@luca-m
Created October 18, 2014 14:58
radare2 cheatsheet
# ----------------------------------------------------------------------
# Radare2
# (Quick n'dirty) Cheat-Sheet
# lucam.ko@gmail.com
# ----------------------------------------------------------------------
# See http://radare.org/doc/html/contents.html for details
# ----------------------------------------------------------------------
# MISC
?
Help command; use it liberally (also in combination with other commands)
ia
show all info (imports, exports, sections..)
f
print flags (see "fs" for understanding what flags are)
fs [symbols|imports|sections|strings|regs|maps|*]
select flags to print during "f" command execution
S
print SECTION LIST in several ways (S? for help)
s <address_or_label>
seek to specified address or label.
Note: sS <section_num> will seek to the specified section
# PRINT
x
print hEXadecimal DUMP (alias of px)
ps
print string ("..abc\x11\xcc..")
pb
print bitstream ("..00100101..")
# PRINT::DISASSEMBLE
pD <N>
disassemble <N> bytes
pd
disassemble "b" blocks (use command b to see how many)
pdf
disassemble a whole function (useful for "well-formed" functions)
<disassemble_command>@<address_or_label>
disassemble starting from specified address
# SEARCH
/ <string>
search for string
/w foo
search for wide string 'f\0o\0o\0'
/!_
search for first occurrence not matching.
/i <string>
ignoring case
/e /<regex>/i
match regular expression
/x <hexstr>
search for hex string
/c jmp [esp]
SEARCH for ASM code (see search.asmstr)
/a jmp eax
ASSEMBLE opcode and SEARCH its bytes
/A
search for AES expanded keys
/z <min> <max>
search for strings of given size
//
REPEAT last SEARCH
# PATCHING
# Notes: -default write mode is replace (not insert)
# -launch radare with "-w" option to disable read-only mode (default)
# -start writing on seek position (default)
w <string> [@<address_or_label>]
write plain string with escaped chars
wA '<opcode>' [@<address_or_label>]
WRITE ASSEMBLY using asm.arch and rsc asm
wa <opcode>
write assembly using asm.arch and rasm
wv <expr>
write the result of the expression.
Note: the expression may contain labels (e.g. eip+34)
wf <file>
write contents of file at current seek
r <size>
Resize the file to <size> bytes
Example:
r -10 @ 33 //strip 10 bytes at offset 33
# PATCHING::WRITE IN BLOCK
wo_ <hexvalue||hex_pair>@<address>[:block_size]
apply a specified operation to a chunk of bytes, for example to
emulate the effect of self-modifying code
(wo? for help).
# DEBUG
# Essentially provides a common general interface to specific debuggers
# http://radare.org/doc/html/Chapter20.html#debugging
//TODO
# UNDO/REDO
# not in radare2 :(
u
list all write changes
u 3 //undo write change at index 3
u -3 //redo write change at index 3
# VISUAL MODE
#
V
starts the visual mode
Help output:
>||< - seek aligned to block size
hjkl - move around (HJKL for faster movements)
pP - rotate print modes (hex,string,disass,bitstream ...)
/*+-[] - change block size, [] = resize scr.cols
cC - toggle cursor and colors
gG - go seek to begin and end of file (0-$s)
d[f?] - define function, data, code, ..
x - show xrefs to seek between them
sS - step / step over
e - edit eval configuration variables
t - track flags (browse symbols, functions..)
T - browse anal info and comments
v - visual code analysis menu
fF - seek next/prev function/flag/hit (scr.fkey)
B - toggle automatic block size
uU - undo/redo seek
yY - copy and paste selection
mK/'K - mark/go to Key (any key)
M - show mount points
:cmd - run radare command
;[-]cmt - add/remove comment
. - seek to program counter
z - toggle zoom mode
q - back to radare shell
# ASSEMBLE
rasm2 "<asm-instruction>[;<asm-instruction>]"
Obtain the opcode of the specified instruction list.