This room assumes that you have basic x86 assembly knowledge. If you do not, I highly recommend doing the Intro to x86-64 room before completing this one.
This room is also not designed to be a 100% teach everything on radare2. It is designed to teach you how some of the more common things in radare2 are used.
The included zip file has all the binaries you will need for this exercise.
With that out of the way let’s get started!
1 - Command Line Options
A quick intro to some of the commonly used command line flags for radare2. Some of these flags will be extremely useful for later tasks. Include all parts of the flag, including the -. All flags can be found in the help menu.
1 What flag do you set to analyze the binary upon entering the r2 console (equivalent to running aaa once you're inside the console)
-a
2 How do you enable the debugger ?
-d
3 How do you open the file in write mode ?
-w
4 How do you enter the console without opening a file
-
2 - Analyzation
Once inside the radare console you have a myriad of options to analyze your binary. Generally, all analyzation commands start with the letter a. If you want to list all possible commands that can be done with your starting letter(s), you add a question mark to the end.
For example, a? would output ab, aa, ac along with a description of what each command does.
1 What command “Analyzes Everything” (all functions and their arguments: Same as running with radare with -A)
aaa
2 What command does basic analysis on functions?
af
3 How do you list all functions?
afl
4 How many functions are in the example1 binary?
12
5 What is the name of the secret function in the example1 binary?
secret_func
3 - Information
i is a command that shows general information about the binary. Like a, it has many subcommands, each with varying degrees of specificity.
1 What command shows all the information about the file that you’re in?
iA
2 How do you get every string that is present in the binary?
izz
3 What if you want the address of the main function?
iM
4 What character do you add to the end of every command to get the output in JSON format?
j
5 How do you get the entrypoint of the file?
ie
6 What is the secret string hidden in the example2 binary?
# r2 -f example2
# then type izz to list all the strings
goodjob
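The j suffix from question 4 is what makes r2 output scriptable. As an added example (not part of the room or of radare2), this parses the JSON form of afl from task 2 and drops imports and toolchain scaffolding so that user-written functions stand out. The sample data is constructed, and the "offset", "name" and "size" keys and the RUNTIME list are assumptions.

```python
import json

# Constructed sample shaped like `aflj` output; not taken from the room's binaries.
# The "offset"/"name"/"size" keys are assumptions and can differ between r2 versions.
SAMPLE_AFLJ = """[
  {"offset": 4198400, "name": "entry0", "size": 42},
  {"offset": 4198304, "name": "sym.imp.puts", "size": 6},
  {"offset": 4198320, "name": "sym.imp.printf", "size": 6},
  {"offset": 4198272, "name": "sym._init", "size": 26},
  {"offset": 4198448, "name": "sym.deregister_tm_clones", "size": 41},
  {"offset": 4198646, "name": "main", "size": 32},
  {"offset": 4198678, "name": "sym.user_func", "size": 19},
  {"offset": 4198800, "name": "sym.__libc_csu_init", "size": 101},
  {"offset": 4198916, "name": "sym._fini", "size": 9}
]"""

# Names the toolchain adds to most ELF binaries (assumed list, extend as needed).
RUNTIME = {
    "entry0", "_start", "_init", "_fini", "frame_dummy",
    "register_tm_clones", "deregister_tm_clones",
    "__do_global_dtors_aux", "__libc_csu_init", "__libc_csu_fini",
}


def user_functions(aflj_text):
    """Return (total_count, [(name, hex_address), ...]) for functions that
    are neither imports (sym.imp.*) nor toolchain scaffolding."""
    funcs = json.loads(aflj_text)
    picked = []
    for f in funcs:
        name = f["name"]
        short = name[4:] if name.startswith("sym.") else name
        if short.startswith("imp.") or short in RUNTIME:
            continue
        addr = f.get("offset", f.get("addr"))  # key name differs across versions
        picked.append((short, hex(addr)))
    return len(funcs), picked


if __name__ == "__main__":
    total, picked = user_functions(SAMPLE_AFLJ)
    print(total, "functions in total; user-defined:", picked)
```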
4 - Navigating Through Memory
s is the command that is used to navigate through the memory of your binary. With it and its variations you can get information about where you are in the binary as well as move to different points in the binary.
Note: For user created functions that aren’t main, you will have to add sym. before them for example sym.user_func
1 How do you print out the current memory address you're located at in the binary?
s
2 What command do you use to go to a specific point in memory with the syntax?
s
3 What command would you run to go 5 bytes forward?
s+ 5
4 What about 12 bytes backward?
s- 12
5 How do you undo the previous seek?
s-
6 How would you go to the memory address of the main function?
# s = Print current address -> print the main function
s main
7 What if you wanted to go to the address of the rax register?
sr rax
5 - Printing
p is a command that shows data in a myriad of formats. The command is useful when you want to get information about what is happening in memory, and to get some of the data that's contained in memory as well. With the p command it is also useful to know about the @ symbol in radare. The @ symbol is used to specify that something is an address in memory, for example if you wanted to specify you were talking about the memory address of the main function you would use
1 How would you print the hex output of where you currently are in memory?
px
2 How would you print the disassembly of where you’re currently at in memory?
pd
3 What if you wanted the disassembly of the main function?
# pd = disassembly; f = function; main = the name of the function
pd f main
4 What command prints out the emoji hexdump? (this is not useful at all I just find it funny)
# Found it on Google (weird one)
pxe
5 What if you decided you were too good for rows and you wanted the disassembly in column format?
pC
6 What is the value of the first variable in the main function for the example 3 binary?
# scan before the pdf main (aaaa)
1
7 What about the second variable?
5
6 - The Mid-term
Congrats on getting to this point, you now know enough to pass the mid-term exam. The questions in this task will all be related to commands that were in previous tasks so if you skipped one, I recommend going back and doing it. As you probably guessed from the file name all exercises in this task will be done using the midterm binary file.
1 How many functions are in the binary?
13
2 What is the value of the hidden string?
# izz command to list all the strings
you_found_me
3 What is the return value of secret_func()?
4
4 What is the value of the first variable set in the main function(in decimal format)?
0xc = 12
5 What about the second one(also in decimal format)?
0xc0 = 192
6 What is the next function in memory after the main function?
midterm_func
7 How do you get a hexdump of four bytes of the memory address you're currently at?
# px = print the hex output of where you currently are in memory and 2 for the row
px 2
7 - Debugging
Recall that in the task “Command Line Options” you learned that the -d flag has radare enter debug mode. Debug mode allows you to set breakpoints and offers a lot of options to not only navigate through your binary, but to analyze the data that goes in and out of the registers as well.
1 How do you set a breakpoint?
db
2 What command is used to print out the values of all the registers?
dr
3 How do you run through the program until the program either ends or you hit the next breakpoint?
dc
4 What if you want to step through the binary one line at a time?
ds
5 How do you go forth 2 lines in the binary?
ds 2
6 How do you list out the indexes and memory addresses of all breakpoints?
dbi
8 - Write Mode
Occasionally you might end up in a situation where a task is impossible to solve with the current instructions. For example, take this code:
int val = 4;
if ( val == 5 ) {
    printf("%s","You win!");
}
You will never be able to get it to print out You win! because under normal circumstances val will never be set equal to 5. This is where write mode comes in: it allows you to change instructions so you can get certain conditions to execute. All commands involving write mode start with w.
1 How do you write a string to the current memory address?
w
2 What command lists all write changes?
wc
3 What command modifies an instruction at the current memory address?
wa
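What a write-mode edit amounts to at the byte level, as an added example that is not part of the room: the val == 5 snippet above is modelled as constructed x86-64 bytes, the stored constant is patched in a copy, and the changed offsets are listed the way wc reports write changes. The encodings assume an unoptimized build that keeps val at rbp-4, and all function names are hypothetical.

```python
# Constructed x86-64 bytes for the snippet above (assumed unoptimized build,
# val stored at rbp-4; the room's binary is not reproduced here):
#   c7 45 fc 04 00 00 00   mov dword [rbp-4], 4
#   83 7d fc 05            cmp dword [rbp-4], 5
#   75 0c                  jne +0xc   (skips the printf call)
CODE = bytes.fromhex("c745fc04000000" "837dfc05" "750c")

MOV_VAL = bytes.fromhex("c745fc")  # mov dword [rbp-4], imm32
CMP_VAL = bytes.fromhex("837dfc")  # cmp dword [rbp-4], imm8


def condition_holds(code):
    """True when the constant stored into val equals the compared constant,
    i.e. when the jne falls through and the printf would run."""
    mov_at = code.index(MOV_VAL)
    cmp_at = code.index(CMP_VAL)
    stored = int.from_bytes(code[mov_at + 3:mov_at + 7], "little")
    compared = code[cmp_at + 3]
    return stored == compared


def patch_stored_value(code, new_value):
    """Return a copy with the mov's 32-bit immediate replaced, which is the
    effect of rewriting that instruction in write mode."""
    buf = bytearray(code)
    mov_at = code.index(MOV_VAL)
    buf[mov_at + 3:mov_at + 7] = new_value.to_bytes(4, "little")
    return bytes(buf)


def write_changes(before, after):
    """List (offset, old_byte, new_byte) for every byte that differs."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


if __name__ == "__main__":
    patched = patch_stored_value(CODE, 5)
    print("before:", condition_holds(CODE), "after:", condition_holds(patched))
    for off, old, new in write_changes(CODE, patched):
        print(f"offset {off:#x}: {old:02x} -> {new:02x}")
```

Only one byte differs after the patch, and the length is unchanged, which is why the edit does not shift any later instruction or jump target.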