Learning Binary Reversing: Radare2 vs. GDB
I’ve seen this question a few times: is it better to learn Radare2 (r2) or GNU Debugger (GDB)? The short answer is you should learn both. The long answer depends on what you are really asking. I usually see this question posed when someone wants to learn binary reverse engineering. In this case, the real question is, “How should I get started? With GDB or r2?”
Getting Started Reversing
My simple answer is GDB. To learn C, you must read C. To learn assembly, you must read assembly. Reading assembly is harder if you have no concept of pointers or context. So I would start by learning C, mainly to understand pointers and structures.
Learning C and GDB
Write yourself a basic C program that uses pointers, pointers to pointers, structures, and pointers to structures, and then debug this with GDB. Use TUI mode to step through individual assembly instructions while you can see the C source code (hit ctrl+x twice). See if you can figure out how arguments are passed to a function. How are pointers being dereferenced? Where is the data actually being stored? Why shouldn’t you return a local string variable from a function? You will be learning how computers work at nearly the lowest level.
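A program of the kind described above, written here as an added example (it is not code from the original post): a structure, a pointer to it, a pointer to a pointer, pointer arithmetic over an array, and the caller-owned-buffer alternative to returning a local string. The values are constructed. Compile with gcc -g, open it in gdb, and step through make_point and move_point in TUI mode to watch how &p, p and *p differ in the registers and on the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A small structure to practise "pointer to structure" access (p->x). */
struct point {
    int x;
    int y;
};

/* Pointer to structure: the callee modifies the caller's object in place. */
void move_point(struct point *p, int dx, int dy)
{
    p->x += dx;
    p->y += dy;
}

/* Pointer to pointer: the callee allocates and writes the new address back
 * into the caller's pointer variable. Returns 0 on success, -1 if malloc fails. */
int make_point(struct point **out, int x, int y)
{
    struct point *p = malloc(sizeof *p);
    if (p == NULL)
        return -1;
    p->x = x;
    p->y = y;
    *out = p;
    return 0;
}

/* Pointer arithmetic over an array of structures: p++ advances sizeof(struct point). */
int sum_x(const struct point *pts, size_t n)
{
    int total = 0;
    for (const struct point *p = pts; p < pts + n; p++)
        total += p->x;
    return total;
}

/* Do NOT write:  char *describe(...) { char buf[32]; ...; return buf; }
 * buf lives in describe's stack frame, which is reused after it returns, so the
 * caller would read through a dangling pointer. The fix is a caller-owned buffer.
 * Returns the number of characters written (excluding the terminating NUL). */
size_t describe_point(const struct point *p, char *buf, size_t len)
{
    int n = snprintf(buf, len, "(%d, %d)", p->x, p->y);
    return n < 0 ? 0 : (size_t)n;
}

/* Runs the whole exercise and returns a checksum so the result can be verified.
 * Constructed values: final point (4, 6) plus array sum 30 gives 40. */
int run_pointer_exercise(void)
{
    struct point *p = NULL;     /* good breakpoint: compare &p, p and *p in GDB */
    if (make_point(&p, 1, 2) != 0)
        return -1;
    move_point(p, 3, 4);        /* p now points at (4, 6) */

    struct point arr[2] = { {10, 0}, {20, 0} };
    int sum = sum_x(arr, 2);    /* 30 */

    char buf[32];
    describe_point(p, buf, sizeof buf);   /* "(4, 6)" written into caller's buffer */

    int result = p->x + p->y + sum;       /* 4 + 6 + 30 = 40 */
    free(p);
    return result;
}

int main(void)
{
    printf("result = %d\n", run_pointer_exercise());
    return 0;
}
```

Set a breakpoint on move_point and look at how the first argument arrives: on x86-64 it is an address in a register, and the instruction that follows dereferences it with an offset, which is p->y in source terms.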
Write your own password protected program using strcmp, and then see if you can debug it and steal the password. Now do it over, but strip all the symbols from your binaries. Notice that you can still set a breakpoint on strcmp, but not on main. This is where some r2 features start to become more useful.
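The password-protected program described above, as an added example that is not part of the original post. The secret is a constructed placeholder. The point of the exercise is the one the post makes: a string literal compiled into the binary and compared with strcmp is recoverable without symbols, so embedding a secret this way is not protection.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder secret for the exercise. As a string literal it is
 * stored in the binary's read-only data, which is why a strings dump (or r2's
 * iz) still shows it after the symbols have been stripped. */
#define SECRET "correct-horse-battery"

/* Returns 1 when the attempt matches the embedded secret, 0 otherwise.
 * Build with -O0 so the strcmp call remains a real call into libc: after
 * stripping, strcmp is still an imported symbol you can break on, while main
 * no longer has a name. */
int check_password(const char *attempt)
{
    return strcmp(attempt, SECRET) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    if (check_password(argv[1])) {
        puts("access granted");
        return 0;
    }
    puts("access denied");
    return 1;
}
```

Build it twice: once with `gcc -O0 -g -o pw pw.c`, and once more followed by `strip pw`. In the first build `break main` works; in the stripped build only `break strcmp` does, and when it fires the two pointer arguments to strcmp are the attempt and the embedded secret, which is the moment the post is asking you to observe.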
Radare2 has a steeper learning curve than GDB. You can learn GDB pretty quickly. I use maybe a dozen GDB commands regularly. Everything else, I Google. I know a lot more r2 commands because r2 has a lot more that I want to do with it.
Try opening your stripped password protected program in r2 and run aaa to do some analysis. Dump strings with iz; the password should pop out. You can also quickly see what external functions the binary uses with ii, and you can cross reference them with axt. Cross referencing strcmp will take you to the code where the password comparison is done. Going there in visual mode (the V command) should show you the password in a comment next to where the password is pulled into memory.
Even if you don’t see the password because the compiler decided to be tricky, you should now be competent enough with assembly to see how the string is passed to strcmp. Unlike GDB, you can do all this without ever executing the program.
One more r2 feature should be mentioned. If you are learning a new assembly language, you should check out the asm.describe variable in r2. Setting this variable with e asm.describe = true will tell Radare2 to give you short little descriptions of each asm instruction. This can save you a lot of Google time. You should also check out the pseudo asm and ESIL views.
The journey into learning reverse engineering only ends when you quit. Many quit early because they make the trek too hard on themselves. So, be nice to yourself. Set a pace that is not too difficult but also not too boring. Start with GDB and C; there is plenty of free material for learning them. Once you have problems that r2 solves, go to r2. There are other reversing frameworks too, so try those. If you find the journey fun, you won’t ever stop. If you don’t find it fun, don’t worry about picking something else to learn.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.