Radare is an open source, portable reversing framework that can do many things; among them, it can disassemble 6502 code.
Download and install radare
- First, download radare from github. You need a recent version in order to disassemble 6502 code.
- And then install it by running sys/install.sh (or sys/user.sh for local installation):
Loading a c64 .prg
Radare has many command line options. But in order to load 6502 programs we need just two:
- -a6502 to specify the 6502 architecture.
- -mMemoryAddress to map the file to a certain memory address. Use 2047 for “normal” programs. They usually start at $0801 (2049), but we have to subtract the 2-byte .prg header.
Example:
Disassembling
Radare doesn’t have a GUI like IDA. Instead it has a powerful command line interface (think of GDB). Example:
And 0x7ff (2047) is the seek address, meaning that all commands will use that address as the base address. Let’s print the first 32 bytes (px = print hex):
The “2061” that we see is part of the BASIC “SYS 2061” command that usually appears in all C64 programs. So, let’s disassemble the first 12 instructions from 2061 (pd = print disassemble):
In case we don’t know the meaning of a certain opcode, we can print its description with ?d:
Or if we want to print the description in every disassembled line, we can do:
And then disassemble again:
For more disassembling options just type p?
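As an added example (not from the original post or the radare project), a small Python helper that reads the 2-byte .prg load-address header, derives the -m value to pass to radare, and parses the BASIC “SYS” stub to find the address to seek to before disassembling. The sample .prg bytes are constructed, and the binary name r2 and the file name prog.prg are assumptions.

```python
import struct

# Constructed sample C64 .prg: 2-byte load address ($0801, little-endian),
# then the classic BASIC stub "10 SYS 2061" followed by a few bytes of code.
SAMPLE_PRG = bytes([
    0x01, 0x08,              # load address $0801 (file header, not mapped code)
    0x0B, 0x08,              # pointer to next BASIC line ($080B)
    0x0A, 0x00,              # line number 10
    0x9E,                    # SYS token
    0x32, 0x30, 0x36, 0x31,  # "2061" as ASCII/PETSCII digits
    0x00,                    # end of BASIC line
    0x00, 0x00,              # end of BASIC program
    0xA9, 0x00,              # $080D (2061): LDA #$00
    0x8D, 0x20, 0xD0,        # $080F: STA $D020
    0x60,                    # $0812: RTS
])

SYS_TOKEN = 0x9E

def load_address(prg: bytes) -> int:
    """Little-endian 16-bit load address stored in the .prg header."""
    return struct.unpack_from("<H", prg, 0)[0]

def radare_map_address(prg: bytes) -> int:
    """Value for radare's -m option: load address minus the 2-byte header,
    so that file offset 0 maps to load_address - 2 (2047 for a $0801 program)."""
    return load_address(prg) - 2

def sys_entry_point(prg: bytes) -> int:
    """Parse the first BASIC line and return the decimal argument of SYS.
    Raises ValueError if the program does not start with a SYS stub."""
    pos = 2 + 4                      # skip header, next-line pointer, line number
    if pos >= len(prg) or prg[pos] != SYS_TOKEN:
        raise ValueError("first BASIC line is not a SYS statement")
    pos += 1
    digits = b""
    while pos < len(prg) and prg[pos] != 0x00:
        if 0x30 <= prg[pos] <= 0x39:
            digits += bytes([prg[pos]])
        elif prg[pos] != 0x20:       # allow spaces, reject anything else
            raise ValueError("unexpected byte in SYS argument")
        pos += 1
    if not digits:
        raise ValueError("SYS has no numeric argument")
    return int(digits.decode("ascii"))

def radare_commands(prg: bytes, count: int = 12) -> str:
    """Command line plus the seek/disassemble commands from the walkthrough."""
    entry = sys_entry_point(prg)
    return f"r2 -a6502 -m{radare_map_address(prg)} prog.prg\ns {entry}\npd {count}"

if __name__ == "__main__":
    print(radare_commands(SAMPLE_PRG))
```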
Searching
In order to search for something, like in Vi, we have to use the / command. Examples:
Search for asm opcodes: /c opcode. The following will search for sta $d020, sta $d021, sta $d022, etc.
Search for strings (although this is not very useful since most probably the strings are stored in screen codes and not in PETSCII):
Search for a sequence of hexadecimal bytes: /x. The following searches for the MSB of the music frequency table:
We can use the flag hit0_0 to refer to that address. For example, in order to dump the first 32 bytes from hit0_0 we can do:
For more search options just type /?
Visual Mode
Besides the Command Line Interface, Radare has another interface called the Visual Mode. It is similar to Vi, where each key has an associated function. In this mode, instead of entering commands, you just press one or two keys without pressing Enter.
In fact, some keys have the same Vi functionality:
- hjkl: move around
- gG: go top/bottom of page
- : : Enter a command
Visual mode has 8 different view modes that can be activated by pressing p
- hex, the hexadecimal view
- disasm, the disassembly listing
- debug, the debugger
- words, the word-hexadecimal view
- buf, the C-formatted buffer
- annotated, the annotated op analysis color map
- annotated, the annotated hexdump
Adding Comments
While analyzing code, sometimes it is useful to add comments. While in Visual Mode, we can add comments by pressing ; plus the comment.
Saving
After adding some comments, we should save the project in order not to lose the changes. To save a project just enter Ps projectName (Project save), and to open an existing project enter Po projectName (Project open). Enter Pl to list existing projects. Example:
And from the command line, we can open existing projects with the -p argument. Example:
Getting help
Just append ? to each command to get more help about that command. Example:
- ?: to list all the possible commands
- P?: to get help about the Project (P) command
- p?: to get help about the Print (p) command
- p8?: to get help about the Print 8bit hexpair command
- and so on.
When in Visual Mode, also press ? to get help.
Other resources
- Radare book
- IRC: irc.freenode.net #radare
- Twitter: @radareorg