Prologue
I was playing a lot with radare2 in the past year, ever since I began participating in CTFs and got dAnalyze alleeper into RE and exploitation challenges. I found radare2 very helpful with many CTFs tasks and my solutions had shortened significantly. It’s sometimes also my go-to tool for malware analysis tasks such as configuration retrievals. Sadly, I believe that only few people are familiar with radare2. It might be because they’re afraid to break out of their comfort zone (IDA Pro, OllyDBG, gdb) or they have simply not heard of it. Either way, I honestly believe that you must include radare2 in your toolbox.
Because I got really enthusiastic about the project and I want more and more researchers to be familiar with it, use it and hopefully contribute to the project, I decided to create a series of articles and use-cases of r2. Since these articles aim to teach you the basics of radare2, its features and capabilities, I’ll explain much more than you actually need to know in order to solve each task.

Welcome to IDA 10.0. (see radare2/doc/fortunes.fun for more fortunes)
radare2
radare2 is an open source framework for reverse engineering and binaries analysis which implements a rich command line interface for disassembling, analyzing data, patching binaries, comparing data, searching, replacing, visualizing and more. It has great scripting capabilities, it runs on all major platforms (GNU/Linux, .Windows *BSD, iOS, OSX, Solaris…) and it supports tons of architectures and file formats. But maybe above all of its features stands the ideology – radare2 is absolutely libre.
This framework is composed of a set of utilities that can be used either together from r2 shell or independently – We’ll get familiar with tools such as rahash2, rabin2, ragg2. Together they create one of the most powerful tools in the field of static and dynamic analysis, hex editing and exploitation (I’ll dive deeper in the following articles).
It is important to note that r2’s learning curve is pretty steep – although r2 have a GUI and a WebUI, none of them is quite enough to compete with the GUI or the convenience of IDA, IMHO. The CLI, however, including its Visual Mode, is still the core of radare2 and where its power lays. Because of its complexity I’ll try to make things as clear and simple as I can.

This is more or less how r2 learning curve works.
Before we begin you can check out the “Unfair comparison between r2, IDA Pro and Hopper” to get an idea of what we’re dealing with.
Finally published the first part in a series of articles: A journey into radare2.
Check it out @ https://t.co/MybNPqq2CH@radareorg #radare2— Itay Cohen (@Megabeets_Blog) March 27, 2017
Getting radare2
Installation
Radare2’s development is pretty quick – the project evolves every day, therefore it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!
|
1 2 3 |
$ git clone https://github.com/radare/radare2.git $ cd radare2 $ ./sys/install.sh |
If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc) check out the download page at the radare2 website.
Updating
As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from the git is to execute:
|
1 |
$ ./sys/install.sh |
And you’ll have the latest version from git. I usually update my version of radare2 in the morning, while watching cat videos.
Uninstalling
I Can’t think of a reason for you to uninstall radare2 so early in the article but if you do have you can simply execute:
|
1 2 |
$ make uninstall $ make purge |
Getting Started
You can download the first challenge here.
Now that radare2 is installed on your system and you have downloaded the binary, we are ready to start exploring the basic usage of radare2. I’ll work on a Remnux machine but most of the commands and explanations (if not all of them) would be the same for Windows machines and others.
Command Line Arguments
As most command line utilities, the best approach to reveal the list of the possible arguments is to execute the program with the -h flag.
|
1 |
$ r2 -h |
I won’t paste here the full output, Instead I’ll point out those which I usually use in my daily work:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
Usage: r2 [-ACdfLMnNqStuvwz] [-P patch] [-p prj] [-a arch] [-b bits] [-i file] [-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|= -d: Debug the executable 'file' or running process 'pid' -A: Analyze executable at load time (xrefs, etc) -q: Quiet mode, exit after processing commands -w: Write mode enabled -L: List of supported IO plugins -i [file]: Interprets a r2 script -n: Bare load. Do not load executable info as the entrypoint -c 'command; command; ...': Run r2 and execute commands (eg: r2 's main; px 60') -p [prj]: Creates a project for the file being analyzed -: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with |
Binary info
Whenever I face a new challenge I first want to get information about the binary. Let’s extract it using one of the most powerful tools in r2 framework: rabin2.
rabin2 allows extracting information from binary files including Sections, Headers, Imports, Strings, Entrypoints, etc. It can then export the output in several formats. rabin2 is able to understand many file formats such as ELF, PE, Mach-O, Java CLASS.
