Day 20 - radare2
Writer: Niklas Saari - OUSPG / University of Oulu
Next in the Advent calendar, there is probably the biggest unix-like open-source binary analysis and disassembler project in mankind.
Disassemblers in general are ambitious projects, and getting them to support multiple architectures is very challenging task. However, radare2 has been successful in this as open-source project and it has acquired variety of range of users. And the features are not only limited into disassembling.
When the original creator of radare, pancake was working as a forensic analyst in 2006, he decided to write a simple hexadecimal editor with support for searching patterns and dumping the search results to disk to recover some PHP files deleted from an HFS partition.
The whole history can be found from their website: https://www.radare.org/r/history.html
We, and probably many others are very thankful about this great tool!
See their website: https://www.radare.org
Integrating to CinCan project
In the CinCan project, there has been attempt for making Docker images from various tools.
Radare2 has many existing images, for Cutter for example.
We wanted to make one with support for additionally running custom scripts from the container, and for strict version numbering as well, so here is a bit custom image. It is partially based on Alpine build image.
There is also additionally for example plugin for Ghidra installed.
For container, there is custom script, which allows only usage of binaries related to radare2 in the container, and as extra feature, allows running various scripts in the container.
Containers have been also tested to ensure their functionality. Basic functionality of each binary coming with radare2 has been checked.
Simple example usage
Let's expect that we have directory 'samples' where are our sample files. In this case, there is one named as 'hello_world'. We want to analyze it in container.
docker run --rm -itv $(pwd)/:/r2/ cincan/radare2 r2 /r2/samples/hello_world
And make very simple analysis to disassemble main function:
We can also use Ghidra plugin for decompiling:
For helping with usage of different kind containers - cincan
command tool can be used to run inline commands. It is not supporting interactive mode yet.
Example case for running above analysis as inline without using volumes and using
cincan run cincan/radare2 r2 -Aqc 'pdg @main' samples/hello_world
There is also one example script included which is using radare2, and for running that, we can use 'cincan' tool as well.
Example script is generating graph from function calls in binary, and it can be used for example as following. It requires sample directory as argument.
cincan run cincan/radare2 script r2_callgraph.sh samples
Which creates 'result' directory, and it contains graphs in ascii art:
For Dockerfile and more instructions and many other tools see our tools repository!