Fact-checked by Grok 2 weeks ago

Radare2

Radare2, often abbreviated as r2, is a free and open-source framework and command-line toolset designed for binaries, providing capabilities for disassembly, , , , and patching across a wide range of architectures and operating systems. Originally developed as a simple command-line hexadecimal editor focused on tasks, the radare project has evolved into a comprehensive, extensible platform distributed under the LGPLv3 license, supporting scripting in and integration with external tools like GDB, , and for advanced process manipulation and dynamic . It operates in multiple modes—including batch, command-line, visual, and panel-based interfaces—and includes a for enhancements such as decompilation (via r2ghidra) and binary lifting, making it suitable for low-level tasks in software , , and . With native support for architectures like x86, , , and , as well as cross-platform compatibility on systems, Windows, and , Radare2 emphasizes modularity through libraries, standalone utilities (e.g., rasm2 for , rabin2 for ), and a web-based interface for collaborative workflows. The project maintains regular releases every six weeks, with documentation available in an official book and self-help commands within the tool itself.

Overview

Description and Purpose

Radare2, commonly referred to as , is a and open-source reverse engineering framework and command-line toolset designed for various operating systems, including UNIX-like systems, Windows, and . It is distributed under the GNU Lesser General Public License version 3 (LGPLv3), allowing for broad use and modification while requiring derivative works to adhere to compatible licensing terms. As a comprehensive toolkit, Radare2 enables users to perform low-level operations on binaries without relying on . The primary purposes of Radare2 include binary analysis, disassembly, , , patching, and forensics, all tailored for software and security research. It supports the dissection of executable files to reveal internal structures, control flows, and behaviors, facilitating tasks such as code navigation, pattern searching, and data modification. Through its extensible architecture, including scripting via r2pipe and integration with debuggers like GDB and , Radare2 serves as a foundational tool for examining software at the assembly level across diverse platforms. Originally developed as a simple command-line hexadecimal editor focused on forensic tasks, Radare2 has evolved into a full-featured capable of handling complex binaries through advanced scripting and support. This progression reflects its growth from basic file editing to a versatile system for using the ESIL engine and visual analysis modes, enhancing its utility in intricate workflows. Key applications of Radare2 encompass , where it aids in disassembling and inspecting malicious binaries, such as Android trojans, to identify suspicious behaviors and extract embedded data. It is also employed in vulnerability discovery, particularly for , by enabling the auditing of binaries for flaws through disassembly and . In , Radare2 supports the modification and testing of binaries to attacks, leveraging its patching and debugging capabilities. Additionally, it is widely used in embedded systems , providing tools for analyzing and low-level software on constrained devices.

Core Components

Radare2 serves as the central (CLI) in the , enabling users to load files, perform analysis, and interact with the system through various modes including command-line, batch, visual, and panels. It acts as the primary entry point for tasks, supporting file editing, kernel memory viewing, and local or remote debugging via protocols like GDB or . r2pipe functions as the (IPC) library for Radare2, facilitating scripting and integration by allowing access to Radare2's core functions from external programs in multiple languages. It supports bindings in , (), and Go, with backends for pipe, , HTTP, RAP, and protocols to enable synchronous or asynchronous interactions without direct handling of native APIs. The plugin system in Radare2 enhances its extensibility, with core plugins handling essential operations such as disassembly via rasm2, which serves as a standalone assembler and supporting numerous architectures bidirectionally. Assembly is managed through dedicated asm plugins, while emulation and analysis are supported by io and anal plugins, respectively. For decompilation, the r2ghidra plugin integrates the Ghidra decompiler's C++ logic directly into Radare2, enabling advanced code recovery without requiring the full installation. Plugins can be written in C or as external scripts and are managed via the r2pm . Radare2's modular architecture is built on a collection of LGPLv3-licensed libraries that support plugins for diverse operating systems, architectures, and file formats, allowing seamless extensions through C-based plugins or scripts in other languages. This design promotes portability and customization, enabling the framework to adapt to specialized needs. Key utilities complement the core by providing focused functionalities: rabin2 extracts binary information such as imports, exports, sections, symbols, strings, and dependencies from formats like , , , and CLASS, with output options including for programmatic use. radiff2 performs binary diffing, supporting one-to-one comparisons, delta patches, code analysis, and graph-based diffs across architectures. ragg2, the egg compiler, assembles relocatable code snippets or high-level scripts into minimal binaries for x86, , , and other architectures, supporting outputs like raw binaries, C arrays, or executable formats with encoding and padding options for generation.

