Improving analysis


One of the main tasks of Radare2 is to statically analyse executables. This includes disassembling binary files, analysing functions, setting calling conventions, auto-detecting arguments and type propagation. Auto-detecting arguments and type propagation are part of my Google Summer of Code task.

A new analysis round is added for argument detection. It is architecture independent and is meant to capture all arguments and variables, then automatically rename them. This analysis round is built on top of ESIL. It detects every base pointer + num reference and stores it as an argument, while every base pointer - num reference is stored as a variable. A stack pointer + num reference is always stored as an argument, whether it is actually an argument or a variable. Identifying whether stack pointer + offset is an argument or a variable is still a work in progress. The analysis on the left is the one generated using the new aa command, while the one on the right is an old instance of the same aa.


Radare2 also supports renaming declared variables/arguments. This can be done using the command afXn, where X can be:

  • a in case of normal arguments
  • A in case of fastcall
  • e in case a stack pointer is involved
  • v in case of a variable

For example, afan arg_5h my_first_argument will rename arg_5h to my_first_argument. You can also set the variable/argument type using afXt, where X is the same as that used for afXn.
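The classification rules and the afXn rename form described above, as an added sketch that is not radare2's implementation or code from the original post. The ESIL strings are constructed and simplified, and the `local_` prefix, the register-role tables and the function names are assumptions made for illustration.

```python
# Added sketch (not radare2 code): classify stack references found in ESIL.
# Kind letters a / v / e are the afXn letters from the post; the local_ prefix
# and all function names here are assumptions made for illustration.

X86_ROLES = {"ebp": "BP", "esp": "SP"}   # per-architecture register roles
X64_ROLES = {"rbp": "BP", "rsp": "SP"}

# Constructed, simplified ESIL strings (comma-separated postfix).
SAMPLE_ESIL = [
    "0x8,ebp,+,[4],eax,=",     # mov eax, dword [ebp + 8]
    "0xc,ebp,+,[4],eax,+=",    # add eax, dword [ebp + 0xc]
    "eax,0x4,ebp,-,=[4]",      # mov dword [ebp - 4], eax
    "0x10,esp,+,[4],ecx,=",    # mov ecx, dword [esp + 0x10]
    "0x8,ebp,+,[4],edx,=",     # second use of [ebp + 8], must not duplicate
    "ebx,eax,+=",              # register-only, no stack reference
]

def detect_stack_refs(esil_exprs, roles):
    """Map (role, signed offset) -> (kind letter, default name)."""
    found = {}
    for expr in esil_exprs:
        tok = expr.split(",")
        # A stack reference appears in postfix form as: <num>,<reg>,<+|->
        for num, reg, op in zip(tok, tok[1:], tok[2:]):
            if reg not in roles or op not in ("+", "-"):
                continue
            try:
                off = int(num, 0)
            except ValueError:      # operand is a register, not a constant
                continue
            role = roles[reg]
            if role == "BP" and op == "-":
                entry = ("v", f"local_{off:x}h")
            elif role == "BP":
                entry = ("a", f"arg_{off:x}h")
            elif op == "+":
                entry = ("e", f"arg_{off:x}h")  # SP + num: always an argument
            else:
                continue            # SP - num is not covered by the post
            found.setdefault((role, off if op == "+" else -off), entry)
    return found

def rename_command(kind, old, new):
    """Build the afXn rename command in the form the post shows."""
    return f"af{kind}n {old} {new}"

if __name__ == "__main__":
    refs = detect_stack_refs(SAMPLE_ESIL, X86_ROLES)
    for (role, off), (kind, name) in sorted(refs.items()):
        print(f"{role}{off:+#x} -> kind {kind}, {name}")
```

Because the register roles are passed in as a table, the same scan works for another architecture by swapping `X86_ROLES` for `X64_ROLES`.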

The most important thing to know is how to use this analysis round. Fortunately, it is embedded in the aa command, so for general-purpose use you won’t need to do anything extra. There will, however, be scenarios where you define a new function at a point where no function existed before. In that case, you can enforce this analysis round for the newly created function using afCa. It will analyze the function located at the current offset and set variables/arguments accordingly.

This is a little example of how to use the new set of commands ;).



