radare2

All posts tagged radare2

Reverse Engineering: 1. Getting familiar with “Radare2”

Posted by Kulani Mahadewa on April 23, 2015
Posted in: Reverse Engineering. Tagged: , , , , , . 1 Comment

Hi ! 🙂 ‘Radare2’ is a reverse  engineering framework which comes with an advanced command line interface which allows moving around the file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, and scripting with a variety of languages, including Ruby, Python, Lua, and Perl. According to the documentation of ‘Radare2’  project, it supports on several platforms including GNU/Linux, Windows, FreeBSD, NetBSD, and OpenBSD etc.  (Read more : http://maijin.github.io/radare2book/index.html)

Here I will be helping you to get familiar with the basic  ‘radare2’ commands with simple examples. I am working on a LinuxVM with Ubuntu 14.0.

1. Getting source of radare2 from Github

Command :~$ git clone https://github.com/radare/radare2.git
Command :~$ git pull

Installing radare2

2. Installing radare2

Executing the install.sh file at sys folder.

Open the terminal at “android/reverse-engineering/radare2-0.9.8/sys” folder and execute the following command.

radare2-0.9.8/sys:~$ sys/install.sh

2

Now “radare2” is installed on your Ubuntu environment and can proceed with getting familiar with the commands. Radare2 has a set of simple commands so it will be easy to handle with them.

3. Getting familiar with commands

  • Creating a new document and start editing the doc.

To create a document with name “document-1”, execute the following command.

Command :~$ radare2 -w document-1

3
  • Re-sizing the file given the size in bytes.

To re-size the file to 1024 bytes, execute the following command. When you open the document in gedit, the allocated space is highlighted in red.

Command [0x00000000]> r 1024

4
  • Write a ‘string’ to the document at current address

To write a string to the document at the current address, just pass the string with the command ‘w’.

Command [0x00000000]> w hello

– To print the string at current address

Command [0x00000000]>  ps

7
  • Write a ‘string’ at a given address

To write a string to a given address, pass the new location address join with a ‘@ ‘ .

Command [0x00000000]> w dear @ 0x00000008

– To print the string at a given address

Command [0x00000000]>  ps@0x00000008
8
9
  • Seeking another address

– To seek into another address, give the location address with the command ‘s’.

Command [0x00000000]>  s 0x00000008

        [0x00000008]>
a

– To print the content in user-friendly hexadecimal way

Command [0x00000000]>  px

9c
  • Disassemble code

– To disassemble code

Command [0x00000000]>  pd

9a

– To disassemble code with a given no of opcodes.

Command [0x00000000]>  pd 5

9b
  • Copy/Paste strings

– To copy the content to the clipboard use yank commands given the no of bytes to be copied.

Command [0x00000000]>  y 16

– To print the content that copied to the clipboard .

Command [0x00000000]>  yp 

9d

– To paste the content at to the clipboard at a given address. Use the ‘px’ command to see the changes at file.

Command [0x00000000]>  yy 0x00000016

9e
9f

……

Now lets see how it looks like when an android  classes.dex file is open with ‘radare2’ for analyzing.

In the context of reverse engineering you will get an android ‘apk’ file fore analyzing. So first you need to extract the apk file. The extracted apk will contain following fles.

9h

Command :-$ radare2 -a dalvik classes.dex

9g
Cheers  !!! 🙂 

Advertisement