Reversing with Radare2 Shell interaction Some variables

asm.pseudo enable pseudo-code syntax

Command output can be redirected to a file by appending >filename (in visual mode, toggle with: $)
Starting Radare or piped to an external command with |progname [args]. Examples: asm.bytes display bytes of each instruction
The basic usage is radare2 executable (on some systems you can use afl > all functions and afl | wc -l. asm.describe show opcode description
r2 instead of radare2); if you want to run radare2 without opening asm.cmtright comments at right of disassembly if they fit
External commands can be run with !!progname [args]. Note: if a
any file, you can use -- instead of an executable name. asm.emu run ESIL emulation analysis on disasm
command starts with a single !, the rest of the string is passed to cur-
Some command-line options are: asm.demangle Show demangled symbols in disasm
rently loaded IO plugin (only if no plugin can handle the command,
-d file|pid debug executable file or process pid it is passed to the shell).
-A analyze all referenced code (aaa command) bin.demangle Import demangled symbols from RBin
-R profile.rr2 specifies rarun2 profile (same as External commands can also be run with #!pipe, see below in Python
-e dbg.profile=profile.rr2) scripting. cmd.stack command to display the stack in visual
-w open file in write mode debug mode (Eg: px 32)
The output of external programs can be used as arguments for internal
-p prj use project prj
commands by using back-ticks to enclose the invocation of external dbg.follow.child continue tracing the child process on fork
-p list projects
commands; e.g. pdf echo 3 @ echo entry0.
-h show help message (-hh the verbose one)
io.cache enable cache for IO changes
Example: r2 -dA /bin/ls (AKA non-persistent write-mode)
Radare scripting
General information scr.utf8 show nice UTF-8 chars instead of ANSI
. filename interpret r2 script filename (Windows: switch code-page with chcp 65001)
The command ? prints the help. Command names are hierarchically
.! command interpret output of command as r2 commands scr.nkey select seek mode (fun, hit, flag); affects commands
defined; for instance, all printing commands start with p. So, to un-
n and N during visual mode
derstand what a command does, you can append ? to a prefix of such
scr.wheel enables mouse-wheel in visual mode
a command; for instance, to learn what pdf does, you can first try
pd?, then the more general p?.
Python scripting
Example: my ~/.radare2rc
Single-line comments can be entered using #; e.g. s # where R we?.
Assuming that Python extension has been installed (#! lists installed e asm.bytes=0
Command ? can also be used to evaluate an expression and print its extensions) an, interactive Python interpreter can be spawned with
result in various format; e.g. ? 5 * 8 + 2 (note the space between e scr.utf8=true
#!python and a script can be run with #!python script-filename. e asm.cmtright=true
? and the expression). There are also some special $-variables (list
all of them with: ?$?): Inside the spawned interpreter r2 is an r2pipe object that can be used e cmd.stack=px 32
to interact with the same instance of Radare, by invoking method cmd; e scr.wheel=false
$$ current virtual seek eco solarized
$b block size e.g. print(r2.cmd(pdf @ entry0)).
Where an address addx is expected, you can provide any expression In a script, and inside any Python interpreter (in)directly run with
that evaluates to an address, e.g. a function name or a register name. #!pipe cmd, the same behaviour can be obtained by importing r2pipe Searching: /
In this cheatsheet we sometimes use fn-name, instead of addx, to and inizializing r2 with r2pipe.open("#!pipe").
emphasize that the argument is supposed to be a function starting / str search for string str
address. As default address is (usually?) used the current seek: $$. You can make most Radare2 commands output in JSON format by /x hstr search for hex-string hstr
appending a j; e.g. pdfj (instead of pdf). /a asm-instr assemble instruction and search for its bytes
All commands that:
/R opcode find ROP gadgets containing opcode;
accept an optional size (e.g. pd), use the current block size by Method cmdj can de-serialize JSON output into Python objects; e.g. see: http://radare.today/posts/ropnroll/
default (see: b) f = r2.cmdj(pdfj @ entry0) It seems you need to be in debug mode to use this (?!?)
