radare2

UNIX-like reverse engineering framework and command-line toolset

20,547

2,991

20,547

869

View on GitHub

Top Related Projects

rizin

2,681

UNIX-like reverse engineering framework and command-line toolset.

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.

angr

7,537

A powerful and user-friendly binary analysis platform!

frida

15,995

Clone this repo to build Frida

Quick Overview

Radare2 is an open-source reverse engineering framework that provides a set of libraries, tools, and plugins for analyzing binary files, disassembling code, and performing various reverse engineering tasks. It supports multiple architectures and file formats, making it a versatile tool for security researchers, malware analysts, and software developers.

Pros

Highly extensible with a plugin system and scripting capabilities
Supports a wide range of architectures and file formats
Powerful command-line interface and scriptable API
Active community and continuous development

Cons

Steep learning curve for beginners
Documentation can be inconsistent or outdated in some areas
User interface may not be as polished as some commercial alternatives
Performance can be slower compared to some specialized tools for specific tasks

Code Examples

import r2pipe

# Open a binary file
r = r2pipe.open("/bin/ls")

# Analyze the binary
r.cmd("aaa")

# Get information about functions
print(r.cmd("afl"))

This example demonstrates how to use the r2pipe Python interface to open a binary, analyze it, and list functions.

# Command-line example
r2 /bin/ls
[0x00005850]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00005850]> afl
0x00005850    1 42           entry0
0x00005880    4 50   -> 40   sym.deregister_tm_clones
0x000058c0    4 66   -> 57   sym.register_tm_clones
0x00005910    5 58   -> 51   sym.__do_global_dtors_aux
...

This example shows how to use the command-line interface to analyze a binary and list functions.

Getting Started

To get started with Radare2:

Install Radare2:

git clone https://github.com/radareorg/radare2
cd radare2
sys/install.sh

Open a binary file:
```
r2 /path/to/binary
```
Analyze the binary:
```
[0x00000000]> aaa
```

Explore using various commands:

[0x00000000]> afl    # List functions
[0x00000000]> pdf @main    # Disassemble main function
[0x00000000]> iz    # List strings

For more information, refer to the official documentation and tutorials available on the Radare2 website.

Competitor Comparisons

rizin

2,681

UNIX-like reverse engineering framework and command-line toolset.

Pros of rizin

Cleaner codebase with improved architecture and modularity
Better documentation and more consistent coding style
Faster development cycle with more frequent updates

Cons of rizin

Smaller community and ecosystem compared to radare2
Less mature and potentially less stable than radare2
Fewer plugins and extensions available

Code Comparison

rizin:

RzCore *core = rz_core_new();
rz_core_cmd(core, "aaa");
rz_core_cmd(core, "pdf");
rz_core_free(core);

radare2:

RCore *core = r_core_new();
r_core_cmd_str(core, "aaa");
r_core_cmd_str(core, "pdf");
r_core_free(core);

The code snippets show similar usage patterns, with rizin using RzCore instead of RCore and rz_ prefixes instead of r_. The main difference is in the function names and structure naming conventions.

Both projects are open-source reverse engineering tools, with rizin being a fork of radare2. rizin aims to improve upon radare2's foundation by addressing some of its architectural issues and providing a more maintainable codebase. However, radare2 still benefits from a larger community and more extensive ecosystem. The choice between the two depends on specific needs and preferences for stability versus potential future improvements.

capstone

7,542

Pros of Capstone

Lightweight and focused solely on disassembly
Supports a wide range of architectures
Easy to integrate into other projects

Cons of Capstone

Limited functionality beyond disassembly
Less active community and fewer updates
Lacks advanced analysis features

Code Comparison

Radare2 (using r2pipe):

import r2pipe
r2 = r2pipe.open("binary")
r2.cmd("aaa")
print(r2.cmd("pdf@main"))

Capstone:

from capstone import *
md = Cs(CS_ARCH_X86, CS_MODE_64)
with open("binary", "rb") as f:
    code = f.read()
for i in md.disasm(code, 0x1000):
    print(f"0x{i.address:x}:\t{i.mnemonic}\t{i.op_str}")

Summary

Radare2 is a comprehensive reverse engineering framework with a wide range of features, including disassembly, debugging, and analysis. It offers a more extensive toolkit but has a steeper learning curve.

