Radare2 is a reverse engineering framework for analyzing binaries: a command line tool that disassembles, debugs, and analyzes binary files. It is very powerful and widely used by reverse engineers and security researchers.
You can start radare2 with the following options:
-q: Exit after processing the commands
-w: Enable write mode
-A: Analyze the executable at load time
-c 'cmds': Run r2 and execute commands (eg: r2 -wqc 'wx 3c @ main')
-L: List the supported IO plugins
-i [script]: Interpret an r2 script
If you are lost just type ? to get a help menu. This
gives you the general help menu; if you want help with a specific
command you can type command? to get help with that
specific command.
You can configure many options in radare2 to help during your journey with it. Take for example the following options:
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Solarized theme
eco solarized
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
You can put these options in the ~/.radare2rc file in
order to have them loaded each time you start radare2. You can also
set them interactively with the e command:
e: Returns configuration properties
e <property>: Checks a specific property:
e asm.tabs => false
e <property>=<value>: Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
The command syntax is the following:
[.][times][cmd][~grep][@[@iter]addr!size][|>pipe]
You can chain commands with the ; like with a bash shell.
You can even pipe the output of a radare2 command to a shell program
with |, eg: pd | less. With
! you can run shell commands:
!cat /etc/passwd. If you use !! you run a
shell command and pass its output to the radare2 buffer; the double
exclamation mark tells radare to ignore the list of plugins and launch
the command directly in the shell.
If you want to move around the binary you can use the s
command, with the following syntax: s <addr>,
s <symbol>. Here are some tips about the
s command:
s-5 (move cursor 5 bytes backwards)
s- undo seek
s+ redo seek
If you want to analyze the binary you can use the a
command; the more a's you add, the deeper the
analysis, eg: aaa.
af: Analyze functions
afl: List all functions
number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)
If you want to get information about the binary you can use the
i command.
iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
iS~w returns writable sections
is: Symbols
is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint
You can also obtain information about the protections present in the binary:
i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
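What those three greps actually test is worth seeing in code. The following is an added example, not radare2's own implementation: it builds a tiny constructed ELF64 fixture (header plus one PT_GNU_STACK program header, not a loadable binary) and re-implements the checks offline. "pic" is read from e_type (ET_DYN means position-independent), "nx" from the PF_X bit of the PT_GNU_STACK program header (a missing PT_GNU_STACK is conservatively reported as no NX), and "canary" is approximated by scanning for the __stack_chk_fail symbol name, a string-scan heuristic standing in for the import check r2 performs. Field layouts come from the ELF64 specification; build_elf and check_protections are names chosen here.

```python
import struct

# Constants from the System V ABI / ELF64 specification.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def build_elf(pie: bool, nx: bool, canary: bool, gnu_stack: bool = True) -> bytes:
    """Constructed fixture: minimal ELF64 header + optional PT_GNU_STACK phdr.

    Not a loadable program; it only gives check_protections() realistic
    header bytes to parse without touching the filesystem."""
    phnum = 1 if gnu_stack else 0
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SysV ABI, padding
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        e_ident,
        ET_DYN if pie else ET_EXEC,  # e_type: PIE binaries are ET_DYN
        0x3E,                        # e_machine: x86-64
        1,                           # e_version
        0x1000,                      # e_entry
        64,                          # e_phoff: phdrs directly after the header
        0, 0,                        # e_shoff, e_flags
        64, 56, phnum,               # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b""
    if gnu_stack:
        flags = 0x6 if nx else 0x7   # RW stack vs RWX stack
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    # Stand-in for the dynamic string table: the canary import name or not.
    tail = b"__stack_chk_fail\x00" if canary else b"puts\x00"
    return ehdr + phdrs + tail


def check_protections(blob: bytes) -> dict:
    """Re-implementation of what `i~pic`, `i~nx` and `i~canary` report."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if ei_data == 1 else ">"
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum,
     _shstrndx) = struct.unpack_from(end + "HHIQQQIHHHHHH", blob, 16)

    # NX: the stack is non-executable iff PT_GNU_STACK exists without PF_X.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)

    # Canary heuristic: a binary built with -fstack-protector imports
    # __stack_chk_fail; here we just look for the name in the image.
    canary = b"__stack_chk_fail" in blob

    return {"pic": e_type == ET_DYN, "nx": nx, "canary": canary}


if __name__ == "__main__":
    for args in [(True, True, True), (False, False, False)]:
        print(args, check_protections(build_elf(*args)))
```

The same three answers are what you read off `i~pic`, `i~nx` and `i~canary` on a real binary; on real files prefer r2's output, since it resolves the actual import table rather than scanning for a string.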
psz n @ offset: Print zero-terminated string (up to n bytes)
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n bytes as 32-bit words
pd n @ offset: Print n opcodes disassembled
pD n @ offset: Print n bytes disassembled
pi n @ offset: Print n instructions disassembled (no address, XREFs, etc. just instructions)
pdf @ offset: Print disassembled function
pdf~XREF (grep: XREFs)
pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph
wx: Write hex values in current offset
wx 123456
wx ff @ 4
wa: Write assembly
wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
wow 11223344 @102!10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4!10
XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
wopO 41424344 : get the index in the De Bruijn Pattern of the given word
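The wopD/wopO pair exists so that after a crash you can map the garbage in a register back to an offset in your input. The following is an added example, not radare2's code: it generates a de Bruijn pattern with the FKM algorithm, looks up the offset of a register value the way wopO does, and simulates an overflow that lands the pattern in a saved return address. The alphabet (lowercase letters) and subsequence length (4) are assumptions in the pwntools style; radare2's own pattern uses its own alphabet, so offsets from this script are not interchangeable with wopO's. Names such as cyclic, pattern_offset and simulate_overflow are chosen here.

```python
import itertools

# Assumed pattern parameters (not radare2's): lowercase alphabet, 4-byte
# windows, so every 4-byte substring is unique within the first 26**4 bytes.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
N = 4


def de_bruijn(alphabet: bytes = ALPHABET, n: int = N):
    """Yield the de Bruijn sequence B(k, n) one byte at a time (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """Counterpart of `wopD length`: the first `length` bytes of the pattern."""
    return bytes(itertools.islice(de_bruijn(), length))


def pattern_offset(value: int, width: int = N, max_len: int = 0x10000) -> int:
    """Counterpart of `wopO value`: offset of the register's bytes in the pattern.

    `value` is the integer a crash leaves in a register or in the saved
    return slot. On a little-endian target the bytes sit in memory in
    little-endian order, so that order is what we search for. Returns -1
    if the value is not found within the first `max_len` bytes."""
    needle = value.to_bytes(width, "little")
    return cyclic(max_len).find(needle)


def simulate_overflow(saved_ret_offset: int, buf_len: int = 256) -> int:
    """Constructed crash scenario: the pattern overflows a stack buffer whose
    saved return address lies `saved_ret_offset` bytes in. Returns the value
    a debugger would show in the instruction pointer after the ret."""
    payload = cyclic(buf_len)
    return int.from_bytes(payload[saved_ret_offset:saved_ret_offset + 4], "little")


if __name__ == "__main__":
    print(cyclic(32))                                  # aaaabaaacaaadaaaeaaaf...
    crashed_ip = simulate_overflow(72)
    print(hex(crashed_ip), pattern_offset(crashed_ip))  # offset 72
```

The lookup works because a de Bruijn sequence of order 4 contains every 4-byte window at most once, so the bytes in the clobbered register identify exactly one position in the input; a 4-byte value that returns -1 means the register was not filled from your pattern (or was filled beyond max_len).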