Eight months ago, radare2 0.9.7 was released; today, we’re happy to announce radare 0.9.8!
In details and numbers:
- More than 2500 commits
- More than 120 new users in #radare (+300%)
- About 60 contributors.
- 13 colorscheme themes.
- 8 months
- 1 great leader
- One homepage
- A version nubmer: 0.9.8
- A soundtrack! Thanks to neuroflip!
Since you surely can read the 2500 commits by yourself (or the detailed changelog), we’re just going to highlight some cool new features and improvements:
r2-0.9.8 now builds for Android L, which enables two new architectures:
- Android mips64
- Android aarch64
Also, we are now supporting crosscompilation for iOS devices. No need to use jailbroken devices as main builders. The
sys/ios-sdk.sh script supports the very latest XCode from Yosemite.
We are also happy to get r2 running on Haiku and it’s great that it’s now finally possible to compile it natively on Windows7 using mingw32. Also xvilka helped to catch and fix the remaining bits to get r2 compilable with Cygwin too.
We’re now supporting:
- Java, thanks to dso. Ok, it’s not new, but it was greatly enhanced!
- cr16 and msp430, thanks to montekki
- Nintendo DS, thank to aortega
- tms320(c55x, c55x+, more is coming), thanks to milabs
- m68k - fixed some segfaults from the imported disassembler and use it to reverse engineer some Street Fighter roms.
- Spc700 - (supernes sound-chip)
- Every arch supported by capstone that we didn’t already had, like SystemZ
Also, we have reworked on w32 to make the native debugger work again and support hardware breakpoint registers on x86. (thanks Skuater!)
The tracepoints have been implemented, Now each breakpoint can be be toggled to become active/disabled or be used as a tracepoint or breakpoint.
Lot of work have been done to make the GDB remote work and support X86, MIPS and ARM for qemu and gdb-server targets.
Bear in mind that GDB is a totally fucked up protocol with lot of incompatibilities (yes, more than ELF), and each new target depends on several sub-features to be implemented or handled differently in the client side. defragger did a great work testing and implementing them, but there are still more targets to be supported.
SDB is our key-value database system, that we’re integrating into radare2. This simplifies the code, and increases the performances in many areas.
You can play around with SDB using the
We’re now using capstone to disassemble several architectures. This simplifies maintainance on our side, and bring you complete support for several architectures and their extensions (hello AVX, FPU, …).
If you are having disasm or analysis problems, switch to the old udis86 or GNU plugins to compare and send us your feedback. We’ll fix them as soon as possible.
Thanks to coverity, we fixed a lot of bugs. We’re also using ASAN, valgrind, Jenkins and a complete testsuite to improves r2 efficiency and reliability.
We also cleaned up lot of warnings and memory corruption issues by using different fuzzers (radamsa, melkor, nightmare, zzuf, …), to make the RBin plugins much more reliable on fucked up targets. We know there are still some corner cases to fix, and we will address them in the next bugfix release 0.9.9.
The R_IO layer have been heavily tested, reviewed and partly rewritten to be more stable (thanks condret!)
Montekki spent some time to add support for DWARF! Now you can debug your favourite ELF binary (almost) without reading assembly!
ESIL stands for Evaluable Strings Intermedate Language. It aims to describe a Forth-like representation for every opcode; the goal within radare being emulation, in order to improve the analysis.
With ESIL it is now possible to:
- Debug Brainfuck applications
- Partially emulate Gameboy, X86, ARM and MIPS.
- Define software watchpoint conditions.
- Spawn complex search expressions
- Analyze code without messing with arch-specific and low level struct issues.
We will continue to enhance the ESIL support to emulate code in a better fashion, and we plan to use it for injecting code on child processes and more.
- Analyze an specific memory address with
- Take references from registers and memory with
drr/pxr(à la PEDA)
- ROP gadget searcher (
- Mitigation detections (in
- De Bruijn patterns
search.ineval variable can be used to specify where to search for patterns (for example, inside heaps or executable pages).
ASCII art graphs
Spawned by default when pressing
V inside the Visual mode when placing the cursor on an already analized function. For callgraphs use
Graphviz, JSON and HTML5 interactive graphs are still supported, but not used by default.
In addition, some basic debugging can be done inside the ascii graph graphs.
The visual mode has been enhanced to better handle cursor, enable feedback mode (useful for screencasts), navigating references with
X keys, and support the mouse wheel for scrolling (which can be disabled with the
scr.wheel eval variable).
Since we’ve been rejected from the GSoC, we’ve launched our own Summer of Code. Which turned to be kinda profitable from the point of view of new contributors, feedback, testing and getting new features ready for the masses. Congratulations to everyone who attended and participated!
We will soon release another post explaining all the details of the finalized RSoC.
Skia did great to implement structures support, a bit à la 010Editor.
r2 -nn it is possible to analyze the file header structs using the
pxa and other related commands.
$ r2 -nn /path/to/bin
FLIRT and YARA support
jfrankowski did a great RSoC, and improved yara support in radare2, and also added the FLIRT one! Currently, radare2 is only able to use existing signatures, but feel free to drop us a patch to build our own, using radare!
Yara3 support is almost there, but we prefer to release for a welltested yara2 version and push the upgrade in 0.9.9.
inisider implemented a standalone library to handle PDB files, and integrated it into radare2. You can now analyse/debug PE with much more ease.
> .!rabin2 -rP test.pdb
Integration and bindings
The IDA to r2 Python script has been also updated.
We have also integrated support for GZip files which can be now slurped or loaded without depending on external programs (as we already did with ZIP).
Documentation and PR
libmagic support has been enhanced to the point that we can already replace some features of binwalk to analyze router firmware images.
Also, several commands for searching with asteroids have been added, in order to make data analysis much better.
Also, commands like
rabin2 -zzz allow to dump all strings from a file without storing the results in memory which works great for dumping harddisks or memory snapshots.
R2Pipe and JSON
Since this release you now can use a very fast kind of bindings - r2pipe, which is actually piping output of the commands inside the chosen language wrappers instead of directly calling C function from the library. Also it is very easy to use, because if you know radare2 commands.
A lot of commands spit JSON when typing a
j at the end of the command. This is very useful for exporting information from r2 or processing it from the webui.
In addition a bunch of new bindings have been created under the name of
r2pipe which use r2 with
-0 flag to send commands and receive output asyncrunously.
That solution tends to be far more realiable than depending on SWIG, faster than using FFI and easier to make it distributable or work remotely.
Since we’re a bunch of nice people, we also implemented:
- An ascii version of 2048
- A lot of colourschemes
- Help is colourized
- Greatly enhanced analysis
- Nearly all commands can now output JSON
A new colourscheme
Because patching Gameboy ROM with radare2 is fun!
Prototype of demangling
First screenshot of sonare, a Qt-based disassembly viewer based on radare2.