So far, I’ve been using strictly the command line prompt of radare2. I do believe this was the perfect choice to start learning how it works, to learn the basics so I can have a strong base of knowledge in this tool.
But let’s be honest, as you evolve, it become tedious use just the command line and I started to feel this in Crackme0x03 when I needed to debug the shift function. An option, was to put a breakpoint in every instruction, type dc, check the registers/variables, type dc, check the registers/variables, typ… you get the point.
Another alternative was to set the first breakpoint and then use “ds” which spares us the effort of setting a lot of breakpoints. But we still need to use “afvd” and “dr” every time we make a step.
We can do better that this!
While I was reading radare’s manual, I discovered the Visual mode. I strongly advise you to take a look in this manual. I’ve been learning to use it, practicing in every crackme and now, I think I’m ready to make a short introduction using crackme0x03.
So, to begin using Radare2’s Visual Mode, you can start radare like we did before, using the A, d or even w flag, it doesn’t matter at this point. Then type “V”.
The first Print Mode (or panel) you see is the HexDump panel and there are 6 more of this panels:
- Disassembly panel
- Debugger panel
- Hexadecimal words dump panel
- Hex-less hexdump panel
- Op analysis color map panel
- Annotated hexdump panel
You can cycle through this panels using “p”. In my examples, I’ll probably use the Debugger panel just because I can see the value of all registers in real time.
In the image presented above, notice the “eip” right next to the highlighted address. EIP stands for “Extended Instruction Pointer” which stores in the stack the address of the next instruction to be executed. To start executing instructions type “s”, which will make a single step and you’ll see the EIP register moving down. It basically means that you executed the next instruction. If you type “S” instead, you’ll step over an instruction. But let me give you an example.
At this point, the next instruction to be executed it’s a call to a function. If you type “s” you’ll be redirected to shift function and you’ll be presented with the instructions of that function. On the other hand, if you type “S“ you’ll step over this call and go right to the jump instruction at 0x08048488. You won’t go inside shift function.
From now on, I’ll use both modes, Visual and command prompt
Here are some other useful key bindings, but you use “?” to check the available options.
Instead of s/S you can use F7/F8, as they are means to the same end.
If you feel the need of using the command prompt of radare2 during Visual Mode, type “:” and a little prompt will appear at the end of the screen. There, you can type all the commands learned so far.
To assemble code, you can use “a” which will show you a prompt ready to accept opcodes or you can use “A” to insert instructions.
You can use the arrow keys to navigate through the code and to set a breakpoint just hit F2.
To quit, just press “q”.
Other commands used in the video below can be found at Radare Basics.