Table of Contents
Radare2 cheat Sheet | All radare2 commands that you might need in an easily organized way.
Command line options
| command | definition |
|---|---|
| -L | List of supported IO plugins |
| -q | Exit after processing commands |
| -w | Write mode enabled |
| -i [file] | Interprets a r2 script |
| -A | Analyze executable at load time (xrefs, etc) |
| -n | Bare load. Do not load executable info as the entrypoint |
| -c ‘cmds’ | Run r2 and execute commands (eg: r2 -wqc’wx 3c @ main’) |
| -p [prj] | Creates a project for the file being analyzed (CC add a comment when opening a file as a project) |
| – | Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed) Similar to r2 malloc://512 |
Configuration properties
They can be used in evaluations:? ${asm.tabs}
e: Returns configuration properties
e <property>: Checks a specific property:
e asm.tabs => false
e <property>=<value>: Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
You will want to set your favourite options in ~/.radare2rc since every line there will be interpreted at the beginning of each session. Mine for reference:
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Solarized theme
eco solarized
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
There is an easier interface accessible from the Visual mode, just typing Ve
Basic Commands
Command syntax: [.][times][cmd][~grep][@[@iter]addr!size][|>pipe]
| command | definition | example |
|---|---|---|
; |
Command chaining | x 3;s+3;pi 3;s+3;pxo 4; |
| |
Pipe with shell commands | pd | less |
! |
Run shell commands | !cat /etc/passwd |
!! |
Escapes to shell | run command and pass output to radare buffer |
| Note | The double exclamation mark tells radare to skip the plugin list to | find an IO |
\` |
Radare commands | wx `!ragg2 -i exec` |
~ |
grep | |
~! |
grep -v | |
~[n] |
grep by columns | afl~[0] |
~:n |
grep by rows | afl~:0 |
pi~mov,eax ; lines with mov or eax
pi~mov&eax ; lines with mov and eax
pi~mov,eax:6 ; 6 first lines with mov or eax
pd 20~call[0]:0 ; grep first column of the first row matching 'call'
.cmdInterprets command output
is* prints symbols
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
| command | definition |
|---|---|
.. |
repeats last commands (same as enter \n) |
( |
Used to define and run macros |
$ |
Used to define alias |
$$ |
Resolves to current address |
Offsets (@) are absolute, we can use $$ for relative ones @ $$+4 |
|
? |
Evaluate expression |
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000
Note: | and & need to be escaped
| command | definition |
|---|---|
?$? |
Help for variables used in expressions |
$$ |
Here |
$s |
File size |
$b |
Block size |
$l |
Opcode length |
$j |
When $$ is at a jmp, $j is the address where we are going to jump to |
$f |
Same for jmp fail address |
$m |
Opcode memory reference (e.g. mov eax,[0x10] => 0x10) |
??? |
Help for ? command |
?i |
Takes input from stdin. Eg ?i username |
?? |
Result from previous operations |
?s from to [step] |
Generates sequence from <from> to <to> every <step> |
?p |
Get physical address for given virtual address |
?P |
Get virtual address for given physical one |
?v |
Show hex value of math expr |
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140 = 0xa
| command | definition |
|---|---|
?l str |
Returns the length of string |
@@ |
Used for iterations |
wx ff @@10 20 30 Writes ff at offsets 10, 20 and 30
wx ff @@`?s 1 10 2` Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.* Writes a nop on every symbol
Positioning
| command | definition |
|---|---|
| s address | Move cursor to address or symbol |
| s-5 | (5 bytes backwards) |
| s- | undo seek |
| s+ | redo seek |
Block size
The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20)
| command | definition |
|---|---|
| b size | Change block size |
JSON Output
Most of commands such as (i)nfo and (p)rint commands accept a j to print their output in json
[0x100000d78]> ij
{"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}
Analyze
| command | definition |
|---|---|