History

Origins and Early Development

Radare2 originated from the radare project, initiated in February 2006 by Sergi Alvarez, known by the pseudonym "," as a simple command-line editor designed to handle 64-bit offsets. This initial version, often referred to as radare v1, was developed to address needs in low-level file manipulation, particularly for recovering deleted files through manual and interactive carving from disk or . Alvarez, working as a at the time, created the tool while attempting to retrieve data from an older G3, highlighting its roots in practical forensic challenges. The early focus of radare emphasized forensics and basic binary editing, drawing inspiration from established Unix utilities such as xxd and hexedit for its straightforward, text-based interface. This design choice aligned with the of small, modular programs that interact via standard input and output, promoting simplicity and ease of integration into pipelines. Motivations for its creation stemmed from the lack of free, open-source alternatives to proprietary tools, with a strong emphasis on portability across systems including , BSD, and macOS. By providing an accessible editor for without licensing restrictions, radare aimed to empower researchers and analysts in resource-constrained environments. Initial public releases of radare v1 appeared shortly after its inception in 2006, distributed via repositories and early like the 2008 radare , which outlined its growing capabilities in disassembly and scripting. Around 2008-2010, Alvarez undertook a complete rewrite, resulting in radare2, to improve architectural support, cleanliness, and cross-platform compatibility, transforming it from a basic editor into a more robust framework. This shift laid the groundwork for broader adoption while preserving the project's core commitment to open-source tools.

Major Releases and Evolution

Radare2 achieved its first stable release, version 1.0, in 2016, which introduced foundational multi-architecture support for disassembling and analyzing binaries across various platforms. This milestone marked the project's shift from early prototypes to a robust framework, enabling broader adoption in tasks. Subsequent versions built on this base, with version 3.0 released in 2018 featuring significant improvements to scripting capabilities, including enhanced support for automation through languages like and . Version 5.0 followed in 2021, focusing on advancements in through the ESIL , allowing for more accurate of binary execution paths during analysis. In late 2020, due to disagreements between the original author and a group of contributors, the project experienced a significant fork with the creation of Rizin, a separate framework. This event also led to the forking of the Cutter GUI to support Rizin, prompting the Radare2 team to re-establish its official graphical interface as Iaito in early 2021. The project transitioned to the 6.x series starting around 2023, with ongoing releases through 2025 emphasizing performance and architecture-specific enhancements. For instance, version 6.0.5, released in late 2025, included optimizations for and ARM64 handling, such as improved disassembly accuracy and support for Plan 9 64 binaries, facilitating analysis of embedded and modern processor workloads. These updates reflect the framework's maturation, with cumulative commits exceeding 24,000 by mid-2025. Community-driven developments have been integral to Radare2's evolution. In 2020, the r2ghidra plugin integrated the natively, enabling high-level decompilation within the Radare2 ecosystem without external dependencies. Additionally, in 2021, following the , the official graphical user interface, previously known as , was renamed to Iaito to align with the project's original vision and streamline maintenance under the radareorg umbrella. Recent advancements include the introduction of the r2ai extension in 2024-2025, which leverages large language models for assisting in , such as generating explanations for disassembled code and automating . This was highlighted in r2con 2025 presentations on automated binary morphing, where tools like r2morph demonstrated semantic-preserving transformations for evasion analytics. Since its inception on in 2011, Radare2 has been governed as an open-source project, amassing over 800 contributors by 2025 through collaborative pull requests and community events.

