Many of us are dreaming of a new version of IDA leaked to the public, since 6.1 is already a bit outdated. But some people didn’t sit still and started to develop their own tool to help in everyday work.

The radare project was started in 2006 by a hacker with the nickname pancake, and for a long time he was, in fact, its only developer. The framework began as a hex editor with a simple console interface and support for 64-bit architecture. It could find and recover data from hard disks, which is why it was also called a computer forensics tool. In 2010 the framework was "redesigned", after which the project began to grow and gain new functionality, so that it can be used not only as an editor but also as a disassembler and as a code and shellcode analyzer. At the moment the framework is used by well-known CTF teams (Dragon Sector) and virus analysts (MalwareMustDie and AlienVault), the latter presenting it at their workshop at Black Hat. A rather large list of those using radare2, with examples, is presented on the project blog.

In general, I'm not afraid to say it, the framework is quietly catching up with our favorite (and rather difficult to obtain) IDA. For now, let's take a look at the features that have been developed so far.

Let's start with support for a large number of architectures. There is even support for the Game Boy: one of the researchers published a video on a YouTube channel, though in German, on analyzing the popular game Pokemon for it.

Another feature is support for many scripting languages. In addition to the popular Python and Perl, which other disassemblers also support, there are Vala, Go, Guile, Ruby, Lua (I wrote about its pros and cons earlier), Java, JavaScript (Node.js and Duktape), sh and many others.

Development of the framework doesn't stand still, and version 1.0 is getting closer. One of the planned innovations, which I think will be useful to many people, is support for 010 templates, the templates of the hex editor of the same name. Such templates are especially helpful for fuzzing.

So don’t be surprised if you have version 1.x installed as you read this issue.

One of the developers of this framework presented it in a short talk at PHDays 2014. In the talk, he showed an example of using radare2 to analyze malware. The Windows Trojan Shylock and the 64-bit Linux virus Snakso.A served as samples, and both static analysis and debugging were performed on them. The video of the presentation is available on the official PHDays site, and the slides can be read on the event's SlideShare account.

The creators of the program applied to Google’s Summer of Code, but were rejected. Therefore, the developers launched a crowdfunding campaign to hold their own Summer of Code – Radare Summer of Code 2014, which they also wrote about on Habrahabr.