############
Radare2 tips
############

Data
----

``iz``, ``izz`` - list null-terminated strings: ``iz`` looks only in the data
sections, ``izz`` scans the whole binary.

``px <size> @<offset>`` - hexdump ``<size>`` bytes at ``<offset>``. If you want
to use an address from a register, you can refer to it as ``@reg``. [#px-for-registers]_
Example usage:

.. code-block::

   :> px 4 @esp
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df4c  7860 5656                                x`VV
   :> px 4 @esp+4
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df50  0a00 0000                                ....
   :> px 4 @esp-4
   - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
   0xffd5df48  0090 5656                                ..VV

``wao <op>`` - Write Assembly Opcode: apply one of r2's predefined
modifications (``nop``, ``nocj``, ``ret0``, ...; see ``wao?``) to the
instruction at the current offset.

``wao nocj`` - change the conditional jump at the current offset into an
unconditional one.

``wai <instruction>`` - Write Assembly Instruction: replace the current
instruction with any full assembly instruction, provided it fits. If the new
instruction is shorter, the remaining bytes are padded with NOPs.

``w 'string'``, ``w 'a'`` - overwrite a string or a single letter in place.

``wx FFAA00`` - overwrite a sequence of hex nibbles (tetrads). Spaces are ignored.

``wx F`` - overwrites only the high nibble of the byte with ``F``, so, e.g.,
byte ``00`` becomes ``F0``.

``wx FFF`` - overwrites the first byte and the high nibble of the second byte
with ``F``, so, e.g., the sequence ``12 34`` becomes ``FF F4``.

``/ <string>`` - search for a string. Note that the space is mandatory.

Functions
---------

``afl`` - list functions.

``afx`` - list the references made by the current function.

``afn <newname>`` - rename the current function.

``axt`` - xrefs to the current address.

``axf`` - xrefs from the current address.

Press ``v`` in capital-V-mode to bring up the list of functions.

``pdd`` - print decompiled code. Requires installing ``r2dec``. [#r2dec]_

``afv-*``, ``afv-[name]`` - remove the annoying variable and argument aliases
automatically declared at the beginning of the function.

``afva`` - get the variable and argument aliases back.

While reversing an SMD (Sega MegaDrive) ROM there may be a huge pile of labels
defined over the first address (0x200), because every entry in the IVT is set
to 0x200. Here are some tips about this:

- ``f sym.shit`` - define a new junk label (flag) you don't need. The ``sym.``
  prefix is optional; it is just what r2 uses when it creates these.
- ``f- sym.*`` - remove all of these junk labels (flags) you don't need. The
  ones without the ``sym.`` prefix are fine and not irritating at all; they
  are rather useful. Note: labels are removed globally, not only for the
  current address, and ``sym.`` is also the prefix r2 gives to real symbols
  imported from a binary's symbol table, so only do this on symbol-less images
  such as a raw ROM.

Project
-------

``Ps`` - save project.

``$ r2 -p <projectname>`` - open a project from the shell.

Visual (capital-V-mode) and moving around
-----------------------------------------

Press ``C`` - rotate between no color, the terminal colorscheme and the
truecolor colorscheme.

Press ``R`` - pick a random truecolor colorscheme.

Press ``v`` - bring up the list of functions.

``ecd`` - set the default truecolor colorscheme (reset the colorscheme).

Press ENTER to follow a jump.

Press ``u``/``U`` - undo/redo a seek or jump following.

Confusing abbreviations and words
---------------------------------

``nbbs`` stands for `number of basic blocks`. Found in ``aflj`` command
output.

``cc`` stands for `calling convention`. Found in ``aflj`` command output; may be
set via ``e anal.cc``.

Working with a firmware image binary blob
-----------------------------------------

Useful combination of flags to load a firmware image into r2::

   r2 -m 0x08000000 -a arm -b 16 -A firmware.bin

Options description:

- ``-m 0x08000000`` - map the file at the specified address. The
  ``firmware.bin`` image gets mapped at ``0x08000000`` in this case (the
  internal flash base of STM32 parts, for example). Use the address the chip
  actually executes the image from; with a wrong base, absolute jumps and data
  references will not resolve during analysis.
- ``-a arm`` - architecture ``arm``.
- ``-b 16`` - set architecture bits to 16, equivalent to ``e asm.bits=16``
  inside the radare2 shell. Useful for ARM Cortex-M (Thumb-2) binaries.
- ``-A`` - analyze, equivalent to the ``aaa`` command inside the radare2 shell.

While reversing ARM Cortex-M (Thumb-2) binaries, especially ELF binaries without
symbols, ``asm.bits`` stays at 32 and running ``e asm.bits=16`` does not change
anything. To fix this one must use ``ahb 16``:

- ``ahb 16`` - set a bitness hint of 16 at the current offset (useful for ARM
  Thumb); use ``ahb 16 @ <addr>`` for another address and re-run the analysis
  afterwards. [#asmbits16]_
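
Before picking ``-m``/``-b`` it is worth checking that the blob's vector table
actually agrees with the base address you are about to use. The script below is
an added example, not code from this page or from radare2: it reads the first
two words of a raw Cortex-M image (initial stack pointer and reset handler,
whose bit 0 is the Thumb bit that motivates ``-b 16``/``ahb 16``), checks that
the handler lands inside the image when mapped at the candidate base, and
builds the r2 command line from the section above. It also covers the MegaDrive
case from the Functions section by counting how many of a ROM's 64 big-endian
vectors point at the same address, which is how many flags r2 will pile onto it.
The two sample images and the path ``firmware.bin`` are constructed here for
illustration; they are not real firmware.

```python
"""Sanity-check a raw image's vector table before loading it into radare2.

Added example, not from the page or from radare2 itself. The sample images
below are constructed inline, not real firmware.
"""
import struct
from collections import Counter


def cortex_m_check(blob, base):
    """Inspect the first two words of a raw Cortex-M image.

    Word 0 is the initial main stack pointer and word 1 the reset handler.
    On Cortex-M the handler address has bit 0 set (Thumb), which is why
    these images want -b 16 / ahb 16 in r2. The handler should also land
    inside the image once it is mapped at ``base``; if it does not, the
    base address is probably wrong.
    """
    sp, reset = struct.unpack_from("<II", blob, 0)
    handler = reset & ~1  # strip the Thumb bit to get the real address
    result = {
        "sp": sp,
        "reset": reset,
        "thumb": bool(reset & 1),
        "sp_aligned": sp % 8 == 0,  # AAPCS: SP is 8-byte aligned at entry
        "reset_in_image": base <= handler < base + len(blob),
    }
    result["ok"] = result["thumb"] and result["sp_aligned"] and result["reset_in_image"]
    return result


def r2_cmdline(path, base, bits=16):
    """Build the r2 invocation from the notes for a checked image."""
    return f"r2 -m {base:#010x} -a arm -b {bits} -A {path}"


def smd_vector_report(blob):
    """Count how many of a MegaDrive ROM's 64 big-endian vectors share a target.

    Vector 0 is the initial SP and vector 1 the entry point; the other 62
    are exception vectors. Every vector pointing at the same address becomes
    another flag on that address in r2, which is what ``f- sym.*`` cleans up.
    Returns (most common target, number of vectors pointing at it).
    """
    vectors = struct.unpack_from(">64I", blob, 0)
    target, count = Counter(vectors[2:]).most_common(1)[0]
    return target, count


# Constructed Cortex-M sample (hypothetical): SP in SRAM, reset handler at
# image offset 0x100 with the Thumb bit set, padded so the handler lies inside
# the 0x400-byte blob.
CORTEX_M_SAMPLE = struct.pack("<II", 0x20002000, 0x08000101) + b"\x00" * 0x3F8

# Constructed MegaDrive sample (hypothetical): SP, entry at 0x200 and all 62
# exception vectors set to 0x200, as described in the notes.
SMD_SAMPLE = struct.pack(">II", 0x00FFFE00, 0x00000200) + struct.pack(">62I", *([0x200] * 62))

if __name__ == "__main__":
    for base in (0x08000000, 0x00000000):
        r = cortex_m_check(CORTEX_M_SAMPLE, base)
        print(f"base {base:#010x}: ok={r['ok']} thumb={r['thumb']} "
              f"reset_in_image={r['reset_in_image']}")
        if r["ok"]:
            print("  " + r2_cmdline("firmware.bin", base))
    target, count = smd_vector_report(SMD_SAMPLE)
    print(f"SMD: {count} exception vectors point at {target:#x}")
```

Running it shows the sample passing at ``0x08000000`` and failing at ``0``
(the reset handler falls outside the mapped range), and reports 62 MegaDrive
vectors on ``0x200``. Replace ``CORTEX_M_SAMPLE`` with the bytes of a real
dump to check your own base address before handing it to ``r2 -m``.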

Footnotes
---------

.. [#px-for-registers] `how to get value at an address with radare / stackoverflow.com <https://stackoverflow.com/a/54264998>`_

.. [#r2dec] `How to install r2dec / stackoverflow.com <https://stackoverflow.com/a/51466052>`_

.. [#asmbits16] `Cannot set asm.bits to 16 for arm arch #13019 / github.com <https://github.com/radareorg/radare2/issues/13019#issuecomment-461775283>`_