Radare2
Description
- radare2 is an advanced command-line hexadecimal editor, disassembler and debugger
- r2 is the alias program name for radare2.
Installation
$ git clone git://github.com/radare/radare2
$ cd radare2
$ sudo sys/install.sh
Usage
Syntax
radare2 [-a arch] [-b bits] [-B baddr] [-c cmd] [-e k=v] [-i file] [-k kernel] [-p project] [-P patch] [-s addr] [-AdDwntLqv] file
Options
- -a arch
- force asm.arch (x86, ppc, arm, mips, bf, java, ...)
- -A
- run 'aa' command before prompt or patch to analyze all referenced code
- -b bits
- force asm.bits (16, 32, 64)
- -B baddr
- Specify the base address to be used when loading a new binary. See 'e?bin.baddr'
- -c cmd
- Execute the given command before giving prompt
- -d
- Start in debugger mode
- -D dbg.backend
- Enable debug mode. Set cfg.debug=true
- -e k=v
- Set configuration eval variable key=value. For example -e scr.color=false
- -f
- Blocksize = file size
- -i file
- Run script file
- -k kernel
- Select kernel (asm.os) for syscall resolution
- -l plugfile
- Load given plugin file
- -L
- List supported IO plugins.
- -n
- Do not load user settings/projects from ~/.radare2rc and ~/.config/radare2/.
- -N
- Do not perform any analysis (r_bin). Just load the raw file.
- -q
- Quiet mode (no prompt)
- -p prj
- Set project file
- -P file
- Apply rapatch file and quit
- -s addr
- Start seeking at this address
- -t
- Get binary information using a thread
- -v
- Show version information and exit
- -w
- Open in write mode
- -h
- Show help message
- -H
- Show files and environment help
Commands
Analyze
- aa
- analyze all symbols and entry points in the executable.
[0x00400a30]> aa
Invalid address from 0x0048449c
Invalid address from 0x0044f0b6
[x] Analyze all flags starting with sym. and entry0 (aa)
List all functions
- afl
- list all functions in the executable
- Use grep to filter
[0x00400a30]> afl | grep main
0x00400e10  114 1657           sym.__libc_start_main
0x0048fb30   16 247  -> 237    sym._nl_unload_domain
0x00403b10  308 5366 -> 5301   sym._nl_load_domain
0x00470520    1 49             sym._IO_switch_to_main_wget_area
0x00403870   39 672  -> 640    sym._nl_find_domain
0x00400b4d    1 68             main
0x0048fae0    7 73   -> 69     sym._nl_finddomain_subfreeres
0x0044cf00    1 8              sym._dl_get_dl_main_map
0x00415fe0    1 43             sym._IO_switch_to_main_get_area
Disassemble
- pdf @main
- disassemble main function
[0x00400a30]> pdf @main
            ; DATA XREF from entry0 @ 0x400a4d
┌ 68: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_ch @ rbp-0xc
│           ; var int64_t var_8h @ rbp-0x8
│           ; var int64_t var_4h @ rbp-0x4
│           0x00400b4d      55             push rbp
│           0x00400b4e      4889e5         mov rbp, rsp
│           0x00400b51      4883ec10       sub rsp, 0x10
│           0x00400b55      c745f4040000.  mov dword [var_ch], 4
│           0x00400b5c      c745f8050000.  mov dword [var_8h], 5
│           0x00400b63      8b55f4         mov edx, dword [var_ch]
│           0x00400b66      8b45f8         mov eax, dword [var_8h]
│           0x00400b69      01d0           add eax, edx
│           0x00400b6b      8945fc         mov dword [var_4h], eax
│           0x00400b6e      8b4dfc         mov ecx, dword [var_4h]
│           0x00400b71      8b55f8         mov edx, dword [var_8h]
│           0x00400b74      8b45f4         mov eax, dword [var_ch]
│           0x00400b77      89c6           mov esi, eax
│           0x00400b79      488d3d881409.  lea rdi, str.the_value_of_a_is__d__the_value_of_b_is__d_and_the_value_of_c_is__d ; 0x492008 ; "the value of a is %d, the value of b is %d and the value of c is %d"
│           0x00400b80      b800000000     mov eax, 0
│           0x00400b85      e8f6ea0000     call sym.__printf
│           0x00400b8a      b800000000     mov eax, 0
│           0x00400b8f      c9             leave
└           0x00400b90      c3             ret
Breakpoints
- db addr
- set breakpoint at addr
[0x00400a30]> db 0x00400b55
[0x00400a30]> pdf @main
            ; DATA XREF from entry0 @ 0x400a4d
┌ 68: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_ch @ rbp-0xc
│           ; var int64_t var_8h @ rbp-0x8
│           ; var int64_t var_4h @ rbp-0x4
│           0x00400b4d      55             push rbp
│           0x00400b4e      4889e5         mov rbp, rsp
│           0x00400b51      4883ec10       sub rsp, 0x10
│       b   0x00400b55      c745f4040000.  mov dword [var_ch], 4
│           0x00400b5c      c745f8050000.  mov dword [var_8h], 5
│           0x00400b63      8b55f4         mov edx, dword [var_ch]
│           0x00400b66      8b45f8         mov eax, dword [var_8h]
│           0x00400b69      01d0           add eax, edx
│           0x00400b6b      8945fc         mov dword [var_4h], eax
│           0x00400b6e      8b4dfc         mov ecx, dword [var_4h]
│           0x00400b71      8b55f8         mov edx, dword [var_8h]
│           0x00400b74      8b45f4         mov eax, dword [var_ch]
│           0x00400b77      89c6           mov esi, eax
│           0x00400b79      488d3d881409.  lea rdi, str.the_value_of_a_is__d__the_value_of_b_is__d_and_the_value_of_c_is__d ; 0x492008 ; "the value of a is %d, the value of b is %d and the value of c is %d"
│           0x00400b80      b800000000     mov eax, 0
│           0x00400b85      e8f6ea0000     call sym.__printf
│           0x00400b8a      b800000000     mov eax, 0
│           0x00400b8f      c9             leave
└           0x00400b90      c3             ret
Run
- dc
- run the program (until next breakpoint)
Step in
- ds
- Step in
Reload
- ood
- restart the binary
Print variables
- px @ addr
- hexdump memory at addr (for example a local variable's stack slot)
[0x00400b5c]> pdf @main
            ; DATA XREF from entry0 @ 0x400a4d
            ;-- rax:
┌ 68: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_ch @ rbp-0xc
│           ; var int64_t var_8h @ rbp-0x8
│           ; var int64_t var_4h @ rbp-0x4
│           0x00400b4d      55             push rbp
│           0x00400b4e      4889e5         mov rbp, rsp
│           0x00400b51      4883ec10       sub rsp, 0x10
│       b   0x00400b55      c745f4040000.  mov dword [var_ch], 4
│           ;-- rip:
│           0x00400b5c      c745f8050000.  mov dword [var_8h], 5
│           0x00400b63      8b55f4         mov edx, dword [var_ch]
│           0x00400b66      8b45f8         mov eax, dword [var_8h]
│           0x00400b69      01d0           add eax, edx
│           0x00400b6b      8945fc         mov dword [var_4h], eax
│           0x00400b6e      8b4dfc         mov ecx, dword [var_4h]
│           0x00400b71      8b55f8         mov edx, dword [var_8h]
│           0x00400b74      8b45f4         mov eax, dword [var_ch]
│           0x00400b77      89c6           mov esi, eax
│           0x00400b79      488d3d881409.  lea rdi, str.the_value_of_a_is__d__the_value_of_b_is__d_and_the_value_of_c_is__d ; 0x492008 ; "the value of a is %d, the value of b is %d and the value of c is %d"
│           0x00400b80      b800000000     mov eax, 0
│           0x00400b85      e8f6ea0000     call sym.__printf
│           0x00400b8a      b800000000     mov eax, 0
│           0x00400b8f      c9             leave
└           0x00400b90      c3             ret
[0x00400b5c]> px @ rbp-0xc
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x7fff9015faa4 0400 0000 1890 6b00 0000 0000 7018 4000 ......k.....p.@.
0x7fff9015fab4 0000 0000 1911 4000 0000 0000 0000 0000 ......@.........
0x7fff9015fac4 0000 0000 0000 0000 0100 0000 d8fb 1590 ................
0x7fff9015fad4 ff7f 0000 4d0b 4000 0000 0000 0000 0000 ....M.@.........
0x7fff9015fae4 0000 0000 0600 0000 3c00 0000 3000 0000 ........<...0...
0x7fff9015faf4 0300 0000 0000 0000 0000 0000 0000 0000 ................
0x7fff9015fb04 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x7fff9015fb14 0000 0000 0000 0000 0000 0000 0004 4000 ..............@.
0x7fff9015fb24 0000 0000 b6d2 649d 09a6 d6a5 1019 4000 ......d.......@.
0x7fff9015fb34 0000 0000 0000 0000 0000 0000 1890 6b00 ..............k.
0x7fff9015fb44 0000 0000 0000 0000 0000 0000 b6d2 0458 ...............X
0x7fff9015fb54 a286 295a b6d2 108c 09a6 d6a5 0000 0000 ..)Z............
0x7fff9015fb64 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x7fff9015fb74 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x7fff9015fb84 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x7fff9015fb94 0000 0000 0000 0000 0000 0000 0000 0000 ................
Print registers
- dr
- print registers
[0x00400b6e]> dr
rax = 0x00000009
rbx = 0x00400400
rcx = 0x0044ba90
rdx = 0x00000004
r8 = 0x00000000
r9 = 0x00000007
r10 = 0x00000002
r11 = 0x00000001
r12 = 0x00401910
r13 = 0x00000000
r14 = 0x006b9018
r15 = 0x00000000
rsi = 0x7fff9015fbd8
rdi = 0x00000001
rsp = 0x7fff9015faa0
rbp = 0x7fff9015fab0
rip = 0x00400b6e
rflags = 0x00000206
orax = 0xffffffffffffffff
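Added example (not radare2 project code and not from the original page): a small Python parser for the `px @ rbp-0xc` dump above that decodes main's frame at the offsets the `pdf @main` listing annotates, using the rbp value from the `dr` output. It shows that while rip sits at 0x00400b5c, var_ch already holds 4 but var_8h still contains stack garbage, and that the saved rbp and return address sit just above the locals.

```python
import re
import struct

# Constructed sample: the first four lines of this page's `px @ rbp-0xc` dump,
# captured while rip = 0x00400b5c (so `mov dword [var_8h], 5` has not run yet).
PX_DUMP = """\
0x7fff9015faa4 0400 0000 1890 6b00 0000 0000 7018 4000 ......k.....p.@.
0x7fff9015fab4 0000 0000 1911 4000 0000 0000 0000 0000 ......@.........
0x7fff9015fac4 0000 0000 0000 0000 0100 0000 d8fb 1590 ................
0x7fff9015fad4 ff7f 0000 4d0b 4000 0000 0000 0000 0000 ....M.@.........
"""

RBP = 0x7FFF9015FAB0  # frame pointer, taken from the `dr` output above

# address, then eight 16-bit hex groups; the ASCII column is ignored
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{4}\s+){8})")

def parse_px(dump):
    """Turn radare2 `px` output into an {address: byte} map."""
    mem = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the '- offset -' header and blank lines
        base = int(m.group(1), 16)
        raw = bytes.fromhex("".join(m.group(2).split()))
        for i, b in enumerate(raw):
            mem[base + i] = b
    return mem

def read(mem, addr, size):
    """Read `size` contiguous bytes; KeyError if the dump does not cover them."""
    return bytes(mem[addr + i] for i in range(size))

def frame_locals(mem, rbp):
    """Decode main's frame exactly as the `pdf @main` listing lays it out."""
    def u32(addr):
        return struct.unpack("<I", read(mem, addr, 4))[0]
    def u64(addr):
        return struct.unpack("<Q", read(mem, addr, 8))[0]
    return {
        "var_ch": u32(rbp - 0xC),  # a, already written by 0x00400b55
        "var_8h": u32(rbp - 0x8),  # b, still stack garbage at this rip
        "var_4h": u32(rbp - 0x4),  # c, computed later by the add
        "saved_rbp": u64(rbp),     # pushed by `push rbp`
        "ret_addr": u64(rbp + 8),  # return into sym.__libc_start_main
    }
```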