Check
man rabin2for more information.
We’ll call rabin2 with the -I flag which prints binary info such as operating system, language, endianness, architecture, mitigations (canary, pic, nx) and more.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
$ rabin2 -I megabeets_0x1 havecode true pic false canary false nx false crypto false va true intrp /lib/ld-linux.so.2 bintype elf class ELF32 lang c arch x86 bits 32 machine Intel 80386 os linux minopsz 1 maxopsz 16 pcalign 0 subsys linux endian little stripped false static false linenum true lsyms true relocs true rpath NONE binsz 6220 |
Now let’s run it and see what the program does.
Note: Although I promise you can trust me with running this crackme, it’s highly recommended not to trust me. Whenever you reverse an unknown binary, please do it inside a virtual environment where nothing can be harmed.But you can trust me though, you have my dword 😛
|
1 2 3 4 5 6 7 8 9 10 11 |
$ ./megabeets_0x1 .:: Megabeets ::. Think you can make it? Nop, Wrong argument. $ ./megabeets_0x1 abcdef .:: Megabeets ::. Think you can make it? Nop, Wrong argument. |
The first time we run it we receive a message saying “Nop, Wrong argument”. Assuming we need to provide an argument for the program we run it again, this time with ‘abcdef’ as an argument. We failed again. Obviously some password is needed in order to solve this crackme.
Let’s examine the program using radare2:
| $ r2 ./megabeets_0x1 — Thank you for using radare2. Have a nice night! [0x08048370]> |
We spawned a radare2 shell and it automatically greets us with one of its fortunes. Some are very funny and some are actually useful, you can execute fo command to print a fortune. Now r2 shell is waiting for our commands and shows us the address in which we’re currently at (0x08048370). By default you’ll automatically be at the entrypoint address. Let’s see if it’s correct:
| [0x08048370]> ie [Entrypoints] vaddr=0x08048370 paddr=0x00000370 baddr=0x08048000 laddr=0x00000000 haddr=0x00000018 type=program1 entrypoints |
ie command that prints the entrypoints of the binary. r2 commands are a succession of meaningful letters. In this example ie stands for info >> entrypoint. Hence the commands are easy to remember once you’re familiar with radare2 capabilities. But you don’t have to remember all commands – you can simply add ? after (almost) every letter to get information about the command and its subcommands.| [0x08048370]> i? |Usage: i Get info from opened file (see rabin2’s manpage) | Output mode: | ‘*’ Output in radare commands | ‘j’ Output in json | ‘q’ Simple quiet output | Actions: | i|ij Show info of current file (in JSON) | iA List archs | ia Show all info (imports, exports, sections..) | ib Reload the current buffer for setting of the bin (use once only) | ic List classes, methods and fields | iC Show signature info (entitlements, …) | id Debug information (source lines) | iD lang sym demangle symbolname for given language | ie Entrypoint | iE Exports (global symbols) | ih Headers (alias for iH) | iHH Verbose Headers in raw text | ii Imports | iI Binary info | ik [query] Key-value database from RBinObject | il Libraries | iL List all RBin plugins loaded | im Show info about predefined memory allocation | iM Show main address | io [file] Load info from file (or last opened) use bin.baddr | ir|iR Relocs | is Symbols | iS [entropy,sha1] Sections (choose which hash algorithm to use) | iV Display file version info | iz Strings in data sections | izz Search for Strings in the whole binary | iZ Guess size of binary program |
The i command aim to get information from the opened file, it’s actually rabin2 (mentioned earlier) implemented in radare2 shell.
Analysis
radare2 doesn’t analyze the file by default because analysis is a complex process that can take a long time, especially when dealing with large files. To read more about analysis and the choice not to perform analysis at startup you can read this post at radare2 blog.
