Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save tin-z/b80498d4ded2d55a74b0372b10653910 to your computer and use it in GitHub Desktop.
Save tin-z/b80498d4ded2d55a74b0372b10653910 to your computer and use it in GitHub Desktop.

radare2

Basics

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main

project management

  • open project: Po <name>
  • save project: Ps <name>
  • edit project notes: Pn -

inspecting a function

  • show basic block disassembly: pdb
  • show function disassembly: pdf
  • show function arguments: afa
  • show function variables: afv
  • rename function variable: afvn
  • set function variable type: afvt
  • add/analyze function: af

comments:

by default, these get displayed in disassembly listings to the right of a line. disable them in V visual mode using ' (single quote).

multiline comments are not rendered handled well. they don't look pretty.

  • add comment (using editor): CC!
    • note: multiline comments are not formatted nicely
  • append comment: CC <text>
  • overwrite comment: CCu <text>
  • show comment: CC.
  • show comment in this function: CCf

pipe,grep,etc

  • exec multiple cmd: ;
  • pipeline cmd: |
  • run shell cmd: '!' , and give output back to r2 buffer: '!!'
  • grep:
    • <cmd>~<string> grep string from command output
    • <cmd>~[n] grep also the 'n' column
    • <cmd>~:n grep also the 'n' row

Analysis, assembly, memory

  • analyze functions: af
  • analyze stack: ad@rsp or ad@esp
  • Search for opcode: /a
  • Search for rop/jop/etc: /R
  • Search for bytes: /x
  • Get offset for the actual seek point address: ?p

Visual mode

  • enter visual mode: V
  • select function, variable, xref: v
  • quick command/seek: _ <search string>
  • custom quick command list: ??
  • show cursor: c
  • set function name: d
  • add comment: ;
  • remove comment: ;-

"flag" means give something a type. like function or symbol.

graph mode

graph mode is not visual mode!

  • enter graph modes: VV

  • cycle types of graphs:

    • forward: p
    • backwards: P
  • types of graphs:

    • graph view
    • graph view + opcode bytes
    • esil
    • esil + comments
    • overview
  • seek to function: g<identifier>

  • undo seek: u

  • show comments: '

  • add comment: /

  • add comment (complex): :CC!

  • select bb: ???

  • seek to next bb: tab

  • seek to previous bb: TAB

  • if bb has conditional branch:

    • seek to True target: t
    • seek to False target: f

Configuration

recommended contents of ~/.radare2rc:

# Show comments at right of disassembly if they fit in screen
e asm.cmt.right=true

# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true

# Solarized theme
eco solarized

# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true

via: https://github.com/radare/radare2/blob/25fec0ebec47b2df5d5413f81db773d674cc65bb/doc/intro.md#configuration-properties

Other cheatsheet

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment