r2

General Information

rabin2 -I filename

  • Output

$ rabin2 -I megabeets_0x1
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true

Run Program with R2

r2 ./filename

Find Entrypoints

[0x08048370]> ie
[Entrypoints]
vaddr=0x08048370 paddr=0x00000370 haddr=0x00000018 hvaddr=0x08048018 type=program 1 entrypoints

  • ie stands for info entrypoints

Help

  • If you know the general flag you want to use i.e. i for info you can append a ?

i?

  • This will show you all the help available to append to the i flag.

Analysis

  • r2 does not analyze the file by default, you need to specify the a flag

  • To have r2 analyze the file issue aa or analyse all, or aaa

[0x08048370]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.

  • Can also have r2 analyze the file at start up with

r2 -A filename

Flag Space

  • After analysis radare2 associates names to interesting offsets in the file such as sections, functions, symbols, strings.

  • All are called flags

  • Choose a flag space using fs flagspace and print the flags it contains with f.

  • Can pass multiple commands with semi colon i.e. cmd1;cmd2;cmd3

fs imports; f
[0x08048370]> fs imports; f
0x00000000 16 loc.imp.__gmon_start
0x08048320 6 sym.imp.strcmp
0x08048330 6 sym.imp.strcpy
0x08048340 6 sym.imp.puts
0x08048350 6 sym.imp.__libc_start_main

  • Can see the strcmp, strcpy, puts etc.

  • We can also list the strings flagspace

[0x08048370]> fs strings 
[0x08048370]> f
0x08048700 21 str..::_Megabeets_::.
0x08048715 23 str.Think_you_can_make_it
0x0804872c 10 str.Success
0x08048736 22 str.Nop__Wrong_argument.

Strings

  • Lets look at the strings

  • iz - List the strings in data sections

  • izz Search for strings in the whole binary

[0x08048370]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000700 0x08048700 20  21   .rodata ascii \n  .:: Megabeets ::.
1   0x00000715 0x08048715 22  23   .rodata ascii Think you can make it?
2   0x0000072c 0x0804872c 9   10   .rodata ascii Success!\n
3   0x00000736 0x08048736 21  22   .rodata ascii Nop, Wrong argument.

axt Analyse X-refs to

  • axt stands for analyse x-refs to

  • Finds data or code references to this specific address

  • @@ is like a for each iterator sign used to repeat a command over a list of offsets

  • str.* is a wildcard for all flags that start with str. (our strings)

  • This helps to list the function name, where they are used and the reference instruction in addition to the strings

  • Select the correct strings flagspace (default is 'fs *'

Seeking

  • Seek command accepts an address or math expression as an arg.

  • Expression can be math operation, flag, or memory access operations.

  • We want to seek for the main function.

  • Can find it by executing s main

  • First we want to see what else radare2 has flagged

[0x08048370]> afl
0x08048370    1 33           entry0
0x08048350    1 6            sym.imp.__libc_start_main
0x080483b0    4 43           sym.deregister_tm_clones
0x080483e0    4 53           sym.register_tm_clones
0x08048420    3 30           sym.__do_global_dtors_aux
0x08048440    4 43   -> 40   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x080483a0    1 4            sym.__x86.get_pc_thunk.bx
0x0804846b   19 282          sym.rot13
0x080486e4    1 20           sym._fini
0x08048585    1 112          sym.beet
0x08048330    1 6            sym.imp.strcpy
0x08048320    1 6            sym.imp.strcmp
0x08048680    4 93           sym.__libc_csu_init
0x080485f5    5 127          main
0x080482ec    3 35           sym._init
0x08048340    1 6            sym.imp.puts

  • afl stands for analyze functions list

Disassembling

  • Seek to the main function

s main

  • Now disassemble it with

pdf

  • Print Disassemble Function

  • Prompt will change to the address of main!

Make the Output Prettier

s sec.utf8=true 
e srrc.utf8.curvy=true

  • Can add to ~/.radare2rc to make changes permanent

Visual Mode and Graph Mode

  • Much more user-friendly

  • Press V will bring us to the Visual Mode Screen

  • Use p/P to change between the modes

  • Nav to the disassembly view using p

  • To go back to a specific screen press q

Cross-Reference

  • Use x/X to list the references to and from (respectively) the current offset. Use the numbers to jump to a reference

radare2 Commands

  • Use :command to execute r2 commands from inside Visual Mode

Comment

  • You can add a comment using ;<comment> followed by Enter

  • Remove it using ;-

Mark Offsets

m<key>

  • Use this to mark a specific offset with a key of your choice, press '<key> to choose your key.

  • This will allow you to mark important addresses you want to jump to quickly

Quit

  • Press q to return to r2 shell

Visual Graphs

  • radare2 has a Graph view

  • You can access VG move from your shell by running VV

  • Move up, down, R, L with h,j,k,l and jump to a func using g and the key shown next to the jump call

All Credit:

https://www.megabeets.net/a-journey-into-radare-2-part-1/

PreviousPowerViewNextResources

Last updated