2015-02-19 21:47:16 +00:00
# Radare2
## Command line options
```
-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
2017-02-08 17:26:07 +00:00
-i [file]: Interprets a r2 script
2015-09-27 18:48:12 +00:00
-A: Analyze executable at load time (xrefs, etc)
2015-02-19 21:47:16 +00:00
-n: Bare load. Do not load executable info as the entrypoint
2017-02-08 17:26:07 +00:00
-c 'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
-p [prj]: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
2015-02-19 21:47:16 +00:00
-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed)
Similar to r2 malloc://512
```
## Configuration properties
They can be used in evaluations:`? ${asm.tabs}`
```
2015-12-28 19:44:35 +00:00
e: Returns configuration properties
2015-02-19 21:47:16 +00:00
e < property > : Checks a specific property:
e asm.tabs => false
e < property > =< value > : Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
```
You will want to set your favourite options in `~/.radare2rc` since every line there will be interpreted at the beginning of each session. Mine for reference:
```
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Solarized theme
2015-02-20 03:26:09 +00:00
eco solarized
2015-02-19 21:47:16 +00:00
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
```
There is an easier interface accessible from the Visual mode, just typing `Ve`
## Basic Commands
Command syntax: `[.][times][cmd][~grep][@[@iter]addr!size][|>pipe]`
* `;` Command chaining: `x 3;s+3;pi 3;s+3;pxo 4;`
* `|` Pipe with shell commands: `pd | less`
* `!` Run shell commands: `!cat /etc/passwd`
* `!!` Escapes to shell, run command and pass output to radare buffer
* Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this command to launch it directly to the shell. A single one will walk through the io plugin list.
* `` ` `` Radare commands: `` wx ` !ragg2 -i exec` ``
* `~` grep
* `~!` grep -v
* `~[n]` grep by columns `afl~[0]`
* `~:n` grep by rows `afl~:0`
```
pi~mov,eax ; lines with mov or eax
pi~mov& eax ; lines with mov and eax
pi~mov,eax:6 ; 6 first lines with mov or eax
pd 20~call[0]:0 ; grep first column of the first row matching 'call'
```
* `.cmd` Interprets command output
```
2015-12-28 19:44:35 +00:00
is* prints symbols
2015-02-19 21:47:16 +00:00
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
```
* `..` repeats last commands (same as enter \n)
* `(` Used to define and run macros
* `$` Used to define alias
* `$$` : Resolves to current address
* Offsets (`@`) are absolute, we can use $$ for relative ones `@ $$+4`
* `?` Evaluate expression
```
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000
Note: | and & need to be escaped
```
* `?$?` Help for variables used in expressions
* `$$` : Here
* `$s` : File size
* `$b` : Block size
* `$l` : Opcode length
* `$j` : When `$$` is at a `jmp` , `$j` is the address where we are going to jump to
* `$f` : Same for `jmp` fail address
* `$m` : Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
* `???` Help for `?` command
* `?i` Takes input from stdin. Eg `?i username`
* `??` Result from previous operations
* `?s from to [step]` : Generates sequence from < from > to < to > every < step >
* `?p` : Get physical address for given virtual address
* `?P` : Get virtual address for given physical one
* `?v` Show hex value of math expr
```
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140 = 0xa
```
* `?l str` : Returns the length of string
2017-02-08 17:26:07 +00:00
* `@@` : Used for iterations
2015-02-19 21:47:16 +00:00
```
wx ff @@10 20 30 Writes ff at offsets 10, 20 and 30
wx ff @@`?s 1 10 2` Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.* Writes a nop on every symbol
```
## Positioning
```
s address: Move cursor to address or symbol
s-5 (5 bytes backwards)
s- undo seek
s+ redo seek
```
## Block size
The block size is the default view size for radare. All commands will work with this constraint, but you can always temporally change the block size just giving a numeric argument to the print commands for example (px 20)
```
b size: Change block size
```
## JSON Output
Most of commands such as (i)nfo and (p)rint commands accept a `j` to print their output in `json`
```
[0x100000d78]> ij
{"bin":{"type":"mach0","class":"MACH064","endian":"little","machine":"x86 64 all","arch":"x86","os":"osx","lang":"c","pic":true,"canary":false,"nx":false,"crypto":false,"va":true,"bits":64,"stripped":true,"static":false,"linenums":false,"syms":false,"relocs":false},"core":{"type":"Executable file","os":"osx","arch":"x86 64 all","bits":64,"endian":"little","file":"/bin/ls","fd":6,"size":34640,"mode":"r--","block":256,"uri":"/bin/ls","format":"mach064"}}
```
## Analyze
```
aa: Analyze all (fcns + bbs) same that running r2 with -A
ahl < length > < range > : fake opcode length for a range of bytes
ad: Analyze data
2015-09-27 18:48:12 +00:00
ad@rsp (analyze the stack)
2015-02-19 21:47:16 +00:00
```
Function analysis (normal mode)
```
af: Analyze functions
afl: List all functions
number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)
```
Function analysis (visual mode)
```
d, f: Function analysis
d, u: Remove metadata generated by function analysis
```
Opcode analysis:
```
2015-09-27 18:48:12 +00:00
ao x: Analyze x opcodes from current offset
a8 bytes: Analyze the instruction represented by specified bytes
2015-02-19 21:47:16 +00:00
```
## Information
```
iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
iS~w returns writable sections
is: Symbols
is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint
```
Mitigations:
```
i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
```
Get function address in GOT table:
`pd 1 @ sym.imp<funct>`
2016-02-16 20:46:12 +00:00
Returns a `jmp [addr]` where `addr` is the address of function in the GOT. Similar to `objdump -R | grep <func>`
2015-02-19 21:47:16 +00:00
# Print
```
psz n @ offset: Print n zero terminated String
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n words
pxw size@offset prints hexadecimal words at address
2016-02-16 20:46:12 +00:00
pd n @ offset: Print n opcodes disassembled
2015-02-19 21:47:16 +00:00
pD n @ offset: Print n bytes disassembled
2016-02-16 20:46:12 +00:00
pi n @ offset: Print n instructions disassembled (no address, XREFs, etc. just instructions)
2015-02-19 21:47:16 +00:00
pdf @ offset: Print disassembled function
pdf~XREF (grep: XREFs)
pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph
```
## Write
```
wx: Write hex values in current offset
wx 123456
wx ff @ 4
wa: Write assembly
wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
wow 11223344 @102 !10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4 !10
XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
woO 41424344 : get the index in the De Bruijn Pattern of the given word
```
## Flags
Flags are labels for offsets. They can be grouped in namespaces as `sym` for symbols ...
```
f: List flags
f label @ offset: Define a flag `label` at offset
f str.pass_len @ 0x804999c
f -label: Removes flag
fr: Rename flag
fd: Returns position from nearest flag (looking backwards). Eg => entry+21
fs: Show all flag spaces
fs flagspace: Change to the specified flag space
```
## yank & paste
```
y n: Copies n bytes from current position
2016-02-16 20:46:12 +00:00
y: Shows yank buffer content with address and length where each entry was copied from
2015-02-19 21:47:16 +00:00
yp: Prints yank buffer
yy offset: Paste the contents of the yank buffer at the specified offset
2016-02-16 20:46:12 +00:00
yt n target @ source: Yank to. Copy n bytes from source to target address
2015-02-19 21:47:16 +00:00
```
## Visual Mode:
`V` enters visual mode
```
q: Exits visual mode
hjkl: move around (or HJKL) (left-down-up-right)
o: go/seek to given offset
?: Help
.: Seek EIP
< enter > : Follow address of the current jump/call
:cmd: Enter radare commands. Eg: x @ esi
d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
dr: Rename a function
df: Define a function
v: Get into the visual code analysis menu to edit/look closely at the current function.
