Created
May 10, 2020 16:27
-
-
Save chronos2810/6a72f7b9563c96d7863eb87bea375554 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ██▀███ ▄▄▄ ▓█████▄ ▄▄▄ ██▀███ ▓█████ | |
| ▓██ ▒ ██▒▒████▄ ▒██▀ ██▌▒████▄ ▓██ ▒ ██▒▓█ ▀ | |
| ▓██ ░▄█ ▒▒██ ▀█▄ ░██ █▌▒██ ▀█▄ ▓██ ░▄█ ▒▒███ | |
| ▒██▀▀█▄ ░██▄▄▄▄██ ░▓█▄ ▌░██▄▄▄▄██ ▒██▀▀█▄ ▒▓█ ▄ | |
| ░██▓ ▒██▒ ▓█ ▓██▒░▒████▓ ▓█ ▓██▒░██▓ ▒██▒░▒████▒ | |
| ░ ▒▓ ░▒▓░ ▒▒ ▓▒█░ ▒▒▓ ▒ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░░ ▒░ ░ | |
| ░▒ ░ ▒░ ▒ ▒▒ ░ ░ ▒ ▒ ▒ ▒▒ ░ ░▒ ░ ▒░ ░ ░ ░ | |
| ░░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░░ ░ ░ | |
| ░ ░ ░ ░ ░ ░ ░ ░ ░ | |
| ░ | |
| ----------------------------------------------------------- | |
| # --[ Table of contents ] | |
| ----------------------------------------------------------- | |
| - 0x00 References | |
| - 0x01 Useful Commands | |
| - 0x02 Gathering information | |
| - 0x03 Memory | |
| 0x03a Writing into memory (w) | |
| 0x03b Printing and Examining Memory | |
| 0x03c Seeking (Debbuger Movement to Address) | |
| - 0x04 Searching | |
| - 0x05 Debugging | |
| - 0x06 Visual Modes | |
| - 0x07 Misc - In Deep | |
| 0x07a Classic Debug Workflow | |
| 0x07b Misc | |
| 0x07c Command Line Parameters | |
| 0x07d Variables & functions | |
| 0x07e Radare Visualization | |
| - 0x08 Other Radare Tools | |
| 0x08a rabin2 - Get Binary information | |
| 0x08b rahash2 - Hashes utility | |
| 0x08c rax2 - Numeric Converter | |
| 0x08d rasm2 - Assembler & disassembler | |
| 0x08e radiff2 - Binary Diffing Tool | |
| - 0x09 Radare2 Automation | |
| 0x09a Simple Scripting Within Debugger | |
| 0x09b Macros | |
| 0x09c Python Scripting | |
| ----------------------------------------------------------- | |
| # --[ 0x00 References ] | |
| ----------------------------------------------------------- | |
| This cheatsheet has been designed to be viewed with the notes package for Sublime Text. | |
| https://radare.gitbooks.io/radare2book/search_bytes/basic_searches.html | |
| Beautiful Documentation | |
| https://www.megabeets.net/a-journey-into-radare-2-part-2/ | |
| https://radareorg.github.io/blog/posts/using-radare2/ | |
| https://github.com/zxgio/r2-cheatsheet/blob/master/r2-cheatsheet.pdf | |
| Gral usage - r2-cheatsheet | |
| Keep in mind that: | |
| Every character has a meaning (w stands for write, p stands for print, …) | |
| Every command can be a succession of character (pdf stands for p: print, d: disassemble, f: function | |
| Every command is documented with ? (pdf?, ???, …) | |
| The @ symbol is used to specify that something is an address in memory | |
| ----------------------------------------------------------- | |
| # --[ 0x01 Useful Commands ] | |
| ----------------------------------------------------------- | |
| dcu main | |
| dcr | |
| VV | |
| agf | |
| ii | |
| dm | |
| dmi | |
| dmi libc system | |
| pxq | |
| pxw | |
| axt [offset|yourfunctioname] | |
| dr; pdf | |
| Command Concatenation | |
| ? 0xdeadbeef | |
| Converts the number provided (0xdeadbeef) to various bases and formats | |
| ~<value> | |
| ~+ (case insensitive) | |
| Grep | |
| ~.. | |
| Pipe less | |
| ----------------------------------------------------------- | |
| # --[ 0x02 Gathering information ] | |
| ----------------------------------------------------------- | |
| $ rabin2 -I ./program | |
