R2 Notes

Todo:

  • Review elf format, calling conventions, ABI
  • Learn about saving projects and put in ##Project Management
  • Read about UPX binary compression
  • Check reddit, discords for crackme communities
  • Search this doc for "todo" and fix

Possible improvements:

  • improve speed of aaa checks
  • any issues on the r2 repo
  • improve r2 docs

Crackme sources:

  • crackmes.one
  • pwnable.kr

Other Links

Visual Mode

Press V to enter visual mode.

  • q: quit visual mode
  • p: next visual view
  • P: previous view
  • :: open the command prompt
  • <enter>: follow the call or jump under the cursor
  • u: undo the seek (go back to where you came from)
  • ;: add a comment on the seeked line

Arrow keys scroll, pageup/pagedown scroll faster.

Graph View

Instead of V for visual view, press VV.

Each block has a key combination at the top in square brackets, type that to jump to that block.

p and P switch views.

x lists the cross references to the seeked address, good to e.g. jump back to the caller. Each reference gets an index number; type one to go to it.

Panel View

Instead of V, press ! (or type V! straight from the r2 shell).

  • Can click with mouse
  • <tab>: switch between panes
  • t: control tabs (new, switch, etc)
  • ": modify active pane
  • -: horizontal split current pane
  • |: vertical split of the current pane
  • w: enter window mode, for resizing/moving panels
  • X: close active pane

Commands

  • aaa: analyze everything (open with r2 -A or -AA to run this at startup)
  • pdf: print the disassembly of the current function
  • s <addr>: seek to an address (in visual mode, hit enter again for the screen to update)
  • axt: list cross references to the current address, i.e. everything that calls or reads it
  • pf S @ rbp-8: treat the 8 bytes at rbp-8 as a pointer and print the string it points to
  • afvd: print the values of the current function's local variables
    • afvd [var name] to print a specific variable
  • Use ~ to filter the output of any command (it is r2's internal grep, no shell involved)
    • Postfix a command with ~.. to page the output like less.
    • Filter for a pattern, e.g. only functions with main in the name: afl~main
    • Get help: ~?? (~? on its own just counts the matching lines)
  • Search with /
    • /ad/ cmp: find all cmp instructions
    • Get help: /?

Prefixes

  • a: analyze
    • f: functions
      • l: list
        • l: long (include titles for columns)
      • v: variables
        • d: display
    • x: cross references
      • t: to
      • f: from
  • d: debug
    • b: breakpoint
    • c: continue
    • o: restart
    • s: step
      • f: until end of frame
  • i: information
    • i: imports
    • s: symbols
    • z: strings in data sections
      • z: all strings in the whole binary
    • E: exports (relevant when the binary is used as a library)
    • I: binary info (same as rabin2 -I)
    • S: sections
  • p: print
    • f: format
      • .: choose a structure to print as, e.g. pf.elf_header @ elf_header
        • need to open with -nn to load the format's header structures (todo: is there a way to load them apart from the flags)

Patching

r2 -w target opens the file writable, so edits land in the file on disk.

From visual mode, A enters the visual assembler on the current line: type your assembly and hit enter to write it.

Type w? to get help on the other write commands (e.g. wx to write raw hex bytes).
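The Commands and Patching sections above, run end to end from a shell instead of the interactive prompt. This is an added example, not code from the gist: it builds a constructed crackme, uses the afl~check recipe in batch mode (-q quits after the -c commands, -A runs aaa at startup), then opens the file with -w and overwrites the start of the check function with mov eax, 1; ret so it always reports success. It assumes r2 and cc are on PATH and an x86-64 Linux ELF target, so the function flag is named sym.check; the password string and file names are made up for the example.

```sh
#!/bin/sh
# Added example: drive radare2 non-interactively to analyze and patch a
# constructed crackme. Assumes r2 and cc are on PATH and an x86-64 Linux
# target, so the function flag is named sym.check.
set -eu

# build_crackme DIR: compile a tiny constructed crackme into DIR/crackme.
# It prints "ok" only when argv[1] equals the hard-coded password.
build_crackme() {
    dir=$1
    cat > "$dir/crackme.c" <<'EOF'
#include <stdio.h>
#include <string.h>

int check(const char *s) { return strcmp(s, "s3cret") == 0; }

int main(int argc, char **argv) {
    if (argc > 1 && check(argv[1])) {
        puts("ok");
        return 0;
    }
    puts("nope");
    return 1;
}
EOF
    cc -O0 -o "$dir/crackme" "$dir/crackme.c"
}

# list_functions BIN: the "afl~check" recipe from the notes in batch mode.
# scr.color=0 keeps the output plain so it can be grepped by the shell too.
list_functions() {
    r2 -q -A -e scr.color=0 -c 'afl~check' "$1"
}

# patch_check BIN: open the file writable (-w), seek to the check function
# and overwrite its first bytes with "mov eax, 1; ret" so it always returns
# true. The wa command is double-quoted because ';' would otherwise be
# parsed by r2 as a command separator. (wx b801000000c3 writes the same
# six bytes as raw hex.) pd 2 shows the two patched instructions.
patch_check() {
    r2 -q -A -w -e scr.color=0 \
       -c 's sym.check; "wa mov eax, 1; ret"; pd 2' "$1"
}

# run_crackme BIN ARG: print the program's output without aborting the
# script on its non-zero exit status.
run_crackme() {
    "$1" "$2" || true
}

# Usage: sh r2_patch_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_crackme "$work"
    list_functions "$work/crackme"
    echo "before: $(run_crackme "$work/crackme" wrong)"
    patch_check "$work/crackme"
    echo "after:  $(run_crackme "$work/crackme" wrong)"
fi
```

Patching the function entry rather than the conditional jump in main avoids depending on the exact instruction sequence the compiler emitted for the comparison; the same approach works on a stripped binary once you have the address from axt or the graph view, by replacing sym.check with that address.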

Debugging

r2 -d target

Hit p twice in visual mode to get to the debugging view.

Change how much of the stack is shown with :e stack.size = 256 (in bytes).

  • <F7>: step into
  • <F8>: step over
  • <F9>: continue
  • .: seek back to the program counter (rip)

Project Management

Comments and other annotations only live in the current session; if you want them to persist, you need to save the project.

Todo

Other Tools

  • rabin2: binary information
  • rafind2: find patterns in a binary