Technical Architecture

Command-Line Interface

Radare2's command-line interface (CLI) serves as the primary method for interacting with the tool, providing a lightweight and efficient environment for tasks. Users initiate a session by invoking the r2 command followed by the target file path, such as r2 /bin/ls, which loads the into for without requiring graphical dependencies. This approach ensures consistency across platforms, including systems, Windows, and embedded environments, making it suitable for resource-constrained settings. Once loaded, the CLI supports multiple interaction modes to facilitate navigation and analysis. The visual mode, entered via the V command, offers an interactive disassembly view, while VV displays a graphical representation of control flow. Panel-based layouts are available in visual panels mode, entered via the V! command, where the p command rotates through different layouts combining views like hex dumps and disassembly. Debugging sessions can be managed with commands like dcu, which continues execution until a specified address or breakpoint. Essential analysis commands include aaa for comprehensive program analysis, pdf to disassemble the current function, and afl to list all detected functions. Patching is achieved using wx to write hexadecimal bytes at specific offsets, and strings can be extracted or exported with izz. A typical workflow begins with loading the binary (r2 [file]), followed by analysis (aaa), function navigation (afl), and disassembly (pdf @ main). Users can then seek to offsets (s 0xaddress), patch modifications (wx 90 @ 0xdeadbeef), and export results, such as strings to a file (izz > strings.txt). This sequence enables rapid iteration from initial inspection to targeted modifications. Customization enhances CLI efficiency through configuration files, aliases, and keybindings. The primary user configuration file, ~/.radare2rc, loads automatically on startup and accepts e commands to set variables, such as e scr.color=true for colored output. Aliases are defined with the $ prefix, for example, $dis=pdf to shorten disassembly calls, and can be listed with $. Keybindings, particularly in visual mode, allow remapping actions via config directives like e key.v=v for custom navigation. These features support scripting extensions for automated tasks. The CLI's advantages lie in its minimal footprint, requiring no additional runtime libraries beyond the core binary, which promotes portability and performance on diverse hardware. Its scriptable nature, via inline commands or external files, integrates seamlessly with pipelines, while uniform syntax ensures reliability across operating systems.

Libraries and Plugins

Radare2's extensibility relies on a modular architecture built around several core libraries that provide foundational functionality for input/output operations, code analysis, assembly, and binary parsing. The primary library, libr_core, manages core input/output (IO) tasks and analysis workflows, including URI-based file handling for local files, process memory, remote connections, and debugging sessions, while also supporting emulation through the ESIL engine. Complementing this, libr_asm handles assembly and disassembly operations across numerous CPU architectures, enabling the conversion of mnemonic instructions to machine code and vice versa. Similarly, libr_bin is responsible for parsing various binary formats, extracting structural elements such as symbols, sections, imports, and headers from executables like ELF and PE files. The plugin ecosystem extends these libraries by allowing dynamic addition of specialized components without recompiling the core framework. Plugins are categorized by type, including analyzers that enhance code analysis (e.g., generating control flow graphs via anal plugins), IO plugins that abstract file system interactions for non-standard sources like network streams or debuggers, and format handlers (e.g., bin plugins) that support additional binary formats beyond the built-in ones. IO plugins, in particular, wrap operations such as open, read, write, and system calls to treat diverse data sources—ranging from malloc-allocated buffers to remote processes—as virtual files, facilitating tasks like remote debugging over GDB or HTTP. Plugins load dynamically at startup when the configuration variable cfg.plugins is set to true, which is the default behavior, enabling seamless integration of both core plugins (bundled with the distribution) and user-added ones installed via the into directories such as ~/.local/share/radare2/plugins for user-specific extensions or system-wide paths like /usr/share/radare2/plugins. This separation allows core plugins to provide essential commands and backends, while user plugins can extend functionality without altering the base installation. Radare2 exposes its internals through a C API for direct embedding in custom applications, offering low-level access to core functions like and management. For integration with non-C languages, the r2pipe provides bindings that communicate via pipes, HTTP, sockets, or the RAP protocol, supporting scripting in languages such as , , , and Go to automate tasks like batch or tool chaining. Representative examples of this ecosystem include the r2ghidra plugin, which integrates the decompiler's C++ backend directly into Radare2 for function decompilation using commands like pdg after analysis, enhancing static code understanding without requiring the full Ghidra suite. Another is the r2frida plugin, which combines Radare2 with for dynamic instrumentation of running processes, allowing memory manipulation, script execution in JavaScript or C, and attachment to local or remote targets via IO URIs like frida://pid. These plugins exemplify how the library and plugin system enables hybrid static-dynamic workflows in reverse engineering.

Key Features

Static Binary Analysis

Radare2 provides robust capabilities for static , enabling reverse engineers to examine files without execution to uncover structure, logic, and potential vulnerabilities. This includes decoding instructions, recovering higher-level representations, identifying elements, and modeling program flow, all through a and integrated tools. These features rely on the framework's engine, which processes to build internal representations like boundaries and cross-references. Disassembly in Radare2 is handled primarily by the rasm2 tool and integrated commands within the main interface. Rasm2 serves as a standalone assembler and supporting numerous architectures, such as x86, , and , by converting hexpair or binary input into readable instructions using the -d flag for basic output or -D for detailed views with offsets and bytes. For example, rasm2 -a x86 -b 32 -d '90' disassembles to [nop](/page/NOP). Within Radare2, commands like pd N disassemble N instructions at the current offset, while pD N focuses on N bytes, and pda covers all opcodes for tasks like analysis. For decompilation, the r2ghidra integrates Ghidra's C++ to generate pseudo-C code from disassembled functions, invoked via pdg or pdgo for offset-annotated output. occurs through Radare2's with r2pm -i r2ghidra, and options like e r2ghidra.lang=c refine the output language. This yields structured representations of control structures and variables, though accuracy depends on prior analysis. Symbol and function identification begins with auto-analysis commands such as aa to scan entry points and symbols, populating internal data structures. The is command lists imports, exports, and symbols across formats, with is* setting flags for navigation; for instance, is~sym greps for specific symbols like imports. Functions are identified via af for analysis at an address, with afl listing all detected functions including address, size, basic blocks, and names—e.g., aflj outputs in JSON for scripting. Call graphs are generated using agc, which visualizes inter-function relationships; agcd exports to Graphviz DOT format for external rendering, aiding in understanding call hierarchies. Control flow analysis identifies basic blocks and edges through recursive traversal post-disassembly, configured by options like anal.jmp.indir=true for indirect jumps. The afb command lists blocks within a function, showing start/end es and jump types, while manual blocks can be added with afb+. Data flow aspects include reference tracking via aar for data refs and axt for code refs to an . Variable recovery employs afv to list locals and arguments, with afva re-analyzing for stack/register-based vars; types are inferred via afta and modified with afvt, enhancing decompilation readability. calculation for strings, useful for distinguishing code from data, uses ph entropy [len] on blocks or pze in print modes to quantify —e.g., high indicates encrypted strings. Strings themselves are extracted with iz for data-section listings or izz for raw searches. Binary patching allows in-place modifications without external tools, using s to to an (e.g., s 0x8048300) followed by wx <hex> to write bytes—such as wx 123456 to overwrite three bytes. Changes are tracked with wc for a list and committed via w or w!! for the full file. This facilitates quick fixes or behavioral alterations during . Tool integration extends static through radiff2, which performs diffing for similarity detection, particularly in families via (-O) or graph (-g) modes with thresholds (e.g., -t 70%). It supports formats like (-j) or unified (-u), enabling comparison of code structures across samples to identify variants.

Dynamic Analysis and Debugging

Radare2 supports dynamic analysis through its integrated capabilities, allowing users to attach to running processes, step through execution, and inspect states on various platforms. Debugging sessions can be initiated in native mode using the ptrace on or equivalent mechanisms on other operating systems, by launching r2 -d <program> to and debug a new process or r2 dbg://<PID> to attach to an existing one. Remote debugging is facilitated via GDB integration, enabling connections like r2 gdb://localhost:1234 for cross-machine or emulated environments such as . Additionally, kernel-level is supported through plugins such as the plugin, providing low-level access to process signals and memory in multi-OS environments including / and Windows. For instruction-level simulation without full process execution, Radare2 employs ESIL (Evaluable Strings Intermediate Language), a stack-based that translates CPU opcodes into a Forth-like notation for across multiple architectures. ESIL enables partial or imprecise full to resolve behaviors like indirect branches or syscalls, initialized with commands such as aei for the or aes to step through instructions. This multi-architecture support allows simulation of non-native code, with expressions like 0,eax,=,1,zf,= representing operations such as xor eax, eax, facilitating dynamic insights independent of the host CPU. Breakpoints and tracing enhance control over execution flow, with the db command family managing breakpoints—such as db <addr> to set one at a specific address or db sym.main at a function entry—and supporting conditional logic via scripts like dbc <addr> <cmd> to execute commands (e.g., register dumps) upon hit. Tracing, enabled by e asm.trace=1; e dbg.trace=1, uses dt commands to record instruction paths, including dt to list traces, dt+ <addr> <times> to limit traces at an address, and dtg for graphical call/return visualizations, aiding in coverage analysis during debugging or ESIL steps. Runtime inspection is streamlined through dedicated commands for registers and memory. The dr command displays or modifies registers, as in dr for all general-purpose values (e.g., rax = 0x00000000) or dr rip for a specific one, with dr* exporting states for saving and restoration via drp. Memory examination via dm reveals process maps (e.g., dm lists segments like stack and ), while dm= provides ASCII-art overviews; heap-specific analysis includes dmh to map malloc chunks and dmhg for graphical layouts of bins and pointers. To counter anti-debugging measures, Radare2 aids in detecting and evading techniques like timing checks, where execution delays from breakpoints are measured against expected timestamps, and monitoring, which probes for tracers via syscalls like PTRACE_TRACEME that fail under attachment. Users can intercept such checks by setting breakpoints on ptrace imports, modifying return values with dr to simulate success (e.g., 0), or patching binaries to alter failure conditions, often combined with tools like R2Frida for dynamic interception.

Forensics and Binary Patching

Radare2 provides robust forensics capabilities through commands designed for data extraction and verification in investigative contexts. The izz command extracts printable strings across the entire binary, aiding in the identification of embedded text, URLs, or error messages that may reveal artifacts in or corrupted files. Similarly, the ph command computes cryptographic hashes such as or SHA-256 for specified blocks, enabling integrity checks against known good samples during evidence validation. For data carving, the pc command displays raw bytes in columnar format, facilitating manual recovery of file headers or structures from unstructured disk sectors without relying on . In binary manipulation, Radare2 supports non-destructive via write invoked with r2 -w, allowing users to patches while preserving the original file through mechanisms like reversal (u command). Block-based uses the b command to define granular sections for modification, such as altering opcodes or injecting payloads, which is essential for . extraction leverages these tools by loading raw images and carving embedded , often combining searches for magic bytes with block exports to isolate components like bootloaders. For vulnerability exploitation, Radare2 includes aids like the /R search for ROP gadgets, which scans for instruction sequences ending in returns (e.g., /R pop rdi; ret), supporting construction in exploit development. Crypto constant detection employs the /ca command to identify expanded or SM4 keys within binaries, helping uncover hardcoded secrets in assessments. File recovery in Radare2 handles corrupted binaries by parsing partial structures with commands like iS for sections and iz for residual strings, even when headers are damaged. Sector of disk images involves loading devices (e.g., r2 /dev/sda) and using offset-based seeks with s to probe for recoverable data, originating from its roots as a tool for RAM and disk forensics. Integration with external forensics workflows is facilitated by export options, such as tools in the radare2ida repository for generating scripts importable into IDA Pro, enabling seamless transfer of analysis annotations. For memory forensics, Radare2 can process memory dumps by loading them as binary files, compatible with outputs from tools like , and outputs hex or data for cross-tool correlation.

