Radare2 cheat Sheet

Radare2 cheat Sheet | All radare2 commands that you might need in an easily organized way.

 

Command line options

commanddefinition
-LList of supported IO plugins
-qExit after processing commands
-wWrite mode enabled
-i [file]Interprets a r2 script
-AAnalyze executable at load time (xrefs, etc)
-nBare load. Do not load executable info as the entrypoint
-c ‘cmds’Run r2 and execute commands (eg: r2 -wqc’wx 3c @ main’)
-p [prj]Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed) Similar to r2 malloc://512

Configuration properties

They can be used in evaluations:? ${asm.tabs}

e: Returns configuration properties
e <property>: Checks a specific property:
  e asm.tabs => false
e <property>=<value>: Change property value
  e asm.arch=ppc
e? help about a configuration property
  e? cmd.stack

You will want to set your favourite options in ~/.radare2rc since every line there will be interpreted at the beginning of each session. Mine for reference:

# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true

# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true

# Solarized theme
eco solarized

# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true

There is an easier interface accessible from the Visual mode, just typing Ve

Basic Commands

Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe]

commanddefinitionexample
;Command chainingx 3;s+3;pi 3;s+3;pxo 4;
|Pipe with shell commandspd | less
!Run shell commands!cat /etc/passwd
!!Escapes to shellrun command and pass output to radare buffer
NoteThe double exclamation mark tells radare to skip the plugin list tofind an IO
\`Radare commandswx `!ragg2 -i exec`
~grep
~!grep -v
~[n]grep by columnsafl~[0]
~:ngrep by rowsafl~:0
  pi~mov,eax        ; lines with mov or eax
  pi~mov&eax        ; lines with mov and eax
  pi~mov,eax:6        ; 6 first lines with mov or eax
  pd 20~call[0]:0       ; grep first column of the first row matching 'call'
  • .cmd Interprets command output
is* prints symbols
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
commanddefinition
..repeats last commands (same as enter \n)
(Used to define and run macros
$Used to define alias
$$Resolves to current address
Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
?Evaluate expression
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000

Note: | and & need to be escaped
commanddefinition
?$?Help for variables used in expressions
$$Here
$sFile size
$bBlock size
$lOpcode length
$jWhen $$ is at a jmp$j is the address where we are going to jump to
$fSame for jmp fail address
$mOpcode memory reference (e.g. mov eax,[0x10] => 0x10)
???Help for ? command
?iTakes input from stdin. Eg ?i username
??Result from previous operations
?s from to [step]Generates sequence from <from> to <to> every <step>
?pGet physical address for given virtual address
?PGet virtual address for given physical one
?vShow hex value of math expr
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140  = 0xa
commanddefinition
?l strReturns the length of string
@@Used for iterations
wx ff @@10 20 30      Writes ff at offsets 10, 20 and 30
wx ff @@`?s  1 10 2`  Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.*        Writes a nop on every symbol

Positioning

commanddefinition
s addressMove cursor to address or symbol
s-5(5 bytes backwards)
s-undo seek
s+redo seek

Block size

The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20)

commanddefinition
b sizeChange block size

JSON Output

Most of commands such as (i)nfo and (p)rint commands accept a j to print their output in json

[0x100000d78]> ij
{"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}

Analyze

commanddefinition
aaAnalyze all (fcns + bbs) same that running r2 with -A
adAnalyze data
[email protected](analyze the stack)
ahl (length) (range)fake opcode length for a range of bytes

Function analysis (normal mode)

commanddefinitionnotes
afAnalyze functions
aflList all functions
afl~?number of functions
afiReturns information about the functions we are currently at
afrRename function: structure and flag
afr offRestore function name set by r2
afnRename functionafn strlen 0x080483f0
af-Removes metadata generated by the function analysis
af+Define a function manually given the start address and lengthaf+ 0xd6f 403 checker_loop
axtReturns cross references to (xref to)
axfReturns cross references from (xref from)

Function analysis (visual mode)

commanddefinition
d, fFunction analysis
d, uRemove metadata generated by function analysis

Opcode analysis

commanddefinition
ao xAnalyze x opcodes from current offset
a8 bytesAnalyze the instruction represented by specified bytes

Information

commanddefinition
iIFile info
izStrings in data section
izzStrings in the whole binary
iSSections
iS~wreturns writable sections
isSymbols
is~FUNCexports
ilLinked libraries
iiImports
ieEntrypoint

Mitigations

commanddefinition
i~piccheck if the binary has position-independent-code
i~nxcheck if the binary has non-executable stack
i~canarycheck if the binary has canaries

Get function address in GOT table: pd 1 @ sym.imp<funct> Returns a jmp [addr] where addr is the address of function in the GOT. Similar to objdump -R | grep <func>