print f[name], f[addr], f[ops][0][opcode] Also: e??search for options
accept an optional address (e.g., pdf), use the current position
by default (see: s)
Configuration Seeking: s
Internal grep-like filtering s print current position/address
You can filter command output by appending ~[!]str, to display only e?? list all variable names and descriptions s addx seek to addx
rows [not] containing string str ; e.g. pdf~rdx and pdf~!rdx. You can e?[?] var-name show description of var-name s+ n seek n bytes forward
further filter by appending e var-name show the value of var-name s++ seek block-size bytes forward
e show the value of all variables s- n seek n bytes backward
:r to display row r (0 r < #rows or, backwards
eco theme-name select theme; eg. eco solarized s-- seek block-size bytes backward
with: #rows r 1)
eco list available themes s- undo seek
[c] to display column c (0 c < #cols)
b display current block size s+ redo seek
:r[c] to display column c of row r
b size set block size s= list seek history
Examples: afl~[0], afl~malloc[0], pdf~:2 and pdf~mov:2 env [name [=value]] get/set environment variables s* list seek history as r2-commands
Writing: w Debugging: d Seeking (in Visual Mode)
wa asm-instr assemble and write opcodes; for more instructions ?d opcode description of opcode (eg. ?d jle) . seeks to program counter
the whole command must be quoted: dc continue (or start) execution Enter on jump/call instructions, follow target address
"wa asm-instr1 ; asm-instr2 ; . . . " dcu addx continue until addx is reached u undo
w str write string str dcs [name] continue until the next syscall (named name, U redo
wz str write string str and append byte \x00 if specified) o go/seek to given offset
wx hex-pairs write hex-pairs dcr continue until ret (uses step over) 0 seek to beginning of current function
dr= show general-purpose regs and their values d (a non-zero digit) jump to the target marked [d]
Analysis (functions and syscalls): a dro show previous (old) values of registers ml (a letter) mark the spot with letter l
aaa analyze (aa) and auto-name all functions drr show register references (telescoping) l jump to mark l
afl list functions dr reg-name = value set register value n jump to next function
afll list functions with details drt list register types N jump to previous function
afi fn-name show verbose info for fn-name drt type list registers of type type and their values Debugging (in Visual Mode)
afn new-name addx name function at address addx db list breakpoints
afn new-name old-name rename function db addx add breakpoint b or F2 toggle breakpoint
asl list syscalls db -addx remove breakpoint F4 run to cursor
asl name display syscall-number for name doo args (re)start debugging s or F7 step-into
asl n display name of syscall number n ood synonym for doo S or F8 step-over
afvd var-name output r2 command for displaying the ds step into F9 continue
address and value of arg/local var-name dso step over Flags (AKA bookmarks): f
.afvd var-name display address and value of var-name dbt display backtrace
Note: in order to get your defined names appear in disassembly, you
afvn name new-name rename argument/local variable drx hardware breakpoints
must include a prefix (fun, sub, obj, . . . ); e.g. f obj.foo @ 0x1234
afvt name type change type for given argument/local dm list memory maps; the asterisk shows where
f name @ addx or
axt addx find data/code references to addx the current offset is
f name = addx associate name name to address addx
dmp change page permissions (see: dmp?)
Graphviz/graph code: ag f- @ addx remove the association at address addx
ag addr output graphviz code (BB at addr and children) Types: t f- name remove the association with name name
E.g. view the function graph with: ag $$ | xdot -
"td C-type-def " define a new type Comments: C
agc addr callgraph of function at addx CC list all comments in human friendly form
t t-name show type t-name in pf syntax
agC full program callgraph CCu text [@ addx ] set (update?) comment text at addx
.t t-name @ addx display the value (of type t-name) at addx
CC text [@ addx ] append comment text at addx
Information: i t list (base?) types
CC- [@ addx ] remove comment at addx
i show info of current file te list enums
ts list structs CC. [@ addx ] show comment at addx
ie entrypoint
tu list unions CC! [@ addx ] edit comment using cfg.editor (vim, . . . )
iz strings in data sections
to file parse type information from C header file
izz strings in the whole binary
tl t-name link t-name to current address
Projects: P
il libraries Pl list all projects
ii imports tl t-name = addx link t-name to address addx
tl list all links in readable format Ps [prj-name] save project prj-name
iS sections Po prj-name open project prj-name
Printing: p Visual mode: V Pd prj-name delete project prj-name
ps [@ addx ] print C-string at addx (or current position) Command V enters visual mode. Running in different environments: rarun2
pxr [n] [@ addx ] print n bytes (or block-size), as words, with q exit visual-mode rarun2 is used as a launcher for running programs with different envi-
references to flags and code (telescoping) at c cursor-mode, tab switches among stack/regs/disassembly ronment, arguments, permissions, directories and overridden default
addx (or current position) : execute a normal-mode command; e.g. :dm file-descriptors. Usage:
px [n] [@ addx ] hexdump p and P rotate forward/backward print modes rarun2 [-t|script-name.rr2] [directives] [--] [prog-name] [args]
pxh . . . hexdump half-words (16 bits) /str highlight occurences of string str rarun2 -t shows the terminal name, say , and wait for a connec-
pxw . . . hexdump words (32 bits) $ toggle pseudo-syntax tion from another process. For instance, from another terminal, you
pxq . . . hexdump quad-words (64 bits) O toggle ESIL-asm can execute rarun2 stdio= program=/bin/sh (use stdin/stdout to
pxl [n] [@ addx ] display n rows of hexdump ; add/remove comments (to current offset) redirect one stream only).
px/fmt [@ addx ] gdb-style printing fmt (in gdb see: help x x browse xrefs-to current offset rarun2 supports a lot of directives, see the man page.
from r2: !!gdb -q -ex help x -ex quit) X browse xrefs-from current function
pd [n] [@ addx ] disassemble n instructions browse flags Copyright 2017
c by zxgio; cheat-sheet built on August 21, 2017
pD [n] [@ addx ] disassemble n bytes d define function, end-function, rename, . . . This cheat-sheet may be freely distributed under the terms of the GNU
General Public License; the latest version can be found at:
pd -n [@ addx ] disassemble n instructions backwards V enter block-graph viewer
https://github.com/zxgio/r2-cheatsheet/
pdf [@ fn-name] disassemble function fn-name A enter visual-assembler
pdc [@ fn-name] pseudo-disassemble in C-like syntax n/N seek next/previous function/flag/hit (see scr.nkey)