@sharpicx
Forked from xelemental/Radare2.md
Created November 2, 2022 17:01

Command line options

-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
-i [file]: Interpret an r2 script
-A: Analyze executable at load time (xrefs, etc)
-n: Bare load. Do not load executable info such as the entrypoint
-c 'cmds': Run r2 and execute commands (e.g. r2 -wqc'wx 3c @ main')
-p [prj]: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
-: Opens r2 with the malloc plugin, which gives a 512-byte memory area to play with (size can be changed)
	Similar to r2 malloc://512

Configuration properties

They can be used in evaluations: ? ${asm.tabs}

e: Returns configuration properties
e <property>: Checks a specific property:
	e asm.tabs => false
e <property>=<value>: Change property value
	e asm.arch=ppc
e?: Help about a configuration property
	e? cmd.stack

Basic Commands

Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe]

    ; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
    | Pipe with shell commands: pd | less
    ! Run shell commands: !cat /etc/passwd
    !! Escapes to shell, runs the command and passes the output to the radare buffer
    Note: The double exclamation mark tells radare to skip searching the IO plugin list for a plugin that handles this command and to launch it directly in the shell. A single one walks through the IO plugin list.
    ` Radare commands: wx `!ragg2 -i exec`
    ~ grep
    ~! grep -v
    ~[n] grep by columns: afl~[0]
    ~:n grep by rows: afl~:0


    ?$? Help for variables used in expressions
    $$: Here
    $s: File size
    $b: Block size
    $l: Opcode length
    $j: When $$ is at a jmp, $j is the address where we are going to jump to
    $f: Same for jmp fail address
    $m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
    ??? Help for ? command
    ?i Takes input from stdin, e.g. ?i username
    ?? Result from previous operations
    ?s from to [step]: Generates a sequence from "from" to "to" every "step"
    ?p: Get physical address for given virtual address
    ?P: Get virtual address for given physical one
    ?v Show hex value of math expr

Function analysis (normal mode)

af: Analyze functions
afl: List all functions
	number of functions: afl~?
afi: Returns information about the function we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
	afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
	af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)