Scripting and Automation

Radare2 supports extensive scripting and automation capabilities through its r2pipe , which enables programmatic interaction with the tool for creating repeatable workflows and custom analysis tasks. The r2pipe facilitates (IPC) using -formatted output, allowing users to pipe commands to a running Radare2 instance via backends such as spawn pipes (e.g., r2 -0), HTTP queries for cloud environments, or sockets (e.g., r2 -c). This design originated as a interface to extend the web-based r2.js to command-line usage, but it has since been implemented across multiple languages. Scripting in Radare2 is achieved through built-in support for JavaScript via the R2JS runtime, an embedded QuickJS ES6 interpreter introduced in version 5.8.x, which allows execution of .r2.js files using the . command or the -i flag (e.g., r2 -i script.r2.js /bin/ls). For evaluation within the shell, dot commands (prefixed with .) load and run scripts directly, supporting quick prototyping without external dependencies. Python integration occurs via r2pipe bindings, where users can open binaries and issue commands programmatically, such as import r2pipe; r2 = r2pipe.open("/bin/ls"); r2.cmd("aa"); print(r2.cmdj("aflj")) to perform analysis and retrieve JSON-formatted function lists. These mechanisms enable seamless automation of reverse engineering tasks. Radare2 provides official language bindings generated via Valabind and for , Go, , , , , , and Vala, allowing direct access to the core for embedding in larger applications. Community-maintained bindings extend this to languages like and . For instance, the Go binding supports r2pipe operations for tasks like binary loading and command execution. These bindings facilitate the development of automated tools that leverage Radare2's analysis engine without relying solely on command-line piping. Automation examples include batch scripts that process multiple binaries, such as iterating over a with for i in ./*; do r2pipe_script $i; done, where the script opens each , runs full (aaa), and extracts data like call graphs or strings. Custom analyzers can be implemented as plugins in the libr/anal/p/ , using skeletons from r2skel to extend the for specific architectures or logic, which are then loaded dynamically to enhance core functionality. Advanced automation involves hooking into analysis callbacks through the core API, particularly in emulation and plugin contexts, to enable real-time processing during disassembly or function analysis. For example, ESIL (Radare2's emulator) uses callbacks for interrupt handling and traps, allowing scripts to intercept and modify analysis flows dynamically via bindings or C extensions. This supports custom workflows like on-the-fly data annotation in large-scale binary reviews.

User Interfaces

Graphical Interfaces

Iaito serves as the official graphical user interface (GUI) for Radare2, providing a Qt-based frontend that enhances the framework's core capabilities with visual tools for reverse engineering tasks. Originally named Iaito and renamed to Cutter in 2017, following the Rizin fork it was renamed back to Iaito for the Radare2 version, supporting cross-platform operation on Linux, macOS, and Windows, emphasizing simplicity and parity with Radare2's command-line features. Key functionalities include interactive disassembly views, control flow graphs for navigation, hex editors for binary manipulation, and a forensics mode for detailed analysis, all integrated seamlessly with Radare2's backend. Additionally, Iaito accommodates plugin support, allowing users to leverage extensions like r2yara for YARA-based pattern matching directly within its interface. Beyond full GUIs like Iaito, Radare2 incorporates built-in visual modes accessible via commands, offering lightweight graphical extensions for users preferring a command-line . The V mode displays an interactive and hex view with cursor navigation, while VV enables graph-based of , facilitating quick disassembly inspection without external tools. These modes provide essential visual feedback, such as zooming and panel layouts, but remain tied to the CLI paradigm. Other community-developed graphical interfaces include web-based options like the Radare2 WebUI, which enables browser-accessible analysis through HTTP servers, supporting remote disassembly and graphing for collaborative workflows. Compared to the core CLI, these graphical interfaces offer advantages such as drag-and-drop file loading, multi-tabbed sessions for managing multiple binaries, and intuitive navigation tools that lower the entry barrier for beginners while preserving advanced scripting capabilities. Recent developments in Iaito, with version 6.0.4 released in October 2025, align closely with Radare2 6.0.4, incorporating enhancements like improved plugin compatibility and support for AI-assisted analysis through the r2ai extension, which integrates large language models for tasks such as automated decompilation and . This evolution maintains Iaito's role as a user-friendly layer atop Radare2's robust , promoting broader adoption in communities.

