Scribd
Upload
64 views

Intro To Reverse Engineering and Debugging With Radare2

The document provides an introduction to reverse engineering and debugging with Radare2. It discusses compiling source code, looking at binary files, memory and registers, assembly instructions, function prologue and epilogue, and stack frames. The target audience is those interested in computer security with a background in programming and some computer science courses on topics like computer organization and operating systems. It aims to briefly cover source code, memory mapping, and calling conventions before diving more in-depth into debugging, disassembly, and using the Radare2 tool for reversing.

Uploaded by

John Doe
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
64 views

Intro To Reverse Engineering and Debugging With Radare2

The document provides an introduction to reverse engineering and debugging with Radare2. It discusses compiling source code, looking at binary files, memory and registers, assembly instructions, function prologue and epilogue, and stack frames. The target audience is those interested in computer security with a background in programming and some computer science courses on topics like computer organization and operating systems. It aims to briefly cover source code, memory mapping, and calling conventions before diving more in-depth into debugging, disassembly, and using the Radare2 tool for reversing.

Uploaded by

John Doe
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 36

Intro to Reverse Engineering

and Debugging with Radare2

By Chris James
0x00: Who am I?

● Systems Security Professional for Information Security


Office @ UF
● Bachelor's of Science in Computer Science from UF
● Started learning about computer and C code in 2003 with
SoftICE, Ollydbg, crackmes, and keygens
● Moved on to computer graphics
● Didn't pick it back up again until 2005, 2008 @ UF (Help
Desk Malware Removal)
● Joined SIT in 2011/2012, started with forensics, misc,
programming. But now back into binary analysis
0x01: Who are you?

● Minimum:
○ Interested in Computer Security
○ Can write programs in a programming language
■ Programming I/II (exposure to C/C++)
● Ideally:
○ Experience with C/C++ and some Assembly
○ Have taken some CS courses:
■ Computer Organization
■ Digital Logic
● Even Better:
○ Operating Systems
0x02: What I'm gonna cover

● Briefly: ● More In Depth:


○ Source Code ○ Debugging
■ What a compiler ○ Assembly
Does ■ What is
■ Machine Code disassembly?
○ Memory Mapping ○ Radare2
○ Calling conventions ■ Disassembly
■ Debugging
■ Reversing
0x10: Binary ● What does a compiler do
to source?

Review
● What is a binary file?
● How does a CPU execute
binary?
From source to CPU
registers
0x11: Compiling source

● Source file is High-level code $ cat hello.c


e.g. <C> #include <stdio.h>
○ May include shared libraries #include <stdlib.h>
like <stdlib.h>
● Compiler turns C into int main(){
printf("Hello, world!\n");
ELF/Machine code
○ Literally 1’s and 0’s, which
exit(0);
can also be represented as
}
Hexadecimal (base-16)
$ gcc -o hello hello.c
$ ./hello
Hello, world!
0x12: Looking at the Binary

● File Magic $ file hello


○ ELF Header Hello: ELF 64-bit LSB shared obj…
● Lots of Boilerplate code $ strings hello
● Disassembly: Turning /lib64/ld-linux-x86-64.so.2…
machine code back into ASM
$ xxd hello | less
representation 00000000: 7f45 4c46 0201 … ELF
● Entry point
○ Virtual Address $ objdump -Mintel -D ./hello | grep “main>:” -A 8
400546: 55 push rbp
○ Real Address
● Map Binary to memory $ readelf -h ./hello | grep Entry
Entry point address: 0x400450
0x20: Memory ● What is Virtual Memory?

and Registers
● What is physical
Memory?
● Process Image Segments

Virtual, Real, Registers


0x21: Memory

● Memory is addressed by byte


○ 1 byte == 8 bits
○ Value of 1 byte ranges from 0-255
■ 256 discrete values
■ Hex: 0x00 - 0xff
■ Bin: 0b00000000 - 0b11111111
● On 32-bit systems, 2 ^ 32 bytes of addressable memory:
○ 4,294,967,296 Bytes (4 Gibibytes) (approx. 4 Gigabytes)
○ 0x00000000 - 0xffffffff
0x21: Memory

