```
e asm.cmt.right = true   # Show comments at the right of the disassembly if they fit on screen
e asm.pseudo = true      # Show pseudocode in the disassembly, e.g. "mov eax, str.ok" => "eax = str.ok"
eco solarized            # Solarized theme
e scr.utf8 = true        # Use UTF-8 to show nice arrows instead of ASCII
```
You can open a binary using radare2 with the command: `radare2 [binary]`.
The prompt always tells you where you are in the binary.
In the radare2 shell, you can use `?` after any command to get some help. Here is a list of the most common categories of commands:
```
_                       # Print last output
=[?] [cmd]              # Remote (rap://, raps://, udp://, http://, <fd>)
/[?]                    # Search for bytes, regexps, patterns, ... Similar to GDB
![?] [cmd]              # Run given command as in system(3)
a[?]                    # Analysis commands
d[?]                    # Debugger commands
g[?] [arg]              # Generate shellcodes with r_egg
i[?] [file]             # Get info about opened file from r_bin
o[?] [file] ([offset])  # Open file at optional address
p[?] [len]              # Print current block with format and length
P[?]                    # Project management utilities
s[?] [addr]             # Seek to address (also for '0x', '0x1' == 's 0x1')
v                       # Visual mode (v! = panels, vv = fcnview, vV = fcngraph, vVV = callgraph)
w[?] [str]              # Multiple write operations
```

```
P          # list all the projects
Po [name]  # open a project
Ps [name]  # save a project
P- [name]  # delete a project (alias for `Pd`)
Pn -       # edit project notes
```
You can navigate through the flagspaces (symbols, imports, functions, strings…) using the `fs` command:

```
fs [name]  # select the given flagspace (list the flagspaces if no name is given)
f          # print the content of the selected flagspace
```
If you run `fs` on its own, you will notice that every flagspace is marked with a `*`, meaning all of them are selected. Running `f` then prints the content of every flagspace.
If you run `fs [name]` and then `fs` again, only the given flagspace will be selected (it will be the only one marked with a `*`), and `f` will print only the content of that flagspace.
```
s         # print the current address
s [addr]  # seek to the given address (you can give a symbol instead)
s-        # undo seek
s+        # redo seek
@         # temporary seek: for example, to print the disassembly of main, use `pdf @main`;
          # radare2 seeks to main, runs pdf, and then comes back to where you were
```
Common analysis commands
```
aa                          # analyse all functions
aaa                         # analyse all functions and rename them
av                          # search for vtables and print the result
ax                          # manage xrefs (list them)
axt [addr]                  # find xrefs to this address
axf [addr]                  # find xrefs from this address
afl                         # list the functions
afn [name]                  # rename the function at the current location (you can give an address instead)
afa [addr]                  # show the function's arguments (defaults to the current location)
afv [addr]                  # show the function's variables (defaults to the current location)
agc [addr]                  # show the function's call graph (defaults to the current location)
afvn [new_name] [old_name]  # rename a function's variable
afvt [name] [new_type]      # change the type of a function's variable
afvd [name] [new_value]     # show a variable's value, and change it if a new value is given
```
Common debugger commands
If you want to debug a binary, open it directly in debugging mode: `radare2 -d [binary]`

```
doo         # alias for `ood`: reopen the file in debugger mode
db [addr]   # set a breakpoint at the given address
dc          # continue the execution
ds [x]      # step x instructions
dsu [addr]  # step until reaching the given address
dr [name]   # print a register's value; with no name, all general purpose registers are printed
```
Information about the binary

```
iI    # binary information
ie    # list the entrypoints
iS    # list the sections
ii    # list the imports
iz    # list the strings (add more z for more strings)
idp   # load a pdb file's information
idpi  # show the pdb file's information
```

```
pdf [addr]      # print the disassembled function at the address
pd [x] [addr]   # print x lines of disassembled instructions from the address
px [x] [addr]   # print x bytes as hexadecimal from the address
pxw [x] [addr]  # print x bytes as hexadecimal words (32 bits) from the address
```

```
wz [string]    # write a zero-terminated string (C-style) at the current address
wx XX [@ addr] # write the hexadecimal bytes XX at the address (the current address if none is given)
woR [@ addr]   # write random bytes at the address (the current address if none is given)
```

```
CC         # list all comments
CC [text]  # append a comment at the current address
CC!        # append a comment at the current address using the editor
CC-        # remove the comment at the current address
CCf        # list the comments in the function
CCf-       # delete all comments in the function
```
Attention: graph mode is different from visual mode
```
VV      # enter graph mode
tab     # move to the next block
TAB     # move to the previous block (shift+tab)
+/-     # resize the selected block
.       # center the graph on the current block
g       # seek to an offset
u/U     # undo/redo seek
t/f     # follow the true/false branch
;       # add a comment in the current block
:[cmd]  # run an r2 command
```
- You can use rax2 to play with integers and switch from decimal to hexadecimal, including with Two’s complement.
- You can add the Ghidra’s decompiler in radare2, using this module (use it with the pdg command).
- You can use r2pipe from Python or any other scripting language to automate some reversing tasks.
- You might want to test Cutter, a nice GUI for radare2 including a decompiler.
- Read the docs!
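The r2pipe bullet above, together with the analysis and debugger command sections, can be scripted rather than typed at the prompt. The following is an added example, not part of the original cheat sheet: it assumes the `r2pipe` Python package and radare2 are installed for `analyze` and `registers_at_main`, that imports are flagged as `sym.imp.<name>`, and that `main` resolves as a symbol in debugger mode. The watchlist, the helper names and the sample JSON at the bottom are constructed for illustration; the helpers that only post-process radare2's JSON run without a binary.

```python
"""r2pipe automation example (added here; not from the original cheat sheet).

`analyze` and `registers_at_main` drive radare2 through r2pipe and need it
installed; the pure helpers only reshape the JSON that `aflj`, `iij` and `axtj`
return, so they can be tried on the constructed sample data at the bottom.
"""
import json

# Constructed watchlist: imports a reviewer usually wants flagged first.
UNSAFE_APIS = {"strcpy", "strcat", "sprintf", "gets", "system"}


def top_functions(afl_json, limit=5):
    """Return (name, offset, size) of the `limit` largest functions.

    `afl_json` is the parsed output of `aflj` (JSON form of `afl`); each entry
    carries at least 'name', 'offset' and 'size'.
    """
    ranked = sorted(afl_json, key=lambda f: f.get("size", 0), reverse=True)
    return [(f["name"], f["offset"], f["size"]) for f in ranked[:limit]]


def watched_imports(ii_json, watchlist):
    """Names from `iij` (JSON form of `ii`) that appear on the watchlist."""
    return sorted({imp["name"] for imp in ii_json if imp.get("name") in watchlist})


def callers_of(axt_json):
    """Addresses of code referencing a target, from `axtj [addr]` output."""
    return sorted({ref["from"] for ref in axt_json if "from" in ref})


def analyze(binary_path):
    """Static pass: open the file, run `aaa`, collect functions, imports and xrefs."""
    import r2pipe  # imported lazily so the helpers above need no radare2

    r2 = r2pipe.open(binary_path, flags=["-2"])  # -2: silence radare2's stderr
    try:
        r2.cmd("aaa")                        # same as typing `aaa` at the prompt
        functions = r2.cmdj("aflj") or []    # cmdj runs a command and parses its JSON
        imports = r2.cmdj("iij") or []
        flagged = watched_imports(imports, UNSAFE_APIS)
        # For each flagged import, ask where it is called from (`axt` on its PLT flag).
        call_sites = {
            name: callers_of(r2.cmdj(f"axtj sym.imp.{name}") or []) for name in flagged
        }
        return {
            "top_functions": top_functions(functions),
            "watched_imports": flagged,
            "call_sites": call_sites,
            "string_count": len(r2.cmdj("izj") or []),
        }
    finally:
        r2.quit()


def registers_at_main(binary_path):
    """Dynamic pass: open in debugger mode (radare2 -d), break on main, dump registers."""
    import r2pipe

    r2 = r2pipe.open(binary_path, flags=["-d", "-2"])
    try:
        r2.cmd("db main")            # breakpoint: a symbol works in place of an address
        r2.cmd("dc")                 # continue until the breakpoint is hit
        return r2.cmdj("drj") or {}  # JSON form of `dr`: all general purpose registers
    finally:
        r2.quit()


# Constructed sample data in the shape radare2 returns (not from a real binary).
SAMPLE_AFLJ = [
    {"name": "entry0", "offset": 0x401040, "size": 43},
    {"name": "sym.helper", "offset": 0x401126, "size": 16},
    {"name": "main", "offset": 0x401136, "size": 120},
]
SAMPLE_IIJ = [
    {"name": "puts", "type": "FUNC"},
    {"name": "strcpy", "type": "FUNC"},
    {"name": "gets", "type": "FUNC"},
]
SAMPLE_AXTJ = [
    {"from": 0x40116A, "type": "CALL", "opcode": "call sym.imp.strcpy"},
    {"from": 0x401150, "type": "CALL", "opcode": "call sym.imp.strcpy"},
]

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:                     # usage: python r2_auto.py ./binary
        print(json.dumps(analyze(sys.argv[1]), indent=2))
    else:                                     # no binary given: exercise the helpers
        print(top_functions(SAMPLE_AFLJ, 2))
        print(watched_imports(SAMPLE_IIJ, UNSAFE_APIS))
        print([hex(a) for a in callers_of(SAMPLE_AXTJ)])
```

Run it with a path to get the static summary; run it without arguments to see the helpers on the sample data. Keeping the JSON reshaping in separate functions is deliberate: it makes the triage logic testable without launching radare2, and the same helpers work unchanged on output saved to disk from an interactive session.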