The Official Radare2 Book — страница 64 из 64

To enter in visual mode use the v or V command, and then you'll only have to press keys to get the actions happen instead of commands.

Command	Description
V	Enter visual mode
p/P	Rotate modes (hex, disasm, debug, words, buf)
c	Toggle (c)ursor
q	Back to Radare shell
hjkl	Move around (or HJKL) (left-down-up-right)
Enter	Follow address of jump/call
sS	Step/step over
o	Toggle asm.pseudo and asm.esil
.	Seek to program counter
/	In cursor mode, search in current block
:cmd	Run radare command
;[-]cmt	Add/remove comment
/*+-[]	Change block size, [] = resize hex.cols
<,>	Seek aligned to block size
i/a/A	(i)nsert hex, (a)ssemble code, visual (A)ssembler
b	Toggle breakpoint
B	Browse evals, symbols, flags, classes, ...
d[f?]	Define function, data, code, ..
D	Enter visual diff mode (set diff.from/to)
e	Edit eval configuration variables
f/F	Set/unset flag
gG	Go seek to begin and end of file (0-$s)
mK/’K	Mark/go to Key (any key)
M	Walk the mounted filesystems
n/N	Seek next/prev function/flag/hit (scr.nkey)
C	Toggle (C)olors
R	Randomize color palette (ecr)
tT	Tab related. see also tab
v	Visual code analysis menu
V	(V)iew graph (agv?)
wW	Seek cursor to next/prev word
uU	Undo/redo seek
x	Show xrefs of current func from/to data/code
yY	Copy and paste selection
z	fold/unfold comments in diassembly

Searching

There are many situations where we need to find a value inside a binary or in some specific regions. Use the e search.in=? command to choose where the / command may search for the given value.

Command	Description
/ foo\00	Search for string ’foo\0’
/b	Search backwards
//	Repeat last search
/w foo	Search for wide string ’f\0o\0o\0’
/wi foo	Search for wide string ignoring case
/! ff	Search for first occurrence not matching
/i foo	Search for string ’foo’ ignoring case
/e /E.F/i	Match regular expression
/x a1b2c3	Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3
/x a1..c3	Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff)
/x a1b2:fff3	Search for bytes with mask (specify individual bits)
/d 101112	Search for a deltified sequence of bytes
/!x 00	Inverse hexa search (find first byte != 0x00)
/c jmp [esp]	Search for asm code (see search.asmstr)
/a jmp eax	Assemble opcode and search its bytes
/A	Search for AES expanded keys
/r sym.printf	Analyze opcode reference an offset
/R	Search for ROP gadgets
/P	Show offset of previous instruction
/m magicfile	Search for matching magic file
/p patternsize	Search for pattern of given size
/z min max	Search for strings of given size
/v[?248] num	Look for a asm.bigendian 32bit value

Saving (Broken)

This feature has broken and not been resolved at the time of writing these words (Nov.16th 2020). check #Issue 6945: META - Project files and #Issue 17034 for more details.

To save your analysis for now, write your own script which records the function name, variable name, etc. for example:

vim sample_A.r2

e scr.utf8 = false
s 0x000403ce0
aaa
s fcn.00403130
afn return_delta_to_heapaddr
afvn iter var_04h
...

Usable variables in expression

The ?$? command will display the variables that can be used in any math operation inside the r2 shell. For example, using the ? $$ command to evaluate a number or ?v to just the value in one format.

All commands in r2 that accept a number supports the use of those variables.

Command	Description
$$	here (current virtual seek)
$$$	current non-temporary virtual seek
$?	last comparison value
$alias=value	alias commands (simple macros)
$b	block size
$B	base address (aligned lowest map address)
$f	jump fail address (e.g. jz 0x10 => next instruction)
$fl	flag length (size) at current address (fla; pD $l @ entry0)
$F	current function size
$FB	begin of function
$Fb	address of the current basic block
$Fs	size of the current basic block
$FE	end of function
$FS	function size
$Fj	function jump destination
$Ff	function false destination
$FI	function instructions
$c,$r	get width and height of terminal
$Cn	get nth call of function
$Dn	get nth data reference in function
$D	current debug map base address ?v $D @ rsp
$DD	current debug map size
$e	1 if end of block, else 0
$j	jump address (e.g. jmp 0x10, jz 0x10 => 0x10)
$Ja	get nth jump of function
$Xn	get nth xref of function
$l	opcode length
$m	opcode memory reference (e.g. mov eax,[0x10] => 0x10)
$M	map address (lowest map address)
$o	here (current disk io offset)
$p	getpid()
$P	pid of children (only in debug)
$s	file size
$S	section offset
$SS	section size
$v	opcode immediate value (e.g. lui a0,0x8010 => 0x8010)
$w	get word size, 4 if asm.bits=32, 8 if 64, ...
${ev}	get value of eval config variable
$r{reg}	get value of named register
$k{kv}	get value of an sdb query value
$s{flag}	get size of flag
RNum	$variables usable in math expressions

Authors & Contributors

This book wouldn't be possible without the help of a large list of contributors who have been reviewing, writing and reporting bugs and stuff in the radare2 project as well as in this book.

The radare2 book

This book was started by maijin as a new version of the original radare book written by pancake.

   • Old radare1 book http://www.radare.org/get/radare.pdf

Many thanks to everyone who has been involved with the gitbook:

Adrian Studer, Ahmed Mohamed Abd El-MAwgood, Akshay Krishnan R, Andrew Hoog, Anton Kochkov, Antonio Sánchez, Austin Hartzheim, Aswin C (officialcjunior), Bob131, DZ_ruyk, David Tomaschik, Eric, Fangrui Song, Francesco Tamagni, FreeArtMan, Gerardo García Peña, Giuseppe, Grigory Rechistov, Hui Peng, ITAYC0HEN, Itay Cohen, Jeffrey Crowell, John, Judge Dredd (key 6E23685A), Jupiter, Kevin Grandemange, Kevin Laeufer, Luca Di Bartolomeo, Lukas Dresel, Maijin, Michael Scherer, Mike, Nikita Abdullin, Paul, Paweł Łukasik, Peter C, RandomLive, Ren Kimura, Reto Schneider, SchumBlubBlub, SkUaTeR, Solomon, Srimanta Barua, Sushant Dinesh, TDKPS, Thanat0s, Vanellope, Vex Woo, Vorlent, XYlearn, Yuri Slobodyanyuk, ali, aoighost, condret, hdznrrd, izhuer, jvoisin, kij, madblobfish, muzlightbeer, pancake, polym (Tim), puddl3glum, radare, sghctoma, shakreiner, sivaramaaa, taiyu, vane11ope, xarkes.