Obviously analysis is still a possiblity and r2 has lots of analysis types. As I noted before, we can explore the analysis options by adding '?‘ to 'a' command.
| [0x08048370]> a? |Usage: a[abdefFghoprxstc] […] | ab [hexpairs] analyze bytes | abb [len] analyze N basic blocks in [len] (section.size by default) | aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) | ac[?] [cycles] analyze which op could be executed in [cycles] | ad[?] analyze data trampoline (wip) | ad [from] [to] analyze data pointers to (from-to) | ae[?] [expr] analyze opcode eval expression (see ao) | af[?] analyze Functions | aF same as above, but using anal.depth=1 | ag[?] [options] output Graphviz code | ah[?] analysis hints (force opcode size, …) | ai [addr] address information (show perms, stack, heap, …) | ao[?] [len] analyze Opcodes (or emulate it) | aO Analyze N instructions in M bytes | ar[?] like ‘dr’ but for the esil vm. (registers) | ap find prelude for current offset | ax[?] manage refs/xrefs (see also afx?) | as[?] [num] analyze syscall using dbg.reg | at[?] [.] analyze execution traces Examples: f ts @ S*~text:0[3]; f t @ section..textf ds @ S*~data:0[3]; f d @ section..data.ad t t+ts @ d:ds |
I usually begin with executing 'aa' (analyse all). The name is misleading because there is a lot more to analyze (check aa? but it’s enough for most of the binaries I examined. This time we’ll start straight with aaa to make things simpler and due to its small size. You can also run radare2 with the -A flag to analyze the binary straight at startup using aaa (e.g r2 -A megabeets_0x1).
| [0x08048370]> aaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze len bytes of instructions for references (aar) [x] Analyze function calls (aac) [*] Use -AA or aaaa to perform additional experimental analysis. [x] Constructing a function name for fcn.* and sym.func.* functions (aan) |
Flags
After the analysis radare2 associates names to interesting offsets in the file such as Sections, Function, Symbols, Strings, etc. Those names are called ‘flags’. Flags can be grouped into ‘flag spaces’. A flag space is a namespace for flags of similar characteristics or type. To list the flag spaces run 'fs'.
| [0x08048370]> fs 0 4 . strings 1 35 . symbols 2 82 . sections 3 5 . relocs 4 5 . imports 5 1 . functions |
We can choose a flag space using 'fs <flagspace>' and print the flags it contains using 'f'. To pass several commands in a single line we can use a semicolon (i.e 'cmd1; cmd2; cmd3;...').
| [0x08048370]> fs imports; f 0x08048320 6 sym.imp.strcmp 0x08048330 6 sym.imp.strcpy 0x08048340 6 sym.imp.puts 0xffffffff 16 loc.imp.__gmon_start__ 0x08048350 6 sym.imp.__libc_start_main |
As we can see radare2 flagged up the imports used by the binary – we can see the well-known ‘strcmp’, ‘strcpy’, ‘puts’, etc., along with their corresponding addresses. We can also list the strings flagspace:
| [0x08048370]> fs strings; f 0x08048700 21 str._n__.::_Megabeets_::. 0x08048715 23 str.Think_you_can_make_it_ 0x0804872c 10 str.Success__n 0x08048736 22 str.Nop__Wrong_argument._n |
Strings
iz – List strings in data sectionsizz – Search for Strings in the whole binary| [0x08048370]> iz vaddr=0x08048700 paddr=0x00000700 ordinal=000 sz=21 len=20 section=.rodata type=ascii string=\n .:: Megabeets ::. vaddr=0x08048715 paddr=0x00000715 ordinal=001 sz=23 len=22 section=.rodata type=ascii string=Think you can make it? vaddr=0x0804872c paddr=0x0000072c ordinal=002 sz=10 len=9 section=.rodata type=ascii string=Success!\n vaddr=0x08048736 paddr=0x00000736 ordinal=003 sz=22 len=21 section=.rodata type=ascii string=Nop, Wrong argument.\n |
We already know most of these strings – we saw them when we executed our binary, remember? We didn’t see the “Success” string though, this is probably our ‘good boy’ message. Now that we got the strings, let’s see where they’re used in the program.
| [0x08048370]> axt @@ str.* data 0x8048609 push str._n__.::_Megabeets_::. in main data 0x8048619 push str.Think_you_can_make_it_ in main data 0x8048646 push str._n_tSuccess__n in main data 0x8048658 push str._n_tNop__Wrong_argument._n in main |
This command reveals us more of radare2 features. The 'axt' command is used to “find data/code references to this address” (see 'ax?'). '@@' is like foreach iterator sign, used to repeat a command over a list of offsets (see '@@?'), and 'str.*' is a wildcard for all the flags that start with 'str.'. This combination helps me not just to list the strings flags but also to list the function name, where it’s used and the referenced instruction. Make sure to select the strings flagspace (default, use 'fs *') before.
