💾 Archived View for radare.org › book › debugger › migration.gmi captured on 2024-08-25 at 00:23:00. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-08-18)
-=-=-=-=-=-=-
This chapter aims to ease that migration process for users coming from debuggers like IDA Pro, LLDB, GDB, or WinDBG. We'll explore how common debugging workflows and commands map between these tools and radare2, highlighting both similarities and key differences.
`r2 -d /bin/ls` - start in debugger mode => [video[1]]
`r2 -d <pid>` - attach to process
`r2 ptrace://pid` - same as above, but only for io (not debugger backend hooked)
`[0x7fff6ad90028]> o-225` - close fd=225 (listed in `o~[1]:0`)
`r2 -D gdb gdb://localhost:1234` - attach to gdbserver
Use `rarun2` (`libpath=$PWD:/tmp/lib`, `arg2=hello`, `setenv=FOO=BAR` ...) see `rarun2 -h` / `man rarun2`
`r2 -i <scriptfile> ...` - run a script **after** loading the file => [video[1]]
`r2 -I <scriptfile> ...` - run a script **before** loading the file
`r2 -c $@ | awk $@` - run through awk to get asm from function => [link[1]]
`[0x80480423]> . scriptfile` - interpret this file => [video[1]]
`[0x80480423]> #!c` - enter C repl (see `#!` to list all available RLang plugins) => [video[1]], everything have to be done in a oneliner or a .c file must be passed as an argument.
To get `#!python` and much more, just build radare2-bindings[1]
`CL @ sym.main` - though the feature is highly experimental
| Command | IDA Pro | radare2 | r2 (visual mode) | GDB | WinDbg | | | |**Analysis** | | | |Analysis of everything |`Automatically launched when opening a binary` |`aaa or -A (aaaa or -AA for even experimental analysis)` | `N/A` |N/A |N/A |**Navigation** | | | |xref to |`x` |`axt` | `x` |N/A |N/A |xref from |`ctrl + j` |`axf` | `X` |N/A |N/A |xref to graph |? |`agt [offset]` | ? |N/A |N/A |xref from graph|? |`agf [offset]` | ? |N/A |N/A |list functions |`alt + 1` |`afl;is` | `t` |N/A |N/A |listing |`alt + 2` |`pdf` | `p` |N/A |N/A |hex mode |`alt + 3` |`pxa` | `P` |N/A |N/A |imports |`alt + 6` |`ii` | `:ii` |N/A |N/A |exports |`alt + 7` |`is~FUNC` | ? |N/A |N/A |follow jmp/call|`enter` |`s offset` |`enter` or `0`-`9`|N/A |N/A |undo seek |`esc` |`s-` | `u` |N/A |N/A |redo seek |`ctrl+enter` |`s+` | `U` |N/A |N/A |show graph |`space` |`agv` | `V` |N/A |N/A |**Edit** | | | |rename |`n` |`afn`| `dr` |N/A |N/A |graph view |`space` |`agv` | `V` |N/A |N/A |define as data |`d` |`Cd [size]` | `dd`,`db`,`dw`,`dW`|N/A |N/A |define as code |`c` |`C- [size]` | `d-` or `du` |N/A |N/A |define as undefined|`u` |`C- [size]` | `d-` or `du` |N/A |N/A |define as string|`A` |`Cs [size]` | `ds` |N/A |N/A |define as struct|`Alt+Q` |`Cf [size]` | `dF` |N/A |N/A |**Debugger** | | | | |Start Process/ Continue execution|`F9` |`dc` | `F9` | `r` and `c` | `g` |Terminate Process|`Ctrl+F2` |`dk 9` | ? | `kill` | `q` |Detach |`?` | `o-` | ? | `detach` | |step into |`F7` |`ds` | `s` | `n` | `t` |step into 4 instructions | ? | `ds 4` | F7 | `n 4` | `t 4` |step over |`F8` |`dso` | `S` | `s` | `p` |step until a specific address|?