├── src ├── COVER.md ├── intro │ ├── Iaito.png │ ├── contribute.md │ ├── r2con.md │ ├── ui.md │ ├── intro.md │ └── history.md ├── config │ ├── r2pal.png │ ├── e--color.png │ ├── r2-rainbow.png │ ├── charset.md │ ├── colors.md │ └── io.md ├── visual │ ├── after.png │ ├── before.png │ ├── cursor.png │ ├── funcarg.png │ ├── select_asm.png │ ├── visualmode.png │ ├── pseudo_disable.png │ ├── pseudo_enable.png │ ├── panels_overview.png │ ├── visual_configuration_editor.md │ └── visual_assembler.md ├── analysis │ ├── analyze_one.png │ ├── handcraft_one.png │ ├── code_analysis_vv.png │ ├── code_analysis_vv2.png │ ├── vtables.md │ ├── code_analysis.md.snippets │ ├── calling_conventions.md │ └── intro.md ├── first_steps │ ├── basic_usage_01.png │ ├── basic_usage_02.png │ ├── learning_curve.png │ ├── intro.md │ └── basic_debugger_session.md ├── tools │ ├── radiff2 │ │ ├── img │ │ │ ├── true_false.png │ │ │ └── true_false2.png │ │ ├── bindiff.md │ │ ├── codediff.md │ │ └── datadiff.md │ ├── rasm2 │ │ ├── config.md │ │ └── disassemble.md │ ├── rabin2 │ │ ├── entrypoints.md │ │ ├── operations.md │ │ ├── exports.md │ │ ├── imports.md │ │ ├── symbols.md │ │ ├── strings.md │ │ ├── program_sections.md │ │ └── libraries.md │ ├── intro.md │ ├── ragg2 │ │ ├── padding.md │ │ └── encoders.md │ ├── rahash2 │ │ ├── encode.md │ │ └── intro.md │ └── rafind2 │ │ └── intro.md ├── crackmes │ ├── avatao │ │ ├── img │ │ │ ├── vmloop_ida.png │ │ │ ├── main │ │ │ │ ├── bb-0c63.png │ │ │ │ ├── bb-0ca6.png │ │ │ │ ├── bb-0cac.png │ │ │ │ ├── bb-0d1d.png │ │ │ │ ├── bb-0d34.png │ │ │ │ ├── bb-0d3d.png │ │ │ │ ├── bb-0d4d.png │ │ │ │ ├── bb-0d61.png │ │ │ │ ├── bb-0d65.png │ │ │ │ ├── bb-0d6b.png │ │ │ │ ├── bb-0d75.png │ │ │ │ ├── bb-0d80.png │ │ │ │ ├── bb-0dde.png │ │ │ │ ├── bb-0cac_meta.png │ │ │ │ ├── bb-0d6b_meta.png │ │ │ │ └── main_minimap.png │ │ │ ├── instr_A │ │ │ │ ├── bb-080d.png │ │ │ │ ├── switch-C.png │ │ │ │ ├── switch-M.png │ │ │ │ ├── switch-P.png │ │ │ │ ├── switch-values.png │ │ │ │ └── instr_A_minimap.png │ │ │ ├── instr_D │ │ │ │ └── instr_D.png │ │ │ ├── instr_I │ │ │ │ └── instr_I.png │ │ │ ├── instr_J │ │ │ │ ├── bb-09e1.png │ │ │ │ ├── bb-09e4.png │ │ │ │ ├── bb-09ef.png │ │ │ │ ├── bb-09f9.png │ │ │ │ ├── bb-09ff.png │ │ │ │ ├── bb-0a0e.png │ │ │ │ ├── bb-0a13.png │ │ │ │ ├── bb-0a1a.png │ │ │ │ └── instr_J.png │ │ │ ├── instr_P │ │ │ │ └── instr_P.png │ │ │ ├── instr_S │ │ │ │ ├── graph1.png │ │ │ │ └── graph2.png │ │ │ ├── instr_X │ │ │ │ └── instr_X.png │ │ │ └── vmloop │ │ │ │ ├── bb-0a45.png │ │ │ │ ├── bb-0a74.png │ │ │ │ ├── bb-0a80.png │ │ │ │ ├── bb-0ab6.png │ │ │ │ ├── bb-0aec.png │ │ │ │ ├── bb-0b42.png │ │ │ │ ├── bb-0b6d.png │ │ │ │ ├── bb-0bc1.png │ │ │ │ ├── bb-0be5.png │ │ │ │ ├── bb-0c04.png │ │ │ │ ├── bb-0c4d.png │ │ │ │ ├── vmloop-full.png │ │ │ │ ├── bb-0a80_full.png │ │ │ │ └── vmloop-graph-reconstructed_full.png │ │ ├── outro.md │ │ ├── intro.md │ │ ├── instructionset.md │ │ └── bytecode.md │ ├── ioli │ │ ├── IOLI-crackme.tar.gz │ │ ├── ioli_0x09.md │ │ ├── intro.md │ │ ├── ioli_0x08.md │ │ ├── ioli_0x04.md │ │ └── ioli_0x00.md │ └── intro.md ├── r2fwrev │ ├── intro.md │ ├── setup.md │ └── devices.md ├── plugins │ ├── dev-anal.md │ ├── dev-asm.md │ ├── dev-charset.md │ ├── r2pm.md │ ├── testing.md │ ├── r2js.md │ ├── dev-other.md │ ├── r2skel.md │ ├── troubles.md │ ├── intro.md │ ├── dev.md │ └── dev-bin.md ├── search │ ├── search_in_assembly.md │ ├── automation.md │ ├── backward_search.md │ ├── pattern_search.md │ ├── search_options.md │ ├── searching_crypto.md │ └── basic_searches.md ├── projects │ └── intro.md ├── debugger │ ├── getting_started.md │ ├── signals.md │ ├── windows_messages.md │ ├── files.md │ └── heap.md ├── install │ ├── intro.md │ ├── troubleshooting.md │ ├── snap.md │ └── download.md ├── scripting │ ├── r2pipe2.md │ └── r2js.md ├── r2frida │ └── intro.md ├── r2renef │ └── intro.md ├── commandline │ ├── block_size.md │ ├── sections.md │ ├── yank_paste.md │ ├── types.md │ ├── sdb.md │ └── intro.md ├── arch │ └── intro.md ├── r2wars │ └── intro.md └── emulation │ └── analysis.md ├── r2 ├── bins │ ├── ls │ └── hello_world ├── credits.sh ├── r2png │ ├── README.md │ └── package.json ├── Makefile └── r2snip.js ├── images ├── cover.jpg ├── cover.xcf ├── side.jpg ├── side.xcf ├── qrcode.png ├── back-cover.jpg ├── back-cover.xcf └── cover_small.jpg ├── pandoc ├── cover.tex ├── header.tex ├── metadata.yaml └── filter.lua ├── book_cover ├── r2_book_cover.pdf ├── r2_book_cover.png └── COUSTOMIZE.md ├── .github ├── dependabot.yml └── workflows │ ├── codeql.yml │ └── mdbook.yml ├── .gitignore ├── .proselint └── proselint │ └── config ├── book.toml ├── plugin └── Makefile ├── README.md ├── .one.markdownlint-cli2.jsonc ├── sys └── lintrefs.sh ├── CONTRIBUTING.md └── Makefile /src/COVER.md: -------------------------------------------------------------------------------- 1 | cover 2 | ![cover](../cover.jpg) 3 | cover2 4 | -------------------------------------------------------------------------------- /r2/bins/ls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/r2/bins/ls -------------------------------------------------------------------------------- /images/cover.