💾 Archived View for radare.org › book › refcard › intro.gmi captured on 2024-05-10 at 11:18:05. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
This chapter is based on the Radare 2 reference card by Thanat0s, which is under the GNU GPL. Original license is as follows:
This card may be freely distributed under the terms of the GNU general public licence — Copyright by Thanat0s - v0.1 -
Those are the basic commands you will want to know and use for moving around a binary and getting information about it.
| Command | Description | |:| | s (tab) | Seek to a different place | | x [nbytes] | Hexdump of nbytes, $b by default | | aa | Auto analyze | | pdf@ funcname[1] | Disassemble function (main, fcn, etc.) | | f fcn(Tab) | List functions | | f str(Tab) | List strings | | fr [flagname] [newname] | Rename flag | | psz [offset]~grep | Print strings and grep for one | | axF [flag] | Find cross reference for a flag |
Flags are like bookmarks, but they carry some extra information like size, tags or associated flagspace. Use the `f` command to list, set, get them.
| Command | Description | |:| | f | List flags | | fd $ | Describe an offset | | fj | Display flags in JSON | | fl | Show flag length | | fx [flagname] | Show hexdump of flag | | fC [name] [comment] | Set flag comment |
Flags are created into a flagspace, by default none is selected, and listing flags will list them all. To display a subset of flags you can use the `fs` command to restrict it.
| Command | Description | |:| | fs | Display flagspaces | | fs * | Select all flagspaces | | fs [space] | Select one flagspace |
Binary files have information stored inside the headers. The `i` command uses the RBin api and allows us to the same things rabin2 do. Those are the most common ones.
| Command | Description | |:| | ii | Information on imports | | iI | Info on binary | | ie | Display entrypoint | | iS | Display sections | | ir | Display relocations | | iz | List strings (izz, izzz) |
There are different ways to represent a string in memory. The `ps` command allows us to print it in utf-16, pascal, zero terminated, .. formats.
| Command | Description | |:| | psz [offset] | Print zero terminated string | | psb [offset] | Print strings in current block | | psx [offset] | Show string with scaped chars | | psp [offset] | Print pascal string | | psw [offset] | Print wide string |
The visual mode is the standard interactive interface of radare2.
To enter in visual mode use the `v` or `V` command, and then you'll only have to press keys to get the actions happen instead of commands.
| Command | Description | |:| | V | Enter visual mode | | p/P | Rotate modes (hex, disasm, debug, words, buf) | | c | Toggle (c)ursor | | q | Back to Radare shell | | hjkl | Move around (or HJKL) (left-down-up-right) | | Enter | Follow address of jump/call | | sS | Step/step over | | o | Toggle asm.pseudo and asm.esil | | . | Seek to program counter | | / | In cursor mode, search in current block | | :cmd | Run radare command | | ;[-]cmt | Add/remove comment | | /*+-[] | Change block size, [] = resize hex.cols | | <,> | Seek aligned to block size | | i/a/A | (i)nsert hex, (a)ssemble code, visual (A)ssembler | | b | Toggle breakpoint | | B | Browse evals, symbols, flags, classes, ... | | d[f?] | Define function, data, code, .. | | D | Enter visual diff mode (set diff.from/to) | | e | Edit eval configuration variables | | f/F | Set/unset flag | | gG | Go seek to begin and end of file (0-$s) | | mK/’K | Mark/go to Key (any key) | | M | Walk the mounted filesystems | | n/N | Seek next/prev function/flag/hit (scr.nkey) | | C | Toggle (C)olors | | R | Randomize color palette (ecr) | | tT | Tab related. see also tab[1] | | v | Visual code analysis menu | | V | (V)iew graph (agv?) | | wW | Seek cursor to next/prev word | | uU | Undo/redo seek | | x | Show xrefs of current func from/to data/code | | yY | Copy and paste selection | | z | fold/unfold comments in diassembly |
There are many situations where we need to find a value inside a binary or in some specific regions. Use the `e search.in=?` command to choose where the `/` command may search for the given value.
| Command | Description | |:| | / foo\00 | Search for string ’foo\0’ | | /b | Search backwards | | // | Repeat last search | | /w foo | Search for wide string ’f\0o\0o\0’ | | /wi foo | Search for wide string ignoring case | | /! ff | Search for first occurrence not matching | | /i foo | Search for string ’foo’ ignoring case | | /e /E.F/i | Match regular expression | | /x a1b2c3 | Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3| | /x a1..c3 | Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff)| | /x a1b2:fff3 | Search for bytes with mask (specify individual bits)| | /d 101112 | Search for a deltified sequence of bytes | | /!x 00 | Inverse hexa search (find first byte != 0x00) | | /c jmp [esp] | Search for asm code (see search.asmstr) | | /a jmp eax | Assemble opcode and search its bytes | | /A | Search for AES expanded keys | | /r sym.printf | Analyze opcode reference an offset | | /R | Search for ROP gadgets | | /P | Show offset of previous instruction | | /m magicfile | Search for matching magic file | | /p patternsize | Search for pattern of given size | | /z min max | Search for strings of given size | | /v[?248] num | Look for a asm.bigendian 32bit value |
This feature has broken and not been resolved at the time of writing these words (Nov.16th 2020). check #Issue 6945: META - Project files[1] and #Issue 17034[2] for more details.
1: #Issue 6945: META - Project files
To save your analysis for now, write your own script which records the function name, variable name, etc. for example: ```sh vim sample_A.r2
e scr.utf8 = false s 0x000403ce0 aaa s fcn.00403130 afn return_delta_to_heapaddr afvn iter var_04h ...
## Usable variables in expression
The `?$?` command will display the variables that can be used in any math
operation inside the r2 shell. For example, using the `? $` command to evaluate
a number or `?v` to just the value in one format.
All commands in r2 that accept a number supports the use of those variables.
| Command | Description |
|:|
| $ | here (current virtual seek)|
| $$ | current non-temporary virtual seek|
| $? | last comparison value|
| $alias=value | alias commands (simple macros)|
| $b | block size|
| $B | base address (aligned lowest map address)|
| $f | jump fail address (e.g. jz 0x10 => next instruction)|
| $fl | flag length (size) at current address (fla; pD $l @ entry0)|
| $F | current function size|
| $FB | begin of function|
| $Fb | address of the current basic block|
| $Fs | size of the current basic block|
| $FE | end of function|
| $FS | function size|
| $Fj | function jump destination|
| $Ff | function false destination|
| $FI | function instructions|
| $c,$r | get width and height of terminal|
| $Cn | get nth call of function|
| $Dn | get nth data reference in function|
| $D | current debug map base address ?v $D @ rsp|
| $DD | current debug map size|
| $e | 1 if end of block, else 0|
| $j | jump address (e.g. jmp 0x10, jz 0x10 => 0x10)|
| $Ja | get nth jump of function|
| $Xn | get nth xref of function|
| $l | opcode length|
| $m | opcode memory reference (e.g. mov eax,[0x10] => 0x10)|
| $M | map address (lowest map address)|
| $o | here (current disk io offset)|
| $p | getpid()|
| $P | pid of children (only in debug)|
| $s | file size|
| $S | section offset|
| $SS | section size|
| $v | opcode immediate value (e.g. lui a0,0x8010 => 0x8010)|
| $w | get word size, 4 if asm.bits=32, 8 if 64, ...|
| ${ev} | get value of eval config variable|
| $r{reg} | get value of named register|
| $k{kv} | get value of an sdb query value|
| $s{flag} | get size of flag|
| RNum | $variables usable in math expressions|