
How to make radare2 work for a large binary?

우와해커 2020. 1. 2. 10:33

https://reverseengineering.stackexchange.com/questions/16112/how-to-make-radare2-work-for-a-large-binary/16115#16115


It is not a good practice to run full analysis of your binary at the startup and it also isn't encouraged by radare. Running aaa by default is a heavy action and absolutely not recommended or needed in most of the cases.

As stated in this excellent post from radare's blog:

Code analysis is not a quick operation, and not even predictable or taking a linear time to be processed. This makes starting times pretty heavy, compared to just loading the headers and strings information like it’s done by default.
...
We enforce users to think about their workflows in order to better understand the problem they are facing and solve it in an optimal way, saving cpu, memory and why not: cats.

To make the analysis process more efficient you can start with configuring different analysis configuration variables in radare. These configuration variables can help you to fit the analysis process to your program and to your needs. Some of the interesting variables are:

  • anal.afterjmp
  • anal.depth
  • anal.eobjmp
  • anal.esil
  • anal.hasnext
  • anal.nopskip
  • anal.from
  • anal.to

See the e??anal. command to get more detailed descriptions for them.

Analysis of a program isn't just performing one action and that's it -- it is composed of different analyses for different needs.
radare implements many different commands that perform different kinds of analysis. Smart use of these commands can help you speed up the analysis and analyze only the parts which you believe are the most important:

  • Find functions by prelude instructions (aap)
  • Identify functions by following calls (aac)
  • Detect jump tables and pointers to code section (/V)
  • Analyze opcode absolute and relative references (aar)
  • Find code/data/string references to a specific address (/r)
  • Emulate code to identify new pointer references (aae)
  • Use binary header information to find public functions (aas)
  • Assume functions are consecutive (aat)

To sum it up, you should think and plan the analysis process that fits best to your needs:

radare2 is not a click-and-run program, it’s a set of orthogonal tools and commands that allows you to understand, analyze, manipulate and play with a large list of binary types... Only experience and understanding will give you control on what you are doing.

If after reading this answer and the post in radare's blog you believe it's a bug and you can point at the problem, feel free to open an issue on github.
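A staged analysis session of the kind the answer describes, written as an added example that is not part of the original answer or of the radare2 project. It is a radare2 command script; the binary name and the address range are constructed placeholders, and `anal.in=range` is assumed to be the setting that makes anal.from/anal.to take effect in current radare2 versions.

```r2
# staged.r2 -- run with:  r2 -q -i staged.r2 ./big.bin
# Without -A (or aaa) radare2 only loads headers and strings, which is
# the cheap starting point the answer recommends for a large binary.

# --- bound the work before asking for any analysis ---
e anal.depth=16         # cap recursion depth when following code paths
e anal.hasnext=false    # do not assume a new function starts right after one ends
e anal.nopskip=true     # skip nop padding before function preludes
e anal.afterjmp=true    # keep disassembling after unconditional jumps
e anal.from=0x00401000  # constructed: start of the code section of interest
e anal.to=0x00480000    # constructed: end of that section
e anal.in=range         # assumption: honour anal.from/anal.to instead of all maps

# --- run only the analysis passes you actually need, cheapest first ---
aas                     # functions named by the binary's own symbols/exports
aap                     # functions recognised by their prelude instructions
aac                     # functions discovered by following calls from known code
aar                     # absolute and relative references inside the range

# --- inspect what was found before deciding whether more passes are worth it ---
afl~?                   # number of functions recovered so far
afl~main                # show the entry point / main if it was identified
e?? anal.               # descriptions of every anal.* variable for further tuning
```

If the count from `afl~?` is too low for the region you care about, re-run with a wider anal.from/anal.to or add `aae` over that range, rather than falling back to a full `aaa` on the whole file.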