Reversing with Radare2 Shell interaction Some variables
asm.pseudo enable pseudo-code syntax
Command output can be redirected to a file by appending >filename (in visual mode, toggle with: $) Starting Radare or piped to an external command with |progname [args]. Examples: asm.bytes display bytes of each instruction The basic usage is radare2 executable (on some systems you can use afl > all functions and afl | wc -l. asm.describe show opcode description r2 instead of radare2); if you want to run radare2 without opening asm.cmtright comments at right of disassembly if they fit External commands can be run with !!progname [args]. Note: if a any file, you can use -- instead of an executable name. asm.emu run ESIL emulation analysis on disasm command starts with a single !, the rest of the string is passed to cur- Some command-line options are: asm.demangle Show demangled symbols in disasm rently loaded IO plugin (only if no plugin can handle the command, -d file|pid debug executable file or process pid it is passed to the shell). -A analyze all referenced code (aaa command) bin.demangle Import demangled symbols from RBin -R profile.rr2 specifies rarun2 profile (same as External commands can also be run with #!pipe, see below in Python -e dbg.profile=profile.rr2) scripting. cmd.stack command to display the stack in visual -w open file in write mode debug mode (Eg: px 32) The output of external programs can be used as arguments for internal -p prj use project prj commands by using back-ticks to enclose the invocation of external dbg.follow.child continue tracing the child process on fork -p list projects commands; e.g. pdf echo 3 @ echo entry0. -h show help message (-hh the verbose one) io.cache enable cache for IO changes Example: r2 -dA /bin/ls (AKA non-persistent write-mode) Radare scripting General information scr.utf8 show nice UTF-8 chars instead of ANSI . filename interpret r2 script filename (Windows: switch code-page with chcp 65001) The command ? prints the help. Command names are hierarchically .! command interpret output of command as r2 commands scr.nkey select seek mode (fun, hit, flag); affects commands defined; for instance, all printing commands start with p. So, to un- n and N during visual mode derstand what a command does, you can append ? to a prefix of such scr.wheel enables mouse-wheel in visual mode a command; for instance, to learn what pdf does, you can first try pd?, then the more general p?. Python scripting Example: my ~/.radare2rc Single-line comments can be entered using #; e.g. s # where R we?. Assuming that Python extension has been installed (#! lists installed e asm.bytes=0 Command ? can also be used to evaluate an expression and print its extensions) an, interactive Python interpreter can be spawned with result in various format; e.g. ? 5 * 8 + 2 (note the space between e scr.utf8=true #!python and a script can be run with #!python script-filename. e asm.cmtright=true ? and the expression). There are also some special $-variables (list all of them with: ?$?): Inside the spawned interpreter r2 is an r2pipe object that can be used e cmd.stack=px 32 to interact with the same instance of Radare, by invoking method cmd; e scr.wheel=false $$ current virtual seek eco solarized $b block size e.g. print(r2.cmd(pdf @ entry0)). Where an address addx is expected, you can provide any expression In a script, and inside any Python interpreter (in)directly run with that evaluates to an address, e.g. a function name or a register name. #!pipe cmd, the same behaviour can be obtained by importing r2pipe Searching: / In this cheatsheet we sometimes use fn-name, instead of addx, to and inizializing r2 with r2pipe.open("#!pipe"). emphasize that the argument is supposed to be a function starting / str search for string str address. As default address is (usually?) used the current seek: $$. You can make most Radare2 commands output in JSON format by /x hstr search for hex-string hstr appending a j; e.g. pdfj (instead of pdf). /a asm-instr assemble instruction and search for its bytes All commands that: /R opcode find ROP gadgets containing opcode; accept an optional size (e.g. pd), use the current block size by Method cmdj can de-serialize JSON output into Python objects; e.g. see: http://radare.today/posts/ropnroll/ default (see: b) f = r2.cmdj(pdfj @ entry0) It seems you need to be in debug mode to use this (?!?) print f[name], f[addr], f[ops][0][opcode] Also: e??search for options accept an optional address (e.g., pdf), use the current position by default (see: s) Configuration Seeking: s Internal grep-like filtering s print current position/address You can filter command output by appending ~[!]str, to display only e?? list all variable names and descriptions s addx seek to addx rows [not] containing string str ; e.g. pdf~rdx and pdf~!rdx. You can e?