| aa | Analyze all (fcns + bbs) same that running r2 with -A |
| ad | Analyze data |
| [email protected] | (analyze the stack) |
| ahl (length) (range) | fake opcode length for a range of bytes |
Function analysis (normal mode)
| command | definition | notes |
|---|---|---|
| af | Analyze functions | |
| afl | List all functions | |
| afl~? | number of functions | |
| afi | Returns information about the functions we are currently at | |
| afr | Rename function: structure and flag | |
| afr off | Restore function name set by r2 | |
| afn | Rename function | afn strlen 0x080483f0 |
| af- | Removes metadata generated by the function analysis | |
| af+ | Define a function manually given the start address and length | af+ 0xd6f 403 checker_loop |
| axt | Returns cross references to (xref to) | |
| axf | Returns cross references from (xref from) |
Function analysis (visual mode)
| command | definition |
|---|---|
| d, f | Function analysis |
| d, u | Remove metadata generated by function analysis |
Opcode analysis
| command | definition |
|---|---|
| ao x | Analyze x opcodes from current offset |
| a8 bytes | Analyze the instruction represented by specified bytes |
Information
| command | definition |
|---|---|
| iI | File info |
| iz | Strings in data section |
| izz | Strings in the whole binary |
| iS | Sections |
| iS~w | returns writable sections |
| is | Symbols |
| is~FUNC | exports |
| il | Linked libraries |
| ii | Imports |
| ie | Entrypoint |
Mitigations
| command | definition |
|---|---|
| i~pic | check if the binary has position-independent-code |
| i~nx | check if the binary has non-executable stack |
| i~canary | check if the binary has canaries |
Get function address in GOT table: pd 1 @ sym.imp<funct> Returns a jmp [addr] where addr is the address of function in the GOT. Similar to objdump -R | grep <func>
| command | definition |
|---|---|
| psz n @ offset | Print n zero terminated String |
| px n @ offset | Print hexdump (or just x) of n bytes |
| pxw n @ offset | Print hexdump of n words |
| pxw [email protected] | prints hexadecimal words at address |
| pd n @ offset | Print n opcodes disassembled |
| pD n @ offset | Print n bytes disassembled |
| pi n @ offset | Print n instructions disassembled (no address, XREFs, etc. just instructions) |
| pdf @ offset | Print disassembled function |
| pdf~XREF | (grep: XREFs) |
| pdf~call | (grep: calls) |
| pcp n @ offset | Print n bytes in python string output. |
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
| command | definition |
|---|---|
| p8 n @ offset | Print n bytes (8bits) (no hexdump) |
| pv | Print file contents as IDA bar and shows metadata for each byte (flags , …) |
| pt | Interpret data as dates |
| pf | Print with format |
| pf. | list all formats |
| p= | Print entropy ascii graph |
Write
| command | definition |
|---|---|
| wx | Write hex values in current offset |
| wx 123456 | |
| wx ff @ 4 | |
| wa | Write assembly |
| wa jnz 0x400d24 | |
| wc | Write cache commit |
| wv | Writes value doing endian conversion and padding to byte |
| wo[x] | Write result of operation |
wow 11223344 @102!10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4!10
XOR from offset 4 to 10 with value 67
| command | definition |
|---|---|
| wf file | Writes the content of the file at the current address or specified offset (ASCII characters only) |
| wF file | Writes the content of the file at the current address or specified offset |
| wt file [sz] | Write to file (from current seek, blocksize or sz bytes) |
| Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF) | |
| wopO 41424344 | get the index in the De Bruijn Pattern of the given word |
Flags
Flags are labels for offsets. They can be grouped in namespaces as sym for symbols …
| command | definition |
|---|---|
| f | List flags |
| f label @ offset | Define a flag label at offset |
| f str.pass_len @ 0x804999c | |
| f-label | Removes flag |
| fr | Rename flag |
| fd | Returns position from nearest flag (looking backwards). Eg => entry+21 |
| fs | Show all flag spaces |
| fs flagspace | Change to the specified flag space |
yank & paste
| command | definition |
|---|---|
| y n | Copies n bytes from current position |
| y | Shows yank buffer content with address and length where each entry was copied from |
| yp | Prints yank buffer |
| yy offset | Paste the contents of the yank buffer at the specified offset |
| yt n target @ source | Yank to. Copy n bytes from source to target address |
Visual Mode
V enters visual mode
| command | definition |
|---|---|
| q | Exits visual mode |
| hjkl | move around (or HJKL) (left-down-up-right) |
| o | go/seek to given offset |
| ? | Help |
| . | Seek EIP |
| (enter) | Follow address of the current jump/call |
| :cmd | Enter radare commands. Eg: x @ esi |
| d[f?] | Define cursor as a string, data, code, a function, or simply to undefine it. |
| dr | Rename a function |
| df | Define a function |
| v | Get into the visual code analysis menu to edit/look closely at the current function. |
| p/P | Rotate print (visualization) modes |
hex, the hexadecimal view
disasm, the disassembly listing
Use numbers in [] to follow jump
Use "u" to go back
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
| command | definition |
|---|---|
| c | Changes to cursor mode or exits the cursor mode |
| select | Shift+[hjkl] |
| i | Insert mode |
| a | assembly inline |
| A | Assembly in visual mode |
| y | Copy |
| Y | Paste |
| f | Creates a flag where cursor points to |
| (tab) | in the hexdump view to toggle between hex and strings columns |
| V | View ascii-art basic block graph of current function |
| W | WebUI |
| x, X | XREFs to current function. (“u” to go back) |
| t | track flags (browse symbols, functions..) |
| gG | Begging or end of file |
HUD
| command | definition |
|---|---|
| _ | Show HUD |
| backspace | Exits HUD |
| We can add new commands to HUD in: radare2/shlr/hud/main | |
| ;[-]cmt | Add/remove comment |
| m(char) | Define a bookmark |
| ‘(char) | Go to previously defined bookmark |
ROP
| command | definition | notes |
|---|---|---|
| /R opcodes | Search opcodes | /R pop,pop,ret |
| /Rl opcodes | Search opcodes and print them in linear way | /Rl jmp eax,call ebx |
| /a | Search assembly | /a jmp eax |
| pda | Returns a library of gadgets that can be use. These gadgets are obtained by disassembling byte per byte instead of obeying to opcode length |
Search depth can be configure with following properties:
e search.roplen = 4 (change the depth of the search, to speed-up the hunt)
Searching
| command | definition | notes |
|---|---|---|
| / bytes | Search bytes | \x7fELF |
Example: Searching function preludes:
push ebp
mov ebp, esp
Opcodes: 5589e5
/x 5589e5
[# ]hits: 54c0f4 < 0x0804c600 hits = 1
0x08049f70 hit0_0 5589e557565383e4f081ec
0x0804c31a hit0_1 5589e583ec18c704246031
0x0804c353 hit0_2 5589e583ec1889442404c7
0x0804c379 hit0_3 5589e583ec08e87cffffff
0x0804c3a2 hit0_4 5589e583ec18c70424302d
pi 5 @@hit* (Print 5 first instructions of every hit)
Its possible to run a command for each hit. Use the cmd.hit property:
e cmd.hit=px
Comments and defines
| command | definition |
|---|---|
| Cd [size] | Define as data |
| C- [size] | Define as code |
| Cs [size] | Define as String |
| Cf [size] | Define as struct |
We can define structures to be shown in the disassembly
| command | definition |
|---|---|
| CC | List all comments or add a new comment in console mode |
| C* | Show all comments/metadata |
| CC (comment) | add new comment |
| CC- | remove comment |
Magic files
| command | definition |
|---|---|
| pm | Print Magic files analysis |
[0x00000000]> pm
0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
Search for magic numbers
| command | definition |
|---|---|
| /m [magicfile] | Search magic number headers with libmagic |
Search can be controlled with following properties
search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in
Yara
Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.
:yara scan
Zignatures
Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries.
| command | definition | notes |
|---|---|---|
| zg (language) (output file) | Generate signatures | |
| eg | zg go go.z | Run the generated script to load signatures eg: . go.z |
| z | To show signatures loaded |
Zignatures are applied as comments
r2-(pid2)> pd 35 @ 0x08049adb-10
| 0x08049adb call fcn.0805b030
| fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
| 0x08049ae0 add esp, 0xc
| 0x08049ae3 call fcn.08095580
Compare files
| command | definition |
|---|---|
| r2 -m 0xf0000 /etc/fstab | Open source file |
| o /etc/issue | Open file2 at offset 0 |
| o | List both files |
| cc offset | Diff by columns between current offset address and “offset” |
Graphs
Basic block graphs
| command | definition |
|---|---|
| af | Load function metadata |
| ag $$ > a.dot | Dump basic block graph to file |
| ag $$ | xdot – | Show current function basic block graph |
Call graphs
| command | definition |
|---|---|
| af | Load function metadata |
| agc $$ > b.dot | Dump basic block graph to file |
Convert .dot in .png
$ dot -Tpng -o /tmp/b.png b.dot
Generate graph for file:
$ radiff2 -g main crackme.bin crackme.bin > /tmp/a
$ xdot /tmp/a
Debugger
Start r2 in debugger mode. r2 will fork and attach
$ r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
$ ptrace://pid (debug backend does not notice, only access to mapped memory)
To pass arguments
$ r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)
To pass stdin
$ r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
Commands
| command | definition |
|---|---|
| do | Reopen program |
| dp | Shows debugged process, child processes and threads |
| dc | Continue |
| dcu (address or symbol) | Continue until symbol (sets bp in address, continua until bp and remove bp) |
| dc[sfcp] | Continue until syscall(eg: write), fork, call, program address (To exit a library) |
| ds | Step in |
| dso | Step out |
| dss | Skip instruction |
| dr register=value | Change register value |
| dr(=)? | Show register values |
| db address | Sets a breakpoint at address |
| db sym.main | add breakpoint into sym.main |
| db 0x804800 | add breakpoint |
| db -0x804800 | remove breakpoint |
| dsi (conditional step) | Eg: “dsi eax==3,ecx>0” |
| dbt | Shows backtrace |
| drr | Display in colors and words all the refs from registers or memory |
| dm | Shows memory map (* indicates current section) |
[0xb776c110]> dm
sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
sys 0xb776a000 - 0xb776b000 s r-x [vdso]
sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
To follow child processes in forks (set-follow-fork-mode in gdb)
dcf until a fork happen
then use dp to select what process you want to debug.
PEDA like details: drr;pd [email protected];pxr [email protected]
Debug in visual mode
toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9
WebGUI (Enyo)
=h: Start the server
=H: Start server and browser
Radare2 suite commands
All suite commands include a -r flag to generate instructions for r2
rax2 – Base conversion
| command | definition |
|---|---|
| -e | Change endian |
| -K | random ASCII art to represent a number/hash. Similar to how SSH represents keys |
| -s | hexstr -> raw |
| -S | raw -> hexstr |
rahash2 – Entropy, hashes and checksums
| command | definition |
|---|---|
| -a | Specify the algorithm |
| -b XXX | Block size |
| -B | Print all blocks |
| -a entropy | Show file entropy or entropy per block (-B -b 512 -a entropy) |
radiff2 – File diffing
| command | definition |
|---|---|
| -s | Calculate text distance from two files. |
| -d | Delta diffing (For files with different sizes. Its not byte per byte) |
| -C | Code diffing (instead of data) |
Examples
Diff original and patched on x86_32, using graphdiff algorithm
$ radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
$ radiff2 -a x86 -b32 original patched :
rasm2 – Assembly/Disassembly
| command | definition | notes |
|---|---|---|
| -L | Supported architectures | |
| -a arch instruction | Sets architecture | rasm2 -a x86 ‘mov eax,30’ => b81e000000 |
| -b tam | Sets block size | |
| -d | Disassembly | rasm2 -d b81e000000 => mov eax, 0x1e |
| -C | Assembly in C output | rasm2 -C ‘mov eax,30’ => “\xb8\x1e\x00\x00\x00” |
| -D | Disassemble showing hexpair and opcode | rasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e |
| -f | Read data from file instead of ARG. | |
| -O filename | Write data to file |
rafind2 – Search
| command | definition |
|---|---|
| -Z | Look for Zero terminated strings |
| -s str | Look for specific string |
ragg2 – Shellcode generator, C/opcode compiler
| command | definition | notes |
|---|---|---|
| -P | Generate De Bruijn patterns | ragg2 -P 300 -r |
| -a arch | Configure architecture | |
| -b bits | Specify architecture bits (32/64) | |
| -i shellcode | Specify shellcode to generate | |
| -e encoder | Specify encoder |
Example
Generate a x86, 32 bits exec shellcode
$ ragg2 -a x86 -b 32 -i exec
rabin2 – Executable analysis: symbols, imports, strings …
| command | definition |
|---|---|
| -I | Executable information |
| -c | Returns classes. Useful to list Java Classes |
| -l | Dynamic linked libraries |
| -s | Symbols |
| -z | Strings |
rarun2 – Launcher to run programs with different environments, args, stdin, permissions, fds
Examples:
$ r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r)
runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
$ r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
runs /bin/ls with the output of exploit.py directed to stdin