Logo 逆向知识库

intro

Radare2#

Command line options#

-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
-i [file]: Interprets a r2 script
-A: Analyze executable at load time (xrefs, etc)
-n: Bare load. Do not load executable info as the entrypoint
-c 'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
-p [prj]: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed)
    Similar to r2 malloc://512

Configuration properties#

They can be used in evaluations:? ${asm.tabs}

e: Returns configuration properties
e <property>: Checks a specific property:
    e asm.tabs => false
e <property>=<value>: Change property value
    e asm.arch=ppc
e? help about a configuration property
    e? cmd.stack

You will want to set your favourite options in ~/.radare2rc since every line there will be interpreted at the beginning of each session. Mine for reference:

# Show comments at right of disassembly if they fit in screen
e asm.cmt.right=true

# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true

# Solarized theme
eco solarized

# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true

There is an easier interface accessible from the Visual mode, just typing Ve

Basic Commands#

Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe]

  • ; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
  • | Pipe with shell commands: pd | less
  • ! Run shell commands: !cat /etc/passwd
  • !! Escapes to shell, run command and pass output to radare buffer
  • Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this command to launch it directly to the shell. A single one will walk through the io plugin list.
  • ` Radare commands: wx `!ragg2 -i exec`
  • ~ grep
  • ~! grep -v
  • ~[n] grep by columns afl~[0]
  • ~:n grep by rows afl~:0
    pi~mov,eax  		  ; lines with mov or eax
    pi~mov&eax  		  ; lines with mov and eax
    pi~mov,eax:6  		  ; 6 first lines with mov or eax
    pd 20~call[0]:0       ; grep first column of the first row matching 'call'
  • .cmd Interprets command output
is* prints symbols
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
  • .. repeats last commands (same as enter \n)
  • ( Used to define and run macros
  • $ Used to define alias
  • $$: Resolves to current address
  • Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
  • ? Evaluate expression
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000

Note: | and & need to be escaped
  • ?$? Help for variables used in expressions
  • $$: Here
  • $s: File size
  • $b: Block size
  • $l: Opcode length
  • $j: When $$ is at a jmp, $j is the address where we are going to jump to
  • $f: Same for jmp fail address
  • $m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
  • ??? Help for ? command
  • ?i Takes input from stdin. Eg ?i username
  • ?? Result from previous operations
  • ?s from to [step]: Generates sequence from to every
  • ?p: Get physical address for given virtual address
  • ?P: Get virtual address for given physical one
  • ?v Show hex value of math expr
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140  = 0xa
  • ?l str: Returns the length of string
  • @@: Used for iterations
wx ff @@10 20 30      Writes ff at offsets 10, 20 and 30
wx ff @@`?s  1 10 2`  Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.*        Writes a nop on every symbol

Positioning#

s address: Move cursor to address or symbol
    s-5 (5 bytes backwards)
    s- undo seek
    s+ redo seek

Block size#

The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20)

b size: Change block size

JSON Output#

Most of commands such as (i)nfo and (p)rint commands accept a j to print their output in json

[0x100000d78]> ij
{"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}

Analyze#

aa: Analyze all (fcns + bbs) same that running r2 with -A
ahl <length> <range>: fake opcode length for a range of bytes
ad: Analyze data
    ad@rsp (analyze the stack)

Function analysis (normal mode)

af: Analyze functions
afl: List all functions
    number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
    afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
    af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)

Function analysis (visual mode)

d, f: Function analysis
d, u: Remove metadata generated by function analysis

Opcode analysis:

ao x: Analyze x opcodes from current offset
a8 bytes: Analyze the instruction represented by specified bytes

Information#

iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
    iS~w returns writable sections
is: Symbols
    is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint

Mitigations:

i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries

Get function address in GOT table: pd 1 @ sym.imp<funct> Returns a jmp [addr] where addr is the address of function in the GOT. Similar to objdump -R | grep <func>

Print#

psz n @ offset: Print n zero terminated String
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n words
    pxw size@offset  prints hexadecimal words at address
pd n @ offset: Print n opcodes disassembled
pD n @ offset: Print n bytes disassembled
pi n @ offset: Print n instructions disassembled (no address, XREFs, etc. just instructions)
pdf @ offset: Print disassembled function
    pdf~XREF (grep: XREFs)
    pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
    pcp 0x20@0x8048550
    import struct
    buf = struct.pack ("32B",
    0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
    0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
    0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph

Write#

wx: Write hex values in current offset
    wx 123456
    wx ff @ 4
wa: Write assembly
    wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
    wow 11223344 @102!10
        write looped value from 102 to 102+10
        0x00000066  1122 3344 1122 3344 1122 0000 0000 0000
    wox 0x90
        XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
    wox 67 @4!10
        XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
    Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
wopO 41424344 : get the index in the De Bruijn Pattern of the given word

Flags#

Flags are labels for offsets. They can be grouped in namespaces as sym for symbols ...

f: List flags
f label @ offset: Define a flag `label` at offset
    f str.pass_len @ 0x804999c
f-label: Removes flag
fr: Rename flag
fd: Returns position from nearest flag (looking backwards). Eg => entry+21
fs: Show all flag spaces
fs flagspace: Change to the specified flag space

yank & paste#

y n: Copies n bytes from current position
y: Shows yank buffer content with address and length where each entry was copied from
yp: Prints yank buffer
yy offset: Paste the contents of the yank buffer at the specified offset
yt n target @ source: Yank to. Copy n bytes from source to target address

Visual Mode:#

V enters visual mode

q: Exits visual mode
hjkl: move around (or HJKL) (left-down-up-right)
o: go/seek to given offset
?: Help
.: Seek EIP
<enter>: Follow address of the current jump/call
:cmd: Enter radare commands. Eg: x @ esi
d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
    dr: Rename a function
    df: Define a function
v: Get into the visual code analysis menu to edit/look closely at the current function.
p/P: Rotate print (visualization) modes
    hex, the hexadecimal view
    disasm, the disassembly listing
        Use numbers in [] to follow jump
        Use "u" to go back
    debug, the debugger
    words, the word-hexidecimal view
    buf, the C-formatted buffer
    annotated, the annotated hexdump.
c: Changes to cursor mode or exits the cursor mode
    select: Shift+[hjkl]
    i: Insert mode
    a: assembly inline
    A: Assembly in visual mode
    y: Copy
    Y: Paste
    f: Creates a flag where cursor points to
    <tab> in the hexdump view to toggle between hex and strings columns
V: View ascii-art basic block graph of current function
W: WebUI
x, X: XREFs to current function. ("u" to go back)
t: track flags (browse symbols, functions..)
gG: Begin or end of file
HUD
    _ Show HUD
    backspace: Exits HUD
    We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmt: Add/remove comment
m<char>: Define a bookmark
'<char>: Go to previously defined bookmark

ROP#

/R opcodes: Search opcodes
    /R pop,pop,ret
/Rl opcodes: Search opcodes and print them in linear way
    /Rl jmp eax,call ebx
/a: Search assembly
    /a jmp eax
pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassembling byte per byte instead of obeying to opcode length

Search depth can be configure with following properties:

e search.roplen = 4  (change the depth of the search, to speed-up the hunt)

Searching#

/ bytes: Search bytes
    \x7fELF

Example: Searching function preludes:

push ebp
mov ebp, esp

Opcodes: 5589e5

/x 5589e5
    [# ]hits: 54c0f4 < 0x0804c600  hits = 1
    0x08049f70 hit0_0 5589e557565383e4f081ec
    0x0804c31a hit0_1 5589e583ec18c704246031
    0x0804c353 hit0_2 5589e583ec1889442404c7
    0x0804c379 hit0_3 5589e583ec08e87cffffff
    0x0804c3a2 hit0_4 5589e583ec18c70424302d

pi 5 @@hit* (Print 5 first instructions of every hit)

Its possible to run a command for each hit. Use the cmd.hit property:

e cmd.hit=px

Comments and defines#

Cd [size]: Define as data
C- [size]: Define as code
Cs [size]: Define as String
Cf [size]: Define as struct
    We can define structures to be shown in the disassembly
CC: List all comments or add a new comment in console mode
    C* Show all comments/metadata
    CC <comment> add new comment
    CC- remove comment

Magic files#

pm: Print Magic files analysis
    [0x00000000]> pm
    0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1

Search for magic numbers

/m [magicfile]: Search magic number headers with libmagic

Search can be controlled with following properties:

search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in

Yara#

Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.

:yara scan

Zignatures#

Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries.

zg <language> <output file>: Generate signatures
    eg: zg go go.z
Run the generated script to load signatures
    eg: . go.z
z: To show signatures loaded:

Zignatures are applied as comments:

r2-(pid2)> pd 35 @ 0x08049adb-10
|          0x08049adb   call fcn.0805b030
|             fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
|          0x08049ae0   add esp, 0xc
|          0x08049ae3   call fcn.08095580

Compare files#

r2 -m 0xf0000 /etc/fstab	; Open source file
o /etc/issue  				; Open file2 at offset 0
o  							; List both files
cc offset: Diff by columns between current offset address and "offset"

Graphs#

Basic block graphs

af: Load function metadata
ag $$ > a.dot: Dump basic block graph to file
ag $$ | xdot -: Show current function basic block graph

Call graphs

af: Load function metadata
agc $$ > b.dot: Dump basic block graph to file

Convert .dot in .png

dot -Tpng -o /tmp/b.png b.dot

Generate graph for file:

radiff2 -g main crackme.bin crackme.bin > /tmp/a
xdot /tmp/a

Debugger#

Start r2 in debugger mode. r2 will fork and attach

r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")

ptrace://pid (debug backend does not notice, only access to mapped memory)

To pass arguments:

r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)

To pass stdin:

r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)

Commands

do: Reopen program
dp: Shows debugged process, child processes and threads
dc: Continue
dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
ds: Step in
dso: Step out
dss: Skip instruction
dr register=value: Change register value
dr(=)?: Show register values
db address: Sets a breakpoint at address
    db sym.main add breakpoint into sym.main
    db 0x804800 add breakpoint
    db -0x804800 remove breakpoint
dsi (conditional step): Eg: "dsi eax==3,ecx>0"
dbt: Shows backtrace
drr: Display in colors and words all the refs from registers or memory
dm: Shows memory map (* indicates current section)
    [0xb776c110]> dm
    sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
    sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
    sys 0xb776a000 - 0xb776b000 s r-x [vdso]
    sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
    sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
    sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]

To follow child processes in forks (set-follow-fork-mode in gdb)

dcf until a fork happen
then use dp to select what process you want to debug.

PEDA like details: drr;pd 10@-10;pxr 40@esp

Debug in visual mode

toggle breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9

WebGUI (Enyo)#

=h: Start the server
=H: Start server and browser

Radare2 suite commands#

All suite commands include a -r flag to generate instructions for r2

rax2 - Base conversion#

-e: Change endian
-K: random ASCII art to represent a number/hash. Similar to how SSH represents keys
-s: hexstr -> raw
-S: raw -> hexstr

rahash2 - Entropy, hashes and checksums#

-a: Specify the algorithm
-b XXX: Block size
-B: Print all blocks
-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)

radiff2 - File diffing#

-s: Calculate text distance from two files.
-d: Delta diffing (For files with different sizes. Its not byte per byte)
-C: Code diffing (instead of data)

Examples:

Diff original and patched on x86_32, using graphdiff algorithm
    radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
    radiff2 -a x86 -b32 original patched :

rasm2 - Assembly/Disassembly#

-L: Supported architectures
-a arch instruction: Sets architecture
    rasm2 -a x86 'mov eax,30' => b81e000000
-b tam: Sets block size
-d: Disassembly
    rasm2 -d b81e000000 => mov eax, 0x1e
-C: Assembly in C output
    rasm2 -C 'mov eax,30' => "\xb8\x1e\x00\x00\x00"
-D:	Disassemble showing hexpair and opcode
    rasm2 -D b81e0000 => 0x00000000   5               b81e000000  mov eax, 0x1e
-f: Read data from file instead of ARG.
-O filename: Write data to file

rafind2 - Search#

-Z: Look for Zero terminated strings
-s str: Look for specific string

ragg2 - Shellcode generator, C/opcode compiler#

-P: Generate De Bruijn patterns
    ragg2 -P 300 -r
-a arch: Configure architecture
-b bits: Specify architecture bits (32/64)
-i shellcode: Specify shellcode to generate
-e encoder: Specify encoder

Example:

Generate a x86, 32 bits exec shellcode
    ragg2 -a x86 -b 32 -i exec

rabin2 - Executable analysis: symbols, imports, strings ...#

-I: Executable information
-c: Returns classes. Useful to list Java Classes
-l: Dynamic linked libraries
-s: Symbols
-z: Strings

rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds#

Examples:

r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin