# Command Line options
-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
-i: Interprets a r2 script
-A: Analize executable at load time (xrefs, etc)
-n: Bare load. Do not load executable info as the entrypoint
-c'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
-p: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed); Similar to r2 malloc://512
-----------------------------------------------------------------------------------------------------------------------------
# Configuration properties
e: Returs configuration properties
e <property>: Checks a specific property:
e asm.tabs => false
e <property>=<value>: Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Display stack and register values on top of disasembly view (visual mode)
e cmd.stack = true
# Solarized theme
eco solarized
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
-----------------------------------------------------------------------------------------------------------------------------
# Basic Commands
; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
| Pipe with shell commands: pd | less
! Run shell commands: !cat /etc/passwd
!! Escapes to shell, run command and pass output to radare buffer
Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this
command to launch it directly to the shell. A single one will walk through the io plugin list.
` Radare commands: wx `!ragg2 -i exec`
~ grep
~! grep -v
~[n] grep by columns afl~[0]
~:n grep by rows afl~:0
<command>~.. less/more mode
+-------------------------------------------------------------------
pi~mov,eax ; lines with mov or eax
pi~mov&eax ; lines with mov and eax
pi~mov,eax:6 ; 6 first lines with mov or eax
pd 20~call[0]:0 ; grep first column of the first row matching 'call'
+-------------------------------------------------------------------
.cmd Interprets command output
+-------------------------------------------------------------------
is* prints symbolos
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
+-------------------------------------------------------------------
.. repeats last commands (same as enter \n)
( Used to define and run macros
$ Used to define alias
$$: Resolves to current address
Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
? Evaluate expression
+-------------------------------------------------------------------
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000
Note: | and & need to be escaped
+-------------------------------------------------------------------
?$? Help for variables used in expressions
$$: Here
$s: File size
$b: Block size
$l: Opcode length
$j: When $$ is at a jmp, $j is the address where we are going to jump to
$f: Same for jmp fail address
$m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
??? Help for ? command
?i Takes input from stdin. Eg ?i username
?? Result from previous operations
?s from to [step]: Generates sequence from to every
?p: Get physical address for given virtual address
?P: Get virtual address for given physical one
?v Show hex value of math expr
+-------------------------------------------------------------------
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140 = 0xa
+-------------------------------------------------------------------
?l str: Returns the length of string
@@: Used for iteractions
+-------------------------------------------------------------------
wx ff @@10 20 30 Writes ff at offsets 10, 20 and 30
wx ff @@`?s 1 10 2` Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.* Writes a nop on every symbol
+-------------------------------------------------------------------
# Positioning
s address: Move cursor to address or symbol
s-5 (5 bytes backwards)
s- undo seek
# Block Size
b size: Change block size
# Analyze
aa: Analyze all (fcns + bbs) same that running r2 with -A
ahl <length> <range>: fake opcode length for a range of bytes
ad: Analyze data
ad@rsp (analize the stack)
+ Normal mode
af: Analyze functions
afl: List all functions
number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)
+ Visual mode
d, f: Function analysis
d, u: Remove metadata generated by function analysis
+ Opcode analysis
ao x: Analize x opcodes from current offset
a8 bytes: Analize the instruction represented by specified bytes
# Information
iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
iS~w returns writable sections
is: Symbols
is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint
+ Mitigations
i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
# Print
psz n @ offset: Print n zero terminated String
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n words
pxw size@offset prints hexadecimal words at address
pd n @ offset: Print n opcodes disassambled
pD n @ offset: Print n bytes disassembled
pi n @ offset: Print n instructions disassambeled (no address, XREFs, etc. just instrunctions)
pdf @ offset: Print disassembled function
pdf~XREF (grep: XREFs)
pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph
# Write
wx: Write hex values in current offset
wx 123456
wx ff @ 4
wa: Write assembly
wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
wow 11223344 @102!10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4!10
XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
woO 41424344 : get the index in the De Bruijn Pattern of the given word
# Flags
f: List flags
f label @ offset: Define a flag `label` at offset
f str.pass_len @ 0x804999c
f -label: Removes flag
fr: Rename flag
fd: Returns position from nearest flag (looking backwards). Eg => entry+21
fs: Show all flag spaces
fs flagspace: Change to the specified flag space
fe loop and create numbered flags:
1. fs demo_flagspace
2. fe demo_flagspace @@=`pdf~jne[1]`
# Yank & Paste
y n: Copies n bytes from current position
y: Shows yank buffer contentent with address and length where each entry was copied from
yp: Prints yank buffer
yy offset: Paste the contents of the yank buffer at the specified offset
yt n target @ source: Yank to. Copy n bytes fromsource to target address
# Visual Mode
q: Exits visual mode
hjkl: move around (or HJKL) (left-down-up-right)
o: go/seek to given offset
?: Help
.: Seek EIP
<enter>: Follow address of the current jump/call
:cmd: Enter radare commands. Eg: x @ esi
d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
dr: Rename a function
df: Define a function
v: Get into the visual code analysis menu to edit/look closely at the current function.
p/P: Rotate print (visualization) modes
hex, the hexadecimal view
disasm, the disassembly listing
Use numbers in [] to follow jump
Use "u" to go back
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
c: Changes to cursor mode or exits the cursor mode
select: Shift+[hjkl]
i: Insert mode
a: assembly inline
A: Assembly in visual mode
y: Copy
Y: Paste
f: Creates a flag where cursor points to
<tab> in the hexdump view to toggle between hex and strings columns
V: View ascii-art basic block graph of current function
W: WebUI
x, X: XREFs to current function. ("u" to go back)
t: track flags (browse symbols, functions..)
gG: Begging or end of file
HUD
_ Show HUD
backspace: Exits HUD
We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmt: Add/remove comment
m<char>: Define a bookmark
'<char>: Go to previously defined bookmark
# ROP
/R opcodes: Search opcodes
/R pop,pop,ret
/Rl opcodes: Search opcodes and print them in linear way
/Rl jmp eax,call ebx
/a: Search assembly
/a jmp eax
pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassembling byte per byte instead of obeying to opcode leng
e search.roplen = 4 (change the depth of the search, to speed-up the hunt)
# Searching
/ bytes: Search bytes
\x7fELF
+-------------------------------------------------------------------
push ebp
mov ebp, esp
Opcodes: 5589e5
/x 5589e5
[# ]hits: 54c0f4 < 0x0804c600 hits = 1
0x08049f70 hit0_0 5589e557565383e4f081ec
0x0804c31a hit0_1 5589e583ec18c704246031
0x0804c353 hit0_2 5589e583ec1889442404c7
0x0804c379 hit0_3 5589e583ec08e87cffffff
0x0804c3a2 hit0_4 5589e583ec18c70424302d
pi 5 @@hit* (Print 5 first instructions of every hit)
+-------------------------------------------------------------------
Its possible to run a command for each hit. Use the cmd.hit property:
e cmd.hit=px
# Comments and defines
Cd [size]: Define as data
C- [size]: Define as code
Cs [size]: Define as String
Cf [size]: Define as struct
We can define structures to be shown in the disassmbly
CC: List all comments or add a new comment in console mode
C* Show all comments/metadata
CC <comment> add new comment
CC- remove comment
# Magic files
pm: Print Magic files analysis
[0x00000000]> pm
0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
/m [magicfile]: Search magic number headers with libmagic
search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in
# Yara
:yara scan
# Zignatures
zg <language> <output file>: Generate signatures
eg: zg go go.z
Run the generated script to load signatures
eg: . go.z
z: To show signatures loaded:
+-------------------------------------------------------------------
r2-(pid2)> pd 35 @ 0x08049adb-10
| 0x08049adb call fcn.0805b030
| fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
| 0x08049ae0 add esp, 0xc
| 0x08049ae3 call fcn.08095580
+-------------------------------------------------------------------
# Compare Files
r2 -m 0xf0000 /etc/fstab ; Open source file
o /etc/issue ; Open file2 at offset 0
o ; List both files
cc offset: Diff by columns between current offset address and "offset"
# Graphs
+ Basic block graphs
af: Load function metadata
ag $$ > a.dot: Dump basic block graph to file
ag $$ | xdot: Show current function basic block graph
+ Call graphs
af: Load function metadata
agc $$ > b.dot: Dump basic block graph to file
+ Convert .dot in .png
dot -Tpng -o /tmp/b.png b.dot
+ Generate graph for file
radiff2 -g main crackme.bin crackme.bin > /tmp/a
xdot /tmp/a
# Debugger
+ Start r2 in debugger mode. r2 will fork and attach
r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
ptrace://pid (debug backend does not notice, only access to mapped memory)
+ Pass arguments
r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)
+ Pass stdin
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
+ Commands
do: Reopen program
dp: Shows debugged process, child processes and threads
dc: Continue
dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
ds: Step in
dso: Step out
dss: Skip instruction
dr register=value: Change register value
dr(=)?: Show register values
db address: Sets a breakpoint at address
db sym.main add breakpoint into sym.main
db 0x804800 add breakpoint
db -0x804800 remove breakpoint
dsi (conditional step): Eg: "dsi eax==3,ecx>0"
dbt: Shows backtrace
drr: Display in colors and words all the refs from registers or memory
dm: Shows memory map (* indicates current section)
[0xb776c110]> dm
sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
sys 0xb776a000 - 0xb776b000 s r-x [vdso]
sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
+ To follow child processes in forks (set-follow-fork-mode in gdb)
dcf until a fork happen then use dp to select what process you want to debug.
+ PEDA like details
drr;pd 10@-10;pxr 40@esp
+ Debug in visual mode
toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9
# WebGUI
=h: Start the server
=H: Start server and browser
# rax2 - Base Conversion
-e: Change endian
-k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
-s: ASCII to hex
rax2 -S hola (from string to hex)
rax2 -s 686f6c61 (from hex to string)
-S: binary to hex (for files)
-N: pack an integer
rax2 -N 0x1234 # \x34\x12\x00\x00
# rahash2 - Entropy, hashes and checksums
-a: Specify the algorithm
-b XXX: Block size
-B: Print all blocks
-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
+ Rot13 with rahash2
rahash2 -E rot -S s:13 -s ‘Hello\n’
# radiff2 - File diffing
-s: Calculate text distance from two files.
-d: Delta diffing (For files with different sizes. Its not byte per byte)
-C: Code diffing (instead of data)
+-------------------------------------------------------------------
Diff original and patched on x86_32, using graphdiff algorithm
radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
radiff2 -a x86 -b32 original patched :
+-------------------------------------------------------------------
# rasm2 - Assembly/Disasembly
-L: Supported architectures
-a arch instruction: Sets architecture
rasm2 -a x86 'mov eax,30' => b81e000000
-b tam: Sets block size
-d: Disassembly
rasm2 -d b81e000000 => mov eax, 0x1e
-C: Assembly in C output
rasm2 -C 'mov eax,30' => "\xb8\x1e\x00\x00\x00"
-D: Disassemble showing hexpair and opcode
rasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e
-f: Read data from file instead of ARG.
-t: Write data to file
+ Disassemble shellcode from hex stdin
+-------------------------------------------------------------------
echo -n "31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05" | rasm2 -a x86 -b 64 -d -
xor eax, eax
movabs rbx, 0xff978cd091969dd1
neg rbx
push rbx
push rsp
pop rdi
cdq
push rdx
push rdi
push rsp
pop rsi
mov al, 0x3b
syscall
+-------------------------------------------------------------------
# rafind2 - Search
-Z: Look for Zero terminated strings
-s str: Look for specifc string
-X: Hex dump around output
+ Search "/bin/sh" in libc
rafind2 -X -s "/bin/sh" /usr/lib/libc.so.6
# ragg2 - Shellcode generator, C/opcode compiler
P: Generate De Bruijn patterns
ragg2 -P 300 -r
-a arch: Configure architecture
-b bits: Specify architecture bits (32/64)
-i shellcode: Specify shellcode to generate
-e encoder: Specify encoder
+ ragg2-cc: Generate shellcode from c
+ Generate a x86, 32 bits exec shellcode
ragg2 -a x86 -b 32 -i exec
# rabin2 - Executable analysis: symbols, imports, strings
-I: Executable information
-C: Returns classes. Useful to list Java Classes
-l: Dynamic linked libraries
-s: Symbols
-z: Strings
# rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds
r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin
# ESIL emulation
1) aei: Initialize ESIL VM
2) aeim: Assign ESIL stack
aeim 0xffffd000 0x1000 stack
3) aeip: Program counter to current seek
4) e io.cache=true: Enable caching read/write of virtual memory (Important if self modifying code)
5) aes: Single stepping in emulation mode
+ Toggle IL representation via O in Visual Mode
# ESIL Linear emulation
Find all references to curr. address using linear esil emulation on all imports.
/re$$@@ sym.imp.*
# ESIL IL Representation
op esil
------------
mov =
mul *
div /
and &
neg !
read []
if ?{
add +
sub -
xor ^
or |
cmp ==
write =[]
+ prefix is %
+ carry from bit x -> %cx
+ borrow from bit x -> %bx
+ zero-flag -> %z
+ parity of dst -> %p
+ sign-flag -> %s
+ overflow-flag -> %o
+ BREAK - Stop parsing and emulate next instruction
+ LOOP - restart emulation of instruction
+ GOTO n - jump to n
+ TODO - stop emulation and eprintf("TDOD %s", ins)
x86 ESIL
------------------------------------------------------
mov eax, ebx ebx,eax,=
jz 0xaabbccdd zf,?{,0xaabbccdd,eip,=,}
cmp ecx,edx edx,ecx,==,%z,zf,=,%b32,cf,=,%p,pf,=,%s,sf,=
push ebp 4,esp,-=ebp,esp,=[4]
+ ESIL Doc
https://github.com/radare/radare2book/blob/master/esil.md
# r2pipe commands
+ Invoke r2pipe script via r2 cmdline
[0x00000000]> #!pipe node script.js
[0x00000000]> #!pipe python script.py
+ Good collection:
https://radare.org/get/r2pipe-nn2015.pdf
https://github.com/jpenalbae/r2-scripts
# Parsing ELF
!!! open with r2 -nn
+ Parse 9 program headers (elf_phdr) from curr. seek plus offset 0x40 with temporary block size 0x200 in less mode (~..)
[0x00000000]> pf 9? (elf_phdr)phdr @ $$+0x40!0x200~..
# pf Templates
+ Generate templates for structs/enums with td command
"td enum elf_class {ELFCLASSNONE=0, ELFCLASS32=1, ELFCLASS64=2};"
https://github.com/Maijin/r2-pf-templates/
+ Cast data @ <addr> to <type> and print it
tp <type> = <address>
# r2scapy
r2 -i r2scapy.py dump.bin
[0x00000000]> scapy DNS 0x81de3c 48
DNS(aa=1L, qr=1L, an=DNSRR(rclass=32769, ttl=120, rrname='flashair.local.', rdata='192.168.0.1', type=1), ad=0L, nscount=0, qdcount=1, ns=None, tc=0L, rd=1L, arcount=0, ar=None, opcode=0L, ra=0L, cd=0L, z=0L, rcode=0L, id=0, ancount=1, qd=DNSQR(qclass=32769, qtype=255, qname='flashair.local.'))
+ generate packets with scapy
>>> from scapy.all import *
>>> sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.thepacketgeek.com")),verbose=0)
# r2m2 -Miasm Intermediate Representation Plugin
+ Assemble and disassemble MIPS32 using rasm2
r2m2$ export R2M2_ARCH=mips32l; rasm2 -a r2m2 'addiu a0, a1, 2' |rasm2 -a r2m2 -d -
ADDIU A0, A1, 0x2
+ Disassemble random MSP430 instructions in r2
r2m2$ R2M2_ARCH=msp430 r2 -a r2m2 -qc 'woR; pd 5' -
0x00000000 07fa and.w R10, R7
0x00000002 47ad dadd.b R13, R7
0x00000004 f05e0778 add.b @R14+, 0x7807(PC)
0x00000008 f46d81ed addc.b @R13+, 0xED81(R4)
0x0000000c 3fdc bis.w @R12+, R15
+ Assemble MIPS32 using rasm2 and display the call graph using r2
r2m2$ R2M2_ARCH=mips32b rasm2 -a r2m2 'j 0x4; nop' -B > j_nop.bin
r2m2$ R2M2_ARCH=mips32b r2 -a r2m2 -qc 'pd 2' j_nop.bin
,=< 0x00000000 0c000001 JAL 0x4
`-> 0x00000004 00000000 NOP
# bin carving with r2
+ Open raw dump
r2 -n dump.bin
+ Searching for magic
[0x00000000]> / \x7fELF
Searching 4 bytes from 0x00000000 to 0x0000002d: 7f 45 4c 46
0x00001340 hit0_0
0x00001744 hit0_1
...
+ Dump 1M with at several hits
[0x00000000]> b 1M
[0x00000000]> wt @@ hit0*
+ Automate it
$ for a in dump.* ; do
sz=`rabin2 -Z $a` # get RBin.filesize
r2 -wnqc"r $sz" $a # resize file
done
http://radare.today/posts/carving-bins/
# r4ge - symbolic execution
+ https://github.com/gast04/r4ge
Usage: https://asciinema.org/a/155856
# r2wiki -Macro for using wiki in commandline
+ https://github.com/securisec/r2wiki
$wiki "query string"
