Description
Radare2 (r2) is an open-source reverse engineering framework with a disassembler, debugger, hex editor, and scriptable analysis. It supports many architectures and file formats; Cutter is its GUI frontend.
Installation
BASH
sudo apt install radare2
# Latest
git clone https://github.com/radareorg/radare2 && cd radare2
sys/install.sh
# GUI: Cutter
sudo apt install cutter
Basic Usage
BASH
# Open binary
r2 binary
# Analyze
[0x0]> aaa # Auto-analyze all
# List functions
[0x0]> afl # Function list
# Seek to main
[0x0]> s main
# Disassemble
[0x0]> pdf # Print disassembly of function
[0x0]> pd 20 # Print 20 instructions
# Strings
[0x0]> iz # Strings in data sections
[0x0]> izz # All strings
Advanced Usage
BASH
# Visual mode
[0x0]> V # Visual mode
[0x0]> VV # Graph mode (control flow)
# Cross-references
[0x0]> axt @ sym.main # Xrefs to main
# Debug mode
r2 -d binary
[0x0]> db main # Set breakpoint
[0x0]> dc # Continue
[0x0]> dr # Dump registers
[0x0]> ds # Step
# Search
[0x0]> / password # Search string
[0x0]> /x 90909090 # Search hex bytes
# Patching
[0x0]> oo+ # Open in write mode
[0x0]> wa nop # Write assembly
# Scripting (r2pipe) - Python, not shell
import r2pipe
r2 = r2pipe.open("binary")
r2.cmd("aaa")
print(r2.cmd("afl"))
Common Workflows
BASH
# Quick binary triage
r2 binary -c "aaa; afl; iz; q"
# CTF challenge
r2 -A challenge
[0x0]> afl # Find interesting functions
[0x0]> s sym.check_flag # Go to check function
[0x0]> pdf # Disassemble
[0x0]> VV # Visual graph
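The r2pipe snippet and the quick-triage workflow above, scripted end to end as an added example (not code from the radare2 project): the JSON commands `aflj`/`izj` and the field names read from them are assumptions, `run_triage` needs radare2 and r2pipe installed, and the parsers run on a constructed sample without them.

```python
import json
import re

# Constructed list of imports worth a closer look; r2 names them sym.imp.<name>.
RISKY_IMPORTS = {"strcpy", "sprintf", "gets", "system"}

def parse_functions(aflj_output):
    """Parse `aflj` (JSON form of afl); the field names are an assumption."""
    return [{"name": f["name"], "offset": f["offset"], "size": f.get("size", 0)}
            for f in json.loads(aflj_output or "[]")]

def parse_strings(izj_output):
    """Parse `izj` (JSON form of iz) into (vaddr, string) pairs."""
    return [(s["vaddr"], s["string"]) for s in json.loads(izj_output or "[]")]

def triage_report(functions, strings, pattern=r"flag|passw|key"):
    """Summarise what a reviewer would otherwise scan by eye in afl/iz output."""
    risky = [f["name"] for f in functions if f["name"].startswith("sym.imp.")
             and f["name"].rsplit(".", 1)[-1] in RISKY_IMPORTS]
    interesting = [(a, s) for a, s in strings if re.search(pattern, s, re.I)]
    largest = sorted(functions, key=lambda f: f["size"], reverse=True)[:3]
    return {"risky_imports": risky, "interesting_strings": interesting,
            "largest_functions": [f["name"] for f in largest]}

def run_triage(path):
    """Machine-readable equivalent of `r2 binary -c "aaa; afl; iz; q"`."""
    import r2pipe  # imported here so the parsers work without radare2 installed
    r2 = r2pipe.open(path)
    r2.cmd("aaa")
    report = triage_report(parse_functions(r2.cmd("aflj")),
                           parse_strings(r2.cmd("izj")))
    r2.quit()
    return report

# Constructed sample output (not captured from a real binary) for offline use.
SAMPLE_AFLJ = json.dumps([
    {"name": "main", "offset": 4198400, "size": 120},
    {"name": "sym.check_flag", "offset": 4198528, "size": 300},
    {"name": "sym.imp.strcpy", "offset": 4198272, "size": 6},
    {"name": "sym.imp.puts", "offset": 4198288, "size": 6},
])
SAMPLE_IZJ = json.dumps([
    {"vaddr": 4202496, "section": ".rodata", "string": "Enter the key"},
    {"vaddr": 4202512, "section": ".rodata", "string": "Wrong input"},
])

if __name__ == "__main__":
    print(json.dumps(triage_report(parse_functions(SAMPLE_AFLJ),
                                   parse_strings(SAMPLE_IZJ)), indent=2))
```

Swap the `pattern` argument for whatever naming convention the binary under review uses; the report is plain dict/JSON so it can be diffed across builds.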