Basic Commands

    The general format for a valid command (as explained in the chapter) looks like this:

    For example,

    > 3s +1024 ; seeks three times 1024 from the current seek

    If a command starts with =!, the rest of the string is passed to the currently loaded IO plugin (a debugger, for example). Most plugins provide help messages with =!? or =!help.

    $ r2 -d /bin/ls
    > =!help ; handled by the IO plugin

    The meaning of the arguments (iter, addr, size) depends on the specific command. As a rule of thumb, most commands take a number as an argument to specify the number of bytes to work with, instead of the currently defined block size. Some commands accept math expressions or strings.

    > s base+0x33 ; seeks to flag 'base' plus 0x33

    The @ sign specifies a temporary offset or seek position at which the command is executed, instead of the current seek position. This is quite useful, as you don't have to seek around all the time.

    > p8 10 @ 0x4010 ; show 10 bytes at offset 0x4010
    > f patata @ 0x10 ; set 'patata' flag at offset 0x10

    Using @@ you can execute a single command on a list of flags matching the glob. You can think of this as a foreach operation:

    > pr > dump.bin ; dump 'raw' bytes of current block to file named 'dump.bin'
    > f > flags.txt ; dump flag list to 'flags.txt'

    The | operation (pipe) works the way you would expect from a *NIX shell: the output of one command becomes the input of another.

    [0x4A13B8C0]> f | grep section | grep text
    0x080d24b0 512 section._text_end

    You can pass several commands in a single line by separating them with a semicolon ;:

    Using _, you can print the result that was obtained by the last command.

    [0x00001060]> axt 0x00002004
    main 0x1181 [DATA] lea rdi, str.argv__2d_:__s
    [0x00001060]> _
    main 0x1181 [DATA] lea rdi, str.argv__2d_:__s
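
    To see how the operators on this page combine (repeat count, =! prefix, @ and @@, > redirect, | pipe, ; separator), here is a small parser that splits a command line into those parts. It is an added example, not code from radare2 or from the original page: a simplified model that ignores quoting and any operator not described above, with hypothetical names (R2Command, parse_one, parse_line) and one constructed @@ sample.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class R2Command:
    cmd: str                        # command plus its arguments
    repeat: int = 1                 # leading count, e.g. 3 in "3s +1024"
    at: Optional[str] = None        # temporary seek given after "@"
    foreach: Optional[str] = None   # flag glob given after "@@"
    redirect: Optional[str] = None  # file name after ">"
    pipe: Optional[str] = None      # shell pipeline after the first "|"
    io_plugin: bool = False         # "=!" prefix: passed to the IO plugin

def _cut(text, sep):
    """Split once on sep and strip both halves."""
    left, right = text.split(sep, 1)
    return left.strip(), right.strip()

def parse_one(text):
    text = text.strip()
    if text.startswith("=!"):
        # The rest of the string belongs to the IO plugin; do not parse it.
        return R2Command(cmd=text[2:].strip(), io_plugin=True)
    out = R2Command(cmd="")
    # Output operators end the command, so peel them off first.
    if "|" in text:
        text, out.pipe = _cut(text, "|")
    elif ">" in text:
        text, out.redirect = _cut(text, ">")
    # Test "@@" before "@", because "@" alone would match both.
    if "@@" in text:
        text, out.foreach = _cut(text, "@@")
    elif "@" in text:
        text, out.at = _cut(text, "@")
    # A decimal prefix is a repeat count; "0x..." is a number, not a count.
    m = re.match(r"(?!0x)(\d+)([A-Za-z].*)", text)
    if m:
        out.repeat, text = int(m.group(1)), m.group(2)
    out.cmd = text
    return out

def parse_line(line):
    """Split on ';' and parse every non-empty command."""
    return [parse_one(p) for p in line.split(";") if p.strip()]

if __name__ == "__main__":
    # Commands from the page (annotations dropped); the "@@" one is constructed.
    for line in ["3s +1024", "=!help", "p8 10 @ 0x4010", "pr > dump.bin",
                 "f | grep section | grep text", "s base+0x33; p8 4 @@ sym.*"]:
        print(line, "->", parse_line(line))
```

    The redirect and pipe fields mark the commands in a script that write files or reach the shell, which is worth checking before running a script you did not write.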