Seeking
As I mentioned before, all this time we were at the entrypoint of the program, now it’s time to move on. The strings we just listed are all referenced by ‘main’. in order to navigate from offset to offset we need to use the ‘seek’ command, represented by 's'. As you already know, appending ? to (almost) every command is the answer to all you problems.
| [0x08048370]> s? |Usage: s # Seek commands | s Print current address | s addr Seek to address | s- Undo seek | s- n Seek n bytes backward | s– Seek blocksize bytes backward | s+ Redo seek | s+ n Seek n bytes forward | s++ Seek blocksize bytes forward | s[j*=] List undo seek history (JSON, =list, *r2) | s/ DATA Search for next occurrence of ‘DATA’ | s/x 9091 Search for next occurrence of \x90\x91 | s.hexoff Seek honoring a base from core->offset | sa [[+-]a] [asz] Seek asz (or bsize) aligned to addr | sb Seek aligned to bb start | sC[?] string Seek to comment matching given string | sf Seek to next function (f->addr+f->size) | sf function Seek to address of specified function | sg/sG Seek begin (sg) or end (sG) of section or file | sl[?] [+-]line Seek to line | sn/sp Seek next/prev scr.nkey | so [N] Seek to N next opcode(s) | sr pc Seek to register |
So basically the seek command accepts an address or math expression as an argument. The expression can be math operations, flag, or memory access operations. We want to seek to the main function, we can do it by executing 's main' but let’s see first what other functions radare2 flagged for us using the afl command (Analyze Functions List).
| [0x08048370]> afl 0x080482ec 3 35 sym._init 0x08048320 1 6 sym.imp.strcmp 0x08048330 1 6 sym.imp.strcpy 0x08048340 1 6 sym.imp.puts 0x08048350 1 6 sym.imp.__libc_start_main 0x08048360 1 6 sub.__gmon_start___252_360 0x08048370 1 33 entry0 0x080483a0 1 4 sym.__x86.get_pc_thunk.bx 0x080483b0 4 43 sym.deregister_tm_clones 0x080483e0 4 53 sym.register_tm_clones 0x08048420 3 30 sym.__do_global_dtors_aux 0x08048440 4 43 -> 40 sym.frame_dummy 0x0804846b 19 282 sym.rot13 0x08048585 1 112 sym.beet 0x080485f5 5 127 main 0x08048680 4 93 sym.__libc_csu_init 0x080486e0 1 2 sym.__libc_csu_fini 0x080486e4 1 20 sym._fini |
Sweet! There are the imports we saw before, some .ctors, the entrypoints, libc, main and two interesting functions named ‘sym.beet’ and ‘sym.rot13;’.
Disassembling
main function
It’s time to look at some assembly (yay!). We first need to seek to the function using s main and then disassemble it using pdf (Print Disassemble Function). Pay attention how the address at the prompt changed to the address of main.
Note: As I said before, the goal of this tutorial is to teach radare2 and present some of it’s capabilities, not to teach assembly. Therefore I will not go through the code deeply and explain what it does. Honestly, the binary is really simple, you should get it even with basic understanding of reverse engineering.
