playbooks

home / skills / 2389-research / claude-plugins / tool-setup

tool-setup skill

/binary-re/skills/tool-setup

This skill helps you install and configure reverse engineering tools across platforms, ensuring ready-to-use environments for cross-architecture analysis.

npx playbooks add skill 2389-research/claude-plugins --skill tool-setup

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
10.6 KB
---
name: binary-re:tool-setup
description: Use when reverse engineering tools are missing, not working, or need configuration. Installation guides for radare2 (r2), Ghidra, GDB, QEMU, Frida, binutils, and cross-compilation toolchains. Keywords - "install radare2", "setup ghidra", "r2 not found", "qemu missing", "tool not installed", "configure gdb", "cross-compiler"
---

# Tool Setup

## Purpose

Ensure required reverse engineering tools are available and properly configured for cross-architecture analysis.

## When to Use

- Before first analysis session
- When tool commands fail
- Setting up new analysis environment
- Updating to newer tool versions

## Required Tools

| Tool | Purpose | Priority |
|------|---------|----------|
| radare2 | Static analysis, disassembly | **Required** |
| rabin2 | Fast binary triage | **Required** (part of r2) |
| qemu-user | Cross-arch emulation | **Required** |
| gdb-multiarch | Cross-arch debugging | **Required** |
| Ghidra | Decompilation | Recommended |
| GEF | GDB enhancements | Recommended |
| Frida | Dynamic instrumentation | Optional |
| Unicorn | Snippet emulation | Optional |
| Angr | Symbolic execution | Optional |

## Installation by Platform

### Ubuntu/Debian

```bash
# Core tools
sudo apt update
sudo apt install -y \
  radare2 \
  qemu-user \
  qemu-user-static \
  gdb-multiarch \
  binutils-multiarch \
  jq                    # Required for JSON parsing in skill commands

# ARM sysroots (for QEMU)
sudo apt install -y \
  libc6-armhf-cross \
  libc6-arm64-cross \
  libc6-dev-armhf-cross \
  libc6-dev-arm64-cross

# Additional utilities
sudo apt install -y \
  file \
  binutils \
  elfutils \
  patchelf
```

### Windows (WSL2)

Windows users should use WSL2 with Ubuntu for full compatibility:

```powershell
# PowerShell (Administrator) - Install WSL2 with Ubuntu
wsl --install -d Ubuntu

# Restart computer when prompted, then open Ubuntu terminal
```

Inside WSL2 Ubuntu:

```bash
# Install all required tools
sudo apt update && sudo apt install -y \
  radare2 \
  qemu-user \
  qemu-user-static \
  gdb-multiarch \
  binutils-multiarch \
  jq \
  file \
  patchelf

# Fix file permissions for Windows-mounted drives
sudo tee -a /etc/wsl.conf > /dev/null << 'EOF'
[automount]
options = "metadata,umask=22,fmask=11"
EOF

# Restart WSL to apply changes
# (In PowerShell: wsl --shutdown)
```

**WSL2 Tips:**
- Copy binaries into `~` rather than using `/mnt/c/...` paths (fewer permission issues)
- Use `wsl --shutdown` in PowerShell to restart WSL after config changes
- Docker Desktop integrates with WSL2 for container-based analysis

### macOS (Homebrew)

```bash
# Core tools
brew install radare2 jq

# NOTE: Homebrew QEMU may lack qemu-user targets
# Verify: qemu-arm --version || echo "qemu-user missing"
# If missing, use Docker for cross-arch execution (see below)

# GDB requires special handling on macOS
brew install gdb
# Note: Code signing required for debugging

# ARM cross tools (optional, for static analysis only)
brew install arm-linux-gnueabihf-binutils
```

