This book is an updated version (started by maijin) of the original radare1 book (written by pancake). Which is actively maintained and updated by many contributors over the Internet.

Check the Github site to add new contents or fix typos:

   • Github: https://github.com/radareorg/radare2book

   • Online: https://book.rada.re/

In 2006, Sergi Àlvarez (aka pancake) was working as a forensic analyst. Since he wasn't allowed to use the company software for his personal needs, he decided to write a small tool-a hexadecimal editor-with very basic characteristics:

   • be extremely portable (unix friendly, command line, c, small)

   • open disk devices, this is using 64bit offsets

   • search for a string or hexpair

   • review and dump the results to disk

The editor was originally designed to recover a deleted file from an HFS+ partition.

After that, pancake decided to extend the tool to have a pluggable io to be able to attach to processes and implemented the debugger functionalities, support for multiple architectures, and code analysis.

Since then, the project has evolved to provide a complete framework for analyzing binaries, while making use of basic UNIX concepts. Those concepts include the famous "everything is a file", "small programs that interact using stdin/stdout", and "keep it simple" paradigms.

The need for scripting showed the fragility of the initial design: a monolithic tool made the API hard to use, and so a deep refactoring was needed. In 2009 radare2 (r2) was born as a fork of radare1. The refactor added flexibility and dynamic features. This enabled much better integration, paving the way to use r2 from different programming languages. Later on, the r2pipe API allowed access to radare2 via pipes from any language.

What started as a one-man project, with some eventual contributions, gradually evolved into a big community-based project around 2014. The number of users was growing fast, and the author-and main developer-had to switch roles from coder to manager in order to integrate the work of the different developers that were joining the project.

Instructing users to report their issues allows the project to define new directions to evolve in. Everything is managed in radare2's GitHub and discussed in the Telegram channel.

The project remains active at the time of writing this book, and there are several side projects that provide, among other things, a graphical user interface (Cutter), a decompiler (r2dec, radeco), Frida integration (r2frida), Yara, Unicorn, Keystone, and many other projects indexed in the r2pm (the radare2 package manager).

Since 2016, the community gathers once a year in r2con, a congress around radare2 that takes place in Barcelona.

The Radare2 project is a set of small command-line utilities that can be used together or independently.

This chapter will give you a quick understanding of them, but you can check the dedicated sections for each tool at the end of this book.

The main tool of the whole framework. It uses the core of the hexadecimal editor and debugger. radare2 allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

It implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, and visualizing. It can be scripted with a variety of languages, including Python, Ruby, JavaScript, Lua, and Perl.

A program to extract information from executable binaries, such as ELF, PE, Java CLASS, Mach-O, plus any format supported by r2 plugins. rabin2 is used by the core to get data like exported symbols, imports, file information, cross references (xrefs), library dependencies, and sections.

A command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and myriad of others).

$ rasm2 -a java 'nop'

00

$ rasm2 -a x86 -d '90'

nop

$ rasm2 -a x86 -b 32 'mov eax, 33'

b821000000

$ echo 'push eax;nop;nop' | rasm2 -f -

509090

An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, and others. rahash2 can be used to check the integrity or track changes of big files, memory dumps, or disks.

$ rahash2 file

file: 0x00000000-0x00000007 sha256: 887cfbd0d44aaff69f7bdbedebd282ec96191cce9d7fa7336298a18efc3c7a5a

$ rahash2 -a md5 file

file: 0x00000000-0x00000007 md5: d1833805515fc34b46c2b9de553f599d

A binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis.

A program to find byte patterns in files.

A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

$ cat hi.r

/* hello world in r_egg */

write@syscall(4); //x64 write@syscall(1);

exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {

.var0 = "hi!\n";

write(1,.var0, 4);

exit(0);

}

$ ragg2 -O -F hi.r

$ ./hi

hi!

$ cat hi.c

main@global(0,6) {

write(1, "Hello0", 6);

exit(0);

}

$ ragg2 hi.c

$ ./hi.c.bin

Hello

A launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors. rarun2 is useful for:

   • Solving crackmes

   • Fuzzing

   • Test suites