Capstone, on the other hand, is a lightweight disassembly engine that excels in its specific focus. It's easier to integrate into other projects but lacks the advanced features and analysis capabilities of Radare2.

Choose Radare2 for comprehensive reverse engineering tasks, and Capstone for projects that require efficient, standalone disassembly functionality.

angr

7,537

A powerful and user-friendly binary analysis platform!

Pros of angr

More advanced symbolic execution and program analysis capabilities
Better suited for complex binary analysis and vulnerability research
Extensive Python API for customization and integration

Cons of angr

Steeper learning curve due to its complexity
Slower performance for basic reverse engineering tasks
Less comprehensive GUI tools compared to radare2

Code Comparison

angr example:

import angr
proj = angr.Project('binary')
state = proj.factory.entry_state()
simgr = proj.factory.simulation_manager(state)
simgr.explore(find=0x400000)

radare2 example:

r2 binary
aaa
s main
pdf

angr focuses on symbolic execution and program analysis, making it powerful for complex binary analysis and vulnerability research. It offers an extensive Python API for customization but has a steeper learning curve.

radare2 is more versatile for general reverse engineering tasks, with a faster startup and better GUI tools. It's easier to use for basic analysis but lacks the advanced symbolic execution capabilities of angr.

The code examples demonstrate the difference in approach: angr uses a Python script for analysis, while radare2 employs a command-line interface for interactive exploration.

frida

15,995

Clone this repo to build Frida

Pros of Frida

Dynamic instrumentation allows real-time analysis and modification of running processes
Cross-platform support with a unified API for iOS, Android, Windows, macOS, and Linux
Powerful scripting capabilities using JavaScript for rapid prototyping and analysis

Cons of Frida

Steeper learning curve for beginners compared to static analysis tools
May require more system resources and can potentially impact target application performance
Less suitable for static binary analysis tasks

Code Comparison

Radare2 (static analysis):

r2 -A binary
[0x00000000]> aaa
[0x00000000]> pdf @ main

Frida (dynamic instrumentation):

Java.perform(() => {
  const MainActivity = Java.use('com.example.app.MainActivity');
  MainActivity.onCreate.implementation = function() {
    console.log('MainActivity.onCreate() called');
    this.onCreate();
  };
});

While Radare2 focuses on static analysis with commands like aaa for auto-analysis and pdf for disassembly, Frida enables dynamic instrumentation by hooking into live processes and modifying their behavior at runtime using JavaScript.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Radare2: Libre Reversing Framework for Unix Geeks

See the Releases page for downloads. The current git master branch is 5.9.7, next will be 5.9.8.

Since 5.6.0, patch releases are abi stable
Even patch numbers used for releases, odd ones for git.
.9 patch versions reflect the abi breaking seasson

Description

r2 is a complete rewrite of radare. It provides a set of libraries, tools and plugins to ease reverse engineering tasks. Distributed mostly under LGPLv3, each plugin can have different licenses (see r2 -L, rasm2 -L, ...).

The radare project started as a simple command-line hexadecimal editor focused on forensics. Today, r2 is a featureful low-level command-line tool with support for scripting with the embedded Javascript interpreter or via r2pipe.

r2 can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb/windbg servers. r2's wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.

Installation

The recommended way to install radare2 is via Git using acr/make or meson:

git clone https://github.com/radareorg/radare2
radare2/sys/install.sh

On Windows you may want to use the precompiled builds or the .bat files to compile if you have msvc:

preconfigure.bat       REM setup python, meson, ninja
configure.bat          REM run meson b + vs project
make.bat               REM run ninja -C b
prefix\bin\radare2.exe

r2 can be installed from git or via pip using r2env.
Run sys/install.sh for the default acr+make+symlink installation
meson/ninja (muon/samu also works) and make builds are supported.
Windows builds require meson and msvc or mingw as compilers
To uninstall the current build of r2 run make uninstall
To uninstall ALL the system installations of r2 do: sudo make purge

Popular Plugins:

Using the r2pm tool you can browse and install many plugins and tools that use radare2.