Print

commanddefinition
psz n @ offsetPrint n zero terminated String
px n @ offsetPrint hexdump (or just x) of n bytes
pxw n @ offsetPrint hexdump of n words
pxw [email protected]prints hexadecimal words at address
pd n @ offsetPrint n opcodes disassembled
pD n @ offsetPrint n bytes disassembled
pi n @ offsetPrint n instructions disassembled (no address, XREFs, etc. just instructions)
pdf @ offsetPrint disassembled function
pdf~XREF(grep: XREFs)
pdf~call(grep: calls)
pcp n @ offsetPrint n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
commanddefinition
p8 n @ offsetPrint n bytes (8bits) (no hexdump)
pvPrint file contents as IDA bar and shows metadata for each byte (flags , …)
ptInterpret data as dates
pfPrint with format
pf.list all formats
p=Print entropy ascii graph

Write

commanddefinition
wxWrite hex values in current offset
wx 123456
wx ff @ 4
waWrite assembly
wa jnz 0x400d24
wcWrite cache commit
wvWrites value doing endian conversion and padding to byte
wo[x]Write result of operation
  wow 11223344 @102!10
    write looped value from 102 to 102+10
    0x00000066  1122 3344 1122 3344 1122 0000 0000 0000
  wox 0x90
    XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
  wox 67 @4!10
    XOR from offset 4 to 10 with value 67
commanddefinition
wf fileWrites the content of the file at the current address or specified offset (ASCII characters only)
wF fileWrites the content of the file at the current address or specified offset
wt file [sz]Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
wopO 41424344get the index in the De Bruijn Pattern of the given word

Flags

Flags are labels for offsets. They can be grouped in namespaces as sym for symbols …

commanddefinition
fList flags
f label @ offsetDefine a flag label at offset
f str.pass_len @ 0x804999c
f-labelRemoves flag
frRename flag
fdReturns position from nearest flag (looking backwards). Eg => entry+21
fsShow all flag spaces
fs flagspaceChange to the specified flag space

yank & paste

commanddefinition
y nCopies n bytes from current position
yShows yank buffer content with address and length where each entry was copied from
ypPrints yank buffer
yy offsetPaste the contents of the yank buffer at the specified offset
yt n target @ sourceYank to. Copy n bytes from source to target address

Visual Mode

V enters visual mode

commanddefinition
qExits visual mode
hjklmove around (or HJKL) (left-down-up-right)
ogo/seek to given offset
?Help
.Seek EIP
(enter)Follow address of the current jump/call
:cmdEnter radare commands. Eg: x @ esi
d[f?]Define cursor as a string, data, code, a function, or simply to undefine it.
drRename a function
dfDefine a function
vGet into the visual code analysis menu to edit/look closely at the current function.
p/PRotate print (visualization) modes
    hex, the hexadecimal view
    disasm, the disassembly listing
    Use numbers in [] to follow jump
    Use "u" to go back
    debug, the debugger
    words, the word-hexidecimal view
    buf, the C-formatted buffer
    annotated, the annotated hexdump.
commanddefinition
cChanges to cursor mode or exits the cursor mode
selectShift+[hjkl]
iInsert mode
aassembly inline
AAssembly in visual mode
yCopy
YPaste
fCreates a flag where cursor points to
(tab)in the hexdump view to toggle between hex and strings columns
VView ascii-art basic block graph of current function
WWebUI
x, XXREFs to current function. (“u” to go back)
ttrack flags (browse symbols, functions..)
gGBegging or end of file

HUD

commanddefinition
_Show HUD
backspaceExits HUD
We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmtAdd/remove comment
m(char)Define a bookmark
‘(char)Go to previously defined bookmark

ROP

commanddefinitionnotes
/R opcodesSearch opcodes/R pop,pop,ret
/Rl opcodesSearch opcodes and print them in linear way/Rl jmp eax,call ebx
/aSearch assembly/a jmp eax
pdaReturns a library of gadgets that can be use. These gadgets are obtained by disassembling byte per byte instead of obeying to opcode length

Search depth can be configure with following properties:

e search.roplen = 4  (change the depth of the search, to speed-up the hunt)

Searching

commanddefinitionnotes
/ bytesSearch bytes\x7fELF

Example: Searching function preludes:

push ebp
mov ebp, esp

Opcodes: 5589e5

/x 5589e5
  [# ]hits: 54c0f4 < 0x0804c600  hits = 1
  0x08049f70 hit0_0 5589e557565383e4f081ec
  0x0804c31a hit0_1 5589e583ec18c704246031
  0x0804c353 hit0_2 5589e583ec1889442404c7
  0x0804c379 hit0_3 5589e583ec08e87cffffff
  0x0804c3a2 hit0_4 5589e583ec18c70424302d

pi 5 @@hit* (Print 5 first instructions of every hit)

Its possible to run a command for each hit. Use the cmd.hit property:

e cmd.hit=px

Comments and defines

commanddefinition
Cd [size]Define as data
C- [size]Define as code
Cs [size]Define as String
Cf [size]Define as struct

We can define structures to be shown in the disassembly

commanddefinition
CCList all comments or add a new comment in console mode
C*Show all comments/metadata
CC (comment)add new comment
CC-remove comment

Magic files

commanddefinition
pmPrint Magic files analysis
  [0x00000000]> pm
  0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1

Search for magic numbers

commanddefinition
/m [magicfile]Search magic number headers with libmagic

Search can be controlled with following properties

search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in

Yara

Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.