● On 64-bit systems, 2 ^ 64
bytes of addressable memory:
○ 18,446,744,073,709,551,616 Bytes
(16 Exbibytes) (approx. 16
Exabytes)
○ 0x0000000000000000 -
0xffffffffffffffff
● Every process granted full
address space.
○ How? (Virtual Memory to Physical
Memory)
○ But: processes rarely use anywhere
near the total Virtual Memory
space.
0x22: Process memory layout

● .text (0x400000)
○ Section with executable
code
● .(ro)data
○ Sections with initialized
variables
● heap
○ malloc scratchpad
● Shared libraries
○ C std lib
● Stack (0x7fffffff)
○ Local function scratchpads
0x22: Process memory layout

● All code (.text) and data exists


between 0x0 and 0xd80000 (about
14 MB)
○ .0000000000766% of the way
through address space
● Stack starts at 0x7fffffff
○ .0000000116% of the way
through address space
○ 0x7f27ffff bytes between end
of .text/.data and stack
■ Approx 2 GB of space for
heap and Stack to grow
0x23: Registers

● CPU Registers == fastest memory ● Can address different parts of a


● Instruction Pointer: register:
○ rip: “what executes next” ● 0x1122334455667788
● General Purpose: ================ rax (64 bits)
○ rax: return values ======== eax (32 bits)
○ rbx, rcx, rdx ==== ax (16 bits)
● Stack: == ah (8 bits)
○ rsp: stack pointer (top) == al (8 bits)
○ rbp: base pointer (bottom) ● Syscalls:
● Data: ○ rax: syscall number
○ rsi: source index ○ rdi: arg0
○ rdi: destination index ○ rsi: arg1
● Other: ○ rdx: arg2
○ r8-r15 ○ r10-r8-r9: arg3-arg5
● Instructions

0x30: Assembly ● Function Prologue &


Epilogue
● Stack frames
Machine code to logic
0x31: Assembly Instructions

● Intel vs AT&T (Intel is $ objdump -Mintel -D ./hello | grep “main>:” -A 8


400546: 55 push rbp
better)
400547: 48 89 e5 mov rbp,rsp
○ Intel: <inst> <dst>,<src> 40054a: bf e4 05 40 00 mov edi,0x4005e4
○ AT&T: <inst> <src>,<dst> 40054f: e8 dc fe ff ff call 400430 <puts@plt>
● Side effects: 400554: bf 00 00 00 00 mov edi,0x0
400559: e8 e2 fe ff ff call 400440 <exit@plt>
○ CPU Flags:
■ ZF: cmp, jump, test
○ Stack:
$ objdump -D ./hello | grep “main>:” -A 8
■ push, pop, call, 400546: 55 push %rbp
leave, ret 400547: 48 89 e5 mov %rsp,%rbp
● Control Flow: 40054a: bf e4 05 40 00 mov $0x4005e4,%edi
○ call, jump 40054f: e8 dc fe ff ff callq 400430 <puts@plt>
400554: bf 00 00 00 00 mov $0x0,%edi
400559: e8 e2 fe ff ff callq 400440 <exit@plt>
0x32: Function Prologue and Epilogue (x86-64)

● Syscalls: ● call <address>


○ rax: syscall number ○ Same as:
○ rdi: arg0 ■ push rip+len(instruc)
○ rsi: arg1 ■ jmp <address>
● Function prologue:
○ rdx: arg2
○ push rbp
○ r10-r8-r9: arg3-arg5
○ mov rbp, rsp
● Function Calls: ○ sub rsp, 0x20
○ rax: return value ● Function Epilogue
○ rdi: arg0 ○ leave
○ rsi: arg1 ■ Combines:
○ rdx: arg2 ● mov rsp, rbp
○ rcx-r8-r9: arg3-arg5 ● pop rbp
○ ret
■ Same as “pop rip”
0x32a: Function Prologue and Epilogue (x86-32)

