Radare2
Original author(s) | Sergi Alvarez (pancake) |
---|---|
Developer(s) | pancake and the core contributors |
Stable release | 1.5.0[1] / May 29, 2017 |
Repository | github |
Development status | Active |
Written in | C[2] |
Operating system | Microsoft Windows, Mac OS X, Linux, BSD, Haiku, Android, iPhone OS, Solaris, MeeGo |
Available in | English |
Type | Disassembler |
License | LGPL |
Website | radare |
Radare2 (also known as r2) is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler, which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.
History
It was created in February 2006,[3] aiming to provide a free and simple command-line hexadecimal editor supporting 64-bit offsets, in order to search for and recover data from hard disks for forensic purposes. Since then the project has grown, and its aim has shifted to providing a complete framework for analyzing binaries while adhering to several principles of the Unix philosophy.[4]
In 2009, the decision was made to completely rewrite it in order to get around limitations in the initial design. Since then the project has continued to grow[5] and has attracted several resident developers.
In 2016, the first r2con took place in Barcelona,[6][7] gathering more than 100 participants and featuring talks about various features and improvements of the framework.
In recent years, radare2 has been presented at several high-profile security conferences, including REcon,[8] Hack.lu[9] and 33c3.[3]
Features and usage
Since it doesn't have a GUI, it has a steep learning curve. Originally built around a hexadecimal editor, it now has a multitude of tools and features, as well as bindings for several languages.[10]
Static analysis
Radare2 is able to assemble and disassemble code for many architectures, but it can also perform binary diffing with graphs,[11] and extract information such as relocations, symbols and various other types of data. Internally, it uses a NoSQL database named sdb to keep track of analysis information that is either inferred by radare2 or added manually by the user. Since it is able to deal with malformed binaries, it has also been used by software security researchers for analysis purposes.[12][13][14]
Dynamic analysis
Radare2 has a built-in debugger that is lower-level than the classic GDB. However, it can also interface with the GNU debugger, or even with WineDBG[15] to debug Windows binaries on other systems. It is even possible to use it as a kernel debugger with VMware. There is also support for the WinDbg protocol.
Software exploitation
Since it features a disassembler and a low-level debugger, radare2 can be useful to developers of exploits. The software has features which assist in exploit development, such as a ROP gadget search engine and mitigation detection. Because of the software's flexibility and support for many file formats, it is often used by capture-the-flag teams[16][17] and other security-oriented personnel.[18] Radare2 can also assist in creating shellcode with its 'ragg2' tool, similar to Metasploit.
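As an added illustration of the mitigation-detection side of this (not code from the article or from the radare2 project), the following Python parses the key/value report that `rabin2 -I` prints for a binary and lists which hardening features are missing, the way a defender would check a build before shipping it. The sample report is constructed, and `MITIGATION_CHECKS`, `parse_rabin2_info`, `missing_mitigations` and `audit_binary` are names chosen for this example.

```python
import shutil
import subprocess

# Constructed sample of the key/value report `rabin2 -I` prints for an ELF
# binary; the layout follows the tool, the values are made up for this example.
SAMPLE_REPORT = """\
arch     x86
bintype  elf
bits     64
canary   false
nx       true
pic      false
relro    partial
stripped true
"""


def parse_rabin2_info(report: str) -> dict:
    """Turn `rabin2 -I` output (one `key<spaces>value` per line) into a dict."""
    info = {}
    for line in report.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            info[parts[0]] = parts[1].strip()
    return info


# Hypothetical checklist for this example: (rabin2 key, is-hardened predicate,
# finding to report when the predicate fails or the key is absent).
MITIGATION_CHECKS = [
    ("canary", lambda v: v == "true", "no stack canary"),
    ("nx", lambda v: v == "true", "NX disabled (executable stack/heap)"),
    ("pic", lambda v: v == "true", "not position-independent (no ASLR for the image)"),
    ("relro", lambda v: v == "full", "GOT writable (RELRO not full)"),
]


def missing_mitigations(info: dict) -> list:
    """Return the findings whose mitigation is absent or only partial."""
    return [finding for key, hardened, finding in MITIGATION_CHECKS
            if not hardened(info.get(key, ""))]


def audit_binary(path: str) -> list:
    """Run `rabin2 -I` on a real file (needs radare2 installed) and audit it."""
    if shutil.which("rabin2") is None:
        raise RuntimeError("rabin2 not found: install radare2 to audit real files")
    out = subprocess.run(["rabin2", "-I", path], capture_output=True,
                         text=True, check=True).stdout
    return missing_mitigations(parse_rabin2_info(out))
```

Calling `missing_mitigations(parse_rabin2_info(SAMPLE_REPORT))` on the constructed report flags the missing canary, the non-PIE image and the partial RELRO, while `audit_binary` applies the same checks to a real file when radare2 is installed.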
Supported architectures/formats
- Recognized file formats
  - COFF and derivatives, including Win32/64/generic PE
  - ELF and derivatives
  - Mach-O (Mach) and derivatives
  - Game Boy and Game Boy Advance cartridges
  - MZ (MS-DOS)
  - Java class
  - dyld cache dump[19]
  - Dex (Dalvik EXecutable)
  - Xbox xbe format[20]
  - Plan9 binaries
  - WinRAR virtual machine[21]
  - File systems such as the ext family, ReiserFS, HFS+, NTFS, FAT, ...
  - DWARF and PDB file formats for storing additional debug information
  - Raw binary
- Instruction sets
  - Intel x86 family
  - ARM architecture
  - Atmel AVR series
  - Brainfuck
  - Motorola 68k and H8
  - Ricoh 5A22
  - MOS 6502
  - Smartcard PSOS Virtual Machine
  - Java virtual machine
  - MIPS: mipsb/mipsl/mipsr/mipsrl/r5900b/r5900l
  - PowerPC
  - SPARC family
  - TMS320Cxxx series
  - Argonaut RISC Core
  - Intel 8051 series: 8051/80251b/80251s/80930b/80930s
  - Zilog Z80
  - CR16
  - Cambridge Silicon Radio (CSR)
  - AndroidVM Dalvik
  - DCPU-16
  - EFI bytecode
  - Game Boy (Z80-like)
  - Java bytecode
  - Malbolge
  - MSIL/CIL
  - Nios II
  - SuperH
  - SPC700
  - SystemZ
  - TMS320
  - V850
  - Whitespace
  - XCore
References
- Official website
- Git repository
- "Radare demystified". media.ccc.de. CCC. 2016-12-29. Retrieved 2016-12-29.
- "I have written more than 300.000 code lines for Radare". www.cigtr.info. Retrieved 2017-01-21.
- CCC, radare demystified, retrieved 2017-01-21
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/events/2016/september/r2con-2016/". www.nccgroup.trust. Retrieved 2017-01-21.
- Bakken, Sam (2016-08-09). "The hacker behind open-source, reverse-engineering tool Radare...". NowSecure. Retrieved 2017-01-21.
- "Recon 2015 Schedule". recon.cx. Retrieved 2017-01-21.
- "Talks at Hack.lu 2015". Hack.lu 2015. Retrieved 2017-01-21.
- Git repository for radare2's bindings
- "Binary Diffing" visual en Linux con Radare2
- AlienVault - OSX/Leverage.a Analysis
- Craig Heffner - Finding and Reversing Backdoors in Consumer Firmware
- PHDays IV, May 21, 2014, 'Anton Kochkov', Application of radare2 illustrated by Shylock/Caphaw.D and Snakso.A analysis
- Gmane archive about WinDBG support in radare2
- Dragon Sector
- LSE
- Phrack - manual binary mangling with radare
- Dydl cache - iphonedevwiki.net
- .XBE File Format 1.1
- Tavis Ormandy - Fun with Constrained Programming
Further reading
- maijin (2016). The radare2 book. Retrieved 20 March 2016.
- monosource (2016). Radare2 Explorations. Retrieved 19 January 2017.
- pancake (2008). The original radare book (PDF). p. 152.