:yara scan

Zignatures

Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries.

commanddefinitionnotes
zg (language) (output file)Generate signatures
egzg go go.zRun the generated script to load signatures eg: . go.z
zTo show signatures loaded

Zignatures are applied as comments

r2-(pid2)> pd 35 @ 0x08049adb-10
|          0x08049adb   call fcn.0805b030
|             fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
|          0x08049ae0   add esp, 0xc
|          0x08049ae3   call fcn.08095580

Compare files

commanddefinition
r2 -m 0xf0000 /etc/fstabOpen source file
o /etc/issueOpen file2 at offset 0
oList both files
cc offsetDiff by columns between current offset address and “offset”

Graphs

Basic block graphs

commanddefinition
afLoad function metadata
ag $$ > a.dotDump basic block graph to file
ag $$ | xdot –Show current function basic block graph

Call graphs

commanddefinition
afLoad function metadata
agc $$ > b.dotDump basic block graph to file

Convert .dot in .png

$ dot -Tpng -o /tmp/b.png b.dot

Generate graph for file:

$ radiff2 -g main crackme.bin crackme.bin > /tmp/a
$ xdot /tmp/a

Debugger

Start r2 in debugger mode. r2 will fork and attach

$ r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")

$ ptrace://pid (debug backend does not notice, only access to mapped memory)

To pass arguments

$ r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)

To pass stdin

$ r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)

Commands

commanddefinition
doReopen program
dpShows debugged process, child processes and threads
dcContinue
dcu (address or symbol)Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]Continue until syscall(eg: write), fork, call, program address (To exit a library)
dsStep in
dsoStep out
dssSkip instruction
dr register=valueChange register value
dr(=)?Show register values
db addressSets a breakpoint at address
db sym.mainadd breakpoint into sym.main
db 0x804800add breakpoint
db -0x804800remove breakpoint
dsi (conditional step)Eg: “dsi eax==3,ecx>0”
dbtShows backtrace
drrDisplay in colors and words all the refs from registers or memory
dmShows memory map (* indicates current section)
  [0xb776c110]> dm
  sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
  sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
  sys 0xb776a000 - 0xb776b000 s r-x [vdso]
  sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
  sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
  sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]

To follow child processes in forks (set-follow-fork-mode in gdb)

dcf until a fork happen
then use dp to select what process you want to debug.

PEDA like details: drr;pd [email protected];pxr [email protected]

Debug in visual mode

toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9

WebGUI (Enyo)

=h: Start the server
=H: Start server and browser

Radare2 suite commands

All suite commands include a -r flag to generate instructions for r2

rax2 – Base conversion

commanddefinition
-eChange endian
-Krandom ASCII art to represent a number/hash. Similar to how SSH represents keys
-shexstr -> raw
-Sraw -> hexstr

rahash2 – Entropy, hashes and checksums

commanddefinition
-aSpecify the algorithm
-b XXXBlock size
-BPrint all blocks
-a entropyShow file entropy or entropy per block (-B -b 512 -a entropy)

radiff2 – File diffing

commanddefinition
-sCalculate text distance from two files.
-dDelta diffing (For files with different sizes. Its not byte per byte)
-CCode diffing (instead of data)

Examples

Diff original and patched on x86_32, using graphdiff algorithm
$ radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
$ radiff2 -a x86 -b32 original patched :

rasm2 – Assembly/Disassembly

commanddefinitionnotes
-LSupported architectures
-a arch instructionSets architecturerasm2 -a x86 ‘mov eax,30’ => b81e000000
-b tamSets block size
-dDisassemblyrasm2 -d b81e000000 => mov eax, 0x1e
-CAssembly in C outputrasm2 -C ‘mov eax,30’ => “\xb8\x1e\x00\x00\x00”
-DDisassemble showing hexpair and opcoderasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e
-fRead data from file instead of ARG.
-O filenameWrite data to file

rafind2 – Search

commanddefinition
-ZLook for Zero terminated strings
-s strLook for specific string

ragg2 – Shellcode generator, C/opcode compiler

commanddefinitionnotes
-PGenerate De Bruijn patternsragg2 -P 300 -r
-a archConfigure architecture
-b bitsSpecify architecture bits (32/64)
-i shellcodeSpecify shellcode to generate
-e encoderSpecify encoder

Example

Generate a x86, 32 bits exec shellcode
$ ragg2 -a x86 -b 32 -i exec

rabin2 – Executable analysis: symbols, imports, strings …

commanddefinition
-IExecutable information
-cReturns classes. Useful to list Java Classes
-lDynamic linked libraries
-sSymbols
-zStrings

rarun2 – Launcher to run programs with different environments, args, stdin, permissions, fds

Examples:

$ r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r)
runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
$ r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
runs /bin/ls with the output of exploit.py directed to stdin

source

Leave a Reply