├── data
│   ├── esil
│   │   ├── scripts
│   │   │   ├── Makefile
│   │   │   └── bin2esiltsv.r2.js
│   │   ├── esil_x86.tsv
│   │   └── esil_arm.tsv
│   ├── r2frida
│   │   ├── r2frida_ok.tsv
│   │   └── pending
│   │       ├── o1-preview.txt
│   │       ├── claude.txt
│   │       ├── claude2.txt
│   │       └── r2gpt.txt
│   └── radare2
│       ├── pending
│       │   ├── r2gpt-advent.tsv.ok
│       │   ├── claude-numbers2.tsv.ok
│       │   ├── claude-numbers2.tsv
│       │   ├── claude-numbers.txt
│       │   ├── claude-print.txt
│       │   ├── 2024-10-28-binary_analysis-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   ├── 2024-10-28-reverse_engineering-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   ├── 2024-10-28-general-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   ├── quotes.txt
│       │   ├── 2024-10-28-debugging-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   ├── 2024-10-28-crypto-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   ├── radare2_todo.tsv
│       │   ├── r2gpt-advent.tsv.ignored
│       │   ├── claude-numbers2.tsv.ignored
│       │   ├── claude-search.txt
│       │   ├── qwen-fortunes.tsv
│       │   ├── 2024-10-28-binary_patching-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       │   └── 2024-10-28-forensics-openai:gpt-4o-top_p-0.9-temp-0.7.tsv
│       ├── Attic
│       │   ├── radaregpt.tsv
│       │   ├── o1-preview.tsv
│       │   ├── o1-mini.tsv
│       │   └── radare2_train.tsv
│       └── sources
│           └── fortunes.tips
├── train
│   ├── ec2
│   │   └── amazon-efs-utils-x64.deb
│   ├── jupyter.sh
│   └── main.py
├── Makefile
├── training
│   ├── requirements.txt
│   ├── requirements-nvidia.txt
│   ├── Makefile
│   ├── config.yaml
│   └── README.md
├── README.md
├── review-pending.sh
├── prepare-dataset.py
├── r2cmd.py
├── enrich-dataset.py
├── generate-dataset.py
└── parse_usage.py

--------------------------------------------------------------------------------
/data/esil/scripts/Makefile:
--------------------------------------------------------------------------------
all:
	r2 -qi bin2esiltsv.r2.js /bin/ls | sort -u > ls.tsv

--------------------------------------------------------------------------------
/train/ec2/amazon-efs-utils-x64.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/radareorg/r2ai-model/master/train/ec2/amazon-efs-utils-x64.deb

--------------------------------------------------------------------------------
/data/esil/esil_x86.tsv:
--------------------------------------------------------------------------------
inc eax	1,eax,+=	eax += 1	Increment eax by 1
add eax, 1	1,eax,+,eax,:=	eax = eax + 1	Increment eax by 1

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
TSVFILE=data/radare2/pending/claude-numbers2.tsv
# TSVFILE=data/radare2/pending/r2gpt-advent.tsv

all:
	./review-pending.sh "${TSVFILE}"

--------------------------------------------------------------------------------
/training/requirements.txt:
--------------------------------------------------------------------------------
# Core ML libraries
torch>=2.0.0
transformers>=4.30.0
datasets>=2.10.0
accelerate>=0.20.0
peft>=0.4.0

datasets
openai
mistral_common
sentencepiece

# Data processing
pandas>=1.5.0
pyyaml>=6.0
tqdm>=4.65.0

# Hugging Face
huggingface_hub>=0.15.0

# Optional: for GGUF conversion (install llama.cpp separately)
# llama-cpp-python>=0.2.0

# Optional: for MLX (macOS only)
# mlx>=0.0.1

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# r2ai-model

Collection of data sources to generate a dataset for training and fine-tuning LLM models to use radare2.

## Organization

The dataset is stored in Q/A (Question/Answer) form, tab-separated (TSV): the question is phrased in English and the answer is an r2 one-liner to be executed by r2ai in auto mode.

* `/` -> root directory, scripts to generate raw QA
* `data/radare2_ok.tsv` -> validated statements
* `data/radare2_todo.tsv` -> unanswered questions
* `data/Attic/` -> already processed files
* `data/sources` -> unfiltered data sources to be used to generate questions

--------------------------------------------------------------------------------
/data/r2frida/r2frida_ok.tsv:
--------------------------------------------------------------------------------
How do I enumerate all the threads of the current process?	:dpt
Which is the target CPU architecture used in the current session?	:i~^arch
What is the target Operating System for the current binary?	:i~^os
Which libraries are loaded in memory?	:ilq
Enumerate the memory regions with read-write permissions:	:dm~rw-$
List all named memory maps	:dmm
Show the current register values	:dr*
Show sections for the binary in the current address	:iS
Enumerate all libraries loaded in memory in JSON format	:ilj
Show which symbols are imported from other libraries on the current binary	:ii
Show exports symbols from the current binary	:iE
List all defined classes	:ic

--------------------------------------------------------------------------------
/training/requirements-nvidia.txt:
--------------------------------------------------------------------------------
# Core ML/AI libraries with CUDA support
torch>=2.0.0+cu118 --index-url https://download.pytorch.org/whl/cu118
torchvision>=0.15.0+cu118 --index-url https://download.pytorch.org/whl/cu118
torchaudio>=2.0.0+cu118 --index-url https://download.pytorch.org/whl/cu118

# Transformers and datasets
transformers>=4.30.0
datasets>=2.12.0
accelerate>=0.20.0
peft>=0.4.0

# Data processing
numpy>=1.24.0
pandas>=2.0.0

# Configuration and utilities
pyyaml>=6.0
tqdm>=4.65.0

# Optional: For GGUF export (requires llama.cpp)
# git+https://github.com/ggerganov/llama.cpp.git

# Development and testing
pytest>=7.0.0
black>=23.0.0
flake8>=6.0.0

--------------------------------------------------------------------------------
/data/esil/scripts/bin2esiltsv.r2.js:
--------------------------------------------------------------------------------
// Walk the current section ($S .. $S+$SS) instruction by instruction and print
// one TSV row per instruction: opcode, ESIL, pseudo-code and a one-sentence
// description requested from a local r2ai web server on port 8080.
(function() {
    // Query the r2ai HTTP endpoint and keep only the first line of the reply.
    function r2ai(q) {
        const host = "http://127.0.0.1:8080/cmd/";
        const ss = q.replace(/ /g, "%20");
        // Send -R first so every query starts from a fresh r2ai conversation.
        r2.syscmd('curl -s ' + host + '/' + "-R > /dev/null");
        const cmd = 'curl -s ' + host + '/' + ss;
        return r2.syscmds(cmd).split(/\n/g)[0].trim();
    }
    const a0 = +r2.cmd("?vi $S");
    const a1 = +r2.cmd("?vi $S+$SS");
    let count = 50; // stop after this many instructions
    for (let a = a0; a < a1; ) {
        const op = r2.cmdj("aoj@ " + a)[0];
        const json = JSON.stringify({description: op.description, opcode: op.opcode, esil: op.esil});
        const q = `tell in one sentence '${op.pseudo}', do not use the expression or introduce your answer. consider this metadata ${json}`;
        const ops = [
            op.opcode,
            op.esil,
            op.pseudo,
            r2ai(q),
        ];
        console.log(ops.join("\t"));
        a += op.size;
        if (count-- < 0) {
            break;
        }
    }
})();

--------------------------------------------------------------------------------
/review-pending.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Interactive review of a pending TSV: the last line is shown and the chosen
# action moves it to "$F".ok / "$F".ignored, deletes it, or edits it in place.

F="$1"
[ -z "$EDITOR" ] && EDITOR=vim

if [ -z "$F" ]; then
    echo "Usage: review-pending.sh [tsvfile]"
    exit 1
fi

cat_lastline() {
    tail -n1 "$F"
}

rm_lastline() {
    sed '$d' "$F" > "$F".tmp
    mv "$F".tmp "$F"
}

while : ; do
    echo "============================================"
    echo
    cat_lastline | sed -e 's/\t/\n\n/g'
    echo
    echo "============================================"
    echo "> (i)gnore (o)k (e)dit (r)emove (q)uit"
    read O
    case "$O" in
    i)
        cat_lastline >> "$F".ignored
        rm_lastline
        ;;
    o)
        cat_lastline >> "$F".ok
        rm_lastline
        ;;
    r)
        rm_lastline
        ;;
    e)
        cat_lastline > "$F".edit
        $EDITOR "$F".edit
        if [ -s "$F".edit ]; then
            rm_lastline
            head -n1 "$F".edit >> "$F"
        fi
        rm -f "$F".edit
        ;;
    q)
        exit 0
        ;;
    *)
        echo "Unknown action"
        ;;
    esac
done

--------------------------------------------------------------------------------
/prepare-dataset.py:
--------------------------------------------------------------------------------
import pandas as pd
import json

SYSTEM_PROMPT = """
***RADARE2 MODE: ON***
"""

# Read the TSV file
df = pd.read_csv('data/radare2/radare2_enriched.tsv', sep='\t')

jsonl_data = []
for index in range(len(df)):
    try:
        row = df.iloc[index]
        q = row['q']
        a = row['a']

        # Skip rows with NaN values
        if pd.isna(q) or pd.isna(a):
            continue

        # Convert to string and skip empty strings
        q_str = str(q).strip()
        a_str = str(a).strip()

        if not q_str or not a_str:
            continue

        conversation = [
            {"role": "system", "content": SYSTEM_PROMPT},
            {"role": "user", "content": q_str},
            {"role": "assistant", "content": a_str}
        ]
        jsonl_data.append(json.dumps({"messages": conversation}))

    except Exception as e:
        print(f"Skipping row {index} due to error: {e}")
        continue

with open('data/radare2/radare2_train.jsonl', 'w') as f:
    for item in jsonl_data:
        f.write(item + '\n')

print(f"Generated {len(jsonl_data)} valid examples")

--------------------------------------------------------------------------------
/data/radare2/pending/r2gpt-advent.tsv.ok:
--------------------------------------------------------------------------------
Debugging Techniques	Provide the Radare2 command to continue execution until the 'main' function is reached	dcu main
Searching Patterns	Explain the Radare2 command to search for the hexadecimal pattern '41 42 43'..	/x 414243
Searching	Provide the Radare2 command to find a 4-byte value 0x90 in little-endian format..	/v4 0x90 @ e:cfg.bigendian=false
Finding Strings	Search for the ascii string 'Hello' in case sensitive inside the binary?	/ Hello
Scripting in Radare2	Run a script named 'script.r2' in the current radare2 session	-i script.r2
Examining Binary Headers	Which Radare2 command is used to display detailed information about the binary headers.?	ih;iH
Analyzing Functions	What command would you use to list all functions analyzed in the binary.?	afl
Analyzing Functions	How can you list all functions analyzed in the binary. in Radare2?	afl
Searching	Provide the Radare2 command to find a 4-byte value 0x90 in little-endian format..	/v4 0x90 @ e:cfg.bigendian=false
Code Coverage	Provide the Radare2 command to analyze all code call destinations and find additional functions	aac
Breakpoints	Which Radare2 command is used to set a breakpoint at the symbol 'main'?	db sym.main
Analyzing Control Flow	What command would you use to generate a graph of the function 'main'?	agf @ main
Using Plugins	How can you install the r2frida plugin using r2pm. in Radare2?	r2pm -ci r2frida
Disassembling Code	What command would you use to disassemble the next 10 instructions from the current offset?	pd 10
Edition	How to reopen the file in read-write mode?	oo+
Analysis	How can I list all function signatures?	afs@@F

--------------------------------------------------------------------------------
/data/radare2/pending/claude-numbers2.tsv.ok:
--------------------------------------------------------------------------------
PE Analysis	How do I calculate file alignment?	?v 512-($o%512)
PE Analysis	How do I calculate aligned file size considering 512 byte pages?	?v $o+(512-($o%512))
Debug Info	How do I calculate size of debug section?	?v $SS{.debug}
Symbol Analysis	How do I find size of string table section?	?v $SS{.strtab}
Symbol Analysis	How do I calculate size of symbol section?	?v $SS{.symtab}
Exception Analysis	How do I calculate stack frame size on x86-64?	?v $r:rbp-$r:rsp
Import Analysis	How do I calculate import thunk alignment?	?v `ii~:4[1]` - `ii~:3[1]`
Import Analysis	How do I find size of import name table?	?vi $SS:section..plt/`iiq~?`
Import Analysis	How do I get distance between imported functions?	?v `ii~:4[1]` - `ii~:3[1]`
Control Flow	How do I find offset to false branch?	$Bf
Control Flow	How do I find offset to false branch?	bj~{[0].fail}
Stack Analysis	How do I calculate stack variable space?	?v $r:BP-16-$r:SP
Stack Analysis	How do I find offset to stack canary?	?v $r:rbp-8
Shell Code	How do I get distance to return address?	?v $r:rsp-$r:rbp
Code Coverage	How do I calculate function coverage percentage?	aai~cov[1]
Memory Analysis	How do I find size of memory page?	?v $DS
Function Analysis	How do I calculate function complexity metric?	afi~complexity[1]
Function Analysis	How do I calculate number of basic blocks?	afi~num-bbs[1]
IO	How do I get size of allocated memory block?	?v $MS
Forensics	How do I find size of binary in given offset?	oba $$;ig
Forensics	How do I get sector alignment padding?	?v 512-($o%512)
Malware Analysis	How do I find size of code section?	?v $SS{.text}
Firmware Analysis	How do I get size of bootloader section?	?v $SS{bootloader}
Firmware Analysis	How do I calculate the crc32 checksum of current section?	ph:crc32 $SS @ $SB

--------------------------------------------------------------------------------
/data/radare2/pending/claude-numbers2.tsv:
--------------------------------------------------------------------------------
Category	Question	Command
Code Analysis	How do I calculate the offset between current position and end of function?	?v $FE-$$
Code Analysis	How do I display all instructions from current position to end of basic block?	pD $Fe-$$
Code Analysis	How can I check if I'm at the last instruction of a basic block?	?v $e
Code Analysis	How do I get size of current section for memory scanning?	?v $SS
Code Analysis	How do I disassemble n bytes before current function?	pd $FB-$$ @ $$
Code Analysis	How do I calculate distance to next function for gap analysis?	?v ($FB@$$+$FS)-$$
Code Analysis	How do I get size of data at flag for buffer analysis?	?v $s{main}
Code Analysis	How do I disassemble whole function with offset annotations?	pD $FS @ $FB
Code Analysis	How do I calculate total size of all basic blocks in function?	?v $FSS
Code Analysis	How do I check distance between current instruction and jump target?	?v $j-$$
Exploit Dev	How do I calculate offset to return address on stack?	?v $r{rsp}-$B
Exploit Dev	How do I find distance between base and debug map for ASLR analysis?	?v $D-$B
Exploit Dev	How do I calculate size needed for buffer overflow to reach saved EIP?	?v $r{ebp}-$r{esp}+4
Exploit Dev	How do I get current block size for heap overflow calculation?	?v $b
Exploit Dev	How do I find offset between program base and specific function for ROP?	?v $FB-$DB
Exploit Dev	How do I calculate distance to next readable memory page?	?v $MM-$$
Exploit Dev	How do I get stack frame size for local variable analysis?	?v $r{rbp}-$r{rsp}
Exploit Dev	How do I find offset between two consecutive function calls?	?v $Cn-$C{n-1}
Exploit Dev	How do I calculate padding needed to align stack?	?v 16-($r{rsp}%16)
Exploit Dev	How do I get size of memory region for heap spray?	?v $MM
Firmware Analysis	How do I get size of firmware section for extraction?	?v $SS

--------------------------------------------------------------------------------
/training/Makefile:
--------------------------------------------------------------------------------
# Makefile for Radare2 AI Model Training

.PHONY: all venv deps compile-dataset train clean help
VPYTHON=$(shell pwd)/venv/bin/python3
VPIP=$(shell pwd)/venv/bin/pip3

# Default target
all: venv deps compile-dataset train

# Create virtual environment
venv:
	@echo "Creating Python virtual environment..."
	python3 -m venv venv
	@echo "Virtual environment created. Activate with: source venv/bin/activate"

# Install dependencies
deps: venv
	@echo "Installing dependencies..."
	$(VPIP) install --upgrade pip
	$(VPIP) install -r requirements.txt
	@echo "Dependencies installed."

# Compile dataset
compile-dataset:
	@echo "Compiling dataset..."
	# Run dataset generation scripts
	#cd .. && $(VPYTHON) parse_usage.py # This may require API keys for LLMs
	#cd .. && $(VPYTHON) generate-dataset.py # This may require API keys for LLMs
	# cd .. && $(VPYTHON) enrich-dataset.py
	cd .. && $(VPYTHON) prepare-dataset.py
	cd .. && $(VPYTHON) r2cmd.py
	@echo "Dataset compilation completed."

# Train the model
train: venv deps compile-dataset
	@echo "Starting model training..."
	$(VPYTHON) train.py
	@echo "Training completed."

# Clean up
clean:
	@echo "Cleaning up..."
	rm -rf venv
	rm -rf output
	rm -rf __pycache__
	rm -rf *.pyc
	@echo "Cleanup completed."

# Help
help:
	@echo "Available targets:"
	@echo "  all              - Run complete pipeline (venv, deps, compile-dataset, train)"
	@echo "  venv             - Create Python virtual environment"
	@echo "  deps             - Install Python dependencies"
	@echo "  compile-dataset  - Compile the dataset from source scripts"
	@echo "  train            - Train the model"
	@echo "  clean            - Clean up generated files and environments"
	@echo "  help             - Show this help message"
	@echo ""
	@echo "Usage: make -C training [target]"
	@echo "Example: make -C training all"

--------------------------------------------------------------------------------
/training/config.yaml:
--------------------------------------------------------------------------------
# Training Configuration for Radare2 AI Model Fine-tuning

# Model Configuration
model:
  name: "jan-hq/Qwen3-4B-no-think"  # jan-hq Qwen3 model (4B params, transformers compatible)
  # name: "jan-hq/Jan-nano-orig"  # jan-nano model (4B params, qwen3 architecture) - not transformers compatible
  # name: "HuggingFaceTB/SmolLM-135M"  # Default model, can be changed to any HF model (commented)
  tokenizer: null  # Use same as model if null

# Dataset Configuration
dataset:
  path: "../data/radare2/radare2_train.jsonl"  # Path to the compiled dataset
  test_split: 0.1  # Fraction of data for testing

# Training Hyperparameters
training:
  output_dir: "./output"  # Directory to save model checkpoints
  num_train_epochs: 3
  per_device_train_batch_size: 4
  per_device_eval_batch_size: 4
  gradient_accumulation_steps: 8
  learning_rate: 2e-5
  warmup_steps: 500
  logging_steps: 100
  save_steps: 500
  eval_steps: 500
  save_total_limit: 3
  load_best_model_at_end: true
  metric_for_best_model: "eval_loss"
  greater_is_better: false

# Quantization (for GGUF export)
quantization:
  # method: "q4_k_m"  # Options: q4_0, q4_1, q5_0, q5_1, q8_0, f16, f32
  method: "bf16"  # Options: q4_0, q4_1, q5_0, q5_1, q8_0, f16, f32
  use_fast_tokenizer: true

# Platform-specific settings
platform:
  linux:
    use_cuda: true
    cuda_visible_devices: "0"  # GPU device IDs
  mac:
    use_mps: true  # For Apple Silicon

# Export settings
export:
  gguf: true  # Export to GGUF format (Linux/NVIDIA)
  mlx: false  # Export to MLX format (Mac)
  output_name: "radare2-qwen3-4b-finetuned"

# Additional options
lora:
  use_lora: false  # Use LoRA for efficient fine-tuning
  r: 8
  lora_alpha: 16
  target_modules: ["q_proj", "k_proj", "v_proj", "o_proj", "gate_proj", "up_proj", "down_proj"]

# Dataset compilation settings (for reference)
dataset_compilation:
  categories: ["crypto", "general", "vulnerability", "exploit", "reverse engineering", "binary analysis", "binary patching", "debugging"]
  num_examples_per_category: 100

--------------------------------------------------------------------------------
/data/r2frida/pending/o1-preview.txt:
--------------------------------------------------------------------------------
How do I inject a custom Frida script into the target process?
\. [script.js]

How do I find all references to a function in r2frida?
axt [address]

How do I search for a hex pattern in memory?
/x [hex_pattern]

How do I display help for r2frida commands?
\?

How do I get information about the target process?
\i

How do I disassemble code at a specific address?
pd [number_of_instructions] @ [address]

How do I set a breakpoint on a Java method in Android?
\db .

How do I list all loaded libraries in the process?
\il

How do I call an Objective-C method in the target process using r2frida?
\dc objc:[class_name method_name]

How do I get the base address of a module?
\iM

How do I display the call stack of the current thread?
\bt

How do I set a hardware breakpoint at a specific address?
\dbhb [address]

How do I dump the memory of a specific address range?
\dm [start_address] [size]

How do I show a hexdump of memory at a specific address?
px [size] @ [address]

How do I perform a format string on the target?
?v [format_string]

How do I evaluate an expression in r2frida?
? [expression]

How do I intercept and modify a function's arguments in r2frida?
\dtt [function_address]

How do I exit r2frida?
q

How do I connect to a remote device over USB in r2frida?
r2 frida://usb/[process_name_or_pid]

How do I load symbols from a module?
\is [module_name]

How do I list all functions in the current module?
afl

How do I find and replace a pattern in memory?
/x [hex_pattern]; wx [replacement_bytes] @ [address]

How do I display the value of a variable in the target process?
\e [variable_name]

How do I set a watchpoint on a memory address?
\dbw [address]

How do I list all environment variables in the target process?
\env

How do I call a function at a specific address with arguments in r2frida?
\dc [address]([arguments])

--------------------------------------------------------------------------------
/train/jupyter.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -e

# Variables (Customize these as needed)
JUPYTER_PASSWORD="your_secure_password_here"
JUPYTER_PORT=8888
USER_NAME="ubuntu"
JUPYTER_HOME="/home/$USER_NAME"

source activate pytorch
pip install jupyter

# Set Jupyter password and hash
JUPYTER_HASH=$(python3 -c "
from notebook.auth import passwd
print(passwd('$JUPYTER_PASSWORD'))
")
ESCAPED_HASH=$(echo "$JUPYTER_HASH" | sed 's/\$/\\$/g')

# Create directories for SSL certificates
# SSL_DIR="$JUPYTER_HOME/.jupyter/ssl"
# sudo -u $USER_NAME mkdir -p $SSL_DIR

# Generate self-signed SSL certificate
# sudo -u $USER_NAME bash -c "
#   openssl req -x509 -nodes -days 365 \
#     -subj '/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=localhost' \
#     -newkey rsa:2048 \
#     -keyout $SSL_DIR/jupyter.key \
#     -out $SSL_DIR/jupyter.crt
# "

# The config directory must exist before it is chowned and written to below
# (the mkdir above is commented out together with the SSL setup).
sudo -u $USER_NAME mkdir -p $JUPYTER_HOME/.jupyter

# Set permissions for SSL files
chown -R $USER_NAME:$USER_NAME $JUPYTER_HOME/.jupyter
# sudo chmod 600 $SSL_DIR/jupyter.key
# sudo chmod 644 $SSL_DIR/jupyter.crt

# Configure Jupyter Notebook with SSL
# Note: with the SSL lines commented out, the server listens on every interface
# over plain HTTP with allow_origin '*', so the password is the only protection.
sudo -u $USER_NAME -H bash -c "cat > $JUPYTER_HOME/.jupyter/jupyter_notebook_config.py << EOF
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.port = $JUPYTER_PORT
c.NotebookApp.password = '$ESCAPED_HASH'
c.NotebookApp.allow_origin = '*'
c.NotebookApp.allow_remote_access = True
c.NotebookApp.open_browser = False
c.NotebookApp.notebook_dir = '$JUPYTER_HOME'
# SSL Configuration
# c.NotebookApp.certfile = u'$SSL_DIR/jupyter.crt'
# c.NotebookApp.keyfile = u'$SSL_DIR/jupyter.key'
EOF
"

# Fix permissions
chown -R $USER_NAME:$USER_NAME $JUPYTER_HOME/.jupyter
# Ensure log files exist and set permissions
touch /var/log/jupyter.log /var/log/jupyter_err.log
chown $USER_NAME:$USER_NAME /var/log/jupyter.log /var/log/jupyter_err.log
chmod 644 /var/log/jupyter.log /var/log/jupyter_err.log

# Find Jupyter executable path
JUPYTER_PATH=$(which jupyter)

# Create systemd service file for Jupyter
bash -c "cat > /etc/systemd/system/jupyter.service << EOF
[Unit]
Description=Jupyter Notebook Server
After=network.target

[Service]
Type=simple
User=$USER_NAME
ExecStart=/bin/bash -c 'source activate pytorch && jupyter notebook'
WorkingDirectory=$JUPYTER_HOME
Restart=always
RestartSec=10
Environment=PATH=/usr/bin:/usr/local/bin
Environment=HF_HUB_CACHE=$HF_HUB_CACHE

# Logging
StandardOutput=append:/var/log/jupyter.log
StandardError=append:/var/log/jupyter_err.log

[Install]
WantedBy=multi-user.target
EOF
"

# Reload systemd daemon, enable and start Jupyter service
systemctl daemon-reload
systemctl enable jupyter
systemctl start jupyter

--------------------------------------------------------------------------------
/data/radare2/pending/claude-numbers.txt:
--------------------------------------------------------------------------------
# Radare2 RNum Variables - 200 Practical Questions and Answers

## Code Analysis Questions

1. Q: How do I calculate the offset between current position and end of function?
   A: `?v $FE-$$`

2. Q: How do I display all instructions from current position to end of basic block?
   A: `pD $Fe-$$`

3. Q: How can I check if I'm at the last instruction of a basic block?
   A: `?v $e`

4. Q: How do I get size of current section for memory scanning?
   A: `?v $SS`

5. Q: How do I disassemble n bytes before current function?
   A: `pd $FB-$$ @ $$`

6. Q: How do I calculate distance to next function for gap analysis?
   A: `?v ($FB@$$+$FS)-$$`

7. Q: How do I get size of data at flag for buffer analysis?
   A: `?v $s{main}`

8. Q: How do I disassemble whole function with offset annotations?
   A: `pD $FS @ $FB`

9. Q: How do I calculate total size of all basic blocks in function?
   A: `?v $FSS`

10. Q: How do I check distance between current instruction and jump target?
    A: `?v $j-$$`

## Exploit Development

11. Q: How do I calculate offset to return address on stack?
    A: `?v $r{rsp}-$B`

12. Q: How do I find distance between base and debug map for ASLR analysis?
    A: `?v $D-$B`

13. Q: How do I calculate size needed for buffer overflow to reach saved EIP?
    A: `?v $r{ebp}-$r{esp}+4`

14. Q: How do I get current block size for heap overflow calculation?
    A: `?v $b`

15. Q: How do I find offset between program base and specific function for ROP?
    A: `?v $FB-$DB`

16. Q: How do I calculate distance to next readable memory page?
    A: `?v $MM-$$`

17. Q: How do I get stack frame size for local variable analysis?
    A: `?v $r{rbp}-$r{rsp}`

18. Q: How do I find offset between two consecutive function calls?
    A: `?v $Cn-$C{n-1}`

19. Q: How do I calculate padding needed to align stack?
    A: `?v 16-($r{rsp}%16)`

20. Q: How do I get size of memory region for heap spray?
    A: `?v $MM`

## Firmware Analysis

21. Q: How do I get size of firmware section for extraction?
    A: `?v $SS`

22. Q: How do I calculate checksum range from section start?
    A: `?v $S+$SS`

23. Q: How do I find offset between two memory-mapped regions?
    A: `?v $M-$B`

24. Q: How do I get size of bootloader section?
    A: `?v $s{bootloader}`

25. Q: How do I calculate flash page boundaries?
    A: `?v $$-($$ % 4096)`

[Note: Questions continue with practical scenarios for firmware analysis, forensics, malware analysis, and debugging. I'll continue with the rest but wanted to confirm this is the right direction and style you're looking for before proceeding with all 200 questions.]

Would you like me to continue with the remaining questions, and are there any specific areas you'd like me to focus on more?

--------------------------------------------------------------------------------
/r2cmd.py:
--------------------------------------------------------------------------------
import json
import uuid
import random

# Definition of the r2cmd tool
tools = [
    {
        "type": "function",
        "function": {
            "name": "r2cmd",
            "description": "Execute a radare2 command and return the output.",
            "parameters": {
                "type": "object",
                "properties": {
                    "command": {
                        "type": "string",
                        "description": "The radare2 command to execute (e.g., 'CCf~cases', 'pdf', 'afl')."
                    }
                },
                "required": ["command"]
            }
        }
    }
]

def convert_entry(original_entry):
    """Rewrite a plain Q/A conversation into a function-calling transcript."""
    messages = original_entry["messages"]

    # Update the system message with the r2cmd description
    system_msg = messages[0]
    system_msg["content"] += "\n\nAvailable tool:\n- r2cmd: Execute radare2 commands. Usage: `r2cmd `"

    # Take the command from the original assistant response
    user_msg = messages[1]
    assistant_msg = messages[2]
    content = assistant_msg["content"]

    # Handle cases where content might be NaN or non-string
    if isinstance(content, str):
        r2_command = content.strip()
    else:
        # Skip entries with non-string content (like NaN)
        return None

    call_id = f"call{uuid.uuid4().hex[:5]}"

    # The tool result is synthesised from the command itself: no radare2 is run here.
    new_messages = [
        system_msg,
        user_msg,
        {
            "role": "assistant",
            "content": "",
            "tool_calls": [
                {
                    "id": call_id,
                    "type": "function",
                    "function": {
                        "name": "r2cmd",
                        "arguments": json.dumps({"command": r2_command})
                    }
                }
            ]
        },
        {
            "role": "tool",
            "name": "r2cmd",
            "content": r2_command,
            "tool_call_id": call_id
        },
        {
            "role": "assistant",
            "content": f"Command executed: `{r2_command}`\nResult:\n{r2_command}"
        }
    ]

    return {
        "messages": new_messages,
        "tools": tools
    }

# Load the original dataset
with open("./data/radare2/radare2_train.jsonl", "r") as f:
    original_entries = [json.loads(line) for line in f]

# Convert and shuffle the entries
converted_dataset = [convert_entry(entry) for entry in original_entries]
converted_dataset = [entry for entry in converted_dataset if entry is not None]  # Filter out None entries
random.shuffle(converted_dataset)  # Shuffle randomly

# Save the shuffled dataset
with open("./data/radare2/function_calling_r2cmd_dataset.jsonl", "w") as f:
    for entry in converted_dataset:
        f.write(json.dumps(entry, ensure_ascii=False) + "\n")

--------------------------------------------------------------------------------
/train/main.py:
--------------------------------------------------------------------------------
# main.py

import os
import argparse
import sagemaker
from sagemaker.huggingface import HuggingFace
from datetime import datetime

def setup_sagemaker_training(args):
    """Configure and launch SageMaker training job"""
    sagemaker_session = sagemaker.Session()
    # role = sagemaker.get_execution_role()
    role = 'arn:aws:iam::945472245533:role/service-role/SageMaker-MLOps'
    # Upload training data to S3
    train_data_s3 = sagemaker_session.upload_data(
        args.data_path,
        bucket=sagemaker_session.default_bucket(),
        key_prefix='llama-training-data'
    )

    checkpoint_s3_uri = f's3://{sagemaker_session.default_bucket()}/checkpoints'

    # Define metrics for tracking
    metric_definitions = [
        {'Name': 'train:loss', 'Regex': "'loss': ([0-9\\.]+)"},
        {'Name': 'eval:loss', 'Regex': "'eval_loss': ([0-9\\.]+)"},
        {'Name': 'gpu:memory', 'Regex': "'gpu_memory_allocated': ([0-9\\.]+)"},
        {'Name': 'learning:rate', 'Regex': "'learning_rate': ([0-9\\.]+)"},
        {'Name': 'checkpoint_step', 'Regex': "'checkpoint_saved_at_step': ([0-9]+)"},
    ]

    huggingface_estimator = HuggingFace(
        entry_point='train.py',
        source_dir='./',
        instance_type='ml.g5.2xlarge',
        instance_count=1,
        role=role,
        transformers_version='4.36',
        pytorch_version='2.1',
        py_version='py310',
        base_job_name=f'radare2-llama3-2-1b-{datetime.now().strftime("%Y%m%d-%H%M%S")}',
        metric_definitions=metric_definitions,
        hyperparameters={
            'model_name': args.model_name,
            'epochs': args.epochs,
            'batch_size': 32,
            'learning_rate': 3e-4,
            'wandb_project': args.wandb_project,
            'lora_r': 32,
'lora_alpha': 16, 51 | 'lora_dropout': 0.05, 52 | 'warmup_ratio': 0.05, 53 | 'weight_decay': 0.01, 54 | 'gradient_accumulation_steps': 1, 55 | 'max_grad_norm': 0.3, 56 | 'checkpoint_frequency': 100, 57 | }, 58 | environment={ 59 | 'WANDB_API_KEY': os.getenv('WANDB_API_KEY'), 60 | 'CHECKPOINT_DIR': '/opt/ml/checkpoints', 61 | 'METRICS_DIR': '/opt/ml/output/metrics', 62 | 'HF_TOKEN': os.getenv('HF_TOKEN'), 63 | }, 64 | use_spot_instances=True, 65 | max_wait=24 * 60 * 60, 66 | max_run=23 * 60 * 60, 67 | checkpoint_s3_uri=checkpoint_s3_uri, 68 | checkpoint_local_path='/opt/ml/checkpoints' 69 | ) 70 | 71 | huggingface_estimator.fit({'training': train_data_s3}, wait=True) 72 | return huggingface_estimator 73 | 74 | def main(): 75 | parser = argparse.ArgumentParser() 76 | parser.add_argument('--data_path', help='Path to JSONL data file', default='../data/radare2/radare2_train.jsonl') 77 | parser.add_argument('--model_name', default='meta-llama/Llama-3.2-1B-Instruct') 78 | parser.add_argument('--epochs', type=int, default=3) 79 | parser.add_argument('--wandb_project', default='radare2-llama3.2-1b') 80 | 81 | args = parser.parse_args() 82 | setup_sagemaker_training(args) 83 | 84 | if __name__ == "__main__": 85 | main() -------------------------------------------------------------------------------- /data/esil/esil_arm.tsv: -------------------------------------------------------------------------------- 1 | eor w11, w8, 1 0x1,w8,^,w11,= w11 = w8 ^ 1 Logical exclusive OR (XOR) of w8 and 1 and store the result in w11 2 | add x0, x0, 0x68 0x68,x0,+,x0,= x0 = x0 + 0x68 Add the hexadecimal value 0x68 to the value in the x0 register. 3 | add x0, x8, 0x68 0x68,x8,+,x0,= x0 = x8 + 0x68 Add 0x68 to the value in x8 and store the result in x0. 4 | add x1, x0, 0x68 0x68,x0,+,x1,= x1 = x0 + 0x68 Add the hexadecimal value 0x68 to the value in the x0 register and store the result in x1. 
5 | add x1, x1, 0x68 0x68,x1,+,x1,= x1 = x1 + 0x68 Add the hexadecimal value 0x68 to the value in the x1 register and store the result in x1. 6 | add x1, x9, 0x68 0x68,x9,+,x1,= x1 = x9 + 0x68 Add 0x68 to the value in x9 and store the result in x1. 7 | add x8, x1, 0x68 0x68,x1,+,x8,= x8 = x1 + 0x68 Add the hexadecimal value 0x68 to the value in the x1 register and store the result in x8. 8 | add x8, x8, 0x2c 0x2c,x8,+,x8,= x8 = x8 + 0x2c Add the value 0x2c to the value in x8. 9 | adrp x8, 0x10000c000 4295016448,x8,= x8 = 0x10000c000 Set the value of x8 to 0x10000c000. 10 | b 0x100003814 4294981652,pc,:= goto 0x100003814 Branch the program counter to 0x100003814. 11 | b 0x1000077a8 4294997928,pc,:= goto 0x1000077a8 Branch the program counter to 0x1000077a8. 12 | b.ge 0x100003854 nf,vf,^,!,?{,4294981716,pc,:=,} if (a >= b) goto 0x100003854 If (a >= b), branch to 0x100003854. 13 | b.ge 0x1000038c8 nf,vf,^,!,?{,4294981832,pc,:=,} if (a >= b) goto 0x1000038c8 If (a >= b), branch to 0x1000038c8. 14 | b.gt 0x100003840 zf,!,nf,vf,^,!,&,?{,4294981696,pc,:=,} if (a > b) goto 0x100003840 If (a > b), branch to 0x100003840. 15 | b.gt 0x1000038b4 zf,!,nf,vf,^,!,&,?{,4294981812,pc,:=,} if (a > b) goto 0x1000038b4 If (a > b), branch to 0x1000038b4. 16 | b.le 0x100003848 zf,nf,vf,^,|,?{,4294981704,pc,:=,} if (a <= b) goto 0x100003848 If (a <= b), branch to 0x100003848. 17 | b.le 0x1000038bc zf,nf,vf,^,|,?{,4294981820,pc,:=,} if (a <= b) goto 0x1000038bc If (a <= b), branch to 0x1000038bc. 18 | b.lt 0x10000384c nf,vf,^,?{,4294981708,pc,:=,} if (a < b) goto 0x10000384c If (a < b), branch to 0x10000384c. 19 | b.lt 0x1000038c0 nf,vf,^,?{,4294981824,pc,:=,} if (a < b) goto 0x1000038c0 If (a < b), branch to 0x1000038c0. 
20 | cmp w8, 0 0x0,w8,==,$z,zf,:=,31,$s,nf,:=,32,$b,!,cf,:=,31,$o,vf,:= (a, b) = compare (w8, 0) Compare the value in w8 with 0 and update the cpu flags 21 | cmp x10, x11 x11,x10,==,$z,zf,:=,63,$s,nf,:=,64,$b,!,cf,:=,63,$o,vf,:= (a, b) = compare (x10, x11) Compare the values in registers x10 and x11 and update the cpu flags 22 | cmp x8, x9 x9,x8,==,$z,zf,:=,63,$s,nf,:=,64,$b,!,cf,:=,63,$o,vf,:= (a, b) = compare (x8, x9) Compare the values in registers x8 and x9 and update the cpu flags 23 | csel x8, x0, x1, eq zf,?{,x0,}{,x1,},x8,= x8 = (eq)? x0 : x1 Set the value of x8 to the value of x0 if the zero flag is set, otherwise set it to the value of x1. 24 | csel x9, x1, x0, eq zf,?{,x1,}{,x0,},x9,= x9 = (eq)? x1 : x0 Set the value of x9 to the value of x1 if the zero flag is set, otherwise set it to the value of x0. 25 | ldr w8, [x8] 0,x8,+,DUP,tmp,=,[4],w8,= w8 = [x8] Read 4 bytes from the address pointed by the register x8 as a 32bit little endian number into the w8 register 26 | ldr x10, [x8, 0x20] 32,x8,+,DUP,tmp,=,[8],x10,= x10 = [x8 + 0x20] Load a 64 bit little endian number into the x10 register from the address computed from x8 + 0x20 27 | ldr x10, [x8, 0x30] 48,x8,+,DUP,tmp,=,[8],x10,= x10 = [x8 + 0x30] Load a 64 bit little endian number into the x10 register from the address computed from x8 + 0x30 28 | ldr x11, [x9, 0x20] 32,x9,+,DUP,tmp,=,[8],x11,= x11 = [x9 + 0x20] Load a 64 bit little endian number into the x11 register from the address computed from x8 + 0x20 29 | mov w0, -1 0xffffffffffffffff,w0,= w0 = -1 Move the value -1 to register w0. 30 | mov w0, 1 0x1,w0,= w0 = 1 Move the value 1 to register w0. 31 | mov x0, x1 x1,x0,= x0 = x1 Move the value in x1 to x0. 32 | mov x0, x8 x8,x0,= x0 = x8 Copy the value from x8 to x0. 33 | mov x1, x8 x8,x1,= x1 = x8 Move the value in x8 to x1. 34 | mov x8, x0 x0,x8,= x8 = x0 Move the value in x0 to x8. 35 | ret lr,pc,:= Return from the current subroutine. 
36 | 37 | -------------------------------------------------------------------------------- /data/r2frida/pending/claude.txt: -------------------------------------------------------------------------------- 1 | # R2frida Mobile Reverse Engineering Q&A Guide 2 | 3 | ## Process Attachment & Basic Operations 4 | 5 | Q1: How do you attach to a process by name? 6 | A: `:attach Snapchat` 7 | 8 | Q2: How do you attach to a process by PID? 9 | A: `:attach 1234` 10 | 11 | Q3: How do you list all loaded modules? 12 | A: `:il` 13 | 14 | Q4: How do you search for specific module? 15 | A: `:il~Facebook` 16 | 17 | Q5: How do you list exports of a module? 18 | A: `:ie libSystem.B.dylib` 19 | 20 | Q6: How do you list imports of a module? 21 | A: `:ii libSystem.B.dylib` 22 | 23 | ## Memory Operations 24 | 25 | Q7: How do you search for a string in memory? 26 | A: `:/ password` 27 | 28 | Q8: How do you search for a hex pattern? 29 | A: `:x 90909090` 30 | 31 | Q9: How do you write a string to memory? 32 | A: `:wx hello @ address` 33 | 34 | Q10: How do you dump memory region? 35 | A: `:dd filepath` 36 | 37 | Q11: How do you list memory regions? 38 | A: `:dm` 39 | 40 | Q12: How do you search for specific memory permissions? 41 | A: `:dm rwx` 42 | 43 | ## Function Analysis 44 | 45 | Q13: How do you list all Objective-C classes? 46 | A: `:ic` 47 | 48 | Q14: How do you list methods of an Objective-C class? 49 | A: `:ic [ClassName]` 50 | 51 | Q15: How do you list Java classes (Android)? 52 | A: `:ic java` 53 | 54 | Q16: How do you trace function calls? 55 | A: `:dt func_name` 56 | 57 | Q17: How do you hook a native function? 58 | A: `:di func_name` 59 | 60 | ## Symbol Resolution 61 | 62 | Q18: How do you resolve a symbol address? 63 | A: `:is symbol_name` 64 | 65 | Q19: How do you list all symbols? 66 | A: `:is` 67 | 68 | Q20: How do you find references to a symbol? 69 | A: `:iE symbol_name` 70 | 71 | ## Debugging Operations 72 | 73 | Q21: How do you set a breakpoint? 
74 | A: `:db address` 75 | 76 | Q22: How do you list all breakpoints? 77 | A: `:db` 78 | 79 | Q23: How do you delete a breakpoint? 80 | A: `:db- address` 81 | 82 | Q24: How do you continue execution? 83 | A: `:dc` 84 | 85 | Q25: How do you single step? 86 | A: `:ds` 87 | 88 | ## Information Gathering 89 | 90 | Q26: How do you show process information? 91 | A: `:i` 92 | 93 | Q27: How do you list currently running threads? 94 | A: `:dpt` 95 | 96 | Q28: How do you get binary entrypoint? 97 | A: `:ie` 98 | 99 | Q29: How do you show binary information? 100 | A: `:i*` 101 | 102 | Q30: How do you list environment variables? 103 | A: `:env` 104 | 105 | ## File System Operations 106 | 107 | Q31: How do you list files in app bundle (iOS)? 108 | A: `:ls /var/containers/Bundle/Application/*` 109 | 110 | Q32: How do you read a file? 111 | A: `:cat filepath` 112 | 113 | Q33: How do you write to a file? 114 | A: `:write filepath` 115 | 116 | Q34: How do you show current working directory? 117 | A: `:pwd` 118 | 119 | ## SSL Pinning & Network 120 | 121 | Q35: How do you disable SSL pinning (iOS)? 122 | A: `:eval ObjC.classes.NSURLSession.setTrustAllCerts(true)` 123 | 124 | Q36: How do you intercept network calls? 125 | A: `:dtf libSystem.B.dylib exports` 126 | 127 | ## Android Specific 128 | 129 | Q37: How do you list Android activities? 130 | A: `:ic android.app.Activity` 131 | 132 | Q38: How do you hook Java method? 133 | A: `:java className.methodName` 134 | 135 | Q39: How do you list loaded dex files? 136 | A: `:il~*.dex` 137 | 138 | Q40: How do you trace Java method calls? 139 | A: `:dt java_method` 140 | 141 | ## iOS Specific 142 | 143 | Q41: How do you list all UIViewController instances? 144 | A: `:ic UIViewController` 145 | 146 | Q42: How do you monitor UserDefaults? 147 | A: `:dtf NSUserDefaults.*` 148 | 149 | Q43: How do you list keychain items? 150 | A: `:eval ObjC.classes.KeychainAccess.allItems()` 151 | 152 | Q44: How do you bypass jailbreak detection? 
153 | A: `:eval ObjC.classes.JailbreakDetection.setEnabled_(false)` 154 | 155 | ## Advanced Operations 156 | 157 | Q45: How do you execute custom scripts? 158 | A: `:. script.js` 159 | 160 | Q46: How do you set a watchpoint? 161 | A: `:dw address` 162 | 163 | Q47: How do you trace syscalls? 164 | A: `:dt syscall` 165 | 166 | Q48: How do you profile memory allocations? 167 | A: `:dm alloc` 168 | 169 | Q49: How do you monitor file operations? 170 | A: `:dtf open` 171 | 172 | Q50: How do you dump all strings? 173 | A: `:iz` 174 | -------------------------------------------------------------------------------- /data/radare2/pending/claude-print.txt: -------------------------------------------------------------------------------- 1 | Question Answer 2 | Print the current function as hex? pxf 3 | What's the command to see hex with comments? pxc 4 | Display raw bytes in hexadecimal format px 5 | Looking for null-terminated strings psz 6 | Convert current block to JSON format pj 7 | Which command shows entropy visualization? p=e 8 | Raw bytes output of current block pr 9 | Create QR code from these 32 bytes pq 32 10 | Calculate MD5 hash of this section ph md5 11 | Display words as 32-bit hex values pxw 12 | Need to see N instructions disassembled pd 13 | Can you show me bits in bitmap format? pxB 14 | Command for 64-bit hex quadwords? pxq 15 | Give me entropy bars for this data p-e 16 | Show me 16-bit values in hex please pxh 17 | Print strings until null byte found psz 18 | Need octal representation of data pxo 19 | Command for raw bytes with offsets? prl 20 | Show UTF-16 unicode strings psu 21 | What's used for 32-bit wide strings? psW 22 | Decompress and show gunzipped content prg 23 | Space-separated hex pairs command? 
p8 24 | Convert 4 bytes to signed decimal pxd4 25 | View 8-byte hex values pv8 26 | Need strings wrapped to screen width pss 27 | Decompress LZ4 data block prgl 28 | Print strings with escape sequences psx 29 | One hex value per line output pxH 30 | Show hex word references pxr 31 | Convert to DOS timestamp ptd 32 | What's the NTFS time command? ptn 33 | HFS timestamp conversion pth 34 | UNIX timestamp display format pt 35 | Print BEAT internet time ptb 36 | Get 1-byte unsigned ints pxu1 37 | Convert to 2-byte signed ints pxd2 38 | Sparse hexdump visualization pxs 39 | Color palette for bytes prc 40 | Clean hex dump without addresses pxx 41 | String output until newline psn 42 | Generate C array from bytes pcc 43 | Python byte array format pcp 44 | Convert to Kotlin byte array pck 45 | Bytes as Rust array pcr 46 | Golang byte array syntax pcg 47 | Java array representation pcv 48 | Swift array output format pcz 49 | Generate YARA pattern pcy 50 | Create shellscript from bytes pcS 51 | Format bytes as JSON pcj 52 | JavaScript array output pcJ 53 | Objective-C bytes format pco 54 | Clean C format without comments pcq 55 | Space-separated number list pcn 56 | Show raw image content pri 57 | Generate bit patterns pp 58 | Create debruijn sequence ppd 59 | Sequential byte pattern pp1 60 | Word pattern generator pp2 61 | Dword pattern output pp4 62 | Generate qword pattern pp8 63 | Print ASCII alphabet pattern ppa 64 | Fill buffer with 0xFF ppf 65 | Zero-filled buffer output pp0 66 | Decompress XZ block pFX 67 | Raw bytes with line numbers prl 68 | Show printable chars with offsets prx 69 | Find null-terminated raw strings prz 70 | View operation color map pxA 71 | Display data in zoom mode pz 72 | Calculate byte entropy in zoom pze 73 | Count flags in zoom view pzf 74 | Show first byte in zoom pzh 75 | Count printable chars in zoom pzp 76 | List strings in zoom range pzs 77 | Count zero bytes in zoom pz0 78 | Tally 0xFF bytes in zoom pzF 79 | 2-byte swap endianness po2 
80 | 4-byte endian conversion po4 81 | Add value to current bytes poa 82 | Perform AND operation poA 83 | Divide current bytes pod 84 | Multiply byte values pom 85 | Apply OR operation poo 86 | XOR with given value pox 87 | Shift bytes left pol 88 | Right shift operation por 89 | Subtract from current bytes pos 90 | Encrypt block of data poE 91 | Decrypt current block poD 92 | Generate block signature poS 93 | Format hex pairs as JSON p8j 94 | Convert hex pairs to commands p8* 95 | Show bytes in decimal p8d 96 | Function bytes as hex pairs p8f 97 | Hex pairs with column layout p8x 98 | Print N bytes as bits pB 99 | Show bit stream format pb 100 | Convert to hex pairs p8 101 | Visualize bytes as bars p= 102 | Show function call count p=c 103 | Count jumps in block p=j 104 | Find invalid instructions p=i 105 | Count syscall instructions p=s 106 | Character count in strings p=z 107 | How many zero bytes? p=0 108 | Count 0xFF occurrences p=F 109 | Tally printable characters p=p 110 | Analyze basic block p=b 111 | List flags and marks p=m 112 | Show byte statistics p=d 113 | Create 16-bit waveform p=2 114 | Parse C++ string at offset ps+ 115 | Extract Swift immediate string pso 116 | Read wide character string psw 117 | Parse 32-bit wide string psW 118 | What shows all string types? 
psa 119 | String at current position psi 120 | Find printable string ps 121 | Get string in JSON format psj 122 | 2-byte length pascal string psp2 123 | 4-byte pascal string format psp4 124 | -------------------------------------------------------------------------------- /enrich-dataset.py: -------------------------------------------------------------------------------- 1 | import openai 2 | import pandas as pd 3 | import time 4 | from tqdm import tqdm 5 | import random 6 | import os 7 | import json 8 | from io import StringIO 9 | 10 | from datetime import datetime 11 | today = datetime.now().strftime("%Y-%m-%d") 12 | 13 | # OpenAI API configuration 14 | model = os.getenv("OPENAI_MODEL", "gpt-4o") 15 | base_url = os.getenv("OPENAI_BASE_URL", "https://api.openai.com/v1") 16 | api_key = os.getenv("OPENAI_API_KEY") 17 | max_tokens = 8000 18 | temperature = 0.7 19 | top_p = 0.9 20 | 21 | # Initialize OpenAI client 22 | client = openai.OpenAI( 23 | api_key=api_key, 24 | base_url=base_url 25 | ) 26 | 27 | def generate_dataset(num_examples=10): 28 | """Generate multiple examples and save to CSV""" 29 | 30 | data = pd.DataFrame() 31 | ok_data = pd.read_csv('data/radare2/radare2_ok.tsv', sep='\t') 32 | for i, row in ok_data.iterrows(): 33 | messages = [ 34 | {"role": "system", "content": f"""You are a helpful data expert who is tasked with enriching the dataset with additional examples. 35 | You'll be given a question and answer. 36 | The answer is a valid radare2 command. 37 | Generate {num_examples}-{num_examples*2} more examples that are very similar to the question and answer above. 38 | Only vary the answer if there are clear parameters that can be changed, like sorting, filtering, things like top N, numbers, addresses, etc. 39 | The questions should vary from minimal to longer. Minimal could be just the important part and nothing else. Sometimes, it's even just 1 word, always in english. 40 | Longer means should be looking more like a full question. 
41 | If you can vary the command, do {num_examples}-{num_examples*2} more examples. 42 | respond in tsv format: Question\tAnswer 43 | """}, 44 | {"role": "user", "content": f"""{row['q']}\t{row['a']}"""} 45 | ] 46 | 47 | response = client.chat.completions.create( 48 | model=model, 49 | messages=messages, 50 | max_tokens=max_tokens, 51 | temperature=temperature, 52 | top_p=top_p 53 | ) 54 | content = response.choices[0].message.content 55 | print(content) 56 | 57 | parsed = pd.read_csv(StringIO(content), sep='\t', names=['q', 'a']) 58 | data = pd.concat([data, pd.DataFrame([row]), parsed], ignore_index=True) 59 | # Save intermediate results after each batch 60 | data.to_csv(f'data/radare2/radare2_enriched.tsv', sep='\t', index=False) 61 | 62 | # Convert to DataFrame and save 63 | df = pd.DataFrame(data) 64 | 65 | # Ensure the 'q' and 'a' columns are properly formatted 66 | df['q'] = df['q'].apply(lambda x: x if x else "") 67 | df['a'] = df['a'].apply(lambda x: x if x else "") 68 | 69 | # Save both train and validation sets 70 | # train_size = int(len(df) * 0.95) 71 | 72 | df_train = df 73 | # df_val = df[train_size:] 74 | 75 | df_train.to_csv(f'data/radare2/radare2_enriched.tsv', sep='\t', index=False) 76 | # df_val.to_csv(f'data/pending/{today}_radare2_val.tsv', sep='\t', index=False) 77 | 78 | print(f"Generated {len(df)} examples") 79 | print(f"Training examples: {len(df_train)}") 80 | # print(f"Validation examples: {len(df_val)}") 81 | 82 | # Display some examples 83 | print("\nSample examples:") 84 | for _, row in df.head(3).iterrows(): 85 | print("\nQ:", row['q']) 86 | print("A:", row['a']) 87 | print("-" * 50) 88 | return df 89 | 90 | def validate_dataset(file_path='data/radare2/radare2_train.tsv'): 91 | """Validate the generated dataset""" 92 | df = pd.read_csv(file_path, sep='\t') 93 | 94 | # Basic validation 95 | print("\nDataset Statistics:") 96 | print(f"Total examples: {len(df)}") 97 | print(f"Average question length: {df['q'].str.len().mean():.1f} 
characters") 98 | print(f"Average answer length: {df['a'].str.len().mean():.1f} characters") 99 | print(f"Null values: {df.isnull().sum().sum()}") 100 | 101 | # Check for duplicates 102 | duplicates = df.duplicated().sum() 103 | print(f"Duplicate entries: {duplicates}") 104 | 105 | if __name__ == "__main__": 106 | num_examples = 10 107 | ok_data = pd.read_csv('data/radare2/radare2_ok.tsv', sep='\t') 108 | generate_dataset(num_examples=num_examples) -------------------------------------------------------------------------------- /data/radare2/pending/2024-10-28-binary_analysis-openai:gpt-4o-top_p-0.9-temp-0.7.tsv: -------------------------------------------------------------------------------- 1 | q a 2 | How can I analyze the binary to find all functions? aaa 3 | Identify all the strings present in the binary. iz 4 | List all the imported symbols from the binary. ii 5 | Show detailed information about the binary headers. ih 6 | Find all cross-references to the function at address 0x400650. axt 0x400650 7 | Display all the sections in the binary. iS 8 | Decompile the function at the current address. pdd 9 | What is the entry point of this binary? ie 10 | Identify the architecture of the binary. e asm.arch 11 | List all exported symbols in the binary. iE 12 | Show a list of all functions in the binary. afl 13 | Print the disassembly of the current function. pdf 14 | Find all occurrences of the instruction 'call eax'. /a call eax 15 | List all the relocations in the binary. ir 16 | What is the base address of the binary? e file.baddr 17 | How can I view the main function's address? iM 18 | Show all the comments in the binary. CC 19 | Extract and display the resources embedded in the binary. iR 20 | List all symbols from the binary. is 21 | Show all the function signatures found in the binary. afsj 22 | Generate a call graph of the binary. agC 23 | Display all the libraries used by the binary. il 24 | How do I list all the memory maps of the process? 
dm 25 | What are the main sections of the binary? iS 26 | Identify the imports of the binary and classify them by type. iic 27 | List all classes, methods, and fields in the binary. ic 28 | Print the pseudocode for the current function. pdc 29 | What is the size of the binary file? e file.size 30 | Display the entropy of the binary. p=e 31 | Find all jump instructions in the binary. /a jmp 32 | How can I list all basic blocks in the current function? afb 33 | What is the compiler used for this binary? iI 34 | List all the types found in the binary. ts 35 | Show the cyclomatic complexity of functions. afCc 36 | List all the segments in the binary. iSS 37 | Display all local variables in the current function. afv 38 | Show the current seek offset in the binary. s 39 | Identify the syscall numbers used in the binary. as 40 | List all vtables found in the binary. av 41 | Display the assembly instructions of the current block. pdr 42 | Find all conditional jumps in the binary. /a j 43 | List all the comments in the current function. CCf 44 | How do I display the entry point address? ie 45 | Show all the data references in the binary. ax 46 | What are the entry points of the binary? ie 47 | List all imports from the binary. ii 48 | What is the format of this binary? e bin.format 49 | Analyze all syscalls in the binary. aas 50 | Display a summary of the current function. pdsf 51 | Find all ROP gadgets in the binary. /R 52 | List all NOP instructions in the binary. /a nop 53 | Show all exported functions. iE 54 | What are the global variables in the binary? avg 55 | List all indirect calls in the binary. /r 56 | Show all the imports grouped by class. iic 57 | Display the binary's version information. iV 58 | Show the list of all methods in a class. ic 59 | Identify the compiler flags used. iI 60 | List all the exported symbols. iE 61 | Find all loops in the binary. /af 62 | Display the DWARF information. id 63 | Show the entry point and constructors. 
iee 64 | List all the resources in the binary. iR 65 | Identify the endianess of the binary. e asm.endian 66 | Display all function arguments. afva 67 | Find all data references to a specific address. /r 0x400650 68 | How can I view all the known magic patterns? pm 69 | List all the types in the binary. ts 70 | Show the offsets of all function calls. aac 71 | Display all the hidden symbols. is 72 | List all the data sections. iS 73 | What is the binary type? e bin.type 74 | Show the current seek address. s 75 | List all the exported classes. ic 76 | Find all instructions that use a specific register. /ar 77 | Show all the segments in the binary. iSS 78 | What are the privileges required by the binary? iI 79 | Display all imported functions. ii 80 | List all function calls in the binary. aac 81 | Show the binary's architecture. e asm.arch 82 | What are the symbols in the binary? is 83 | Display all the class hierarchies. icg 84 | List all the functions in the binary. afl 85 | Show all the global data references. agA 86 | What are the main symbols in the binary? is 87 | Display all the file headers. ih 88 | Identify all the function signatures. afs 89 | Show all the relocations in the binary. ir 90 | What are the entry points in the binary? ie 91 | List all the exported symbols by name. iE 92 | Display all the imports classified by type. iic 93 | What is the endianness of the binary? e asm.endian 94 | Show all the indirect calls in the binary. /r 95 | Find all functions that call a specific function. axt 96 | List all the section hashes. iS 97 | Show the architecture of the binary. e asm.arch 98 | What are the imported classes? iic 99 | Display all the imported methods. iic 100 | What is the format of the binary file? e bin.format 101 | List all the global variables. 
avg 102 | -------------------------------------------------------------------------------- /data/radare2/pending/2024-10-28-reverse_engineering-openai:gpt-4o-top_p-0.9-temp-0.7.tsv: -------------------------------------------------------------------------------- 1 | q a 2 | How do I view all functions in the binary? afl 3 | How can I rename a function at the current offset? afn new_function_name 4 | What command disassembles the next 20 instructions? pd 20 5 | How do I search for the string 'password' in the binary? /c password 6 | How can I show the imports of the binary? ii 7 | What command allows me to view the call graph? agC 8 | How do I list all symbols in the binary? is 9 | How can I list all sections in the binary? iS 10 | What command shows all the relocation entries? ir 11 | How do I change the architecture to ARM? e asm.arch=arm 12 | What command shows the ELF headers? iH 13 | How do I view the entrypoint of the binary? ie 14 | How can I convert a virtual address to a file offset? ?p vaddr 15 | How do I search for a specific opcode sequence in the binary? /a opcode_sequence 16 | How can I identify and list all the exported functions? iE 17 | What command shows the dynamic linking information? il 18 | How do I find the basic blocks of the current function? afb 19 | What command lists all the classes in a binary? ic 20 | How do I patch a byte at the current offset? wx 90 21 | How can I view the debug symbols? id 22 | What command allows me to view the function prologues? aap 23 | How do I set a breakpoint at the entry point? db entry0 24 | How can I analyze all the functions in the binary? aa 25 | What command searches for UTF-16 strings? /w foo 26 | How do I convert a file offset to a virtual address? ?P file_offset 27 | How can I find all data references to a specific address? /rd address 28 | What command shows the registers and their values? dr 29 | How do I show all the backtrace information? 
dbt 30 | How can I dump the current function's assembly to a file? pD > function.asm 31 | What command lists all the threads of a process? dpt 32 | How do I inspect the stack frame of the current function? afF 33 | How can I emulate a specific instruction? ae instruction 34 | What command shows the syscall table? as 35 | How can I continue the execution until a specific address? dcu address 36 | What command allows me to list all the syscalls used? aS 37 | How do I perform a base64 decode of the current block? p6d 38 | What command lists all the libraries used by the binary? il 39 | How do I set a watchpoint on a variable? dbw variable 40 | How can I find the main function in a binary? af main 41 | What command shows the entry points of all functions? afl 42 | How do I print the current instruction as a hexadecimal string? px 4 43 | How can I list all the function arguments? afv 44 | What command lists the global variables? avg 45 | How can I decode the operation at the current offset? pa 46 | What command lists all the memory segments? iSS 47 | How do I search for all occurrences of a function call? /c call 48 | How can I perform an entropy analysis on the binary? p=e 49 | What command lists all the imported functions? ii 50 | How do I set the program counter to a specific address? sr PC=address 51 | How can I find all instances of a specific data pattern? /x data_pattern 52 | What command shows the CPU architecture of the binary? i~arch 53 | How do I list all the type definitions in the binary? ts 54 | How can I create a graph of function calls? agC 55 | What command lists all the hidden sections? iH 56 | How can I print the hex dump of the current block? px 57 | What command lists all the data types used in the binary? td 58 | How do I search for a sequence of assembly instructions? /a sequence 59 | How can I find the address of a specific symbol? is~symbol 60 | What command allows me to execute a command on all functions? 
afl~cmd 61 | How do I view the stack trace during a debug session? dbt 62 | How can I list all the sections with their permissions? iS 63 | What command lists all the class methods? ic 64 | How do I set a breakpoint at a specific memory address? db address 65 | How can I find all instances of a specific syscall? as syscall 66 | What command displays the contents of the clipboard? yp 67 | How do I view the function signatures in the binary? afsj 68 | How can I search for a specific hexadecimal pattern? /x pattern 69 | What command shows all the annotations in the binary? C* 70 | How can I search for all conditional jumps? /a jnz 71 | What command shows the file format of the binary? i~format 72 | How do I list all the constants defined in the binary? td 73 | How do I find all occurrences of a specific instruction? /a instruction 74 | How can I show the structure of the current function? pdf 75 | What command lists the dependencies of the binary? il 76 | How do I list all the section headers? iS 77 | How can I find all instances of a specific opcode? /a opcode 78 | What command shows the endianness of the binary? i~endian 79 | How can I print the raw bytes of the current block? pr 80 | What command allows me to decode base64 encoded data? p6d 81 | How can I analyze the control flow graph of a function? agf 82 | What command shows the dynamic symbols? is 83 | How can I identify the operating system of the binary? i~os 84 | How do I dump the current memory map to a file? dmd > map.dmp 85 | How can I convert a hexadecimal address to decimal? ?d hex_address 86 | What command lists all the code references? axt 87 | How do I set a breakpoint on a specific function call? db function_name 88 | How can I search for all function prologues? 
/c function_prologue
--------------------------------------------------------------------------------
/training/README.md:
--------------------------------------------------------------------------------
# Radare2 AI Model Training

This directory contains the training pipeline for fine-tuning language models on Radare2 reverse engineering tasks.

## Project Structure

```
training/
├── config.yaml   # Configuration file for model, training, and export settings
├── train.py      # Main training script
├── Makefile      # Automation script for the entire pipeline
└── README.md     # This file
```

## Quick Start

To run the complete training pipeline:

```bash
make -C training
```

This will:
1. Create a Python virtual environment
2. Install all required dependencies
3. Compile the dataset from the parent directory's scripts
4. Fine-tune the model
5. Export to GGUF format (Linux/NVIDIA) or MLX format (Mac)

## Prerequisites

- Python 3.8+
- CUDA-compatible GPU (recommended for Linux)
- Sufficient disk space for model weights and datasets
- API keys for LLM services (if regenerating dataset from scratch)

## Configuration

Edit `config.yaml` to customize:

- **Model**: Change `model.name` to any Hugging Face model (default: SmolLM-135M)
- **Training**: Adjust epochs, batch size, learning rate, etc.
- **Quantization**: Set GGUF quantization method
- **Platform**: Configure CUDA/MPS settings
- **LoRA**: Enable parameter-efficient fine-tuning

## Manual Usage

### 1. Setup Environment
```bash
make -C training venv
source training/venv/bin/activate
make -C training deps
```

### 2. Compile Dataset
```bash
make -C training compile-dataset
```

This runs the dataset generation scripts from the parent directory:
- `parse_usage.py` - Parse radare2 command documentation
- `generate-dataset.py` - Generate Q&A pairs using LLMs
- `enrich-dataset.py` - Expand the dataset with variations
- `prepare-dataset.py` - Convert to JSONL format
- `r2cmd.py` - Convert to function calling format

### 3. Train Model
```bash
make -C training train
```

### 4. Individual Targets
```bash
make -C training help    # Show all available targets
make -C training clean   # Clean up environment and outputs
```

## Dataset

The training uses the Radare2 dataset located at `../data/radare2/radare2_train.jsonl`. This dataset contains:
- Questions about radare2 usage
- Corresponding radare2 commands as answers
- Conversational format with system prompts

## Model Export

### Linux/NVIDIA (GGUF)
- Exports to GGUF format using llama.cpp
- Supports various quantization levels (Q4_K_M, Q5_0, etc.)
- Optimized for GPU inference

### Mac (MLX)
- Exports to Apple's MLX format
- Optimized for Apple Silicon GPUs
- Requires MLX library

## Platform Support

- **Linux + NVIDIA**: Full CUDA acceleration, GGUF export
- **macOS**: MPS acceleration, MLX export (experimental)
- **Other platforms**: CPU-only training, limited export options

## Troubleshooting

### Common Issues

1. **CUDA out of memory**: Reduce `per_device_train_batch_size` or increase `gradient_accumulation_steps`

2. **Dataset compilation fails**: Ensure API keys are set for LLM services, or use existing compiled dataset

3. **GGUF export fails**: Install llama.cpp and ensure it's in PATH

4. **MLX export fails**: Install Apple's MLX library

### Performance Tips

- Use LoRA for memory-efficient fine-tuning on large models
- Adjust batch size based on GPU memory
- Use gradient checkpointing for very large models
- Monitor training with TensorBoard (logs saved to output_dir)

## Project Organization Suggestions

The current project structure could be improved:

### Recommended Structure
```
r2ai-model/
├── data/
│   ├── radare2/
│   │   ├── sources/      # Raw data files
│   │   ├── processed/    # Intermediate processed data
│   │   └── final/        # Final datasets
│   └── scripts/          # Data processing scripts
├── training/
│   ├── configs/          # Multiple config files for different setups
│   ├── scripts/          # Training utilities
│   └── models/           # Saved model checkpoints
├── evaluation/           # Model evaluation scripts
├── inference/            # Inference and deployment scripts
└── docs/                 # Documentation
```

### Improvements
1. **Modularize dataset generation**: Separate LLM calls from data processing
2. **Add data validation**: Quality checks for generated datasets
3. **Version control for datasets**: Track dataset versions and changes
4. **Experiment tracking**: Log hyperparameters and results
5. **CI/CD pipeline**: Automated testing and deployment
6. **Model registry**: Store and version trained models

## Contributing

1. Test changes on both Linux and Mac platforms
2. Update documentation for any configuration changes
3. Add validation for new configuration options
4. Ensure backward compatibility with existing configs

## License

This project follows the same license as the parent Radare2 project.
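Added example, not code from the r2ai-model repository: the quality check that the "Add data validation" item above and the `validate_dataset()` in `generate-dataset.py` leave to the reviewer. It parses the Q/A TSV that `generate-dataset.py` writes, drops empty and duplicate rows, routes answers with side effects outside the analysed file (shell escape, server or remote commands, writes, output redirection) to manual review, and emits chat-style JSONL. The sample rows are constructed, and the JSONL shape and system prompt are assumptions rather than what `prepare-dataset.py` produces.

```python
import csv
import io
import json

# Constructed sample in the repository's TSV layout: a "q<TAB>a" header row, then one
# question/answer pair per line. It deliberately contains a duplicate question, an empty
# answer, answers with side effects, and a row with too many columns.
SAMPLE_TSV = """q\ta
How do I list all sections in the binary?\tiS
How can I disassemble the next 10 instructions?\tpd 10
How do I execute a shell command from within radare2?\t! shellcommand
How can I export the disassembly to a file?\tpd > disassembly.txt
How do I list all sections in the binary?\tiS
How do I write a nop instruction at the current offset?\twa nop
How do I show the current seek position?\t
How can I rename a flag?\tfr flag.old flag.new\textra column
"""

# Answer prefixes that act outside the analysed file: "!" runs a host shell command,
# "=" starts servers or remote commands (=!, =h, =t, =g, =l), "w" writes to the file
# or process memory, "r " resizes the file. Output redirection (">") writes a host file.
# r2ai auto mode executes the answer, so such rows go to manual review instead of
# being accepted automatically.
SIDE_EFFECT_PREFIXES = ("!", "=", "w", "r ")


def parse_tsv(text):
    """Parse the q/a TSV; returns (rows, bad_lines) where bad_lines have != 2 columns."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    rows, bad = [], []
    for lineno, fields in enumerate(reader, start=1):
        if not fields or (lineno == 1 and fields[:2] == ["q", "a"]):
            continue  # blank line or header row
        if len(fields) != 2:
            bad.append(lineno)
            continue
        rows.append({"line": lineno, "q": fields[0].strip(), "a": fields[1].strip()})
    return rows, bad


def needs_review(answer):
    """True for answers that a human should look at before they are ever auto-executed."""
    a = answer.lstrip()
    return a.startswith(SIDE_EFFECT_PREFIXES) or ">" in a


def check_dataset(rows):
    """Partition rows into ok / empty / duplicate / review buckets (line numbers kept)."""
    seen_questions = set()
    report = {"ok": [], "empty": [], "duplicate": [], "review": []}
    for row in rows:
        if not row["q"] or not row["a"]:
            report["empty"].append(row["line"])
            continue
        if row["q"] in seen_questions:
            report["duplicate"].append(row["line"])
            continue
        seen_questions.add(row["q"])
        if needs_review(row["a"]):
            report["review"].append(row["line"])
        else:
            report["ok"].append(row)
    return report


def to_jsonl(rows, system_prompt="You are a radare2 assistant. Answer with a single r2 command."):
    """Chat-style JSONL with a system prompt (assumed shape; prepare-dataset.py may differ)."""
    return "\n".join(json.dumps({"messages": [
        {"role": "system", "content": system_prompt},
        {"role": "user", "content": row["q"]},
        {"role": "assistant", "content": row["a"]},
    ]}) for row in rows)


def run_checks(text):
    """Parse and check one TSV document; returns (report, bad_lines)."""
    rows, bad = parse_tsv(text)
    return check_dataset(rows), bad


if __name__ == "__main__":
    report, bad = run_checks(SAMPLE_TSV)
    print(f"accepted {len(report['ok'])}, empty {report['empty']}, "
          f"duplicates {report['duplicate']}, review {report['review']}, malformed {bad}")
    print(to_jsonl(report["ok"]))
```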
-------------------------------------------------------------------------------- /data/radare2/Attic/radaregpt.tsv: -------------------------------------------------------------------------------- 1 | q a 2 | What command shows all functions in the binary? afl 3 | How can I analyze all the functions in a binary? aa 4 | How do I list all sections in the binary? iS 5 | What command disassembles 10 instructions at the current address? pd 10 6 | How can I get the architecture and OS info of the binary? i 7 | How do I see all imports in the binary? ii 8 | What command lists all the strings in the binary? iz 9 | How can I seek to the entry point of the binary? s entry0 10 | How do I display the control flow graph for the current function? agf 11 | What command disassembles the current function? pdf 12 | How do I find functions that contain the "main" symbol? /c main 13 | How can I print a hexdump of 64 bytes at the current address? px 64 14 | What command loads a script file in radare2? . scriptfile 15 | How can I display information on libraries required by the binary? il 16 | How do I start debugging a binary in radare2? ood binaryfile 17 | What command executes a single instruction in debugging mode? ds 18 | How do I set a breakpoint at a specific address? db address 19 | How can I continue execution until the next breakpoint? dc 20 | What command quits radare2? q 21 | How can I list all symbols in the binary? is 22 | What command searches for a specific hex pattern? /x hexpattern 23 | How do I show all segments in the binary? iS 24 | What command sets the architecture to x86? e asm.arch=x86 25 | How can I display registers in debugging mode? dr 26 | How do I show a hexdump of the entire data segment? px @ data 27 | What command lists all flag space names? f* 28 | How can I view all comments in the current function? CC* 29 | How do I show the current instruction pointer? dr?PC 30 | What command lists all classes and fields (r2frida)? 
:ic 31 | How do I display the disassembly in visual mode? V 32 | How can I see the list of commands in the shell? ? 33 | What command shows detailed memory mappings? dm 34 | How do I find the calling convention of the binary? e anal.cc 35 | How can I get an ASCII view of the bytes at the current address? pxa 36 | What command sets the analysis depth to a specific value? e anal.depth=value 37 | How do I follow conditional jumps in the analysis? e anal.jmp.cref=true 38 | What command sets the value for the data segment register? e anal.ds=value 39 | How can I analyze the jump tables in the binary? e anal.jmp.tbl=true 40 | How do I run a specific script when radare2 starts? r2 -i scriptfile 41 | What command displays all functions with their offsets? aflj 42 | How do I display flags in JSON format? fj 43 | How can I print zero-terminated strings in memory? pz 44 | What command shows all exported functions? iE 45 | How do I show the list of imports with JSON output? iij 46 | What command saves the current radare2 session? Ps 47 | How do I restore a radare2 session from a project file? Po 48 | How can I convert hexadecimal to ASCII? pxa 49 | What command prints the offset as hexadecimal? pxh 50 | How do I seek to a specific offset within the binary? s offset 51 | What command changes the endianess of the disassembly? e asm.endian 52 | How can I remove all breakpoints in the debugger? db- 53 | What command prints the current stack pointer? dr?SP 54 | How do I change the maximum block size for disassembly? e asm.bytes=64 55 | What command sets a comment at the current location? CC comment 56 | How do I display an ASCII art graph of the current function? ag 57 | What command disassembles a function in radare2? pdf 58 | How can I show the list of current registers? dr 59 | What command clears all flags in radare2? f-* 60 | How do I specify a calling convention for system calls? e anal.syscc 61 | What command prints a fortune message in radare2? 
fo 62 | How can I change the verbosity of analysis warnings? e anal.verbose=true 63 | What command lists all string references? axt 64 | How do I specify a temporary file size limit? e io.cache.size 65 | What command runs ESIL emulation? ae 66 | How can I quit the radare2 shell? q 67 | What command prints binary bytes as instructions? pi 68 | How do I create a new flag in radare2? f flagname 69 | What command removes a specific flag? f- flagname 70 | How can I add a visual comment at a specific address? CC address 71 | What command displays hex values in pairs? p8 72 | How do I load a binary file in radare2? r2 filename 73 | What command enables debugging with ESIL? ae 74 | How can I set an alias for a specific command? e cmd.alias 75 | What command writes a value to memory at a given address? wv value @ address 76 | How do I execute a command with system permissions? ! command 77 | What command prints a list of all segments? iSS 78 | How can I seek to the end of the binary? s $ 79 | What command shows the list of variables in the binary? av 80 | How do I seek to a specific symbol in radare2? s sym.symbolname 81 | What command prints 32-bit values in little endian? pd 82 | How can I dump memory to a file? wtf dumpfile 83 | What command allows you to resize a file in radare2? r resize 84 | How do I add a note to the current address? CC note 85 | What command views all API symbols in the binary? ie 86 | How can I show metadata of a file? file filedata 87 | What command shows a list of currently used plugins? L 88 | How do I list all available commands for help? ? 89 | What command adds a format flag to memory? Cf 90 | How can I initialize the binary analysis engine? aa 91 | What command maps a new file region in memory? om 92 | How do I write to a specific offset? wv value 93 | What command creates a new project? Po projectname 94 | How can I retrieve the number of functions? afl? 95 | What command runs a predefined set of commands? 
~
96 | How do I execute a system shell command in radare2? ! shellcommand
97 | What command enables byte disassembly? pd
--------------------------------------------------------------------------------
/generate-dataset.py:
--------------------------------------------------------------------------------
import openai
import pandas as pd
import time
from tqdm import tqdm
import random
import os
import json

from datetime import datetime
today = datetime.now().strftime("%Y-%m-%d")
model = "gpt-4o"
# model = "claude-3-5-sonnet-20241022"
# model = "claude-3-opus-20240229"
# max_tokens = 4095
max_tokens = 16000
temperature = 0.7
top_p = 0.9

# Configure OpenAI client - the API key and an optional custom base_url come from environment variables
client = openai.OpenAI(
    api_key=os.getenv("OPENAI_API_KEY"),
    base_url=os.getenv("OPENAI_BASE_URL", "https://api.openai.com/v1")
)

def generate_pair(messages):
    """Ask the model for one batch of {"q", "a"} pairs; appends its reply to `messages`."""
    commands = open("data/radare2/sources/all_commands.txt", "r").read()
    fortunes = open("data/radare2/sources/fortunes.tips", "r").read()
    prompt = f"""You're a helpful assistant who is extremely knowledgeable about the reverse engineering, malware analysis and security space in general.
You're a pro at using radare2 for many different tasks. Your job is to enumerate all possible ways someone could use radare2 to answer a question.
You should come up with a variety of different questions that utilize a variety of different commands.
The radare2_command should be valid and be able to be run.


{commands}


{fortunes}


[{{"q": "", "a": ""}}, ...]


{json.dumps(examples())}


Datetime: {datetime.now().strftime("%Y-%m-%d %H:%M:%S")}
"""
    text = ""

    try:
        response = client.chat.completions.create(
            model=model,
            messages=[{"role": "system", "content": prompt}, *messages],
            max_tokens=max_tokens,
            temperature=temperature,
            top_p=top_p
        )
        # Parse response
        text = response.choices[0].message.content
        messages.append({"role": "assistant", "content": text})
        # The model is asked for a bare JSON array; strip markdown fences if it added them anyway
        data = json.loads(text.replace("```json", "").replace("```", ""))
        if len(data) > 0:
            print(data)
        return data
    except Exception as e:
        print('text:', text)
        print(f"Error generating pair: {e}")
        return []

def generate_dataset(file_path, num_examples=1000, messages=None, category=None):
    """Generate multiple examples and save them as a TSV file"""
    if messages is None:  # do not share a mutable default list between calls
        messages = []

    data = []
    pbar = tqdm(total=num_examples, desc=f"Generating examples for {category}")
    while len(data) < num_examples:
        lines = generate_pair(messages)

        if lines:
            data.extend(lines)
            pbar.update(len(lines))

        # Sleep to respect rate limits
        time.sleep(0.5)
        # Continue the same conversation so the next batch extends the previous ones
        messages.append({"role": "user", "content": "generate more"})
    print(data)
    pbar.close()

    # Convert to DataFrame and save
    df = pd.DataFrame(data)

    # Ensure the 'q' and 'a' columns are properly formatted
    df['q'] = df['q'].apply(lambda x: x if x else "")
    df['a'] = df['a'].apply(lambda x: x if x else "")

    # Save both train and validation sets
    # train_size = int(len(df) * 0.95)

    df_train = df
    # df_val = df[train_size:]

    df_train.to_csv(file_path, sep='\t', index=False)
    # df_val.to_csv(f'data/pending/{today}_radare2_val.tsv', sep='\t', index=False)

    print(f"Generated {len(df)} examples")
    print(f"Training examples: {len(df_train)}")
    # print(f"Validation examples: {len(df_val)}")

    # Display some examples
    print("\nSample examples:")
    for _, row in df.head(3).iterrows():
        print("\nQ:", row['q'])
        print("A:", row['a'])
        print("-" * 50)
    return df

def validate_dataset(file_path='data/radare2/radare2_train.tsv'):
    """Validate the generated dataset"""
    df = pd.read_csv(file_path, sep='\t')

    # Basic validation
    print("\nDataset Statistics:")
    print(f"Total examples: {len(df)}")
    print(f"Average question length: {df['q'].str.len().mean():.1f} characters")
    print(f"Average answer length: {df['a'].str.len().mean():.1f} characters")
    print(f"Null values: {df.isnull().sum().sum()}")

    # Check for duplicates
    duplicates = df.duplicated().sum()
    print(f"Duplicate entries: {duplicates}")

# read data/radare2/radare2_ok.tsv and return 10 random reviewed rows as a list of dicts
def examples():
    df = pd.read_csv('data/radare2/radare2_ok.tsv', sep='\t')
    return df.sample(n=10).to_dict('records')

if __name__ == "__main__":
    # categories = ["malware", "forensics", "crypto", "general", "vulnerability", "exploit", "reverse engineering", "binary analysis", "binary patching", "debugging"]
    categories = ["crypto", "general", "vulnerability", "exploit", "reverse engineering", "binary analysis", "binary patching", "debugging"]
    num_examples = 100
    for category in categories:
        messages = [{"role": "user", "content": f"""generate {num_examples} examples that would be applicable to this category: {category}. Respond in JSON format: [{{"q": "", "a": ""}}, ...] and NOTHING ELSE."""}]
        file_path = f'data/radare2/pending/{today}-{category.replace(" ", "_")}-{model.replace("/", ":")}-top_p-{top_p}-temp-{temperature}.tsv'
        # Generate num_examples pairs per category; no validation split is written
        generate_dataset(file_path=file_path, num_examples=num_examples, messages=messages, category=category)
        validate_dataset(file_path=file_path)
--------------------------------------------------------------------------------
/data/radare2/Attic/o1-preview.tsv:
--------------------------------------------------------------------------------
1 | q a
2 | How can I disassemble the function at address 0x401000? pdf @ 0x401000
3 | I want to search for the string "password" in the binary. / password
4 | How can I list all functions in the binary? afl
5 | I need to set a breakpoint at address 0x400123. db 0x400123
6 | How do I step over the next instruction during debugging? dso
7 | How can I view the hexdump of 64 bytes at the current position? px 64
8 | I want to write the value 0x90 at address 0x400500. wx 90 @ 0x400500
9 | How can I analyze all functions in the binary? aa
10 | I want to see the list of strings in the binary. iz
11 | How can I display the registers while debugging? dr
12 | How do I search for the opcode "mov eax, ebx"? /a mov eax, ebx
13 | I need to analyze the function at address 0x401500. af @ 0x401500
14 | How can I write the string "Hello" at the current position? w Hello
15 | How can I display information about the opened file? i
16 | How do I open a file called "test.bin" in radare2? o test.bin
17 | I want to find all references to the function named 'main'. axt sym.main
18 | How can I list all imports of the binary? ii
19 | How do I assemble the instruction "nop" at the current position? wa nop
20 | I need to set the block size to 128 bytes. b 128
21 | How can I show all flags in the binary? f
22 | How do I rename the function at address 0x401000 to "my_func"?
afn my_func @ 0x401000 23 | I want to dump the disassembly of the current function into a file. pdf > function.asm 24 | How can I view the call graph of the binary? agC 25 | I need to find the base address of the binary. iI 26 | How can I search for the hexadecimal pattern "DE AD BE EF"? /x deadbeef 27 | How do I display the entropy of the file? p=e 28 | I want to see the comments at the current address. CC. 29 | How can I set a flag at address 0x400123 called "my_flag"? f my_flag @ 0x400123 30 | How do I display the stack trace? dbt 31 | How can I dump the hexadecimal values of the next 256 bytes into a file? px 256 > dump.hex 32 | I want to list all cross-references to address 0x401000. axt @ 0x401000 33 | How do I change the architecture to x86? e asm.arch = x86 34 | How can I evaluate the expression 0x400 + 0x200? ?v 0x400 + 0x200 35 | I need to see the help for the 'af' command. af? 36 | How can I print the value of the EAX register? dr eax 37 | I want to view the content of memory at address 0x500000. px @ 0x500000 38 | How do I search for sections with high entropy? /s 39 | How can I list all breakpoints I've set? db 40 | I need to continue execution until the next syscall. dcs 41 | How can I list all the threads of the process? dp 42 | How do I see the comments in the disassembly view? e asm.comments = true 43 | I want to analyze the current function. af 44 | How can I rename a flag from 'flag.old' to 'flag.new'? fr flag.old flag.new 45 | I need to change the endianness to big endian. e cfg.bigendian = true 46 | How do I continue execution until the function 'main' is called? dcu main 47 | How can I show the function calls from the current function? agc 48 | I want to see the usage of the 'px' command. px? 49 | How can I search for a wide string "hello"? /w hello 50 | How do I list all plugins available in radare2? L 51 | I need to disassemble 10 instructions. pd 10 52 | How can I enable the instruction cache? e io.cache = true 53 | I want to quit radare2. 
q 54 | How do I mark the current offset for later use? f my_mark 55 | How can I return to the offset I previously marked? s my_mark 56 | I need to write assembly instructions into the binary. wa [instruction] 57 | How do I undo the last seek operation? s- 58 | How can I see the data types in the binary? ts 59 | I want to dump all the strings into a file. iz > strings.txt 60 | How do I compare two files? cmp file1 file2 61 | How can I open the visual mode? V 62 | I need to print the call stack. dbt 63 | How do I generate shellcode for a 'nop' instruction? g nop 64 | How can I set a hardware breakpoint on write at address 0x400800? dbw 0x400800 65 | I want to see the value of a memory address in decimal. ?v [addr] 66 | How do I list all the sections in the binary? iS 67 | How can I disable color output in radare2? e scr.color = false 68 | I need to list all the variables in the current function. afv 69 | How can I set a comment at the current address? CC [comment text] 70 | I want to load types from a C header file. to [header.h] 71 | How do I step into the next instruction during debugging? dsi 72 | I need to display the current function in graph view. VV 73 | How can I search for code that accesses the EAX register? pd 100 ~ eax 74 | How do I set the variable 'foo' to value 'bar'? e foo = bar 75 | I need to see what commands I've run in radare2. ! 76 | How can I find functions that call 'main'? axf sym.main 77 | How do I list all the symbols in the binary? is 78 | I want to view the hexadecimal representation of the next 64 bytes. p8 64 79 | How can I open a shell within radare2? sh 80 | How do I define a structure type in radare2? td struct myStruct { int a; char b; } 81 | I need to save the current project. Ps 82 | How do I enable debug mode on the current file? ood 83 | How can I see if a function never returns? tn @ [function address] 84 | How can I set a variable to a specific type? afvt [varname] [new_type] 85 | I want to see the exports of the binary. 
iE 86 | How do I search for a string ignoring case? /i [string] 87 | How can I create a new flag space? fs+ [flagspace_name] 88 | I need to load a radare2 plugin. L [pluginname] 89 | How do I check the entropy of data at address 0x4000? p=e @ 0x4000 90 | How can I print the immediate value of the current instruction? ao~val 91 | I want to see the environment variables used by radare2. en 92 | How do I display the timestamp as a human-readable date? pt 93 | How can I set an alias for a function? fa [name] [alias] 94 | How can I disassemble the next 20 bytes as ARM code? e asm.arch = arm; pd 20 95 | I need help understanding the 'axt' command. axt? 96 | How do I set a breakpoint that triggers on a syscall? dbs 97 | How can I list all the classes in an Objective-C binary? ic 98 | I want to find dead code in the binary. aae 99 | How do I perform a basic automatic analysis? aaa 100 | How can I find and list all magic headers in the binary? /m 101 | I need to calculate the SHA256 hash of the current block. ph sha256 -------------------------------------------------------------------------------- /data/radare2/pending/2024-10-28-general-openai:gpt-4o-top_p-0.9-temp-0.7.tsv: -------------------------------------------------------------------------------- 1 | q a 2 | How can I list all the environment variables within radare2? % 3 | How do I execute a command on a remote server via r_io_system? =! cmd 4 | How do I open a file at a specific address? o [file] [addr] 5 | How can I change the block size to 64 bytes? b 64 6 | I want to list all functions found in the binary. What command should I use? afl 7 | How can I list all the sections in the binary? iS 8 | What command do I use to show the current seek position? s 9 | How can I disassemble the next 10 instructions? pd 10 10 | How do I display the hexadecimal dump of the current block? px 11 | How can I search for a specific string in the binary? / foo 12 | What command will list all the imports in the binary? 
ii 13 | How can I see all the comments in the binary? CC 14 | How do I rename a function at the current offset? afn 15 | How can I display the entropy of the current block? p=e 16 | How do I set a breakpoint at the entry point of the binary? db entry0 17 | How can I view the list of all available radare2 commands? ? 18 | What command allows me to save the current session as a project? Ps 19 | How do I analyze the binary to find all functions? aa 20 | How can I print the ASCII table within radare2? ?a 21 | How do I start a TCP server on port 9090? =t9090 22 | How can I list all plugins available in radare2? L 23 | How do I calculate the MD5 hash of the current block? ph md5 24 | How can I convert the current block to a base64 encoded string? p6e 25 | How do I seek to a specific address in the binary? s 0x400000 26 | How can I assemble an opcode at the current offset? wa 27 | How do I display all function names in the binary? afln 28 | How can I list all debug registers? drx 29 | How do I display the call graph of the current function? agc 30 | How can I start a web server on port 8080? =h8080 31 | How do I list all threads of the current process? dpt 32 | How can I display the pseudo C code of the current function? pdc 33 | How do I print the current block as a C byte array? pc 34 | How can I display the binary info in JSON format? ij 35 | How do I enable color output in radare2? e scr.color=3 36 | How can I quit radare2 without saving the session? q! 37 | How do I set the architecture to x86? e asm.arch=x86 38 | How can I show all the flags in the binary? f 39 | How do I list all the classes in the binary? ic 40 | How can I display the relocations in the binary? ir 41 | How do I add a new flag at a specific address? f @ 42 | How can I display the function signature at the current offset? afs 43 | How do I search for all references to a specific address? /r 44 | How can I display the list of all segments in the binary? 
iSS 45 | How do I execute a shell command from within radare2? ! 46 | How can I display the list of all imports in JSON format? iij 47 | How do I show the current configuration variables? e 48 | How can I display the last 10 lines of a file? tail 10 49 | How do I write a nop instruction at the current offset? wa nop 50 | How can I display the current register values? dr 51 | How do I set a comment at the current offset? CC 52 | How can I search for an opcode in the binary? /a 53 | How do I list all the symbols in the binary? is 54 | How can I export the disassembly to a file? pd > disassembly.txt 55 | How do I change the endianness to little? e cfg.bigendian=false 56 | How can I view the history of commands executed? ! 57 | How do I create a new session server? =l 58 | How can I show the value of the instruction pointer? dr PC 59 | How do I find all functions calling a specific function? axf 60 | How can I calculate the CRC32 of the current block? ph crc32 61 | How do I list all the exports in the binary? iE 62 | How can I disassemble a function and print it as JSON? pdfj 63 | How do I revert the last seek operation? s- 64 | How can I display the help for a specific command? ? 65 | How do I enable tracing of the child process? dte 66 | How can I list all the basic blocks in the current function? afb 67 | How do I execute the same command on multiple addresses? @@ 68 | How can I start a gdb server on port 4444? =g 4444 69 | How do I list all the memory maps of the process? dm 70 | How can I show the list of all open files? o 71 | How do I search for ROP gadgets in the binary? /R 72 | How can I show the current instruction in ESIL? pie 73 | How do I display the size of the binary? iS 74 | How can I calculate the number of printable characters in the block? p=p 75 | How do I set the block size to the size of the file? b=s 76 | How can I display the list of all segments? iSS 77 | How do I show the current flagspace? fs 78 | How can I disable all breakpoints? 
db-* 79 | How do I list all the sections in the binary as JSON? iSj 80 | How can I enable ESIL emulation? aei 81 | How do I show the current configuration in JSON? ej 82 | How can I list all the libraries used by the binary? il 83 | How do I calculate the SHA1 hash of the current block? ph sha1 84 | How can I set a temporary seek to an address? @ 85 | How do I find all the xrefs to the current function? axf 86 | How can I remove a flag at the current offset? f- 87 | How do I display the list of all types in the binary? t 88 | How can I show the path to the executable being debugged? dpe 89 | How do I list all the commands used in the current session? !! 90 | How can I show the call trace? dt 91 | How do I display the list of all imports in a table? ii, 92 | How can I show the current architecture? e asm.arch 93 | How do I list all the available interpreters? #! 94 | How can I display the size of a specific section? iSS
95 | How do I display the comments in JSON format? CCj 96 | How can I list all the signatures in the binary? zs 97 | How do I show the list of all relocations as JSON? irj 98 | How can I display the program header information? iH 99 | How do I change the instruction syntax to AT&T? e asm.syntax=att 100 | How can I save the current state of the registers? dr > registers.txt 101 | How do I calculate the SHA256 hash of the current block? ph sha256 102 | How can I view the sections of the binary in JSON format? iSj 103 | How do I set the architecture to ARM? e asm.arch=arm 104 | -------------------------------------------------------------------------------- /data/radare2/pending/quotes.txt: -------------------------------------------------------------------------------- 1 | the author of radare2 is named pancake, also known as Sergi Alvarez 2 | reopen the file in read-write mode use the `oo+` command 3 | pancake was born in Catalonia, Sergi Alvarez, r2 author is from Barcelona 4 | to run a script use the -i commandline flag. Some cmdline flags are also accessible from the r2 shell. 5 | you can also use `. 
...` to load a script or plugin 6 | ESIL stands for Evaluable Strings Intermediate Language and it's used by radare2 to emulate native code 7 | the `pd` command is used to disassemble N instructions 8 | use the `px` command prints the hexdump 9 | to recursively parse in hexadecimal the current memory consuming dwords and qwords use the `pxr` command 10 | to quit radare2 use the `q` command 11 | iaito is the official GUI of radare2 12 | iaito is written in C++ and depends on QT5 or QT6 13 | the git repository of radare2 is https://github.com/radareorg/radare2 14 | use the pz command to print zero-terminated strings 15 | the -w commandline flag will open the file in read-write mode 16 | the -n commandline flag avoids parsing the file headers 17 | use the `i` command to get information from the binary 18 | `il` command shows the list of libraries the program needs 19 | `ii` shows the imports 20 | `is` shows the symbols, you can use the `is.` command to get the symbol name for the current offset 21 | $$ name is an alias for the current offset 22 | to install radare2 you just need to run sys/install.sh after cloning the repository 23 | the command to disassemble 10 instructions in radare2 is `pd 10` 24 | if you want to disassemble 32 bytes use `pD 32` (note pd and pD refer to instructions or bytes) 25 | radare2 can be configured 26 | the startup script for radare2 is named `~/.radare2rc`. This file is used also to define the initial configuration options. 27 | to change any configuration use the `e` command or the `-e` commandline flag 28 | cli and cmdline are aliases for commandline 29 | to analyze the program use the aa command, note that there's also aaa, aaaa and aaaaa, which perform more and deeper analysis actions. 30 | to seek, move or change the current in radare2 use the `s` command. 
31 | relative seeks can be done with `s+` and `s-` appending the number 32 | you can set the default configuration options in the `~/.radare2rc` file 33 | to disassemble the function you can use the `pdf` or `pdr` commands. 34 | to get the control flow graph of the current function in ascii art use the `agf` command. 35 | the ?E command will show r2clippy saying the given message 36 | this program count with an amazing amount of $(aflc) functions 37 | the current opened file name is "$(o.)" 38 | This program imports the following symbols from external libraries: "$(iiq)" 39 | the list of libraries the program links to are: "$(ilq)" 40 | r2 is an alias for radare2 41 | disasm is an alias for disassemble or disassembly 42 | the command in r2 to write the current block or an specific amount of bytes to a file is `wtf`, and stands for write-to-file 43 | to get the value of a register use the `dr?rax` where `rax` is the register name 44 | to get the current regstate debugger register values are: "$(dr)" 45 | this is the information of the current program architecture, target operating system and endian: "$(iq)" 46 | to perform a single step in the ESIL emulator or the debugger use the `ds` command. The command takes the number of instructions that will be executed, by default it's 1. For example `ds 32` is the same as `32ds` 47 | radare2 commands can be prefixed with a number, in that case the command after the decimals is executed many times 48 | if the command starts with "0x", it is the same as seeking there. 49 | the current value of the program counter $(dr?PC) 50 | to display the hexpair string of the bytes in the current offset use `p8` 51 | the first 32 bytes in the current offset are: $(p8 32) 52 | to step into 10 instructions use the `ds 10` command. 
53 | step over won't go into calls, which is useful when you don't want to go into calls
54 | radare started in 2006 as a simple, but advanced, hexadecimal editor
55 | r2frida is a plugin for radare2 to instrument and trace function calls on live processes using Frida
56 | r2frida commands start with the `:` character. For example `:ic` lists the classes
57 | the `ic` command lists the classes, methods and fields. radare2 can parse java, kotlin, swift, objc, c++
58 | use the `wtf` command to write-to-file and the `wff` to write-from-file. think of them as dump and slurp
59 | r2pipe example script: ```js\nconst msg = r2.cmd("?E Hello World");\nconsole.log(msg);\n```
60 | the r2pipe js API provides the .cmd() and .cmdj() methods, which execute a radare2 command and return its output either as a plain-text string or parsed from JSON
61 | Use `r2.cmdj()` when you want to parse the output of the command as if it was JSON. This is useful to get structured information from r2. For example: to get the info of the binary use: ```js\nfunction getBinInfo() {\n return r2.cmdj("ij")\n}\n```
62 | the radare project was started in the year 2006 by pancake and it was designed as a tool for forensics analysis
63 | the first purpose of radare was to recover some deleted files from an HFS partition on an old macppc; the tool accessed the disk in raw mode, searched for known strings and dumped the results as separate files to disk.
64 | the real name of pancake is Sergi Alvarez, he is a Catalan hacker and free software activist who developed many other open source projects, like r2frida, applesign, the 0xFFFF Nokia Flasher, ACR the autotools replacement, and many more
65 | the author of radius2 is Alkali. radius2 is a fast binary emulator and symbolic execution engine written in Rust and based on radare2's ESIL
66 | The `eco` command is used to change the color theme in radare2.
67 | To list all the available color themes run `eco` without any argument. But you can change the current one by passing it as argument.
68 | To edit the radare2rc file use the `ed` command. This script will be executed at startup time and can be ignored by using the `r2 -n` flag
69 | ACR stands for AutoConfReplacement, and it is a minimalistic implementation of the GNU autoconf tool developed by pancake and used in radare2 as well as in other projects.
70 | To perform a step into the next instruction in the radare2 debugger use the `ds` command. To step over use `dso`.
71 |
--------------------------------------------------------------------------------
/data/radare2/sources/fortunes.tips:
--------------------------------------------------------------------------------
1 | Tweak the disassembly output with `e asm.`
2 | Add custom Have you setup your ~/.radare2rc today?
3 | In visual mode press 'c' to toggle the cursor mode. Use tab to navigate
4 | You can mark an offset in visual mode with the cursor and the ',' key. Later press '.' to go back
5 | You can debug a program from the graph view ('ag') using standard radare2 commands
6 | Use the '[' and ']' keys in visual mode to adjust the screen width
7 | Select your architecture with: 'e asm.arch=' or r2 -a from the shell
8 | Move between your search hits in visual mode using the 'n' and 'N' keys
9 | Save your projects with 'Ps ' and restore them with 'Po '
10 | Enable asm.trace to see the tracing information inside the disassembly
11 | Change the registers of the child process in this way: 'dr eax=0x333'
12 | Check your IO plugins with 'r2 -L'
13 | Change the size of the file with the 'r' (resize) command
14 | Calculate current basic block checksum with the ph command (ph md5, ph crc32, ..)
15 | Use +,-,*,/ to change the size of the block
16 | Change the block size with 'b '. In visual mode you can also enter a radare2 command by pressing the ':' key (like vi does)
17 | If you want to open the file in read-write mode, invoke r2 with '-w'
18 | Print the contents of the current block with the 'p' command
19 | Command layout is: @. For example: 3x20@0x33 will show 3 hexdumps of 20 bytes at 0x33
20 | You can 'copy/paste' bytes using the cursor in visual mode 'c' and using the 'y' and 'Y' keys
21 | Move around the bytes with h,j,k,l! Arrow keys are neither portable nor efficient
22 | Seek at relative offsets with 's +' or 's -'
23 | Invert the block bytes using the 'I' key in visual mode
24 | Switch between print modes using the 'p' and 'P' keys in visual mode
25 | Add comments using the ';' key in visual mode or the 'CC' command from the radare2 shell
26 | Assemble opcodes with the 'a' and 'A' keys in visual mode, which are bindings to the 'wa' and 'wA' commands
27 | Find expanded AES keys in memory with '/ca'
28 | Find wide-char strings with the '/w ' command
29 | Enable ascii-art jump lines in disassembly by setting 'e asm.lines=true'. asm.lines.out and asm.linestyle may interest you as well
30 | Control the signal handlers of the child process with the 'dk' command
31 | Get a free shell with 'ragg2 -i exec -x'
32 | Interpret radare2 scripts with '. '. Similar to the bash source alias command.
33 | Most commands accept '?' as a suffix. Use it to understand how they work :)
34 | Find hexpairs with '/x a0 cc 33'
35 | Step through your seek history with the commands 'u' (undo) and 'U' (redo)
36 | Use hasher to calculate hashes of portions (blocks) of a file
37 | Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file
38 | Use 'zoom.byte=printable' in zoom mode ('z' in Visual mode) to find strings
39 | Add colors to your screen with 'e scr.color=X' where 1 is 16 colors, 2 is 256 colors and 3 is 16M colors
40 | Move the comments to the right by changing their margin with asm.cmt.margin
41 | Execute a command on the visual prompt with cmd.vprompt
42 | Reduce the delta where flag resolving by address is used with cfg.delta
43 | Disable these messages with 'e cfg.fortunes = false' in your ~/.radare2rc
44 | Change your fortune types with 'e cfg.fortunes.type = fun,tips,nsfw' in your ~/.radare2rc
45 | Show offsets in graphs with 'e graph.offset = true'
46 | Execute a command every time a breakpoint is hit with 'e cmd.bp = !my-program'
47 | Disassemble in intel syntax with 'e asm.syntax = intel'.
48 | Change the UID of the debugged process with child.uid (requires root)
49 | Enhance your graphs by increasing the size of the block and graph.depth eval variable.
50 | Control the height of the terminal on serial consoles with e scr.height
51 | Emulate the base address of a file with e file.baddr.
52 | Bindiff two files with '$ radiff2 /bin/true /bin/false'
53 | Execute commands on a temporary offset by appending '@ offset' to your command.
54 | Temporarily drop the verbosity by prefixing the commands with ':'
55 | Change the graph block definition with graph.callblocks, graph.jmpblocks, graph.flagblocks
56 | Use the 'id' command to see the source line related to the current seek
57 | Analyze socket connections with the socket plugin: 'radare2 socket://www.foo.com:80'. Use 'w' to send data
58 | To debug a program, you can call r2 with 'dbg://' or '-d '
59 | Use 'e' and 't' in Visual mode to edit configuration and track flags.
60 | Use 'rabin2 -ris' to get the import/export symbols of any binary.
61 | Remember to maintain your ~/.radare_history
62 | Enable the PAGER with 'e scr.pager=less -R'
63 | Use 'e asm.offset=true' to show offsets in 16bit segment addressing mode.
64 | The '?' command can be used to evaluate math expressions. Like this: '? (0x34+22)*4'
65 | Set 'e bin.dbginfo=true' to load debug information at startup.
66 | Rename a function using the 'afn @ ' command.
67 | You can redefine descriptive commands in the hud file and using the 'V_' command.
68 | Pass '-j' to rabin2 to get the information of the binary in JSON format.
69 | Use rarun2 to launch your programs with a predefined environment.
70 | You are probably using an old version of r2, go check out the git!
71 | Run your own r2 scripts in awk using the r2awk program.
72 | Use '-e bin.strings=false' to disable automatic string search when loading the binary.
73 | The unix-like reverse engineering framework.
74 | This code was intentionally left blank, try 'e asm.arch = ws'
75 | Thanks for using radare2!
76 | Give | and > a try: piping and redirection
77 | Run .dmm* to load the flags of the symbols of all modules loaded in the debugger
78 | Use V or v to enter visual or visual panels modes respectively
79 | Toggle between disasm and graph with the space key
80 | The more 'a' you add after 'aa' the more analysis steps are executed.
81 | Review all the subcommands of aa to see better ways to analyze your targets.
82 | Use /m to carve for known magic headers. speedup with search.
83 | You can use registers in math expressions. For example: 'wx 1234 @ esp - 2'
84 | For HTTP authentication 'e http.auth = 1', 'e http.authfile = '
85 | Tip: do 'r2pm -i r2premium; echo "e cfg.fortunes.type = nsfw" >> ~/.radare2rc' for a premium r2 experience
86 | Use the `:` command to run the io plugin cmd callback, many io plugins provide useful features, find them out!
87 | Change asm.var.summary variable to 0 to display all local variables and argument types and names
88 |
--------------------------------------------------------------------------------
/data/radare2/pending/2024-10-28-debugging-openai:gpt-4o-top_p-0.9-temp-0.7.tsv:
--------------------------------------------------------------------------------
1 | q a
2 | How can I set a breakpoint at address 0x401000? db 0x401000
3 | How can I continue execution until the next breakpoint? dc
4 | What command lists all current breakpoints? db
5 | How do I remove a breakpoint at address 0x401000? db- 0x401000
6 | How can I step through one instruction? ds
7 | How can I view the current CPU registers? dr
8 | What command shows the backtrace of the current execution? dbt
9 | How can I attach to a running process with PID 1234? dpa 1234
10 | How do I detach from the current process? dp-
11 | How can I list all threads of the current process? dpt
12 | What command can be used to step over the current instruction? dso
13 | How do I disable a breakpoint at address 0x401000? dbd 0x401000
14 | How can I enable a previously disabled breakpoint at address 0x401000? dbe 0x401000
15 | What command allows you to continue until a specific address? dcu 0x401000
16 | How can I execute a command when a breakpoint is hit at address 0x401000? dbc 0x401000
17 | How can I add a watchpoint on memory access at address 0x401000? dbw 0x401000 rw
18 | How can I print the current instruction pointer? dr PC
19 | What command shows the list of file descriptors? dd
20 | How can I send a signal to the debugged process? dk
21 | How do I display the memory maps of the debugged process? dm
22 | What command allows you to continue until a return instruction? dcr
23 | How can I modify the value of a CPU register? dr =
24 | How can I continue execution after a breakpoint? dc
25 | How can I list all loaded modules in the debugged process? dmm
26 | How can I view the list of loaded libraries? dml
27 | What command is used to reopen the current file in debug mode? ood
28 | How do I list all signals and their handlers? dk
29 | How can I set a hardware breakpoint at address 0x401000? dbH 0x401000
30 | What command is used to block until a process with PID 1234 exits? dw 1234
31 | How can I trace all executed instructions? dtr
32 | How do I continue until a specified syscall is reached? dcs
33 | How can I disable all breakpoints? db-*
34 | What command is used to open a process for debugging? do
35 | How can I print the values of all registers in JSON format? drj
36 | What command allows you to step back through instructions? dsb
37 | How can I continue until a specific function is called? dcc
38 | How do I list the memory snapshots? dms
39 | What command shows the list of all attachable processes? dpl
40 | How can I step over a syscall? dso
41 | How can I continue until the next program code is executed? dcp
42 | How can I print a list of all memory regions? dm
43 | How can I generate a core dump of the current process? dg
44 | How can I enable a breakpoint trace? dbte
45 | How do I continue until a conditional jump is reached? dcu
46 | What command allows you to continue execution until a fork occurs? dcf
47 | How can I modify the permissions of a memory page? dmp
48 | How can I create a new thread? dptn
49 | What command is used to continue execution until an exception occurs? dce
50 | How can I change the debug handler? dh
51 | How can I execute code in the child process? dx
52 | How can I list all traced instructions? dt
53 | How can I print the current backtrace in JSON format? dbtj
54 | How can I create a snapshot of the current memory state? dms.
55 | What command can be used to remove a breakpoint by index? dbi-
56 | How can I perform a syscall injection? dxs [args]
57 | How can I attach to the next forked process? dpc
58 | How can I print the backtrace with local variables? dbtv
59 | How can I continue execution until a specific module is loaded? dmm
60 | How can I list all debugger handlers? dL
61 | How can I reset all breakpoints? db-*
62 | How can I open a core file for debugging? oc
63 | How can I execute a shell command when a breakpoint is hit? dbc
64 | How do I list all the traced disassembled instructions? dtd
65 | How can I change the current debugged process? dp=
66 | How can I continue execution until the next call instruction? dcc
67 | How do I continue execution until a specified address is reached? dcu
68 | How can I continue until a syscall is encountered? dcs
69 | What command allows you to execute code and restore the state? dxr
70 | How can I show the current process ID? dpq
71 | How can I continue execution until a specific register condition? dsi
72 | How do I continue execution until an unknown call is encountered? dccu
73 | How can I continue until a specific range of addresses? dcu [from] [to]
74 | How can I kill the debugged process? dk
75 | How can I continue until the next instruction with a specific type? dso
76 | How do I list the current process and its children? dp
77 | How can I execute an egg expression in the child process? dxe
78 | How do I display the memory maps in JSON format? dmj
79 | How can I continue execution until a specific instruction is reached? dsu
80 | How can I swap the current thread? dpt=
81 | How can I execute opcodes in the child process? dx
82 | How can I list all open file descriptors in r2 commands? dd*
83 | How can I continue execution until the next syscall with a specific name? dcs
84 | How can I view the list of debugger signal handlers? dk
85 | How can I list the current thread ID? dpt.
86 | How do I continue execution until the next return instruction? dcr
87 | What command lists all the traced instructions in JSON format? dtj
88 | How can I list the current backtrace in ASCII art? dbta
89 | How do I continue execution until the next program code is reached? dcp
90 | How can I list all attached process IDs? dpl
91 | How can I continue execution until a specified range of addresses? dcu [from] [to]
92 | How do I continue execution until the next call is reached? dcc
93 | How can I list all hardware breakpoints? drx
94 | How can I step until an instruction with a specific type is reached? dsuo
95 | How can I continue execution until a specific function is called? dcc
96 | How do I continue execution until the next syscall is reached? dcs
97 | How can I execute a command at a breakpoint and continue until a condition? dbC
98 | How can I continue execution until a specific instruction with a condition? dsi
99 | How can I set a breakpoint command at an address? dbc
100 | What command lists the memory maps of the debugged process? dm
101 | How do I continue execution until a program code is encountered? dcp
102 | How can I detach from a process? dp-
103 | How can I list the current process ID? dpq
104 |
--------------------------------------------------------------------------------
/data/radare2/pending/2024-10-28-crypto-openai:gpt-4o-top_p-0.9-temp-0.7.tsv:
--------------------------------------------------------------------------------
1 | q a
2 | How can I search for AES keys in the memory of the binary? /ca aes
3 | What command can I use to find public keys in the binary? /cp
4 | How can I search for a specific cryptographic hash in the binary? /h sha256
5 | How do I find GPG keys and signatures in the binary? /cg
6 | How can I find DER-encoded certificates in the binary? /cd
7 | What command lists all available hash plugins? ph
8 | How do I calculate the MD5 hash of the current block? ph md5
9 | How to calculate the SHA1 hash of a specific section? ph sha1 @ section_name
10 | What command would you use to decode base64 encoded strings? p6d
11 | How can I encode a string using base64? ?b64
12 | How can I find SM4 keys in memory? /ca sm4
13 | How do I search for a collision in a cryptographic algorithm? /cc sha256
14 | How can I find ASN1/DER private keys in the binary? /cr
15 | What command do I use to decode an ASN1 OID? pFo
16 | How do I encrypt the current block with AES? poE aes
17 | How do I decrypt the current block using a specific algorithm? poD
18 | How can I calculate the CRC32 hash of the current block? ph crc32
19 | How to perform a binary magic search to identify cryptographic libraries? /m
20 | How can I find the known constant tables from hash algorithms? /ck
21 | How do I display the entropy of the current block? p=e
22 | What command do I use to find PEM encoded certificates? /cd
23 | How do I list the cryptographic algorithms supported by radare2? Lh
24 | How can I convert a string to its hexadecimal representation? ?x
25 | What command can I use to perform a base64 encoding of a string? ?b64
26 | How do I hash a string using SHA-256? ?h sha256
27 | How can I find ASN1/DER certificates in the binary? /cd
28 | What command helps in finding Rabin Karp matching strings? /k
29 | How do I analyze all cryptographic references in a binary? /c
30 | How can I search for a wide string 'crypto' in the binary? /w crypto
31 | How do I find data encoded with base64 in the binary? /b64
32 | How can I look for cryptographic functions in the binary? /r sym.crypto
33 | What command would you use to decode a hexadecimal string? ?x-
34 | How do I calculate a SHA-512 hash of a given file? ph sha512 @
35 | How can I search for Magic headers related to cryptography? /m
36 | How do I calculate the entropy for a section of the binary? p=e @ section_name
37 | What command allows me to search for cryptographic preambles? /p
38 | How do I encode data in hexpairs? ?x
39 | How can I search for password strings in the binary? /w password
40 | How do I decode a base64 string from the binary? p6d
41 | How can I calculate the hash of a function? ph sha256 @ sym.function_name
42 | What command can I use to scan for known cryptographic filesystems? /mm
43 | How do I encrypt a block with a key using XOR? pox
44 | How do I find signatures of cryptographic algorithms in memory? /s
45 | What command can calculate the entropy of a given function? p=e @ sym.function_name
46 | How can I list all sections of a binary that may contain crypto? iS
47 | How do I calculate the SHA-3 hash of a memory region? ph sha3 @
48 | What command would you use to find known cryptographic protocols? /m
49 | How can I find the digital signature in a binary? /c
50 | How do I perform a search for cryptographic patterns in the binary? /p
51 | How do I calculate the Adler32 hash of a section? ph adler32 @ section_name
52 | How do I find and decode ASN1 DER data structures? /cd
53 | How do I identify magic numbers related to cryptography? /m
54 | How can I find and extract private keys from the binary? /cr
55 | How do I search for a specific string related to cryptography? /s crypto
56 | How can I calculate the Whirlpool hash of a block? ph whirlpool
57 | How do I identify cryptographic libraries loaded in memory? /m
58 | What command can be used to add entropy calculations to analysis? aep
59 | How do I check if a binary section is encrypted? p=e @ section_name
60 | How can I find cryptographic padding in the binary? /c
61 | What command helps me find base64 encoded data? /b64
62 | How do I search for cryptographic functions using ESIL? /re
63 | How can I find all cryptographic hash functions in the binary? /r hash
64 | How do I display the entropy of a given section in the binary? p=e @ section_name
65 | How can I find the presence of cryptographic constants? /ck
66 | How do I calculate the Tiger hash of the current block? ph tiger
67 | How do I search for cryptographic data using YARA rules? /y
68 | How can I find cryptographic keys in the binary? /ca
69 | What command lists all potential cryptographic functions? /r sym.crypto
70 | How do I identify binary data that matches cryptographic signatures? /m
71 | How can I find cryptographic initialization vectors in memory? /ca
72 | How do I calculate the entropy of a file to check for encryption? p=e
73 | How do I find wide strings related to cryptography? /w crypto
74 | How can I search for cryptographic constants using a mask? /x
75 | How do I decrypt a block with a given key? poD
76 | What command would you use to list all cryptographic imports? ii
77 | How can I perform a cryptographic analysis on a section? /c
78 | How do I search for ASN1 encoded data in the binary? /cd
79 | How can I find cryptographic libraries via symbols? /m
80 | How do I search for cryptographic protocols in the binary? /m
81 | How do I calculate the GOST hash of a given section? ph gost @ section_name
82 | How can I identify cryptographic algorithm implementations? /r sym.crypto
83 | What command can find cryptographic preambles in the binary? /p
84 | How do I find cryptographic hash function calls? /r sym.hash
85 | How can I search for ASN1 encoded certificates? /cd
86 | How do I calculate the SHA-256 hash of a binary header? ph sha256 @ iH
87 | How can I find and decode DER encoded data? /cd
88 | How do I search for cryptographic signatures using regex? /e
89 | How do I search for encrypted sections in the binary? p=e
90 | How can I find cryptographic algorithms in the binary? /r sym.crypto
91 | How do I search for cryptographic symbols in imports? ii
92 | How can I decode base64 encoded cryptographic data? p6d
93 | How do I find data signatures related to cryptography? /s
94 | How can I search for cryptographic function references? /r sym.crypto
95 | What command can calculate the SHA-384 hash of a block? ph sha384
96 | How do I find cryptographic libraries in the binary? /m
97 | How can I identify cryptographic functions in the binary? /r sym.crypto
98 | How do I list all cryptographic exports in the binary? iE
99 | How can I find cryptographic key expansions in memory? /ca
100 | How do I search for cryptographic routines using YARA? /y
101 | How do I find cryptographic preambles in the binary? /p
102 |
--------------------------------------------------------------------------------
/data/radare2/Attic/o1-mini.tsv:
--------------------------------------------------------------------------------
1 | q a
2 | How do I open a binary file named `example.exe`? o example.exe
3 | I want to analyze all functions in the binary. aaa
4 | How do I seek to the entry point of the binary? s entry0
5 | Show me the first 100 hexadecimal bytes of the binary. px 100
6 | Disassemble 20 instructions starting from the current address. pd 20
7 | How do I list all functions found in the analysis? afl
8 | I want to see the disassembly of the `main` function. pdf @ sym.main
9 | How can I print the contents at the address stored in the `esp` register? px 200 @ esp
10 | Dump the `main` function's buffer as a C byte array to `main.c`. pc > main.c @ sym.main
11 | Replace every symbol with a NOP instruction. wx 90 @@ sym.*
12 | Grep for instructions that use the `eax` register within the first 2000 instructions. pd 2000 | grep eax
13 | Step through the debugger 10 times. 10ds
14 | Show me 20 hexadecimal bytes at the stack pointer. px 20 @ rsp
15 | Write a NOP sled to a file named `nop_sled.c`. pc > nop_sled.c
16 | How do I rename the function at address `0x080485a5` to `new_func`? afvn new_func 0x080485a5
17 | I want to set a breakpoint at the `main` function. db sym.main
18 | Continue execution in the debugger until the next breakpoint. dc
19 | Show all imported functions in JSON format. iij
20 | List all sections of the binary. iS
21 | Search for the string "password" in the binary. /c "password"
22 | How do I list all loaded types? t
23 | Define a new struct named `MyStruct` with a `char a` and `int b`. "td struct MyStruct {char a; int b;}"
24 | Cast the data at address `0x08048648` to `MyStruct` and print it. tp MyStruct @ 0x08048648
25 | Calculate the size of the string at address `0x080487cf`. ?vi 0x080487cf
26 | How do I compare two files `file1.bin` and `file2.bin`? cmp file1.bin file2.bin
27 | Show the control flow graph of the `main` function in DOT format. agc.d @ sym.main
28 | Export the list of functions to a JSON file. aflj > functions.json
29 | Find all references to the string "Hello World". axt "Hello World"
30 | How do I visualize the call graph of the binary? agc.d
31 | I want to list all virtual tables in the binary. av
32 | Search for syscall instructions in the binary. /ad/ svc
33 | Show all environment variables set by radare2. e
34 | How do I execute the shell command `ls` from within radare2? !ls
35 | Pipe the disassembly of `main` to `grep` for the `call` instruction. pdf @ sym.main | grep call
36 | How can I load FLIRT signatures from `libc.sdb`? zo libc.sdb
37 | Generate a signature for the `entry0` function. zaf entry0 entry
38 | List all currently loaded signatures in JSON format. zj
39 | Find functions that best match the `malloc` signature. zbr sym.__libc_malloc 10
40 | Display the virtual address corresponding to the physical address `0x4000`. ?P 0x4000
41 | Get the physical address for the virtual address `0x080485a5`. ?p 0x080485a5
42 | How do I view the current seek offset in hexadecimal? ?v
43 | Convert the string "test" to its hexadecimal representation. ?x "test"
44 | I want to list all loaded enums. te
45 | Add a comment "Initialize variables" at address `0x08048648`. CC "Initialize variables" @ 0x08048648
46 | Remove all comments from the binary. CC-
47 | Show the comments in JSON format. Cjj
48 | How do I list all loaded plugins? Ll
49 | Mount an ext2 filesystem located at `/dev/sdb1` to `/mnt`. m /mnt ext2 0
50 | List all current mount points. m
51 | Push the current directory onto the stack and change to `/tmp`. pushd /tmp
52 | Pop the last directory from the stack and change back to it. popd
53 | How do I list all basic block references? afjj
54 | I want to visualize the basic blocks of the `foo` function. agf.d @ sym.foo
55 | Search for the hexadecimal pattern `0x90 0x90 0x90` in the binary. /x 909090
56 | How do I decode a base64 string `SGVsbG8=` and write it to address `0x08049000`? w6e SGVsbG8= @ 0x08049000
57 | List all loaded union types. tu
58 | How can I display the stack frames in the debugger? dr
59 | Rename the symbol `fcn.08048648` to `init`. fr init fcn.08048648
60 | Show the sizes of all functions in the binary. afll
61 | How do I check the endianness of the binary? e asm.endian
62 | Set the architecture to ARM. e asm.arch=arm
63 | How do I list all imported libraries? iL
64 | Find all references to the function `printf`. axt sym.imp.printf
65 | Visualize the control flow graph of the `main` function using Graphviz. agc.d @ sym.main > cfg.dot
66 | Convert a sequence of bytes `0xDEADBEEF` into a string. ?x DEADBEEF
67 | Show all reachable functions from the `main` function. aflj | jq '.[] | select(.refs | contains("sym.main"))'
68 | How do I set the stack frame size for the current function to 0x30? afS 0x30
69 | Create a new flag named `myFlag` at address `0x08049000` with size 8. f myFlag 8 @ 0x08049000
70 | List all flags in the current flagspace. f
71 | Remove the flag named `oldFlag`. f-oldFlag
72 | How do I list all function arguments for `main`? afv @ sym.main
73 | Show the type of the variable `local_10h` in `main`. afvt local_10h
74 | How can I export all current flags to a file? fj > flags.json
75 | Import flags from a JSON file named `import_flags.json`. fj import_flags.json
76 | Show the hexadecimal value of the register `eax`. dr eax
77 | How do I visualize the string reference graph? agd.g
78 | Dump the memory from address `0x08048000` to `0x08049000` into a file named `dump.bin`. axg0x08048000 0x08049000 > dump.bin
79 | Set the calling convention of the `add` function to `cdecl`. afc cdecl @ sym.add
80 | List all available calling conventions for the current architecture. afcl
81 | Show the internal analysis hints at address `0x08048648`. ah 0x08048648
82 | Disable the automatic analysis of function arguments. e anal.vars=false
83 | How do I search for all conditional jumps in the binary? /a jmp
84 | Print a tree map graph of all functions. agtt
85 | Reload the binary after making changes. o-
86 | Show the current file's sections with their permissions. iS
87 | How do I list all register-based arguments of a function? afvr @ sym.main
88 | Execute a script named `fix_flags.r2`. . fix_flags.r2
89 | Search for hexadecimal bytes `0xCAFEBABE` in the binary. /x CAFEBABE
90 | How can I reset all analysis data and start fresh? aaa -c
91 | Visualize the call graph in an interactive ASCII art view. agc.v
92 | List all loaded debuggers. dL
93 | Change the endianness to big endian. e asm.endian=big
94 | Compare the current binary with another binary `another.exe`. cmp example.exe another.exe
95 | How do I display the stack trace in the debugger? dbt
96 | Rename a variable in the current function from `var1` to `counter`. afv=counter var1 @ sym.current_function
97 | Show all virtual table entries in the binary. av
98 | How do I list all basic block information for the function `init`? afb @ sym.init
99 | Write the disassembly of the `init` function to a file named `init.asm`. pdf @ sym.init > init.asm
100 | I want to see all strings referenced by the binary in a table format. izj > strings.json
101 | How do I visualize the data reference graph of the binary? agd.d
--------------------------------------------------------------------------------
/data/radare2/pending/radare2_todo.tsv:
--------------------------------------------------------------------------------
1 | 4. **User Query:** Show me the first 100 hexadecimal bytes of the binary.
2 | **radare2 Command:** `px 100@e:io.va=0@0` # problem is that priorized fd maybe its not the bin
3 |
4 | 23. **User Query:** Cast the data at address `0x08048648` to `MyStruct` and print it.
5 | **radare2 Command:** `tp MyStruct @ 0x08048648`
6 |
7 | 80. **User Query:** Show the internal analysis hints at address `0x08048648`.
8 | **radare2 Command:** `ah 0x08048648`
9 | q,a
10 | I want to see what environment variables this program might use. How do I find those references?,axt @sym.getenv
11 | How do I look at the stack setup in the beginning of a function?,"pd 10 @sym.main~push,sub"
12 | I want to find places where the program reads files. How do I look for file operations?,axt @sym.fopen
13 | I want to look for potential format string vulnerabilities. How do I find printf calls?,axt @sym.printf
14 | How do I see what's happening right before a function returns?,pd 10 @sym.main~ret
15 | I want to find functions that don't have any callers. How can I do that?,afl!xref
16 | How can I see if this program has any anti-debugging tricks? Like checking for debuggers?,"afl~debug,ptrace"
17 | How do I find places where the program might be using passwords or encryption keys?,"iz~password,key,secret"
18 | How do I look for functions that might be handling user input?,"afl~input,read,scanf,gets"
19 | How can I find functions that look like they're doing string operations?,"afl~str,strcpy,strcat"
20 | I want to see all the places where the program might be making network connections.,axt @sym.connect
21 | How do I find functions that contain a lot of jump instructions?,"pd 100 @sym.main~jmp,je,jne"
22 | I want to look for potential buffer overflow vulnerabilities. How do I find unsafe string functions?,axt @sym.strcpy
23 | How can I see what command line options this program might accept?,"iz~-h,--help"
24 | I want to find all the error handling routines in the program. How do I search for those?,"afl~error,exception,handle"
25 | How do I see if this program uses any random number generation?,axt @sym.rand
26 | I want to see all the constant numbers used in a function. How do I find immediate values?,pd 100 @sym.main~0x
27 | How can I find where the program is loading configuration files?,"axt @sym.fopen~config,conf,ini"
28 | I want to see if there are any base64 encoded strings in the binary. How do I look?,"iz~[A-Za-z0-9+/]={0,2}"
29 | How do I find functions that might be doing logging or debugging?,"afl~log,debug,print"
30 | I want to see all the places where the program checks return values. How do I find error checks?,pd 100~cmp.*?eax
31 | How can I find functions that use a lot of stack space? Maybe they have buffer overflows.,afl~stack
32 | I want to see if this program creates any temporary files. How do I find those operations?,axt @sym.tmpfile
33 | I want to find where the program might be executing shell commands.,axt @sym.system
34 | How can I see all the comparison operations in a loop?,"pd 100 @sym.main~loop,cmp"
35 | I want to find functions that look like they're doing authentication.,"afl~auth,login,verify"
36 | How do I see what memory protection functions the program uses?,axt @sym.mprotect
37 | I want to find places where the program might be doing time-based operations.,axt @sym.time
38 | How can I see if there are any hardcoded database queries?,"iz~SELECT,INSERT,UPDATE"
39 | I want to find functions that might be handling compressed data.,"afl~compress,zip,gzip"
40 | How do I look for functions that might be doing certificate or SSL operations?,"afl~ssl,cert,tls"
41 | I want to see all the places where the program might be using environment variables.,axt @sym.getenv
42 | How can I find functions that look like they're doing data validation?,"afl~valid,check,verify"
43 | I want to see if this program creates any mutex or semaphore objects.,axt @sym.pthread_mutex_init
44 | How do I find places where the program might be doing privilege checks?,"afl~priv,admin,root"
45 | I want to see what variables a function is using. How do I look at local vars?,afv
46 | How can I find all the functions that never return to their caller?,afl~noreturn
47 | I want to see what kind of signal handlers this program sets up. How do I find those?,axt @sym.signal
48 | How do I look for possible backdoors? Like hidden commands or passwords?,"iz~backdoor,hidden,secret"
49 | I want to find all the places where the program allocates heap memory dynamically.,"axt @sym.malloc,@sym.calloc"
50 | How can I see what command line arguments a function is processing?,"pd 100 @main~argc,argv"
51 | I want to find functions that might be doing image processing or graphics.,"afl~image,pixel,draw"
52 | How do I see what shared memory operations the program uses?,axt @sym.shm
53 | I want to find places where the program might be doing bitwise operations.,"pd 100~and,or,xor,shl,shr"
54 | How can I see what thread-related functions this program uses?,"afl~thread,pthread"
55 | I want to find functions that might be implementing custom algorithms.,"afl~algorithm,hash,compute"
56 | How do I look for possible integer overflow vulnerabilities?,"pd 100~mul,imul,add"
57 | I want to see all the places where the program uses system time.,"axt @sym.time,@sym.gettimeofday"
58 | How can I find functions that might be handling keyboard input?,"afl~key,input,stdin"
59 | I want to see if this program creates any child processes or threads.,"axt @sym.fork,@sym.pthread_create"
60 | How do I find functions that might be doing data encoding/decoding?,"afl~encode,decode,convert"
61 | I want to see all the places where the program might be loading plugins.,axt @sym.dlopen
62 | How can I find functions that might be implementing state machines?,"afl~state,transition"
63 | How do I find places where the program might be doing pointer arithmetic?,pd 100~lea
64 | How do I see what functions get called right when the program starts up?,axt @sym._init
65 | I want to find all the places where data is being written to memory. How do I see mov instructions?,pd 100 @sym.main~mov
66 | How can I look for functions that might contain infinite loops?,pd 100~jmp.*0x
67 | I want to see if this program does any DNA or genomic analysis.
How do I search for bio-related functions?,"afl~dna,gene,sequence" 68 | How do I find all the places where the program is doing string comparisons?,axt @sym.strcmp 69 | How can I find functions that might be implementing custom protocols?,"afl~protocol,packet,parse" 70 | I want to see all the places where the program might be doing audio processing.,"afl~audio,sound,wav" 71 | How do I find functions that might be handling Unicode strings?,"afl~unicode,utf,wchar" 72 | I want to see what kind of timer functions this program uses.,axt @sym.setitimer 73 | How can I find places where the program might be doing checksum calculations?,"afl~checksum,crc,hash" 74 | I want to see all the places where the program uses synchronization primitives.,axt @sym.pthread_mutex_lock 75 | How do I find functions that might be implementing caches?,"afl~cache,buffer,temp" 76 | How do I find all the places where the program is using memory pools? afl~pool,allocator,arena 77 | -------------------------------------------------------------------------------- /data/radare2/pending/r2gpt-advent.tsv.ignored: -------------------------------------------------------------------------------- 1 | Finding Strings What command would you use to search for the ascii string 'hello' in the binary.? / Hello 2 | Analyzing Functions Which Radare2 command is used to list all functions analyzed in the binary.? afl 3 | Finding Strings What command would you use to search for the ascii string 'hello' in the binary.? / Hello 4 | Code Coverage What command would you use to analyze all code call destinations and find additional functions.? aac 5 | Breakpoints Which Radare2 command is used to set a breakpoint at the symbol 'main'.? db sym.main 6 | Searching Patterns What command would you use to search for the hexadecimal pattern '41 42 43'.? /x 414243 7 | Searching How can you find a 4-byte value 0x90 in little-endian format. in Radare2? 
/v4 0x90 @ e:cfg.bigendian=false 8 | Breakpoints What command would you use to set a breakpoint at the symbol 'main'.? db sym.main 9 | Searching How can you find a 4-byte value 0x90 in little-endian format. in Radare2? /v4 0x90 @ e:cfg.bigendian=false 10 | Breakpoints What command would you use to set a breakpoint at the symbol 'main'.? db sym.main 11 | Analyzing Functions What command would you use to list all functions analyzed in the binary.? afl 12 | Scripting in Radare2 What command would you use to execute a script in radare2 non-interactively.? r2 -qi script.r2 13 | Code Coverage What command would you use to analyze all code call destinations and find additional functions.? aac 14 | Searching Patterns Explain the Radare2 command to search for the hexadecimal pattern '41 42 43'.. /x 414243 15 | Breakpoints Which Radare2 command is used to set a breakpoint at the symbol 'main'.? db sym.main 16 | Disassembling Code Which Radare2 command is used to disassemble the next 10 instructions from the current offset.? pd 10 17 | Debugging Techniques Provide the Radare2 command to continue execution until the 'main' function is reached.. dcu main 18 | Using Plugins What command would you use to install the r2frida plugin using r2pm.? r2pm -i r2frida 19 | Using Plugins How can you install the r2frida plugin using r2pm. in Radare2? r2pm -i r2frida 20 | Breakpoints Provide the Radare2 command to set a breakpoint at the symbol 'main'.. db sym.main 21 | Analyzing Functions Explain the Radare2 command to list all functions analyzed in the binary.. afl 22 | Searching Patterns Explain the Radare2 command to search for the hexadecimal pattern '41 42 43'.. /x 414243 23 | Disassembling Code What command would you use to disassemble the next 10 instructions from the current offset.? pd 10 24 | Analyzing Functions Provide the Radare2 command to list all functions analyzed in the binary.. 
afl 25 | Searching Patterns What command would you use to search for the hexadecimal pattern '41 42 43'.? /x 414243 26 | Examining Binary Headers What command would you use to display detailed information about the binary headers.? iI 27 | Analyzing Functions Explain the Radare2 command to list all functions analyzed in the binary.. afl 28 | Using Plugins How can you install the r2frida plugin using r2pm. in Radare2? r2pm -i r2frida 29 | Code Coverage Explain the Radare2 command to analyze all code call destinations and find additional functions.. aac 30 | Searching Patterns Explain the Radare2 command to search for the hexadecimal pattern '41 42 43'.. /x 414243 31 | Examining Binary Headers How can you display detailed information about the binary headers. in Radare2? iI 32 | Finding Strings Provide the Radare2 command to search for the ascii string 'hello' in the binary.. / Hello 33 | Searching Patterns Explain the Radare2 command to search for the hexadecimal pattern '41 42 43'.. /x 414243 34 | Disassembling Code Provide the Radare2 command to disassemble the next 10 instructions from the current offset.. pd 10 35 | Debugging Techniques What command would you use to continue execution until the 'main' function is reached.? dcu main 36 | Debugging Techniques Provide the Radare2 command to continue execution until the 'main' function is reached.. dcu main 37 | Searching How can you find a 4-byte value 0x90 in little-endian format. in Radare2? /v4 0x90 @ e:cfg.bigendian=false 38 | Using Plugins Explain the Radare2 command to install the r2frida plugin using r2pm.. r2pm -i r2frida 39 | Breakpoints Which Radare2 command is used to set a breakpoint at the symbol 'main'.? db sym.main 40 | Breakpoints Which Radare2 command is used to set a breakpoint at the symbol 'main'.? db sym.main 41 | Breakpoints What command would you use to set a breakpoint at the symbol 'main'.? db sym.main 42 | Breakpoints Explain the Radare2 command to set a breakpoint at the symbol 'main'.. 
db sym.main 43 | Analyzing Functions Provide the Radare2 command to list all functions analyzed in the binary.. afl 44 | Breakpoints How can you set a breakpoint at the symbol 'main'. in Radare2? db sym.main 45 | Code Coverage What command would you use to analyze all code call destinations and find additional functions.? aac 46 | Analyzing Functions What command would you use to list all functions analyzed in the binary.? afl 47 | Disassembling Code What command would you use to disassemble the next 10 instructions from the current offset.? pd 10 48 | Using Plugins Which Radare2 command is used to install the r2frida plugin using r2pm.? r2pm -i r2frida 49 | Debugging Techniques Explain the Radare2 command to continue execution until the 'main' function is reached.. dcu main 50 | Scripting in Radare2 How can you execute a script in radare2 non-interactively. in Radare2? r2 -qi script.r2 51 | Analyzing Functions Provide the Radare2 command to list all functions analyzed in the binary.. afl 52 | Scripting in Radare2 How can you execute a script in radare2 non-interactively. in Radare2? r2 -qi script.r2 53 | Using Plugins What command would you use to install the r2frida plugin using r2pm.? r2pm -i r2frida 54 | Examining Binary Headers Explain the Radare2 command to display detailed information about the binary headers.. iI 55 | Using Plugins Which Radare2 command is used to install the r2frida plugin using r2pm.? r2pm -i r2frida 56 | Breakpoints Provide the Radare2 command to set a breakpoint at the symbol 'main'.. db sym.main 57 | Searching Patterns Which Radare2 command is used to search for the hexadecimal pattern '41 42 43'.? /x 414243 58 | Searching Provide the Radare2 command to find a 4-byte value 0x90 in little-endian format.. /v4 0x90 @ e:cfg.bigendian=false 59 | Searching What command would you use to find a 4-byte value 0x90 in little-endian format.? 
/v4 0x90 @ e:cfg.bigendian=false 60 | Examining Binary Headers Provide the Radare2 command to display detailed information about the binary headers.. iI 61 | Finding Strings What command would you use to search for the ascii string 'hello' in the binary.? / Hello 62 | Disassembling Code Provide the Radare2 command to disassemble the next 10 instructions from the current offset.. pd 10 63 | Analyzing Functions What command would you use to list all functions analyzed in the binary.? afl 64 | Code Coverage Explain the Radare2 command to analyze all code call destinations and find additional functions.. aac 65 | Scripting in Radare2 Explain the Radare2 command to execute a script in radare2 non-interactively.. r2 -qi script.r2 66 | Examining Binary Headers Provide the Radare2 command to display detailed information about the binary headers.. iI 67 | Function Analysis How can I modify patched sections? oj+ 68 | -------------------------------------------------------------------------------- /data/radare2/pending/claude-numbers2.tsv.ignored: -------------------------------------------------------------------------------- 1 | Kernel Analysis How do I get distance between drivers? ?v $MM 2 | Kernel Analysis How do I get distance between drivers? ?v $MM 3 | Kernel Analysis How do I get distance between drivers? ?v $MM 4 | Kernel Analysis How do I calculate size of kernel section? ?v $s{.text} 5 | Kernel Analysis How do I find offset to kernel base? ?v $D-$DB 6 | Network Analysis How do I calculate packet alignment? ?v 4-($SS%4) 7 | Network Analysis How do I find size of network buffer? ?v $s{buffer} 8 | Network Analysis How do I get distance between packets? ?v $MM 9 | Network Analysis How do I calculate size of packet header? ?v $i2-$FB 10 | Network Analysis How do I find offset to packet payload? ?v $Dn-$FB 11 | Mach-O Analysis How do I calculate segment alignment? ?v 4096-($MM%4096) 12 | Mach-O Analysis How do I find size of linkedit? 
?v $s{__LINKEDIT} 13 | Mach-O Analysis How do I get distance between segments? ?v $MM 14 | Mach-O Analysis How do I calculate size of commands? ?v $s{lcmds} 15 | Mach-O Analysis How do I find offset to load commands? ?v $Dn-$B 16 | ELF Analysis How do I calculate segment alignment? ?v 4096-($MM%4096) 17 | ELF Analysis How do I find size of dynamic section? ?v $s{.dynamic} 18 | ELF Analysis How do I get distance between segments? ?v $MM 19 | ELF Analysis How do I calculate size of section headers? ?v $s{shdr} 20 | ELF Analysis How do I find offset to program headers? ?v $Dn-$B 21 | Binary PE Analysis How do I calculate size of optional header? ?v $s{opthdr} 22 | PE Analysis How do I find offset to PE header? ?v $S{pe}-$B 23 | Debug Info How do I calculate debug data alignment? ?v 4-($SS%4) 24 | Debug Info How do I find size of debug symbols? ?v $SS-($S-$DB) 25 | Debug Info How do I get distance between line numbers? ?v 4*$w 26 | Debug Info How do I find offset to debug directory? ?v $Dn-$DB 27 | Symbol Analysis How do I calculate symbol alignment? ?v 4-($o%4) 28 | Symbol Analysis How do I get distance between symbols? ?v 18*$w 29 | Symbol Analysis How do I find offset to symbol table? ?v $Dn-$DB 30 | Relocation Analysis How do I calculate relocation alignment? ?v 4-($SS%4) 31 | Relocation Analysis How do I find size of relocation block? ?v $SS-($S-$DB) 32 | Relocation Analysis How do I get distance between relocations? ?v $w 33 | Relocation Analysis How do I calculate size of relocation section? ?v $s{.reloc} 34 | Relocation Analysis How do I find offset to relocation table? ?v $Dn-$DB 35 | Exception Analysis How do I find size of exception data? ?v $SS-($S-$DB) 36 | Exception Analysis How do I get distance between catch blocks? ?v $Fe-$Ff 37 | Exception Analysis How do I calculate size of exception table? ?v $s{.pdata} 38 | Exception Analysis How do I find offset to exception handler? ?v $Xn-$FB 39 | Thread Analysis How do I calculate thread stack alignment? 
?v 16-($r{rsp}%16) 40 | Thread Analysis How do I find size of thread data? ?v $s{tls} 41 | Thread Analysis How do I get distance between thread locals? ?v $w 42 | Thread Analysis How do I calculate thread stack size? ?v $MM 43 | Thread Analysis How do I find offset to thread context? ?v $r{rdi} 44 | Resource Analysis How do I calculate resource alignment? ?v 8-($SS%8) 45 | Resource Analysis How do I find size of resource data? ?v $SS-($S-$DB) 46 | Resource Analysis How do I get distance between resource entries? ?v 8*$w 47 | Resource Analysis How do I calculate size of resource directory? ?v $s{.rsrc} 48 | Resource Analysis How do I find offset to resource section? ?v $S{.rsrc}-$DB 49 | Export Analysis How do I calculate export ordinal table size? ?v $w*($SS/4) 50 | Export Analysis How do I find size of export name table? ?v $SS-($S-$DB) 51 | Export Analysis How do I get distance between exported functions? ?v $Xn-$X{n-1} 52 | Export Analysis How do I calculate size of export directory? ?v $s{.edata} 53 | Export Analysis How do I find offset to export table? ?v $Dn-$DB 54 | Import Analysis How do I calculate size of import directory? ?v $s{.idata} 55 | Import Analysis How do I find offset to import table? ?v $Dn-$DB 56 | Data Analysis How do I calculate data section alignment? ?v 4096-($SS%4096) 57 | Data Analysis How do I find size of string table? ?v $e{strings_end}-$S 58 | Data Analysis How do I get distance between array elements? ?v $w 59 | Data Analysis How do I calculate size of data structure? ?v $s{struct} 60 | Data Analysis How do I find offset to global variable? ?v $Dn-$B 61 | Control Flow How do I find size of switch table? ?v $Fj-$j 62 | Control Flow How do I get distance between conditional jumps? ?v $Ja-$J{a-1} 63 | Control Flow How do I calculate size of loop body? ?v $Fe-$j 64 | Stack Analysis How do I find distance to return address? ?v $r{rbp}+8-$r{rsp} 65 | Stack Analysis How do I get size of saved registers? 
?v $r{rbp}-$I1 66 | Stack Analysis How do I calculate stack frame alignment? ?v ($r{rsp}+15)&(~15) 67 | Crypto Analysis How do I find size of encryption key? ?v $s{key_data} 68 | Shell Code How do I find offset to shellcode payload? ?v $m-$FB 69 | Shell Code How do I calculate encoder stub size? ?v $Fi 70 | ROP Analysis How do I calculate ROP payload alignment? ?v 8-($r{rsp}%8) 71 | ROP Analysis How do I find size of stack pivot? ?v $Fe-$j 72 | ROP Analysis How do I get distance between gadgets? ?v $Xn-$X{n-1} 73 | ROP Analysis How do I calculate gadget chain length? ?v ($i3-$FB)*4 74 | ROP Analysis How do I find offset to ROP gadget? ?v $I1-$FB 75 | Vulnerability Analysis How do I calculate heap buffer overflow size? ?v $Dn-$m 76 | Vulnerability Analysis How do I find size of integer overflow? ?v $w 77 | Vulnerability Analysis How do I get offset to format string? ?v $m-$B 78 | Vulnerability Analysis How do I calculate size of unsafe memcpy? ?v $v 79 | Vulnerability Analysis How do I find distance to stack buffer? ?v $r{rbp}-16-$r{rsp} 80 | Anti-Debug How do I calculate checksum verification size? ?v $FS-($Fe-$Ff) 81 | Anti-Debug How do I get distance between integrity checks? ?v $Xn-$X{n-1} 82 | Anti-Debug How do I calculate size of self-modifying code? ?v $Fe-$Ff 83 | Binary Diffing How do I get distance between modified instructions? ?v $i{n}-$i{n-1} 84 | Binary Diffing How do I calculate size difference of patches? ?v $FS-($FS@$B) 85 | Binary Diffing How do I find offset between similar functions? ?v $FB-($FB@$B) 86 | Code Coverage How do I get distance between covered blocks? ?v $Fe-$Fb 87 | Code Coverage How do I find size of executed instructions? ?v $i{n}-$FB 88 | Code Coverage How do I calculate basic block coverage ratio? ?v ($Fi/$FS)*100 89 | Code Coverage How do I get size of uncovered code region? ?v $Fe-($FB+$Fi) 90 | Memory Analysis How do I calculate memory region overlap? 
?v ($M+$MM)-$D 91 | Memory Analysis How do I find distance between heap chunks? ?v $Dn-$D{n-1} 92 | Memory Analysis How do I get offset to next aligned address? ?v ($$+15)&(~15) 93 | Memory Analysis How do I calculate heap chunk size? ?v $r{rax}&(~7) 94 | Function Analysis How do I get size of largest basic block? ?v $Fs 95 | Function Analysis How do I find offset to function epilogue? ?v $FE-$I1 96 | Function Analysis How do I get size of function prologue? ?v $i2-$FB 97 | Debug How do I find distance to stack canary on x86-64 bit binary when debugging? ?v $r{rbp}-8-$r{rsp} 98 | Debug How do I find distance to next breakpoint? ?v $Cn-$$ 99 | Malware Analysis How do I measure size of unpacking stub? ?v $Fe-$FB 100 | Firmware Analysis How do I calculate flash page boundaries? ?v $$-($$ % 4096) 101 | Firmware Analysis How do I find offset between two memory-mapped regions? ?v $M-$B 102 | -------------------------------------------------------------------------------- /data/radare2/pending/claude-search.txt: -------------------------------------------------------------------------------- 1 | Question Command 2 | How do I search for the string "/bin/sh" in memory? / /bin/sh 3 | How do I find all function preludes in the binary? /pp 4 | How do I search for AES encryption keys in memory? /ca aes 5 | How do I find references to a specific function at address 0x4000? /r 0x4000 6 | How do I search for cross-references to system calls? /as 7 | How do I find all write operations to a specific memory address? /rw 8 | How do I search for sequences of assembly instructions that form infinite loops? /aI 9 | How do I locate potential RSA private keys in memory? /cr 10 | How do I find all backward jumps that might indicate loops? /ab 11 | How do I search for UTF-16/wide-char strings? /w 12 | How do I find instructions that use a specific immediate value like 0x1337? /ai 0x1337 13 | How do I search for byte sequences using wildcards? 
/x ff..33 14 | How do I find all call references in the code? /rc 15 | How do I search for specific assembly instruction patterns case-sensitively? /ac 16 | How do I locate PGP/GPG keys and signatures in memory? /cg 17 | How do I find all graph paths between two functions? /g 18 | How do I search for specific assembly instructions backwards from current position? /b 19 | How do I find sections in the binary with similar entropy? /s 20 | How do I search for common file signatures and headers? /mb 21 | How do I find all read operations to memory? /rr 22 | How do I search for specific instruction types like arithmetic operations? /at 23 | How do I locate potential cryptographic constant tables? /ck 24 | How do I find executable memory regions? /rx 25 | How do I search for specific assembly instruction sequences? /ad 26 | How do I find all cross-references to a specific address? /ra 27 | How do I search for potential malware signatures in memory? /m 28 | How do I find instructions matching a specific CPU family? /af 29 | How do I search for specific bytes with a binary mask? /x 9090cd80:ffff7ff0 30 | How do I locate potential SSL/TLS certificates? /cd 31 | How do I find all syscalls in the analyzed code? /asq 32 | How do I search for specific immediate values within a range? /ai 0x100 0x200 33 | How do I find common magic bytes patterns? /m 34 | How do I search for strings of a specific length? /z 35 | How do I find ROP gadgets containing specific instructions? /R 36 | How do I search for specific bytes ignoring case? /i 37 | How do I find all functions that reference a specific string? /r 38 | How do I locate potential cryptographic keys in memory? /c 39 | How do I search for instruction patterns in disassembly? /ad 40 | How do I find all cross-references to imported functions? /ra 41 | How do I search for specific assembly mnemonics? /am 42 | How do I find potential stack pivots for ROP chains? /R 43 | How do I search for specific byte patterns backwards? 
/b 44 | How do I locate potential shellcode patterns? /x 45 | How do I find all write operations in the code? /rw 46 | How do I search for specific instruction sequences with JSON output? /adj 47 | How do I find potential format string vulnerabilities? /s 48 | How do I search for specific CPU instructions? /a 49 | How do I locate standard function prologs? /pp 50 | How do I find all memory regions with execute permissions? /rx 51 | How do I search for specific opcode patterns? /x 52 | How do I find references to specific memory addresses? /r 53 | How do I search for common cryptographic constants? /ck 54 | How do I locate potential buffer overflow targets? /s 55 | How do I find instructions using specific registers? /a 56 | How do I search for specific byte sequences in memory? /x 57 | How do I find all functions containing specific instructions? /aF 58 | How do I locate potential heap spray patterns? /s 59 | How do I search for specific instruction types in analyzed code? /at 60 | How do I find references to specific imported functions? /r 61 | How do I search for common exploit patterns? /x 62 | How do I locate potential ROP gadget entry points? /R 63 | How do I find all cross-references to data sections? /r 64 | How do I search for specific byte patterns with masks? /x 65 | How do I locate potential stack canary checks? /a 66 | How do I find all function epilogs? /a ret 67 | How do I search for specific instruction sequences quietly? /adq 68 | How do I locate potential ASLR bypass gadgets? /R 69 | How do I find all memory write operations? /rw 70 | How do I search for specific register usage patterns? /a 71 | How do I locate potential format string patterns? /s 72 | How do I find cross-references to specific data? /r 73 | How do I search for common encryption constants? /ck 74 | How do I locate potential integer overflow patterns? /s 75 | How do I find instructions accessing specific memory regions? 
/r 76 | How do I search for specific byte sequences case-insensitively? /i 77 | How do I locate potential use-after-free patterns? /s 78 | How do I find all function calls to a specific address? /rc 79 | How do I search for specific assembly patterns with JSON output? /aj 80 | How do I locate potential race condition patterns? /s 81 | How do I find all cross-references to specific strings? /r 82 | How do I search for common vulnerability patterns? /s 83 | How do I locate potential null pointer dereference patterns? /s 84 | How do I find instructions using specific memory addresses? /r 85 | How do I search for specific byte patterns in analyzed code? /x 86 | How do I locate potential double-free patterns? /s 87 | How do I find all references to specific functions? /r 88 | How do I search for common exploit techniques? /x 89 | How do I locate potential command injection patterns? /s 90 | How do I find instructions modifying specific registers? /a 91 | How do I search for specific instruction sequences in functions? /ad 92 | How do I locate potential buffer underflow patterns? /s 93 | How do I find all memory read operations? /rr 94 | How do I search for specific opcode patterns with masks? /x 95 | How do I locate potential type confusion patterns? /s 96 | How do I find cross-references to specific memory regions? /r 97 | How do I search for common shellcode signatures? /x 98 | How do I locate potential integer underflow patterns? /s 99 | How do I find instructions accessing stack variables? /a 100 | How do I search for specific byte sequences with wildcards? /x 101 | How do I locate potential off-by-one patterns? /s 102 | How do I find all references to specific opcodes? /r 103 | How do I search for common ROP gadget patterns? /R 104 | How do I locate potential memory leak patterns? /s 105 | How do I find instructions using specific immediate values? /ai 106 | How do I search for specific function patterns? /a 107 | How do I locate potential stack overflow patterns? 
/s 108 | How do I find all cross-references to system calls? /as 109 | How do I search for common vulnerability signatures? /s 110 | How do I locate potential privilege escalation patterns? /s 111 | How do I find instructions modifying control flow? /a 112 | How do I search for specific byte patterns in memory regions? /x 113 | How do I locate potential information disclosure patterns? /s 114 | How do I find cross-references to specific registers? /r 115 | How do I search for common exploit primitives? /x 116 | How do I locate potential memory corruption patterns? /s 117 | How do I find instructions using specific addressing modes? /a 118 | How do I search for specific instruction sequences in loops? /ad 119 | How do I locate potential type confusion vulnerabilities? /s 120 | How do I find all references to specific memory patterns? /r 121 | -------------------------------------------------------------------------------- /parse_usage.py: -------------------------------------------------------------------------------- 1 | import pandas as pd 2 | import datasets 3 | import openai 4 | import random 5 | import time 6 | import json 7 | import re 8 | client = openai.OpenAI() 9 | def parse_usage(): 10 | all_commands = open('data/radare2/sources/all_commands.txt').read().split('\n') 11 | usage_blocks = [] 12 | usage_block = None 13 | for line in all_commands: 14 | if len(line.strip()) == 0: 15 | usage_block = None 16 | continue 17 | 18 | if line.startswith('Usage:'): 19 | raw_text = line 20 | line = line.replace('Usage:', '').strip() 21 | usage_parts = line.split(' ') 22 | usage_block = { 23 | 'main_command': usage_parts[0], 24 | 'description': usage_parts[1].strip() if len(usage_parts) > 1 else '', 25 | 'commands': [], 26 | 'raw_text': raw_text 27 | } 28 | usage_blocks.append(usage_block) 29 | elif usage_block: 30 | usage_block['raw_text'] += '\n' + line 31 | if line.startswith('| '): 32 | line = line[2:].strip() 33 | command_parts = line.split(' ') 34 | 
                    usage_block['commands'].append({
                        'command': command_parts[0],
                        'description': ' '.join(command_parts[1:]).strip()
                    })
                else:
                    # continuation line: belongs to the block's own description
                    usage_block['description'] += ' ' + line.strip()
                usage_block['description'] = usage_block['description'].strip()
            else:
                print(line)

    # flatten each usage block into one row per sub-command
    flat_usage_blocks = []

    for usage_block in usage_blocks:
        prev_command = None
        for command in usage_block['commands']:
            flat_usage_block = {}
            flat_usage_block['main_command'] = usage_block['main_command']
            flat_usage_block['main_description'] = usage_block['description']
            flat_usage_block['command'] = command['command']
            if 'as above' in command['description'] and prev_command:
                # "as above" in the help text refers to the previous command; splice its description in
                idx = command['description'].index('as above') + 8
                flat_usage_block['description'] = prev_command['description'] + ' ' + command['description'][idx:]
            else:
                flat_usage_block['description'] = command['description']
            flat_usage_blocks.append(flat_usage_block)
            prev_command = command

    df = pd.DataFrame(flat_usage_blocks)

    df.to_csv('data/radare2/sources/usage.tsv', sep='\t', index=False)
    for b in usage_blocks:
        b['commands'] = json.dumps(b['commands'])
    df = pd.DataFrame(usage_blocks)
    df.to_csv('data/radare2/sources/usage_blocks.tsv', sep='\t', index=False)
    # dataset = datasets.Dataset.from_list(flat_usage_blocks)
    # dataset.to_parquet('data/radare2/sources/usage.parquet')
    # dataset.to_json('data/radare2/sources/usage.jsonl', lines=True)

def get_price(response):
    # estimated cost of one completion at a fixed rate (USD per million prompt/completion tokens)
    pt = response.usage.prompt_tokens
    ct = response.usage.completion_tokens
    c_pt = 2.5 / 1000000
    c_ct = 10 / 1000000
    cost = (pt * c_pt) + (ct * c_ct)
    return f"${cost:.3f} pt: {pt}, ct: {ct}"

def create_prompts():
    # df = pd.read_csv('data/radare2/sources/usage.tsv', sep='\t')
    df = pd.read_csv('data/radare2/sources/usage_blocks.tsv', sep='\t')

    batch_requests = []
    for index, row in df.iterrows():
        commands = json.loads(row['commands'])
        system_prompt = f'''You are an expert at radare2 and have been tasked with figuring out all the questions anyone could ask that could be answered by a given command.
You'll be given an excerpt from the manual for the command in the format of:
Usage: \t
| \t
| \t
...

Use your knowledge of radare2 and binaries to formulate your responses targeting users not well familiar with these concepts.
Focus on the given commands and their help text.
If you see arguments, come up with potentially valid questions and values to use for them
You must respond in the following format:

1
user question
user command
explanation
radare2 command


2
...



You MUST NOT include the command or parts of it in the question. Pretend you are a less knowledgeable person trying to perform a task.
You must provide responses covering all individual commands. If there are arguments, vary them.
Vary the questions with different words that imply seeking information or asking to perform something

Example Response:

1
How to find the distance between `sym.main` and `sym.hello`
distance between sym.main and sym.hello
We can subtract the addresses to find the distance between them. We can use ?vi to show the decimal value of the math expression `sym.main-sym.hello`.
?vi sym.main-sym.hello

'''
        # user_prompt = f'''Usage: {row['main_command']}\t{row['main_description']}
        # | {row['command']}\t{row['description']}'''
        user_prompt = row['raw_text'] + '\n\n' + f"Provide {len(commands)*10} responses covering all individual commands above."
        request = {
            "custom_id": f'request-{index}',
            "method": 'POST',
            "url": '/v1/chat/completions',
            "body": {
                'messages': [
                    {'role': 'system', 'content': system_prompt},
                    {'role': 'user', 'content': user_prompt}
                ],
                'model': 'gpt-4o', # gpt-5-mini
                'temperature': 0.5,
                'top_p': 0.9,
                'max_tokens': 16000
            }
        }
        batch_requests.append(request)
    dataset = datasets.Dataset.from_list(batch_requests)
    dataset.to_json('data/radare2/sources/usage_batch.jsonl', lines=True)

    # randomly pick 1 request and do completion
    random.shuffle(batch_requests)
    for request in batch_requests[:1]:
        print(request['body']['messages'][0]['content'])
        print(request['body']['messages'][1]['content'])
        print('-' * 50)
        response = openai.chat.completions.create(**request['body'])
        print(response.choices[0].message.content)
        print('-'*5, get_price(response))


def create_batch():
    batch_input_file = client.files.create(file=open('data/radare2/sources/usage_batch.jsonl', 'rb'), purpose='batch')
    batch = client.batches.create(input_file_id=batch_input_file.id, endpoint='/v1/chat/completions', completion_window='24h', metadata={'description': 'testing'})
    return batch

def parse_batch_results(batch_id):
    # poll the batch until it reaches a terminal state
    while True:
        batch = client.batches.retrieve(batch_id)
        print(batch.status)
        match batch.status:
            case 'completed':
                break
            case 'expired':
                print('Batch expired')
                return
            case 'cancelled':
                print('Batch cancelled')
                return
            case 'validating':
                time.sleep(1)
            case 'failed':
                print('Batch failed')
                return
            case 'cancelling':
                print('Batch cancelling')
                return
            case 'in_progress':
                time.sleep(30)
            case 'finalizing':
                time.sleep(30)
            case _:
                print('Unknown batch status', batch)
                return
    output_file_id = batch.output_file_id
    output_file = client.files.content(output_file_id)
    print(output_file.text)
    responses = []
    # one group per field of a numbered response: n, question, command, r2cmd, explanation
    pattern = r'\s*(.*?)\s*(.*?)\s*(.*?)\s*(.*?)\s*(.*?)\s*'
    for i, line in enumerate(output_file.text.split('\n')):
        if len(line) == 0:
            continue
        try:
            res = json.loads(line)
            text = res['response']['body']['choices'][0]['message']['content']
            matches = re.finditer(pattern, text, re.DOTALL)
            for match in matches:
                responses.append({
                    'n': match.group(1).strip(),
                    'question': match.group(2).strip(),
                    'command': match.group(3).strip(),
                    'r2cmd': match.group(4).strip(),
                    'explanation': match.group(5).strip()
                })
        except Exception as e:
            print(line)
            print('num', i, len(line))
            print(e)

    return responses

if __name__ == '__main__':
    parse_usage()
    create_prompts()
    # batch = create_batch()
    # parse_batch_results expects the batch id, not the batch object
    # resp = parse_batch_results(batch.id)
    # df = pd.DataFrame(resp)
    # df.to_csv('data/radare2/pending/every_command_per_block_gpt4o.tsv', sep='\t', index=False)

--------------------------------------------------------------------------------
/data/r2frida/pending/claude2.txt:
--------------------------------------------------------------------------------
# Extended R2frida Command Reference Q&A

## Basic Operations

Q51: How do you run a custom frida expression?
A: `: 'console.log("hello")'`

Q52: How do you execute a script file?
A: `:. myscript.js`

Q53: How do you show the target Frida version?
A: `:?V`

Q54: How do you display a message from the agent?
A: `:?e Message from agent`

Q55: How do you show a UIAlert dialog (iOS)?
A: `:?E "Title" "Message"`

## Memory Search Operations

Q56: How do you search for wide strings?
A: `:/w Hello`

Q57: How do you search for specific byte width values?
A: `:/v4 1234`

Q58: How do you search hex patterns with JSON output?
A: `:/xj 90909090`

Q59: How do you search strings with JSON output?
A: `:/j password`

Q60: How do you search 8-byte values?
A: `:/v8 0x1122334455667788`

## File Descriptor Operations

Q61: How do you list file descriptors?
A: `:dd`

Q62: How do you list file descriptors in JSON format?
A: `:ddj`

Q63: How do you duplicate a file descriptor?
A: `:ddf 3 4`

Q64: How do you close a file descriptor?
A: `:dd- 3`

## Function Interception

Q65: How do you replace a function's return value with 1?
A: `:di1 function_name`

Q66: How do you replace a function's return value with 0?
A: `:di0 function_name`

Q67: How do you intercept with custom value?
A: `:div function_name`

Q68: How do you intercept after function execution?
A: `:dif1 function_name`

Q69: How do you intercept with string return?
A: `:dis function_name`

## Signal & Process Control

Q70: How do you send a signal to a process?
A: `:dk 1234 SIGKILL`

Q71: How do you get crash report?
A: `:dkr`

Q72: How do you show current process ID?
A: `:dp`

## Library Management

Q73: How do you load a shared library?
A: `:dl libname.so`

Q74: How do you load a library using newer Frida API?
A: `:dl2 libname.so main`

Q75: How do you load an iOS Framework?
A: `:dlf /path/to/Framework.framework`

Q76: How do you unload an iOS Framework?
A: `:dlf- /path/to/Framework.framework`

## Memory Management

Q77: How do you allocate heap memory?
A: `:dma 1024`

Q78: How do you allocate string in heap?
A: `:dmas "Hello World"`

Q79: How do you allocate wide string in heap?
A: `:dmaw "Hello Wide World"`

Q80: How do you list live heap allocations?
A: `:dmal`

Q81: How do you free heap allocation?
A: `:dma- address`

Q82: How do you copy memory to new allocation?
A: `:dmad source_addr size`

## Memory Information

Q83: How do you list heap chunks?
A: `:dmh`

Q84: How do you export heap chunks as r2 flags?
A: `:dmh*`

Q85: How do you get heap chunks in JSON?
A: `:dmhj`

Q86: How do you show heap allocation maps?
A: `:dmhm`

## Page Permissions

Q87: How do you change page permissions?
A: `:dmp address size rwx`

## Thread Operations

Q88: How do you list all threads?
A: `:dpt`

Q89: How do you show current thread registers?
A: `:dr.`

## Tracing Operations

Q90: How do you clear specific trace?
A: `:dt- address`

Q91: How do you clear all traces?
A: `:dt-*`

Q92: How do you trace current offset?
A: `:dt.`

Q93: How do you trace with format?
A: `:dtf address "ix"`

Q94: How do you trace all threads?
A: `:dts 5`

Q95: How do you trace using stalker?
A: `:dtsf function_name`

## Symbol Resolution

Q96: How do you get binary headers?
A: `:ih`

Q97: How do you list exports from library?
A: `:iE libname`

Q98: How do you show section at current address?
A: `:iS.`

Q99: How do you list segments in JSON?
A: `:iSSj`

## Environment & Configuration

Q100: How do you get environment variable?
A: `:env VARIABLE_NAME`

Q101: How do you set environment variable?
A: `:env VARIABLE_NAME=value`

## Java Integration

Q102: How do you run Java expression?
A: `:j Java.use("android.app.Activity")`

## Swift Analysis

Q103: How do you list Swift types?
A: `:t ModuleName`

## Chrome Debugging

Q104: How do you start Chrome debugger?
A: `:d.`

## SELinux Management

Q105: How do you change SELinux context?
A: `:chcon /path/to/file`

## Header Analysis

Q106: How do you get headers in JSON?
A: `:ihj`

Q107: How do you get headers as r2 commands?
A: `:ih*`

## Register Operations

Q108: How do you trace register values?
A: `:dtr address rax rbx rcx`

## Function Headers

Q109: How do you define function header?
A: `:dth function_name z:str i:int v:hex`

## Logging

Q110: How do you manage trace logs?
A: `:dtl "log message"`

Q111: How do you clear trace logs?
A: `:dtl-*`

## Additional Binary Information

Q112: How do you list segments at current address?
A: `:iSS.`

Q113: How do you get inverse symbol resolution?
A: `:fd address`

## Advanced Execution

Q114: How do you call target function with args?
A: `:dxc function_name arg1 arg2`

## Configuration

Q115: How do you list config variables?
A: `:e`

Q116: How do you set config variable?
A: `:e var.name=value`

## Protocol Analysis (iOS)

Q117: How do you list protocol methods?
A: `:ip ProtocolName`

## Named Maps

Q118: How do you list named squashed maps?
A: `:dmm`

## Debug Logging

Q119: How do you enable debug trace logging?
A: `:dtl msg`

Q120: How do you export debug trace logs?
A: `:dtl*`

## Module Information

Q121: How do you get current module info?
A: `:i`

Q122: How do you list sections with flags?
A: `:iS*`

## Function Analysis

Q123: How do you trace stalker with JSON output?
A: `:dtsfj function_name`

Q124: How do you trace with header definition?
A: `:dth function_name x:0 y:1`

## Memory Regions

Q125: How do you list memory regions as r2 commands?
A: `:dm*`

Q126: How do you get memory regions in JSON?
A: `:dmj`

## Breakpoint Management

Q127: How do you list breakpoints?
A: `:dbn`

Q128: How do you delete breakpoint by address?
A: `:dbn -address`

Q129: How do you associate command with breakpoint?
A: `:dbnc address "px 32"`

Q130: How do you remove all breakpoints?
A: `:db-*`

## Advanced Search

Q131: How do you search 16-bit values?
A: `:/v2 value`

Q132: How do you search 32-bit values?
A: `:/v4 value`

## Symbol Operations

Q133: How do you show symbol address?
A: `:isa libname symbol_name`

Q134: How do you list all symbols with flags?
A: `:is*`

## Cycript Integration

Q135: How do you evaluate Cycript code?
A: `: cycript_code`

## Core Operations

Q136: How do you run r2 core command?
A: `:r px 32`

## Evaluation Context

Q137: How do you evaluate JS in agent?
A: `:eval JavaScript.code()`

## Thread Analysis

Q138: How do you trace thread for specific time?
A: `:dtsj 10`

## Binary Sections

Q139: How do you list sections with JSON?
A: `:iSj`

## Library Analysis

Q140: How do you list imports with flags?
A: `:ii*`

## Advanced Interception

Q141: How do you intercept with immediate value?
A: `:dii function_name`

Q142: How do you intercept after call with zero?
A: `:dif0 function_name`

## Memory Operations

Q143: How do you list heap chunks maps?
A: `:dmhm`

Q144: How do you copy memory to allocation?
A: `:dmad source size`

## Process Information

Q145: How do you get process environment?
A: `:env`

Q146: How do you list all environment variables?
A: `:env *`

## Framework Management

Q147: How do you load multiple frameworks?
A: `:dlf framework1.framework framework2.framework`

Q148: How do you unload multiple frameworks?
A: `:dlf- framework1.framework framework2.framework`

## Debug Operations

Q149: How do you trace with stalker for JSON output?
A: `:dtsj 5`

Q150: How do you show module sections?
A: `:iS`

--------------------------------------------------------------------------------
/data/radare2/Attic/radare2_train.tsv:
--------------------------------------------------------------------------------
q	a
How do I find all functions that might be handling JSON data?	afl~json,parse,stringify
I want to see all places where the program is reading user input. How do I find those?	axt@@=sym.gets sym.fgets sym.scanf sym.readline
How can I find all the places where the program is writing to standard output?	axt@@=sym.printf sym.puts sym.fputs sym.write
I want to see if this program uses any compression functions. How do I search?	afl~zip,compress,inflate,deflate
How do I find all the places where random numbers are generated?	axt@@=sym.rand sym.random sym.srand
I want to see all functions that might be doing HTTP requests. How do I find those?	afl~http,curl,wget,request
How can I find all the places where command line arguments are processed?	axt@@=sym.getopt sym.argc sym.argv
I want to see all functions that might be handling XML data. How do I find those?	afl~xml,parse,dom,xpath
How do I find all the places where shared libraries are loaded dynamically?	axt@@=sym.dlopen sym.dlsym sym.LoadLibrary
I want to see all functions that might be doing database operations. How do I find those?	afl~sql,database,query
How can I find all the places where process IDs are being manipulated?	axt@@=sym.getpid sym.fork sym.waitpid
I want to see all the places where file permissions are being changed. How do I find those?	axt@@=sym.chmod sym.chown sym.umask
How do I find all functions that might be handling SSL/TLS operations?	afl~ssl,tls,encrypt,decrypt
I want to see all places where the program is doing logging. How do I find those?	axt@@=sym.syslog sym.log sym.fprintf
How can I find all the places where child processes are being created?	axt@@=sym.fork sym.vfork sym.spawn
I want to see all functions that might be handling configuration files. How do I find those?	afl~config,ini,conf,parse
How do I find all the places where signals are being blocked or unblocked?	axt@@=sym.sigprocmask sym.sigblock sym.sigsetmask
I want to see all functions that might be doing audio processing. How do I find those?	afl~audio,sound,pcm,wave
How can I find all the places where shared memory is being accessed?	axt@@=sym.shmget sym.shmat sym.shmctl
I want to see all functions that might be handling image data. How do I find those?	afl~image,png,jpeg,bitmap
How do I find all the places where message queues are being used?	axt@@=sym.msgget sym.msgsnd sym.msgrcv
I want to see all functions that might be doing Unicode conversion. How do I find those?	afl~unicode,utf,wchar,iconv
How can I find all the places where process priorities are being changed?	axt@@=sym.nice sym.setpriority
I want to see all functions that might be handling timestamps. How do I find those?	afl~time,date,clock,timestamp
How do I find all the places where environment variables are being accessed?	axt@@=sym.getenv sym.environ
How do I find all functions that might be handling mouse or keyboard input?	afl~mouse,keyboard,input,event
I want to see all places where the program is doing graphics operations. How do I find those?	afl~draw,paint,render,canvas
How can I find all the places where the program is using regular expressions?	axt@@=sym.regcomp sym.regexec sym.regex
I want to see all functions that might be handling PDF operations. How do I find those?	afl~pdf,document,page
How do I find all the places where the program is doing DNS lookups?	axt@@=sym.gethostbyname sym.getaddrinfo sym.dns
I want to see all functions that might be handling ZIP files. How do I find those?	afl~zip,archive,compress,extract
How can I find all the places where the program is using SSL certificates?	afl~cert,ssl,x509,verify
I want to see all functions that might be doing video processing. How do I find those?	afl~video,codec,stream,frame
How do I find all the places where the program is using mutexes?	axt@@=sym.pthread_mutex_lock sym.pthread_mutex_unlock
I want to see all functions that might be handling CSV data. How do I find those?	afl~csv,parse,delimiter
How can I find all the places where the program is doing memory mapping?	axt@@=sym.mmap sym.munmap sym.MapViewOfFile
I want to see all functions that might be handling email operations. How do I find those?	afl~mail,smtp,imap,pop3
How do I find all the places where the program is using semaphores?	axt@@=sym.sem_wait sym.sem_post sym.semop
I want to see all functions that might be doing bluetooth operations. How do I find those?	afl~bluetooth,ble,rfcomm
How can I find all the places where the program is handling exceptions?	axt@@=sym.__cxa_throw sym.try_catch sym.except
I want to see all functions that might be doing GPU operations. How do I find those?	afl~gpu,cuda,opencl,shader
How do I find all the places where the program is using timers?	axt@@=sym.settimer sym.alarm sym.sleep
I want to see all functions that might be handling USB devices. How do I find those?	afl~usb,device,endpoint
How can I find all the places where the program is doing IPC?	axt@@=sym.pipe sym.msgget sym.shmget
I want to see all functions that might be handling WebSocket operations. How do I find those?	afl~websocket,ws,socket
How do I find all the places where the program is doing memory allocation alignment?	axt@@=sym.aligned_alloc sym.posix_memalign
I want to see all functions that might be handling OAuth operations. How do I find those?	afl~oauth,token,auth
How can I find all the places where the program is doing Base32 encoding?	afl~base32,encode,decode
I want to see all functions that might be handling YAML data. How do I find those?	afl~yaml,parse,serialize
How do I find all the places where the program is using condition variables?	axt@@=sym.pthread_cond_wait sym.pthread_cond_signal
How do I find all functions that might be handling protocol buffers?	afl~protobuf,serialize,message
I want to see all places where the program is doing UTF-8 validation. How do I find those?	afl~utf8,unicode,validate
How can I find all the places where the program is doing RSA operations?	afl~rsa,encrypt,decrypt,sign
I want to see all functions that might be handling MQTT messages. How do I find those?	afl~mqtt,publish,subscribe
How do I find all the places where the program is doing memory barriers?	axt@@=sym.__sync_synchronize sym.memory_barrier
I want to see all functions that might be handling WebRTC operations. How do I find those?	afl~webrtc,rtc,stream,peer
How can I find all the places where the program is doing SHA-256 hashing?	axt@@=sym.SHA256_Init sym.SHA256_Update sym.SHA256_Final
I want to see all functions that might be handling GraphQL queries. How do I find those?	afl~graphql,query,resolver
How do I find all the places where the program is using atomic operations?	axt@@=sym.__atomic_load sym.__atomic_store
I want to see all functions that might be handling JWT tokens. How do I find those?	afl~jwt,token,verify
How can I find all the places where the program is doing LDAP queries?	afl~ldap,directory,bind
I want to see all functions that might be handling WebAssembly. How do I find those?	afl~wasm,module,instance
How do I find all the places where the program is using SIMD instructions?	afl~simd,sse,avx,neon
I want to see all functions that might be handling gRPC calls. How do I find those?	afl~grpc,rpc,stream
How can I find all the places where the program is doing elliptic curve operations?	afl~ecc,ecdsa,curve
I want to see all functions that might be handling Redis operations. How do I find those?	afl~redis,cache,hset
How do I find all the places where the program is doing zero-copy operations?	afl~zerocopy,mmap,sendfile
I want to see all functions that might be handling Kafka messages. How do I find those?	afl~kafka,producer,consumer
How can I find all the places where the program is doing DNS-over-HTTPS?	afl~doh,dns,https
I want to see all functions that might be handling WebSocket frames. How do I find those?	afl~websocket,frame,mask
How do I find all the places where the program is using spinlocks?	axt@@=sym.pthread_spin_lock sym.pthread_spin_unlock
I want to see all functions that might be handling OAuth2 flows. How do I find those?	afl~oauth2,authorize,token
How can I find all the places where the program is doing CBOR encoding?	afl~cbor,encode,decode
I want to see all functions that might be handling MessagePack data. How do I find those?	afl~msgpack,pack,unpack
How do I find all the places where the program is using hardware acceleration?	afl~gpu,opencl,cuda,acc
How do I find all functions that might be handling TLS certificate validation?	afl~verify,certificate,x509
I want to see all places where the program is doing memory fence operations. How do I find those?	axt@@=sym.__sync_fence sym.atomic_fence
How can I find all the places where the program is handling TOTP/2FA?	afl~totp,otp,2fa,authenticator
I want to see all functions that might be doing IPv6 operations. How do I find those?	afl~ipv6,inet6,sockaddr_in6
How do I find all the places where the program is using vectorized operations?	afl~vector,simd,parallel
I want to see all functions that might be handling WebAuthn/FIDO. How do I find those?	afl~webauthn,fido,credential
How can I find all the places where the program is doing Merkle tree operations?	afl~merkle,tree,hash
I want to see all functions that might be handling QUIC protocol. How do I find those?	afl~quic,stream,datagram
How do I find all the places where the program is using bloom filters?	afl~bloom,filter,probabilistic
I want to see all functions that might be handling SNI (Server Name Indication). How do I find those?	afl~sni,servername,tls_ext
How can I find all the places where the program is doing rate limiting?	afl~ratelimit,throttle,bucket
I want to see all functions that might be handling DTLS. How do I find those?	afl~dtls,datagram,secure
How do I find all the places where the program is using ring buffers?	afl~ring,circular,buffer
I want to see all functions that might be handling OCSP stapling. How do I find those?	afl~ocsp,stapling,revocation
How can I find all the places where the program is doing CRC checks?	afl~crc,checksum,cyclic
I want to see all functions that might be handling HSTS. How do I find those?	afl~hsts,strict,transport
How do I find all the places where the program is using read-write locks?	axt@@=sym.pthread_rwlock_rdlock sym.pthread_rwlock_wrlock
I want to see all functions that might be handling ALPN negotiation. How do I find those?	afl~alpn,protocol,negotiation
How can I find all the places where the program is doing HMAC operations?	afl~hmac,mac,keyed
I want to see all functions that might be handling DANE/TLSA. How do I find those?	afl~dane,tlsa,dnssec

--------------------------------------------------------------------------------
/data/r2frida/pending/r2gpt.txt:
--------------------------------------------------------------------------------
Here are 100 questions with their respective answers and commands for performing common actions in r2frida:

How do I run a JavaScript expression in Frida?
Command: :eval
How can I list all memory regions in the target process?
Command: :dm
How can I check the Frida version being used?
Command: :?V
How to set an environment variable in the target process?
Command: :env =
How do I evaluate Cycript code in Frida?
Command: :
How can I search for a hex string in memory?
Command: :/x
How do I list all imports in the target process?
Command: :ii
How do I place a breakpoint at a specific address?
Command: :db
19 | How to show all threads in the target process? 20 | Command: :dpt 21 | How do I display registers of a specific thread? 22 | Command: :dr. 23 | How do I continue the execution after a breakpoint? 24 | Command: :dc 25 | How do I inject a library using Frida's new API? 26 | Command: :dl2 [main] 27 | How can I dump binary headers of the current module? 28 | Command: :ih 29 | How to list all libraries loaded in the process? 30 | Command: :il 31 | How can I modify the permissions of a memory page? 32 | Command: :dmp
33 | How can I run a script from within Frida? 34 | Command: :. 35 | How do I allocate memory in the target process? 36 | Command: :dma 37 | How can I see information about the target? 38 | Command: :i 39 | How to trace a function call at a specific address? 40 | Command: :dt
41 | How can I unload a framework bundle in iOS? 42 | Command: :dlf- 43 | How to trace register values at a specific address? 44 | Command: :dtr
45 | How do I evaluate a Swift expression in the target process? 46 | Command: :t 47 | How to list all Objective-C protocols in the target? 48 | Command: :ip 49 | How can I search for a value in memory based on its width? 50 | Command: :/v[1248] 51 | How do I list all sections in the target module? 52 | Command: :iS 53 | How to set an r2frida breakpoint at a function symbol? 54 | Command: :db 55 | How can I intercept and modify the return value of a function? 56 | Command: :di 57 | How do I call a target symbol with given arguments? 58 | Command: :dxc 59 | How can I export heap chunks as r2 flags? 60 | Command: :dmh* 61 | How to list Objective-C classes in the target? 62 | Command: :ic 63 | How to start the Chrome tools debugger? 64 | Command: :d. 65 | How do I allocate a wide string in the heap? 66 | Command: :dmaw 67 | How to trace all threads for a specified duration? 68 | Command: :dts 69 | How can I retrieve the target's current PID? 70 | Command: :dp 71 | How do I execute an r2 command through Frida? 72 | Command: :r 73 | How can I modify an existing breakpoint's associated command? 74 | Command: :dbnc
75 | How can I retrieve the crash report if the app crashed? 76 | Command: :dkr 77 | How to list all named squashed maps? 78 | Command: :dmm 79 | How can I list the segments in the target module? 80 | Command: :iSS 81 | How to open an UIAlert dialog in the target app? 82 | Command: :?E <message> 83 | How can I retrieve the address of a symbol in a library? 84 | Command: :isa <library> <symbol> 85 | How do I search for a pattern across all memory regions? 86 | Command: :/ <pattern> 87 | How to view all exports in a specific library? 88 | Command: :iE <lib> 89 | How can I allocate and initialize a string on the heap? 90 | Command: :dmas <string> 91 | How to trace an address or symbol using the stalker? 92 | Command: :dtsf <address|symbol> 93 | How do I list all heap allocations in JSON format? 94 | Command: :dmhj 95 | How to close a file descriptor in the target process? 96 | Command: :dd <fd> 97 | How can I find the SELinux context of a file? 98 | Command: :chcon <file> 99 | How to perform inverse symbol resolution at an address? 100 | Command: :fd <address> 101 | How can I run Objective-C methods of a specific protocol? 102 | Command: :ip <protocol> 103 | How do I inject Java code with Frida? 104 | Command: :j <java-expression> 105 | How to load a framework bundle in iOS? 106 | Command: :dlf <path> 107 | How can I duplicate a file descriptor in the target? 108 | Command: :dd <fd> <newfd> 109 | How to list all thread registers? 110 | Command: :dr 111 | How do I export heap allocations to a file? 112 | Command: :dmh* 113 | How to start a debug trace log? 114 | Command: :dtl <msg> 115 | How do I run a JavaScript function in a Java.perform block? 116 | Command: :j <js-expression> 117 | How can I parse the binary headers in JSON format? 118 | Command: :ihj 119 | How to search for a wide string in memory? 120 | Command: :/w <string> 121 | How can I modify the return value after a function call? 
122 | Command: :dif <addr> 123 | How to change the SELinux context of a file in Android? 124 | Command: :chcon <file> 125 | How do I list all memory-mapped regions? 126 | Command: :dm* 127 | How can I retrieve information about memory segments? 128 | Command: :iSS 129 | How to trace all functions of a specific class? 130 | Command: :ic <class> 131 | How do I set an r2frida configuration variable? 132 | Command: :e <var>=<value> 133 | How can I clear all existing traces? 134 | Command: :dt-* 135 | How to check whether a target process is active? 136 | Command: :dp 137 | How can I show the address of the current segment? 138 | Command: :iSS. 139 | How to open a debug trace console? 140 | Command: :dtl <message> 141 | How to inject a specific SELinux context in a target process? 142 | Command: :chcon <file> 143 | How to parse binary headers of the current module? 144 | Command: :ih 145 | How can I define an Objective-C method in a protocol? 146 | Command: :ip <protocol> 147 | How to retrieve and display current threads in JSON format? 148 | Command: :dptj 149 | How to search for a pattern across all segments? 150 | Command: :/ <pattern> 151 | How can I allocate a wide string? 152 | Command: :dmaw <string> 153 | How to find symbols by export name? 154 | Command: :iE <lib> 155 | How to kill all Frida memory allocations? 156 | Command: :dma- 157 | How do I list methods in a class? 158 | Command: :ic <class> 159 | **How can I modify existing 160 | How can I retrieve the crash report if the app crashed? 161 | Command: :dkr 162 | How to list all named squashed maps? 163 | Command: :dmm 164 | How can I list the segments in the target module? 165 | Command: :iSS 166 | How to open an UIAlert dialog in the target app? 167 | Command: :?E <title> <message> 168 | How can I retrieve the address of a symbol in a library? 169 | Command: :isa <library> <symbol> 170 | How do I search for a pattern across all memory regions? 
171 | Command: :/ <pattern> 172 | How to view all exports in a specific library? 173 | Command: :iE <lib> 174 | How can I allocate and initialize a string on the heap? 175 | Command: :dmas <string> 176 | How to trace an address or symbol using the stalker? 177 | Command: :dtsf <address|symbol> 178 | How do I list all heap allocations in JSON format? 179 | Command: :dmhj 180 | How to close a file descriptor in the target process? 181 | Command: :dd <fd> 182 | How can I find the SELinux context of a file? 183 | Command: :chcon <file> 184 | How to perform inverse symbol resolution at an address? 185 | Command: :fd <address> 186 | How can I run Objective-C methods of a specific protocol? 187 | Command: :ip <protocol> 188 | How do I inject Java code with Frida? 189 | Command: :j <java-expression> 190 | How to load a framework bundle in iOS? 191 | Command: :dlf <path> 192 | How can I duplicate a file descriptor in the target? 193 | Command: :dd <fd> <newfd> 194 | How to list all thread registers? 195 | Command: :dr 196 | How do I export heap allocations to a file? 197 | Command: :dmh* 198 | How to start a debug trace log? 199 | Command: :dtl <msg> 200 | How do I run a JavaScript function in a Java.perform block? 201 | Command: :j <js-expression> 202 | How can I parse the binary headers in JSON format? 203 | Command: :ihj 204 | How to search for a wide string in memory? 205 | Command: :/w <string> 206 | How can I modify the return value after a function call? 207 | Command: :dif <addr> 208 | How to change the SELinux context of a file in Android? 209 | Command: :chcon <file> 210 | How do I list all memory-mapped regions? 211 | Command: :dm* 212 | How can I retrieve information about memory segments? 213 | Command: :iSS 214 | How to trace all functions of a specific class? 215 | Command: :ic <class> 216 | How do I set an r2frida configuration variable? 217 | Command: :e <var>=<value> 218 | How can I clear all existing traces? 
Command: :dt-*
How to check whether a target process is active?
Command: :dp
How can I show the address of the current segment?
Command: :iSS.
How to open a debug trace console?
Command: :dtl <message>
How to inject a specific SELinux context in a target process?
Command: :chcon <file>
How to parse binary headers of the current module?
Command: :ih
How can I define an Objective-C method in a protocol?
Command: :ip <protocol>
How to retrieve and display current threads in JSON format?
Command: :dptj
How to search for a pattern across all segments?
Command: :/ <pattern>
How can I allocate a wide string?
Command: :dmaw <string>
How to find symbols by export name?
Command: :iE <lib>
How to kill all Frida memory allocations?
Command: :dma-
How do I list methods in a class?
Command: :ic <class>
How can I modify existing heap allocations?
Command: :dma-
How do I set custom heap values in Frida?
Command: :dma <size> <value>
How can I run a custom command through JavaScript?
Command: :eval <javascript-code>
How to load libraries in the target with Frida?
Command: :dl <libname>
How can I close a debug console?
Command: :dt-*
How to send custom signals to target process?
Command: :dk <pid> <signal>
How can I use JSON to list memory segments?
Command: :iSSj
How do I check if SELinux is applied to a file?
Command: :chcon <file>
How to list all current trace sessions?
Command: :dt-*
How can I display function header?
Command: :dth <symbol|addr>
How do I inject dynamic memory segments?
Command: :dma <size>
How can I trace threads dynamically?
Command: :dts
How do I list heap chunks dynamically?
Command: :dmh
How can I display thread registers in real-time?
Command: :dr
How do I load symbols in Frida?
Command: :dl <symbol>
How can I allocate dynamic values on Frida's heap?
Command: :dma <size> <value>
How to start SELinux in Frida?
Command: :chcon <file>
How can I intercept network APIs?
Command: :db <network-api-address>
How do I generate stack traces in Frida?
Command: :dtf <address>
How can I examine stack segments in real-time?
Command: :dr
How to map data using Frida symbols?
Command: :is <symbol>
--------------------------------------------------------------------------------
/data/radare2/pending/qwen-fortunes.tsv:
--------------------------------------------------------------------------------
q	a
How do you tweak the disassembly output in radare2?	Use the command `e asm.` to modify the disassembly settings.
What is the command to check if you have set up your ~/.radare2rc today?	There isn't a specific command to check this. You can simply open the file with `nano ~/.radare2rc` to see if it has been modified.
In visual mode, what key toggles cursor mode?	Press 'c' to toggle cursor mode.
What key can you use to navigate using the cursor?	Use the Tab key to navigate.
How can you mark an offset in visual mode?	Move the cursor to the desired offset and press ','. Then, press '.' to go back to the marked offset.
How do you debug a program from the graph view ('ag') in radare2?	Use standard radare2 commands like `dc`, `dsc`, or `ds` while in the graph view.
What are the keys to adjust the screen width in visual mode?	Use the '[' and ']' keys to adjust the screen width.
How do you select your architecture in radare2?	Use the command `e asm.arch=<arch>` or `r2 -a <arch>` from the shell.
How can you move between your search hits in visual mode?	Use the 'n' and 'N' keys to move between search hits.
What is the command to save your projects?
Use `Ps <project-filename>` to save your projects.
How can you change the block size in visual mode?	Use the 'b <block-size>' command or enter radare2 commands with ':' in visual mode.
What command should you use to open a file in read-write mode?	Use `r2 -w <path>` to open a file in read-write mode.
How do you print the contents of the current block?	Use the 'p' command to print the contents of the current block.
What is the layout command format?	The layout command format is: `<repeat><command><bytes>@<offset>`. Example: `3x20@0x33`.
How do you toggle colors in visual mode?	Press 'C' in visual mode to toggle colors.
What command is used for copying and pasting bytes in visual mode?	Use 'c' for cursor mode and 'y' and 'Y' for copying and pasting bytes.
How can you move around the bytes using arrow keys?	Use the keys h,j,k,l to move around the bytes.
What command is used to seek at relative offsets?	Use 's +<offset>' or 's -<offset>' to seek at relative offsets.
How can you invert the block bytes in visual mode?	Use the 'I' key to invert the block bytes in visual mode.
How do you switch between print modes in visual mode?	Use the 'p' and 'P' keys to switch between print modes.
How can you add comments in visual mode?	Use the ';' key to add comments in visual mode, or the 'CC' command from the radare2 shell.
What commands are used for assembling opcodes in visual mode?	Use the 'a' and 'A' keys to assemble opcodes in visual mode, which are bindings to the 'wa' and 'wA' commands.
What command is used to find expanded AES keys in memory?	Use the command '/ca' to find expanded AES keys in memory.
How do you find wide-char strings with the '/w <string>' command?	Use the command '/w <string>' to find wide-char strings.
How can you enable ascii-art jump lines in disassembly?	Set 'e asm.lines=true' to enable ascii-art jump lines in disassembly.
Other options like 'asm.lines.out' and 'asm.linestyle' may also be interesting.
How do you control the signal handlers of the child process?	Use the 'dk' command to control the signal handlers of the child process.
How can you get a free shell in radare2?	Use the command 'ragg2 -i exec -x' to get a free shell.
How do you interpret radare2 scripts with '. <path-to-script>'?	Use the command '. <path-to-script>' to interpret radare2 scripts.
What can you use '?' as a suffix for?	'?' can be used to understand how most commands work.
How do you step through your seek history with 'u' and 'U'?	Use 'u' (undo) and 'U' (redo) to step through your seek history.
How can you calculate hashes of portions of a file?	Use the `hasher` to calculate hashes of portions of a file.
How can you zoom out to see the entropy of the whole file?	Use 'zoom.byte=entropy' and press 'z' in visual mode to zoom out to see the entropy of the whole file.
How can you find strings in zoom mode?	Use 'zoom.byte=printable' in zoom mode ('z' in Visual mode) to find strings.
How do you add colors to your screen?	Use the command 'e scr.color=X' where 1 is 16 colors, 2 is 256 colors, and 3 is 16M colors.
How do you move the comment margin with 'asm.cmt.margin'?	Use the command 'asm.cmt.margin' to move the comment margin.
How can you execute a command on the visual prompt?	Use cmd.vprompt to execute a command on the visual prompt.
How can you reduce the delta used for flag resolving by address?	Use the command 'cfg.delta' to reduce the delta used for flag resolving by address.
How can you disable these messages with 'e cfg.fortunes = false'?	Use the command 'e cfg.fortunes = false' to disable these messages.
How can you change your fortune types?	Use the command 'e cfg.fortunes.type = fun,tips,nsfw' to change your fortune types.
How can you show offsets in graphs?	Use the command 'e graph.offset = true' to show offsets in graphs.
How can you execute a command every time a breakpoint is hit?	Use the command 'e cmd.bp = !my-program' to execute a command every time a breakpoint is hit.
How can you disassemble in Intel syntax?	Use the command 'e asm.syntax = intel' to disassemble in Intel syntax.
How can you change the UID of the debugged process?	Use the command 'child.uid' to change the UID of the debugged process (requires root).
How can you enhance your graphs?	Increase the size of the block and graph.depth eval variable to enhance your graphs.
How can you control the height of the terminal on serial consoles?	Use the command 'e scr.height' to control the height of the terminal on serial consoles.
How can you emulate the base address of a file?	Use the command 'e file.baddr' to emulate the base address of a file.
How can you bindiff two files?	Use the command '$ radiff2 /bin/true /bin/false' to bindiff two files.
How can you execute commands on a temporary offset?	Append '@ offset' to your command to execute commands on a temporary offset.
How can you drop verbosity temporarily?	Prefix commands with ':' to temporarily drop verbosity.
How can you change the graph block definition?	Use the command 'graph.callblocks, graph.jmpblocks, graph.flagblocks' to change the graph block definition.
How can you see the source line related to the current seek?	Use the command 'id' to see the source line related to the current seek.
How can you analyze socket connections with the socket plugin?	Use the command 'radare2 socket://www.foo.com:80' to analyze socket connections. Use 'w' to send data.
How can you debug a program using 'dbg://<path-to-program>'?	Use the command 'dbg://<path-to-program>' to debug a program.
How can you edit configuration and track flags in visual mode?	Use 'e' and 't' in Visual mode to edit configuration and track flags.
How can you get the import/export symbols of any binary?
Use the command 'rabin2 -ris' to get the import/export symbols of any binary.
How can you maintain your ~/.radare_history?	Maintain your ~/.radare_history by adding the relevant commands to your history file.
How can you enable the PAGER with 'e scr.pager=less -R'?	Use the command 'e scr.pager=less -R' to enable the PAGER.
How can you show offsets in 16-bit segment addressing mode?	Use the command 'e asm.offset=true' to show offsets in 16-bit segment addressing mode.
How can you evaluate math expressions in radare2?	Use the command '? (0x34+22)*4' to evaluate math expressions.
How can you load debug information at startup?	Set 'e bin.dbginfo=true' to load debug information at startup.
How can you rename a function in radare2?	Use the command 'afn <newname> @ <offset>' to rename a function.
How can you redefine descriptive commands?	You can redefine descriptive commands in the hud file or using the 'V_' command.
How can you get information of the binary in JSON format?	Pass '-j' to rabin2 to get the information of the binary in JSON format.
How can you launch your programs with rarun2?	Use rarun2 to launch your programs with a predefined environment.
How can you update to the latest version of radare2?	You are probably using an old version of r2, go checkout the git!
How can you run your own r2 scripts in awk?	Use the r2awk program to run your own r2 scripts in awk.
How can you disable automatic string search when loading the binary?	Use the command '-e bin.strings=false' to disable automatic string search when loading the binary.
How is radare2 described?	Radare2 is a unix-like reverse engineering framework.
What is the intended purpose of the blank space in the code?	The code was intentionally left blank, try 'e asm.arch = ws'.
What should you do if you want a premium r2 experience?
Use the command 'r2pm -i r2premium; echo "e cfg.fortunes.type = nsfw" >> ~/.radare2rc' for a premium r2 experience.
How can you run the io plugin cmd callback?	Use the command ':' to run the io plugin cmd callback. Many io plugins provide useful features, find them out!
How can you display all local variables and argument types and names?	Set 'asm.var.summary' to 0 to display all local variables and argument types and names.
How can you use registers in math expressions?	You can use registers in math expressions, for example: 'wx 1234 @ esp - 2'.
How do you enable HTTP authentication in radare2?	Use the commands 'e http.auth = 1' and 'e http.authfile = <path>' to enable HTTP authentication.
What is the purpose of 'e asm.lines=true'?	Enable ascii-art jump lines in disassembly. This feature makes the disassembly output more readable by adding ASCII art lines that represent jumps and control flow.
How can you disable the loading of debug information at startup?	Set 'e bin.dbginfo=false' to disable the loading of debug information at startup.
What command can be used to set 'e asm.arch=<arch>'?	The command 'e asm.arch=<arch>' can be used to select the architecture for disassembly.
How can you use 'ragg2' to get a free shell?	Use the command 'ragg2 -i exec -x' to get a free shell using ragg2.
How can you find wide-char strings with '/w <string>'?	Use the command '/w <string>' to find wide-char strings in a binary.
How can you analyze socket connections with radare2?	Use the command 'radare2 socket://www.foo.com:80' to analyze socket connections. You can then send data using the 'w' command.
What is the purpose of 'e scr.color=X'?	Set 'e scr.color=X' to change the color scheme, where X can be 1, 2, or 3 for 16, 256, or 16M colors respectively.
How can you switch between visual and visual panel modes?	Use the 'V' or 'v' commands to switch between visual and visual panel modes respectively.
How can you toggle between disasm and graph views?	Use the space key to toggle between disasm and graph views.
What does 'aa' command do in radare2?	The 'aa' command performs automatic analysis on the binary, and the more 'a' you add after 'aa', the more analysis steps are executed.
What is the purpose of 'e graph.offset=true'?	This command enables the display of offsets in graphs, making it easier to understand the structure of the binary.
How can you load flags of symbols from all modules in the debugger?	Use the command '.dmm*' to load the flags of the symbols of all modules loaded in the debugger.
What is the purpose of 'e cfg.fortunes.type = fun,tips,nsfw'?	This command sets the fortune types to fun, tips, and nsfw, allowing you to choose the type of fortunes you want to receive.
How can you find known magic headers in a binary?	Use the command '/m' to carve for known magic headers in a binary. This can help you identify the type of data or the format of a binary section.
What is the purpose of 'e asm.var.summary = 0'?	This command enables the display of all local variables and argument types and names in the disassembly output.
How can you use registers in math expressions in radare2?	You can use registers like 'esp', 'ebp', 'eax', etc., in math expressions. For example, 'wx 1234 @ esp - 2' writes the value 1234 to the memory location two bytes below the current value of 'esp'.
What is the purpose of 'e http.auth = 1' and 'e http.authfile = <path>'?	These commands enable HTTP authentication for radare2 sessions. 'e http.auth = 1' enables authentication, and 'e http.authfile = <path>' specifies the path to the file containing the authentication credentials.
How can you use 'ragg2' to get a free shell?	Use the command 'ragg2 -i exec -x' to get a free shell using ragg2.
What is the purpose of 'e asm.lines=true'?	Enable ascii-art jump lines in disassembly.
This feature makes the disassembly output more readable by adding ASCII art lines that represent jumps and control flow.
How can you disable the loading of debug information at startup?	Set 'e bin.dbginfo=false' to disable the loading of debug information at startup.
--------------------------------------------------------------------------------
/data/radare2/pending/2024-10-28-binary_patching-openai:gpt-4o-top_p-0.9-temp-0.7.tsv:
--------------------------------------------------------------------------------
q	a
How do I replace a series of instructions with a jump to another address?	wa 'jmp 0x004024A0'
Patch a function to skip its body and return immediately.	wa ret @ sym.func
Change the first instruction of the 'main' function to a NOP.	wa nop @ sym.main
Overwrite a specific byte at 0x004025B0 with 0x77.	wx 77 @ 0x004025B0
How can I insert a sequence of NOPs to bypass a check?	wa nop;nop;nop;nop;nop
Patch an instruction to load a constant value into a register.	wa 'mov eax, 0x10'
Replace a byte with 0x99 at 0x004026C0.	wx 99 @ 0x004026C0
How do I change a MOV instruction to a SUB?	wa 'sub eax, eax'
Patch a loop to jump directly to its end.	wa 'jmp sym.loop_end'
Overwrite the instruction at 0x004027D0 with a NOP.	wa nop @ 0x004027D0
Patch a call to another function at the current offset.	wa 'call sym.another_func'
How can I write a sequence of bytes to a specific address?	wx 12345678 @ 0x004028E0
Replace a conditional jump with an unconditional one.	wa 'jmp'
Overwrite a series of bytes with a specific pattern.	wx deadbeef
How do I patch a function to always return success?	wa 'xor eax, eax; inc eax; ret'
Change a byte at offset 0x004029F0 to 0x42.	wx 42 @ 0x004029F0
Patch an instruction to jump to a failure handler.	wa 'jmp sym.failure_handler'
How can I insert a breakpoint instruction at the start of a function?
wa int3 @ sym.func_start
Replace a byte at the current offset with 0x88.	wx 88
Overwrite the current instruction with an immediate load.	wa 'mov ebx, 0x2'
Patch a loop condition to be always false.	wa 'jmp 0x00402A00'
How do I replace a call with a return instruction?	wa ret
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Patch an instruction to be a NOP at 0x00402B10.	wa nop @ 0x00402B10
Overwrite a call instruction to jump to a different function.	wa 'jmp sym.new_func'
How do I replace a jump instruction with a return?	wa ret
Patch a function prologue to skip initialization code.	wa nop;nop;nop
Change a MOV instruction to a NOP at the current offset.	wa nop
Overwrite the bytes at 0x00402C20 with 0x1234.	wx 1234 @ 0x00402C20
How can I insert a trap instruction at a specific offset?	wa trap @ 0x00402D30
Patch a series of NOPs to bypass security checks.	wa nop;nop;nop;nop
Replace a byte with 0x66 at 0x00402E40.	wx 66 @ 0x00402E40
How do I write a jump to a handler at the current offset?	wa 'jmp sym.handler'
Patch a function to immediately return an error code.	wa 'mov eax, -1; ret'
Overwrite an instruction to load zero into a register.	wa 'mov ecx, 0'
Replace a jump instruction with its opposite condition.	wa 'jne'
How can I write a NOP instruction at the entry of a loop?	wa nop @ sym.loop_start
Patch a call to a NOP at the current offset.	wa nop
Change a byte at offset 0x00402F50 to 0x11.	wx 11 @ 0x00402F50
Overwrite the first instruction of a function with a NOP.	wa nop @ sym.func
How do I insert a breakpoint at the end of a function?	wa int3 @ sym.func_end
Patch a loop to exit immediately with a jump.	wa 'jmp sym.loop_exit'
Replace a MOV instruction with a load of a constant value.	wa 'mov edx, 0x7'
How can I replace a call with a jump to another function?
wa 'jmp sym.alt_func'
Patch a byte at the current offset to 0x22.	wx 22
Overwrite a return instruction at the end of a function.	wa ret @ sym.func_end
How do I write a NOP at the current offset?	wa nop
Patch a jump instruction to point to the start of a function.	wa 'jmp sym.func_start'
Replace a conditional branch with a NOP.	wa nop
Overwrite a byte at 0x00403060 with 0x33.	wx 33 @ 0x00403060
How can I insert a 'ret' instruction at the start of a function?	wa ret @ sym.func_start
Patch an instruction to call a different function.	wa 'call sym.diff_func'
Change a MOV instruction to a NOP at 0x00403170.	wa nop @ 0x00403170
Overwrite a series of bytes with NOPs.	wx 9090909090
How do I replace a jump with a return instruction?	wa ret
Patch a function entry to do nothing and return immediately.	wa ret @ sym.func_entry
Replace a byte at the current offset with 0x44.	wx 44
Overwrite an instruction with a jump to a new address.	wa 'jmp 0x00403280'
How can I change a call to a jump?	wa 'jmp sym.target'
Patch a loop to skip its body and continue.	wa 'jmp sym.loop_continue'
Replace a byte at 0x00403390 with 0x99.	wx 99 @ 0x00403390
Overwrite a function prologue with NOPs to disable it.	wa nop;nop;nop;nop
How do I insert a trap instruction at the current offset?	wa trap
Patch a jump to point to a new handler function.	wa 'jmp sym.new_handler'
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Overwrite an instruction to load a fixed value.	wa 'mov eax, 0x3'
How can I replace a jump with a NOP?	wa nop
Patch a loop to always execute its body.	wa 'jmp sym.loop_body'
Replace a call instruction with a return at the current offset.	wa ret
Overwrite a byte at 0x004034A0 with 0xAA.	wx aa @ 0x004034A0
How do I write a NOP instruction at the start of a function?
wa nop @ sym.func_start
Patch a series of instructions with a jump to a handler.	wa 'jmp sym.handler'
Change a MOV instruction to a load immediate.	wa 'mov ebx, 0x8'
Overwrite the current instruction with a NOP.	wa nop
How can I insert a 'hlt' instruction at a specific offset?	wa hlt @ 0x004035B0
Patch a function to return a success code.	wa 'mov eax, 0; ret'
Replace a byte with 0x55 at 0x004036C0.	wx 55 @ 0x004036C0
Overwrite a call instruction with a direct jump.	wa 'jmp sym.direct_jump'
How do I patch a loop to break immediately?	wa 'jmp sym.loop_break'
Patch a conditional jump to always be taken.	wa 'jmp 0x004037D0'
Replace a byte at the current offset with 0x66.	wx 66
Overwrite an instruction to perform a NOP operation.	wa nop
How can I insert a breakpoint at the start of a function?	wa int3 @ sym.func_start
Patch a call to point to a new function.	wa 'call sym.new_func'
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Overwrite a series of bytes with a specific pattern.	wx cafebabe
How do I replace a MOV instruction with a SUB?	wa 'sub ecx, ecx'
Patch a loop to skip its condition check.	wa 'jmp sym.loop_skip'
Replace a byte with 0x77 at 0x004038E0.	wx 77 @ 0x004038E0
Overwrite a function's entry point with a NOP.	wa nop @ sym.func_entry
How do I write a NOP instruction at the end of a function?	wa nop @ sym.func_end
Patch a jump to bypass a security check.	wa 'jmp sym.bypass'
Change a byte at offset 0x004039F0 to 0x88.	wx 88 @ 0x004039F0
How can I insert a sequence of NOPs to disable a function?	wa nop;nop;nop;nop @ sym.func
Patch a MOV instruction to load a constant value.	wa 'mov edx, 0x5'
Replace a byte with 0xAA at 0x00403A10.	wx aa @ 0x00403A10
How do I change a jump instruction to point to a new location?	wa 'jmp 0x00403B20'
Patch a loop to run only once.
wa 'jmp sym.loop_once'
Overwrite the instruction at 0x00403C30 with a NOP.	wa nop @ 0x00403C30
Patch a call to a function at the current offset.	wa 'call sym.func'
How can I write a specific sequence of bytes to an address?	wx 11223344 @ 0x00403D40
Replace a conditional jump with an unconditional one.	wa 'jmp'
Overwrite a series of bytes with a new pattern.	wx deadbeef
How do I patch a function to always return zero?	wa 'xor eax, eax; ret'
Change a byte at offset 0x00403E50 to 0x99.	wx 99 @ 0x00403E50
Patch an instruction to jump to an error handler.	wa 'jmp sym.error_handler'
How can I insert a breakpoint instruction at a specific point?	wa int3 @ 0x00403F60
Replace a byte at the current offset with 0x77.	wx 77
Overwrite the current instruction with an immediate load.	wa 'mov ebx, 0x4'
Patch a loop condition to always be false.	wa 'jmp 0x00404070'
How do I replace a call with a return instruction?	wa ret
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Patch an instruction to be a NOP at 0x00404180.	wa nop @ 0x00404180
Overwrite a call instruction to jump to a different function.	wa 'jmp sym.alt_func'
How do I replace a jump instruction with a return?	wa ret
Patch a function prologue to skip initialization code.	wa nop;nop;nop
Change a MOV instruction to a NOP at the current offset.	wa nop
Overwrite the bytes at 0x00404290 with 0x5678.	wx 5678 @ 0x00404290
How can I insert a trap instruction at a specific offset?	wa trap @ 0x004043A0
Patch a series of NOPs to bypass security checks.	wa nop;nop;nop;nop
Replace a byte with 0x66 at 0x004044B0.	wx 66 @ 0x004044B0
How do I write a jump to a handler at the current offset?	wa 'jmp sym.handler'
Patch a function to immediately return an error code.	wa 'mov eax, -1; ret'
Overwrite an instruction to load zero into a register.
wa 'mov ecx, 0'
Replace a jump instruction with its opposite condition.	wa 'jne'
How can I write a NOP instruction at the entry of a loop?	wa nop @ sym.loop_start
Patch a call to a NOP at the current offset.	wa nop
Change a byte at offset 0x004045C0 to 0x11.	wx 11 @ 0x004045C0
Overwrite the first instruction of a function with a NOP.	wa nop @ sym.func
How do I insert a breakpoint at the end of a function?	wa int3 @ sym.func_end
Patch a loop to exit immediately with a jump.	wa 'jmp sym.loop_exit'
Replace a MOV instruction with a load of a constant value.	wa 'mov edx, 0x7'
How can I replace a call with a jump to another function?	wa 'jmp sym.alt_func'
Patch a byte at the current offset to 0x22.	wx 22
Overwrite a return instruction at the end of a function.	wa ret @ sym.func_end
How do I write a NOP at the current offset?	wa nop
Patch a jump instruction to point to the start of a function.	wa 'jmp sym.func_start'
Replace a conditional branch with a NOP.	wa nop
Overwrite a byte at 0x004046D0 with 0x33.	wx 33 @ 0x004046D0
How can I insert a 'ret' instruction at the start of a function?	wa ret @ sym.func_start
Patch an instruction to call a different function.	wa 'call sym.diff_func'
Change a MOV instruction to a NOP at 0x004047E0.	wa nop @ 0x004047E0
Overwrite a series of bytes with NOPs.	wx 9090909090
How do I replace a jump with a return instruction?	wa ret
Patch a function entry to do nothing and return immediately.	wa ret @ sym.func_entry
Replace a byte at the current offset with 0x44.	wx 44
Overwrite an instruction with a jump to a new address.	wa 'jmp 0x004048F0'
How can I change a call to a jump?	wa 'jmp sym.target'
Patch a loop to skip its body and continue.	wa 'jmp sym.loop_continue'
Replace a byte at 0x00404900 with 0x99.	wx 99 @ 0x00404900
Overwrite a function prologue with NOPs to disable it.
wa nop;nop;nop;nop
How do I insert a trap instruction at the current offset?	wa trap
Patch a jump to point to a new handler function.	wa 'jmp sym.new_handler'
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Overwrite an instruction to load a fixed value.	wa 'mov eax, 0x3'
How can I replace a jump with a NOP?	wa nop
Patch a loop to always execute its body.	wa 'jmp sym.loop_body'
Replace a call instruction with a return at the current offset.	wa ret
Overwrite a byte at 0x00404A10 with 0xAA.	wx aa @ 0x00404A10
How do I write a NOP instruction at the start of a function?	wa nop @ sym.func_start
Patch a series of instructions with a jump to a handler.	wa 'jmp sym.handler'
Change a MOV instruction to a load immediate.	wa 'mov ebx, 0x8'
Overwrite the current instruction with a NOP.	wa nop
How can I insert a 'hlt' instruction at a specific offset?	wa hlt @ 0x00404B20
Patch a function to return a success code.	wa 'mov eax, 0; ret'
Replace a byte with 0x55 at 0x00404C30.	wx 55 @ 0x00404C30
Overwrite a call instruction with a direct jump.	wa 'jmp sym.direct_jump'
How do I patch a loop to break immediately?	wa 'jmp sym.loop_break'
Patch a conditional jump to always be taken.	wa 'jmp 0x00404D40'
Replace a byte at the current offset with 0x66.	wx 66
Overwrite an instruction to perform a NOP operation.	wa nop
How can I insert a breakpoint at the start of a function?	wa int3 @ sym.func_start
Patch a call to point to a new function.	wa 'call sym.new_func'
Change the first byte of a function to a NOP.	wx 90 @ sym.func
Overwrite a series of bytes with a specific pattern.	wx cafebabe
How do I replace a MOV instruction with a SUB?	wa 'sub ecx, ecx'
Patch a loop to skip its condition check.	wa 'jmp sym.loop_skip'
Replace a byte with 0x77 at 0x00404E50.
wx 77 @ 0x00404E50
Overwrite a function's entry point with a NOP.	wa nop @ sym.func_entry
--------------------------------------------------------------------------------
/data/radare2/pending/2024-10-28-forensics-openai:gpt-4o-top_p-0.9-temp-0.7.tsv:
--------------------------------------------------------------------------------
q	a
How do I list all sections in the binary file?	iS
How can I extract strings from the data section of a binary?	iz
How do I check the entropy of the entire binary file?	p=e
How can I search for a specific hexadecimal pattern in the binary?	/x <hexpattern>
How do I list all imports from the binary?	ii
How can I display the file's metadata?	i
How do I extract the binary's entrypoint address?	ie
How can I compare two binary files?	cmp <file1> <file2>
How do I calculate the MD5 hash of the current block?	ph md5
How can I view the binary's headers?	ih
How do I search for all ROP gadgets in the binary?	/R
How can I identify known file signatures within the binary?	/m
How do I find all functions that reference a specific address?	axf <address>
How can I export the strings found in the binary to a file?	iz > strings.txt
How do I analyze and list all functions within the binary?	afl
How can I search for wide strings in the binary?	/w <string>
How do I perform a search for crypto materials within the binary?	/c
How can I list all the symbols in the binary?	is
How do I identify the architecture of the binary?	iI
How can I extract all the comments from the binary?	CC
How do I find all xrefs to a specific function?	axt <function>
How can I disassemble the entire binary?	pd $s
How do I identify and list all magic numbers in the binary?	/m
How can I dump the binary's imports in JSON format?	iij
How do I perform a search for all known file systems in the binary?
/mm
How can I check the binary for code obfuscation patterns?	/R
How do I list all the sections in a binary in JSON format?	iSj
How can I extract resource information from the binary?	iR
How do I perform an analysis to find all basic blocks in the binary?	abb
How can I find all cross-references to a data address?	axt <data address>
How do I view the dynamic symbols in the binary?	id
How can I view the hexadecimal representation of the binary's data?	px
How do I display the binary's imports using a table query?	ii,[table-query]
How can I find all the libraries the binary depends on?	il
How do I list all exported symbols in the binary?	iE
How can I extract all the relocation entries from the binary?	ir
How do I find all the known magic patterns in the binary?	/m
How can I search for specific assembly instructions in the binary?	/a <instruction>
How do I view all the segments in the binary?	iS
How can I list all the headers in the binary?	ih
How do I find all the classes and methods defined in the binary?	ic
How can I identify the entrypoint and main address of the binary?	iM
How do I extract the DWARF debug information from the binary?	id
How can I dump the binary's symbols in JSON format?	isj
How do I perform a search for all function preludes in the binary?	/pp
How can I list all the segments in the binary in JSON format?	iSj
How do I identify all the code references to a given address?	axt <address>
How can I list all the imports and their calling functions?	iic
How do I calculate the SHA1 hash of the current block?	ph sha1
How can I view the file's version information?	iV
How do I check the binary for known cryptographic keys?	/ca
How can I find all references to a specific symbol?	/r <symbol>
How do I search for all known filesystem headers in the binary?
/mm 55 | How can I list all the exports in the binary using JSON format? iEj 56 | How do I view the binary's signature information? iT 57 | How can I extract the binary's version information in JSON format? iVj 58 | How do I search for all string references in the binary? /s 59 | How can I find all functions that call a specific function? axf <function> 60 | How do I identify the binary's calling conventions? afc 61 | How can I extract all the resources from a binary? iR 62 | How do I find all the functions that are called by a specific function? aflx <function> 63 | How can I export all functions in the binary to a file? afl > functions.txt 64 | How do I check the binary for potential buffer overflow patterns? /R 65 | How can I list all function signatures in the binary? afsj 66 | How do I find all the loops in the binary's functions? afCl 67 | How can I identify the binary's code obfuscation techniques? /R 68 | How do I view the binary's sections and their entropy? iS; p=e 69 | How can I extract all the comments in the binary in JSON format? CCj 70 | How do I list all the data references in a specific function? afxd <function> 71 | How can I search for a sequence of bytes in the binary? /x <bytes> 72 | How do I find all the conditionals in a specific function? afxc <function> 73 | How can I identify all the functions in the binary? afl 74 | How do I search for all magic numbers in the binary? /m 75 | How can I list all the strings in the binary using JSON format? izj 76 | How do I calculate the CRC32 hash of the current block? ph crc32 77 | How can I view all the functions with no-return attributes? afln; tnf 78 | How do I list all the imported symbols in a binary using a table query? ii,[table-query] 79 | How can I search for all file signatures in the binary? /m 80 | How do I find all the syscalls used by the binary? as 81 | How can I list all the libraries the binary imports? il 82 | How do I find all the exported functions in the binary? 
iE 83 | How can I identify the binary's main function address? iM 84 | How do I extract all the imported functions from the binary? ii 85 | How can I search for all the known magic headers in the binary? /mm 86 | How do I list all the global variables in the binary? avg 87 | How can I identify all the classes and methods within the binary? ic 88 | How do I search for a specific opcode sequence in the binary? /a <opcode sequence> 89 | How can I list all the functions and their relationships? aa 90 | How do I extract the binary's strings in a specific section? iz 91 | How can I calculate the hash of a specific section in the binary? ph <hash> @ <section> 92 | How do I find all the indirect calls in the binary? axtj @ sym.imp.* 93 | How can I identify the binary's entrypoint function? ie 94 | How do I extract all the comments from the binary in a specific section? CC @ <section> 95 | How can I search for all the cryptographic materials in the binary? /c 96 | How do I find all the branches in a specific function? afxb <function> 97 | How can I list all the strings in the binary's .data section? iz @ section.data 98 | How do I calculate the entropy of a specific section in the binary? p=e @ <section> 99 | How can I list all the function calls in the binary? afC 100 | How do I find all the conditional jumps in the binary? axt @ sym.imp.* 101 | How do I list all the sections and their sizes in the binary? iS,[table-query] 102 | How can I identify all the functions that reference a specific data address? axf <data address> 103 | How do I list all the class hierarchies in the binary? icg 104 | How can I find all the functions with a specific signature? afs <signature> 105 | How do I export all the strings from the binary into a CSV file? iz > strings.csv 106 | How can I identify the binary's calling convention types? tcc 107 | How do I perform a search for all binary headers in the binary? /mb 108 | How can I list all the imported functions and their addresses? 
iij 109 | How do I find all syscall invocations in the binary? as 110 | How can I view the binary's exported symbols with their addresses? iE 111 | How do I search for all known encryption algorithms used in the binary? /c 112 | How can I find all the functions that use specific registers? aar 113 | How do I list all the functions and their sizes in the binary? afll 114 | How can I extract all the segments from the binary? iSS 115 | How do I identify the binary's debug information if present? id 116 | How can I view all the classes and their methods in the binary? ic 117 | How do I list all the functions with their start addresses? afl 118 | How can I find all the functions that are exported? iE 119 | How do I search for all instances of a specific opcode in the binary? /a <opcode> 120 | How can I identify all the segments with executable permissions? iS 121 | How do I extract all the functions and their calling conventions? afc 122 | How can I list all the imports and their resolved addresses? ii 123 | How do I find all the functions that have a specific attribute? afla 124 | How can I view all the cross-references in the binary? ax 125 | How do I extract all the headers from the binary in JSON format? ihj 126 | How can I identify the binary's function calling conventions? afc 127 | How do I list all the exported functions with their attributes? iE 128 | How can I search for all the known cryptographic algorithms in the binary? /c 129 | How do I find all the functions with indirect calls? axfi 130 | How can I view the binary's segments and their sizes? iS 131 | How do I identify all the symbols with specific attributes? is 132 | How can I find all the functions with no-return attributes? tnf 133 | How do I list all the functions with their calling conventions? afc 134 | How can I extract all the relocations from the binary? ir 135 | How do I search for all known cryptographic keys in the binary? 
/ca 136 | How can I identify all the classes and their fields in the binary? ic 137 | How do I find all functions that modify specific registers? aar 138 | How can I list all the imports and their resolved symbols? ii 139 | How do I extract all the DWARF information from the binary? id 140 | How can I search for all the known magic headers in the binary? /mm 141 | How do I identify all the functions with specific attributes? afla 142 | How can I find all the functions with a specific return type? afs 143 | How do I view the binary's imports and their resolved addresses? ii 144 | How can I list all the functions and their relationships in JSON format? aflj 145 | How do I extract all the functions from the binary in JSON format? aflj 146 | How can I identify the binary's entrypoint and main functions? iM 147 | How do I search for all the known filesystem headers in the binary? /mm 148 | How can I find all the functions with specific parameter types? afs 149 | How do I list all the functions with their parameter types? afs 150 | How can I extract all the strings from the binary in JSON format? izj 151 | How do I identify all the functions with specific calling conventions? afc 152 | How can I view all the functions with specific attributes in JSON format? aflj 153 | How do I extract all the imports from the binary in JSON format? iij 154 | How can I search for all the known magic patterns in the binary? /m 155 | How do I identify all the functions with specific return types? afs 156 | How can I list all the functions with their attributes in JSON format? aflj 157 | How do I extract all the relocations from the binary in JSON format? irj 158 | How can I find all the functions with specific attributes in JSON format? aflj 159 | How do I view all the functions with specific calling conventions? afc 160 | How can I identify all the segments with specific attributes? iS 161 | How do I search for all the known cryptographic algorithms in the binary? 
/c 162 | How can I find all the functions with specific parameter types in JSON format? afsj 163 | How do I list all the functions with their parameter types in JSON format? afsj 164 | How can I extract all the strings from the binary in JSON format? izj 165 | How do I identify all the functions with specific calling conventions in JSON format? afcj 166 | How can I view all the functions with specific attributes in JSON format? aflj 167 | How do I extract all the imports from the binary in JSON format? iij 168 | How can I search for all the known magic patterns in the binary? /m 169 | How do I identify all the functions with specific return types in JSON format? afsj 170 | How can I list all the functions with their attributes in JSON format? aflj 171 | How do I extract all the relocations from the binary in JSON format? irj 172 | How can I find all the functions with specific attributes in JSON format? aflj 173 | How do I view all the functions with specific calling conventions in JSON format? afcj 174 | How can I identify all the segments with specific attributes in JSON format? iSj 175 | How do I search for all the known cryptographic algorithms in the binary in JSON format? /cj 176 | How can I find all the functions with specific parameter types in JSON format? afsj 177 | How do I list all the functions with their parameter types in JSON format? afsj 178 | How can I extract all the strings from the binary in JSON format? izj 179 | How do I identify all the functions with specific calling conventions in JSON format? afcj 180 | How can I view all the functions with specific attributes in JSON format? aflj 181 | How do I extract all the imports from the binary in JSON format? iij 182 | How can I search for all the known magic patterns in the binary in JSON format? /mj 183 | How do I identify all the functions with specific return types in JSON format? afsj 184 | How can I list all the functions with their attributes in JSON format? 
aflj 185 | How do I extract all the relocations from the binary in JSON format? irj 186 | How can I find all the functions with specific attributes in JSON format? aflj 187 | How do I view all the functions with specific calling conventions in JSON format? afcj 188 | How can I identify all the segments with specific attributes in JSON format? iSj 189 | --------------------------------------------------------------------------------