| [0x08048370]> s main [0x080485f5]> pdf ;– main: / (fcn) main 127 | main (); | ; var int local_8h @ ebp-0x8 | ; var int local_4h @ esp+0x4 | ; DATA XREF from 0x08048387 (entry0) | 0x080485f5 8d4c2404 lea ecx, [esp + local_4h] ; 0x4 | 0x080485f9 83e4f0 and esp, 0xfffffff0 | 0x080485fc ff71fc push dword [ecx – 4] | 0x080485ff 55 push ebp | 0x08048600 89e5 mov ebp, esp | 0x08048602 53 push ebx | 0x08048603 51 push ecx | 0x08048604 89cb mov ebx, ecx | 0x08048606 83ec0c sub esp, 0xc | 0x08048609 6800870408 push str._n__.::_Megabeets_::. ; str._n__.::_Megabeets_::. | 0x0804860e e82dfdffff call sym.imp.puts ; int puts(const char *s) | 0x08048613 83c410 add esp, 0x10 | 0x08048616 83ec0c sub esp, 0xc | 0x08048619 6815870408 push str.Think_you_can_make_it_ ; “Think you can make it?” @ 0x8048715 | 0x0804861e e81dfdffff call sym.imp.puts ; int puts(const char *s) | 0x08048623 83c410 add esp, 0x10 | 0x08048626 833b01 cmp dword [ebx], 1 ; [0x1:4]=0x1464c45 | ,=< 0x08048629 7e2a jle 0x8048655 | | 0x0804862b 8b4304 mov eax, dword [ebx + 4] ; [0x4:4]=0x10101 | | 0x0804862e 83c004 add eax, 4 | | 0x08048631 8b00 mov eax, dword [eax] | | 0x08048633 83ec0c sub esp, 0xc | | 0x08048636 50 push eax | | 0x08048637 e849ffffff call sym.beet | | 0x0804863c 83c410 add esp, 0x10 | | 0x0804863f 85c0 test eax, eax | ,==< 0x08048641 7412 je 0x8048655 | || 0x08048643 83ec0c sub esp, 0xc | || 0x08048646 682c870408 push str.Success__n ; “Success!.” @ 0x804872c | || 0x0804864b e8f0fcffff call sym.imp.puts ; int puts(const char *s) | || 0x08048650 83c410 add esp, 0x10 | ,===< 0x08048653 eb10 jmp 0x8048665 | ||| ; JMP XREF from 0x08048629 (main) | ||| ; JMP XREF from 0x08048641 (main) | | -> 0x08048655 83ec0c sub esp, 0xc| | 0x08048658 6836870408 push str.Nop__Wrong_argument._n ; “Nop, Wrong argument..” @ 0x8048736 | | 0x0804865d e8defcffff call sym.imp.puts ; int puts(const char *s) | | 0x08048662 83c410 add esp, 0x10 | | ; JMP XREF from 0x08048653 (main) | `—> 0x08048665 b800000000 mov eax, 0 | 0x0804866a 8d65f8 lea esp, [ebp – local_8h] | 0x0804866d 59 pop ecx | 0x0804866e 5b pop ebx | 0x0804866f 5d pop ebp | 0x08048670 8d61fc lea esp, [ecx – 4] \ 0x08048673 c3 ret |
From reading the assembly we can generate a quick pseudo-code:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
if (argc > 1 && beet(argv[1]) == true) # i.e - if any argument passed to the program AND the result of beet, given the passed argument, is true # argc is the number of arguments passed to the program # argc will be at least 1 becuase the first argument is the program name # argv is the array of parameters passed to the program { print "success" } else { print "fail" } exit |
Visual Mode & Graph Mode
radare2 is equipped with a very strong and efficient suite of Visual Modes. The Visual Mode is much more user-friendly and takes the reversing using r2 to a whole new level. Pressing V will bring us to the Visual Mode screen. Use p/P to change between modes. At the top of the screen you can see the command which was used to generate the view. Navigate to the disassembly view using p.

Basic Visual commands
Movement
You can go up and down using k and j respectively. Pressing Enter whenever you’re on jump or call will take you to the destination address. Next to each jump and call there’s a number inside square brackets, pressing the number on your keyboard will take you to the function/address.
Help
As always in radare, pressing ? will take you to the help screen, you can explore the commands of the Visual Mode.
Cross-References
Use x/X to list the references to/from the function respectively. Use the numbers to jump to a reference.
radare2 commands
Use :command to execute r2 commands from inside Visual Mode.
Comment
You can add or remove comment using ;[-]comment.
Mark
m<key> can be used to mark specific offset with a key of your choice. Press '<key> to go to your key.
Quit
Press q to return to r2 shell.
Visual Graphs
As in similar disassemblers, radare2 has Graph view. You can access Visual Graph mode from your shell by running VV, move Left/Down/Up/Right using h/j/k/l and jump to a function using g and the key shown next to the jump call (e.g gd).

