@Enigmatrix
Last active July 12, 2018 14:09

Start (options can be combined, e.g. r2 -d -A file)

  • r2 file - open file in an r2 session
  • r2 -d pid - start a debug session attached to a running process
  • r2 -d file - start a debug session, running file under the debugger
  • r2 -A file - open file and run full analysis (aaa) before dropping to the prompt
  • r2 -R profile.rr2 - open the session with a rarun2 profile (arguments, stdin/stdout redirection, environment)

Learning Notes

  1. <cmd> - run cmd
  2. <cmd> @ <addr> - run cmd with the current seek temporarily set to addr
  3. <cmd>~<pattern> - filter the output of cmd through r2's internal grep, like <cmd> | grep <pattern>

Analyse/Add metadata

  • aa - analyse all (find functions and basic blocks)
  • aaaaa - analyse everything (extra, slower passes; aaa is usually enough)
  • afl - list all functions found by analysis
  • afvn <old> <new> - rename a function argument or local variable
  • axt @ <addr> - list cross-references to <addr> (who calls/reads/writes it)
  • afv <idx> <name> <type> - define or rename the local variable at rbp-<idx> as <name> of <type>, where type is one of byte, word, dword or qword

General

  • ? <expr> - evaluate a math expression and show the result in several bases (hex, decimal, octal, binary, etc.)
  • pdf @ <addr> - print the disassembly of the function containing addr
  • ps <len>? @ <addr> - print the string at addr; without len it prints up to the terminating \0
  • pi <len>? @ <addr> - print len instructions starting at addr (uses a default count when len is omitted)
  • pcp n @ offset - print n bytes at offset as a Python-formatted byte string, ready to paste into an exploit script
  • f <name> <length> <addr> - set a flag called name covering length bytes at addr (e.g. to label a string stored on the stack)
  • / <term> - search memory for the string <term>
  • /R <term> - search for instructions matching <term>, e.g. /R call e[abcd]x matches call eax|ebx|ecx|edx (useful for finding gadgets)
  • dmi <lib> <func> - get the address of a function in a loaded library, e.g. dmi libc system prints the address of system()
  • pxr - print memory as words with references resolved (flags, strings, pointers, and the permissions of the memory they point to); the most informative print option for stack and heap inspection
  • o dbg://pid - attach the debugger to the process pid from inside an existing session

Info

  • i - show all binary info (the same output as rabin2 -I)
  • i~pic - check whether the binary is position-independent (PIE)
  • i~nx - check whether the stack is non-executable
  • i~canary - check whether the binary was built with stack canaries
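What the pic, nx and canary lines of i are reporting, re-implemented over the raw ELF headers as an added example (this is my code, not part of the original gist and not radare2's own implementation). It assumes 64-bit little-endian ELF input, and it approximates the canary check by looking for the __stack_chk_fail import name in the file instead of walking .dynsym; the sample ELF it builds is constructed inline for illustration and is not loadable.

```python
"""Reproduce the i~pic / i~nx / i~canary checks with only the standard library.

Added example, not from the original gist. Assumptions (mine, not the page's):
ELF64 little-endian input; canary detection is a heuristic string search for
the __stack_chk_fail import rather than a full dynamic-symbol walk.
"""
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs position-independent
PT_GNU_STACK = 0x6474E551       # program header that carries the requested stack permissions
PF_X = 0x1                      # executable bit in p_flags


def elf_hardening(data: bytes) -> dict:
    """Return {'pic': bool, 'nx': bool, 'canary': bool} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)

    # pic: a PIE is linked like a shared object (ET_DYN); ET_EXEC is fixed-address.
    pic = e_type == ET_DYN

    # nx: on Linux the stack is executable unless PT_GNU_STACK is present without
    # PF_X, so a binary with no PT_GNU_STACK header at all is reported as nx=False.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)

    # canary: code built with -fstack-protector imports __stack_chk_fail, so the
    # name shows up in .dynstr. Heuristic: search the whole file for it.
    canary = b"__stack_chk_fail\x00" in data
    return {"pic": pic, "nx": nx, "canary": canary}


def build_sample_elf(pie: bool, nx: bool, canary: bool) -> bytes:
    """Constructed sample input: a minimal ELF64 image (ELF header, one
    PT_GNU_STACK program header, a string tail). Not a real, loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class=64, LE, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,  # e_type
        0x3E,                        # e_machine: x86-64
        1,                           # e_version
        0x1000,                      # e_entry
        64,                          # e_phoff: program headers directly follow the ELF header
        0, 0,                        # e_shoff, e_flags
        64, 56, 1,                   # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    stack_flags = 0x6 if nx else 0x7   # RW stack vs RWX stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if canary else b"puts\x00"
    return ehdr + phdr + tail


if __name__ == "__main__":
    import sys
    # Pass a real ELF path to inspect it; with no argument, inspect a constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(True, True, False)
    for key, value in elf_hardening(data).items():
        print(f"{key:<7}{value}")
```

Run it against a real binary (python3 elf_hardening.py /bin/ls) and compare with i~pic, i~nx and i~canary in r2; the two should agree, except that the string heuristic for canaries can be fooled by a binary that merely mentions __stack_chk_fail without importing it.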

Visual Mode

  1. V - enter visual mode
  2. p / P - cycle forward/backward through print modes (hex, disassembly, debugger, etc.) until you find a suitable one
  • :<cmd> - run an r2 command from visual mode
  • V (again) - show the graph view of the current function
  • df - define a function at the current address
  • dr - rename the function at the current address
  • df followed by dr <name> marks the current address as a function called <name>
  • d[bBwW] - define the data at the current address as byte/short/dword/qword
  • dn - rename a non-function location (set a flag) to mark it
  • dW followed by dn <name> marks the current address as a global variable (a flag, at least) called <name>
  • . - seek to the program counter (eip/rip)
  • _ - search for a function by name
  • ; <comment> - add a comment at the current address
  • o <offset> - seek to offset
  • x / X - list xrefs to / from the current address
  • <enter> - follow the jmp/call under the cursor
  • s - step into
  • S - step over
  • b - toggle a breakpoint at the current address

Debug

  • dc - continue
  • dcu <addr> - continue until <addr>
  • db <addr> - set breakpoint
  • db- <addr> - remove breakpoint
  • ds - step into
  • dso - step over

Patching

  • Start r2 with the -w option (write mode); without it the file is opened read-only and w commands only modify the in-memory copy
  • w* commands now modify the file on disk directly; there is no separate save step, so work on a copy of the binary
  • wx 909090 - write three \x90 bytes (nop) at the current position
  • wa instr0; instr1 - assemble and write instructions at the current position; multiple instructions are ; separated
  • A in Visual Mode opens the Visual Assembler, which lets you type assembly and patches the binary interactively

With IO redirection

1. rarun2 profile

profile.rr2:

#!/usr/bin/rarun2
# placeholder arguments; replace with the program's real argv
arg0=wtv
arg1=wtv
# send the program's stdout to a file and feed its stdin from a file
stdout=./output.txt
stdin=./input.txt

Start the debug session with the profile:

r2 -d ./program -e dbg.profile=profile.rr2

2. Self-tool (r2debug): redirect the program's stdin/stdout to a second terminal

In one terminal:

tty   (remember the output, e.g. /dev/pts/1)
clear; sleep 99999999999

In another, run the script below as:

r2debug program <output of tty> [args]   (e.g. r2debug ./prog /dev/pts/1)

#!/bin/bash
# r2debug: debug <program> with its stdio attached to <tty> via a rarun2 profile
# usage: r2debug <program> <tty> [first-argument]
file=$(realpath "$1")
ttyfd=$2
args=$3
profile="$file.rr2"

# create the profile next to the binary if it does not exist yet
[ -f "$profile" ] || touch "$profile"

# lines the profile must contain; add each one only if it is missing,
# so an existing hand-edited profile is preserved
needed=( "#!/usr/bin/rarun2" "program=$file" "stdio=$ttyfd" )
[ -n "$args" ] && needed+=( "arg1=$args" )   # arg1 is the program's first argument
content=$(cat "$profile")
for i in "${needed[@]}"
do
    if [[ $content != *"$i"* ]]; then
        printf '%s\n' "$i" >> "$profile"
    fi
done

# debug the binary with full analysis, using the profile for I/O redirection
exec r2 -d "$file" -A -R "$profile"