The Official Radare2 Book - читать бесплатно онлайн полную версию книги автора (Introduction) #1

Introduction

This book is an updated version (started by maijin) of the original radare1 book (written by pancake). Which is actively maintained and updated by many contributors over the Internet.

Check the Github site to add new contents or fix typos:

• Github: https://github.com/radareorg/radare2book

• Online: https://book.rada.re/

In 2006, Sergi Àlvarez (aka pancake) was working as a forensic analyst. Since he wasn't allowed to use the company software for his personal needs, he decided to write a small tool-a hexadecimal editor-with very basic characteristics:

• be extremely portable (unix friendly, command line, c, small)

• open disk devices, this is using 64bit offsets

• search for a string or hexpair

• review and dump the results to disk

The editor was originally designed to recover a deleted file from an HFS+ partition.

After that, pancake decided to extend the tool to have a pluggable io to be able to attach to processes and implemented the debugger functionalities, support for multiple architectures, and code analysis.

Since then, the project has evolved to provide a complete framework for analyzing binaries, while making use of basic UNIX concepts. Those concepts include the famous "everything is a file", "small programs that interact using stdin/stdout", and "keep it simple" paradigms.

The need for scripting showed the fragility of the initial design: a monolithic tool made the API hard to use, and so a deep refactoring was needed. In 2009 radare2 (r2) was born as a fork of radare1. The refactor added flexibility and dynamic features. This enabled much better integration, paving the way to use r2 from different programming languages. Later on, the r2pipe API allowed access to radare2 via pipes from any language.

What started as a one-man project, with some eventual contributions, gradually evolved into a big community-based project around 2014. The number of users was growing fast, and the author-and main developer-had to switch roles from coder to manager in order to integrate the work of the different developers that were joining the project.

Instructing users to report their issues allows the project to define new directions to evolve in. Everything is managed in radare2's GitHub and discussed in the Telegram channel.

The project remains active at the time of writing this book, and there are several side projects that provide, among other things, a graphical user interface (Cutter), a decompiler (r2dec, radeco), Frida integration (r2frida), Yara, Unicorn, Keystone, and many other projects indexed in the r2pm (the radare2 package manager).

Since 2016, the community gathers once a year in r2con, a congress around radare2 that takes place in Barcelona.

The Framework

The Radare2 project is a set of small command-line utilities that can be used together or independently.

This chapter will give you a quick understanding of them, but you can check the dedicated sections for each tool at the end of this book.

radare2

The main tool of the whole framework. It uses the core of the hexadecimal editor and debugger. radare2 allows you to open a number of input/output sources as if they were simple, plain files, including disks, network connections, kernel drivers, processes under debugging, and so on.

It implements an advanced command line interface for moving around a file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, and visualizing. It can be scripted with a variety of languages, including Python, Ruby, JavaScript, Lua, and Perl.

rabin2

A program to extract information from executable binaries, such as ELF, PE, Java CLASS, Mach-O, plus any format supported by r2 plugins. rabin2 is used by the core to get data like exported symbols, imports, file information, cross references (xrefs), library dependencies, and sections.

rasm2

A command line assembler and disassembler for multiple architectures (including Intel x86 and x86-64, MIPS, ARM, PowerPC, Java, and myriad of others).

Examples

$ rasm2 -a java 'nop'

$ rasm2 -a x86 -d '90'

nop

$ rasm2 -a x86 -b 32 'mov eax, 33'

b821000000

$ echo 'push eax;nop;nop' | rasm2 -f -

509090

rahash2

An implementation of a block-based hash tool. From small text strings to large disks, rahash2 supports multiple algorithms, including MD4, MD5, CRC16, CRC32, SHA1, SHA256, and others. rahash2 can be used to check the integrity or track changes of big files, memory dumps, or disks.

Examples

$ rahash2 file

file: 0x00000000-0x00000007 sha256: 887cfbd0d44aaff69f7bdbedebd282ec96191cce9d7fa7336298a18efc3c7a5a

$ rahash2 -a md5 file

file: 0x00000000-0x00000007 md5: d1833805515fc34b46c2b9de553f599d

radiff2

A binary diffing utility that implements multiple algorithms. It supports byte-level or delta diffing for binary files, and code-analysis diffing to find changes in basic code blocks obtained from the radare code analysis.

rafind2

A program to find byte patterns in files.

ragg2

A frontend for r_egg. ragg2 compiles programs written in a simple high-level language into tiny binaries for x86, x86-64, and ARM.

