Reversing with Radare2 Internal grep-like filtering To open a background web-service in r2 use command =h&.

You may
You can filter command output by appending ~[!]str, to display only also want to take a look at configuration variable http.sandbox.
Starting Radare rows [not] containing string str; e.g. pdf~rdx and pdf~!rdx. You can Configuration
further filter by appending
The basic usage is radare2 exe (on some systems you can use simply e?? list all variable names and descriptions
:r display row r (0 ≤ r < #rows or, backwards
r2 instead of radare2). If there exists a script named exe.r2, then e?[?] var-name show description of var-name
with: −#rows ≤ r ≤ −1)
it gets executed after the others rc-files. If you want to run radare2 e [var-name] show the value of all variables [var-name only]
[c1 [, c2 , . . .]] display columns c1 , c2 , . . . (0 ≤ ci < #cols)
without opening any file, you can use -- instead of an executable e var-name =?[?] print valid values of var-name [with descript.]
:r[c1 , . . . , cn ] display columns c1 , . . . , cn of row r
name. E.g. e asm.arch=??
.. pipe output into less-like viewer
Some command-line options are: eco theme-name select theme; eg. eco solarized
... pipe into HUD, which filters space separated strings
-d file debug executable file eco list available themes
-d pid debug process pid Examples: afl~[0], afl~malloc[0], pdf~:2 and pdf~mov:2 b [size] display [set] current block size
-A analyze all referenced code (aaa command) There is much more (sorting, counting, . . . ); see: ~? env [name [=value]] get/set environment variables
-r profile.rr2 specifies rarun2 profile (same as Shell interaction Some variables
-e dbg.profile=profile.rr2)
Command output can be redirected to a file by appending >filename asm.pseudo enable pseudo-code syntax
-w open file in write mode
or piped to an external command with |progname [args]. Examples: asm.bytes display bytes of each instruction
-p [prj] list projects / use project prj
afl > all_functions and afl | wc -l. asm.describe show opcode description
-h show help message (-hh the verbose one)
External commands can be run with !!progname [args]. Note: if a asm.cmtright comments at right of disassembly if they fit
Example: r2 -dA /bin/ls
command starts with a single !, the rest of the string is passed to cur- asm.emu run ESIL emulation analysis on disasm
Running in different environments: rarun2 rently loaded IO plugin (only if no plugin can handle the command, asm.demangle Show demangled symbols in disasm
rarun2 runs programs with different environments, arguments, per- it is passed to the shell). bin.demangle Import demangled symbols from RBin
missions, directories and overridden default file-descriptors. Usage: Moreover, backticks can be used to send the output of r2-commands cmd.bp command to run when a breakpoint is hit;
rarun2 [-t|script-name.rr2] [directives] [--] [prog-name] [args] as arguments; e.g. !!echo ‘? 42‘. Vice versa output of external e.g. cmd.bp=!!program
rarun2 -t shows the terminal name, say α, and wait for a connec- programs can be used as arguments for internal commands; e.g. pdf cmd.stack command to display the stack in visual
tion from another process. For instance, from another terminal, you ‘echo 3‘ @ ‘echo entry0‘. debug mode (Eg: px 32)
can execute rarun2 stdio=α program=/bin/sh (use stdin/stdout to Some common Unix-like commands are implemented as built-ins; e.g. dbg.follow.child continue tracing the child process on fork
redirect one stream only). Run rarun2 -h to get a sample .rr2 file. ls, cd, pwd, mkdir and rm. dbg.slow show stack and regs in visual mode, in a slow but
rarun2 supports a lot of directives, see the man page for details. verbose (e.g. telescoping) mode; check column mode
Radare scripting dbg.trace trace program execution (check also asm.trace)
General information . filename interpret r2 script filename io.cache enable cache for IO (=non-persistent write-mode)
The command ? prints the help. Command names are hierarchically .! command interpret output of command as r2 commands scr.utf8 show nice UTF-8 chars instead of ANSI
defined; for instance, all printing commands start with p. So, to un- (Windows: switch code-page with chcp 65001)
derstand what a command does, you can append ? to a prefix of such
Python scripting (via r2pipe) scr.utf8.curvy show curved UTF-8 corners (requires scr.utf8)
a command; e.g., to learn what pdf does, you can first try pd?, then You can script Radare2 with Python, by leveraging r2pipe, that can scr.nkey select seek mode; affects n/N in visual mode
the more general p?. You can get recursive help with ?*; e.g.: p?* be easily installed (inside any Python 2 virtual environment) with: scr.breaklines break lines in Visual instead of truncating them
Single-line comments can be entered using #; e.g. s # where R we?. pip install r2pipe. scr.html disassembly outputs in HTML syntax
Command ? can also be used to evaluate an expression and print Then, you can spawn a Python interpreter, from inside r2, with: scr.wheel enables mouse-wheel in visual mode
its result in various format; e.g. ? 5 * 8+2 (note the space after ?). #!pipe python [python-file] Searching: /
Commands ?v/?vi print result only in hex/decimal. There are also or simply:
/ str search for string str
some special $-variables (list them all with: ?$?); e.g.: #. python-file
/x hstr search for hex-string hstr
$$ current virtual seek Once you are in Python-world, you can connect to r2 by
/a asm-instr assemble instruction and search for its bytes
$b block size importing r2pipe and inizializing some variable, say r2, with
/R[/] opcode find ROP gadgets [with r.e.] containing opcode;
Where an address addx is expected, you can provide any expression r2pipe.open("#!pipe"), or simply r2pipe.open().