| Binary info (same as i from radare2 shell) | |
| ii | |
| show imports (functions) | |
| ia | |
| Show all info (imports, exports, sections..) | |
| izz | |
| iZ | |
| Search for Strings in the whole binary | |
| iM | |
| Address of Main | |
| ?v sym.imp.func_name — Get address of func_name@PLT | |
| ?v reloc.func_name — Get address of func_name@GOT | |
| ie [q] — Get address of Entrypoint | |
| iS — Show sections with permissions (r/x/w) | |
| i~canary — Check canaries | |
| i~pic — Check if Position Independent Code | |
| i~nx — Check if compiled with NX | |
| ----------------------------------------------------------- | |
| # --[ 0x03 Memory ] | |
| ----------------------------------------------------------- | |
| dm | |
| Show memory maps of target process | |
| dmi | |
| dmm | |
| List modules (libraries, binaries loaded in memory) | |
| dmi [addr|libname] [symname] | |
| dmi libc system | |
| List symbols of target lib | |
| ------------[ 0x03a Writing into memory (w) ]------------ | |
| w? | |
| Write help | |
| w foobar | |
| Write string 'foobar' (at current memory address) | |
| wc | |
| List all write changes | |
| wa[?] push ebp | |
| wa nop | |
| write opcode, separated by ';' (use '"' around the command) | |
| ------------[ 0x03b Printing and Examining Memory ]------------ | |
| @ | |
| The @ symbol is used to specify that something is an address in memory | |
| px @address | |
| Print hex | |
| pxw @address | |
| Print word (x32) | |
| pxq @address | |
| Print quad word (x64) | |
| ps | |
| Print string | |
| ------------[ 0x03c Seeking (Debbuger Movement to Address)]------------ | |
| s | |
| Print current address | |
| s main | |
| Seek to main/function | |
| s @main | |
| Print main address | |
| s- | |
| Undo seek | |
| ----------------------------------------------------------- | |
| # --[ 0x04 Searching ] | |
| ----------------------------------------------------------- | |
| e search.* — | |
| e search.in = dbg.maps | |
| e search.in = dbg.stack | |
| e search.in = ? | |
| Edit searching configuration, dbg.maps: search in all memory maps | |
| https://reverseengineering.stackexchange.com/questions/16755/what-is-radare2s-equivalent-to-gdbs-find-system-9999999-bin-sh | |
| / string | |
| Search string in memory/binary | |
| /x 9090 | |
| search bytes pattern | |
| /? — List search subcommands | |
| /R [?] — Search for ROP gadgets | |
| /R/ — Search for ROP gadgets with a regular expressions | |
| ----------------------------------------------------------- | |
| # --[ 0x05 Debugging ] | |
| ----------------------------------------------------------- | |
| dc | |
| Start / Continue execution | |
| dcu addr | |
| dcu main | |
| Continue execution until address | |
| dcr | |
| Continue until ret (uses step over) | |
| ds / dso | |
| Step into / Step over | |
| db 0x55ae52836612 | |
| db main | |
| Set breakpoints | |
| dbi | |
| List breakpoints | |
| dr | |
| dr rax | |
| View Registers | |
| dbt [?] — Display backtrace based on dbg.btdepth and dbg.btalgo | |
| doo [args] — Reopen in debugger mode with args | |
| ----------------------------------------------------------- | |
| # --[ 0x06 Visual Modes ] | |
| ----------------------------------------------------------- | |
| pdf @ addr | |
