Radare2 Debugger Complete Cheat Sheet

radare2 -L
List of supported IO plugins
radare2 -q
Exit after processing commands
radare2 -w
Write mode enabled
radare2 -i
Interprets a r2 script
radare2 -A
Analyze executable at load time (xrefs, etc)
radare2 -n
Bare load. Do not load executable info as the entrypoint
radare2 -c'cmds'
Run r2 and execute commands (e.g. r2 -wqc'wx 3c @ main')
radare2 -p
Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
radare2 -
Opens r2 with the malloc plugin, which gives a 512-byte memory area to play with (size can be changed)
;
Command chaining: `x 3;s+3;pi 3;s+3;pxo 4;`
|
Pipe with shell commands: `pd | less`
!
Run shell commands: `!cat /etc/passwd`
!!
Escapes to shell, runs the command and passes its output to the radare buffer
~
grep
~!
grep -v
~[n]
grep by columns `afl~[0]`
~:n
grep by rows `afl~:0`
.cmd
Interprets command output as r2 commands
is*
Prints symbols
.is*
Interprets the output and defines the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
..
Repeats the last command (same as pressing Enter)
(
Used to define and run macros
$
Used to define an alias
$$
Resolves to the current address
Offsets (@)
Offsets are absolute; use $$ for relative ones, e.g. `@ $$+4`
?
Evaluate expression
?$?
Help for variables used in expressions
$$
Current address (here)
$s
File size
$b
Block size
$l
Opcode length
$j
When `$$` is at a `jmp`, `$j` is the address we are going to jump to
$f
Same as `$j` but for the `jmp` fail (fall-through) address
$m
Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
???
Help for the `?` command
?i
Takes input from stdin, e.g. `?i username`
??
Result of the previous operation
?s from to [step]
Generates a sequence from <from> to <to> every <step>
?p
Get physical address for a given virtual address
?P
Get virtual address for a given physical one
?v
Show hex value of a math expression
?l str
Returns the length of the string
@@
Used for iteration (run a command once per matching item)
s address
Move cursor to address or symbol
##
Block size
b size
Change block size
aa
Analyze all (functions + basic blocks), same as running r2 with -A
ahl <length> <range>
Fake opcode length for a range of bytes
ad
Analyze data
af
Analyze functions
afl
List all functions
afi
Returns information about the function we are currently in
afr
Rename function: structure and flag
afr off
Restore function name set by r2
afn
Rename function
af-
Removes metadata generated by the function analysis
af+
Define a function manually given the start address and length
axt
Returns cross-references to the current address (xrefs to)
axf
Returns cross-references from the current address (xrefs from)
d, f
Function analysis
d, u
Remove metadata generated by function analysis
ao x
Analyze x opcodes from the current offset
a8 bytes
Analyze the instruction represented by the specified bytes
iI
File info
iz
Strings in data section
izz
Strings in the whole binary
iS
Sections
is
Symbols
il
Linked libraries
ii
Imports
ie
Entrypoint
i~pic
Check if the binary has position-independent code
i~nx
Check if the binary has a non-executable stack
i~canary
Check if the binary has stack canaries
psz n @ offset
Print n-byte zero-terminated string
px n @ offset
Print hexdump (or just x) of n bytes
pxw n @ offset
Print hexdump of n words
pd n @ offset
Print n opcodes disassembled
pD n @ offset
Print n bytes disassembled
pi n @ offset
Print n instructions disassembled (no address, XREFs, etc., just instructions)
pdf @ offset
Print disassembled function
pcp n @ offset
Print n bytes as a Python string
p8 n @ offset
Print n bytes (8bits) (no hexdump)
pv
Print file contents as an IDA-style bar, showing metadata for each byte (flags, ...)
pt
Interpret data as dates
pf
Print with format
pf.
List all formats
p=
Print entropy ascii graph
wx
Write hex values in current offset
wa
Write assembly
wc
Write cache commit
wv
Writes a value, doing endian conversion and padding to byte size
wo[x]
Write result of operation
wf file
Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file
Writes the content of the file at the current address or specified offset
wt file [sz]
Write to file (from current seek, blocksize or sz bytes)
woO 41424344
Get the index of the given word in the De Bruijn pattern
f
List flags
f label @ offset
Define a flag `label` at offset
f -label
Removes flag
fr
Rename flag
fd
Returns the position relative to the nearest flag (looking backwards), e.g. entry+21
fs
Show all flag spaces
fs flagspace
Change to the specified flag space
y n
Copies n bytes from current position
y
Shows yank buffer contents with the address and length each entry was copied from
yp
Prints yank buffer
yy offset
Paste the contents of the yank buffer at the specified offset
yt n target @ source
Yank to. Copy n bytes from source to target address
V
Enters visual mode
q
Exits visual mode
hjkl
Move around (or HJKL) (left-down-up-right)
o
Go/seek to given offset
?
Help
.
Seek to EIP
<enter>
Follow address of the current jump/call
:cmd
Enter radare commands, e.g. x @ esi
d[f?]
Define cursor as a string, data, code, a function, or simply to undefine it.
dr
Rename a function
df
Define a function
v
Get into the visual code analysis menu to edit/look closely at the current function.
p/P
Rotate print (visualization) modes
c
Changes to cursor mode or exits the cursor mode
V
View ascii-art basic block graph of current function
W
WebUI
x, X
XREFs to current function. ("u" to go back)
t
Track flags (browse symbols, functions, ...)
gG
Beginning or end of file
;[-]cmt
Add/remove comment
m<char>
Define a bookmark
'<char>
Go to previously defined bookmark
/R opcodes
Search opcodes
/Rl opcodes
Search opcodes and print them in linear way
/a
Search assembly
pda
Returns a library of gadgets that can be used. These gadgets are obtained by disassembling byte by byte instead of obeying opcode length boundaries
/ bytes
Search bytes
Cd [size]
Define as data
C- [size]
Define as code
Cs [size]
Define as String
Cf [size]
Define as struct
CC
List all comments or add a new comment in console mode
pm
Print Magic files analysis
/m [magicfile]
Search magic number headers with libmagic
:yara scan
Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.
zg <language> <output file>
Generate signatures
z
To show signatures loaded
af
Load function metadata
ag $$ > a.dot
Dump basic block graph to file
ag $$ | xdot
Show current function basic block graph
af
Load function metadata
agc $$ > b.dot
Dump basic block graph to file
do
Reopen program
dp
Shows debugged process, child processes and threads
dc
Continue
dcu <address or symbol>
Continue until symbol (sets a breakpoint at the address, continues until it is hit and removes it)
dc[sfcp]
Continue until syscall (e.g. write), fork, call, or program address (to exit a library)
ds
Step in
dso
Step out
dss
Skip instruction
dr register=value
Change register value
dr(=)?
Show register values
db address
Sets a breakpoint at address
dsi (conditional step)
Step until the condition is met, e.g. "dsi eax==3,ecx>0"
dbt
Shows backtrace
drr
Display in colors and words all the refs from registers or memory
dm
Shows memory map (* indicates current section)
=h
Start the server
=H
Start server and browser
rax2 -e
Change endian
rax2 -k
Random ASCII art to represent a number/hash, similar to how SSH represents keys
rax2 -s
ASCII to hex
rax2 -S
Binary to hex (for files)
rahash2 -a
Specify the algorithm
rahash2 -b XXX
Block size
rahash2 -B
Print all blocks
rahash2 -a entropy
Show file entropy or entropy per block (-B -b 512 -a entropy)
radiff2 -s
Calculate text distance from two files.
radiff2 -d
Delta diffing (for files with different sizes; it's not byte per byte)
radiff2 -C
Code diffing (instead of data)
rasm2 -L
Supported architectures
rasm2 -a arch instruction
Sets architecture
rasm2 -b tam
Sets block size
rasm2 -d
Disassemble
rasm2 -C
Assemble, output as C
rasm2 -D
Disassemble showing hexpair and opcode
rasm2 -f
Read data from file instead of ARG.
rasm2 -t
Write data to file
rafind2 -Z
Look for zero-terminated strings
rafind2 -s str
Look for a specific string
ragg2 -P
Generate De Bruijn patterns
-a arch
Configure architecture
-b bits
Specify architecture bits (32/64)
-i shellcode
Specify shellcode to generate
-e encoder
Specify encoder
rabin2 -I
Executable information
rabin2 -C
Returns classes. Useful to list Java Classes
rabin2 -l
Dynamic linked libraries
rabin2 -s
Symbols
rabin2 -z
Strings
r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r)
Runs pwn1 with a De Bruijn pattern as first argument, inside radare2's debugger, and forces 32-bit mode
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
Runs /bin/ls with the output of exploit.py fed to stdin
r2pm -i,info
r2pm -i # pkgs info
r2pm -i,install <pkgname>
r2pm -i baleful
r2pm -u,uninstall <pkgname>
r2pm -u baleful (-uu to force)
r2pm -l,list
List installed packages
r2pm -lu
List uninstalled packages
r2pm -t,test FX,XX,BR BID
check in travis regressions
r2pm -s,search [<keyword>]
search in database
r2pm -v,version
show version
r2pm -h,help
show this message
r2pm -c,clean
clear source cache
r2pm -i r2pipe-go
Runs r2pm and installs the r2pipe API for Go
r2pm -i bokken
Runs r2pm and installs the Bokken GUI