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/cover.jpg -------------------------------------------------------------------------------- /images/cover.xcf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/cover.xcf -------------------------------------------------------------------------------- /images/side.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/side.jpg -------------------------------------------------------------------------------- /images/side.xcf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/side.xcf -------------------------------------------------------------------------------- /images/qrcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/qrcode.png -------------------------------------------------------------------------------- /r2/bins/hello_world: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/r2/bins/hello_world -------------------------------------------------------------------------------- /src/intro/Iaito.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/intro/Iaito.png -------------------------------------------------------------------------------- /images/back-cover.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/back-cover.jpg -------------------------------------------------------------------------------- /images/back-cover.xcf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/back-cover.xcf -------------------------------------------------------------------------------- /pandoc/cover.tex: -------------------------------------------------------------------------------- 1 | \includegraphics{images/cover.jpg} 2 | \thispagestyle{empty} 3 | \cleardoublepage 4 | -------------------------------------------------------------------------------- /src/config/r2pal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/config/r2pal.png -------------------------------------------------------------------------------- /src/visual/after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/after.png -------------------------------------------------------------------------------- /src/visual/before.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/before.png -------------------------------------------------------------------------------- /src/visual/cursor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/cursor.png -------------------------------------------------------------------------------- /images/cover_small.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/images/cover_small.jpg -------------------------------------------------------------------------------- /src/config/e--color.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/config/e--color.png -------------------------------------------------------------------------------- /src/visual/funcarg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/funcarg.png -------------------------------------------------------------------------------- /src/config/r2-rainbow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/config/r2-rainbow.png -------------------------------------------------------------------------------- /src/visual/select_asm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/select_asm.png -------------------------------------------------------------------------------- /src/visual/visualmode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/visualmode.png -------------------------------------------------------------------------------- /book_cover/r2_book_cover.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/book_cover/r2_book_cover.pdf -------------------------------------------------------------------------------- /book_cover/r2_book_cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/book_cover/r2_book_cover.png -------------------------------------------------------------------------------- /src/analysis/analyze_one.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/analysis/analyze_one.png -------------------------------------------------------------------------------- /src/visual/pseudo_disable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/pseudo_disable.png -------------------------------------------------------------------------------- /src/visual/pseudo_enable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/pseudo_enable.png -------------------------------------------------------------------------------- /src/analysis/handcraft_one.