Reversing with Radare2 Internal grep-like filtering To open a background web-service in r2 use command =h&.

You may
You can filter command output by appending ~[!]str, to display only also want to take a look at configuration variable http.sandbox.
Starting Radare rows [not] containing string str; e.g. pdf~rdx and pdf~!rdx. You can Configuration
further filter by appending
The basic usage is radare2 exe (on some systems you can use simply e?? list all variable names and descriptions
:r display row r (0 ≤ r < #rows or, backwards
r2 instead of radare2). If there exists a script named exe.r2, then e?[?] var-name show description of var-name
with: −#rows ≤ r ≤ −1)
it gets executed after the others rc-files. If you want to run radare2 e [var-name] show the value of all variables [var-name only]
[c1 [, c2 , . . .]] display columns c1 , c2 , . . . (0 ≤ ci < #cols)
without opening any file, you can use -- instead of an executable e var-name =?[?] print valid values of var-name [with descript.]
:r[c1 , . . . , cn ] display columns c1 , . . . , cn of row r
name. E.g. e asm.arch=??
.. pipe output into less-like viewer
Some command-line options are: eco theme-name select theme; eg. eco solarized
... pipe into HUD, which filters space separated strings
-d file debug executable file eco list available themes
-d pid debug process pid Examples: afl~[0], afl~malloc[0], pdf~:2 and pdf~mov:2 b [size] display [set] current block size
-A analyze all referenced code (aaa command) There is much more (sorting, counting, . . . ); see: ~? env [name [=value]] get/set environment variables
-r profile.rr2 specifies rarun2 profile (same as Shell interaction Some variables
-e dbg.profile=profile.rr2)
Command output can be redirected to a file by appending >filename asm.bytes display bytes of each instruction
-w open file in write mode
or piped to an external command with |progname [args]. Examples: asm.describe show opcode description
-p [prj] list projects / use project prj
afl > all_functions and afl | wc -l. asm.cmt.right comments at right of disassembly if they fit
-h show help message (-hh the verbose one)
External commands can be run with !!progname [args]. Note: if a asm.emu run ESIL emulation analysis on disasm
Example: r2 -dA /bin/ls
command starts with a single !, the rest of the string is passed to cur- asm.demangle Show demangled symbols in disasm
Running in different environments: rarun2 rently loaded IO plugin (only if no plugin can handle the command, asm.shortcut Shortcut (e.g. [1],[2],. . . ) position in visual mode
rarun2 runs programs with different environments, arguments, per- it is passed to the shell). bin.baddr base address of the binary
missions, directories and overridden default file-descriptors. Usage: Moreover, backticks can be used to send the output of r2-commands cmd.bp command to run when a breakpoint is hit;
rarun2 [-t|script-name.rr2] [directives] [--] [prog-name] [args] as arguments; e.g. !!echo ‘? 42‘. Vice versa output of external e.g. cmd.bp=!!program
rarun2 -t shows the terminal name, say α, and wait for a connec- programs can be used as arguments for internal commands; e.g. pdf cmd.stack command to display the stack in visual
tion from another process. For instance, from another terminal, you ‘echo 3‘ @ ‘echo entry0‘. debug mode (Eg: px 32)
can execute rarun2 stdio=α program=/bin/sh (use stdin/stdout to Some common Unix-like commands are implemented as built-ins; e.g. dbg.follow.child continue tracing the child process on fork
redirect one stream only). Run rarun2 -h to get a sample .rr2 file. ls, cd, pwd, mkdir and rm. dbg.funcarg display func. arguments in visual mode [experimental]
rarun2 supports a lot of directives, see the man page for details. dbg.slow show stack and regs in visual mode, in a slow but
Radare scripting verbose (e.g. telescoping) mode; check column mode
General information . filename interpret r2 script filename dbg.trace trace program execution (check also asm.trace)
The command ? prints the help. Command names are hierarchically .! command interpret output of command as r2 commands io.cache enable cache for IO (=non-persistent write-mode)
defined; for instance, all printing commands start with p. So, to un- scr.utf8 show nice UTF-8 chars instead of ANSI
derstand what a command does, you can append ? to a prefix of such
Python scripting (via r2pipe) (Windows: switch code-page with chcp 65001)
a command; e.g., to learn what pdf does, you can first try pd?, then You can script Radare2 with Python, by leveraging r2pipe, that can scr.utf8.curvy show curved UTF-8 corners (requires scr.utf8)
the more general p?. You can get recursive help with ?*; e.g.: p?* be easily installed (inside any Python 2 virtual environment) with: scr.nkey select seek mode; affects n/N in visual mode
Single-line comments can be entered using #; e.g. s # where R we?. pip install r2pipe. scr.breaklines break lines in Visual instead of truncating them
Command ? can also be used to evaluate an expression and print Then, you can spawn a Python interpreter, from inside r2, with: scr.html disassembly outputs in HTML syntax
its result in various format; e.g. ? 5 * 8+2 (note the space after ?). #!pipe python [python-file] Searching: /
Commands ?v/?vi print result only in hex/decimal. There are also or simply:
/ str search for string str
some special $-variables (list them all with: ?$?); e.g.: #. python-file
/c instr search for instruction instr
$$ current virtual seek Once you are in Python-world, you can connect to r2 by
/x hstr search for hex-string hstr
$b block size importing r2pipe and inizializing some variable, say r2, with
/a asm-instr assemble instruction and search for its bytes
Where an address addx is expected, you can provide any expression r2pipe.open("#!pipe"), or simply r2pipe.open().
/R[/] opcode find ROP gadgets [with r.e.] containing opcode;
that evaluates to an address, e.g. a function name or a register name. Then you can interact with Radare by invoking method cmd; e.g.
see: http://radare.today/posts/ropnroll/
In this cheatsheet we sometimes use fn-name, instead of addx, to print(r2.cmd(’pdf @ entry0’)).
/A type find instructions of type type (/A? for the listof types)
emphasize that the argument is supposed to be a function starting You can make most Radare2 commands output in JSON format by Also: e search.in=?? and e??search for options
address. As default address is (usually?) used the current seek: $$. appending a j; e.g. pdfj (instead of pdf).
All commands that: Method cmdj can de-serialize JSON output into Python objects; e.g. Seeking: s
• accept an optional size (e.g. pd), use the current block size by f = r2.cmdj(’pdfj @ entry0’) s print current position/address
default (see: b) print f[’name’], f[’addr’], f[’ops’][0][’opcode’] s addx seek to addx
r2pipe: connecting to other r2 instances s.. hex changes least-significant part of current address to hex
• accept an optional address (e.g., pdf), use the current position
s+ n and s- n seek n bytes forward/backward
by default (see: s) You can connect to any web-listening instance of r2 by passing s++ and s-- seek block-size bytes forward/backward
Commands can be chained by using ;; e.g. s fun; pd 2. r2pipe.open a string of the form ’http://host:port’. By using this s- and s+ undo/redo seek
A single command can be applied to each element of a sequence by approach you get your own seek-cursor: your seek commands won’t s= list seek history
using @@; e.g. axt @@ str.*, see @@?. affect others. s* list seek history as r2-commands
Writing: w Debugging: d Information: i (and S)
wa asm-instr assemble+write opcodes; quote the whole command dc continue (or start) execution i show info of current file
for more instructions: "wa instr1 ; instr2 ; . . . " dcu addx continue until addx is reached iz[z] strings in data sections [whole binary]
wao . . . replace current instruction; see wao? for details dcs [name] continue until the next syscall [name] i{e|i|l|S|SS} entrypoint/imports/libraries/sections/segments
w[z] str write string str [and append byte \x00] dcr continue until ret (uses step over)
wx hex-pairs write hex-pairs dr= show general-purpose regs and their values Visual mode: V (q exits)
wc list pending changes (see variable io.cache) dro show previous (old) values of registers Command V enters visual mode.
wtf [file] [size] write to file drr show register references (telescoping) q exit visual-mode
wopO v print offset of v inside De Bruijn pattern; equiv. to dr reg-name = value set register value c cursor-mode, tab switches among panels
ragg2 -q v; to produce a pattern: ragg2 -r -P size drt list register types +/- increment/decrement current byte
drt type list registers of type type and their values : execute a normal-mode command; e.g. :dm
Analysis (functions and syscalls): a db list breakpoints p and P rotate forward/backward print modes
aaa analyze (aa) and auto-name functions db[-] addx add [remove] breakpoint /str highlight occurrences of string str
aod opcode description of opcode (eg. aod jle) doo [args] (re)start debugging; synonym of ood # toggle bytes
afl[l] list functions [with details] ds[o] step into [over] O toggle ESIL-asm
afi fn-name show verbose info for fn-name dbt display backtrace (check dbg.btdepth/btalgo) ; add/remove comments (to current offset)
afn new-name addx (re)name function at address addx drx hardware breakpoints x browse xrefs-to current offset
asl list syscalls dm list memory maps; the asterisk shows where X browse xrefs-from current function
asl name display syscall-number for name the current offset is _ browse flags
asl n display name of syscall number n dmh show heap allocation (see: dmh?) d define function, end-function, rename, . . .
afvd var-name output r2 command for displaying the dmm list modules (libraries, loaded binaries) di{b|o|d|h|s} define immediate bin/oct/dec/hex or str
address and value of arg/local var-name dmi [addr|lib] [sym] list symbols of target lib V enter block-graph viewer (space toggles visual/graph)
.afvd var-name display address and value of var-name dmp change page permissions (see: dmp?) A enter visual-assembler (preview must be confirmed)
afvn new-name old-name rename argument/local variable dt[d] list all traces [disassembled] n/N seek next/previous function/flag/hit (see scr.nkey)
afvt name type change type for given argument/local dd handle file descriptors (see: dd?) i enter insert mode
afv- name removes variable name e configures internal variables
axt addx find data/code references to addx Types: t " toggle the column mode
ahi {b|d|h|o|r|S|s} @ addx define binary/decimal/hex/octal/IP/ f (un)set flags
"td C-type-def " define a new type
syscall/string base for immediate Seeking (in Visual Mode)
ESIL code emulation: ae t t-name show type t-name in pf syntax
aei[m] initialize ESIL VM state [stack] .t t-name @ addx display the value (of type t-name) at addx . seeks to program counter
aepc addr change ESIL PC to addx (aeip sets PC to curseek) t[e/s/u] list all-types/enums/structs/unions Enter on jump/call instructions, follow target address
aer . . . handle ESIL registers like dr does to file parse type information from C header file u/U undo / redo
aes[b|o] perform emulated debugger step [back|over] tl t-name link t-name to current address o go/seek to given offset
aecu addr continue until given address tl t-name = addx link t-name to address addx 0 (zero) seek to beginning of current function
tl list all links in readable format d (a non-zero digit) jump to the jmp/lea-hint marked [d]
Graphviz/graph code: ag tp t-name = addx cast data at addx to type t-name, r toggle jmp/lea hints
agfd addr output graphviz code (BB at addr and children) and prints it ml (a letter) mark the spot with letter l
E.g. view the function graph with: agfd $$ | xdot - ’l jump to mark l
agcd addr callgraph of function at addx Printing: p n/N jump to next/previous function
agCd full program callgraph
ps [@ addx] print C-string at addx (or current position) Debugging (in Visual Mode)
Flags (AKA “bookmarks”): f psb [@ addx] print C-strings at addx (or current block)
B (b in older versions) or F2 toggle breakpoint
fs [name ] display flagspaces [select/create fs name] pxr [n] [@ addx] print with references to flags/code (telescoping)
F4 run to cursor
fs+ name push previous flagspace and set name px [n] [@ addx] hexdump — note: x is an alias for px
s or F7 step-into
fs- pop to the previous flagspace px{h|w|q} . . . hexdump in 16/32/64 bit words
S or F8 step-over
f list flags px{H|W|Q} . . . as the previous one, but one per line
F9 continue
f name @ addx or pxl [n] [@ addx] display n rows of hexdump
f name = addx associate name name to address addx px/fmt [@ addx] gdb-style printing fmt (in gdb see: help x Projects: P [unstable feature]
f- @ addx remove the association at address addx from r2: !!gdb -q -ex ’help x’ -ex quit)
Pl list all projects
f- name remove the association with name name pd [n] [@ addx] disassemble n instructions (backwards if n < 0)
P{o|s|d} [prj-name] open/save/delete project prj-name
p8 [n] [@ addx] print bytes
Pc prj-name show project script to console
Comments: C pD [n] [@ addx] disassemble n bytes
CCu text [@ addx] set (update?) comment text at addx pdf [@ fn-name] disassemble function fn-name Copyright 2017
c by zxgio; cheat-sheet built on November 15, 2018
CC text [@ addx] append comment text at addx pc[p] [n] [@ addx] dumps in C [Python] format This cheat-sheet may be freely distributed under the terms of the GNU
General Public License; the latest version can be found at:
CC- [@ addx] remove comment at addx * addx [=value] shortcut for reading/writing at addx https://github.com/zxgio/r2-cheatsheet/
CC. [@ addx] show comment at addx pf fmt a1 [, a2 , . . .] formatted print, see pf?? and pf???
CC! [@ addx] edit comment using cfg.editor (vim, . . . ) pa[d] . . . assemble-to/disassemble-from hex-pairs