### macOS Docker Setup for Dynamic Analysis

Since Homebrew doesn't provide `qemu-user`, use Docker for cross-architecture execution:

```bash
# Install Docker runtime (Colima is lightweight alternative to Docker Desktop)
brew install colima docker

# Start Colima
colima start

# Register multi-architecture emulation handlers
docker run --rm --privileged --platform linux/arm64 \
  tonistiigi/binfmt --install arm

# Verify ARM32 emulation works
docker run --rm --platform linux/arm/v7 arm32v7/debian:bullseye-slim uname -m
# Should output: armv7l

# Verify ARM64 emulation works
docker run --rm --platform linux/arm64 arm64v8/debian:bullseye-slim uname -m
# Should output: aarch64

# Verify x86-32 emulation works
docker run --rm --platform linux/i386 i386/debian:bullseye-slim uname -m
# Should output: i686
```

**IMPORTANT:** On Colima, always mount from `~/` not `/tmp/`:
```bash
# ✅ Works
docker run -v ~/samples:/work ...

# ❌ May fail silently
docker run -v /tmp/samples:/work ...
```

### Arch Linux

```bash
sudo pacman -S radare2 qemu-user gdb
yay -S arm-linux-gnueabihf-glibc  # From AUR
```

## Tool-Specific Setup

### radare2

```bash
# Verify installation
r2 -v
rabin2 -v

# Install r2ghidra plugin (decompilation)
r2pm init
r2pm update
r2pm -ci r2ghidra  # -ci = clean install

# Verify r2ghidra is working (CRITICAL CHECK)
r2 -qc 'pdg?' - 2>/dev/null | grep -q Usage && echo "r2ghidra OK" || echo "r2ghidra MISSING"

# Alternative verification
r2 -c 'Ld' /bin/ls | grep -i ghidra
```

**Common r2ghidra issues:**

| Symptom | Cause | Fix |
|---------|-------|-----|
| `pdg` unknown command | Plugin not loaded | `r2pm -ci r2ghidra` |
| Plugin loads but crashes | Version mismatch | Update both r2 and plugin |
| Decompilation hangs | Large function | Use `pdf` instead, or Ghidra headless |

**Configuration (~/.radare2rc):**
```
# Disable colors for scripting
e scr.color=false

# Increase analysis limits
e anal.timeout=120
e anal.maxsize=67108864

# JSON output by default for scripts
e cfg.json.num=true
```

### Ghidra (Headless)

```bash
# Download from https://ghidra-sre.org/
# Extract to /opt/ghidra

# Verify headless script
/opt/ghidra/support/analyzeHeadless --help

# Add to PATH
echo 'export PATH=$PATH:/opt/ghidra/support' >> ~/.bashrc
```

**Memory configuration (for large binaries):**
Edit `/opt/ghidra/support/analyzeHeadless`:
```bash
MAXMEM=4G  # Increase from default
```

### GEF (GDB Enhanced Features)

```bash
# Install GEF
bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

# Verify
gdb -q -ex "gef help" -ex "quit"

# For ARM Cortex-M support, also install gef-extras
git clone https://github.com/hugsy/gef-extras.git ~/.gef-extras
echo 'source ~/.gef-extras/scripts/checksec.py' >> ~/.gdbinit
```

### Frida

```bash
# Install Frida tools
pip install frida-tools

# Verify
frida --version

# Install frida-server for device debugging (optional)
# Download from https://github.com/frida/frida/releases
```

### Unicorn (Python bindings)

```bash
pip install unicorn

# Verify
python -c "from unicorn import *; print('OK')"
```

### Angr

```bash
# Create virtual environment (recommended)
python -m venv ~/angr-venv
source ~/angr-venv/bin/activate

# Install angr
pip install angr

# Verify
python -c "import angr; print('OK')"
```

### YARA

```bash
# Ubuntu/Debian
sudo apt install yara

# Or from source for latest
git clone https://github.com/VirusTotal/yara.git
cd yara
./bootstrap.sh
./configure
make && sudo make install

# Python bindings
pip install yara-python
```