Examples

$ cat hi.r

/* hello world in r_egg */

write@syscall(4); //x64 write@syscall(1);

exit@syscall(1); //x64 exit@syscall(60);

main@global(128) {

.var0 = "hi!\n";

write(1,.var0, 4);

exit(0);

}

$ ragg2 -O -F hi.r

$ ./hi

hi!

$ cat hi.c

main@global(0,6) {

write(1, "Hello0", 6);

exit(0);

}

$ ragg2 hi.c

$ ./hi.c.bin

Hello

rarun2

A launcher for running programs within different environments, with different arguments, permissions, directories, and overridden default file descriptors. rarun2 is useful for:

• Solving crackmes

• Fuzzing

• Test suites

Sample rarun2 script

$ cat foo.rr2

#!/usr/bin/rarun2

program=./pp400

arg0=10

stdin=foo.txt

chdir=/tmp

#chroot=.

./foo.rr2

Connecting a Program with a Socket

$ nc -l 9999

$ rarun2 program=/bin/ls connect=localhost:9999

Debugging a Program Redirecting the stdio into Another Terminal

1 - open a new terminal and type 'tty' to get a terminal name:

$ tty ; clear ; sleep 999999

/dev/ttyS010

2 - Create a new file containing the following rarun2 profile named foo.rr2:

#!/usr/bin/rarun2

program=/bin/ls

stdio=/dev/ttys010

3 - Launch the following radare2 command:

r2 -r foo.rr2 -d /bin/ls

rax2

A minimalistic mathematical expression evaluator for the shell that is useful for making base conversions between floating point values, hexadecimal representations, hexpair strings to ASCII, octal to integer, and more. It also supports endianness settings and can be used as an interactive shell if no arguments are given.

Examples

$ rax2 1337

0x539

$ rax2 0x400000

4194304

$ rax2 -b 01111001

$ rax2 -S radare2

72616461726532

$ rax2 -s 617765736f6d65

awesome

Downloading radare2

You can get radare from the GitHub repository: https://github.com/radareorg/radare2

Binary packages are available for a number of operating systems (Ubuntu, Maemo, Gentoo, Windows, iPhone, and so on). But you are highly encouraged to get the source and compile it yourself to better understand the dependencies, to make examples more accessible and, of course, to have the most recent version.

A new stable release is typically published every month.

The radare development repository is often more stable than the 'stable' releases. To obtain the latest version:

$ git clone https://github.com/radareorg/radare2.git

This will probably take a while, so take a coffee break and continue reading this book.

To update your local copy of the repository, use git pull anywhere in the radare2 source code tree:

$ git pull

If you have local modifications of the source, you can revert them (and lose them!) with:

$ git reset --hard HEAD

Or send us a patch:

$ git diff > radare-foo.patch

The most common way to get r2 updated and installed system wide is by using:

$ sys/install.sh

Building with meson + ninja

There is also a work-in-progress support for Meson.

Using clang and ld.gold makes the build faster:

CC=clang LDFLAGS=-fuse-ld=gold meson . release --buildtype=release --prefix ~/.local/stow/radare2/release

ninja -C release

# ninja -C release install

Helper Scripts

Take a look at the scripts in sys/, they are used to automate stuff related to syncing, building and installing r2 and its bindings.

The most important one is sys/install.sh. It will pull, clean, build and symstall r2 system wide.

Symstalling is the process of installing all the programs, libraries, documentation and data files using symlinks instead of copying the files.

By default it will be installed in /usr/local, but you can specify a different prefix using the argument --prefix.

This is useful for developers, because it permits them to just run 'make' and try changes without having to run make install again.

Cleaning Up

Cleaning up the source tree is important to avoid problems like linking to old objects files or not updating objects after an ABI change.

The following commands may help you to get your git clone up to date:

$ git clean -xdf

$ git reset --hard @~10

$ git pull

If you want to remove previous installations from your system, you must run the following commands:

$ ./configure --prefix=/usr/local

$ make purge

Compilation and Portability

Currently the core of radare2 can be compiled on many systems and architectures, but the main development is done on GNU/Linux with GCC, and on MacOS X with clang. Radare is also known to compile on many different systems and architectures (including TCC and SunStudio).

People often want to use radare as a debugger for reverse engineering. Currently, the debugger layer can be used on Windows, GNU/Linux (Intel x86 and x86_64, MIPS, and ARM), OS X, FreeBSD, NetBSD, and OpenBSD (Intel x86 and x86_64)..