p/P: Rotate print (visualization) modes
hex, the hexadecimal view
disasm, the disassembly listing
Use numbers in [] to follow jump
Use "u" to go back
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
c: Changes to cursor mode or exits the cursor mode
select: Shift+[hjkl]
i: Insert mode
a: assembly inline
A: Assembly in visual mode
y: Copy
Y: Paste
f: Creates a flag where cursor points to
< tab > in the hexdump view to toggle between hex and strings columns
V: View ascii-art basic block graph of current function
W: WebUI
x, X: XREFs to current function. ("u" to go back)
t: track flags (browse symbols, functions..)
gG: Begging or end of file
HUD
_ Show HUD
backspace: Exits HUD
We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmt: Add/remove comment
m< char > : Define a bookmark
'< char > : Go to previously defined bookmark
```
## ROP
```
/R opcodes: Search opcodes
/R pop,pop,ret
/Rl opcodes: Search opcodes and print them in linear way
/Rl jmp eax,call ebx
/a: Search assembly
/a jmp eax
2016-02-16 20:46:12 +00:00
pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassembling byte per byte instead of obeying to opcode length
2015-02-19 21:47:16 +00:00
```
Search depth can be configure with following properties:
```
e search.roplen = 4 (change the depth of the search, to speed-up the hunt)
```
## Searching
```
/ bytes: Search bytes
\x7fELF
```
Example: Searching function preludes:
```
push ebp
mov ebp, esp
Opcodes: 5589e5
/x 5589e5
[# ]hits: 54c0f4 < 0x0804c600 hits = 1
0x08049f70 hit0_0 5589e557565383e4f081ec
0x0804c31a hit0_1 5589e583ec18c704246031
0x0804c353 hit0_2 5589e583ec1889442404c7
0x0804c379 hit0_3 5589e583ec08e87cffffff
0x0804c3a2 hit0_4 5589e583ec18c70424302d
pi 5 @@hit* (Print 5 first instructions of every hit)
```
Its possible to run a command for each hit. Use the `cmd.hit` property:
```
e cmd.hit=px
```
## Comments and defines
```
Cd [size]: Define as data
C- [size]: Define as code
Cs [size]: Define as String
Cf [size]: Define as struct
2016-02-16 20:46:12 +00:00
We can define structures to be shown in the disassembly
2015-02-19 21:47:16 +00:00
CC: List all comments or add a new comment in console mode
C* Show all comments/metadata
CC < comment > add new comment
CC- remove comment
```
## Magic files
```
pm: Print Magic files analysis
[0x00000000]> pm
0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
```
Search for magic numbers
```
/m [magicfile]: Search magic number headers with libmagic
```
Search can be controlled with following properties:
```
search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in
```
## Yara
Yara can also be used for detecting file signatures to determine compiler types, shellcodes, protections and more.
```
:yara scan
```
## Zignatures
Zignatures are useful when dealing with stripped binaries. We can take a non-stripped binary, run zignatures on it and apply it to a different binary that was compiled statically with the same libraries.