| Print the assembly of a function in the given offset | |
| V | |
| Visual mode, use p/P to toggle between different modes | |
| VV | |
| Visual Graph mode, navigating through ASCII graphs | |
| agf | |
| Ascii Visualization of function (Similar to VV) | |
| v | |
| V! | |
| Visual panels mode. Very useful for exploitation | |
| ---{ 0x0 On Visual Mode Commands }--- | |
| s/S | |
| Step Into / Step Over | |
| : | |
| Run radare command | |
| ; / ;- | |
| Add/Remove Comment (Check cursor mode) | |
| c | |
| Enter cursor mode, useful for check where a jump goes. | |
| m | |
| Open and navigate Menu | |
| <Tab> | |
| Switch between panels | |
| <Enter> (On panel) | |
| Zoom Mode | |
| Also with <Tab> on Zoom Mode, Switch Between Panels (Zoomed) | |
| <Space on Zoom> | |
| Enter Block Mode (Ascii Code Flow) | |
| ----------------------------------------------------------- | |
| # --[ 0x07 Misc - In Deep ] | |
| ----------------------------------------------------------- | |
| In deep functions, variables, r2... | |
| ------------[ 0x07a Classic Debug Workflow ]------------ | |
| $ r2 -A -d buffer-overflow args | |
| ... | |
| dcu main | |
| afl | |
| ------------[ 0x07b Misc ]------------ | |
| radare2 -I <program> | |
| Show Binary Info | |
| idp STACK1_VS_2017.pdb | |
| Load Program Symbols | |
| e asm.syntax=intel | |
| Use intel syntax | |
| aaa | |
| Analyze program | |
| Ps <name> | |
| Save Project | |
| Po <name> | |
| Load Project | |
| x @ 0xdeadbeef | |
| Examines memory at address 0xdeadbeef | |
| ? 0xdeadbeef | |
| Converts the number provided (0xdeadbeef) to various bases and formats | |
| ragg2 -P $SIZE -r | |
| Generate cyclical pattern | |
| wopO $VALUE | |
| find offset of pattern | |
| ~ | |
| Grep, afl ~mai == afl | grep mai | |
| find writeable sections: iS | grep perm=..w | |
| find executables sections: iS | grep perm=...x | |
| find xref of a function: axt [offset|yourfunctioname] | |
| list libc imports: is~imp. | |
| ------------[ 0x07c Command Line Parameters ]------------ | |
| -d | |
| debug the executable 'file' or running process 'pid' | |
| Open program in Debbuger Mode | |
| -A | |
| run 'aaa' command to analyze all referenced code | |
| -w | |
| open file in write mode | |
| ------------[ 0x07d Variables & functions ]------------ | |
| ---{ 0x0 Functions }--- | |
| afl | |
| afll | |
| List all functions | |
| pdf @main | |
| Analyze Func | |
| afn <name> <Func> | |
| Rename Func | |
| ---{ 0x0 Variables }--- | |
| afvn <new_name> <var> | |
| Rename Var | |
| afvb* | |
| List EBP related Variables | |
| afvd | |
| See current function Variable values (analyze function variables display) | |
| .afvd local_14h | |
| Display variable by name | |
| afvt temp_char char | |
| Change datatype of variable temp_char to char | |
| px @rbp-04x | |
| Print hex variable value | |
| ------------[ 0x07e Radare Visualization ]------------ | |
| eco | |
| List themes | |
| eco <theme> | |
| Set Theme | |
| ----------------------------------------------------------- | |
| # --[ 0x08 Other Radare Tools ] | |
| ----------------------------------------------------------- | |
| ------------[ 0x08a rabin2 - Get Binary information ]------------ | |
| rabin2 -I <prg> | |
| Binary information | |
| -h | |
| Show help | |
| -i | |
| Get imports | |
| -e | |
| Get sntry point | |