|`dsu <addr>` | ? | `s` | `g <addr>` |Run until return|`Ctrl+F7` |`dcr` | ? | `finish` | `gu` |Run until cursor|`F4` |#249[1]| #249[2] | N/A | N/A |Show Backtrace |`?` |`dbt` | ? | `bt` | |display Register|On register Windows|`dr all` | Shown in Visual mode | `info registers` | `r` |display eax |On register Windows |`dr?eax` | Shown in Visual mode | `info registers eax` | `r rax` |display old state of all registers |? |`dro` | ? | ? | ? |display function addr + N |? |`afi $` - display function information of current offset (`$`) | ? | ? | ? |display frame state |? |`pxw rbp-rsp@rsp`| ? | `i f` | ? |How to step until condition is true |? |`dsi` | ? | ? | ? |Update a register value |? |`dr rip=0x456` | ? | `set $rip=0x456` | `r rip=456` |**Disassembly** | | | | |disassembly forward | N/A | `pd` | `Vp` | `disas` | `uf`, `u` |disassembly N instructions | N/A | `pd X` | Vp | x/<N>i | `u <addr> LX` |disassembly N (backward) | N/A | `pd -X` | `Vp` | `disas <a-o> <a>` | `ub` |**Information on the bin** | | | | |Sections/regions | `Menu sections` | `iS` or `S` (append j for json) | N/A | maint info sections | !address |**Load symbol file** | | | | |Sections/regions | `pdb menu` | `asm.dwarf.file`, `pdb.XX`) | N/A | add-symbol-file | r |**BackTrace** | | | | |Stack Trace | N/A | `dbt` | N/A | `bt` | `k` |Stack Trace in Json | N/A | `dbtj` | N/A | | |Partial Backtrace (innermost) | N/A | `dbt` (`dbg.btdepth` `dbg.btalgo`) | N/A | bt <N> | k <N> |Partial Backtrace (outermost) | N/A | `dbt` (`dbg.btdepth` `dbg.btalgo`) | N/A | bt -<N> | |Stacktrace for all threads | N/A | `dbt@t` | N/A | `thread apply all bt` | `~* k` |**Breakpoints** | | | | | |Breakpoint list |`Ctrl+Alt+B` |`db` | ? | `info breakpoints` | `bl` |add breakpoint |`F2` |`db [offset]` |`F2` | `break`| `bp` |**Threads** | | | | | |Switch to thread |`Thread menu` |`dp` | N/A | `thread <N>`| `~<N>s` |**Frames** | | | | | |Frame Numbers |`N/A` |`?` | N/A | `any bt command`| `kn` |Select Frame |`N/A` |`?` | N/A | `frame`| `.frame` |**Parameters/Locals** | | | | | |Display parameters |`N/A` |`afv` | N/A | `info args`| `dv /t /i /V` |Display parameters |`N/A` |`afv` | N/A | `info locals`| `dv /t /i /V` |Display parameters/locals in json |`N/A` |`afvj` | N/A | `info locals`| `dv /t /i /V` |list addresses where vars are accessed(R/W) |`N/A` |`afvR/afvW` | N/A | `?`| `?` |**Project Related** | | | | |open project | |`Po [file]` | | ? |save project | automatic |`Ps [file]` | | ? |show project informations | |`Pi [file]` | | ? |**Miscellaneous** | | | | |Dump byte char array | `N/A` |`pc?` (json, C, char, etc.) | Vpppp | x/<N>bc | db |options |option menu |`e?` | `e` | |search |search menu |`/?` | Select the zone with the cursor `c` then `/` | | `s`
This can be done using 2 commands:
- `dcf` - until a fork happen
- Then use `dp` to select the process to debug.
- r2 accepts FLIRT signatures
- r2 can connect to GDB, LLVM and WinDbg
- r2 can write/patch in place
- r2 have fortunes and [s]easter eggs[/s]balls of steel
- r2 can do basic loading of ELF core files from the box and MDMP (Windows minidumps)