Compared to core, the debugger feature is more restrictive portability-wise. If the debugger has not been ported to your favorite platform, you can disable the debugger layer with the --without-debugger configure script option when compiling radare2.

Note that there are I/O plugins that use GDB, WinDbg, or Wine as back-ends, and therefore rely on presence of corresponding third-party tools (in case of remote debugging - just on the target machine).

To build on a system using acr and GNU Make (e.g. on *BSD systems):

$ ./configure --prefix=/usr

$ gmake

$ sudo gmake install

There is also a simple script to do this automatically:

$ sys/install.sh

Static Build

You can build radare2 statically along with all other tools with the command:

$ sys/static.sh

Meson build

You can use meson + ninja to build:

$ sys/meson.py --prefix=/usr --shared --install

If you want to build locally:

$ sys/meson.py --prefix=/home/$USER/r2meson --local --shared --install

Docker

Radare2 repository ships a Dockerfile that you can use with Docker.

This dockerfile is also used by Remnux distribution from SANS, and is available on the docker registryhub.

Cleaning Up Old Radare2 Installations

./configure --prefix=/old/r2/prefix/installation

make purge

Windows

Radare2 relies on the Meson build system generator to support compilation on all platforms, including Windows. Meson will generate a Visual Studio Solution, all the necessary project files, and wire up the Microsoft Visual C++ compiler for you.

tip You can download nightly binaries from https://ci.appveyor.com/project/radareorg/radare2/history. Be sure to download only from master branch!

Prerequisites

• Visual Studio 2015 (or higher)

• Python 3

• Meson

• Git

Step-by-Step

Install Visual Studio 2015 (or higher)

Visual Studio must be installed with a Visual C++ compiler, supporting C++ libraries, and the appropriate Windows SDK for the target platform version.

• In the Visual Studio 2015 installer, ensure Programming Languages > Visual C++ is selected

• In the Visual Studio 2017+ installers, ensure the Desktop development with C++ workload is selected

If you need a copy of Visual Studio, the Community versions are free and work great.

• Download Visual Studio 2015 Community (registration required)

• Download Visual Studio 2017 Community

Install Python 3 and Meson via Conda

It is strongly recommended you install Conda — a Python environment management system — when working with Python on the Windows platform. This will isolate the Radare2 build environment from other installed Python versions and minimize potential conflicts.

Set Up Conda:

1. Download the appropriate Conda (Python 3.x) for your platform (https://conda.io/miniconda.html)

2. Install Conda with the recommended defaults

Create a Python Environment for Radare2

Follow these steps to create and activate a Conda environment named r2. All instructions from this point on will assume this name matches your environment, but you may change this if desired.

1. Start > Anaconda Prompt

2. conda create -n r2 python=3

3. activate r2

Any time you wish to enter this environment, open the Anaconda Prompt and re-issue activate r2. Conversely, deactivate will leave the environment.

Install Meson

1. Enter the Radare2 Conda environment, if needed (activate r2)

2. Download https://github.com/mesonbuild/meson/archive/master.zip

3. pip install \path\to\downloaded\master.zip

4. Verify Meson is version 0.48 or higher (meson -v)

Install Git for Windows

All Radare2 code is managed via the Git version control system and hosted on GitHub.

Follow these steps to install Git for Windows.

1. Download Git for Windows (https://git-scm.com/download/win)

As you navigate the install wizard, we recommend you set these options when they appear: * Use a TrueType font in all console windows * Use Git from the Windows Command Prompt * Use the native Windows Secure Channel library (instead of OpenSSL) * Checkout Windows-style, commit Unix-style line endings (core.autocrlf=true) * Use Windows' default console window (instead of Mintty)

2. Close any previously open console windows and re-open them to ensure they receive the new PATH

3. Ensure git --version works

Get Radare2 Code

Follow these steps to clone the Radare2 git repository.

1. In your Radare2 Conda environment, navigate to a location where the code will be saved and compiled. This location needs approximately 3-4GiB of space

2. Clone the repository with git clone https://github.com/radareorg/radare2.git

Compile Radare2 Code

Follow these steps to compile the Radare2 Code.

Compiled binaries will be installed into the dest folder.

1. Enter the Radare2 Conda environment

2. Navigate to the root of the Radare2 sources (cd radare2)

3. Initialize Visual Studio tooling by executing the command below that matches the version of Visual Studio installed on your machine and the version of Radare2 you wish to install:

Visual Studio 2015:

Note: For the 64-bit version change only the x86 at the very end of the command below to x64.

"%ProgramFiles(x86)%\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86

Visual Studio 2017:

Note 1: Change Community to either Professional or Enterprise in the command below depending on the version installed.

