
Radare2

$ docker pull radare/radare2
$ docker run -it -v /path/to/dir/containing/binary/:/build /bin/bash
root@8c41772329f6:/# r2 /build/binary
 -- One does not simply write documentation.
[0x00000000]>
[0x004008e0]> f*~sym.jmp
f sym.jmp 10 0x00400cc4
[0x004008e0]> pdf@sym.jmp
/ (fcn) sym.jmp 10
|           ; var int local_8h @ rbp-0x8
|           ; CALL XREF from 0x00400e29 (sym.main)
|           0x00400cc4      55             push rbp
|           0x00400cc5      4889e5         mov rbp, rsp
|           0x00400cc8      48897df8       mov qword [rbp - local_8h], rdi
\           0x00400ccc      ffe7           jmp rdi
[0x00400ec0]> afi sym.imp.strcpy 
#
offset: 0x00400c70
name: sym.imp.strcpy
size: 16
realsz: 48
stackframe: 24
call-convention: amd64
cyclomatic-cost : 18
cyclomatic-complexity: 2
bits: 64
type: sym [NEW]
num-bbs: 2
edges: 2
end-bbs: 0
call-refs: 0x00400c40 J 0x00400c40 J 
data-refs: 0x00603028 0x00000002 0x00603010 0x00603018 0x00000000 
code-xrefs: 
in-degree: 0
out-degree: 0
data-xrefs: 
locals:0
args: 0
diff: type: new
[0x00000815]> ?d sei
set interrupt disable status

Disassembly also works for other architectures; for example, for ARM Thumb code use `r2 -aarm -b16 gy1_v162.frm` (architecture via `-a`, instruction width in bits via `-b`).

In the example below we print the ELF header of an executable and then examine the first three program headers. Open the file with `-nn` so that the raw file bytes are addressed from offset 0; otherwise radare2 tries to map only the program headers, and the `pf` offsets used below would not line up.

$ r2 -nn file.elf
[]> s 0
[0x00000000]> pfo elf32
[0x00000000]> pf.elf_header 
     ident : 0x00000000 = .ELF...
      type : 0x00000010 = type (enum elf_type) = 0x2 ; ET_EXEC
   machine : 0x00000012 = machine (enum elf_machine) = 0x3 ; EM_386
   version : 0x00000014 = 0x00000001
     entry : 0x00000018 = 0x08048450
     phoff : 0x0000001c = 0x00000034
     shoff : 0x00000020 = 0x00000964
     flags : 0x00000024 = 0x00000000
    ehsize : 0x00000028 = 0x0034
 phentsize : 0x0000002a = 0x0020
     phnum : 0x0000002c = 0x0008
 shentsize : 0x0000002e = 0x0028
     shnum : 0x00000030 = 0x001d
  shstrndx : 0x00000032 = 0x001a
[0x00000000]> pf.elf_phdr @0x34+(0x20*0)
   type : 0x00000034 = type (enum elf_p_type) = 0x6 ; PT_PHDR
 offset : 0x00000038 = 0x00000034
  vaddr : 0x0000003c = 0x08048034
  paddr : 0x00000040 = 0x08048034
 filesz : 0x00000044 = 0x00000100
  memsz : 0x00000048 = 0x00000100
  flags : 0x0000004c = flags (enum elf_p_flags) = 0x5 ; PF_Read_Exec
  align : 0x00000050 = 0x00000004
[0x00000000]> pf.elf_phdr @0x34+(0x20*1)
   type : 0x00000054 = type (enum elf_p_type) = 0x3 ; PT_INTERP
 offset : 0x00000058 = 0x00000134
  vaddr : 0x0000005c = 0x08048134
  paddr : 0x00000060 = 0x08048134
 filesz : 0x00000064 = 0x00000013
  memsz : 0x00000068 = 0x00000013
  flags : 0x0000006c = flags (enum elf_p_flags) = 0x4 ; PF_Read
  align : 0x00000070 = 0x00000001
[0x00000000]> pf.elf_phdr @0x34+(0x20*2)
   type : 0x00000074 = type (enum elf_p_type) = 0x1 ; PT_LOAD
 offset : 0x00000078 = 0x00000000
  vaddr : 0x0000007c = 0x08048000
  paddr : 0x00000080 = 0x08048000
 filesz : 0x00000084 = 0x0000072c
  memsz : 0x00000088 = 0x0000072c
  flags : 0x0000008c = flags (enum elf_p_flags) = 0x5 ; PF_Read_Exec
  align : 0x00000090 = 0x00001000