
r2

General Information

rabin2 -I filename
  • Output

$ rabin2 -I megabeets_0x1
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
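As an added example (not part of the original notes), a small Python script that parses the rabin2 -I output shown above and reports which mitigations are missing, the way a checksec-style tool would. The sample text is constructed from that output and the function names are my own.

```python
"""Parse `rabin2 -I` output and report missing binary hardening."""
from typing import Dict

# Constructed sample: a subset of the `rabin2 -I megabeets_0x1` output above.
SAMPLE_OUTPUT = """\
arch     x86
baddr    0x8048000
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
nx       false
pic      false
relro    partial
stripped false
"""


def parse_rabin2_info(text: str) -> Dict[str, str]:
    """Turn `rabin2 -I` lines ('key   value') into a dict.

    Split on the first run of whitespace only so multi-word values
    (e.g. the compiler string) are kept whole.
    """
    info: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            info[parts[0]] = parts[1].strip()
    return info


def hardening_findings(info: Dict[str, str]) -> Dict[str, str]:
    """Map each weak setting to a one-line explanation of the risk.

    canary, nx, pic and relro are the rabin2 -I fields that describe
    stack protector, NX, PIE and RELRO respectively.
    """
    findings: Dict[str, str] = {}
    if info.get("canary") == "false":
        findings["canary"] = "no stack protector: stack overflows go undetected"
    if info.get("nx") == "false":
        findings["nx"] = "stack/heap are executable"
    if info.get("pic") == "false":
        findings["pic"] = "not position independent: main image is not randomised"
    if info.get("relro") != "full":
        findings["relro"] = f"relro is {info.get('relro', 'none')}: GOT stays writable"
    return findings


if __name__ == "__main__":
    for key, why in hardening_findings(parse_rabin2_info(SAMPLE_OUTPUT)).items():
        print(f"[!] {key}: {why}")
```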

Run Program with R2

Find Entrypoints

  • ie stands for info entrypoints

Help

  • If you know the general command you want to use, e.g. i for info, you can append a ?

  • This shows all the help available for commands under i.

Analysis

  • r2 does not analyze the file by default; you need to run the a (analysis) commands

  • To have r2 analyze the file, issue aa (analyse all) or aaa

  • Can also have r2 analyze the file at start up with

Flag Space

  • After analysis radare2 associates names to interesting offsets in the file such as sections, functions, symbols, strings.

  • All are called flags

  • Choose a flag space using fs flagspace and print the flags it contains with f.

  • Multiple commands can be chained with a semicolon, e.g. cmd1;cmd2;cmd3

  • The flag list shows entries such as strcmp, strcpy and puts

  • We can also list the strings flagspace

Strings

  • Let's look at the strings

  • iz - List the strings in data sections

  • izz - Search for strings in the whole binary

axt Analyse X-refs to

  • axt stands for analyse x-refs to

  • Finds data or code references to this specific address

  • @@ is a for-each iterator: it repeats a command over a list of offsets

  • str.* is a wildcard for all flags that start with str. (our strings)

  • This helps to list the function name, where they are used and the reference instruction in addition to the strings

  • Select the correct strings flagspace first (the default is 'fs *')

Seeking

  • Seek command accepts an address or math expression as an arg.

  • Expression can be math operation, flag, or memory access operations.

  • We want to seek for the main function.

  • Can find it by executing s main

  • First we want to see what else radare2 has flagged

  • afl stands for analyze functions list

Disassembling

  • Seek to the main function

  • Now disassemble it with pdf

  • pdf stands for Print Disassemble Function

  • Prompt will change to the address of main!

Make the Output Prettier

  • Settings can be added to ~/.radare2rc to make the changes permanent

Visual Mode and Graph Mode

  • Much more user-friendly

  • Pressing V brings us to the Visual Mode screen

  • Use p/P to change between the modes

  • Navigate to the disassembly view using p

  • To go back to a specific screen press q

Cross-Reference

  • Use x/X to list the references to and from (respectively) the current offset. Use the numbers to jump to a reference

radare2 Commands

  • Use :command to execute r2 commands from inside Visual Mode

Comment

  • You can add a comment using ;<comment> followed by Enter

  • Remove it using ;-

Mark Offsets

  • Use this to mark a specific offset with a key of your choice; press '<key> to select that key.

  • This will allow you to mark important addresses you want to jump to quickly

Quit

  • Press q to return to r2 shell

Visual Graphs

  • radare2 has a Graph view

  • You can enter Graph mode from the shell by running VV

  • Move up, down, right and left with h, j, k, l, and jump to a function using g followed by the key shown next to the jump call

All Credit:

https://www.megabeets.net/a-journey-into-radare-2-part-1/
