radare2 / rizin cheatsheet

Warning: This cheatsheet was originally created for r2, but it should still be compatible with rizin.

Debugging

Manage file

# open in debug mode
r2 -d $FILE

doo # re-open file in debug mode
ood # same thing (alias)

Flow control

# display / set breakpoint
db [flag/addr]

# continue to breakpoint
dc

# continue until addr / flag (without setting breakpoint)
dcu <flag/addr>

# break on syscall name / value
dcs <syscall>

# step into N instructions
ds [N]

# step over N instructions
dso [N]

Reverse debugging

dts? # help for trace sessions

# break at the point from which to record
db sym.foo

# start recording a trace session (needed before stepping back)
dts+
dc

# step back one instruction (needs an active trace session)
dsb

# write / read ALL trace sessions to / from disk
dtst sessions.dbg
dtsf sessions.dbg

Read values

# show registers (with references)
drr

# show 32 bytes of stack contents, annotating references
pxr @ rsp!32

Scripting (hooks)

# auto-run command on breakpoint
db main  						# set breakpoint
dbc main drr					# set command on breakpoint 

Custom environment

Note that when starting radare2 in debug mode this way (with rarun2 as the program), you are actually debugging rarun2 itself. Continue once (dc), which will leave you in the dynamic loader of the program itself.

# run program with custom environment
r2 -d rarun2 program=./<program_name> arg0=foo stdin=./<some_file> setenv=ENV_VAR=<value>

OR (the same settings as a rarun2 profile file)

#!/usr/bin/rarun2
program=./<program_name>
arg0=foo
stdin=./<some_file>
setenv=ENV_VAR=<value>
r2 -d rarun2 script.rr2
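The breakpoint hook (dbc) and the rarun2 profile above can be combined into a non-interactive session. The following script is an added example, not part of the cheatsheet: it writes the profile and an r2 command script to disk and launches r2 with -r (rarun2 profile) and -i (command script). The program path ./target, the stdin file ./input.txt and the value of ENV_VAR are placeholders.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): drive a debug session from a script.
# ./target, ./input.txt and ENV_VAR=value are placeholders for your own data.
set -eu

# Write a rarun2 profile equivalent to the "r2 -d rarun2 ..." line above.
# Arguments: directory, program path, stdin file. Prints the profile path.
write_rr2() {
    dir=$1; prog=$2; input=$3
    cat > "$dir/profile.rr2" <<EOF
program=$prog
arg0=foo
stdin=$input
setenv=ENV_VAR=value
EOF
    printf '%s\n' "$dir/profile.rr2"
}

# Write the r2 command script: break on main, hook the breakpoint so the
# registers are dumped automatically, continue, dump the stack, then kill
# the debuggee and quit. Prints the script path.
write_cmds() {
    dir=$1
    cat > "$dir/session.r2" <<'EOF'
db main
dbc main dr
dc
pxr @ rsp!32
dk 9
q
EOF
    printf '%s\n' "$dir/session.r2"
}

# Launch r2 in debug mode with the profile (-r) and run the script (-i).
# -q quits once the script has run, -N skips the user's radare2rc.
run_session() {
    r2 -q -N -d -r "$1" -i "$2" "$3"
}

workdir=$(mktemp -d)
rr2=$(write_rr2 "$workdir" ./target ./input.txt)
cmds=$(write_cmds "$workdir")
# Only launch when r2 and the placeholder target actually exist.
if command -v r2 >/dev/null 2>&1 && [ -x ./target ]; then
    run_session "$rr2" "$cmds" ./target
fi
```

The first stop after launch is still in the dynamic loader, which is why the script continues once before anything is printed; the dk 9 before q avoids the "kill the process?" prompt when the session is not interactive.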

Visual debugging

Enter V to enter visual mode (or VV / VV!); with [p] / [P] you can switch between views.

With dm (list memory maps) you can check whether you are still in loader code: look up which map contains the current address.

  • [.] -> seek to program counter
  • [c] -> toggle cursor
  • [o] -> toggle asm / pseudo
  • [g] -> seek to…
  • [G] -> seek to highlighted
  • [u], [U] -> undo / redo seek
  • [x], [X] -> xrefs from/to
  • [B], [F2] -> toggle breakpoint
  • [s], [F7] -> step into
  • [S], [F8] -> step over
  • [F9] -> continue
  • [t] -> tab management

ESIL

e asm.emu = true   # show ESIL emulation comments next to the disassembly
e io.cache = true  # writes go to the in-memory cache, not to the file

Visual mode

  • [O] - toggle pseudocode / ESIL

Commands

# show the registers used by the function
aeaf

Example session

aei   # init the ESIL VM
aeim  # init the ESIL VM stack / memory
aeip  # set the ESIL program counter to the current seek
aer   # show ESIL registers (aer reg=val sets one)

# example: set a register value
aer eax=0x1234

# continue until the ESIL condition is true; ESIL is postfix, so
# "eax,0x1234,>" means 0x1234 > eax, i.e. stop once eax drops below its start value
"aecue eax,0x1234,>"

Macros

See the Macros chapter of the Radare2 Book.

Example session

# set up relative breakpoints, one per cmp instruction
db sym.check_code_int+0x00001289-0x00001265
db sym.check_code_int+0x000012b7-0x00001265
db sym.check_code_int+0x000012e2-0x00001265
db sym.check_code_int+0x0000130d-0x00001265

# execute program
dc

# input four digits (doesn't matter which ones)
1
1
1
1

# define a macro that replaces the value
# of ebx with the content of eax and stores it into a file
!rm ./crack_code
(eax_replace, dr ebx=`dr eax` | tee -a crack_code, dc)

# use the macro (once per breakpoint)
.(eax_replace)@@=0 1 2 3

# show the results
!cat ./crack_code

Malware Analysis

ob=  # show open files
afl= # list function ranges
aflt # show function table

p=   # show hist of entropy
p==  # show hist entropy horizontal

Operations

Writing

r2 -w binary # open in write mode (otherwise writes only hit the cache)
# write null-terminated string
wz "hello there"
psz # print it

# write bytes (hex) at offset
wx deadbeef @ 0x30
p8 @ 0x30!4 # print the 4 written bytes

Write in block

wo?

# write bytes in sequence starting from 42, incrementing by 3
woe 42 3 @ edi!32

# xor 32 bytes at esp with 0x41
wox 41 @ esp!32
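The Writing and Write in block commands above can be scripted with r2 -w and -c, and the result checked from outside r2. The following is an added example, not part of the cheatsheet: it constructs a 64-byte sample file (bytes 0x00 to 0x3f), applies the wx and wox commands to it, and reads the patched regions back with od. r2_write, read_hex, make_sample and patch_sample are helper names chosen here.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): patch a file with r2 -w from a
# script and verify the bytes with od. The sample file is constructed below.
set -eu

# Run one or more r2 write commands (separated by ';') against FILE in write
# mode. -q quits after the command, -N skips the user's radare2rc.
r2_write() {
    file=$1; cmds=$2
    r2 -q -N -w -c "$cmds" "$file" >/dev/null
}

# Print N bytes at OFFSET of FILE as a lowercase hex string (od is POSIX,
# so the check works even where xxd is missing).
read_hex() {
    file=$1; off=$2; n=$3
    od -An -v -tx1 -j "$off" -N "$n" "$file" | tr -d ' \n'
}

# Build a 64-byte sample file holding the bytes 0x00 .. 0x3f (constructed input).
make_sample() {
    file=$1
    : > "$file"
    i=0
    while [ "$i" -lt 64 ]; do
        printf "\\$(printf '%03o' "$i")" >> "$file"
        i=$((i + 1))
    done
    printf '%s\n' "$file"
}

# Patch: write deadbeef at 0x30, then XOR the 4 bytes at 0x10 with 0x41
# (the same wx / wox commands as above). Prints both patched regions.
patch_sample() {
    file=$1
    r2_write "$file" 'wx deadbeef @ 0x30; wox 41 @ 0x10!4'
    printf '%s %s\n' "$(read_hex "$file" 48 4)" "$(read_hex "$file" 16 4)"
}

sample=$(make_sample "$(mktemp)")
if command -v r2 >/dev/null 2>&1; then
    patch_sample "$sample"   # prints: deadbeef 51505352
fi
```

Opening the file with -w matters: without it the wx and wox commands succeed inside r2 but only change the io cache, and od shows the file unchanged.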

Visual mode

  • [TAB] -> switch between columns
  • [c] -> toggle cursor mode
  • [i] -> enter insert mode
  • [A] -> assemble code at the cursor:
    • enter your asm,
    • instructions can be separated with ;,
    • press [Enter] and [y] to save changes.

Copy/Paste

  1. Enter visual mode.
  2. Enable cursor mode with [c].
  3. Hold [Shift] while moving the cursor to select the area to copy, then press [y].
  4. Go to the desired place and press [Y] to paste the copied data.

Code analysis

  1. Enter visual mode.
  2. Seek to the piece of code to analyze.
  3. Press [d], then [f] to define a function there.

References / Further Reading