# radare2: hexadecimal editor, disassembler and debugger


Installation

# apt-get install build-essential
# git clone https://github.com/radare/radare2.git
# radare2/sys/user.sh
# radare2/sys/user.sh
# r2pm init
# r2pm -i r2dec
# r2pm -l

Analyzing

# r2 challenge
# r2 -A challenge
# r2 -A -q -c 'iI' challenge # execute iI command and exit

[Command mode]
[addr]> aaa # Analysis = aa + aar + aac + aan
[addr]> aaaa # Experimental analysis = aaa + aae + aat + aav

[addr]> pd 10 # print disassemble 10 instructions at current seek
[addr]> 3 pd 10 # 3 times, print disassemble 10 instructions at current seek
[addr]> pd 10 @ main # print disassemble 10 instructions at main
[addr]> pd @ main ! 10 # print disassemble at main, with the block size temporarily limited to 10 bytes

[addr]> b 64 # set block size to 64

[addr]> i~machine,os # grep machine or os, at info output
[addr]> drr~[0] # awk first column
[addr]> drr~:0 # grep first line
[addr]> drr~:0[0] # grep first line and awk first column

[addr]> / secret ; px @@ hit0_* # find secret string and foreach hit, print hexdump

[addr]> ? 0x7a69 # quick numeric conversion

[addr]> i? # like rabin2

[addr]> f myflag @ main+123 # set a flag at main+123

[addr]> afl # list functions
[addr]> s sym.main # seek to addr/symbol
[addr]> pdf # print disassemble function

[Visual mode]
[addr]> vV # view graph
p/P # rotate graph modes
< # global callgraph
> # function callgraph

Decompiling

# r2 -A challenge
[addr]> pdd
[addr]> pdda

Debugging

# r2 -Ad `pgrep challenge` # attach and debug pid
# r2 -Ad challenge # run and debug program
# r2 -Ad rarun2 script.rr2 # debug in a custom environment

[Command mode]
[addr]> db # list breakpoints

[addr]> ds 10 # step into 10 instructions
[addr]> dso 10 # step over 10 instructions

[addr]> dcu main # continue until main

[addr]> drr # show register references (telescoping)

[addr]> db 0x0040081d # add breakpoint
[addr]> dbc 0x0040081d drr # run command when breakpoint is hit

[addr]> dm # list memory maps
[addr]> dm= # list memory maps (ascii art)

[Visual mode]
[addr]> vpp # debug view

:<cmd> # run radare command

; # comment

b # breakpoint

o # seek to offset

p/P # rotate print modes

_ # fuzzy flag searcher

x/X # show xrefs/refs

d # define function
f # analyze function
d # define
r # rename function
fun.callme # function name

Editing

# r2 -w challenge

[Command mode]
[addr]> oo+ # Reopen the current file in read-write

[addr]> wz "See you in shell" # write the string plus a trailing \00 (NUL terminator) at current seek

[addr]> wx 0xcafe @ 0x100 # write 0xcafe at 0x100

[addr]> wb 0x010203 # write the current block cycling 0x010203 pattern

[addr]> woe 42 3 @ edi ! 32 # a = 42; for i in xrange(32): edi[i] = a; a += 3

[addr]> wox 0xcafe @ ebx ! 2 # cf = [0xca, 0xfe]; for i in xrange(2): ebx[i] ^= cf[i]

[Visual mode]
[addr]> v # hex view

c # cursor
<tab> # switch between hex and plain areas
i # insert values
<shift><hjkl> + y # select and copy
<hjkl> + Y # find position and paste

[addr]> v # hex view
a # assemble code
A # visual assembler

ESIL (Evaluable String Intermediate Language)

[addr]> vip

:> s 0x08048486
:> e asm.emu = true # Run ESIL emulation analysis on disasm
:> e asm.esil = true # Show ESIL instead of mnemonic
:> e io.cache = true # Enable cache for io changes
:> aei # initialize ESIL VM state
:> aeip # initialize ESIL pc to curseek
:> aer eax=0x1234
:> aer
:> "aecue 0x1234,eax,^" # Continue until evil expression is true
ESIL BREAK!
:> s `aer~eip[1]`
:> pd -1

Exploiting

[addr]> iI~canary,nx,pic,crypto,class,arch,bits,stripped,static

[addr]> wopD 100 @ eax # Write a De Bruijn pattern
[addr]> wopO 0x41614141 # or wopO $$ - find the offset of the value within a De Bruijn pattern
[addr]> gi exec # Compile shellcode
[addr]> wx `g` @ eax # Write the compiled shellcode at eax
[addr]> wb 0x90 @ eax+24 ! 52
[addr]> wv `/R call eax~eax:1[0]` @ eax+76 # Write value (address)
[addr]> pcp 80 @ eax # Print 80 bytes at eax as Python code

Project management

[addr]> Ps <name> # save project
[addr]> Po <name> # open project
[addr]> Pn # show project notes
[addr]> Pn - # edit project notes
