Day 20 - radare2

Writer: Niklas Saari - OUSPG / University of Oulu

Next in the Advent calendar is probably the biggest Unix-like open-source binary analysis and disassembler project there is.

Disassemblers in general are ambitious projects, and getting them to support multiple architectures is a very challenging task. However, radare2 has succeeded at this as an open-source project and has acquired a wide range of users. Its features are not limited to disassembly, either.

When the original creator of radare, pancake, was working as a forensic analyst in 2006, he decided to write a simple hexadecimal editor with support for searching patterns and dumping the search results to disk, in order to recover some PHP files deleted from an HFS partition.

The whole history can be found on their website: https://www.radare.org/r/history.html

We, and probably many others, are very thankful for this great tool!

See their website: https://www.radare.org

Integrating into the CinCan project

In the CinCan project, there has been an effort to build Docker images for various tools.

Radare2 already has many existing images, for example for Cutter.

We wanted to make one that additionally supports running custom scripts from the container and uses strict version numbering, so here is a slightly customized image. It is partially based on the Alpine build image.

A plugin for Ghidra, for example, is also installed.

The container has a custom script that allows only binaries related to radare2 to be used in the container and, as an extra feature, allows running various scripts in the container.

The containers have also been tested to ensure that they work. The basic functionality of each binary that comes with radare2 has been checked.
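The allow-list idea described above, sketched as a POSIX shell entrypoint. This is an added example, not the CinCan image's own script; the SCRIPT_DIR path and the function names are assumptions, and the tool list names binaries that ship with radare2.

```shell
#!/bin/sh
# Added example: allow-list entrypoint sketch, not the CinCan image's own script.
# SCRIPT_DIR and all function names are assumptions made for illustration.
SCRIPT_DIR="${SCRIPT_DIR:-/r2/scripts}"

# Binaries that ship with radare2; anything else is refused.
ALLOWED_TOOLS="r2 radare2 rabin2 radiff2 rafind2 ragg2 rahash2 rarun2 rasm2 rax2 r2pm r2agent"

is_allowed_tool() {
    for tool in $ALLOWED_TOOLS; do
        [ "$1" = "$tool" ] && return 0
    done
    return 1
}

# Print the full path of a bundled script, or fail.
# Only a bare file name is accepted, so "../x" or "/bin/sh"
# cannot point outside SCRIPT_DIR.
resolve_script() {
    case "$1" in
        ""|*/*|.*) return 1 ;;
    esac
    [ -f "$SCRIPT_DIR/$1" ] || return 1
    printf '%s\n' "$SCRIPT_DIR/$1"
}

# Route the container arguments: "script NAME ARGS..." runs a bundled
# script, an allow-listed tool runs as given, everything else is refused.
dispatch() {
    if [ "$1" = "script" ]; then
        script_path=$(resolve_script "$2") || {
            echo "unknown script: $2" >&2
            return 64
        }
        shift 2
        sh "$script_path" "$@"
    elif is_allowed_tool "$1"; then
        "$@"
    else
        echo "refused: '$1' is not a radare2 binary" >&2
        return 64
    fi
}

# When used as an entrypoint, hand over the container arguments.
if [ "$#" -gt 0 ]; then dispatch "$@"; fi
```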

Simple example usage

Let's assume that we have a directory 'samples' containing our sample files. In this case, there is one named 'hello_world'. We want to analyze it in a container.

Example command:

 docker run --rm -itv "$(pwd)/":/r2/ cincan/radare2 r2 /r2/samples/hello_world

Then run a very simple analysis to disassemble the main function:

radare_example1

We can also use the Ghidra plugin for decompiling:

radare_example2

To help with using different kinds of containers, the cincan command-line tool can be used to run inline commands. It does not support interactive mode yet. An example of running the above analysis inline with the cincan tool, without using volumes:

cincan run cincan/radare2 r2 -Aqc 'pdg @main' samples/hello_world

radare_example3

There is also one example script included that uses radare2, and we can use the 'cincan' tool to run it as well.

The example script generates a graph from the function calls in a binary, and it can be used, for example, as follows. It requires the sample directory as an argument.

cincan run cincan/radare2 script r2_callgraph.sh samples

This creates a 'result' directory, which contains the graphs as ASCII art:

radare_example4

For the Dockerfile, more instructions and many other tools, see our tools repository!