Note 2: Change vcvars32.bat to vcvars64.bat in the command below for the 64-bit version.

"%ProgramFiles(x86)%\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvars32.bat"

Visual Studio Preview:

Note 1: Change Community to either Professional or Enterprise in the command below depending on the version installed.

Note 2: Change vcvars32.bat to vcvars64.bat in the command below for the 64-bit version.

"%ProgramFiles(x86)%\Microsoft Visual Studio\Preview\Community\VC\Auxiliary\Build\vcvars32.bat"

4. Generate the build system with Meson:

Note 1: Change debug to release in the command below depending on whether the latest version or release version is desired.

Note 2: If you are using visual studio 2017, you can change swap vs2015 for vs2017.

meson build --buildtype debug --backend vs2015 --prefix %cd%\dest

Meson currently requires --prefix to point to an absolute path. We use the %CD% pseudo-variable to get the absolute path to the current working directory.

5. Start a build:

Note: Change Debug to Release in the command below depending on the version desired.

msbuild build\radare2.sln /p:Configuration=Debug /m

The /m[axcpucount] switch creates one MSBuild worker process per logical processor on your machine. You can specify a numeric value (e.g. /m:2) to limit the number of worker processes if needed. (This should not be confused with the Visual C++ Compiler switch /MP.)

If you get an error with the 32-bit install that says something along the lines of error MSB4126: The specified solution configuration "Debug|x86" is invalid. Get around this by adding the following argument to the command: /p:Platform=Win32

6. Install into your destination folder: meson install -C build --no-rebuild

7. Check your Radare2 version: dest\bin\radare2.exe -v

Check That Radare2 Runs From All Locations

1. In the file explorer go to the folder Radare2 was just installed in.

2. From this folder go to dest > bin and keep this window open.

3. Go to System Properties: In the Windows search bar enter sysdm.cpl.

4. Go to Advanced > Environment Variables.

5. Click on the PATH variable and then click edit (if it exists within both the user and system variables, look at the user version).

6. Ensure the file path displayed in the window left open is listed within the PATH variable. If it is not add it and click ok.

7. Log out of your Windows session.

8. Open up a new Windows Command Prompt: type cmd in the search bar. Ensure that the current path is not in the Radare2 folder.

9. Check Radare2 version from Command Prompt Window: radare2 -v

Android

Radare2 can be cross-compiled for other architectures/systems as well, like Android.

Prerequisites

• Python 3

• Meson

• Ninja

• Git

• Android NDK

Step-by-step

Download and extract the Android NDK

Download the Android NDK from the official site and extract it somewhere on your system (e.g. /tmp/android-ndk)

Make

Specify NDK base path

$ echo NDK=/tmp/android-ndk > ~/.r2androidrc

Compile + create tar.gz + push it to connected android device

./sys/android-build.sh arm64-static

You can build for different architectures by changing the argument to ./sys/android-build.sh. Run the script without any argument to see the accepted values.

Meson

Create a cross-file for meson

Meson needs a configuration file that describes the cross compilation environment (e.g. meson-android.ini). You can adjust it as necessary, but something like the following should be a good starting point:

[binaries]

c = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang'

cpp = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang++'

ar = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ar'

as = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-as'

ranlib = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ranlib'

ld = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-ld'

strip = '/tmp/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-strip'

pkgconfig = 'false'

[properties]

sys_root = '/tmp/android-ndk/sysroot'

[host_machine]

system = 'android'

cpu_family = 'arm'

cpu = 'aarch64'

endian = 'little'

Compile with meson + ninja

Now setup the build directory with meson as usual:

CFLAGS="-static" LDFLAGS="-static" meson --default-library static

--prefix=/tmp/android-dir -Dblob=true build --cross-file

./meson-android.ini

A bit of explanation about all the options:

• CFLAGS="-static", LDFLAGS="-static", --default-library static: this ensure that libraries and binaries are statically compiled, so you do not need to properly set LD_* environment variables in your Android environment to make it find the right libraries. Binaries have everything they need inside.

• -Dblob=true: it tells meson to compile just one binary with all the needed code for running radare2, rabin2, rasm2, etc. and creates symbolic links to those names. This avoids creating many statically compiled large binaries and just create one that provides all features. You will still have rabin2, rasm2, rax2, etc. but they are just symlinks to radare2.

• --cross-file ./meson-android.ini: it describes how to compile radare2 for Android

Then compile and install the project:

$ ninja -C build

$ ninja -C build install