A couple of days back I conducted a session on “Introduction to radare2” over irc for a few people from my college. Here are the notes I made in case it might be helpful for someone else.

###Introduction radare2 is an opensource reverse engineering framework. Other reverse engineering tools include IDA and Hopper. These are extremely expensive and r2 aims at being the ultimate reverse engineering tool in the future and replace these.

Official repository of radare 2 is here, feel free to join in and contribute if you like to :)

A full(?) feature list of r2 and comparison of r2 vs Hopper vs IDA can be found here

Links to other cheatsheets and documentations (which you may like):

• Cheat sheet
• Official Radare2 Book
• Using radare2 for Pwning
• radare2 blog has some interesting articles to pwn ctf challenges using r2.
• radare2 Wiki
• #radare (official channel) on irc.freenode.net if you need any help from r2 folks anytime.

r2 has a ton of features which takes a lot of time to explore and understand. Think of r2 like vim/emacs. Unfortunately it lacks a robust GUI. Feel free to try out the web GUI or Bokken

It has a steep learning curve but we need only a few commands to do basic reversing (and for ctfs) and that is all we’ll be seeing for today :)

Disclamer: I started using radare2 recently too. These are just some of the commands that I felt were most useful and spent some time in learning. I hope it’ll be useful for you too to quickly get up and running and explore the world of r2. Think of this as a newbie’s guide for newbies!

Take your time to explore r2, it’s definitely worth it.

A (very) small tutorial for absolute newbies:

Most Important tip for today (and as long as you use r2!): What most people don’t realise is that r2 is self-documenting. Whenever you don’t know any command, its semantics, what it does etc. use ?.

Example: Just running ? will give you a list of all commands. Now look at a. The help menu says: “Perform analysis of code”. To get more information about commands starting from a, run a?. Use this to learn and discover r2. When in doubt feel free to consult wikis, guides and talk to people on #radare. q is usually used to exit menus and eventually radare2 itself.

Also usually all mneumonics are dervied from their longer form.

Usually this is the workflow you would follow:

• Start up r2 by using: $ r2 ./hello_world
• Run aa to “Analyze All”, or the newer aaa.
• Enter V to enter “Visual Mode”. (Hint: You can use ? in Visual mode too)
• To view the graph of a function hit V. If you don’t see a graph when you enter into graph mode, it usually means that you forgot to run the analysis (rarely it could be a bug in r2, in which case please do report).
• Hit p to show the disassembly at the current location. Hit p again to go into debugger mode which shows all register states.
• v to enter code analysis menu. This menu shows all the functions analysed. Selecting one and pressing g “seeks” to that function. So the first thing to do is seek to the main function. This will usually be shown as ‘main’ or ‘sym.main’. Normally you’ll want to begin analysing the binary from here.
• In visual mode, if you want to run a r2 command, simple hit :. This brings up the same shell that you would have access to outside of the visual mode. All commands that work there work here too. To close the command line, just hit enter with a blank line.
• use s <fn_name> (Example: s sym.main will take you to main directly) or s <offset> to “seek” to locations. s- to undo seek, and s+ to redo seek. This allows you to traverse the binary efficiently. Tab completion is available to help you out here :)
• After some analysis, you might want to rename functions, to do so use afn <new_name> [offset].
• To rename local variables, use afvn [identifier] [new_name]. This is the same for function arguments, but use afan instead.
• Once you have done some analysis, you will want to save your work so that you can return to it later, use Ps [name] to save it as a project. Please check out P? for other project related commands. Most of them are self-explanatory.
• To load a project, use Po [name]. Alternatively, you could also do this while starting up r2 buy using the -P option. (Example: $ r2 -P [name])

Additional:

• To show all strings in a the data section of a binary, try: iz.
• To show all strings in the entire binary try: izz.
• Want to search for a string ‘Foo’ in the binary? Simple, do: / Foo.
• This will return something like: > <offset> hit0_X "Foo". To quickly go to this location, s hit0_X. Again, tab-completion is available.
• To help further with traversal, r2 offers vim style marks. To place a mark at an offset, use mK. Jump to a mark ‘K’ by using 'K (exactly how it works in vim!).
• Don’t like a theme? Check out default themes using eco?. To select a theme run eco [name] .

TODO

• o to seek.
• u/U to undo/redo seek.
• dr and d in general in visual mode.

This was just a basic introduction. radare2 offers many many more commands and is extremely powerful. Plus we’re constantly adding new commands, features and improvements, so stay tuned!