Use ? to list all the commands and make sure not to miss the R command.
Disassembling ‘beet’
After a short break from disassembling. Let’s go back to it and now explore the function beet. As we saw earlier, our binary checks the result of beet that is called with the argument we pass to the program. We can print beet using several methods, here are some of them:
- Seek to
beetin r2 shell and print the function by usings sym.beet(sym.beetis a flag for thebeetfunction. You can print the ‘sym’ flags by runningf sym.<tab>) and then executingpdf(print disassembled function). - Print
beetfrom r2 shell without seeking by usingpdf @ sym.beet.@is used as a temporary seeking. i.e “print the function at offset sym.beet”. - Jump to
beetfrom Visual Mode frommainusing3(the digit next to the jump call). - Jump to
beetfrom Visual Graph Mode frommainusinggd(‘d’ is the letter next to the jump call).
Here’s how beet looks like in Visual Graph Mode:

We can see that the given argument is copied to a buffer. The buffer is located at ebp - local_88h. ‘local_88h’ is actually 0x88 which is 136 in decimal. We can see this by executing ? 0x88. To execute r2 command from inside Visual Graph mode use : and then write the command.
| :> ? 0x88 136 0x88 0210 136 0000:0088 136 “\x88” 10001000 136.0 136.000000f 136.000000 |
Hence, 128 bytes are allocated for the buffer in the stack, the next 4 bytes would be the saved ebp pointer of the previous stack frame, and the next 4 bytes will be the return address, this sums up to 136.
After the buffer is filled with the given argument, it is then compared with the result of a function named sym.rot13. Rot-13 is a famous substitution cipher used a lot in CTFs and Crackmes. The function is called with 9 hexdecimal values that seems like radare failed to recognize as a string. We can do it manually using ahi s on these addresess.
| :> ahi s @@=0x080485a3 0x080485ad 0x080485b7 |
ahi s is used to set specific offset as string (see ahi?). @@ is an iterator (see @@?) and the addresses are the ones from sym.beet which radare2 didn’t identify as contained string. After executing the command the graph will refresh (if it doesn’t, use r) and will look like this:

Great! Looks like the string that was hiding is “Megabeets” (pushed in reversed order due to endianness).
The binary performs rot13 on “Megabeets” and then compares the result with the argument we passed it using strcmp. Luckily we don’t need to work hard because r2 framework already include rot13 cipher in its rahash2 utility.
rahash2 compute checksums of files or strings using various algorithms.
Check
man rahash2for more information.
| :> !rahash2 -E rot -S s:13 -s ‘Megabeets\n’ Zrtnorrgf |
rahash2 performed rot13(“Megabeets”) and resulted with “Zrtnorrgf”. By using ! we can execute shell commands from within r2 shell as in system(3). We can assume that “Zrtnorrgf” is compared with our input. Let’s open the binary in debug mode with “Zrtnorrgf” as an argument using ood (check ood?) and see what we’ll get.
| [0xf7749be9]> ood? | ood [args] reopen in debugger mode (with args) [0xf7749be9]> ood Zrtnorrgf Wait event received by different pid 7415 Wait event received by different pid 7444 Process with PID 7575 started… File dbg:///home/remnux/Desktop/tutorials/megabeets_0x1 Zrtnorrgf reopened in read-write mode = attach 7575 7575 Assuming filepath /home/remnux/Desktop/tutorials/megabeets_0x1 [0xf7749be9]> dc Selecting and continuing: 7575.:: Megabeets ::. Think you can make it? Success!PTRACE_EVENT_EXIT pid=7575, status=0x0 |
Woohoo! We received the success message and solved the crack me. After getting the success message we can finally say that what the binary is doing is to take the first argument we pass it and compare it with rot13(“Megabeets”) which is “Zrtnorrgf”.
You can see the full source-code of the crackme here.
Epilogue
Here the first part of our journey with radare2 is coming to an end. We learned about radare2 just in a nutshell and explored only the basics of the basics. In the next parts we’ll learn more about radare2 capabilities including scripting, malware analysis and exploitation. I’m aware that it’s hard, at first, to understand the power within radare2 or why should you put aside some of your old habits and get used working with radare2, but I promise that having radare2 in your toolbox is a very smart step whether you’re a reverse engineer, a CTF player or just security enthusiast.
