Hello World in Radare2

Besides its disassembler and debugger, Radare2 ships with a bundle of companion tools. Most of these are static analysis tools.

To get the MD5 hash of the hello world binary file, we can use rahash2:

With the use of the ls command and rahash2, we are able to determine these pieces of information:

filesize: 7348 bytes
time stamp: July 12 21:26 of this year
md5: 799554478cf399e5f87b37fcaf1c2ae6
sha256: 90085dacc7fc863a2606f8ab77b049532bf454badefcdd326459585bea4dfb29

rabin2 is another tool that can extract static information from a file, such as the type of file, header information, sections, and strings.

Let's get the type of file first by using the rabin2 -I hello command:

The bintype, class, hascode, and os fields indicate that the file is an executable 32-bit ELF file that runs on Linux. arch, bits, endian, and machine show that the file was built for x86. In addition, the lang field indicates that the file was compiled from C. This information helps us prepare for what to expect during disassembly and debugging.

To list imported functions, we use rabin2 -i hello:

There are two global functions we are interested in: puts and __libc_start_main. puts, as we discussed, is used to print a message. __libc_start_main is a function that initializes the stack frame, sets up the registers and some data structures, sets up error handling, and then calls the main() function.

To get the ELF header info, use rabin2 -H hello:

If we are only interested in the strings found in the data section, use the rabin2 -z hello command:

With rabin2, we got additional information about the file, shown here:

filetype: 32-bit ELF file with executable code for Linux
architecture: x86 Intel
functions: imports puts and has a main function
notable strings: hello world!
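The fields that ls, rahash2 -a md5/sha256, rabin2 -I and rabin2 -z report above all come from the file bytes and the ELF header, and a small parser makes clear where each one originates. The following is an added example, not part of the book or of radare2; it constructs a 52-byte ELF32 header plus a fake read-only data area inline (the sample is not a loadable program, and its entry address, strings and mapping tables are constructed here), fingerprints the file the way the ls/rahash2 step did, and derives bintype, class, bits, endian, machine and arch the way rabin2 -I reports them. It also handles ELF64 headers, which the page does not cover.

```python
import hashlib
import os
import re
import struct
import tempfile
import time

# Constructed sample: ELF32 identification (class=32-bit, data=little-endian,
# version=1, osabi=SYSV) followed by the rest of a 52-byte ELF32 header.
_IDENT = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
SAMPLE_ELF = struct.pack(
    "<16sHHIIIIIHHHHHH",
    _IDENT,
    2,            # e_type: ET_EXEC
    3,            # e_machine: EM_386
    1,            # e_version
    0x08048310,   # e_entry (constructed value)
    52, 0, 0,     # e_phoff, e_shoff, e_flags
    52, 32, 0,    # e_ehsize, e_phentsize, e_phnum
    40, 0, 0,     # e_shentsize, e_shnum, e_shstrndx
) + b"\x00" * 12 + b"hello world!\x00" + b"puts\x00" + b"\x00" * 3

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: ("Intel 80386", "x86"), 62: ("AMD x86-64", "x86"),
             40: ("ARM", "arm"), 183: ("AArch64", "arm")}
OSABI = {0: "SYSV", 3: "Linux"}


def elf_info(data):
    """Derive the rabin2 -I style fields from the ELF identification and header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    bits = 32 if ei_class == 1 else 64
    # e_type and e_machine sit at offset 16 in both ELF32 and ELF64 headers;
    # e_entry at offset 24 is 4 bytes wide in ELF32 and 8 bytes in ELF64.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    e_entry = struct.unpack_from(endian + ("I" if bits == 32 else "Q"), data, 24)[0]
    machine, arch = E_MACHINE.get(e_machine, ("unknown", "unknown"))
    return {
        "bintype": E_TYPE.get(e_type, "unknown"),
        "class": "ELF%d" % bits,
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "machine": machine,
        "arch": arch,
        "osabi": OSABI.get(ei_osabi, "unknown"),
        "entry": e_entry,
    }


def find_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like rabin2 -z / strings."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def fingerprint(path):
    """Size, timestamp and digests, the information the ls/rahash2 step produced."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "filesize": st.st_size,
        "mtime": time.strftime("%b %d %H:%M", time.localtime(st.st_mtime)),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def demo():
    """Write the constructed sample to a temp file and run all three inspections."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hello")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_ELF)
        return fingerprint(path), elf_info(SAMPLE_ELF), find_strings(SAMPLE_ELF)


if __name__ == "__main__":
    fp, info, strings = demo()
    for key, value in list(fp.items()) + list(info.items()):
        print("%-9s %s" % (key + ":", hex(value) if key == "entry" else value))
    print("strings:  %s" % ", ".join(strings))
```

Note that the os field rabin2 prints is not stored in the header as such: EI_OSABI is usually 0 (SYSV) even for Linux binaries, so rabin2 infers the OS from other evidence (dynamic loader path, notes), which this example does not attempt.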

Let's try the radare2 debugger itself. From the Terminal console, you can either use radare2's abbreviation r2, or radare2 itself, with the -d <file> as its argument:

This takes you to the radare2 console. Enclosed in square brackets, the address indicates where the current eip is. It is not the entry point of the hello program, but rather an address in the dynamic loader. As with gdb, you'll have to enter commands. To bring up help, just use ? and it will show you a list of commands as follows:

We start off by using the aaa command. This analyzes the code for function calls, flags, references and tries to generate constructive function names:

Using the V! command sets the console to visual mode. In this mode, we should be able to debug the program while having an interactive view of the registers and the stack. Entering : should show a command console. Pressing Enter should bring us back to visual mode. Type V? to show more visual mode commands. It is also best to maximize the Terminal window to get a better view of the debugger:

In the command console, enter db entry0. This should set a breakpoint at the entry point address of our program. But, since we also know that this program has a main function, you can also enter db sym.entry to set a breakpoint at the main function.

In visual mode, you can start the actual debugging using these keys that are available by default:

F2  toggle breakpoint
F4  run to cursor
F7  single step
F8  step over
F9  continue

With breakpoints set on the entry point and the main function, press F9 to run the program. We should end up at the entry point address.

You'll need to refresh radare2's visual mode by reopening it to see the changes. To do that, just press q twice to quit visual mode. But before running V! again, you'll need to seek to the current eip by using the s eip command.

Pressing F9 again should bring you to the main function of our program. Remember to refresh the visual mode:

Press F7 or F8 to trace the program while watching the stack and registers change. The letter b at the left of the address at line 0x0804840b indicates that a breakpoint is set at that address.

So far, we have learned the basic commands and keys. Feel free to explore the other commands; you'll get more information out of radare2 and find easier ways to analyze files.
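The same session (aaa, breakpoints on entry0 and main, continue twice, look at the registers at each stop) can be driven non-interactively, which is handy when you want to repeat it or diff the register state between the two stops rather than eyeball the visual mode. The following is an added example and not code from the book or from the radare2 project; it builds an r2 command line of the form r2 -q -c '<commands>' -d <file>, separates the two stops with an echoed marker (?e), and parses the dr register dump. Assumptions: the binary is the 32-bit hello from this chapter (so the instruction pointer is eip), the main function is flagged main after aaa, and r2 -q exits (killing the debuggee) once the commands have run. The sample dr output is constructed so the parsing part runs without radare2 installed.

```python
import re
import shutil
import subprocess

STOP_MARKER = "@@stop@@"


def r2_script(breakpoints=("entry0", "main")):
    """Commands for one non-interactive debug session: analyze, set breakpoints,
    then at every stop dump registers, show 3 instructions and echo a marker."""
    cmds = ["aaa"] + ["db %s" % bp for bp in breakpoints]
    for _ in breakpoints:
        cmds += ["dc", "dr", "pd 3 @ eip", "?e " + STOP_MARKER]
    return "; ".join(cmds)


def r2_argv(binary, script=None):
    """argv for r2 in quiet mode, running the script against the debugged binary."""
    return ["r2", "-q", "-c", script or r2_script(), "-d", binary]


# `dr` prints one register per line as "eip = 0x0804840b".
REG_LINE = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9a-fA-F]+)\s*$", re.M)


def parse_registers(text):
    """Parse a dr dump into {name: int}; disassembly lines do not match."""
    return {name: int(val, 16) for name, val in REG_LINE.findall(text)}


def parse_stops(text):
    """Split the session output at the echoed markers, one register dict per stop."""
    stops = [parse_registers(chunk) for chunk in text.split(STOP_MARKER)]
    return [s for s in stops if s]


def changed_registers(before, after):
    """Names of registers whose value differs between two stops, sorted."""
    return sorted(r for r in after if r in before and before[r] != after[r])


def run_session(binary, timeout=60):
    """Run the session against a real binary (needs radare2 on PATH)."""
    if shutil.which("r2") is None:
        raise FileNotFoundError("radare2 (r2) is not installed")
    proc = subprocess.run(r2_argv(binary), capture_output=True, text=True,
                          timeout=timeout, check=True)
    return parse_stops(proc.stdout)


# Constructed sample of what the session prints: two stops (entry0, then main),
# each a dr dump, a few pd lines and the marker. Values are made up.
SAMPLE_OUTPUT = (
    "eax = 0x00000000\nebx = 0x00000000\nesp = 0xffffd5c0\neip = 0x08048310\n"
    "            0x08048310      31ed           xor ebp, ebp\n"
    "            0x08048312      5e             pop esi\n"
    "@@stop@@\n"
    "eax = 0xf7fc1000\nebx = 0x00000000\nesp = 0xffffd5b0\neip = 0x0804840b\n"
    "            0x0804840b      8d4c2404       lea ecx, [esp + 4]\n"
    "@@stop@@\n"
)

if __name__ == "__main__":
    stops = parse_stops(SAMPLE_OUTPUT)
    for i, regs in enumerate(stops):
        print("stop %d: eip=0x%08x" % (i, regs["eip"]))
    print("changed between stops:", changed_registers(stops[0], stops[1]))
    print("command line:", " ".join(r2_argv("./hello")))
```

To use it against the real file, call run_session("./hello") from a shell where r2 is installed; the returned list holds one register dictionary per breakpoint hit, in the order the stops occurred.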
