Loops

    We can loop over flags:

    For example, we want to see function information with command:

    1. [0x004047d6]> afi
    2. #
    3. offset: 0x004047d0
    4. name: entry0
    5. size: 42
    6. realsz: 42
    7. stackframe: 0
    8. call-convention: amd64
    9. cyclomatic-complexity: 1
    10. bits: 64
    11. type: fcn [NEW]
    12. num-bbs: 1
    13. edges: 0
    14. end-bbs: 1
    15. call-refs: 0x00402450 C
    16. data-refs: 0x004136c0 0x00413660 0x004027e0
    17. code-xrefs:
    18. data-xrefs:
    19. locals:0
    20. args: 0
    21. diff: type: new
    22. [0x004047d6]>

    Now let’s say, for example, that we’d like see a particular field from this output for all functions found by analysis. We can do that with a loop over all function flags (whose names begin with fcn.):

    1. [0x004047d6]> fs functions
    2. [0x004047d6]> afi @@ fcn.* ~name

    This command will extract the name field from the afi output of every flag with a name matching the regexp fcn.*. There are also a predefined loop called @@f, which runs your command on every functions found by r2:

    1. @@=1 2 3 ... N

    For example, say we want to see the opcode information for 2 offsets: the current one, and at current + 2:

    1. [0x004047d6]> ao @@=$$ $$+2
    2. address: 0x4047d6
    3. opcode: mov rdx, rsp
    5. bytes: 4889e2
    6. refptr: 0
    7. type: mov
    8. esil: rsp,rdx,=
    9. stack: null
    10. family: cpu
    11. address: 0x4047d8
    12. opcode: loop 0x404822
    13. prefix: 0
    14. bytes: e248
    15. refptr: 0
    16. size: 2
    17. type: cjmp
    18. esil: 1,rcx,-=,rcx,?{,4212770,rip,=,}
    19. jump: 0x00404822
    20. fail: 0x004047da
    21. stack: null
    22. cond: al
    23. family: cpu
    24. [0x004047d6]>

    Note we’re using the variable which evaluates to the current offset. Also note that +2 is evaluated before looping, so we can use the simple arithmetic expressions.

    A third way to loop is by having the offsets be loaded from a file. This file should contain one offset per line.

    radare2 also offers various foreach constructs for looping. One of the most useful is for looping through all the instructions of a function:

    1. [0x004047d0]> pdf
    2.  (fcn) entry0 42
    3. │; UNKNOWN XREF from 0x00400018 (unk)
    4. │; DATA XREF from 0x004064bf (sub.strlen_460)
    5. │; DATA XREF from 0x00406511 (sub.strlen_460)
    6. │; DATA XREF from 0x0040b080 (unk)
    7. │; DATA XREF from 0x0040b0ef (unk)
    8. 0x004047d0  xor ebp, ebp
    9. 0x004047d2  mov r9, rdx
    11. 0x004047d6  mov rdx, rsp
    12. 0x004047d9  and rsp, 0xfffffffffffffff0
    13. 0x004047dd  push rax
    14. 0x004047df  mov r8, 0x4136c0
    15. 0x004047e6  mov rcx, 0x413660      ; "AWA..AVI..AUI..ATL.%.. "
    16. 0A..AVI..AUI.
    17. 0x004047ed  mov rdi, main          ; "AWAVAUATUH..S..H...." @
    18. 0
    19. 0x004047f4  call sym.imp.__libc_start_main
    20. 0x004047f9  hlt
    21. [0x004047d0]> pi 1 @@i
    22. mov r9, rdx
    23. pop rsi
    24. mov rdx, rsp
    25. and rsp, 0xfffffffffffffff0
    26. push rax
    27. push rsp
    28. mov r8, 0x4136c0
    29. mov rcx, 0x413660
    30. mov rdi, main
    31. call sym.imp.__libc_start_main
    32. hlt
    • @@k sdbquery - iterate over all offsets returned by that sdbquery
    • @@t- iterate over on all threads (see dp)
    • @@b - iterate over all basic blocks of current function (see afb)
    • @@f - iterate over all functions (see aflq)

    The last kind of looping lets you loop through predefined iterator types:

    • symbols
    • imports
    • registers
    • threads
    • comments
    • functions
    • flags

    This is done using the @@@ command. The previous example of listing information about functions can also be done using the @@@ command:

    1. [0x004047d6]> afi @@@ functions ~name

    This will extract name field from output and will output a huge list of function names. We can choose only the second column, to remove the redundant name: on every line:

    Beware, @@@ is not compatible with JSON commands.