building a concrete alternative to ida

Radare2 to the rescue!

Jeffrey (crowell) Crowell – Julien (jvoisin) Voisin
June 20, 2015
REcon 2015 – Montreal

we’re sorry


who are we?

crowell
∙ Work at Google
∙ raxcity.com
∙ Shellphish
∙ Boston Key Party

jvoisin
∙ Soon graduated
∙ <redacted>
∙ dustri.org
∙ Knows some english

toolbag

Professional
∙ IDA Pro ($5000)
∙ ImmunityDBG
∙ WinDBG

Amateur
∙ IDA Pro (pirated)
∙ WineDBG (pirated Windows)
∙ Hopper (probably not)
∙ OllyDBG (not maintained)


ida pro

∙ Created by Ilfak Guilfanov
∙ First DataRescue, then Hex-Rays
∙ Closed-source and expensive
∙ Lots of architectures are supported
∙ Decompilation!
∙ Awesome piece of software

radare2, the unknown


history

∙ radare in 2006
∙ forensics tool
∙ radare2 in 2009
∙ written in pure C
∙ 350k LoC under LGPL
∙ multi-purpose suite of tools


history

∙ likely packaged in your distribution
∙ install from source though :-)
∙ more than 50 contributors for the latest release
∙ RSoC (+GSoC)

r2tools

∙ ragg2: Compile programs into tiny binaries for x86-32/64 and arm
∙ rafind2: Search for byte patterns in files
∙ rasm2: Assembler/disassembler
∙ radiff2: Binary diffing
∙ rahash2: Block based hashing utility
∙ rax2: Base converter
∙ rabin2: Binary program info extractor (think readelf)
∙ rarun2: Run programs in exotic environments
∙ radare2: Combine everything together

platforms

Runs on
∙ Windows
∙ GNU/Linux
∙ *BSD
∙ OSX
∙ Android and iOS
∙ Smartwatch
∙ Web browser
∙ QNX
∙ Plan9
∙ BIOS

Handles
∙ MZ/PE+/PE/COFF
∙ ELF
∙ ELF64
∙ Fatmach0/Mach0
∙ DEX/JAVA
∙ BIOS/TE
∙ GB/GBA/DS
∙ XBOX
∙ …

architectures

∙ 6502 ∙ 8051 ∙ arc ∙ arm ∙ ART ∙ avr ∙ brainfuck ∙ cr16 ∙ csr ∙ dalvik ∙ dcpu16 ∙ ebc ∙ gb ∙ h8300 ∙ i4004 ∙ i8080 ∙ java ∙ LH5801 ∙ m68k ∙ malbolge ∙ mips ∙ msil ∙ msp430 ∙ nios2 ∙ powerpc ∙ propeller ∙ psosvm ∙ rar ∙ sh ∙ snes ∙ sparc ∙ spc700 ∙ sysz ∙ tms320 ∙ v850 ∙ whitespace ∙ x86 ∙ xcore ∙ z80

r2 internals

r2 is a library

∙ At its heart, r2 is a library
∙ Swig/Valabind
∙ Build your own tools on top of radare2

r2 is a library

∙ Bindings are boring, let's call r2 instead!
∙ r2pipe included

r2 is pluggable

∙ 3rd party (or 1st party) plugins
∙ r_asm: assembler and disassembler
∙ r_anal: code analysis (opcode, esil, type)
∙ r_reg: registers
∙ r_syscall: system calls
∙ r_debug: debugger
∙ r_io: io layer
∙ r_search: search engine
∙ …

feature comparison

ida has a book. r2 is self-documented (and also has a book)

∙ r2 is like vim
∙ Combine intuitive commands
∙ Just append ? everywhere

ida has plugins. r2 has more bindings

∙ Python ∙ Ruby ∙ NodeJS ∙ Go ∙ C ∙ Rust ∙ Lua ∙ Perl ∙ Lisp ∙ OCaml ∙ Vala ∙ …

ida has some graphs. r2 does too (but in ascii)

∙ Minimap
∙ Debugger-compliant
∙ Interactive

ida is clever but also interactive. so is r2

∙ name functions
∙ mark flags
∙ define code/data
∙ leave comments
∙ name stack variables
∙ mark structures
∙ use types
∙ define/modify functions

ida has a nice gui. so does… well… mh… err…

friendly enough?

actually… It’s not all that scary!
∙ Visual Mode
  ∙ Familiar vim keybindings.
∙ Web UI
  ∙ The future of collaborative reversing!
  ∙ Communicate over r2pipe.

ida has an old-school tui mode. really. r2 has a better one.

∙ Ncurses-like
∙ Static
∙ Dynamic
∙ Analysis
∙ Try it.

ida has no web-ui. r2 does.

ida has a debugger. so does r2

∙ Classic features
∙ Visual mode too
∙ Several backends
∙ Tracing
∙ Remote

ida has kick-ass analysis. r2 has some too

∙ Functions detection
∙ Local var detection
∙ FLIRT integration
∙ zignatures
∙ (X)REF
∙ DWARF and PDB

ida has some internal il. r2 has an open one

∙ ESIL
∙ RPN-ish
∙ Documented
∙ Emulation
∙ Decompilation
∙ Analysis

ida has plugins for pwnage. r2 put this in core

∙ Regexp ROP hunter
∙ Mitigations detection
∙ Emulation
∙ Patterns
∙ Environment control
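The two slides "bindings are boring, let's call r2 instead" (r2pipe) and "mitigations detection" above, as one added example that is not from the talk or from the radare2 project: a minimal client that speaks the r2pipe framing (`radare2 -q0`, every reply terminated by a NUL byte) and a function that reduces the `bin` section of r2's `ij` JSON to a verdict per mitigation. The field names `nx`, `pic`, `canary`, `relro` and `stripped` are what `ij` emits; the sample reply is constructed, and the class and function names are mine.

```python
import json
import subprocess
from typing import Any, Dict

class R2Pipe:
    """Minimal r2pipe-style client: `radare2 -q0 FILE` runs quietly and ends every
    command's output with a NUL byte, which is all the framing r2pipe needs."""

    def __init__(self, path: str) -> None:
        self.proc = subprocess.Popen(["radare2", "-q0", path],
                                     stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        self._read_reply()  # r2 emits one NUL once the file is loaded

    def _read_reply(self) -> str:
        buf = bytearray()
        while True:
            byte = self.proc.stdout.read(1)
            if not byte or byte == b"\x00":  # EOF or end-of-reply marker
                return buf.decode("utf-8", errors="replace")
            buf += byte

    def cmd(self, command: str) -> str:
        self.proc.stdin.write((command + "\n").encode())
        self.proc.stdin.flush()
        return self._read_reply()

    def cmdj(self, command: str) -> Any:
        return json.loads(self.cmd(command))  # j-suffixed r2 commands emit JSON

    def quit(self) -> None:
        self.cmd("q")  # r2 exits; _read_reply returns at EOF
        self.proc.wait()

def summarize_mitigations(info: Dict[str, Any]) -> Dict[str, str]:
    """Reduce the `bin` section of r2's `ij` output to one verdict per mitigation."""
    b = info["bin"]

    def flag(key: str) -> str:
        return "yes" if b.get(key) else "NO"

    return {"NX": flag("nx"), "PIE": flag("pic"), "canary": flag("canary"),
            "RELRO": b.get("relro") or "no", "stripped": flag("stripped")}

# Constructed sample of an `ij` reply, so the summary can be exercised without r2.
SAMPLE_IJ = {"bin": {"arch": "x86", "bits": 64, "nx": True, "pic": False,
                     "canary": False, "relro": "partial", "stripped": True}}

if __name__ == "__main__":
    import sys
    r2 = R2Pipe(sys.argv[1])  # usage: python3 r2mitig.py ./some_binary
    print(summarize_mitigations(r2.cmdj("ij")))
    r2.quit()
```

`rabin2 -I` prints the same fields from the command line; the point of going through r2pipe is that the rest of the session (analysis, search, emulation) is one `cmd()` away.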

ida has plugins for bindiffing. r2 put this in core

summary

and now?

∙ GSoC
∙ Stabilization
∙ A fresh release
∙ Second edition of our RSoC
∙ ~1000 LoC modified per week

current drawbacks

∙ Super-steep learning curve
∙ A lot of features
∙ Fast-moving target
∙ IDA is friendlier

current benefits

∙ Free-software
∙ Exotic arch support
∙ Active development
∙ A lot of features
∙ More and more users


who uses r2 currently?

Some top-notch ctf teams
∙ Shellphish
∙ Dragon Sector
∙ …

Some popular RE projects
∙ Coreboot
∙ Magic lantern
∙ …

Anti-malware companies
∙ AlienVault
∙ IOActive
∙ …

Cool wargames
∙ io from smashthestack
∙ OverTheWire
∙ …

We do! Do you?

and tomorrow?

∙ Complete-emulation
∙ Decompilation
∙ A complete GUI
∙ What do you want?

conclusion

∙ Monoculture is bad.
∙ Question IDA supremacy¹

¹ And don't pirate it!

conclusion

∙ Radare2 is nice.
∙ You should use it.¹

¹ Or at least try it

resources

∙ Homepage: http://rada.re/
∙ Blog: http://radare.today/
∙ Book: http://maijin.gitbooks.io/radare2book/content/
∙ Source code: http://github.com/radare/radare2/
∙ IRC channel: irc://irc.freenode.net/radare
∙ TV channel: http://radare.tv/

Come talk to us!

Questions?