Scripts · May 4, 2026 · 1 minute read

radare2 — Open-Source Reverse Engineering Framework

A portable command-line reverse engineering framework providing disassembly, debugging, binary analysis, and patching across dozens of architectures.

Introduction

radare2 (r2) is a portable open-source reverse engineering framework that runs from the command line. It supports disassembly, debugging, binary diffing, and patching for a wide range of processor architectures and file formats, making it a staple tool in CTF competitions and malware analysis.

What radare2 Does

  • Disassembles binaries for x86, ARM, MIPS, RISC-V, and dozens of other architectures
  • Provides an interactive shell with hundreds of commands for binary exploration
  • Debugs local processes with its native backend and remote targets over debug stubs such as the GDB remote protocol
  • Patches binaries in place for quick modifications
  • Supports scripting via r2pipe in Python, JavaScript, Go, and other languages

Architecture Overview

radare2 is written in C with a layered architecture: r_io handles I/O across files, processes, and remote targets; r_asm and r_anal provide disassembly and analysis; r_bin parses executable formats; r_debug manages debugging sessions. The r2pipe API exposes all of this to external scripts by sending r2 commands to a running instance and returning their output as text; commands with the j suffix (for example aflj or iij) return JSON, which is what scripts normally consume.
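The following is an added example, not code from the radare2 project: a small r2pipe triage script of the kind the scripting bullet above describes. It opens a binary, runs auto-analysis, pulls the import table (iij) and function list (aflj) as JSON, and flags imports an analyst would look at first. The watch-list of import names and the sample JSON at the bottom are constructed for illustration; the scoring helpers are pure functions so they run without an r2 install, while triage() needs the r2 binary and the r2pipe Python module.

```python
"""Added example (not radare2's own code): r2pipe triage script.

The r2pipe calls need a local radare2 install; flag_imports() and
summarize_functions() are pure and run on constructed JSON.
"""

import json
import sys

# Hypothetical watch-list, chosen for illustration only (assumption, not from the page).
SUSPICIOUS_IMPORTS = {
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "ptrace", "mprotect", "dlopen", "system", "execve",
}


def flag_imports(imports):
    """Return the sorted import names from an `iij` result that are on the watch-list.

    `iij` yields a list of objects; each carries at least a "name" key.
    """
    names = {imp.get("name", "") for imp in imports}
    return sorted(names & SUSPICIOUS_IMPORTS)


def summarize_functions(functions):
    """Summarize an `aflj` result: function count, total size, and the largest function."""
    if not functions:
        return {"count": 0, "total_size": 0, "largest": None}
    largest = max(functions, key=lambda f: f.get("size", 0))
    return {
        "count": len(functions),
        "total_size": sum(f.get("size", 0) for f in functions),
        "largest": {
            "name": largest.get("name"),
            "offset": largest.get("offset"),
            "size": largest.get("size"),
        },
    }


def triage(path):
    """Drive radare2 over r2pipe. Requires the r2 binary and `pip install r2pipe`."""
    import r2pipe  # imported here so the pure helpers work without it
    r2 = r2pipe.open(path, flags=["-2"])   # -2: close stderr, silence r2 warnings
    try:
        r2.cmd("aaa")                      # full auto-analysis
        imports = r2.cmdj("iij") or []     # import table, JSON form
        functions = r2.cmdj("aflj") or []  # function list, JSON form
    finally:
        r2.quit()
    return {
        "flagged_imports": flag_imports(imports),
        "functions": summarize_functions(functions),
    }


# Constructed sample data shaped like `iij` and `aflj` output, for offline use.
SAMPLE_IMPORTS = [
    {"ordinal": 1, "bind": "NONE", "type": "FUNC", "name": "VirtualAlloc"},
    {"ordinal": 2, "bind": "NONE", "type": "FUNC", "name": "GetProcAddress"},
    {"ordinal": 3, "bind": "NONE", "type": "FUNC", "name": "IsDebuggerPresent"},
]
SAMPLE_FUNCTIONS = [
    {"name": "entry0", "offset": 4198400, "size": 48, "nbbs": 1},
    {"name": "fcn.00401040", "offset": 4198464, "size": 312, "nbbs": 9},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run against a binary: python3 triage.py /path/to/sample
        print(json.dumps(triage(sys.argv[1]), indent=2))
    else:
        # Offline run on the constructed sample data.
        print(flag_imports(SAMPLE_IMPORTS))
        print(summarize_functions(SAMPLE_FUNCTIONS))
```

Because r2pipe only ships text across the pipe, keeping the logic in functions that take already-parsed JSON is what makes the script testable without a sample on disk; the same pattern scales to any j-suffixed command.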

Self-Hosting & Configuration

  • Install via system package managers or build from source with meson
  • Configure personal settings in ~/.radare2rc
  • Install community plugins via r2pm (radare2 package manager)
  • Use iaito (the Qt GUI maintained by the radare2 project) for graphical analysis workflows; Cutter, which began as radare2's GUI, now targets the Rizin fork
  • Connect to remote targets with r2 -d gdb://host:port

Key Features

  • Visual mode for interactive graph and hex views in the terminal
  • Binary diffing (radiff2) to compare two versions of a binary
  • ESIL (Evaluable Strings Intermediate Language) for architecture-independent emulation
  • r2ghidra plugin integrating Ghidra's decompiler directly into the r2 workflow
  • Extensive format support including ELF, PE, Mach-O, DEX, and raw firmware

Comparison with Similar Tools

  • Ghidra — richer GUI and decompiler, but heavier and requires JDK
  • IDA Pro — commercial gold standard, faster for large binaries but expensive
  • Binary Ninja — clean API and modern UI, commercial license required
  • Cutter — started as the official radare2 GUI but now builds on the Rizin fork; radare2 users who want a graphical front end should look at iaito

FAQ

Q: What is the learning curve for radare2? A: The CLI-first design has a steep initial curve. The built-in help system (append ? to any command) and visual mode help ease the process.

Q: Can radare2 decompile code? A: With the r2ghidra or r2dec plugins, radare2 can produce pseudocode output similar to commercial decompilers.

Q: Is radare2 suitable for malware analysis? A: Yes. Files are opened read-only unless -w is passed, so a sample is not modified by accident, and ESIL emulation lets you step through code paths without executing the sample, which covers static and semi-dynamic analysis. Fully dynamic debugging of malware with r2 -d still belongs in an isolated VM.

Q: How does radare2 compare to Ghidra for team collaboration? A: Ghidra has built-in multi-user project sharing. radare2 is primarily single-user, though r2pipe enables custom collaboration workflows.