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/analysis/handcraft_one.png -------------------------------------------------------------------------------- /src/visual/panels_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/visual/panels_overview.png -------------------------------------------------------------------------------- /src/analysis/code_analysis_vv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/analysis/code_analysis_vv.png -------------------------------------------------------------------------------- /src/analysis/code_analysis_vv2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/analysis/code_analysis_vv2.png -------------------------------------------------------------------------------- /src/first_steps/basic_usage_01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/first_steps/basic_usage_01.png -------------------------------------------------------------------------------- /src/first_steps/basic_usage_02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/first_steps/basic_usage_02.png -------------------------------------------------------------------------------- /src/first_steps/learning_curve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/first_steps/learning_curve.png -------------------------------------------------------------------------------- /src/tools/radiff2/img/true_false.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/tools/radiff2/img/true_false.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop_ida.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop_ida.png -------------------------------------------------------------------------------- /src/crackmes/ioli/IOLI-crackme.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/ioli/IOLI-crackme.tar.gz -------------------------------------------------------------------------------- /src/tools/radiff2/img/true_false2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/tools/radiff2/img/true_false2.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0c63.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0c63.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0ca6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0ca6.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0cac.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0cac.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d1d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d1d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d34.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d34.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d3d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d3d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d4d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d4d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d61.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d61.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d65.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d65.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d6b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d6b.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d75.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d75.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d80.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d80.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0dde.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0dde.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/bb-080d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/bb-080d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/switch-C.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/switch-C.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/switch-M.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/switch-M.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/switch-P.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/switch-P.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_D/instr_D.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_D/instr_D.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_I/instr_I.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_I/instr_I.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-09e1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-09e1.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-09e4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-09e4.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-09ef.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-09ef.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-09f9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-09f9.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-09ff.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-09ff.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-0a0e.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-0a0e.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-0a13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-0a13.