see: http://radare.today/posts/ropnroll/
that evaluates to an address, e.g. a function name or a register name. Then you can interact with Radare by invoking method cmd; e.g.
/A type find instructions of type type (/A? for the listof types)
In this cheatsheet we sometimes use fn-name, instead of addx, to print(r2.cmd(’pdf @ entry0’)). Also: e search.in=?? and e??search for options
emphasize that the argument is supposed to be a function starting You can make most Radare2 commands output in JSON format by
address. As default address is (usually?) used the current seek: $$. appending a j; e.g. pdfj (instead of pdf). Seeking: s
All commands that: Method cmdj can de-serialize JSON output into Python objects; e.g. s print current position/address
• accept an optional size (e.g. pd), use the current block size by f = r2.cmdj(’pdfj @ entry0’) s addx seek to addx
default (see: b) print f[’name’], f[’addr’], f[’ops’][0][’opcode’] s.. hex changes least-significant part of current address to hex
r2pipe: connecting to other r2 instances s+ n and s- n seek n bytes forward/backward
• accept an optional address (e.g., pdf), use the current position
s++ and s-- seek block-size bytes forward/backward
by default (see: s) You can connect to any web-listening instance of r2 by passing s- undo seek
Commands can be chained by using ;; e.g. s fun; pd 2. r2pipe.open a string of the form ’http://host:port’. By using this s+ redo seek
A single command can be applied to each element of a sequence by approach you get your own seek-cursor: your seek commands won’t s= list seek history
using @@; e.g. axt @@ str.*, see @@?. affect others. s* list seek history as r2-commands
Writing: w Debugging: d Information: i (and S)
wa asm-instr assemble+write opcodes; quote the whole command ?d opcode description of opcode (eg. ?d jle) i show info of current file
for more instructions: "wa instr1 ; instr2 ; . . . " dc continue (or start) execution iz[z] strings in data sections [whole binary]
wao . . . replace current instruction; see wao? for details dcu addx continue until addx is reached i{e|i|l|S} entrypoint/imports/libraries/sections
w[z] str write string str [and append byte \x00] dcs [name] continue until the next syscall [name] S list segments (confusingly called sections?!?)
wx hex-pairs write hex-pairs dcr continue until ret (uses step over)
wc list pending changes (see variable io.cache) dr= show general-purpose regs and their values Visual mode: V (q exits)
wtf [file] [size] write to file dro show previous (old) values of registers Command V enters visual mode.
wopO v print offset of v inside De Bruijn pattern; equiv. to drr show register references (telescoping) q exit visual-mode
ragg2 -q v; to produce a pattern: ragg2 -r -P size dr reg-name = value set register value c cursor-mode, tab switches among panels
drt list register types +/- increment/decrement current byte
Analysis (functions and syscalls): a drt type list registers of type type and their values : execute a normal-mode command; e.g. :dm
aaa analyze (aa) and auto-name functions db list breakpoints p and P rotate forward/backward print modes
afl[l] list functions [with details] db[-] addx add [remove] breakpoint /str highlight occurrences of string str
afi fn-name show verbose info for fn-name doo [args] (re)start debugging $ toggle pseudo-syntax
afn new-name addx (re)name function at address addx ood synonym for doo O toggle ESIL-asm
asl list syscalls ds[o] step into [over] ; add/remove comments (to current offset)
asl name display syscall-number for name dbt display backtrace (check dbg.btdepth/btalgo) x browse xrefs-to current offset
asl n display name of syscall number n drx hardware breakpoints X browse xrefs-from current function
afvd var-name output r2 command for displaying the dm list memory maps; the asterisk shows where _ browse flags
address and value of arg/local var-name the current offset is d define function, end-function, rename, . . .
.afvd var-name display address and value of var-name dmm list modules (libraries, loaded binaries) di{b|o|d|h|s} define immediate bin/oct/dec/hex or str
afvn name new-name rename argument/local variable dmi [addr|lib] [sym] list symbols of target lib V enter block-graph viewer (space toggles visual/graph)
afvt name type change type for given argument/local dmp change page permissions (see: dmp?) A enter visual-assembler (preview must be confirmed)
afv- name removes variable name dt[d] list all traces [disassembled] n/N seek next/previous function/flag/hit (see scr.nkey)
axt addx find data/code references to addx i enter insert mode
ahi {b|d|h|o|r|S|s} @ addx define binary/decimal/hex/octal/IP/ Types: t e configures internal variables
syscall/string base for immediate " toggle the column mode
"td C-type-def " define a new type
ESIL: ae t t-name show type t-name in pf syntax Seeking (in Visual Mode)
aeim initialize ESIL VM stack .t t-name @ addx display the value (of type t-name) at addx . seeks to program counter
aepc addr change ESIL PC to addx (aeip sets PC to curseek) t list (base?) types Enter on jump/call instructions, follow target address
aer . . . handle ESIL registers like dr does te / ts / tu list enums/structs/unions u/U undo / redo
aes[b|o] perform emulated debugger step [back|over] to file parse type information from C header file o go/seek to given offset
aesu addr step until given address tl t-name link t-name to current address 0 (zero) seek to beginning of current function
tl t-name = addx link t-name to address addx d (a non-zero digit) jump to the target marked [d]
Graphviz/graph code: ag tl list all links in readable format ml (a letter) mark the spot with letter l
ag addr output graphviz code (BB at addr and children) tp t-name = addx cast data at addx to type t-name, ’l jump to mark l
E.g. view the function graph with: ag $$ | xdot - and prints it n/N jump to next/previous function
agc addr callgraph of function at addx
agC full program callgraph Printing: p Debugging (in Visual Mode)
b or F2 toggle breakpoint
Flags (AKA “bookmarks”): f ps [@ addx] print C-string at addx (or current position)
F4 run to cursor
fs [name ] display flagspaces [select/create fs name] pxr [n] [@ addx] print with references to flags/code (telescoping)
s or F7 step-into
fs+ name push previous flagspace and set name px [n] [@ addx] hexdump — note: x is an alias for px
S or F8 step-over
fs- pop to the previous flagspace px{h|w|q} . . . hexdump in 16/32/64 bit words
F9 continue
f list flags px{H|W|Q} . . . as the previous one, but one per line
f name @ addx or pxl [n] [@ addx] display n rows of hexdump Projects: P [unstable feature]
f name = addx associate name name to address addx px/fmt [@ addx] gdb-style printing fmt (in gdb see: help x
Pl list all projects
f- @ addx remove the association at address addx from r2: !!gdb -q -ex ’help x’ -ex quit)
P{o|s|d} [prj-name] open/save/delete project prj-name
f- name remove the association with name name pd [n] [@ addx] disassemble n instructions
Pc prj-name show project script to console
p8 [n] [@ addx] print bytes
Comments: C pD [n] [@ addx] disassemble n bytes Copyright 2017
c by zxgio; cheat-sheet built on November 10, 2017
CCu text [@ addx] set (update?) comment text at addx pd -n [@ addx] disassemble n instructions backwards This cheat-sheet may be freely distributed under the terms of the GNU
General Public License; the latest version can be found at:
CC text [@ addx] append comment text at addx pdf [@ fn-name] disassemble function fn-name https://github.com/zxgio/r2-cheatsheet/
CC- [@ addx] remove comment at addx pc[p] [n] [@ addx] dumps in C [Python] format
CC. [@ addx] show comment at addx * addx [=value] shortcut for reading/writing at addx
CC! [@ addx] edit comment using cfg.editor (vim, . . . ) pf fmt a1 [, a2 , . . .] formatted print, see pf?? and pf???