esilsolve: The symbolic execution plugin, based on esil and z3
iaito: The official Qt graphical interface
keystone Assembler instructions using the Keystone library
decai Decompiler based on AI
r2ai Run a Language Model in localhost with Llama inside r2!
r2dec: A decompiler based on r2 written in JS, accessed with the pdd command
r2diaphora: Diaphora's binary diffing engine on top of radare2
r2frida: The frida io plugin. Start r2 with r2 frida://0 to use it
r2ghidra: The standalone native ghidra decompiler accessible with pdg
r2papi High level api on top of r2pipe
r2pipe Script radare2 from any programming language
r2poke Integration with GNU/Poke for extended binary parsing capabilities
goresym: Import GoReSym symbol as flags
r2yara Run Yara from r2 or use r2 primitives from Yara
radius2: A fast symbolic execution engine based on boolector and esil
r2sarif import/extend/export SARIF documents

Usage

These are the first steps to use r2, read the book or find tutorials for more details

$ r2 /bin/ls   # open file in read-only
> aaa          # analyse the program (r2 -A)
> afl          # list all functions (try aflt, aflm)
> px 32        # print 32 byte hexdump current block
> s sym.main   # seek to main (using flag name)
> f~foo        # filter flags matching 'foo' (internal |grep)
> iS;is        # list sections and symbols (rabin2 -Ss)
> pdf; agf     # disassembly and ascii-art function graph
> oo+;w hello  # reopen in read-write and write a string
> ?*~...       # interactive filter in all command help
> q            # quit

Many plugins are included in r2 by default. But you can extend its capabilities by using the r2pm package manager.

r2pm -s <word>  # search packages matching a word
r2pm -Uci <pkg> # update database and clean install a package
r2pm -u <pkg>   # uninstall the given package
r2pm -l <pkg>   # list installed packages

Resources

Official Book: Read about r2 usage
COMMUNITY.md: Community engagement and loose guidelines
CONTRIBUTING.md: Information about reporting issues and contributing. See also Contributing
DEVELOPERS.md: Development guidelines for r2
SECURITY.md: Instructions for reporting vulnerabilities
USAGE.md: Some example commands
INSTALL.md: Installation instructions using make or meson

Documentation

Learn more about r2 watching youtube talks from r2con. There are also many blogposts, slidedecks and the official radare2 book, but it's always a good idea to join any of the official chats and drop your questions or feedback there.

Community

irc.libera.chat: #radare, #radare_side
Matrix: #radare:matrix.org
Telegram: Main and Side channels
Discord: Server
Mastodon: @radareorg
Website: https://www.radare.org/

Supported Platforms

Operating Systems

Windows (since XP), Linux, Darwin, GNU/Hurd, Apple's {Mac,i,iPad,watch}OS, Android, Wasmer, [Dragonfly, Net, Free, Open] BSD, Z/OS, QNX, SerenityOS, Solaris, AIX, Haiku, Vinix, FirefoxOS.

Architectures

i386, x86-64, Alpha, ARM, AVR, BPF, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, S390, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, PDP11, m680x, V850, CRIS, XAP (CSR), PIC, LM32, 8051, 6502, i4004, i8080, Propeller, EVM, OR1K Tricore, CHIP-8, LH5801, T8200, GameBoy, SNES, SPC700, MSP430, Xtensa, xcore, NIOS II, Java, Dalvik, Pickle, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c64x), Hexagon, Brainfuck, Malbolge, whitespace, DCPU16, LANAI, lm32, MCORE, mcs96, RSP, SuperH-4, VAX, KVX, Am29000, LOONGARCH, JDH8, s390x, STM8.

File Formats

ELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, XCOFF, OMF, TE, XBE, SEP64, BIOS/UEFI, Dyldcache, DEX, ART, Java class, Android boot image, Plan9 executables, Amiga HUNK, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), PDP11, XTAC, CGC, WASM (WebAssembly binary), Commodore VICE emulator, QNX, WAD, OFF, TIC-80, GB/GBA, NDS and N3DS, and mount several filesystems like NTFS, FAT, HFS+, EXT,...

Packaging Status

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot