22.8 forum: Introduction to radare

radare is not a single binary. It is, in fact a set of programs related to the reverse engineering world. That is, a framework.

Here's the list of programs that the current version of radare installs in your system (0.9.4):

- gradare gtk+vte interface for radare

- radare commandline hexadecimal editor with pluggable interface

- rahash multiple algorithm block-based checksumming utility

- rasm commandline multi-architecture/endian patch assembler

- rabin gets entrypoint, exports, imports, symbols of ELF/PE/Class/..

- xrefs bruteforces data space finding possible xrefs

- rsc shell interface to a set of scripts and utilities

- bdiff erg0t's implementation of the generic binary diff in C++

Some other tools are also installed but will be probably deprecated in the future by using internal radare commands:

- javasm commandline raw java assembler and disassembler

- armasm very basic arm assembler

Maybe you'll feel a bit confused about the usage of the programs, but don't be afraid, and let's start configuring radare editing the ".radarerc" file in our home.

$ echo "eval scr.color = true"     >  ~/.radarerc
$ echo "eval file.identify = true" >> ~/.radarerc

The 'eval' command is the standard interface to configure radare, if we type it in the radare shell we will get a list of key-value pairs of the configuration variables. If you want to list all the flags of a certain domain just end it with a dot '.': Code:

 [0x00000000]> eval cfg.
 cfg.noscript = false
 cfg.encoding = ascii
 cfg.delta = 1024
 cfg.verbose = true
 cfg.endian = false
 cfg.write = false
 cfg.limit = 0
 cfg.rdbdir = TODO
 cfg.datefmt = %d:%m:%Y %H:%M:%S %z
 cfg.count = 0
 cfg.fortunes = true
 cfg.bsize = 512

We can also use pipes in the shell of radare like a plain unix shell: Code:

 [0x00000000]> eval  | grep trace
 asm.trace = false
 file.trace = trace.log
 trace.bt = false
 trace.sleep = 0
 trace.smart = true
 trace.log = true
 trace.dup = false
 trace.cmtregs = false

The radare shell accepts commands in the following format: Code:

 <;> [:] [command] [arg] [@ offset] [| shell-command] [` radare-command]
  |   |     |        |        |             |               |
  |   |     x        x        |             |               |
  |   |                   temporal    pipe output to        |
  |   ` drop verbosity     offset      shell command        |
  |                                                         |
  `- comment                   append output of command ----'

You can also use '>' and '>>' at the end of the command to dump the output to a file.

Here's a basic table of most common operations in radare Code:

Seek     s    > s 0x33
BlockSz  b    > b 0x400
Print    p    > px 20 @ 0x200
Write    w    > wx 90 90 90 @ +2
Search   /    > / lib
Hash     #    > #md5 20 @ esp
Shell    !!   > !!cat /proc/$DPID/maps
Quit     q    > quit

radare only is able to manage "block size" bytes at a time, so, if you want to print data, analyze code, print graphs you will have to setup a high value here to avoid invalid results with broken code blocks.

I don't want to explain everything in detail. Most of commands accept a '?' appended to the 'char' command to give you a help usage. it's mostly self-documented, but there are lot of hidden magic features wink

The most used print modes are: Code:

Hex      px  - hexadecimal
Disasm   pD  - disasm using asm.arch
Octal    po  - octal base
Analyze  pA  - analyzes memory
String0  pz  - zero terminated string
WideStr  pZ  - zero terminated wide string
C array  pc  - outputs C code
Graph    pG  - only when compiled with vala/gtk/cairo

To change the disassembly architecture use the following command:

 [0x0000000]> eval asm.arch = arm

Supported values are: arm, arm16, intel, intel16, intel64, powerpc, java

Let's test all together: Code:

 $ radare -e file.id=true /bin/ls
 open ro /bin/ls
 [0x08049790]> f
 000 0x00001790 512 entrypoint
 [0x08049790]> pD 20
    0x08049790    895e         ebp ^= ebp
    0x08049792    83           pop esi
    0x08049793    e483         ecx = esp
    0x08049795    50f0e4       esp &= 0xf0  ; 240 ' '
    0x08049798    68           push eax
    0x08049799    d0           push esp
    0x0804979A    7b           push edx
    0x0804979B    057bd06800   push dword 0x8057bd0
    0x080497A0    057c206800   push dword 0x8057c20

Wow, maybe you'll be surpressed for this pseudo-asm syntax. You can change it with the asm.syntax variable. Use 'intel', 'att' or 'pseudo'. The last one is the default for readibility reasons. Feel free to setup your favorite one in ~/.radarerc wink

As we see in the previous shell snippet when setupping 'file.id' to true, radare calls rabin internally to determine which kind of file has been opened and automatically setups the base address, flags the entrypoint and jumps there.

The cfg.baddr is the variable which defines the virtual base address. This is good for mapping on-disk and debugged process information and be able to easily apply patches to files.

As a final note, you can use the 'P' command to open and save project files to dump/load all your flags, comments, code atributes, .. from/to disk (also handled by the -P commandline flag). Code:

 $ radare -P /bin/ls
 Using project file: '/tmp/ls.project'
 open ro /bin/ls
 [0x00000000]> q
 Do you want to save the '/tmp/ls.project' project? (Y/n)
 Project '/tmp/ls.project' saved.

That's all for a basic introduction wink simple huh?

Have fun!