```
zg < language > < output file > : Generate signatures
eg: zg go go.z
Run the generated script to load signatures
eg: . go.z
z: To show signatures loaded:
```
Zignatures are applied as comments:
```
r2-(pid2)> pd 35 @ 0x08049adb-10
| 0x08049adb call fcn.0805b030
| fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
| 0x08049ae0 add esp, 0xc
| 0x08049ae3 call fcn.08095580
```
## Compare files
```
r2 -m 0xf0000 /etc/fstab ; Open source file
o /etc/issue ; Open file2 at offset 0
o ; List both files
cc offset: Diff by columns between current offset address and "offset"
```
## Graphs
Basic block graphs
```
af: Load function metadata
ag $$ > a.dot: Dump basic block graph to file
ag $$ | xdot: Show current function basic block graph
```
Call graphs
```
af: Load function metadata
agc $$ > b.dot: Dump basic block graph to file
```
Convert .dot in .png
```
dot -Tpng -o /tmp/b.png b.dot
```
Generate graph for file:
```
radiff2 -g main crackme.bin crackme.bin > /tmp/a
xdot /tmp/a
```
## Debugger
Start r2 in debugger mode. r2 will fork and attach
```
r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
ptrace://pid (debug backend does not notice, only access to mapped memory)
```
To pass arguments:
```
r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)
```
To pass stdin:
```
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
```
Commands
```
do: Reopen program
dp: Shows debugged process, child processes and threads
dc: Continue
dcu < address or symbol > : Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
ds: Step in
dso: Step out
dss: Skip instruction
dr register=value: Change register value
dr(=)?: Show register values
db address: Sets a breakpoint at address
db sym.main add breakpoint into sym.main
db 0x804800 add breakpoint
db -0x804800 remove breakpoint
dsi (conditional step): Eg: "dsi eax==3,ecx>0"
dbt: Shows backtrace
drr: Display in colors and words all the refs from registers or memory
dm: Shows memory map (* indicates current section)
[0xb776c110]> dm
sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
sys 0xb776a000 - 0xb776b000 s r-x [vdso]
sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
```
To follow child processes in forks (set-follow-fork-mode in gdb)
```
dcf until a fork happen
then use dp to select what process you want to debug.
```
PEDA like details: `drr;pd 10@-10;pxr 40@esp`
Debug in visual mode
```
toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9
```
## WebGUI (Enyo)
```
=h: Start the server
=H: Start server and browser
```
2015-12-28 19:44:35 +00:00
# Radare2 suite commands
2015-02-19 21:47:16 +00:00
All suite commands include a `-r` flag to generate instructions for r2
## rax2 - Base conversion
```
-e: Change endian
-k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
-s: ASCII to hex
rax2 -S hola (from string to hex)
rax2 -s 686f6c61 (from hex to string)
-S: binary to hex (for files)
```
## rahash2 - Entropy, hashes and checksums
```
-a: Specify the algorithm
-b XXX: Block size
-B: Print all blocks
-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
```
## radiff2 - File diffing
```
-s: Calculate text distance from two files.
-d: Delta diffing (For files with different sizes. Its not byte per byte)
-C: Code diffing (instead of data)
```
Examples:
```
Diff original and patched on x86_32, using graphdiff algorithm
radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
radiff2 -a x86 -b32 original patched :
```
## rasm2 - Assembly/Disassembly
```
-L: Supported architectures
-a arch instruction: Sets architecture
rasm2 -a x86 'mov eax,30' => b81e000000
-b tam: Sets block size
-d: Disassembly
rasm2 -d b81e000000 => mov eax, 0x1e
-C: Assembly in C output
rasm2 -C 'mov eax,30' => "\xb8\x1e\x00\x00\x00"
-D: Disassemble showing hexpair and opcode
rasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e
-f: Read data from file instead of ARG.
-t: Write data to file
```
## rafind2 - Search
```
-Z: Look for Zero terminated strings
-s str: Look for specifc string
```
## ragg2 - Shellcode generator, C/opcode compiler
```
-P: Generate De Bruijn patterns
ragg2 -P 300 -r
-a arch: Configure architecture
-b bits: Specify architecture bits (32/64)
-i shellcode: Specify shellcode to generate
-e encoder: Specify encoder
```
Example:
```
Generate a x86, 32 bits exec shellcode
ragg2 -a x86 -b 32 -i exec
```
## rabin2 - Executable analysis: symbols, imports, strings ...
```
-I: Executable information
-C: Returns classes. Useful to list Java Classes
-l: Dynamic linked libraries
-s: Symbols
-z: Strings
```
## rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds
Examples:
```
r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin
```