Managing variables

    The main variables commands are located in afv namespace:

    afvr, afvb and afvs commands are uniform but allow manipulation of register-based arguments and variables, BP/FP-based arguments and variables, and SP-based arguments and variables respectively. If we check the help for afvr we will get the way two others commands works too:

    1. |Usage: afvr [reg] [type] [name]
    2. | afvr                        list register based arguments
    3. | afvr*                       same as afvr but in r2 commands
    4. | afvr [reg] [name] ([type])  define register arguments
    5. | afvrj                       return list of register arguments in JSON format
    6. | afvr- [name]                delete register arguments at the given index
    7. | afvrg [reg] [addr]          define argument get reference
    8. | afvrs [reg] [addr]          define argument set reference

    Like many other things variables detection is performed by radare2 automatically, but results can be changed with those arguments/variables control commands. This kind of analysis relies heavily on preloaded function prototypes and the calling-convention, thus loading symbols can improve it. Moreover, after changing something we can rerun variables analysis with afva command. Quite often variables analysis is accompanied with , see afta command.

    As mentioned before the analysis loop relies heavily on types information while performing variables analysis stages. Thus comes next very important command - afvt, which allows you to change the type of variable:

    Less commonly used feature, which is still under heavy development - distinction between variables being read and written. You can list those being read with afvR command and those being written with afvW command. Both commands provide a list of the places those operations are performed:

    1. [0x00003b92]> afvR
    2. local_48h  0x48ee
    4. local_10h  0x4b53,0x5225,0x53bd,0x50cc
    5. local_8h  0x4d40,0x4d99,0x5221,0x53b9,0x50c8,0x4620
    6. local_28h  0x503a,0x51d8,0x51fa,0x52d3,0x531b
    7. local_38h
    8. local_45h  0x50a1
    9. local_46h
    10. local_32h  0x3cb1
    11. [0x00003b92]> afvW
    12. local_48h  0x3adf
    13. local_30h  0x3d3e,0x4868,0x5030
    14. local_10h  0x3d0e,0x5035
    15. local_8h  0x3d13,0x4d39,0x5025
    16. local_28h  0x4d00,0x52dc,0x53af,0x5060,0x507a,0x508b
    17. local_38h  0x486d
    18. local_45h  0x5014,0x5068
    19. local_47h  0x501b
    20. local_46h  0x5083
    21. local_32h
    22. [0x00003b92]>

    The type inference for local variables and arguments is well integrated with the command afta.

    • After applying afta
    2. [0x000007aa]> pdf
    3. | ;-- rip:
    4. / (fcn) sym.main 157
    5. | sym.main ();
    6. | ; var size_t local_20h @ rbp-0x20
    7. | ; var size_t size @ rbp-0x1c
    8. | ; var char *src @ rbp-0x18
    9. | ; var char *s2 @ rbp-0x10
    10. | ; var char *dest @ rbp-0x8
    11. | ; DATA XREF from entry0 (0x6bd)
    12. | 0x000007aa  push rbp
    13. | 0x000007ab  mov rbp, rsp
    14. | 0x000007ae  sub rsp, 0x20
    15. | 0x000007b2  lea rax, str.Hello          ; 0x8d4 ; "Hello"
    16. | 0x000007b9  mov qword [src], rax
    17. | 0x000007bd  lea rax, str.r2_folks       ; 0x8da ; " r2-folks"
    18. | 0x000007c4  mov qword [s2], rax
    19. | 0x000007c8  mov rax, qword [src]
    20. | 0x000007cf  call sym.imp.strlen         ; size_t strlen(const char *s)

    It also extracts type information from format strings like printf ("fmt : %s , %u , %d", ...), the format specifications are extracted from

    You could create a new profile for specifying a set of format chars depending on different libraries/operating systems/programming languages like this :

    Then change your default specification to newly created one using this config variable e anal.spec = win