● Syscalls: ● call <address>


○ eax: syscall number ○ Same as:
○ ebx: arg0 ■ push eip+len(instruc)
○ ecx: arg1 ■ jmp <address>
● Function prologue:
○ edx: arg2
○ push ebp
○ esi-edi-ebp: arg3-arg5
○ mov ebp, esp
● Function Calls: ○ sub esp, 0x20
○ Arguments are pushed to ● Function Epilogue
stack prior to function ○ leave
call in right-to-left ■ Combines:
order (so that last ● mov esp, ebp
pushed arg is arg0) ● pop ebp
○ ret
■ Same as “pop eip”
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world!


● rsp: 0x7ffe89cd1cc0
● rbp: 0x7ffe89cd1cd0
● rip: 0x00400597
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400597 e8aaffffff call 0x400546 0x7ffe89cd1cc8 0x00000021646c726f
0x0040059c bf00000000 mov edi, 0 0x7ffe89cd1cd0 0x00000000004005b0
0x004005a1 e89afeffff call sym.imp.exit
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world!


● rsp: 0x7ffe89cd1cb8
● rbp: 0x7ffe89cd1cd0
● rip: 0x00400546 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world!


● rsp: 0x7ffe89cd1cb0
● rbp: 0x7ffe89cd1cd0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x00400547 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world!


● rsp: 0x7ffe89cd1cb0
● rbp: 0x7ffe89cd1cb0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x0040054a 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world! 0x7ffe89cd1ca0 <uninitialized data>


● rsp: 0x7ffe89cd1ca0 0x7ffe89cd1ca8 <uninitialized data>
● rbp: 0x7ffe89cd1cb0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x0040054e 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world! 0x7ffe89cd1ca0 <uninitialized data>


● rsp: 0x7ffe89cd1ca0 0x7ffe89cd1ca8 0x00007ffe89cd1cc0
● rbp: 0x7ffe89cd1cb0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x00400552 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret
0x33: Stack Frames (skipped over puts to leave)

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world! 0x7ffe89cd1ca0 <uninitialized data>


● rsp: 0x7ffe89cd1ca0 0x7ffe89cd1ca8 0x00007ffe89cd1cc0
● rbp: 0x7ffe89cd1cb0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x0040055f 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave (mov rsp, rbp;pop rbp)
0x00400560 c3 ret
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world! 0x7ffe89cd1ca0 <uninitialized data>


● rsp: 0x7ffe89cd1cb8 0x7ffe89cd1ca8 0x00007ffe89cd1cc0
● rbp: 0x7ffe89cd1cd0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x00400560 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400546 55 push rbp 0x7ffe89cd1cc8 0x00000021646c726f
0x00400547 4889e5 mov rbp, rsp 0x7ffe89cd1cd0 0x00000000004005b0
0x0040054a 4883ec10 sub rsp, 0x10
0x0040054e 48897df8 mov qword [rbp - 8], rdi
0x00400552 488b45f8 mov rax, qword [rbp - 8]
0x00400556 4889c7 mov rdi, rax
0x00400559 e8d2feffff call sym.imp.puts
0x0040055e 90 nop
0x0040055f c9 leave
0x00400560 c3 ret (pop rip)
0x33: Stack Frames

● rdi: 0x7ffe89cd1cc0 char* -> Hello, world! 0x7ffe89cd1ca0 <uninitialized data>


● rsp: 0x7ffe89cd1cc0 0x7ffe89cd1ca8 0x00007ffe89cd1cc0
● rbp: 0x7ffe89cd1cd0 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
● rip: 0x0040059c 0x7ffe89cd1cb8 0x000000000040059c
● Disassembly: 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x00400597 e8aaffffff call 0x400546 0x7ffe89cd1cc8 0x00000021646c726f
0x0040059c bf00000000 mov edi, 0 0x7ffe89cd1cd0 0x00000000004005b0
0x004005a1 e89afeffff call sym.imp.exit
0x34: Quick note about Endianness