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/bb-0a1a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/bb-0a1a.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_J/instr_J.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_J/instr_J.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_P/instr_P.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_P/instr_P.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_S/graph1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_S/graph1.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_S/graph2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_S/graph2.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_X/instr_X.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_X/instr_X.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0a45.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0a45.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0a74.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0a74.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0a80.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0a80.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0ab6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0ab6.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0aec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0aec.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0b42.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0b42.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0b6d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0b6d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0bc1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0bc1.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0be5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0be5.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0c04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0c04.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0c4d.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0c4d.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0cac_meta.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0cac_meta.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/bb-0d6b_meta.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/bb-0d6b_meta.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/main/main_minimap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/main/main_minimap.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/vmloop-full.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/vmloop-full.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/switch-values.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/switch-values.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/bb-0a80_full.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/bb-0a80_full.png -------------------------------------------------------------------------------- /src/crackmes/avatao/img/instr_A/instr_A_minimap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/instr_A/instr_A_minimap.png -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "monthly" 7 | -------------------------------------------------------------------------------- /src/crackmes/avatao/img/vmloop/vmloop-graph-reconstructed_full.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/radareorg/radare2-book/master/src/crackmes/avatao/img/vmloop/vmloop-graph-reconstructed_full.png -------------------------------------------------------------------------------- /r2/credits.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | git log | grep ^Author |cut -d : -f2- | cut -d '<' -f 1 | sort -u | awk 'BEGIN{N=0}{ 3 | gsub(/\n/,"",$0); if (N>0) {print ","$0; } else {print $0;} ;N++} END{print "."}' 4 | -------------------------------------------------------------------------------- /pandoc/header.tex: -------------------------------------------------------------------------------- 1 | % listing package configuration for CodeBlocks 2 | \lstset{ 3 | breaklines=true, 4 | breakatwhitespace=true, 5 | basicstyle=\footnotesize, 6 | showspaces=false, 7 | showstringspaces=false, 8 | showtabs=false, 9 | keepspaces=true, 10 | } 11 | -------------------------------------------------------------------------------- /src/crackmes/ioli/ioli_0x09.md: -------------------------------------------------------------------------------- 1 | ### IOLI 0x09 2 | 3 | Hints: crackme0x09 hides the format string (%d and %s), and nothing more than 0x08. 4 | 5 | ```console 6 | $ export LOLA=help 7 | $ ./crackme0x09 8 | IOLI Crackme Level 0x09 9 | Password: 12346 10 | Password OK! 11 | ``` 12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.swo 3 | *.un~ 4 | publish.sh 5 | book/ 6 | _book/ 7 | _book/* 8 | .*.swp 9 | .