Above all I want to thank Pancake, the man behind radare2, for creating this amazing tool as libre and open, and to the amazing friends in the radare2 community that devote their time to help, improve and promote the framework.
Please post comments or message me privately if something is wrong, not accurate, needs further explanation or you simply don’t get it. Don’t hesitate to share your thoughts with me.
Subscribe on the left if you want to get the next articles straight in your inbox.
I have no excuses now not to learn radare haha
really great tutorial
Outstanding tutorial! As a beginner to RE and r2 in general this was extremely well written and easy to follow. Am looking forward to more entries in this series!
By far the most simple and understandable tutorial of radare. Waiting for the next posts of yours, thanks1
You’re Welcome 🙂 The next post will be published at the next few weeks
The best ever seen tutorial. Thanks for this gem !
Thanks Phil! 🙂
You’re welcome, stay tuned for more
I just want to comment, that there is a error in the “unfair comparison” because you can also use a GUI in radare https://github.com/hteso/iaito
haha that’s true, there are couple of GUI(s) to radare in addition to the webUI but it’s not officially belongs to radare (yet)
I was always wondering how to see actual strings stored in the memory addresses before they are passed to some function or compared against something. This is great, I love it!
This is really quite excellent–looking forward to the next installment!
Awesome! Waiting for the next part 🙂
Hello,i did it as this blog and there comes some problems:
[0x08048370]> s main
[0x080485f5]> pdf
there is no result blow,and i can not go into Visual Graphs when i insert VV, I do not know where it is wrong, and my r2 version is :
radare2 1.4.0-git 14322 @ linux-x86-64 git.1.3.0-226-g547479dad
Hope to get your help,think you!
Hey,
Did you analyzed the binary using
aaa?If so, it should work.
Try the following commands in this order, maybe some would work, tell me afterwards:
First update to the most recent git version using
./sys/install.sh, then open the file usingr2 filename. Then execute the following commands:aaa– analyzing the binaryafl– list the functions, make sure main or sym.main is recognizedaf @ sym.main– analyze main functionpdf @ sym.main– print the main functionV– to enter visual modespace– to toggle between visual mode and graph mode.And please paste the full
r2 -vresult. What machine do you work on?If still nothing works, we’ll open an issue on github.
Waiting for your response.
think you, i am success to go into Visual Graphs as your method.
now ,i am try to use r2 analysis go language program, Is there some recommendation article?
thank you ,have a nice day!
Check this talk about reversing GO malware: https://youtu.be/PRLOlY4IKeA
Hi, there
I followed along the tutorial for learning r2. I had a question on making r2 to recognize specific offset as a string.
I ran the same command. But it did not work. The graph did not get refreshed.
Reproduction Steps:
1. Go to View
[0x08048585]> VV @ sym.beet (nodes 1 edges 0 zoom 100%) BB-OFF mouse:canvas-y movements-speed:52. Press :, and run below command
:> ahi s @@=0x080485a3 0x080485ad 0x080485b73. Press q
4. Press r to refresh the graph.
Thanks.
Hey illnino, it should work. you can also try it from outside Visual Mode and then execute
pdfto see if it changed.There’s other way inside Visual Mode which is actually the best practice:
1. Make sure you’re in
beetfunctions sym.beet2. Enter Visual Mode by pressing
vand toggle to assembly mode usingp3. Use
jto scroll down until you’re on0x080485a3(should be sym.beet+30)4. Press
dto define the selected line, thenito set immediate base, typesand press enter. The line should change right after it.5. Use
jagain to move to the next line and repeat step 4, and then again on the next line.Hope it will be helpful,
Itay
I have forget to chmod 755 the megabeets_0x1 file before to execute it on debug mode 🙂 first. It crashes.
Thanks a lot for this article.
Regards.
Thanks! There’s a minor typo where you call rahash2, the string should be ‘Megabeets’ (no trailing new line).