Integration with Other Tools

Radare2 facilitates integration with external tools through its r2pipe interface, which provides a command-line and mechanism for scripting and data in various programming languages, enabling seamless workflows with software such as IDA Pro, , and . This allows users to automate tasks like importing analysis results or exporting disassembly via scripts, for instance, using bindings to bridge Radare2's output with Ghidra's scripting environment. Such integrations enhance interoperability without requiring native support in the external tools. For dynamic analysis, Radare2 connects with through the r2frida plugin, which combines static disassembly with runtime instrumentation to inspect and manipulate processes across platforms like , , and . Additionally, Radare2 supports for full-system , allowing users to execute and analyze binaries in emulated environments via its ESIL , which can pipe execution traces back into Radare2 sessions. Data sharing is enabled through export and import capabilities in formats like for structured output of symbols, sections, and analysis results, as well as support for importing Pro's IDB databases using the ida2r2.py script based on python-idb. PDB files for Windows executables can be parsed via the rabin2 tool to extract type information and symbols. These features position Radare2 as a backend for custom applications, where its C libraries and r2pipe allow embedding binary analysis into larger pipelines, such as security research tools. In exploit development, Radare2 integrates with by using its emulation to unpack and analyze encoded payloads, facilitating the creation of custom exploits through scripted disassembly and patching. For network forensics, it complements tools like by exporting binary data for correlation with packet captures in mixed-protocol investigations. The Radare2 ecosystem includes tools like r2dec, a that generates pseudo-C code from , installable to extend output for integration with higher-level analysis pipelines. Package management is handled by r2pm, which simplifies installing and updating third-party plugins and bindings to maintain compatibility with external workflows.

Supported Platforms

Architectures

Radare2 provides disassembly and emulation support for a wide range of CPU architectures, enabling reverse engineers to analyze binaries across diverse instruction set architectures (ISAs). The framework's architecture plugins leverage libraries such as for disassembly and custom implementations for assembly and , ensuring compatibility with both big-endian and little-endian byte orders in architectures like and . Among the core supported ISAs are x86 and for and processors, in 32-bit and 64-bit variants (including mode for compact 16-bit instructions), in 32-bit and 64-bit forms (with handling for extensions), for modern open-source designs, PowerPC for and server systems, for legacy Unix workstations, and AVR for microcontrollers. These architectures cover a from general-purpose to devices, with Radare2 supporting over 60 ISAs as of 2025. Users can query the full list of supported architectures using the command-line tool rasm2 -L or the in-session command La within Radare2. For emulation, Radare2's ESIL (Radare2 Emulation Standard Intermediate Language) provides partial coverage for key architectures such as and , facilitating dynamic analysis and simulation of instruction execution. Ongoing improvements in version 6.x, released starting in , have enhanced ESIL's visual debugging and instruction emulation accuracy for these ISAs. However, support for emerging ISAs like , with disassembly and emulation capabilities.

File Formats and Operating Systems

Radare2 supports a wide array of binary file formats through its core library, libr_bin, enabling comprehensive analysis of executables across various platforms. Key formats include for and systems, and PE+ for Windows, and Fat Mach-O for macOS and , DEX and ART for applications, and raw firmware formats such as BIN, UBOOT (via MBN/SBL loaders), /, and boot images. The libr_bin library provides robust parsing capabilities for these formats, extracting structural elements like section headers, symbol tables, and relocations to facilitate detailed binary inspection. It also handles debug information in formats such as for ELF and Mach-O binaries, and PDB for Windows files, allowing users to access variable names, source line mappings, and type information without relying on platform-specific APIs. As a host application, Radare2 runs on major operating systems including , Windows (from XP onward), macOS, BSD variants, , and , with additional support for niche environments like , , , and . For target analysis, it accommodates binaries from these hosts as well as embedded operating systems such as OS (RTOS) in , enabling cross-debugging and of diverse environments. Radare2's cross-platform nature is bolstered by its build systems, which include paired with for modern, efficient compilation across architectures, and traditional GNU Make; packaging is streamlined via the sys/install.sh for major distributions. In version 6.x releases, enhancements have improved and integration, such as fixing file-locking regressions on to better support mobile reverse engineering workflows.

Community and Extensions

Development Community

The Radare2 project is primarily led by its founder, Sergi Álvarez, known online as "," who initiated development in 2006 as a for forensic analysis and has remained the central figure in its evolution into a comprehensive . While handles much of the core and maintenance, the project relies on a distributed group of contributors with expertise in areas such as forensics. For example, the REMnux distribution integrates Radare2 for tasks. This involvement from users and integrators supports ongoing enhancements in areas like binary analysis and , with decisions often coordinated through informal leadership among frequent committers. Contributions to Radare2 follow an open-source model centered on its repository, where developers submit pull requests and report issues to propose and review changes. Community discussions occur via Discussions for broader announcements and collaboration, and the IRC channel #radare on for real-time support. This structure encourages participation from newcomers through labeled "good first issues" and guidelines, fostering incremental improvements in code, plugins, and usability. The development community is notably diverse and international, with over 935 contributors to the repository as of late 2025, reflecting strong involvement from —rooted in pancake's origins—and , alongside global participants from and . This broad base has enabled the project's growth, with contributions spanning code enhancements, bug fixes, and feature requests from users worldwide. Sustainability is supported through donations via Open Collective, which funds development time and infrastructure, supplemented by corporate sponsorships for annual events like r2con. Documentation efforts include the official Radare2 book, updated in 2024 to cover version 5.8 and later, alongside a community-maintained wiki and video tutorials available through project channels.

Plugins and Third-Party Tools

Radare2's plugin ecosystem is facilitated by r2pm, its dedicated , which enables users to install and manage external extensions that enhance the framework's capabilities for tasks. Notable official plugins include r2yara, which integrates the pattern-matching tool into Radare2 to identify and classify binary patterns using customizable rules. Another key extension is r2frida, which combines Radare2's static analysis with Frida's dynamic instrumentation to inspect and manipulate running processes locally or remotely. These plugins can be seamlessly installed via r2pm commands within the Radare2 environment, promoting modularity without altering the core framework. Third-party tools extend Radare2's functionality through community-developed integrations and forks. r2dec serves as a decompiler plugin, providing structured output from disassembled binaries to aid in deeper analysis. Rizin, a of Radare2 created due to development disagreements, focuses on improved , code cleanliness, and feature stability. The r2ai plugin introduces AI-driven capabilities, leveraging large models for automated reversing and decompilation, particularly effective in 2024-2025 malware analytics for and samples. This tool demonstrates high accuracy in tasks like function naming and detection, reducing manual effort in complex binaries. The annual r2con conference fosters innovation in Radare2's ecosystem, with the 2025 edition emphasizing evasion analytics and multi-architecture support through sessions on obfuscation techniques, binary research, and live demonstrations. Community resources for plugins and tools are abundant on , where repositories like radareorg/radare2 host core code, documentation, and extension development guidelines. Stack Exchange provides Q&A forums for troubleshooting plugin integrations and usage scenarios. Integrations with other tools, such as Ghidra's r2 importer via r2ghidra and r4ghidra plugins, allow bidirectional communication for enhanced decompilation and analysis workflows. Looking ahead, Radare2's plugin development prioritizes and extensions, building on r2ai for advanced dissection, alongside improved support through browser-based builds like r2web for client-side reversing post-2025. These directions aim to address emerging challenges in dynamic analysis and cross-platform compatibility.