Sep 28, 2017

Radare2 - unix-like Reverse Engineering Framework


Introduction

radare2 (r2) is a rewrite from scratch of radare, providing a set of libraries and tools to work with binary files.

The radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, and later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, and more.

radare2 is portable.

Architectures:
6502, 8051, CRIS, H8/300, LH5801, T8200, arc, arm, avr, bf, blackfin, xap, dalvik, dcpu16, gameboy, i386, i4004, i8080, m68k, malbolge, mips, msil, msp430, nios II, powerpc, rar, sh, snes, sparc, tms320 (c54x c55x c55+), V810, x86-64, zimg, risc-v.

File Formats:
bios, CGC, dex, elf, elf64, filesystem, java, fatmach0, mach0, mach0-64, MZ, PE, PE+, TE, COFF, plan9, dyldcache, Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs.

Operating Systems:
Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, FirefoxOS

Bindings:

Vala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, php5, newlisp, Ruby, Java, OCaml, ...

Dependencies

radare2 can be built without any special dependency: just run make with a working C toolchain (gcc, clang, tcc, ...).

Optionally you can use libewf for loading EnCase disk images.

To build the bindings you need the latest valabind, g++ and swig2.

Install

The easiest way to install radare2 from git is by running the following command:
sys/install.sh
If you want to install radare2 in the home directory without using root privileges and sudo, simply run:
sys/user.sh

Update

To update Radare2 you don't need to uninstall or pull, just re-run:
sys/install.sh

Uninstall

In case of a polluted filesystem you can uninstall the current version or remove all previous installations:
make uninstall
make purge

Package manager

Radare2 has its own package manager, r2pm. Its package repository is on GitHub too. Before using it for the first time you need to initialize the package database:
r2pm init
Refresh the packages database before installing any package:
r2pm update
To install a package use the following command:
r2pm install [package name]

Bindings

All language bindings are under the r2-bindings directory. You will need to install swig and valabind in order to build the bindings for Python, Lua, etc.

APIs are defined in vapi files which are then translated to swig interfaces, nodejs-ffi or other and then compiled.

The easiest way to install the python bindings is to run:
r2pm install lang-python2 #lang-python3 for python3 bindings
r2pm install r2api-python
r2pm install r2pipe-python
In addition there are the r2pipe bindings, an API for interacting with the r2 prompt: you pass a command and receive its output as a string. Many commands have a JSON variant (the command suffixed with j), so the output can be deserialized into native objects and r2pipe integrates easily with many languages.
npm install r2pipe   # NodeJS
gem install r2pipe   # Ruby
pip install r2pipe   # Python
opam install radare2 # OCaml
And also for Go, Rust, Swift, D, .NET, Java, NewLisp, Perl, Haskell, Vala, OCaml, and many more to come!
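To make the r2pipe workflow concrete, here is an added example (not part of the radare2 project or this post) that drives r2 from Python: it opens a binary, runs analysis, pulls the import table and function list with the JSON commands iij and aflj, and triages them. The JSON helpers also run on the constructed sample output embedded below, so the processing can be exercised without r2 installed; the RISKY_IMPORTS set and the sample field values are assumptions for illustration.

```python
import json

try:
    import r2pipe  # only needed for the live path: pip install r2pipe, r2 on PATH
except ImportError:  # keep the JSON-processing helpers usable without r2
    r2pipe = None

# Imports whose presence usually deserves a closer look in a native binary
# (assumed list for the example; extend to taste).
RISKY_IMPORTS = frozenset({"gets", "strcpy", "strcat", "sprintf", "system"})


def risky_imports(iij):
    """iij: parsed output of `iij` (a list of import dicts carrying a "name").
    Returns the sorted risky symbol names. Depending on the r2 version the
    name may carry a prefix such as 'sym.imp.', so compare the last component."""
    found = set()
    for imp in iij:
        base = imp.get("name", "").rsplit(".", 1)[-1]
        if base in RISKY_IMPORTS:
            found.add(base)
    return sorted(found)


def largest_functions(aflj, top=3):
    """aflj: parsed output of `aflj`. Returns [(name, offset, size)] for the
    `top` largest functions, a cheap way to pick where to start reading."""
    ranked = sorted(aflj, key=lambda f: f.get("size", 0), reverse=True)
    return [(f["name"], f["offset"], f["size"]) for f in ranked[:top]]


def triage(path):
    """Live path: open the binary over r2pipe, analyze, and query JSON commands.
    cmdj() runs a command and json-decodes its output for us."""
    if r2pipe is None:
        raise RuntimeError("r2pipe is not installed")
    r2 = r2pipe.open(path, flags=["-2"])  # -2: silence r2's stderr
    try:
        r2.cmd("aaa")  # analyze everything (functions, references, ...)
        return risky_imports(r2.cmdj("iij")), largest_functions(r2.cmdj("aflj"))
    finally:
        r2.quit()


# Constructed sample output (not captured from a real binary), in the shape
# the iij / aflj commands emit.
SAMPLE_IIJ = json.loads(
    '[{"ordinal":1,"bind":"GLOBAL","type":"FUNC","name":"strcpy"},'
    ' {"ordinal":2,"bind":"GLOBAL","type":"FUNC","name":"puts"},'
    ' {"ordinal":3,"bind":"GLOBAL","type":"FUNC","name":"system"}]'
)
SAMPLE_AFLJ = json.loads(
    '[{"offset":134513904,"name":"main","size":210,"nbbs":7},'
    ' {"offset":134513664,"name":"entry0","size":34,"nbbs":1},'
    ' {"offset":134514128,"name":"sym.parse_cmd","size":455,"nbbs":19}]'
)

if __name__ == "__main__":
    print(risky_imports(SAMPLE_IIJ))       # ['strcpy', 'system']
    print(largest_functions(SAMPLE_AFLJ))  # sym.parse_cmd first
```

Run triage("/bin/ls") on a machine with r2 and r2pipe installed to get the same two structures from a real binary; everything after the cmdj() calls is plain Python over plain dicts, which is the point of the JSON command variants.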

Webserver

radare2 comes with an embedded webserver that serves a pure HTML/JS interface; the page sends AJAX queries to the core and aims to be a usable UI for phones, tablets and desktops.
r2 -c=H /bin/ls
Keep in mind that the webserver exposes the r2 command prompt over HTTP: anyone who can reach the port can run arbitrary r2 commands (which include shell escapes) in that session, so only expose it on trusted interfaces.
To use the webserver on Windows you need a cmd instance with administrator rights. Start it from the project root:
>> radare2.exe -c=H rax2.exe

Sep 25, 2017

LFiFreak - LFi Exploiter with Bind/Reverse Shells


Features

  • Works with Windows, Linux and OS X
  • Includes bind and reverse shell for both Windows and Linux
  • Written in Python 2.7

What is this all about?

A tool for exploiting local file inclusions using the PHP Input, PHP Filter and Data URI methods. Note that the php://input and data: wrappers only give code execution when allow_url_include is enabled (it is off by default), while php://filter works under default settings and is mainly useful for reading source files, e.g. through convert.base64-encode.
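From the defender's side, the three wrapper techniques named above leave a recognizable trace in web server logs. The following is an added example (not part of LFiFreak) that scans Apache-style combined log lines for include parameters carrying php://input, php://filter or a data: URI, decoding URL-encoding (including double encoding) first. It generalizes slightly beyond the post by also flagging plain ../ traversal, the other common LFI shape. The log lines are constructed for the example, not real traffic.

```python
import re
from urllib.parse import unquote

# Request line of an Apache/nginx combined log entry: method, target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# PHP stream wrappers that turn include() of attacker-controlled input into
# code execution (php://input, data: with allow_url_include=On) or source
# disclosure (php://filter, default settings).
WRAPPER_RE = re.compile(r'(php://input|php://filter|data:)', re.IGNORECASE)

# Generalization beyond the post's three methods: classic path traversal.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def decode_target(target, rounds=2):
    """URL-decode repeatedly: attackers double-encode (%252e%252e%252f)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line):
    """Return None for a clean line, else a dict describing the suspicious request."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    reasons = []
    w = WRAPPER_RE.search(target)
    if w:
        reasons.append("wrapper:" + w.group(1).lower())
    if TRAVERSAL_RE.search(target):
        reasons.append("traversal")
    if not reasons:
        return None
    return {
        "method": m.group("method"),
        "target": target,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over an iterable of log lines, keeping only the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2017:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Sep/2017:10:01:07 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 1024',
    '10.0.0.9 - - [25/Sep/2017:10:01:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2048',
    '10.0.0.9 - - [25/Sep/2017:10:01:12 +0000] "GET /index.php?page=data:text/plain,hello HTTP/1.1" 500 0',
    '10.0.0.9 - - [25/Sep/2017:10:01:15 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["status"], hit["reasons"], hit["target"])
```

A 200 on a php://filter request is the line to chase first: it means the include succeeded and the response body was the base64-encoded source of the named file. The bare data: pattern can match legitimate parameters, so in production pair it with the parameter name your application actually uses for includes.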

Dependencies

Sep 14, 2017

Bytecode-Viewer - Android APK Reverse Engineering Suite

Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.
It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

There is also a plugin system that lets you interact with the loaded classfiles; for example you can write a String deobfuscator, a malicious code searcher, or anything else you can think of.
You can either use one of the pre-written plugins or write your own; Groovy scripting is supported. Once a plugin is activated, BCV runs it with a ClassNode ArrayList of every class loaded, so the plugin can work on them directly with ASM.

Code from various projects has been used, including but not limited to:
  • J-RET by WaterWolf
  • JHexPane by Sam Koivu
  • RSynaxPane by Robert Futrell
  • Commons IO by Apache
  • ASM by OW2
  • FernFlower by Stiver
  • Procyon by Mstrobel
  • CFR by Lee Benfield
  • CFIDE by Bibl
  • Smali by JesusFreke
  • Dex2Jar by pxb1..?
  • Krakatau by Storyyeller
  • JD GUI/JD Core by The Java-Decompiler Team
  • Enjarify by Storyyeller

Key Features:

  • Krakatau Integration for Bytecode assembly/disassembly.
  • Smali/BakSmali Integration - You can now edit class files/dex files via smali!
  • APK/DEX Support - Using Dex2Jar and Jar2Dex it's able to load and save APKs with ease!
  • Java Decompiler - It utilizes FernFlower, Procyon and CFR for decompilation.
  • Bytecode Decompiler - A modified version of CFIDE's.
  • Hex Viewer - Powered by JHexPane.
  • Each Decompiler/Editor/Viewer is toggleable, you can also select what will display on each pane.
  • Fully Featured Search System - Search through strings, functions, variables and more!
  • A Plugin System With Built In Plugins - (Show All Strings, Malicious Code Scanner, String Decrypters, etc)
  • Fully Featured Scripting System That Supports Groovy.
  • EZ-Inject - Graphically insert hooks and debugging code, invoke main and start the program.
  • Recent Files & Recent Plugins.
  • And more! Give it a try for yourself!
Command Line Input:
	-help                         Displays the help menu
	-list                         Displays the available decompilers
	-decompiler <decompiler>      Selects the decompiler, procyon by default
	-i <input file>               Selects the input file (Jar, Class, APK, ZIP, DEX all work automatically)
	-o <output file>              Selects the output file (Java or Java-Bytecode)
	-t <target classname>         Must either be the fully qualified classname or "all" to decompile all as zip
	-nowait                       Doesn't wait for the user to read the CLI messages

Sep 13, 2017

BARF : Binary Analysis and Reverse engineering Framework

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated.

The BARF project includes BARF and related tools and packages. So far the project is composed of the following items:
  • BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
  • PyAsmJIT : A JIT for the Intel x86_64 and ARM architectures.
  • Tools built upon BARF:
      • BARFgadgets : Lets you search, classify and verify ROP gadgets inside a binary program.
      • BARFcfg : Lets you recover the control-flow graph of the functions of a binary program.
      • BARFcg : Lets you recover the call graph of the functions of a binary program.
For more information, see:
  • BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework (Whitepaper) [en]
  • BARFing Gadgets (ekoparty2014 presentation)

Quickstart

This is a very simple example which shows how to open a binary file and print each instruction with its translation to the intermediate language (REIL).
from barf import BARF

# Open binary file.
barf = BARF("examples/bin/x86/branch1")

# Print assembly instruction.
for addr, asm_instr, reil_instrs in barf.translate():
    print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr))

    # Print REIL translation.
    for reil_instr in reil_instrs:
        print("{indent:11s} {instr}".format(indent="", instr=reil_instr))
We can also recover the CFG and save it to a .dot file.
# Recover CFG.
cfg = barf.recover_cfg()

# Save CFG to a .dot file.
cfg.save("branch1_cfg")
We can also check constraints on code using an SMT solver. For instance, suppose you have the following code:
 80483ed:       55                      push   ebp
 80483ee:       89 e5                   mov    ebp,esp
 80483f0:       83 ec 10                sub    esp,0x10
 80483f3:       8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]
 80483f6:       8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80483f9:       01 d0                   add    eax,edx
 80483fb:       83 c0 05                add    eax,0x5
 80483fe:       89 45 fc                mov    DWORD PTR [ebp-0x4],eax
 8048401:       8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]
 8048404:       c9                      leave
 8048405:       c3                      ret
And you want to know what values you have to assign to memory locations ebp-0x4, ebp-0x8 and ebp-0xc in order to obtain a specific value in eax register after executing the code.

First, we add the instructions to the analyzer component.
from barf import BARF

# Open ELF file
barf = BARF("examples/bin/x86/constraint1")

# Add instructions to analyze.
for addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401):
    for reil_instr in reil_instrs:
        barf.code_analyzer.add_instruction(reil_instr)
Then, we generate SMT expressions for each variable of interest.
# Get SMT expressions for the eax and ebp registers.
eax = barf.code_analyzer.get_register_expr("eax")
ebp = barf.code_analyzer.get_register_expr("ebp")

# Get SMT expressions for the memory locations (each one 4 bytes wide).
a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4)
b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4)
c = barf.code_analyzer.get_memory_expr(ebp-0x4, 4)

And add the desired restrictions on them.
# Set range for variables
barf.code_analyzer.set_preconditions([a >= 2, a <= 100])
barf.code_analyzer.set_preconditions([b >= 2, b <= 100])

# Set desired value for the result
barf.code_analyzer.set_postcondition(c == 13)

Finally, we check whether the constraints we established are satisfiable, and if so read the concrete values the solver assigned.
# Check satisfiability.
if barf.code_analyzer.check() == 'sat':
    print("SAT!")

    # Get concrete values for the expressions from the solver's model.
    eax_val = barf.code_analyzer.get_expr_value(eax)
    ebp_val = barf.code_analyzer.get_expr_value(ebp)
    a_val = barf.code_analyzer.get_expr_value(a)
    b_val = barf.code_analyzer.get_expr_value(b)
    c_val = barf.code_analyzer.get_expr_value(c)

    # Print values in hex and decimal.
    print("eax : 0x{0:08x} ({0})".format(eax_val))
    print("ebp : 0x{0:08x} ({0})".format(ebp_val))
    print("  a : 0x{0:08x} ({0})".format(a_val))
    print("  b : 0x{0:08x} ({0})".format(b_val))
    print("  c : 0x{0:08x} ({0})".format(c_val))
else:
    print("UNSAT!")
You can see these and more examples in the examples directory.
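A solver answer is only as good as the semantics that were lifted, so a practitioner normally confirms a SAT model by executing the code concretely. The following is an added example (not BARF's code; it does not import BARF) that interprets the eleven listed instructions with plain 32-bit x86 semantics, then brute-forces the same question the SMT query asks (a, b in [2, 100] with c == 13) and checks wraparound, which is the detail a REIL translation has to get right and a pencil-and-paper reading tends to miss. The stack address is an arbitrary assumption and does not affect the result.

```python
MASK32 = 0xFFFFFFFF

# The eleven instructions from the listing (0x80483ed..0x8048405) as tuples.
# Memory operands are ("mem", base_register, displacement).
SNIPPET = [
    ("push", "ebp"),                          # 80483ed
    ("mov", "ebp", "esp"),                    # 80483ee
    ("sub", "esp", 0x10),                     # 80483f0
    ("mov", "eax", ("mem", "ebp", -0x8)),     # 80483f3  eax = a
    ("mov", "edx", ("mem", "ebp", -0xc)),     # 80483f6  edx = b
    ("add", "eax", "edx"),                    # 80483f9
    ("add", "eax", 0x5),                      # 80483fb
    ("mov", ("mem", "ebp", -0x4), "eax"),     # 80483fe  c = eax
    ("mov", "eax", ("mem", "ebp", -0x4)),     # 8048401
    ("leave",),                               # 8048404
    ("ret",),                                 # 8048405
]


class X86Frame:
    """Minimal concrete interpreter: 32-bit registers and a dword-addressed memory."""

    def __init__(self, esp):
        self.regs = {"eax": 0, "edx": 0, "ebp": 0, "esp": esp & MASK32}
        self.mem = {}  # address -> 32-bit dword, unwritten memory reads as 0

    def load(self, addr):
        return self.mem.get(addr & MASK32, 0)

    def store(self, addr, value):
        self.mem[addr & MASK32] = value & MASK32

    def read(self, op):
        if isinstance(op, int):
            return op & MASK32
        if isinstance(op, str):
            return self.regs[op]
        _, base, disp = op
        return self.load(self.regs[base] + disp)

    def write(self, op, value):
        if isinstance(op, str):
            self.regs[op] = value & MASK32
        else:
            _, base, disp = op
            self.store(self.regs[base] + disp, value)

    def step(self, ins):
        op = ins[0]
        if op == "push":
            self.regs["esp"] = (self.regs["esp"] - 4) & MASK32
            self.store(self.regs["esp"], self.read(ins[1]))
        elif op == "mov":
            self.write(ins[1], self.read(ins[2]))
        elif op == "add":                     # result truncated to 32 bits by write()
            self.write(ins[1], self.read(ins[1]) + self.read(ins[2]))
        elif op == "sub":
            self.write(ins[1], self.read(ins[1]) - self.read(ins[2]))
        elif op == "leave":                   # mov esp, ebp ; pop ebp
            self.regs["esp"] = self.regs["ebp"]
            self.regs["ebp"] = self.load(self.regs["esp"])
            self.regs["esp"] = (self.regs["esp"] + 4) & MASK32
        elif op == "ret":                     # pop eip; the return address is not modelled
            self.regs["esp"] = (self.regs["esp"] + 4) & MASK32
        else:
            raise NotImplementedError(op)


def run_snippet(a, b, esp=0xBFFFF010):
    """Execute the snippet with a at [ebp-0x8] and b at [ebp-0xc].
    Returns (eax, c), c being the dword left at [ebp-0x4]. esp is an assumed value."""
    m = X86Frame(esp)
    frame_ebp = (esp - 4) & MASK32            # ebp after `push ebp; mov ebp, esp`
    m.store(frame_ebp - 0x8, a)
    m.store(frame_ebp - 0xc, b)
    for ins in SNIPPET:
        m.step(ins)
    return m.regs["eax"], m.load(frame_ebp - 0x4)


def find_inputs(target, lo=2, hi=100):
    """Brute-force counterpart of the SMT query: a, b in [lo, hi] with c == target.
    Returns the first (a, b) found, or None when the constraints are unsatisfiable."""
    for a in range(lo, hi + 1):
        for b in range(lo, hi + 1):
            if run_snippet(a, b)[1] == target:
                return a, b
    return None


if __name__ == "__main__":
    print(find_inputs(13))              # (2, 6): 2 + 6 + 5 == 13
    print(find_inputs(300))             # None: 100 + 100 + 5 cannot reach 300
    print(run_snippet(0xFFFFFFFF, 0))   # (4, 4): the addition wraps at 32 bits
```

Feed the a and b values the solver returns into run_snippet() and compare the c it produces with the postcondition; a mismatch points at a lifting or modelling error rather than at the solver. The wraparound case is also why the SMT formulation uses bit-vectors rather than unbounded integers: with integers, c == 13 would have no solution for a = 0xFFFFFFFF, but the CPU produces it.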

 