[?] var-name show description of var-name s+ n seek n bytes forward further filter by appending e var-name show the value of var-name s++ seek block-size bytes forward e show the value of all variables s- n seek n bytes backward :r to display row r (0 r < #rows or, backwards eco theme-name select theme; eg. eco solarized s-- seek block-size bytes backward with: #rows r 1) eco list available themes s- undo seek [c] to display column c (0 c < #cols) b display current block size s+ redo seek :r[c] to display column c of row r b size set block size s= list seek history Examples: afl~[0], afl~malloc[0], pdf~:2 and pdf~mov:2 env [name [=value]] get/set environment variables s* list seek history as r2-commands Writing: w Debugging: d Seeking (in Visual Mode) wa asm-instr assemble and write opcodes; for more instructions ?d opcode description of opcode (eg. ?d jle) . seeks to program counter the whole command must be quoted: dc continue (or start) execution Enter on jump/call instructions, follow target address "wa asm-instr1 ; asm-instr2 ; . . . " dcu addx continue until addx is reached u undo w str write string str dcs [name] continue until the next syscall (named name, U redo wz str write string str and append byte \x00 if specified) o go/seek to given offset wx hex-pairs write hex-pairs dcr continue until ret (uses step over) 0 seek to beginning of current function dr= show general-purpose regs and their values d (a non-zero digit) jump to the target marked [d] Analysis (functions and syscalls): a dro show previous (old) values of registers ml (a letter) mark the spot with letter l aaa analyze (aa) and auto-name all functions drr show register references (telescoping) l jump to mark l afl list functions dr reg-name = value set register value n jump to next function afll list functions with details drt list register types N jump to previous function afi fn-name show verbose info for fn-name drt type list registers of type type and their values Debugging (in Visual Mode) afn new-name addx name function at address addx db list breakpoints afn new-name old-name rename function db addx add breakpoint b or F2 toggle breakpoint asl list syscalls db -addx remove breakpoint F4 run to cursor asl name display syscall-number for name doo args (re)start debugging s or F7 step-into asl n display name of syscall number n ood synonym for doo S or F8 step-over afvd var-name output r2 command for displaying the ds step into F9 continue address and value of arg/local var-name dso step over Flags (AKA bookmarks): f .afvd var-name display address and value of var-name dbt display backtrace Note: in order to get your defined names appear in disassembly, you afvn name new-name rename argument/local variable drx hardware breakpoints must include a prefix (fun, sub, obj, . . . ); e.g. f obj.foo @ 0x1234 afvt name type change type for given argument/local dm list memory maps; the asterisk shows where f name @ addx or axt addx find data/code references to addx the current offset is f name = addx associate name name to address addx dmp change page permissions (see: dmp?) Graphviz/graph code: ag f- @ addx remove the association at address addx ag addr output graphviz code (BB at addr and children) Types: t f- name remove the association with name name E.g. view the function graph with: ag $$ | xdot - "td C-type-def " define a new type Comments: C agc addr callgraph of function at addx CC list all comments in human friendly form t t-name show type t-name in pf syntax agC full program callgraph CCu text [@ addx ] set (update?) comment text at addx .t t-name @ addx display the value (of type t-name) at addx CC text [@ addx ] append comment text at addx Information: i t list (base?) types CC- [@ addx ] remove comment at addx i show info of current file te list enums ts list structs CC. [@ addx ] show comment at addx ie entrypoint tu list unions CC! [@ addx ] edit comment using cfg.editor (vim, . . . ) iz strings in data sections to file parse type information from C header file izz strings in the whole binary tl t-name link t-name to current address Projects: P il libraries Pl list all projects ii imports tl t-name = addx link t-name to address addx tl list all links in readable format Ps [prj-name] save project prj-name iS sections Po prj-name open project prj-name Printing: p Visual mode: V Pd prj-name delete project prj-name ps [@ addx ] print C-string at addx (or current position) Command V enters visual mode. Running in different environments: rarun2 pxr [n] [@ addx ] print n bytes (or block-size), as words, with q exit visual-mode rarun2 is used as a launcher for running programs with different envi- references to flags and code (telescoping) at c cursor-mode, tab switches among stack/regs/disassembly ronment, arguments, permissions, directories and overridden default addx (or current position) : execute a normal-mode command; e.g. :dm file-descriptors. Usage: px [n] [@ addx ] hexdump p and P rotate forward/backward print modes rarun2 [-t|script-name.rr2] [directives] [--] [prog-name] [args] pxh . . . hexdump half-words (16 bits) /str highlight occurences of string str rarun2 -t shows the terminal name, say , and wait for a connec- pxw . . . hexdump words (32 bits) $ toggle pseudo-syntax tion from another process. For instance, from another terminal, you pxq . . . hexdump quad-words (64 bits) O toggle ESIL-asm can execute rarun2 stdio= program=/bin/sh (use stdin/stdout to pxl [n] [@ addx ] display n rows of hexdump ; add/remove comments (to current offset) redirect one stream only). px/fmt [@ addx ] gdb-style printing fmt (in gdb see: help x x browse xrefs-to current offset rarun2 supports a lot of directives, see the man page. from r2: !!gdb -q -ex help x -ex quit) X browse xrefs-from current function pd [n] [@ addx ] disassemble n instructions browse flags Copyright
2017 c by zxgio; cheat-sheet built on August 21, 2017 pD [n] [@ addx ] disassemble n bytes d define function, end-function, rename, . . . This cheat-sheet may be freely distributed under the terms of the GNU General Public License; the latest version can be found at: pd -n [@ addx ] disassemble n instructions backwards V enter block-graph viewer https://github.com/zxgio/r2-cheatsheet/ pdf [@ fn-name] disassemble function fn-name A enter visual-assembler pdc [@ fn-name] pseudo-disassemble in C-like syntax n/N seek next/previous function/flag/hit (see scr.nkey)