Reference Card

This chapter is based on the Radare 2 reference card by Thanat0s, which is under the GNU GPL. Original license is as follows:

This card may be freely distributed under the terms of the GNU
general public licence — Copyright by Thanat0s - v0.1 -

Survival Guide

Those are the basic commands you will want to know and use for moving around a binary and getting information about it.

Command

Description

s (tab)

Seek to a different place

x [nbytes]

Hexdump of nbytes, $b by default

Auto analyze

pdf@fcn(Tab)

Disassemble function

f fcn(Tab)

List functions

f str(Tab)

List strings

fr [flagname] [newname]

Rename flag

psz [offset]~grep

Print strings and grep for one

arf [flag]

Find cross reference for a flag

Flags

Flags are like bookmarks, but they carry some extra information like size, tags or associated flagspace. Use the f command to list, set, get them.

Command

Description

List flags

fd $$

Describe an offset

Display flags in JSON

Show flag length

Show hexdump of flag

fC [name] [comment]

Set flag comment

Flagspaces

Flags are created into a flagspace, by default none is selected, and listing flags will list them all. To display a subset of flags you can use the fs command to restrict it.

Command

Description

Display flagspaces

fs *

Select all flagspaces

fs [sections]

Select one flagspace

Information

Binary files have information stored inside the headers. The i command uses the RBin api and allows us to the same things rabin2 do. Those are the most common ones.

Command

Description

Information on imports

Info on binary

Display entrypoint

Display sections

Display relocations

List strings (izz, izzz)

Print string

There are different ways to represent a string in memory. The ps command allows us to print it in utf-16, pascal, zero terminated, .. formats.

Command

Description

psz [offset]

Print zero terminated string

psb [offset]

Print strings in current block

psx [offset]

Show string with scaped chars

psp [offset]

Print pascal string

psw [offset]

Print wide string

Visual mode

The visual mode is the standard interactive interface of radare2.

To enter in visual mode use the v or V command, and then you'll only have to press keys to get the actions happen instead of commands.

Command

Description

Enter visual mode

p/P

Rotate modes (hex, disasm, debug, words, buf)

Toggle (c)ursor

Back to Radare shell

hjkl

Move around (or HJKL) (left-down-up-right)

Enter

Follow address of jump/call

Step/step over

Go/seek to given offset

Seek to program counter

In cursor mode, search in current block

:cmd

Run radare command

;[-]cmt

Add/remove comment

x+-/[]

Change block size, [] = resize hex.cols

>||<

Seek aligned to block size

i/a/A

(i)nsert hex, (a)ssemble code, visual (A)ssembler

b/B

Toggle breakpoint / automatic block size

d[f?]

Define function, data, code, ..

Enter visual diff mode (set diff.from/to)

Edit eval configuration variables

f/F

Set/unset flag

Go seek to begin and end of file (0-$s)

mK/’K

Mark/go to Key (any key)

Walk the mounted filesystems

n/N

Seek next/prev function/flag/hit (scr.nkey)

Go/seek to given offset

Toggle (C)olors

Randomize color palette (ecr)

Track flags (browse symbols, functions..)

Browse anal info and comments

Visual code analysis menu

V/W

(V)iew graph (agv?), open (W)ebUI

Undo/redo seek

Show xrefs to seek between them

Copy and paste selection

Toggle zoom mode

Searching

There are many situations where we need to find a value inside a binary or in some specific regions. Use the e search.in=? command to choose where the / command may search for the given value.

Command

Description

/ foo\00

Search for string ’foo\0’

Search backwards

Repeat last search

/w foo

Search for wide string ’f\0o\0o\0’

/wi foo

Search for wide string ignoring case

/! ff

Search for first occurrence not matching

/i foo

Search for string ’foo’ ignoring case

/e /E.F/i

Match regular expression

/x a1b2c3

Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3

/x a1..c3

Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff)

/x a1b2:fff3

Search for bytes with mask (specify individual bits)

/d 101112

Search for a deltified sequence of bytes

/!x 00

Inverse hexa search (find first byte != 0x00)

/c jmp [esp]

Search for asm code (see search.asmstr)

/a jmp eax

Assemble opcode and search its bytes

Search for AES expanded keys

/r sym.printf

Analyze opcode reference an offset

Search for ROP gadgets

Show offset of previous instruction

/m magicfile

Search for matching magic file

/p patternsize

Search for pattern of given size

/z min max

Search for strings of given size

/v[?248] num

Look for a asm.bigendian 32bit value

Saving

By default, when you open a file in write mode (r2 -w) all changes will be written directly into the file. No undo history is saved by default.

