Radare2 tips
============

Data
----

``iz``, ``izz`` - list nil-terminated strings.

``px <size> @<offset>`` - hexdump ``<size>`` bytes at ``<offset>``. If you want
to use the address held in a register, refer to it as ``@reg``. [#px-for-registers]_

Example usage:

.. code-block:: text

    :> px 4 @esp
    - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    0xffd5df4c  7860 5656                                x`VV
    :> px 4 @esp+4
    - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    0xffd5df50  0a00 0000                                ....
    :> px 4 @esp-4
    - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
    0xffd5df48  0090 5656                                ..VV


``wao <asm-instr>`` - Write Assembly Opcode, change the opcode of the current instruction.

``wao nocj`` - change the opcode of the conditional jump at the current offset into an unconditional jump.

``wai <instruction>`` - Write Assembly Instruction - replace the current instruction with any full assembly instruction, provided the new encoding fits, of course. If the new instruction is shorter, the remaining bytes are filled with NOPs.

``w 'string'``, ``w 'a'`` - overWrite in place a string or a single letter.

``wx FFAA00`` - overWrite a sequence of heX tetrads (nibbles). Spaces are ignored.

``wx F`` - a single hex digit overwrites only the high tetrad of the byte, so, e.g. byte ``00`` becomes ``F0``.

``wx FFF`` - an odd number of digits overwrites the first byte fully and only the high tetrad of the second byte, so, e.g. sequence ``12 34`` becomes ``FF F4``.

``/ <string>`` - Search for a string. Note that the space after ``/`` is mandatory.
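
The ``px`` layout and the ``wx``/``wai`` write semantics above are easy to misread, so here is a small model of them, added here as an example; it is not radare2's own code and it only mimics the behaviour the tips describe (16-bit word grouping in ``px``, a trailing odd digit in ``wx`` touching only the high tetrad, NOP padding in ``wai``). The stack snapshot in ``main`` is constructed from the ``px 4 @esp`` session shown earlier; the x86 NOP byte ``0x90`` is an assumed default.

```python
"""Model of radare2's ``px`` hexdump layout and ``wx``/``wai`` write semantics.
Added example, not radare2's own code: the functions mimic the behaviour the
tips describe so it can be checked offline."""
import string

# Header line exactly as r2 prints it for a 16-byte-wide hexdump.
PX_HEADER = "- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF"


def px(data: bytes, addr: int, width: int = 16) -> str:
    """Render ``data`` as px-style rows starting at address ``addr``.

    Bytes are grouped into 16-bit words ("7860 5656"), the hex column is
    padded to a full row so the ASCII column always lines up, and
    non-printable bytes are shown as '.'.
    """
    full_hex_width = (width // 2) * 4 + (width // 2 - 1)
    rows = [PX_HEADER]
    for start in range(0, len(data), width):
        chunk = data[start:start + width]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asciicol = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"0x{addr + start:08x}  {hexcol.ljust(full_hex_width)}  {asciicol}")
    return "\n".join(rows)


def wx(buf: bytearray, offset: int, hexseq: str) -> int:
    """Model of ``wx``: spaces are ignored; whole digit pairs are written as bytes
    and a trailing odd digit replaces only the high tetrad of the next byte, so
    ``wx F`` turns ``00`` into ``F0`` and ``wx FFF`` turns ``12 34`` into ``FF F4``.
    Returns the number of bytes touched."""
    digits = "".join(hexseq.split())
    if not digits or any(d not in string.hexdigits for d in digits):
        raise ValueError(f"not a hex sequence: {hexseq!r}")
    whole, odd = divmod(len(digits), 2)
    if offset + whole + odd > len(buf):
        raise ValueError("write runs past the end of the buffer")
    for i in range(whole):
        buf[offset + i] = int(digits[2 * i:2 * i + 2], 16)
    if odd:
        low = buf[offset + whole] & 0x0F          # keep the low tetrad
        buf[offset + whole] = (int(digits[-1], 16) << 4) | low
    return whole + odd


def wai(buf: bytearray, offset: int, old_len: int, new_instr: bytes,
        nop: bytes = b"\x90") -> bool:
    """Model of ``wai``: replace the ``old_len``-byte instruction at ``offset``
    with ``new_instr`` only if it fits, padding any slack with ``nop``
    (single-byte x86 NOP assumed by default). Returns False and leaves ``buf``
    untouched when the new encoding is longer or the slack is not a whole
    number of NOPs."""
    slack = old_len - len(new_instr)
    if slack < 0 or slack % len(nop):
        return False
    buf[offset:offset + old_len] = new_instr + nop * (slack // len(nop))
    return True


if __name__ == "__main__":
    # Constructed stack snapshot: the three dwords from the ``px 4 @esp`` session.
    stack = bytearray.fromhex("00905656" "78605656" "0a000000")
    esp = 0xffd5df4c
    print(px(stack[4:8], esp))       # reproduces the ``px 4 @esp`` row
    wx(stack, 4, "FFF")              # odd-length write: 78 60 -> FF F0
    print(px(stack, esp - 4))
```

Running the file prints the ``px 4 @esp`` row byte-for-byte as in the session above, then the whole snapshot after the odd-length ``wx``; the point of the model is that the last digit of an odd-length sequence never clobbers the low tetrad.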

Functions
---------

``afl`` - list functions.

``afx`` - show current function references.

``afn`` - rename function.

``axt`` - xrefs to.

``axf`` - xrefs from.

Press ``v`` in capital-V-mode to bring up the list of functions.

``pdd`` - print decompiled code. Requires installing ``r2dec`` [#r2dec]_

``afv-*``, ``afv-[name]`` - remove annoying variables and args aliases automatically declared at the beginning of the function.

``afva`` - get variables and args aliases back.

While reversing SMD (Sega Mega Drive) ROMs there may be a crap ton of labels
defined over the first address (0x200), because all entries in the IVT are set to 0x200.
Here are some tips about this:

- ``f sym.shit`` - define new shitty label (flag) you don't need. The ``sym.``
  prefix is optional, it is just what r2 uses for creating the shit.

- ``f- sym.*`` - remove all these shitty labels (flags) you don't need. Those
  without the ``sym.`` prefix are actually OK and are not irritating at all;
  they are rather useful. Note: flags are removed globally, not only for the
  current address.

While reversing ARM Cortex-M (Thumb-2) binaries, especially ELF binaries without
symbols, ``asm.bits`` is always 32 and running ``e asm.bits=16`` does not change
anything. To fix this one must use ``ahb 16``:

- ``ahb 16`` - set bitness to 16 (useful for ARM Thumb) [#asmbits16]_

Project
-------

``Ps`` - save project.

``$ r2 -p <projectname>`` - open a project from shell.

Visual (capital-V-mode) and moving around
-----------------------------------------

Press ``C`` - rotate between no color, the terminal colorscheme and a truecolor colorscheme.

Press ``R`` - random truecolor colorscheme.

Press ``v`` - bring up the list of functions.

``ecd`` - set the default truecolor colorscheme (reset colorscheme).

Press ENTER - follow a jump.

Press ``u``/``U`` - undo/redo seek or jump following.

Confusing abbreviations and words
---------------------------------

``nbbs`` may stand for `number of basic blocks`. Found in ``aflj`` command
output.

``cc`` stands for `calling convention`. Found in ``aflj`` command output, may be
set via ``e anal.cc``.
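
The ``nbbs`` and ``cc`` fields are most useful when ``aflj`` output is post-processed rather than read by eye, e.g. to decide which of the functions listed by ``afl`` to open first. The script below is an added example and not part of radare2 or r2pipe: it ranks functions by basic-block count and tallies calling conventions. The ``aflj`` sample is constructed and only the ``name``, ``offset``, ``size``, ``nbbs`` and ``cc`` keys are relied on; ``summarize_binary`` assumes the ``r2pipe`` package is installed and is not exercised offline.

```python
"""Triage helper for radare2's ``aflj`` (JSON function list). Added example,
not part of radare2 or r2pipe: reads the ``nbbs`` (number of basic blocks) and
``cc`` (calling convention) fields and ranks functions so the most complex
ones can be looked at first."""
import json
from collections import Counter

# Constructed sample of ``aflj`` output; only name/offset/size/nbbs/cc are used.
SAMPLE_AFLJ = json.dumps([
    {"name": "entry0",         "offset": 0x1040, "size": 43,   "nbbs": 1,  "cc": "amd64"},
    {"name": "sym.imp.strlen", "offset": 0x1030, "size": 6,    "nbbs": 1,  "cc": "amd64"},
    {"name": "main",           "offset": 0x1149, "size": 412,  "nbbs": 17, "cc": "amd64"},
    {"name": "sym.parse_hdr",  "offset": 0x12e5, "size": 1308, "nbbs": 63, "cc": "amd64"},
    {"name": "fcn.00001a20",   "offset": 0x1a20, "size": 96,   "nbbs": 9,  "cc": "ms"},
])


def summarize(aflj_text: str, min_nbbs: int = 8) -> dict:
    """Parse ``aflj`` text and return counts by calling convention plus the
    functions with at least ``min_nbbs`` basic blocks, most complex first."""
    funcs = json.loads(aflj_text)
    by_cc = Counter(f.get("cc", "?") for f in funcs)
    complex_fns = sorted(
        (f for f in funcs if f.get("nbbs", 0) >= min_nbbs),
        key=lambda f: (f["nbbs"], f.get("size", 0)), reverse=True)
    return {
        "total": len(funcs),
        "by_cc": dict(by_cc),
        "complex": [(f["name"], f["offset"], f["nbbs"]) for f in complex_fns],
    }


def report(summary: dict) -> str:
    """One line per ranked function, ending with the ``s <offset>`` command
    that seeks to it at the r2 prompt."""
    lines = [f"{summary['total']} functions; calling conventions: {summary['by_cc']}"]
    for name, off, nbbs in summary["complex"]:
        lines.append(f"{nbbs:4d} bbs  {name:<20}  s {off:#x}")
    return "\n".join(lines)


def summarize_binary(path: str, min_nbbs: int = 8) -> dict:
    """Same summary against a real file through r2pipe (assumed installed,
    not exercised here): run ``aaa`` analysis, then fetch ``aflj``."""
    import r2pipe  # imported lazily so the offline part of this file needs no r2
    r2 = r2pipe.open(path)
    try:
        r2.cmd("aaa")
        return summarize(r2.cmd("aflj"), min_nbbs)
    finally:
        r2.quit()


if __name__ == "__main__":
    print(report(summarize(SAMPLE_AFLJ)))
```

Sorting on ``(nbbs, size)`` rather than size alone keeps tiny but branchy functions (parsers, dispatchers) near the top, which is usually where the interesting control flow lives; the ``cc`` tally is a quick sanity check that ``anal.cc`` was set correctly before trusting argument recovery.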

Footnotes
---------

.. [#px-for-registers] `how to get value at an address with radare / stackoverflow.com <https://stackoverflow.com/a/54264998>`_
.. [#r2dec] `How to install r2dec / stackoverflow.com <https://stackoverflow.com/a/51466052>`_
.. [#asmbits16] `Cannot set asm.bits to 16 for arm arch #13019 / github.com <https://github.com/radareorg/radare2/issues/13019#issuecomment-461775283>`_