## Sysroot Setup

### Standard Debian/Ubuntu Sysroots

Already installed via `libc6-*-cross` packages:

```bash
# Verify paths
ls /usr/arm-linux-gnueabihf/lib/
ls /usr/aarch64-linux-gnu/lib/
```

### Custom Sysroot from Device

```bash
# Pull from device via SSH
mkdir -p ~/sysroots/device
ssh user@device "tar czf - /lib /usr/lib" | tar xzf - -C ~/sysroots/device

# Or minimal extraction
ssh user@device "tar czf - /lib/ld-* /lib/libc.* /lib/libpthread.* /lib/libdl.*" \
  | tar xzf - -C ~/sysroots/device
```

### Musl Sysroot

```bash
# From Alpine Linux
docker run -it --rm -v ~/sysroots:/out alpine:latest sh -c \
  "apk add musl musl-dev && cp -a /lib /usr /out/alpine-musl"
```

## Verification Script

Run this to verify all tools are working:

```bash
#!/bin/bash
set -e

echo "=== Binary RE Tool Verification ==="

# radare2
echo -n "radare2: "
r2 -v | head -1

# rabin2
echo -n "rabin2: "
rabin2 -v | head -1

# QEMU
echo -n "qemu-arm: "
qemu-arm --version | head -1

echo -n "qemu-aarch64: "
qemu-aarch64 --version | head -1

# GDB
echo -n "gdb-multiarch: "
gdb-multiarch --version | head -1

# Ghidra (optional)
if command -v analyzeHeadless &> /dev/null; then
  echo -n "Ghidra: "
  analyzeHeadless 2>&1 | head -1 || echo "available"
else
  echo "Ghidra: not installed (optional)"
fi

# Frida (optional)
if command -v frida &> /dev/null; then
  echo -n "Frida: "
  frida --version
else
  echo "Frida: not installed (optional)"
fi

# Sysroots
echo ""
echo "=== Sysroots ==="
[ -d /usr/arm-linux-gnueabihf ] && echo "ARM hard-float: OK" || echo "ARM hard-float: MISSING"
[ -d /usr/aarch64-linux-gnu ] && echo "ARM64: OK" || echo "ARM64: MISSING"

echo ""
echo "=== Verification Complete ==="
```

## Troubleshooting

### Common Issues Quick Reference

| Symptom | Cause | Fix |
|---------|-------|-----|
| `exec format error` in Docker | binfmt not registered | `docker run --privileged tonistiigi/binfmt --install arm` |
| `ld-linux.so.3 not found` | Linker path mismatch | `ln -sf /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3` |
| `libXXX.so not found` | Missing dependency | `apt install` in container (check `rabin2 -l`) |
| r2 `pdg` unknown command | r2ghidra not installed | `r2pm -ci r2ghidra` |
| Empty xrefs from `axtj` | Shallow analysis | Use `aa; aac` or manual `af @addr` |
| Empty Docker mount | Colima /tmp issue | Use `~/path` instead of `/tmp/path` |
| strace fails in container | ptrace not implemented | Use `LD_DEBUG=files,libs` |

### r2 "Cannot open file"

```bash
# Check permissions
ls -la binary

# Try with explicit format
r2 -b 32 binary
```

### QEMU "Invalid ELF image"

```bash
# Verify architecture matches
file binary

# Check QEMU variant
qemu-arm --help | grep -i "target"
```

### Docker "exec format error"

```bash
# Register binfmt handlers (one-time setup)
docker run --rm --privileged --platform linux/arm64 \
  tonistiigi/binfmt --install arm

# Verify registration
cat /proc/sys/fs/binfmt_misc/qemu-arm
```

### GDB "Cannot execute binary"

```bash
# Use QEMU as gdbserver
qemu-arm -g 1234 ./binary &
gdb-multiarch -ex "target remote :1234" ./binary
```

### Ghidra "Out of memory"

```bash
# Increase heap in analyzeHeadless script
# Or pass explicitly:
analyzeHeadless ... -max-cpu 4 -analysisTimeoutPerFile 600
```

