The hacker behind open-source, reverse-engineering tool Radare previews the inaugural r2conPosted by Keith Mokris NowSecure Marketing
Security Researcher Sergi Alvarez, better known by his nickname Pancake, has been behind the helm of the open source project Radare for ten years now. In the decade since Radare’s inception, the community surrounding and contributing to the project has grown immensely. Next month, researchers and friends of the project will head to Barcelona for the inaugural r2con, a conference celebrating Radare, on September 8-10.
In preparation for the conference, I chatted with Pancake about Radare’s beginnings, recent announcements, and what to expect at the conference.
For people who don’t know what it is, explain Radare in a few sentences:
Radare is a framework and toolset to help reverse engineers, exploiters, malware analysts and other computer security experts understand what programs are doing internally.
The tool is able to do static analysis, but also supports debugging, binary patching, pattern search, and several other features that can be useful in a large number of low level problems.
Many people are scared about the interface because it’s command-line driven. The GUI is out of the core project’s scope, but it would be the tool of choice if you needed some hacker-looking screen shots for a movie. As is, the interface allows users to automate things or do things more quickly compared to just clicking buttons. For people who like using the mouse though, they can try several UIs available from other sources.
What is it that Radare can do that no other open-source tool can do?
The project, written only in the programming language C, was born with some clear design principles in mind: being Unix-like, portable, extensible, and scriptable.
Portability means that it can build without any dependency and run on routers, non-jailbroken Apple Watches, desktops, phones, game consoles, etc. You can also easily extend its functionalities with plugins, with scripts, or by directly modifying the source code.
How does Radare make mobile apps more secure for users and enterprises?
Radare2, the name of the tool (or “r2” for short), supports static analysis of iOS and Android. It is very portable and easy to embed. Radare was the first tool to load 64-bit iOS kernels, Apple Watch apps, and MBN/SBL bootloaders found in Android devices. It was also the first tool that could disassemble Pebble applications.
Users are able to install r2 in their Android devices directly from Google Play and use it for analyzing APKs because it can analyze all MIPS/ARM/ARM64/x86 native libraries and DEX binaries. Extracting information from the app is the quickest way to understand if the app comes with malicious stuff inside it. Enterprises and users can benefit from using r2 for this purpose.
Where did the name come from/how did you decide to name the project Radare?
At the beginning, Radare was just a small hexadecimal editor I wrote in order to recover some deleted files from a G3 Mac. It allowed me to open raw devices like the hard disk and perform pattern searches and dump the results in separate files for later analysis and recovery.
The first two letters of each of the words raw, data, and recovery make up the name Radare. The tool was supposed to be a low level forensics tool. But because I had a lot of fun using it, I extended it to support disassembly, debugging, binary patching, and other functionalities I needed daily. The project grew pretty quickly into a huge monster, and I decided to rewrite it from scratch under the Radare2 project, which basically offers the same functionalities but in a maintainable and pluggable form.
Radare is now ten years old, what has surprised you the most about how large Radare’s community of users and contributors has grown?
At first, Radare was just a personal project. I’m always happy making tools open-source as often as possible, because having other people using your code is the best way to learn, grow, and share your creations.
The project didn’t really grow until four years ago when a bunch of guys (xvilka, jvoisin, and maijin) appeared in the IRC and decided to help spread the word about r2. In just one year, the IRC channel grew from 30 people to 180. Right now there’s nearly 300, and that doesn’t count the Github contributors or users that contact me via Telegram or Mail.
Can you talk about some of the unique ways researchers and your peers are using Radare?
Many users choose r2 as their main reverse engineering tool for solving CrackMe or capture-the-flag (CTF) challenges because it’s free, open-source, runs everywhere, and supports a large number of binary files. It is ideal for beginners.
I am also aware of several companies using it for extracting information and defining metrics from malware samples to feed databases. Thanks to its license and portability, it is very easy to run on headless servers or distributed dockers in the cloud to balance the analysis load.
People are also using r2 to analyze firmware for embedded systems like routers, drones, UEFI images, or DSLR cameras in order to find vulnerabilities and backdoors, or for creating open-source implementations and drivers. Reverse engineering is also used for extending functionalities and compatibility, or even fixing bugs that the company is not going to patch because they are no longer supporting a specific product.
You can see the list of Radare contributors in the repository or view a video about the evolution of Radare on YouTube.
R2con will be taking place this September 8-10 in Barcelona. What can attendees expect at the conference?
The conference will show many aspects of the tool by exemplifying its use in a different range of applications. I recently updated the page with the list of talks and trainings at http://rada.re/con.
The introductory trainings raised a lot of interest. These talks will help new users get hands-on experience with the tool and its capabilities, as well as, learn how to apply that knowledge in a productive way.
Other talks that raised interest were those discussing the recent native Windows Kernel debugging support which completes the support of GDB remote, Bochs and WinDBG. That will be used to analyze some modern Ring 0 malware.
Also, attendees will be able to see talks on the following topics:
- Hacking the Street Fighter video game
- Integrating r2 with Frida presented by Frida’s creator, NowSecure Mobile Security Researcher Ole André Vadla Ravnås (@oleavr)
- Exploiting AVR microprocessors
- Reverse-engineering and binary-patching demos of drone firmware
- Bypassing security in routers
- Fuzzing r2 itself to find vulnerabilities
Students will also share updates from the Google and Radare Summer Of Code competitions about their progress and new features they are including.
To learn more about Radare, check out the latest posts on the Radare blog and connect on Twitter @radareorg.