We are accepted at hack.lu, both for a talk and a workshop: three of our contributors (jvoisin, maijin and xvilka) will be in Luxembourg to spread to good word about radare2!
If you don't know radare2 yet, make sure to attend the talk, since it will explain what it is, why a tool like this is needed, and some examples about what it's possible to achieve with it: exploitation, firmwares, malwares analysis, ...
If you already know radare2 (or attended the talk) and wish to know more about it and get your hands dirty, we'll be happy to show you some black-magic at the workshop! Feel also free to send us emails or brag on irc about what you wish to see/learn during this event.
See you in there ;)
One of the main complain we get about radare2 is that it has no GUI. Maybe we'll get one someday, but for now, if you don't like the CLI, you can use the visual mode, by entering
Like with very command in r2, you can get help with the
?. Also, notice the fact that the CLI-command to get the same result it displayed on the top of your terminal.
The visual mode comes in several fashion that you can cycle with the
hex, the hexadecimal view
disasm, the disassembly listing
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
The mode can be really powerful when used during dynamic analysis, since it can display the stack, registers state and the disassembly listing in the same time. Use
. to seek to eip, and
Enter to follow address of the current jump/call.
If you're not used to radare2, you can use the HUD to quickly access your favorites commands by pressing the
_ key. Just type some letters of your command, and press enter when it gets selected. You can even add your commands by edition the hud file in your
R2HOME folder (Likely equal to
Like in IDA, you can add comments with the
; key, toggl breakpoints with
F2, single-step with
F7, step-over with
F8 and continue with
You can also change the type of the current position with the
d key, to define it as a string, data, code, a function, or simply to undefine it. For example: to rename a function just type 'dr' and then the new name. Othervise, you could hit
v to get into the visual code analysis menu to edit/look closely at the current function.
The 'c' key toggles the cursor mode, which allows to select, copy, modify, insert new strings, assembler or hexpairs depending on the current view and selected column (use
<tab> in the hexdump view to toggle between hex and strings columns).
There are some hidden pearls inside the Visual mode that allow you to configure the eval variables with the
e key, or generate an ascii-art basic-block graph of the current function with
To jump around metadata like functions or strings, you can hit the
t key, to select where you want to go. Cross-references (also known as XREF) and references are available respectively with the
X and the
Notice the fact that the main function is detected (top of the picture) as being called only once, by the
entry0 function, which is the entrypoint of the binary.
Since most of the radare2 developers are using vim, you can find most of its shortcuts in visual mode, like
hjkl to move around,
G to go to the begining or the end of the file,
i to insert, ...
And if you're lost, you can type classic r2 command with
:, or if you're really scared, exit the visual mode with
All this information and more you can get also if press
? in visual mode.
Yesterday, a new feature was pushed to radare2: offset-based function diffing. We'd like to take this opportunity to write a bit about radare2's diffing features before showing the shiny new one.
Let's take a copy of a cracked crackme as an example, and the
radiff2 will by default show what bytes changed, and the corresponding offsets.
$ radiff2 genuine cracked
0x000081e0 85c00f94c0 => 9090909090 0x000081e0
0x0007c805 85c00f84c0 => 9090909090 0x0007c805
$ rasm2 -d 85c00f94c0
test eax, eax
Notice how the two jumps are noped.
For bulk processing, you may want to have a higher-overview of the differences. This is why radare2 is able to compute the distance and the percentage of similarity between two files with the
$ radiff2 -s /bin/true /bin/false
If you want more concrete data, it's also possible to count the differences, with the
$ radiff2 -c genuine cracked
If you're unsure about the fact that you're dealing with similar binaries, you can check if some functions are matching with the
-C option. The columns being: "First file offset", "Percentage of matching" and "Second file offset".
$ radiff2 -C /bin/false /bin/true
entry0 0x4013e8 | MATCH (0.904762) | 0x4013e2 entry0
sym.imp.__libc_start_main 0x401190 | MATCH (1.000000) | 0x401190 sym.imp.__libc_start_main
fcn.00401196 0x401196 | MATCH (1.000000) | 0x401196 fcn.00401196
fcn.0040103c 0x40103c | MATCH (1.000000) | 0x40103c fcn.0040103c
fcn.00401046 0x401046 | MATCH (1.000000) | 0x401046 fcn.00401046
And now the cool feature : radare2 supports graph-diffing, à la DarunGrim, with the
-g option. You can either give a symbol name, of specify two offsets in case the function you want to diff doesn't have the same name in both file.
radiff2 -g main /bin/true /bin/false | xdot - will show the differences between the main function of
false. You can compare it to
radiff2 -g main /bin/false /bin/true (Notice the order of the arguments) to get the two versions.
This is the result:
The parts in yellow are indicating that some offsets are not matching, the grey one is a perfect match, while the red one highlight a strong difference. If you look closely, you'll see that the left one is
mov edi, 0x1; call sym.imp.exit, while the right one is
xor edi, edi; call sym.imp.exit.
Binary diffing is an important feature for reverse engineering. It can be used to analyze security updates, infected binaries, firmware changes and more..
We have only shown the code analysis diffing functionality, but radare2 supports more sort of diffing between two binaries at byte level, deltified similarities and more to come.
We have plans to implement more kinds of bindiffing functionalities into r2, and why not, add support for ascii art graph diffing and better integration with the rest of the toolkit.