-w: open binary in read/write mode-a arm: specify architecture (asm.arch)-b 32: specify bits (asm.bits)-i file: run script file-m 0x000: map file at specified address
- Chain commands:
;for examplepd 10; px 3 - Grep:
~ - Get the first 10 lines of an output:
yourcmd~:0..10 - Evaluate an expression:
?. For example, to convert 0x61 to decimal:? 0x61will tell you it's 97 and also characteraetc. - Here:
$$ - Relative offsets:
@ $$+xfor examplepd 10 @ $$+4 - Loop:
@BEGIN!END:wox 0x90 @10!20performs XOR with 0x90 from offset 10 to 20. @@fiterate over all functions- Iterations:
@@for example, write ff at offsets 10, 20, 30 withwx ff @@10 20 30
- Change architecture:
e asm.arch=armorr2 -a arm... - Change bits:
e asm.bits=16 - Change CPU:
e asm.cpu=cortex
s addresss-5: seek 5 bytes backwardss-: undo seekafi.: Go to the beginning of a function (orsf.)sf sym.xxx: Go to function xxxs*: Show seek history
-
Search strings in the data section:
iz~STRING, -
Search for a string in disassembly:
pd @ func~STRING, You can search an entire section that way (but it will be long) -
Search imports:
ii~STRING, -
Search class names:
ic~STRING, -
Seach string in flags (constants, functions, importants):
f~STRING, -
Search name of function:
afl~STRING -
Search for a string "everywhere":
/ STRING -
Search for wide-character strings:
/w STRING -
Search case-insensitive strings:
/i STRING -
Search for bytes:
/x 04030201(depending on endianness etc you might need to reverse bytes) -
Search for bytes with some joker (
.):/x ab..efwill skill the 2 middle bytes -
Search for bytes with a pattern:
/x abcdef:ff00ffdoes the same as above. The second string is the mask for the pattern. -
Search for instructions:
/ad mov -
Repeat search:
// -
Search reference using emulation:
/re. Ex: search reference using emulation to the current address/re $$
Command to run for each hit, to be set with e cmd.hit.
For example: e cmd.hit=px
aa: Analyze All (all symbolx and entry points), same as runningr2 -A binary. For a stripped binary, more is usually necessary likeaaa,aar,aac...ad: Analyze dataaf: Analyze functionsaac: Find call instructions and assume destination is a functionaar: analyze data referencesaap: Search for function preludes
afl: List functions. The output is:
- Address of function
- The number of basic blocks in the function
- The size of the function (in bytes)
- The function's name
Advanced:
-
to sort the output and prioritize functions with most references:
afl,xref/sort/dec,1/head/15(thx to @ApkUnpacker) -
list function tab separated:
afl, :tsv -
afn: Rename function -
afvn: Rename local variable -
afvt: Change type of local variable -
axt: Cross references to -
axf: Cross references from -
afi: Find the function you are in -
af: Define a new function. Go to the beginning of the function, thenaf -
afx: See function references
iz: strings in the data sectionizz: strings in the whole binary/az: search for strings and possibly reconstruct the assembly when they are split
ie: List entry pointis: List symbolsiS: List sectionsii: List importsi~strip: Know if a binary is stripped ("get file info and search for 'strip'")
- Show all comments:
CC - Add a comment:
CC this is my comment @ addr - Remove a comment:
CC-
Comment properties:
- Show opcode description:
e asm.describe=true - Do not show comments:
e asm.comments=false - Change delimiter: ``e asm.cmt.token=#`
Show emulated assembly
- describes CPU opcodes
- will tell you what value was in this register before and after
- comments on the right of the disassembly
- enable with
e asm.emu = true - Read more Emulating Assembly in Radare2
Only display useful information concerning the output such as strings the program uses:
e emu.str = true(or 1)
Show ESIL (Evaluable Strings Intermediate Language): ESIL is Radare2's own intermediate language.
e asm.esil = true
C- size: define as codeCd size: define as dataCs size: define as stringCf size: define as struct
Flags are labels for offsets: str for strings, sym for symbols etc.
f: List flagsfr: Rename a flagfs: Show all flag spaces
Searches are stored in the search flag space.
To remove hits: f- hit*
ps @ offset: print stringpsz @ offset: print a zero-terminated stringpdf: print functionpx BYTES @ offset: print x bytespxw: print wordspi n @ offset: print n instructions disassembledpif: Show only the instructions of a given function (helpful to copy/paste a function)pD n @ offset: print n bytes disassembled- Pretty print:
~{} pcp: transform the given bytes in a Python array (choose language withpc?)p6es text: base64 encode.p6dsto decode- Show Pico:
?EC yourmessagegoeshere
Zignatures are recognizable patterns
- Generate zignatures:
zg(doaabefore) - Save zignatures to a file:
zos zigz.z - Load zignatures:
zo zigz.z
- Write to a file:
wtf filename size @ position - Open a file in write mode:
oo+ wx hex @ offset: write hex valueswa bl 0x20204: write assemblywox byte: XOR current block with byte and write it.wox key @ offset length: XORs length bytes at offset with the key. For the values to be written, you need to enable writing:e io.cache=true(or launchr2with-w)
Advanced:
wox 6 @4!10: XOR from offset 4 to 10 with value 6
poE/poD: encrypt / decrypt with a given algo and key (does not change the binary)/ca algo: search for magic indicating using of a given algopFa(orpFx): show decoded ASN.1 / DER certificate
- Save a session:
Ps filename. By default, sessions are stored in~/.config/radare2/projects. - To reload a session:
Po filename
V then press p to switch between virtual modes
- Enter visual mode:
V - Leave visual mode:
q
- Update:
r2pm update(or-U) - List all known packages:
r2pm -s
Install packages:
- Example:
r2pm -i axml2xml - Perform a clean install:
r2pm -ci XYZ
This works on a binary XML (note that strings --encoding=l works too):
rafind2 -ZS permissions AndroidManifest.xml
Show imports:
rabin2 -i classes.dex
XOR the string with key 0x88
rahash2 -D xor -S 0x88 -s 'THESTRING'