*.swo 10 | *.un~ 11 | *.snippets 12 | *.orig 13 | *.rej 14 | *.bak 15 | *.log 16 | node_modules/ 17 | gmi/ 18 | r2book.md 19 | r2book.pdf 20 | r2book.epub 21 | r2book.texi 22 | r2book.info* 23 | r2book-gmi.tar.gz 24 | -------------------------------------------------------------------------------- /src/tools/radiff2/bindiff.md: -------------------------------------------------------------------------------- 1 | ## Binary Diffing 2 | 3 | radiff2 is also able to compare binaries by checking the differences between the output of `rabin2`. This is, the symbols, libraries, strings, etc. 4 | 5 | The relevant flags for this feature are: 6 | 7 | * -A/-AA analy 8 | * -i [ifscm] -> compare imports, fields, symbols, classes,.. 9 | -------------------------------------------------------------------------------- /pandoc/metadata.yaml: -------------------------------------------------------------------------------- 1 | # Pandoc metadata file 2 | title: The Official Radare2 Book 3 | lang: en-US 4 | author: 5 | - pancake 6 | keywords: 7 | - book 8 | - reverse-engineering 9 | - radare2 10 | - reversing 11 | - radare 12 | 13 | cover-image: images/cover.jpg 14 | toc: true 15 | toc-depth: 5 16 | papersize: a5 17 | geometry: 18 | - margin=1.5cm 19 | -------------------------------------------------------------------------------- /.proselint/proselint/config: -------------------------------------------------------------------------------- 1 | { 2 | "checks": { 3 | "annotations.misc": false, 4 | "hyperbole.misc": false, 5 | "redundancy.misc": false, 6 | "redundancy.ras_syndrome": false, 7 | "typography.exclamation": false, 8 | "typography.symbols": false, 9 | "weasel_words.misc": false, 10 | "weasel_words.very": false 11 | } 12 | } -------------------------------------------------------------------------------- /r2/r2png/README.md: -------------------------------------------------------------------------------- 1 | r2png 2 | ===== 3 | 4 | This program accepts a file and a list of r2 commands to be executed 5 | and generates a PNG image to be included in the book. 6 | 7 | The reason to do that is to ease the requirement to maintain screenshots. 8 | 9 | Current Limitations 10 | ------------------- 11 | * No color supported 12 | * No visual mode screenshots 13 | * Prompt is always shown 14 | -------------------------------------------------------------------------------- /r2/r2png/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "r2png", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "dependencies": { 7 | "r2pipe-promise": "^1.4.1", 8 | "text2png": "^2.3.0" 9 | }, 10 | "devDependencies": { 11 | "semistandard": "*" 12 | }, 13 | "scripts": { 14 | "test": "echo \"Error: no test specified\" && exit 1" 15 | }, 16 | "author": "", 17 | "license": "MIT" 18 | } 19 | -------------------------------------------------------------------------------- /src/tools/rasm2/config.md: -------------------------------------------------------------------------------- 1 | ### Disassembler Configuration 2 | 3 | The assembler and disassembler have many small switches to tweak the output. 4 | 5 | Those configurations are available through the `e` command. Here there are the most common ones: 6 | 7 | * asm.bytes - show/hide bytes 8 | * asm.offset - show/hide offset 9 | * asm.lines - show/hide lines 10 | * asm.ucase - show disasm in uppercase 11 | * ... 12 | 13 | Use the `e??asm.` for more details. 14 | -------------------------------------------------------------------------------- /src/tools/rabin2/entrypoints.md: -------------------------------------------------------------------------------- 1 | ### Code Entrypoints 2 | 3 | The `-e` option passed to rabin2 will show entrypoints for given binary. Two examples: 4 | 5 | ```console 6 | $ rabin2 -e /bin/ls 7 | [Entrypoints] 8 | vaddr=0x00005310 paddr=0x00005310 baddr=0x00000000 laddr=0x00000000 haddr=0x00000018 type=program 9 | 10 | 1 entrypoints 11 | 12 | $ rabin2 -er /bin/ls 13 | fs symbols 14 | f entry0 1 @ 0x00005310 15 | f entry0_haddr 1 @ 0x00000018 16 | s entry0 17 | ``` 18 | -------------------------------------------------------------------------------- /r2/Makefile: -------------------------------------------------------------------------------- 1 | R2PNG=node r2png/index.js 2 | R2SNIP=node r2snip.js 3 | D=../img-white/ 4 | 5 | all: r2png/node_modules 6 | $(R2SNIP) `find .. | grep -v _r2book | grep snippets$$` 7 | 8 | r2png/node_modules: 9 | mkdir -p r2png/node_modules 10 | cd r2png ; npm i 11 | 12 | test: 13 | mkdir -p $(D)/configuration 14 | #$(R2PNG) bins/ls 'e??