Thanks for the feedback Peter! I wrote it intentionally since there’s a bug while executing it without
\n.But then you don’t get the correct rot13 output. If the problem is just the missing newline, what about doing something like:
!rahash2 -E rot -S s:13 -s ‘Megabeets’; !echo
‘Zrtnorrgf’
For some reason, everything works fine up until the very end, when you type “ood Zrtnorrgf”. It seems to be having permissions issues. I saw the comment about chmod 755 and tried that but my megabeets_0x1 file already had the same permissions (tried chmod 755 anyway just to be safe), I also tried chmod 777. Here’s the error I’m getting.
[0x00400835]> ood Zrtnorrgf
Could not execvp: No such file or directory
r_core_file_reopen: Cannot reopen file: dbg:///home/Pragmata/Documents/ReverseEngineering/Crackmes & CTFs/Megabeets0x1/megabeets_0x1 Zrtnorrgf with perms 0x0007, attempting to open read-only.
[0x00000000]>
Interesting, it works for me just fine on the latest version. Please make sure to update radare to its newest version if you haven’t did yet.
Seems like a bug, I’d suggest you to change the location of
megabeets_0x1, say to/tmp/megabeets_0x1. Maybe the&sign is causing an issues.Anyway,
oodis used to “reopen the file in debug mode”, you can do this by yourself by simply executer2 -d megabeets_0x1 Zrtnorrgf.Hey thanks! Both solutions worked, and then I went ahead and tried removing the & sign from the directory name (just “Crackmes” is equally as descriptive, heh..) and it solved the issue entirely! This article is gold, can’t wait to read part 2, and hope to see parts 3 and 4 soon. I’m new to reverse engineering in general as well as radare2, I’m still learning assembly and olly/ida, yet you made everything clear and easy to understand. Many thanks!
Glad to her that! Part 2 is already available check it here https://www.megabeets.net/a-journey-into-radare-2-part-2
I got the same error.
The reason is the “space” in file path .
It works fine after I change the path from “dbg:///home/remnux/A-journey-into-Radare2/Part 1 – Simple crackme/megabeets_0x1” to “dbg:///home/remnux/A-journey-into-Radare2/Part1/megabeets_0x1” .
im having a problem, the “axt @@ str.*” line isn’t doing anything
Did you analyze the binary using
aaoraaa? It should work just fine when the binary is analyzesThanks for this introduction. It is a very good job.
^_^
Thank you so much! You’re welcome!
Great tutorial! thanks!
Sure! You are welcome! 😀
The best tutorial I’ve seen of radare
Thank You!
Thank you for your kind words! 🙂
Glad you like it!
Thanks for the tutorial. Do more lessons and if possible video.
Question:
How to stop(breakpoint) the program in a certain place?
r2 -d
1) aaa
2) db main # or db sym.main, db sym.beet, db sym.rot13, …..
3) dc
The program ends, but does not stop. Saw this in the video, I try to repeat and it does not work out. Tried it in different programs.
This actually should work, you can try with the address (
db 0x40...).Anyway, what is your version of r2? (
r2 -v)1) db 0x40… – also does not work
2) r2 -v
radare2 2.8.0 0 @ linux-x86-64 git.2.8.0
commit: HEAD build: 2018-08-15__09:35:36
Updated to the new version (2.9.0) and it all worked.
Great! Glad to hear 🙂
As I always say, using latest version of r2 from Git is the best
It’s hard to read on my monitor because of the sidebar on the left. It’s wasting a lot of space. Also, it’s irritating to keep scrolling code/console parts of your tutorial horizontally left and right all the time. Zooming out completely makes it small. Can you pls fix this?
Thanks for the feedback Anutrix!
How small is your monitor? Can you please PM me on some IM app (Telegram, twitter,…)?
https://www.megabeets.net/about.html#contact
Hey, first of all I want to thank you for your nice written tutorials 🙂
I really like the colors in your r2. Are you using a custom color scheme and would you mind sharing it?
Best regard
Thank you!
To be honest, the post is way too old and I changed computers and terminals since then.
AFAIR, I didn’t use any r2 theme but instead, I changed (hooked) the terminal colors using the color settings in ConEmu
The best introduction for beginner to study understand code
The addition of GUI with explained command tree help description of command actions would
be a tremendous help to learn r2 commands as a graphical overlay pop up to help suggest and
help directions … for student beginner .. Thank you
What a great tutorial, thank you!
I expect your nexy journey. thank you