radare is not a single binary. It is, in fact a set of programs related to the reverse engineering world. That is, a framework.
Here's the list of programs that the current version of radare installs in your system (0.9.4):
- gradare gtk+vte interface for radare
- radare commandline hexadecimal editor with pluggable interface
- rahash multiple algorithm block-based checksumming utility
- rasm commandline multi-architecture/endian patch assembler
- rabin gets entrypoint, exports, imports, symbols of ELF/PE/Class/..
- xrefs bruteforces data space finding possible xrefs
- rsc shell interface to a set of scripts and utilities
- bdiff erg0t's implementation of the generic binary diff in C++
Some other tools are also installed but will be probably deprecated in the future by using internal radare commands:
- javasm commandline raw java assembler and disassembler
- armasm very basic arm assembler
Maybe you'll feel a bit confused about the usage of the programs, but don't be afraid, and let's start configuring radare editing the ".radarerc" file in our home.
$ echo "eval scr.color = true" > ~/.radarerc $ echo "eval file.identify = true" >> ~/.radarerc
The 'eval' command is the standard interface to configure radare, if we type it in the radare shell we will get a list of key-value pairs of the configuration variables. If you want to list all the flags of a certain domain just end it with a dot '.': Code:
[0x00000000]> eval cfg. cfg.noscript = false cfg.encoding = ascii cfg.delta = 1024 cfg.verbose = true cfg.endian = false cfg.write = false cfg.limit = 0 cfg.rdbdir = TODO cfg.datefmt = %d:%m:%Y %H:%M:%S %z cfg.count = 0 cfg.fortunes = true cfg.bsize = 512
We can also use pipes in the shell of radare like a plain unix shell: Code:
[0x00000000]> eval | grep trace asm.trace = false file.trace = trace.log trace.bt = false trace.sleep = 0 trace.smart = true trace.log = true trace.dup = false trace.cmtregs = false
The radare shell accepts commands in the following format: Code:
<;> [:] [command] [arg] [@ offset] [| shell-command] [` radare-command] | | | | | | | | | x x | | | | | temporal pipe output to | | ` drop verbosity offset shell command | | | `- comment append output of command ----'
You can also use '>' and '>>' at the end of the command to dump the output to a file.
Here's a basic table of most common operations in radare Code:
Seek s > s 0x33 BlockSz b > b 0x400 Print p > px 20 @ 0x200 Write w > wx 90 90 90 @ +2 Search / > / lib Hash # > #md5 20 @ esp Shell !! > !!cat /proc/$DPID/maps Quit q > quit
radare only is able to manage "block size" bytes at a time, so, if you want to print data, analyze code, print graphs you will have to setup a high value here to avoid invalid results with broken code blocks.
I don't want to explain everything in detail. Most of commands accept a '?' appended to the 'char' command to give you a help usage. it's mostly self-documented, but there are lot of hidden magic features wink
The most used print modes are: Code:
Hex px - hexadecimal Disasm pD - disasm using asm.arch Octal po - octal base Analyze pA - analyzes memory String0 pz - zero terminated string WideStr pZ - zero terminated wide string C array pc - outputs C code Graph pG - only when compiled with vala/gtk/cairo
To change the disassembly architecture use the following command:
[0x0000000]> eval asm.arch = arm
Supported values are: arm, arm16, intel, intel16, intel64, powerpc, java
Let's test all together: Code:
$ radare -e file.id=true /bin/ls open ro /bin/ls [0x08049790]> f 000 0x00001790 512 entrypoint [0x08049790]> pD 20 0x08049790 895e ebp ^= ebp 0x08049792 83 pop esi 0x08049793 e483 ecx = esp 0x08049795 50f0e4 esp &= 0xf0 ; 240 ' ' 0x08049798 68 push eax 0x08049799 d0 push esp 0x0804979A 7b push edx 0x0804979B 057bd06800 push dword 0x8057bd0 0x080497A0 057c206800 push dword 0x8057c20
Wow, maybe you'll be surpressed for this pseudo-asm syntax. You can change it with the asm.syntax variable. Use 'intel', 'att' or 'pseudo'. The last one is the default for readibility reasons. Feel free to setup your favorite one in ~/.radarerc wink
As we see in the previous shell snippet when setupping 'file.id' to true, radare calls rabin internally to determine which kind of file has been opened and automatically setups the base address, flags the entrypoint and jumps there.
The cfg.baddr is the variable which defines the virtual base address. This is good for mapping on-disk and debugged process information and be able to easily apply patches to files.
As a final note, you can use the 'P' command to open and save project files to dump/load all your flags, comments, code atributes, .. from/to disk (also handled by the -P commandline flag). Code:
$ radare -P /bin/ls Using project file: '/tmp/ls.project' open ro /bin/ls [0x00000000]> q Do you want to save the '/tmp/ls.project' project? (Y/n) Project '/tmp/ls.project' saved. $
That's all for a basic introduction wink simple huh?