### Missing ARM libraries in QEMU

```bash
# Set LD_LIBRARY_PATH in QEMU environment
qemu-arm -E LD_LIBRARY_PATH=/lib:/usr/lib -L /sysroot ./binary

# Or use patchelf to modify binary's rpath
patchelf --set-rpath /lib:/usr/lib ./binary
```

### Docker container can't find libraries

```bash
# Inside container, install common dependencies
apt-get update && apt-get install -y libcap2 libacl1

# Check what the binary needs
# (Run rabin2 -l on host before entering container)
```

## Version Recommendations

| Tool | Minimum | Recommended |
|------|---------|-------------|
| radare2 | 5.8.0 | Latest |
| QEMU | 7.0 | 8.0+ |
| GDB | 12.0 | 14.0+ |
| Ghidra | 10.3 | 11.0+ |
| Frida | 16.0 | Latest |

## Environment Variables

Add to `~/.bashrc` or `~/.zshrc`:

```bash
# Ghidra
export GHIDRA_HOME=/opt/ghidra
export PATH=$PATH:$GHIDRA_HOME/support

# Default sysroot for QEMU
export QEMU_LD_PREFIX=/usr/arm-linux-gnueabihf

# Angr virtual environment
alias angr-activate='source ~/angr-venv/bin/activate'
```

Overview

This skill helps install, verify, and configure common reverse-engineering tools when they are missing, failing, or need cross-architecture setup. It provides concrete installation commands, verification scripts, and platform-specific tips for Ubuntu/Debian, WSL2, macOS (Homebrew/Docker), and Arch. The goal is a reliable analysis environment with radare2, QEMU, GDB, Ghidra, Frida, and cross toolchains.

How this skill works

The skill inspects your environment for required tools and sysroots, offers step-by-step install commands per platform, and supplies verification scripts you can run. It includes tool-specific setup (r2 plugins, Ghidra headless, GEF, frida/unicorn/angr), Docker/Colima guidance for missing qemu-user targets, and troubleshooting recipes for common errors. Use the verification script to confirm each tool and sysroot is correctly installed.

When to use it

  • Before first reverse-engineering session to prepare the environment
  • When commands like r2, qemu-arm, or gdb-multiarch return errors
  • Setting up a new machine or WSL2 instance for binary analysis
  • After updating tools when plugins or decompilers stop working
  • When cross-architecture emulation or sysroots are missing

Best practices

  • Use package managers per platform (apt, brew, pacman) for core tools and pip/venv for Python bindings
  • Prefer WSL2 on Windows and copy binaries into home (~) to avoid permission issues
  • Keep r2 and r2ghidra versions aligned; verify r2ghidra with a quick pdg check
  • Use Docker/Colima to provide qemu-user targets on macOS when Homebrew qemu lacks targets
  • Create and activate virtual environments for angr, Unicorn, and other Python libs to avoid global conflicts

Example use cases

  • Install a complete Ubuntu toolchain (radare2, qemu-user, gdb-multiarch, cross libc packages) before analyzing ARM binaries
  • Fix r2 'pdg unknown command' by reinstalling r2ghidra with r2pm and re-verifying
  • Run Docker with binfmt registration to eliminate 'exec format error' when testing ARM containers
  • Prepare a Ghidra headless server with increased MAXMEM for decompiling large binaries
  • Collect a device sysroot over SSH to run QEMU with correct libraries and avoid 'ld-linux.so.* not found'

FAQ

How do I verify r2ghidra is installed correctly?

Run r2 -qc 'pdg?' - and check for a Usage line or run r2 -c 'Ld' /bin/ls and grep for ghidra. Reinstall via r2pm -ci r2ghidra if missing.

What to do if Docker shows 'exec format error'?

Register binfmt handlers with tonistiigi/binfmt --install arm (run privileged) and verify /proc/sys/fs/binfmt_misc/qemu-arm is present. For Colima, ensure mounts use ~/ not /tmp.