~color' > $(D)/config/e--color.png 15 | $(R2PNG) - 'hello world' > a.png 16 | #$(R2PNG) bins/ls 'pd 1 @ 0x00404894' > output.png 17 | 18 | 19 | -------------------------------------------------------------------------------- /src/crackmes/avatao/outro.md: -------------------------------------------------------------------------------- 1 | ### .outro 2 | 3 | Well, what can I say? Such VM, much reverse! :) 4 | 5 | What started out as a simple writeup for a simple crackme, became a rather 6 | lengthy writeup/r2 tutorial, so kudos if you've read through it. I hope you 7 | enjoyed it (I know I did), and maybe even learnt something from it. I've surely 8 | learnt a lot about r2 during the process, and I've even contributed some small 9 | patches, and got a few ideas of more possible improvements. 10 | -------------------------------------------------------------------------------- /src/visual/visual_configuration_editor.md: -------------------------------------------------------------------------------- 1 | ## Visual Configuration Editor 2 | 3 | `Ve` or `e` in visual mode allows you to edit radare2 configuration visually. 4 | For example, if you want to change the assembly display just select `asm` in the list and choose your assembly display flavor. 5 | 6 | ![First Select asm](select_asm.png) 7 | 8 | Example switch to pseudo disassembly: 9 | 10 | ![Pseudo disassembly disabled](pseudo_disable.png) 11 | 12 | ![Pseudo disassembly enabled](pseudo_enable.png) 13 | -------------------------------------------------------------------------------- /pandoc/filter.lua: -------------------------------------------------------------------------------- 1 | -- Fix gemini:// links 2 | -- Requiered until this PR gets merged 3 | -- https://github.com/jgm/pandoc/pull/9968 4 | function Link(el) 5 | protopos = string.find(el.target, "/gemini://") 6 | if protopos then 7 | el.target = string.sub(el.target, protopos + 1); 8 | end 9 | return el 10 | end 11 | 12 | -- Parse all allowed raw HTML code for markdownlint MD033 13 | function RawInline(raw) 14 | if raw.format == 'html' and raw.text == '
' then 15 | return pandoc.LineBreak() 16 | end 17 | return raw 18 | end 19 | -------------------------------------------------------------------------------- /src/r2fwrev/intro.md: -------------------------------------------------------------------------------- 1 | # Firmware reversing 2 | 3 | Once we get a flash dump in our hands it usually requires so many different steps and workflows compared to normal userland programs that we are used to work on. 4 | 5 | This chapter will guide you through the necessary steps to understand how to configure your environment, load the required files, analyze and emulate it the very beginning. 6 | 7 | As long as these tasks require a lot of steps and tend to be tedious it is important to have some good habits and understand all the concepts before get your hands deep down. 8 | -------------------------------------------------------------------------------- /book.toml: -------------------------------------------------------------------------------- 1 | # mdBook configuration file 2 | 3 | [book] 4 | title = "The Official Radare2 Book" 5 | author = "pancake " 6 | description = "The Official Radare2 Book" 7 | language = "en" 8 | 9 | [build] 10 | create-missing = false 11 | 12 | [output.html] 13 | default-theme = "light" 14 | preferred-dark-theme = "ayu" 15 | git-repository-url = "https://github.com/radareorg/radare2-book" 16 | edit-url-template = "https://github.com/radareorg/radare2-book/edit/master/{path}" 17 | site-url = "/" 18 | 19 | [output.html.search] 20 | limit-results = 15 21 | -------------------------------------------------------------------------------- /src/crackmes/avatao/intro.md: -------------------------------------------------------------------------------- 1 | ## Avatao R3v3rs3 4 2 | 3 | After a few years of missing out on wargames at 4 | [Hacktivity](https://hacktivity.com), this year I've finally found the time to 5 | begin, and almost finish (yeah, I'm quite embarrassed about that unfinished 6 | webhack :) ) one of them. There were 3 different games at the conf, and I've 7 | chosen the one that was provided by [avatao](https://avatao.com). It consisted 8 | of 8 challenges, most of them being basic web hacking stuff, one sandbox escape, 9 | one simple buffer overflow exploitation, and there were two reverse engineering 10 | exercises too. You can find these challenges on . 11 | -------------------------------------------------------------------------------- /plugin/Makefile: -------------------------------------------------------------------------------- 1 | EXT_SO=$(shell r2 -H R2_LIBEXT) 2 | R2_USER_PLUGINS=$(shell r2 -H R2_USER_PLUGINS) 3 | R2_CFLAGS=$(shell pkg-config --cflags r_core) 4 | R2_LDFLAGS=$(shell pkg-config --libs r_core) 5 | 6 | R2BOOK_HOME=$(shell cd ../src; pwd) 7 | 8 | CFLAGS+=-DR2BOOK_HOME=\"$(R2BOOK_HOME)\" 9 | CFLAGS+=-g -fPIC 10 | 11 | # CFLAGS+=-fsanitize=address 12 | 13 | all: 14 | $(CC) $(CFLAGS) $(R2_CFLAGS) $(R2_LDFLAGS) \ 15 | core_r2book.c -shared -o core_r2book.$(EXT_SO) 16 | $(MAKE) install 17 | 18 | user-install install: 19 | mkdir -p $(R2_USER_PLUGINS) 20 | cp *.