| -zz | |
| Get strings | |
| -g | |
| Includes: [Sections], [Segments], [Entrypoints],[Constructors],[Main],[Imports],[Symbols],[Strings], header structures, [Relocations],etc. | |
| -S | |
| Get sections and memory addresses | |
| ------------[ 0x08b rahash2 - Hashes utility ]------------ | |
| rahash2 -a all <prg> | |
| Show hashes with all algotrithms | |
| -B -b 512 -a md5 | |
| Computes MD5 every 512 bytes | |
| -B -b 512 -a entropy | |
| Calculate entropy every 512 bytes | |
| echo -n ”admin” | rahash2 -a md5 -s ” | |
| Calculate MD5 from string | |
| ------------[ 0x08c rax2 - Numeric Converter ]------------ | |
| rax2 10 | |
| 0xa | |
| rax2 0xa | |
| 10 | |
| rax2 -s 4142434445 | |
| ABCDE | |
| rax2 -S ADB | |
| 414442 | |
| rax2 4+8 | |
| 0xc | |
| -k | |
| Keep base! | |
| ------------[ 0x08d rasm2 - Assembler & disassembler ]------------ | |
| rasm2 -d 4141 | |
| inc ecx | |
| inc ecx | |
| 32bit Disass | |
| rasm2 -a x86 -b 32 "mov eax,33" | |
| b821000000 | |
| 32bit Assembler | |
| rasm2 -a x86 -b 32 "call eax" | |
| rasm2 -a x86 -b 64 "mov rax,33" | |
| 48c7c021000000 | |
| 64bit Assembler | |
| ------------[ 0x08e radiff2 - Binary Diffing Tool ]------------ | |
| radiff2 ABO1_VS_2017.exe ABO1_VS_2017changed.exe | |
| 0x00000742 72 => 7c 0x00000742 | |
| 0x000007da 75 => 45 0x000007da | |
| ------------------------------------------------------------ | |
| # --[ 0x09 Radare2 Automation ] | |
| ----------------------------------------------------------- | |
| Radare2 provides a wide set of a features to automate boring work. It ranges from the simple sequencing of the commands to the calling scripts/another programs via IPC (Inter-Process Communication), called r2pipe. | |
| ------------[ 0x09a Simple Scripting Within Debugger ]------------ | |
| https://radare.gitbooks.io/radare2book/scripting/intro.html | |
| There is an ability to sequence commands using ; semicolon operator: | |
| [0x00404800]> pd 1 ; ao 1 | |
| 0x00404800 b827e66100 mov eax, 0x61e627 ; "tab" | |
| address: 0x404800 | |
| opcode: mov eax, 0x61e627 | |
| prefix: 0 | |
| bytes: b827e66100 | |
| ptr: 0x0061e627 | |
| refptr: 0 | |
| size: 5 | |
| type: mov | |
| esil: 6415911,rax,= | |
| stack: null | |
| family: cpu | |
| [0x00404800]> | |
| The second important way to sequence the commands is with a simple pipe |: | |
| ao | grep address | |
| And of course it's possible to redirect the output of an r2 command into a file, using the > and >> commands: | |
| [0x00404800]> px 10 @ `ao~ptr[1]` > example.txt | |
| [0x00404800]> px 10 @ `ao~ptr[1]` >> example.txt | |
| ------------[ 0x09b Macros ]------------ | |
| (? | |
| Macros Help | |
| (Hello, dr, pdf) | |
| Define Macro | |
| .(Hello) | |
| Run Macro | |
| (* | |
| List Macros | |
| Argument support: | |
| (foo x y, $0 @ $1) define fun with args (x - $0, y - $1) | |
| .(foo 128 0x804800) call it with args | |
| ------------[ 0x09c Python Scripting ]------------ | |
| https://radare.gitbooks.io/radare2book/scripting/r2pipe.html | |
| $ pip install r2pipe | |
| [python] | |
| import r2pipe | |
| r2 = r2pipe.open("buffer-overflow") | |
| r2.cmd('aaa') | |
| print(r2.cmd("afl")) | |
| print(r2.cmd("dr")) | |
| print(r2.cmd("pdf")) | |
| [\python] | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment