Radare2

Last updated
Radare2
Original author(s) Sergi Alvarez (pancake)
Developer(s) pancake and the community
Stable release
5.9.2 [1]   OOjs UI icon edit-ltr-progressive.svg / 20 May 2024
Repository
Written in C [2]
Operating system Linux, BSD, macOS, Microsoft Windows, Haiku, Android, iOS, Solaris
Available in English
Type Disassembler
License LGPL
Website www.radare.org/n/   OOjs UI icon edit-ltr-progressive.svg

Radare2 (also known as r2) is a complete framework for reverse-engineering and analyzing binaries; composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processor architectures and operating systems.

Contents

History

Radare2 was created in February 2006, [3] aiming to provide a free and simple command-line interface for a hexadecimal editor supporting 64 bit offsets to make searches and recovering data from hard-disks, for forensic purposes. Since then, the project has grown with the aim changed to provide a complete framework for analyzing binaries while adhering to several principles of the Unix philosophy. [4]

In 2009, the decision was made to completely rewrite it, to get around limitations in the initial design. Since then, the project continued to grow, [5] and attracted several resident developers.

In 2016, the first r2con took place in Barcelona, [6] [7] gathering more than 100 participants, featuring various talks about various features and improvements of the framework.

Radare2 has been the focus of multiple presentations at several high-profile security conferences, like the recon, [8] hack.lu, [9] 33c3. [3]

Features and usage

Radare2 has a steep learning curve since its main executable binaries are operated by command line and does not have a GUI by itself. Originally built around a hexadecimal editor, it has now a multitude of tools and features, and also bindings for several languages. [10] Meanwhile it has a WebUI [11] and the official graphical user interface project for Radare2 is called Iaito. [12]

Static analysis

Radare2 is able to assemble and disassemble a lot of software programs, mainly executables, but it can also perform binary diffing with graphs, [13] extract information like relocations symbols, and various other types of data. Internally, it uses a NoSQL database named sdb to keep track of analysis information that can be inferred by Radare2 or manually added by the user. Since it is able to deal with malformed binaries, it has also been used by software security researchers for analysis purposes. [14] [15] [16]

Dynamic analysis

Radare2 has a built-in debugger that is lower-level than GDB.[ citation needed ] It can also interface with GDB and WineDBG [17] to debug Windows binaries on other systems. In addition, it can also be used as a kernel debugger with VMWare.

Software exploitation

Since it features a disassembler and a low-level debugger, Radare2 can be useful to developers of exploits. The software has features which assist in exploit development, such as a ROP gadget search engine and mitigation detection. Because of the software's flexibility and support for many file formats, it is often used by capture the flag teams [18] [19] and other security-oriented personnel. [20] Radare2 can also assist in creating shellcodes with its 'ragg2' tool, similar to metasploit.

Graphical user interface (GUI)

Project Iaito has been developed as the first dedicated graphical user interface (GUI) for Radare2; it's been forked by Cutter as secondly developed graphical user interface (GUI) for Radare2. When the Cutter project was separated from Radare2 project at the end of 2020, [21] Iaito was re-developed to be the current official Radare2 graphical user interface (GUI) maintained by Radare2 project members. [12]

Supported architectures/formats

Related Research Articles

<span class="mw-page-title-main">GNU Debugger</span> Source-level debugger

The GNU Debugger (GDB) is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, Assembly, C, C++, D, Fortran, Haskell, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust, and partially others.

<span class="mw-page-title-main">Debugger</span> Computer program used to test and debug other programs

A debugger or debugging tool is a computer program used to test and debug other programs. The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its execution and monitor changes in computer resources that may indicate malfunctioning code. Typical debugging facilities include the ability to run or halt the target program at specific points, display the contents of memory, CPU registers or storage devices, and modify memory or register contents in order to enter selected test data that might be a cause of faulty program execution.

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool. Common uses of disassemblers include analyzing high-level programming language compilers output and their optimizations, recovering source code of a program whose original source was lost, malware analysis, modifying software, and software cracking.

Bytecode is a form of instruction set designed for efficient execution by a software interpreter. Unlike human-readable source code, bytecodes are compact numeric codes, constants, and references that encode the result of compiler parsing and performing semantic analysis of things like type, scope, and nesting depths of program objects.

<span class="mw-page-title-main">Data Display Debugger</span>

Data Display Debugger is a graphical user interface for command-line debuggers such as GDB, DBX, JDB, HP Wildebeest Debugger, XDB, the Perl debugger, the Bash debugger, the Python debugger, and the GNU Make debugger. DDD is part of the GNU Project and distributed as free software under the GNU General Public License.

A programming tool or software development tool is a computer program that software developers use to create, debug, maintain, or otherwise support other programs and applications. The term usually refers to relatively simple programs, that can be combined to accomplish a task, much as one might use multiple hands to fix a physical object. The most basic tools are a source code editor and a compiler or interpreter, which are used ubiquitously and continuously. Other tools are used more or less depending on the language, development methodology, and individual engineer, often used for a discrete task, like a debugger or profiler. Tools may be discrete programs, executed separately – often from the command line – or may be parts of a single large program, called an integrated development environment (IDE). In many cases, particularly for simpler use, simple ad hoc techniques are used instead of a tool, such as print debugging instead of using a debugger, manual timing instead of a profiler, or tracking bugs in a text file or spreadsheet instead of a bug tracking system.

<span class="mw-page-title-main">Interactive Disassembler</span> Software reverse engineering tool

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It can also be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in, which generates a high level, C source code-like representation of the analysed program, is available at extra cost.

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.

OllyDbg was an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a user friendly interface, and its functionality can be extended by third-party plugins. Version 1.10 is the final 1.x release. Version 2.0 was released in June 2010, and OllyDbg has been rewritten from the ground up in this release. Although the current version of OllyDbg cannot disassemble binaries compiled for 64-bit processors, a 64-bit version of the debugger has been promised. As of April 2022 the development of the project has been frozen and an incomplete 64-bit version can be downloaded from the website.

<span class="mw-page-title-main">Debug (command)</span> Line-oriented debug utility in DOS

The line-oriented debugger DEBUG.EXE is an external command in operating systems such as DOS, OS/2 and Windows.

<span class="mw-page-title-main">Ghidra</span> Free reverse engineering tool developed by the National Security Agency

Ghidra is a free and open source reverse engineering tool developed by the National Security Agency (NSA) of the United States. The binaries were released at RSA Conference in March 2019; the sources were published one month later on GitHub. Ghidra is seen by many security researchers as a competitor to IDA Pro. The software is written in Java using the Swing framework for the GUI. The decompiler component is written in C++, and is therefore usable in a stand-alone form.

Dalvik is a discontinued process virtual machine (VM) in the Android operating system that executes applications written for Android. Dalvik was an integral part of the Android software stack in the Android versions 4.4 "KitKat" and earlier, which were commonly used on mobile devices such as mobile phones and tablet computers, and more in some devices such as smart TVs and wearables. Dalvik is open-source software, originally written by Dan Bornstein, who named it after the fishing village of Dalvík in Eyjafjörður, Iceland.

<span class="mw-page-title-main">Nemiver</span>

Nemiver is computer software, a graphical standalone debugger for the programming languages C and C++, which integrates in the GNOME desktop environment. It currently features a backend which uses the well known GNU Debugger (GDB). The creator and the current lead developer is Dodji Seketeli.

A decompiler is a computer program that translates an executable file to high-level source code. It does therefore the opposite of a typical compiler, which translates a high-level language to a low-level language. While disassemblers translate an executable into assembly language, decompilers go a step further and translate the code into a higher level language such as C or Java, requiring more sophisticated techniques. Decompilers are usually unable to perfectly reconstruct the original source code, thus will frequently produce obfuscated code. Nonetheless, they remain an important tool in the reverse engineering of computer software.

<span class="mw-page-title-main">Qt Creator</span> QT development environment

Qt Creator is a cross-platform C++, JavaScript, Python and QML integrated development environment (IDE) which simplifies GUI application development. It is part of the SDK for the Qt GUI application development framework and uses the Qt API, which encapsulates host OS GUI function calls. It includes a visual debugger and an integrated WYSIWYG GUI layout and forms designer. The editor has features such as syntax highlighting and autocompletion. Qt Creator uses the C++ compiler from the GNU Compiler Collection on Linux. On Windows it can use MinGW or MSVC with the default install and can also use Microsoft Console Debugger when compiled from source code. Clang is also supported.

This article compares the application programming interfaces (APIs) and virtual machines (VMs) of the programming language Java and operating system Android.

<span class="mw-page-title-main">JEB decompiler</span> Reverse engineering software

JEB is a disassembler and decompiler software for Android applications and native machine code. It decompiles Dalvik bytecode to Java source code, and x86, ARM, MIPS, RISC-V machine code to C source code. The assembly and source outputs are interactive and can be refactored. Users can also write their own scripts and plugins to extend JEB functionality.

Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. Malware or malicious software is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission.

<span class="mw-page-title-main">WebAssembly</span> Cross-platform assembly language and bytecode designed for execution in web browsers

WebAssembly defines a portable binary-code format and a corresponding text format for executable programs as well as software interfaces for facilitating interactions between such programs and their host environment.

References

  1. "Release 5.9.2". 20 May 2024. Retrieved 25 May 2024.
  2. "radareorg/radare2". January 18, 2024 via GitHub.
  3. 1 2 "Radare demystified". Chaos Computer Club media site. CCC. 2016-12-29. Retrieved 2016-12-29.
  4. "I have written more than 300.000 code lines for Radare". www.cigtr.info. Archived from the original on 2018-11-03. Retrieved 2017-01-21.
  5. CCC (29 December 2016), radare demystified , retrieved 2017-01-21
  6. "r2con 2016". NCC Group . Retrieved 2017-01-21.
  7. Bakken, Sam (2016-08-09). "The hacker behind open-source, reverse-engineering tool Radare..." NowSecure. Retrieved 2017-01-21.
  8. "Recon 2015 Schedule". recon.cx. Retrieved 2017-01-21.
  9. "Talks at Hack.lu 2015". Hack.lu 2015. Retrieved 2017-01-21.
  10. "radareorg/radare2-bindings". December 12, 2023 via GitHub.
  11. "The new web interface". radare.today. Archived from the original on 2016-07-29.
  12. 1 2 "iaito". rada.re. Retrieved 14 August 2021.
  13. ""Binary Diffing" visual en Linux con Radare2".
  14. Arada, Eduardo De la (18 May 2024). "OSX/Leverage.a Analysis". cybersecurity.att.com.
  15. "None" (PDF).
  16. PHDays IV, May 21, 2014, 'Anton Kochkov', Application of radare2 illustrated by Shylock/Caphaw.D and Snakso.A analysis
  17. "Gmane archive about WinDBG support in radare2".
  18. "Plaid CTF 2014 - Tiffany writeup". Dragon Sector.
  19. "DEFCON2K12 Prequals: pwn300 writeup". LSE Blog. June 4, 2012.
  20. "manual binary mangling with radare". .:: Phrack Magazine ::.
  21. "Announcing Rizin". rizin.re. 8 December 2020. Retrieved 8 December 2020.
  22. "dyld_shared_cache - iPhone Development Wiki". iphonedev.wiki.
  23. ".XBE File Format". www.caustik.com.
  24. "Fun with Constrained Programming".

Further reading