Hi ! 🙂 ‘Radare2’ is a reverse engineering framework that comes with an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, comparing data, searching, replacing, and scripting in a variety of languages, including Ruby, Python, Lua, and Perl. According to the documentation of the ‘Radare2’ project, it runs on several platforms, including GNU/Linux, Windows, FreeBSD, NetBSD, and OpenBSD. (Read more : http://maijin.github.io/radare2book/index.html)
Here I will help you get familiar with the basic ‘radare2’ commands through simple examples. I am working on a Linux VM with Ubuntu 14.0.
1. Getting the source of radare2 from GitHub
Command :~$ git clone https://github.com/radare/radare2.git
Command :~$ git pull
2. Installing radare2
Execute the install.sh file in the sys folder.
Open a terminal in the “android/reverse-engineering/radare2-0.9.8/sys” folder and execute the following command.
Now “radare2” is installed on your Ubuntu environment and you can proceed with getting familiar with the commands. Radare2 has a set of simple commands, so they are easy to work with.
3. Getting familiar with commands
- Creating a new document and starting to edit it.
To create a document with name “document-1”, execute the following command.
Command :~$ radare2 -w document-1
- Resizing the file to a given size in bytes.
To resize the file to 1024 bytes, execute the following command. When you open the document in gedit, the allocated space is highlighted in red.
Command [0x00000000]> r 1024
- Write a ‘string’ to the document at the current address
To write a string to the document at the current address, just pass the string with the command ‘w’.
Command [0x00000000]> w hello
– To print the string at the current address
Command [0x00000000]> ps
- Write a ‘string’ at a given address
To write a string to a given address, append the target address to the command with ‘@’ .
Command [0x00000000]> w dear @ 0x00000008
– To print the string at a given address
Command [0x00000000]> ps@0x00000008
- Seeking to another address
– To seek to another address, give the address to the command ‘s’.
Command [0x00000000]> s 0x00000008
– To print the content as user-friendly hexadecimal
Command [0x00000000]> px
- Disassemble code
– To disassemble code
Command [0x00000000]> pd
– To disassemble a given number of opcodes.
Command [0x00000000]> pd 5
- Copy/Paste strings
– To copy content to the clipboard, use the yank command with the number of bytes to copy.
Command [0x00000000]> y 16
– To print the content copied to the clipboard.
Command [0x00000000]> yp
– To paste the clipboard content at a given address. Use the ‘px’ command to see the changes in the file.
Command [0x00000000]> yy 0x00000016
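As an added example that is not part of this tutorial, the following Python script replays the whole editing session above in one non-interactive radare2 run (its -q, -w and -c flags) and compares the resulting file against a pure-Python model of what each command does to the bytes; the model alone shows what ‘w ... @’, ‘s’, ‘y’ and ‘yy’ leave in the file if radare2 is not installed.

```python
import os
import shutil
import subprocess
import tempfile

# The tutorial's commands, in order, joined into one radare2 batch session.
R2_SESSION = "r 1024; w hello; w dear @ 0x8; s 0x8; y 16; yy 0x16"


def model_session(size=1024):
    """Pure-Python model of the bytes the session above produces."""
    buf = bytearray(size)                    # r 1024: grow the file, zero-filled
    buf[0:5] = b"hello"                      # w hello: written at current address 0
    buf[8:12] = b"dear"                      # w dear @ 0x8: '@' is a temporary seek
    seek = 0x8                               # s 0x8: move the current address
    clipboard = bytes(buf[seek:seek + 16])   # y 16: yank 16 bytes from the seek
    buf[0x16:0x16 + 16] = clipboard          # yy 0x16: paste the clipboard there
    return bytes(buf)


def run_with_radare2(path):
    """Run the same session in radare2; returns None when r2 is not on PATH."""
    r2 = shutil.which("r2") or shutil.which("radare2")
    if r2 is None:
        return None
    open(path, "ab").close()  # create the document before opening it in write mode
    subprocess.run([r2, "-q", "-w", "-c", R2_SESSION, path], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    expected = model_session()
    with tempfile.TemporaryDirectory() as d:
        actual = run_with_radare2(os.path.join(d, "document-1"))
    if actual is None:
        print("radare2 not found; showing the model only")
        print(expected[:0x30].hex(" "))
    else:
        print("radare2 output matches the model:", actual == expected)
```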
Now let's see how it looks when an Android classes.dex file is opened with ‘radare2’ for analysis.
In the context of reverse engineering you will get an Android ‘apk’ file for analysis. So first you need to extract the apk file. The extracted apk will contain the following files.
Command :-$ radare2 -a dalvik classes.dex