.

This is the result:
/bin/true and /bin/false graph diff

The parts in yellow are indicating that some offsets are not matching, the grey one is a perfect match, while the red one highlight a strong difference. If you look closely, you'll see that the left one is mov edi, 0x1; call sym.imp.exit, while the right one is xor edi, edi; call sym.imp.exit.

Binary diffing is an important feature for reverse engineering. It can be used to analyze security updates, infected binaries, firmware changes and more..

We have only shown the code analysis diffing functionality, but radare2 supports more sort of diffing between two binaries at byte level, deltified similarities and more to come.

We have plans to implement more kinds of bindiffing functionalities into r2, and why not, add support for ascii art graph diffing and better integration with the rest of the toolkit.