Beginners guide to radare2-Part 1

There are three giants in the reverse engineering world.

  • radare2
  • IDA Pro
  • Ghidra

IDA Pro has dominated the reverse engineering universe thanks to the GUI capabilities and user-friendly interface it offers. Personally I don’t like it because it has a huge price. So the options we in the open-source community have are Ghidra and radare2. Ghidra was used inside the NSA for years before it was even released, which also created this discussion on Reddit.

So we have two GUI competitors here and one CLI competitor. Why don’t I write about the GUI tools? Because when playing a CTF or examining a file on a remote server we almost always work in the terminal; GUI applications won’t be there to save us. So off we go on our journey into radare.

If you already know how to compile and run a program written in C, skip straight down to the Lets get started section.

Prerequisites

  • A small hello world program in C.
#include <stdio.h>

int main(){
    int a = 5;
    int b = 4;
    int temp;
    char hellostring[] = "Hello World";

    /* swap a and b through temp; the values are never used afterwards,
       they only exist so there are local variables to look at in r2 */
    temp = a;
    a = b;
    b = temp;

    printf("%s\n", hellostring);
    return 0;
}

Lets get started

First compile your program for the platform you are on. If you are on Windows use MinGW; on a *nix system you probably already have gcc installed. Just type $ gcc --version ; if it prints a version you are good to go. If not, $ sudo apt install gcc . If you are using a Mac you can use Homebrew to install it, as seen in this article.

So to start we are compiling our hello.c into a program named hello. In your terminal go to the directory where the hello.c file is located and run the command below. If you are using Windows you might need to add the MinGW install location to your environment variables (PATH).

$ gcc -o hello hello.c

Then, if you run the ls command (or dir on Windows), you will see two files named hello and hello.c. To be able to debug the program with radare2 we have to make it executable. On Linux, type in the same terminal we used before:

$ chmod +x hello

Then we can start it under radare2 with the debugger (-d) flag:

$ r2 -d hello

We should be greeted by the r2 prompt, like this:

Process with PID 2601 started…
= attach 2601 2601
bin.baddr 0x55af24f33000
Using 0x55af24f33000
asm.bits 64
[0x7f09eb16b090]>

Fun begins now… XD

We have already loaded the program; now we have to analyse it. Type > aaa at the prompt.

running aaa inside r2

What aaa does is run all the analysis commands that start with aa, one after the other, which makes our journey easier. Each of them can also be run on its own:

  • aa – alias for af@@ sym.*;af@entry0;afva
  • aac – analyze function calls (af @@ `pi len~call[1]`)
  • aar – analyze len bytes of instructions for references
  • aan – autoname functions that either start with fcn.* or sym.func.*
  • afta – do type matching analysis for all functions

Then we have to look at the functions of the program. In CTFs the program often has a function named flag, win, or magic. The following command lists the available functions:

>afl

Since we didn’t define any other functions here, we only have main, listed as sym.main. Lets analyse it:

>pdf @main

pdf here means print disassembly of function, in this case the main function.
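The whole walkthrough above (compile hello.c, analyse with aaa, list the functions with afl, disassemble main with pdf) can also be run non-interactively, which is handy when you want to repeat it on many binaries or keep the output. The script below is an added example, not code from the original post; it assumes gcc and r2 are on PATH and uses the post’s own file names (hello.c and hello). The afl listing embedded in it is constructed sample data, used so the filtering part can be shown even where r2 is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): the post's walkthrough run as a
# batch job. Assumes gcc and r2 are on PATH; file names follow the post.
set -eu

# Build the r2 command line for a batch (non-interactive) analysis:
#   -A  run aaa on load, the same analysis the post triggers by typing aaa
#   -q  quiet: no prompt, quit once the commands have run
#   -c  the r2 commands to run, ';'-separated, exactly as typed at the prompt
# The debugger (-d) is not needed just to list and disassemble functions; a
# static open is what you want for scripting because it is reproducible
# (no PID to attach to, no randomised load address in the output).
r2_batch_cmd() {
    bin="$1"
    cmds="$2"
    printf "r2 -A -q -c '%s' %s\n" "$cmds" "$bin"
}

# Filter an afl listing (one function per line, name in the last column) for
# the names the post says to look for in a CTF binary. Reads stdin, so it can
# be fed either directly by r2 or by a saved listing. The sym. prefix r2 puts
# on symbols is stripped before matching, but the full name is printed.
interesting_functions() {
    awk '{ name = $NF; sub(/^sym\./, "", name)
           if (name ~ /^(flag|win|magic)$/) print $NF }'
}

# Constructed afl listing in r2's format (address, basic blocks, size, name).
# This is sample data for the script, not output captured from the post's hello.
SAMPLE_AFL='0x00001050    1 11           sym.imp.puts
0x00001060    4 41           entry0
0x00001149    1 62           main
0x00001190    3 54           sym.win'

if command -v gcc >/dev/null 2>&1 && command -v r2 >/dev/null 2>&1 && [ -f hello.c ]; then
    gcc -o hello hello.c
    # eval so the quoted -c argument is split the way the shell splits it at the prompt
    echo "== functions worth a look =="
    eval "$(r2_batch_cmd hello 'afl')" | interesting_functions
    echo "== disassembly of main =="
    eval "$(r2_batch_cmd hello 'pdf @ main')"
else
    echo "gcc, r2 or hello.c not available here; running the filter on sample data:"
    printf '%s\n' "$SAMPLE_AFL" | interesting_functions
fi
```

On the post’s hello binary the filter prints nothing, because there is no flag/win/magic function, and the second r2 call prints the same pdf listing you get interactively. Running the same script against a CTF binary gives you the candidate function names in one line, ready to feed into pdf.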

As you can see, the variables appear in a cryptic way (they are not a, b and temp anymore) but they are still readable. We will follow up this guide with another one. Till then, practice practice practice.

Read second part:Beginners guide to radare2-Part 2
