############
Radare2 tips
############

Data
----

``iz``, ``izz`` - list nil-terminated strings.

``px <n> @ <addr>`` - hexdump ``<n>`` bytes at ``<addr>``. If you want to use an address from a register, you can refer to it as ``@reg``. [#px-for-registers]_

Example usage:

.. code-block::

   :> px 4 @esp
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df4c  7860 5656                                x`VV
   :> px 4 @esp+4
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df50  0a00 0000                                ....
   :> px 4 @esp-4
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df48  0090 5656                                ..VV

``wao <op>`` - Write Assembly Opcode: change the opcode of the current instruction. ``wao nocj`` - change the opcode of the conditional jump at the current offset to be unconditional.

``wai <instruction>`` - Write Assembly Instruction: literally write any full assembly instruction in place of the current instruction, if it fits, of course. If the new instruction is shorter, NOPs are added.

``w 'string'``, ``w 'a'`` - overWrite in place a string or a single letter.

``wx FFAA00`` - overWrite a sequence of heX tetrads. Spaces are ignored. ``wx F`` - overwrites the high tetrad of the byte with ``F``, so e.g. byte ``00`` becomes ``F0``. ``wx FFF`` - overwrites the first byte and the high tetrad of the second byte with ``F``, so e.g. the sequence ``12 34`` becomes ``FF F4``.

``/ <string>`` - Search for a string. Note that the space is mandatory.

Functions
---------

``afl`` - list functions.

``afx`` - show current function references.

``afn`` - rename function.

``axt`` - xrefs to.

``axf`` - xrefs from.

Press ``v`` in capital-V-mode to bring up the list of functions.

``pdd`` - print decompiled code. Requires installing ``r2dec``. [#r2dec]_

``afv-*``, ``afv-[name]`` - remove the annoying variable and argument aliases automatically declared at the beginning of the function. ``afva`` - get the variable and argument aliases back.

While reversing SMD (Sega MegaDrive ROM) there may be a crap ton of labels defined over the first address (0x200), because all addresses in the IVT are set to 0x200.
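To see where those flags come from, the following added example (not code from the page or from radare2) parses the 68000 vector table at the start of a MegaDrive ROM and counts how many vectors point at each address; every vector that resolves to 0x200 is one more ``sym.`` flag on that offset. The ROM image is constructed inline for illustration, and the two hypothetical interrupt handler addresses (0x300, 0x400) are assumptions.

```python
"""Added example (not from the original page or from radare2): inspect the
68000 vector table of a Sega MegaDrive ROM to see why r2 piles flags onto
0x200. The ROM image below is constructed for illustration."""
import struct

VECTOR_COUNT = 64            # 64 big-endian 32-bit vectors occupy 0x000-0x0FF
VECTOR_TABLE_SIZE = VECTOR_COUNT * 4
ROM_HEADER_END = 0x200       # the 0x100-byte ROM header ends here; code starts at 0x200


def vector_targets(rom: bytes) -> dict:
    """Map each target address to the list of vector-table offsets pointing at it.

    Entry 0 is the initial stack pointer, not a code address, so it is skipped."""
    if len(rom) < VECTOR_TABLE_SIZE:
        raise ValueError("ROM shorter than the 68000 vector table")
    vectors = struct.unpack(f">{VECTOR_COUNT}I", rom[:VECTOR_TABLE_SIZE])
    targets = {}
    for index, addr in enumerate(vectors[1:], start=1):
        targets.setdefault(addr, []).append(index * 4)
    return targets


def crowded_targets(rom: bytes, threshold: int = 2) -> dict:
    """Return {address: count} for targets referenced by at least `threshold` vectors.

    Each such address is where r2 will stack one sym.* flag per vector."""
    return {addr: len(offs) for addr, offs in vector_targets(rom).items()
            if len(offs) >= threshold}


def build_sample_rom() -> bytes:
    """Constructed sample ROM: every vector but two points at 0x200."""
    vectors = [0x00FFFE00] + [ROM_HEADER_END] * (VECTOR_COUNT - 1)
    vectors[0x70 // 4] = 0x00000300   # hypothetical level-4 (HBlank) handler
    vectors[0x78 // 4] = 0x00000400   # hypothetical level-6 (VBlank) handler
    table = struct.pack(f">{VECTOR_COUNT}I", *vectors)
    # zero-filled header followed by a run of 68000 NOPs (0x4E71) as "code"
    return table + bytes(ROM_HEADER_END - len(table)) + b"\x4e\x71" * 0x100


if __name__ == "__main__":
    rom = build_sample_rom()
    for addr, n in sorted(crowded_targets(rom).items()):
        print(f"{addr:#010x} is the target of {n} vectors")
```

Running it on a real ROM file (``vector_targets(open(path, "rb").read())``) tells you in advance which addresses will be crowded, so you know what ``f- sym.*`` is going to clear away.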

Here are some tips about this:

- ``f sym.shit`` - define a new shitty label (flag) you don't need. The ``sym.`` prefix is optional, it is just what r2 uses when it creates them.
- ``f- sym.*`` - remove all these shitty labels (flags) you don't need. The ones without the ``sym.`` prefix are actually OK and not irritating at all, they are rather useful. Note: labels are removed globally, not only for the current address.

Project
-------

``Ps`` - save project.

``$ r2 -p <project>`` - open a project from the shell.

Visual (capital-V-mode) and moving around
-----------------------------------------

Press ``C`` - rotate no color/terminal colorscheme/truecolor colorscheme.

Press ``R`` - random truecolor colorscheme.

Press ``v`` - bring up the list of functions.

``ecd`` - set the default truecolor colorscheme (reset colorscheme).

Press ENTER to follow a jump.

Press ``u``/``U`` - undo/redo a seek or jump following.

Confusing abbreviations and words
---------------------------------

``nbbs`` may stand for `number of basic blocks`. Found in ``aflj`` command output.

``cc`` stands for `calling convention`. Found in ``aflj`` command output, may be set via ``e anal.cc``.

Working with a firmware image binary blob
-----------------------------------------

Useful combination of flags to load a firmware image into r2::

   r2 -m 0x08000000 -a arm -b 16 -A firmware.bin

Options description:

- ``-m 0x08000000`` - Map the file to the specified address. The ``firmware.bin`` image will get mapped at the offset ``0x08000000`` in this case.
- ``-a arm`` - Architecture ``arm``, obviously.
- ``-b 16`` - Set architecture bits to 16, equivalent to the ``e asm.bits=16`` command inside the radare2 shell. Useful for ARM Cortex-M (thumb2) binaries.
- ``-A`` - Analyze, equivalent to the ``aaa`` command inside the radare2 shell.

While reversing ARM Cortex-M (thumb2) binaries, especially ELF binaries without symbols, ``asm.bits`` is always 32 and running ``e asm.bits=16`` does not change anything.
To fix this one must use ``ahb 16``:

- ``ahb 16`` - set bitness to 16 (useful for ARM thumb). [#asmbits16]_

Footnotes
---------

.. [#px-for-registers] `how to get value at an address with radare / stackoverflow.com `_
.. [#r2dec] `How to install r2dec / stackoverflow.com `_
.. [#asmbits16] `Cannot set asm.bits to 16 for arm arch #13019 / github.com `_
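Back to the ``wx`` tips in the Data section: the half-byte behaviour (an odd trailing hex digit overwrites only the high tetrad of the next byte, spaces are ignored) is easy to get wrong when scripting patches. The following added example, which is a model of the rule as the page describes it and not radare2's own implementation, applies a ``wx``-style write to a byte buffer, including bounds checking for the extra half byte. The function name ``wx`` and the sample buffers are constructed for illustration.

```python
"""Added example (not radare2's own code): a model of the ``wx`` write rule
described in the Data section, i.e. spaces are ignored and an odd trailing
hex digit replaces only the high tetrad of the next byte."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def wx(buf: bytearray, hexstr: str, offset: int = 0) -> bytearray:
    """Apply a wx-style hex write to buf at offset and return buf."""
    nibbles = hexstr.replace(" ", "")
    if not nibbles or any(c not in HEX_DIGITS for c in nibbles):
        raise ValueError(f"not a hex tetrad string: {hexstr!r}")
    full = len(nibbles) // 2          # number of whole bytes written
    tail = nibbles[full * 2:]         # "" or a single leftover nibble
    end = offset + full
    # Bounds: whole bytes must fit, and the half-byte write needs one more byte
    if end + (1 if tail else 0) > len(buf):
        raise IndexError("wx would write past the end of the buffer")
    buf[offset:end] = bytes.fromhex(nibbles[:full * 2])
    if tail:
        # keep the low tetrad of the existing byte, replace only the high one
        buf[end] = (int(tail, 16) << 4) | (buf[end] & 0x0F)
    return buf


if __name__ == "__main__":
    # constructed sample buffers mirroring the examples in the Data section
    print(wx(bytearray(b"\x00"), "F").hex())          # f0
    print(wx(bytearray(b"\x12\x34"), "FFF").hex())    # fff4
    print(wx(bytearray(4), "FF AA 00", 1).hex())      # 00ffaa00
```

The bounds check matters when the write lands at the end of a mapped region: ``wx FFF`` on a one-byte buffer needs a second byte for its trailing tetrad, so the model refuses it rather than silently dropping the half byte.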