radare2 / rizin cheatsheet
Warning: This cheatsheet was originally created for r2, but it should still be compatible with rizin
Debugging
Manage file
# open in debug mode
r2 -d $FILE
doo # re-open file in debug mode
ood # same as doo
Flow control
# display / set breakpoint
db [flag/addr]
# continue to breakpoint
dc
# continue until addr / flag (without setting breakpoint)
dcu <flag/addr>
# break on syscall name / value
dcs <syscall>
# step into N instructions
ds [N]
# step over N instructions
dso [N]
Reverse debugging
dts?
# select some point
db sym.foo
# store point in time / start recording?
dts+
dc
# go to the previous instruction
dsb
# write / read ALL trace sessions to / from disk
dtst sessions.dbg
dtsf sessions.dbg
Read values
# show registers
drr
# show stack contents
pxr @ rsp!32
Scripting (hooks)
# auto-run command on breakpoint
db main # set breakpoint
dbc main drr # set command on breakpoint
Custom environment
Note that when first starting radare2 in debug mode, you will actually be debugging rarun2! You need to first continue execution (dc) which will leave you in the loader for the program itself.
# run program with custom environment
r2 -d rarun2 program=./<program_name> arg0=foo stdin=./<some_file> setenv=ENV_VAR=<value>
OR (put the same settings in a rarun2 profile)
#!/usr/bin/rarun2
program=./<program_name>
arg0=foo
stdin=./<some_file>
setenv=ENV_VAR=<value>
r2 -d rarun2 script.rr2
Visual debugging
(Enter visual mode with the V command, or VV / VV!; with [p] / [P] you can change views.)
With dm you can check if you are still in loader code - search for ()*.
- [.] -> seek to program counter
- [c] -> toggle cursor
- [o] -> toggle asm / pseudo
- [g] -> seek to…
- [G] -> seek to highlighted
- [u], [U] -> undo / redo seek
- , -> xrefs from/to
- [B], [F2] -> toggle breakpoint
- [s], [F7] -> step into
- [S], [F8] -> step over
- [F9] -> continue
- [t] -> tab management
ESIL
e asm.emu = true # esil comments
e io.cache = true # write in memory cache
Visual mode
- [O] - toggle pseudocode / ESIL
Commands
# check used registers by the function
aeaf
Example session
aei # init esil vm
aeim # init mem
aeip # set esil vm pointer to current seek
aer # handle esil registers
# example: set a register value
aer eax=0x1234
# continue until the ESIL expression is true (here: eax compared with its starting value 0x1234)
"aecue eax,0x1234,>"
Macros
Example session
# set up relative breakpoints, one per cmp instruction
db sym.check_code_int+0x00001289-0x00001265
db sym.check_code_int+0x000012b7-0x00001265
db sym.check_code_int+0x000012e2-0x00001265
db sym.check_code_int+0x0000130d-0x00001265
# execute program
dc
# input four digits (doesn't matter which ones)
1
1
1
1
# define a macro that replaces the value
# of ebx with the content of eax and stores it into a file
!rm ./crack_code
(eax_replace, dr ebx=`dr eax` | tee -a crack_code, dc)
# use the macro
.(eax_replace)@@=0 1 2 3
# show the results
!cat ./crack_code
Malware Analysis
ob= # show open files
afl= # list function ranges
aflt # show function table
p= # show hist of entropy
p== # show hist entropy horizontal
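The p= / p== entropy histograms are the quickest way to spot packed or encrypted regions in a sample. As an added illustration (not part of the original cheatsheet and not radare2's own code), the Python below computes the same kind of per-block Shannon entropy over a constructed buffer, renders it as a text histogram and flags blocks above a threshold; the sample bytes, the block count and the 7.0 threshold are assumptions chosen for the demo.

```python
import math


def block_entropy(data: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, blocks: int = 16) -> list:
    """Split data into `blocks` chunks (like p= does) and return entropy per chunk."""
    size = max(1, math.ceil(len(data) / blocks))
    return [block_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def render_histogram(values, width: int = 40) -> str:
    """Text histogram: one row per block, bar length proportional to entropy."""
    rows = []
    for i, v in enumerate(values):
        bar = "#" * int(round(v / 8.0 * width))
        rows.append(f"{i:03d} {v:5.2f} {bar}")
    return "\n".join(rows)


def suspicious_blocks(values, threshold: float = 7.0) -> list:
    """Indices of blocks whose entropy suggests compressed, packed or encrypted data.
    The threshold is an assumption; tune it per file type."""
    return [i for i, v in enumerate(values) if v >= threshold]


# Constructed sample (not a real binary): a repetitive "text" region,
# a zero-filled region and a region containing every byte value, which
# mimics the flat distribution of packed or encrypted data.
SAMPLE = b"hello there " * 64 + b"\x00" * 256 + bytes(range(256)) * 2

if __name__ == "__main__":
    profile = entropy_profile(SAMPLE, blocks=6)
    print(render_histogram(profile))
    print("high-entropy blocks:", suspicious_blocks(profile))
```

With six blocks over this sample the three text blocks score around 2.6 bits/byte, the zero block 0.0 and the two flat blocks exactly 8.0, so only the last two are flagged; in a real sample a high-entropy run after a small low-entropy stub is the classic packed-binary shape.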
Operations
Writing
r2 -w binary
# write null-terminated string
wz "hello there"
psz # print it
# write number at offset
wx deadbeef @ 0x30
p8 @ 0x30!4 # print
Write in block
wo?
# write bytes in sequence starting from 42, incrementing by 3
woe 42 3 @ edi!32
# xor block of memory with 41
wox 41 @ esp!32
Visual mode
- [TAB] -> switch between columns
- [c] -> toggle cursor mode
- [i] -> enter insert mode
- [A] -> assemble binary:
  - enter your asm, instructions can be separated with ;
  - press [Enter] and [y] to save changes.
Copy/Paste
- Enter visual mode.
- Enable cursor mode with [c].
- Press [Shift] to select the area to copy, then press [y].
- Go to the desired place and press [Y] to paste the copied data.
Code analysis
- Enter visual mode.
- Seek to the piece of code to analyse.
- Press [d], then [f] to define a function.