Installation
#apt-get install build-essential git
#git clone https://github.com/radare/radare2.git
# (supply chain: prefer checking out a tagged release rather than building an arbitrary master commit)
#radare2/sys/user.sh
# build and install into your own home directory — run this as your normal user, not as root
#r2pm init
#r2pm -i r2dec
# r2pm fetches and builds third-party plugin sources from the network; treat it like any other package install
#r2pm -l
Analyzing
#r2 challenge
#r2 -A challenge
# -A runs the loaders and auto-analysis over the file: the binary is untrusted input to r2 itself, so analyze unknown or malicious samples in an isolated VM
#r2 -A -q -c 'iI' challenge
# execute the iI command and exit
[Command mode]
[addr]>aaa
# Analysis = aa + aar + aac + aan
[addr]>aaaa
# Experimental analysis = aaa + aae + aat + aav
[addr]>pd 10
# print disassembly of 10 instructions at current seek
[addr]>3 pd 10
# 3 times, print disassembly of 10 instructions at current seek
[addr]>pd 10 @ main
# print disassembly of 10 instructions at main
[addr]>pd @ main ! 10
# print disassembly at main (temporary seek), limited to a 10-byte block
[addr]>b 64
# set block size to 64
[addr]>i~machine,os
# grep machine or os in the info output
[addr]>drr~[0]
# awk first column
[addr]>drr~:0
# grep first line
[addr]>drr~:0[0]
# grep first line and awk first column
[addr]>/ secret ; px @@ hit0_*
# find the string "secret" and, for each hit, print a hexdump
[addr]>? 0x7a69
# quick numeric conversion
[addr]>i?
# like rabin2
[addr]>f myflag @ main+123
# set a flag at main+123
[addr]>afl
# list functions
[addr]>s sym.main
# seek to addr/symbol
[addr]>pdf
# print disassembly of the current function
[Visual mode]
[addr]>VV
# view graph
p/P
# rotate graph modes
<
# global callgraph
>
# function callgraph
Decompiling
#r2 -A challenge
[addr]>pdd
# decompile the current function (requires the r2dec plugin installed above with r2pm)
[addr]>pdda
# decompile with the assembly shown alongside
Debugging
#r2 -Ad `pgrep challenge`
# attach to and debug a running pid (attaching to a process you did not spawn may be blocked by ptrace restrictions such as Linux Yama ptrace_scope unless you are root or have CAP_SYS_PTRACE)
#r2 -Ad challenge
# run and debug the program — this EXECUTES the binary with your privileges; only do this with untrusted samples inside a disposable VM
#r2 -Ad rarun2 script.rr2
# debug in a custom environment described by the rarun2 script
[Command mode]
[addr]>db
# list breakpoints
[addr]>ds 10
# step into 10 instructions
[addr]>dso 10
# step over 10 instructions
[addr]>dcu main
# continue until main
[addr]>drr
# show register references (telescoping)
[addr]>db 0x0040081d
# add breakpoint
[addr]>dbc 0x0040081d drr
# run a command when the breakpoint is hit
[addr]>dm
# list memory maps
[addr]>dm=
# list memory maps (ascii art)
[Visual mode]
[addr]>Vpp
# debug view
:<cmd>
# run a radare command
;
# comment
b
# breakpoint
o
# seek to offset
p/P
# rotate print modes
_
# fuzzy flag searcher
x/X
# show xrefs/refs
d
# define function
f
# analyze function
d
# define
r
# rename function
fun.callme
# function name
Editing
# r2 -w challenge
# -w (and oo+ below) patches the file ON DISK in place; work on a copy and keep a hash of the original if it is evidence
[Command mode]
[addr]>oo+
# reopen the current file in read-write mode
[addr]>wz "See you in shell"
# write string\00 at current seek
[addr]>wx 0xcafe @ 0x100
# write 0xcafe at 0x100
[addr]>wb 0x010203
# write the current block, cycling the 0x010203 pattern
[addr]>woe 42 3 @ edi ! 32
# a = 42; for i in xrange(32): edi[i] = a; a += 3
[addr]>wox 0xcafe @ ebx ! 2
# cf = [0xca, 0xfe]; for i in xrange(2): ebx[i] ^= cf[i]
[Visual mode]
[addr]>V
# hex view
c
# cursor
<tab>
# switch between hex and plain areas
i
# insert values
<shift><hjkl> + y
# select and copy
<hjkl> + Y
# find position and paste
[addr]>V
# hex view
a
# assemble code
A
# visual assembler
ESIL (Evaluable String Intermediate Language)
[addr]>Vip
:>s 0x08048486
:>e asm.emu = true
# run ESIL emulation analysis on the disassembly
:>e asm.esil = true
# show ESIL instead of mnemonics
:>e io.cache = true
# enable cache for io changes (writes stay in memory instead of touching the file)
:>aei
# initialize ESIL VM state
:>aeip
# initialize ESIL pc to current seek
:>aer eax=0x1234
# set a register in the ESIL VM
:>aer
# show ESIL VM registers
:>"aecue 0x1234,eax,^"
# continue until the ESIL expression is true
:>s `aer~eip[1]`
# seek to the emulated eip
:>pd -1
Exploiting
[addr]>iI~canary,nx,pic,crypto,class,arch,bits,stripped,static
# check the binary's protections and layout (stack canary, NX, PIE/pic, arch, bits, stripped, static)
[addr]>wopD 100 @ eax
# write a 100-byte De Bruijn pattern
[addr]>wopO 0x41614141
# or wopO $$ - find the offset of the value inside the De Bruijn pattern
[addr]>gi exec
# compile shellcode
[addr]>wx `g` @ eax
# write the shellcode at eax
[addr]>wb 0x90 @ eax+24 ! 52
# fill a 52-byte block at eax+24 with 0x90 (x86 NOP)
[addr]>wv `/R call eax~eax:1[0]` @ eax+76
# write a value (the address of a "call eax" gadget found with /R)
[addr]>pcp 80 @ eax
# print the 80 bytes at eax as Python code
Project management
[addr]>Ps <name>
# save project
[addr]>Po <name>
# open project
[addr]>Pn
# show project notes
[addr]>Pn -
# edit project notes