● Memory addresses in this binary are reprented 0x7ffe89cd1ca0 <uninitialized data>


in little-endian byte order. 0x7ffe89cd1ca8 0x00007ffe89cd1cc0
● Thus, to the right, the address
0x7ffe89cd1cc0 addresses the byte ‘0x48’, 0x7ffe89cd1cb0 0x00007ffe89cd1cd0
0x7ffe89cd1cc1 addresses the byte ‘0x65’, 0x7ffe89cd1cb8 0x000000000040059c
... 0x7ffe89cd1cc0 0x77202c6f6c6c6548
0x7ffe89cd1ccc addresses the byte ‘0x21’ 0x7ffe89cd1cc8 0x00000021646c726f
● Thus memory addresses appear ‘correct’ when 0x7ffe89cd1cd0 0x00000000004005b0
little-endianness is accounted for, but strings
appear backward
● When printing in sequential order, memory
address appear backward-ordered (by byte) but
strings appear correct.
● TRY IT:
○ `pxq 8 @ rbp` vs. `px 8 @ rbp`
○ `pxq 16 @ str.Hello__world_`
○ `px 16 @ str.Hello__world_`
0x40: Radare2
● Disassembly
● Debugging
● Scripting
Computer Wizard’s
Spellbook
0x41: Configure radare2 for debugging

$ cat ~/.radare2rc $ tty


e scr.wheel=false /dev/pts/##
e stack.bytes=false
e stack.size=114 $ clear; sleep 99999999999999999;

$ cat ./<programName>.rr2
#!/usr/bin/env rarun2
program=<programName>
arg0=”./<programName>”
stdio=/dev/pts/<##>
0x42: Debugging in radare2

$ r2 -d rarun2 -R ./<programName>.rr2 ● Breakpoints are fundamental to


debugging
○ `db <addr/sym>` to set a
● Every command is a mnemonic breakpoint
● Use `?` to see help with any ○ `dc` to continue execution until
you hit a breakpoint or program
command
completion
○ E.g. `a?` will show all analysis
○ `ds` to step instructions and
command reference
into calls
● Most commands have subcommands ○ `dso` to step instructions and
○ `db?`, `dc?` over calls
● Radare2 Essential commands: ○ `dcr` continues until a `ret`
○ `aaa`, `s`, `pd`, `px[wq]`, `ps`, instruction!
`db`, `dbt`, `dc`, `dcr`, `ds`,
`dr[r]`, `ood`, `dm`
0x43: Visual Mode
● `V` to enter visual mode
● `?` to see visual mode keyboard shortcuts
● `:` to enter cmd mode
○ <enter> to exit cmd mode
● `p` to cycle view modes
● `c` to enter/exit cursor mode
○ `hjkl` to navigate cursor (vim keys), or arrow keys
○ `b` to set breakpoint
○ `wx` (in write mode) to write bytes
○ `wa` (in write mode) to write assembly
● `u` to undo seek
● `s` to step into
● `S` to step over (capitalized with <shift>)
● `.` to seek to rip
● `_` to view Flags
0x44: Visual Mode UI

● Yellow == Current
Seek address
● Green == Stack view
● Blue == Registers
● Red == Disassembly
0x45: First binary walkthrough: hello

● Commandline Sequence: ● Visual mode Sequence (better!):


○ aaa #analyze ○ aaa
○ db main #set break point ○ db main
○ dc #continue exec ○ dc
○ pd 10 #print 10 instruct. ○ V #start Viz mode
○ 3ds #debug-step 3 times ○ pp #switch to debug view
○ s rip #seek to current rip ○ sss #step 3x
○ ps @ rdi #print str ○ :ps @ rdi #print str @ rdi
○ pd 3 #print 3 instruct. ○ :<enter> #exit cmdline mode
○ dso #step over ○ S #(capital) Step-over
○ dc #continue ○ :dc #debug continue
0x46: Helpful Tips for Exercises:

● Slides 0x42 and 0x43 provide useful ● If you need to back out of any menus
commands for both command and visual from visual mode use `q` to quit out
modes of them.
● Use `?` or `??` after a command for ● If you’re new to all this, start at
help! `re1` and open up `walkthrough.txt`
● Split your terminal window with using `less` or `nano` or `vim`:
<ctrl+shift+O> and <ctrl+shift+E>! ○ $ less walkthrough.txt
● If you accidently end up in ● If you have any questions about
no-man’s-land, using `:ood <args>` anything, please ask me or any of
will re-open the binary in radare2 the SIT officers and we’ll be glad
with any optional arguments you’d to help!
like (unless you used the .rr2 ● I encourage you to work in groups
rarun2 profile) since the complexity of this stuff
● Refer to this site for assembly is high and teamwork can help!
instruction reference. ● `:dcr` will continue until return!
0x47: External resources
0x11: Compiling source
Working with Hexadecimal: https://learn.sparkfun.com/tutorials/hexadecimal
High-level article on compilers: https://en.wikipedia.org/wiki/Compiler

0x12: Looking at the Binary


What is File Magic?: https://en.wikipedia.org/wiki/Magic_number_(programming)#Format_indicator
Commands used: file, strings, xxd, less, objdump, grep,
For help with these commands, just use `man <command>` to show the manual pages.
For information on how linux PIPES (“|”) work, check out:
https://superuser.com/questions/756158/what-does-the-linux-pipe-symbol-do

0x20: Memory and Registers


Subject matter learned in Computer Organization: processor pipelining, memory types vs speed, Instruction decoding.
High-level Register reference: https://www.cs.umd.edu/class/sum2003/cmsc311/Notes/Overall/register.html

0x21: Memory
Virtual-Physical memory mapping learned in OS
High-level overview of Linux Memory Management: http://www.thegeekstuff.com/2012/02/linux-memory-management/

0x22: Process memory layout


Elf File format: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
Process memory overview: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
Take note that the above link reverses address direction (high-on-top) whereas the better way is (low-on-top)

0x23 Registers:
Learned about memory timings and CPU caching in Comp Org
Register reference: https://wiki.cdot.senecacollege.ca/wiki/X86_64_Register_and_Instruction_Quick_Start
Syscall table: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
0x47: External resources
0x31: Assembly Instructions
High-level overview of Assembly: http://ian.seyler.me/easy_x86-64/
x86 Instruction reference: https://www.aldeid.com/wiki/X86-assembly#Pages_in_this_category
Video tutorial of basic assembly: https://www.youtube.com/watch?v=busHtSyx2-w

0x32: Function Prologue and Epilogue


Look here for which registers are preserved across function/syscalls:
https://stackoverflow.com/questions/18024672/what-registers-are-preserved-through-a-linux-x86-64-function-call
Stack frame layout on x86-64: http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64
Ridiculously drawn (with terrible audio) but accurate: https://www.youtube.com/watch?v=kSgrKtA0rJM

0x33: Stack Frames


Use `man ascii` to see what ordinal values correspond to which letters of the alphabet! (or visit a page like
http://www.ascii-code.com/)

0x34: Quick note about Endianness


More about endianness: https://en.wikipedia.org/wiki/Endianness

0x40: Radare2
Official radare2 repo (with install instructions): https://github.com/radare/radare2
My custom radare2 Cheat Sheet:
https://docs.google.com/document/d/1our_fcFcufIJ13QsZoDuGOEBqftF6o0zEkDsqzAy43U/edit?usp=sharing
Unofficial radare2 Cheat Sheet (a little outdated):
https://github.com/pwntester/cheatsheets/blob/master/radare2.md

You might also like