Classroom Public page

RE-011 Week 8: radare2 / rizin / cutter

939 words

The alternative tradition in binary analysis. Why multiple tools exist, when radare2 is the right choice, and how to be functional in both ecosystems.

Reading (~30 min)

Read the radare2 book introduction (available free at book.rada.re). Read the "Introduction" and "Basic Usage" chapters. The goal is familiarity with the command-line interface pattern, not fluency -- you are not memorizing the 500+ r2 commands.

If you prefer a GUI: Cutter is radare2's official GUI frontend. Install it alongside radare2 and follow the Cutter tutorial on the cutter.re website. Cutter's UI maps closely to Ghidra's; the underlying analysis engine is rizin (the radare2 fork that Cutter uses by default).

Lecture outline (~1.5 hr)

Part 1: Why two tools? (15 min)

Ghidra and radare2 exist because no single tool is right for every situation, and because having two independent analyses of the same binary is more reliable than one.

Ghidra strengths: polished GUI, powerful decompiler, persistent project database, excellent for large-scale analysis, strong scripting with full Java/Python API, broad architecture support with actively maintained processor modules.

radare2/rizin strengths: command-line first (scriptable in shell pipelines), lightweight (runs on a 256 MB embedded system), excellent for interactive exploration of small binaries, strong community for CTF use, can run on remote targets via a debug server, very fast for one-off questions.

When to prefer r2:

  • Scripting: r2 -q -c "aaa; afl" binary > functions.txt dumps all function names in one command. Equivalent Ghidra work requires a headless script.
  • Embedded targets: radare2 can debug binaries running on remote systems via the r2 remote debug server.
  • Quick answer: "What strings does this binary contain above length 10 at offset 0x400?" is a one-liner in r2.
  • CTF work: the CTF community has built a rich ecosystem of r2 tips, tutorials, and plugins that are immediately useful.

When to prefer Ghidra:

  • Long analysis sessions (the persistent project database saves your work).
  • Large binaries (Ghidra's decompiler scales better).
  • Struct recovery and type annotation (Ghidra's data type manager is more mature).
  • Collaboration (shared Ghidra server).

In professional RE work, practitioners use both. RE-011 uses Ghidra as the primary tool and radare2 as the secondary tool. You should be functional in both by the end of this week.

Part 2: radare2 fundamentals (35 min)

radare2 uses a command-line REPL. You open a binary with:

r2 binary         # open for analysis
r2 -A binary      # open and run full analysis (slow but thorough)
r2 -d binary      # open for debugging (Week 9)

Inside r2, commands are terse mnemonics:

Analysis:

aaa               # analyze all (equiv to auto-analyser; required before most commands)
afl               # list all functions (a=analysis, f=function, l=list)
afl | grep main   # filter function list
pdf @ main        # print disassembly of function 'main' (p=print, d=disassemble, f=function)
pdf @ 0x00401136  # print disassembly at address
pdc @ main        # print decompiled pseudocode of 'main' (not as good as Ghidra)

Navigation:

s main            # seek to 'main' (sets current position)
s 0x00401136      # seek to address
s+10              # seek forward 10 bytes
VV                # visual mode, graph view (arrow-key navigation; 'q' to exit)

Strings and xrefs:

iz                # list strings in .rodata section
izz               # list strings in entire binary
axt 0x402008      # show xrefs to address 0x402008 (calls, data references)
axf main          # show xrefs from 'main' (what main calls)

Renaming:

afn new_name      # rename current function
afn validate_key 0x00401200  # rename function at address

Searching:

/ password        # search for ASCII string "password"
/x 7f454c46      # search for hex bytes (ELF magic)

The VV command (visual graph mode) is radare2's equivalent of Ghidra's graph view: it shows the control flow graph of the current function as an ASCII-art graph. Press p to cycle between views (linear disassembly, graph, hex). Press q to exit visual mode.

Part 3: Cutter -- radare2 with a GUI (20 min)

Cutter is an official GUI frontend for rizin (the radare2 fork). Its interface has:

  • Functions panel (left): like Ghidra's symbol tree, lists all identified functions.
  • Disassembly/Graph view (center): same data as pdf / VV, rendered graphically.
  • Decompiler panel (right): pseudo-C output (similar quality to r2's pdc).
  • Strings panel: equivalent to iz / izz.
  • Imports/Exports: equivalent to dynamic symbol table views.

Cutter's decompiler is weaker than Ghidra's on complex binaries. Use Cutter when you want a fast GUI without opening Ghidra, especially for simple CrackMes.

Part 4: Cross-tool verification (10 min)

Use multiple tools to cross-check conclusions. If Ghidra's decompiler says a function does X and radare2's pdf shows something that cannot produce X, one of them is wrong (or your interpretation of one is wrong). Always check important conclusions in the listing (assembly), not just in a decompiler.

Practical cross-check workflow for CrackMes:

  1. Ghidra auto-analyse, find check function via string xref.
  2. Verify the check logic in Ghidra's listing view.
  3. Open the same binary in r2, aaa, pdf @ addr_of_check_function. Confirm the assembly matches.
  4. If they agree, you are confident. If they disagree, something is wrong with one analysis.

Lab walk: r2 session on a CrackMe (~1 hr, ungraded)

Instructor-led: open a CrackMe in radare2, run aaa, use afl to list functions, pdf @ main to read main, find the check function by searching for strings with izz, navigate to it with s, read it with pdf. Compare the result to what Ghidra shows for the same binary. Document differences.

Independent practice (~3 hr)

  • Tool Journal: Document the ten most-used r2 commands from this week. Include the mnemonic structure: a = analysis prefix, f = function prefix, l = list suffix, p = print prefix, d = disassemble. The mnemonic structure is how you remember the commands without memorizing a list.
  • CrackMe in both tools: Solve a CrackMe (or attempt one from the ladder) using radare2 first, then verify in Ghidra. Write a brief comparison: what did r2 show you faster? Where did Ghidra add value?
  • Cutter install: Install Cutter if you have not already. Import one CrackMe and navigate to the check function using only Cutter's GUI. Note in your Tool Journal: which Cutter panels map to which Ghidra panels.

Reflection prompts

  1. radare2's command syntax is intentionally terse (aaa, afl, pdf). This makes it fast once learned and opaque until then. Ghidra's menu-driven interface is slower but self-documenting. Under what working conditions does each approach win? What does this tell you about the design tradeoff between discoverability and efficiency?

  2. Two tools analyzing the same binary might disagree about where a function starts, what type a variable has, or what a jump target is. When two tools disagree, how do you determine which is correct? What is the authoritative source?

  3. radare2 can run on a remote target via a debug server (you connect to r2 running on another machine and analyze code running there). Why would this capability matter in a professional RE context? Give one scenario where it would be essential.

Week 8 of 14. Next: Dynamic analysis -- gdb, strace, ltrace, and when static analysis hits a wall.