我的书签
添加书签
移除书签Radare2 Reference Card
Those are the basic commands you will want to know and use for moving around a binary and getting information about it.
Flags
Flags are like bookmarks, but they carry some extra information like size, tags or associated flagspace. Use the command to list, set, get them.
| Command | Description |
|---|---|
| f | List flags |
| fd $$ | Describe an offset |
| fj | Display flags in JSON |
| fl | Show flag length |
| fx [flagname] | Show hexdump of flag |
| fC [name] [comment] | Set flag comment |
Flagspaces
Flags are created into a flagspace, by default none is selected, and listing flags will list them all. To display a subset of flags you can use the fs command to restrict it.
| Command | Description |
|---|---|
| ii | Information on imports |
| iI | Info on binary |
| ie | Display entrypoint |
| iS | Display sections |
| ir | Display relocations |
| iz | List strings (izz, izzz) |
Print string
There are different ways to represent a string in memory. The ps command allows us to print it in utf-16, pascal, zero terminated, .. formats.
Visual mode
The visual mode is the standard interactive interface of radare2.
To enter in visual mode use the v or V command, and then you’ll only have to press keys to get the actions happen instead of commands.
| Command | Description |
|---|---|
| V | Enter visual mode |
| p/P | Rotate modes (hex, disasm, debug, words, buf) |
| c | Toggle (c)ursor |
| q | Back to Radare shell |
| hjkl | Move around (or HJKL) (left-down-up-right) |
| Enter | Follow address of jump/call |
| sS | Step/step over |
| o | Toggle asm.pseudo and asm.esil |
| . | Seek to program counter |
| / | In cursor mode, search in current block |
| :cmd | Run radare command |
| ;[-]cmt | Add/remove comment |
| /*+-[] | Change block size, [] = resize hex.cols |
| <,> | Seek aligned to block size |
| i/a/A | (i)nsert hex, (a)ssemble code, visual (A)ssembler |
| b | Toggle breakpoint |
| B | Browse evals, symbols, flags, classes, … |
| d[f?] | Define function, data, code, .. |
| D | Enter visual diff mode (set diff.from/to) |
| e | Edit eval configuration variables |
| f/F | Set/unset flag |
| gG | Go seek to begin and end of file (0-$s) |
| mK/’K | Mark/go to Key (any key) |
| M | Walk the mounted filesystems |
| n/N | Seek next/prev function/flag/hit (scr.nkey) |
| C | Toggle (C)olors |
| R | Randomize color palette (ecr) |
| tT | Tab related. see also |
| v | Visual code analysis menu |
| V | (V)iew graph (agv?) |
| wW | Seek cursor to next/prev word |
| uU | Undo/redo seek |
| x | Show xrefs of current func from/to data/code |
| yY | Copy and paste selection |
| z | fold/unfold comments in diassembly |
This feature has broken and not been resolved at the time of writing these words (Nov.16th 2020). check #Issue 6945: META - Project files and for more details.
To save your analysis for now, write your own script which records the function name, variable name, etc. for example:
vim sample_A.r2s 0x000403ce0s fcn.00403130afn return_delta_to_heapaddrafvn iter var_04h
The ?$? command will display the variables that can be used in any math operation inside the r2 shell. For example, using the command to evaluate a number or ?v to just the value in one format.
| Command | Description |
|---|---|
| $$ | here (current virtual seek) |
| $$$ | current non-temporary virtual seek |
| $? | last comparison value |
| $alias=value | alias commands (simple macros) |
| $b | block size |
| $B | base address (aligned lowest map address) |
| $f | jump fail address (e.g. jz 0x10 => next instruction) |
| $fl | flag length (size) at current address (fla; pD $l @ entry0) |
| $F | current function size |
| $FB | begin of function |
| $Fb | address of the current basic block |
| $Fs | size of the current basic block |
| $FE | end of function |
| $FS | function size |
| $Fj | function jump destination |
| $Ff | function false destination |
| $FI | function instructions |
| $c,$r | get width and height of terminal |
| $Cn | get nth call of function |
| $Dn | get nth data reference in function |
| $D | current debug map base address ?v $D @ rsp |
| $DD | current debug map size |
| $e | 1 if end of block, else 0 |
| $j | jump address (e.g. jmp 0x10, jz 0x10 => 0x10) |
| $Ja | get nth jump of function |
| $Xn | get nth xref of function |
| $l | opcode length |
| $m | opcode memory reference (e.g. mov eax,[0x10] => 0x10) |
| $M | map address (lowest map address) |
| $o | here (current disk io offset) |
| $p | getpid() |
| $P | pid of children (only in debug) |
| $s | file size |
| $S | section offset |
| $SS | section size |
| $v | opcode immediate value (e.g. lui a0,0x8010 => 0x8010) |
| $w | get word size, 4 if asm.bits=32, 8 if 64, … |
| ${ev} | get value of eval config variable |
| $r{reg} | get value of named register |
| $k{kv} | get value of an sdb query value |
| $s{flag} | get size of flag |
| RNum | $variables usable in math expressions |
