💾 Archived View for radare.org › book › analysis › intro.gmi captured on 2023-11-04 at 11:48:22. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Radare2 has a very rich set of commands and configuration options to perform data and code analysis, to extract useful information from a binary, like pointers, string references, basic blocks, opcode data, jump targets, cross references and much more.
These operations are handled by the `a` (analyze) command family:
|Usage: a[abdefFghoprxstc] [...] | aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) | a8 [hexpairs] analyze bytes | ab[b] [addr] analyze block at given address | abb [len] analyze N basic blocks in [len] (section.size by default) | abt [addr] find paths in the bb function graph from current offset to given address | ac [cycles] analyze which op could be executed in [cycles] | ad[?] analyze data trampoline (wip) | ad [from] [to] analyze data pointers to (from-to) | ae[?] [expr] analyze opcode eval expression (see ao) | af[?] analyze Functions | aF same as above, but using anal.depth=1 | ag[?] [options] draw graphs in various formats | ah[?] analysis hints (force opcode size, ...) | ai [addr] address information (show perms, stack, heap, ...) | an [name] [@addr] show/rename/create whatever flag/function is used at addr | ao[?] [len] analyze Opcodes (or emulate it) | aO[?] [len] Analyze N instructions in M bytes | ap find prelude for current offset | ar[?] like 'dr' but for the esil vm. (registers) | as[?] [num] analyze syscall using dbg.reg | av[?] [.] show vtables | ax[?] manage refs/xrefs (see also afx?)
In fact, `a` namespace is one of the biggest in radare2 tool and allows to control very different parts of the analysis:
- Code flow analysis
- Data references analysis
- Using loaded symbols
- Managing different type of graphs, like CFG and call graph
- Manage variables
- Manage types
- Emulation using ESIL VM
- Opcode introspection
- Objects information, like virtual tables