Use e io.cache.write=true and the wc command to manage the write cache history changes. To undo, redo, commit them to write the changes on the file..

If, instead, we want to save the analysis information, comments, flags and other user-created metadata, we may want to use projects with r2 -p and the P command.

Command

Description

Po [file]

Open project

Ps [file]

Save project

Pi [file]

Show project information

Usable variables in expression

The ?$? command will display the variables that can be used in any math operation inside the r2 shell. For example, using the ? $$ command to evaluate a number or ?v to just the value in one format.

All commands in r2 that accept a number supports the use of those variables.

Command

Description

here (current virtual seek)

$$$

current non-temporary virtual seek

last comparison value

$alias=value

alias commands (simple macros)

block size

base address (aligned lowest map address)

jump fail address (e.g. jz 0x10 => next instruction)

$fl

flag length (size) at current address (fla; pD $l @ entry0)

current function size

$FB

begin of function

$Fb

address of the current basic block

$Fs

size of the current basic block

$FE

end of function

$FS

function size

$Fj

function jump destination

$Ff

function false destination

$FI

function instructions

$c,$r

get width and height of terminal

$Cn

get nth call of function

$Dn

get nth data reference in function

current debug map base address ?v $D @ rsp

$DD

current debug map size

1 if end of block, else 0

jump address (e.g. jmp 0x10, jz 0x10 => 0x10)

$Ja

get nth jump of function

$Xn

get nth xref of function

opcode length

opcode memory reference (e.g. mov eax,[0x10] => 0x10)

map address (lowest map address)

here (current disk io offset)

getpid()

pid of children (only in debug)

file size

section offset

$SS

section size

opcode immediate value (e.g. lui a0,0x8010 => 0x8010)

get word size, 4 if asm.bits=32, 8 if 64, ...

${ev}

get value of eval config variable

$r{reg}

get value of named register

$k{kv}

get value of an sdb query value

$s{flag}

get size of flag

RNum

$variables usable in math expressions

上一页.outro 下一页Acknowledgments

最后更新于4年前

这有帮助吗？

Reference Card

This chapter is based on the Radare 2 reference card by Thanat0s, which is under the GNU GPL. Original license is as follows:

This card may be freely distributed under the terms of the GNU
general public licence — Copyright by Thanat0s - v0.1 -

Survival Guide

Those are the basic commands you will want to know and use for moving around a binary and getting information about it.

Command

Description

s (tab)

Seek to a different place

x [nbytes]

Hexdump of nbytes, $b by default

Auto analyze

pdf@fcn(Tab)

Disassemble function

f fcn(Tab)

List functions

f str(Tab)

List strings

fr [flagname] [newname]

Rename flag

psz [offset]~grep

Print strings and grep for one

arf [flag]

Find cross reference for a flag

Flags

Flags are like bookmarks, but they carry some extra information like size, tags or associated flagspace. Use the f command to list, set, get them.

Command

Description

List flags

fd $$

Describe an offset

Display flags in JSON

Show flag length

Show hexdump of flag

fC [name] [comment]

Set flag comment

Flagspaces

Flags are created into a flagspace, by default none is selected, and listing flags will list them all. To display a subset of flags you can use the fs command to restrict it.

Command

Description

Display flagspaces

fs *

Select all flagspaces

fs [sections]

Select one flagspace

Information

Binary files have information stored inside the headers. The i command uses the RBin api and allows us to the same things rabin2 do. Those are the most common ones.

Command

Description

Information on imports

Info on binary

Display entrypoint

Display sections

Display relocations

List strings (izz, izzz)

Print string

There are different ways to represent a string in memory. The ps command allows us to print it in utf-16, pascal, zero terminated, .. formats.

Command

Description

psz [offset]

Print zero terminated string

psb [offset]

Print strings in current block

psx [offset]

Show string with scaped chars

psp [offset]

Print pascal string

psw [offset]

Print wide string

Visual mode

The visual mode is the standard interactive interface of radare2.

To enter in visual mode use the v or V command, and then you'll only have to press keys to get the actions happen instead of commands.

Command

Description

Enter visual mode

p/P

Rotate modes (hex, disasm, debug, words, buf)

Toggle (c)ursor

Back to Radare shell

hjkl

Move around (or HJKL) (left-down-up-right)

Enter

Follow address of jump/call

Step/step over

Go/seek to given offset

Seek to program counter

In cursor mode, search in current block

:cmd

Run radare command

;[-]cmt

Add/remove comment

x+-/[]

Change block size, [] = resize hex.cols

>||<

Seek aligned to block size

i/a/A

(i)nsert hex, (a)ssemble code, visual (A)ssembler

b/B

Toggle breakpoint / automatic block size

d[f?]

Define function, data, code, ..

Enter visual diff mode (set diff.from/to)

Edit eval configuration variables

f/F

Set/unset flag

Go seek to begin and end of file (0-$s)

mK/’K

Mark/go to Key (any key)

Walk the mounted filesystems

n/N

Seek next/prev function/flag/hit (scr.nkey)

Go/seek to given offset

Toggle (C)olors

Randomize color palette (ecr)

Track flags (browse symbols, functions..)

Browse anal info and comments

Visual code analysis menu

V/W

(V)iew graph (agv?), open (W)ebUI

Undo/redo seek

Show xrefs to seek between them

Copy and paste selection

Toggle zoom mode

Searching

There are many situations where we need to find a value inside a binary or in some specific regions. Use the e search.in=? command to choose where the / command may search for the given value.

Command

Description

/ foo\00

Search for string ’foo\0’

Search backwards

Repeat last search

/w foo

Search for wide string ’f\0o\0o\0’

/wi foo

Search for wide string ignoring case

/! ff

Search for first occurrence not matching

/i foo

Search for string ’foo’ ignoring case

/e /E.F/i

Match regular expression

/x a1b2c3

Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3

/x a1..c3

Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff)

/x a1b2:fff3

Search for bytes with mask (specify individual bits)

/d 101112

Search for a deltified sequence of bytes

/!x 00

Inverse hexa search (find first byte != 0x00)

/c jmp [esp]

Search for asm code (see search.asmstr)

/a jmp eax

Assemble opcode and search its bytes

Search for AES expanded keys

/r sym.printf

Analyze opcode reference an offset

Search for ROP gadgets

Show offset of previous instruction

/m magicfile

Search for matching magic file

/p patternsize

Search for pattern of given size

/z min max

Search for strings of given size

/v[?248] num

Look for a asm.bigendian 32bit value

Saving

By default, when you open a file in write mode (r2 -w) all changes will be written directly into the file. No undo history is saved by default.

Use e io.cache.write=true and the wc command to manage the write cache history changes. To undo, redo, commit them to write the changes on the file..

If, instead, we want to save the analysis information, comments, flags and other user-created metadata, we may want to use projects with r2 -p and the P command.

Command

Description

Po [file]

Open project

Ps [file]

Save project

Pi [file]

Show project information

Usable variables in expression

All commands in r2 that accept a number supports the use of those variables.

Command

Description

here (current virtual seek)

$$$

current non-temporary virtual seek

last comparison value

$alias=value

alias commands (simple macros)

block size

base address (aligned lowest map address)

jump fail address (e.g. jz 0x10 => next instruction)

$fl

flag length (size) at current address (fla; pD $l @ entry0)

current function size

$FB

begin of function

$Fb

address of the current basic block

$Fs

size of the current basic block

$FE

end of function

$FS

function size

$Fj

function jump destination

$Ff

function false destination

$FI

function instructions

$c,$r

get width and height of terminal

$Cn

get nth call of function

$Dn

get nth data reference in function

current debug map base address ?v $D @ rsp

$DD

current debug map size

1 if end of block, else 0

jump address (e.g. jmp 0x10, jz 0x10 => 0x10)

$Ja

get nth jump of function

$Xn

get nth xref of function

opcode length

opcode memory reference (e.g. mov eax,[0x10] => 0x10)

map address (lowest map address)

here (current disk io offset)

getpid()

pid of children (only in debug)

file size

section offset

$SS

section size

opcode immediate value (e.g. lui a0,0x8010 => 0x8010)

get word size, 4 if asm.bits=32, 8 if 64, ...

${ev}

get value of eval config variable

$r{reg}

get value of named register

$k{kv}

get value of an sdb query value

$s{flag}

get size of flag

RNum

$variables usable in math expressions

上一页.outro 下一页Acknowledgments

最后更新于4年前

这有帮助吗？