$(EXT_SO) $(R2_USER_PLUGINS) 21 | 22 | uninstall user-uninstall: 23 | rm -f $(R2_USER_PLUGINS)/core_r2book.$(EXT_SO) 24 | -------------------------------------------------------------------------------- /src/intro/contribute.md: -------------------------------------------------------------------------------- 1 | ## Contribute! 2 | 3 | If you want to contribute to the Radare2 book, you can do it at the [Github repository](https://github.com/radareorg/radare2-book). 4 | 5 | Suggested contributions include: 6 | 7 | * Crackme writeups 8 | * CTF writeups 9 | * Explain how to use Radare2 10 | * Documentation to help developers 11 | * Conference presentations/workshops using Radare2 12 | * Missing content from the Radare1 book updated to Radare2 13 | 14 | Please get permission to port any content you do not own/did not create before you put it in the Radare2 book. 15 | 16 | See for general help on contributing to radare2. 17 | -------------------------------------------------------------------------------- /src/plugins/dev-anal.md: -------------------------------------------------------------------------------- 1 | ## Analysis plugins (deprecated) 2 | 3 | This page previously showed how to write separate r_anal plugins for opcode analysis and ESIL uplift. That separation has been removed: r_anal and r_asm were merged into the r_arch plugin interface. 4 | 5 | For new architecture work, please: 6 | 7 | * Implement analysis, ESIL uplift and opcode handling inside an r_arch plugin. 8 | * Use `r2skel` to scaffold a new plugin project and follow the r_arch template. 9 | * Migrate any existing r_anal plugin logic into the corresponding r_arch plugin. 10 | 11 | The old examples and Makefile snippets referencing `r_anal` or `r_asm` are obsolete and retained here for historical reasons only. Prefer the r_arch approach for all new development. 12 | -------------------------------------------------------------------------------- /src/tools/intro.md: -------------------------------------------------------------------------------- 1 | # Tooling 2 | 3 | Radare2 is not just the only tool provided by the radare2 project. The rest of chapters in this book are focused on explaining the use of the radare2 tool, this chapter will focus on explaining all the other companion tools that are shipped inside the radare2 project. 4 | 5 | All the functionalities provided by the different APIs and plugins have also different tools to allow to use them from the commandline and integrate them with shellscripts easily. 6 | 7 | Thanks to the ortogonal design of the framework it is possible to do all the things that r2 is able from different places: 8 | 9 | * These companion tools 10 | * Native library APIs 11 | * The r2 shell 12 | * Using the high level R2Papi 13 | * Scripting with r2pipe/r2js 14 | -------------------------------------------------------------------------------- /src/plugins/dev-asm.md: -------------------------------------------------------------------------------- 1 | ## Arch Plugins (deprecated pages) 2 | 3 | This page contained historical examples showing how to implement separate r_asm (disassembly) plugins. Since the r_asm and r_anal interfaces were merged into the unified r_arch API, these separate examples are obsolete. 4 | 5 | For implementing new architectures (disassembly, analysis and ESIL uplift), please: 6 | 7 | * Use the r_arch plugin interface (r_asm and r_anal are merged into r_arch). 8 | * Scaffold a project with `r2skel` and choose the architecture/plugin template to get a working skeleton. 9 | * Check existing r_arch plugins in the main radare2 tree or radare2-extras for reference implementations. 10 | 11 | If you need to migrate an old asm/anal plugin, port its logic into an r_arch plugin and use the new r_arch pkg-config flags for compilation. 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # r2book 2 | 3 | [![mdbook](https://github.com/radareorg/radare2-book/actions/workflows/mdbook.yml/badge.svg)](https://github.com/radareorg/radare2-book/actions/workflows/mdbook.yml) 4 | [![CI document uploads](https://github.com/radareorg/radare2-book/actions/workflows/ci.yml/badge.svg)](https://github.com/radareorg/radare2-book/actions/workflows/ci.yml) 5 | 6 | This book is an updated version maintained by the community of the original radare1 book written by pancake. 7 | 8 | Please contribute by updating and improving the contents. 9 | 10 | * [Github](https://github.com/radareorg/radare2-book) 11 | * [Read it Online](https://book.rada.re/) 12 | 13 | Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submitting a pull request to the github repository. 14 | 15 | Thanks! 16 | -------------------------------------------------------------------------------- /src/config/charset.md: -------------------------------------------------------------------------------- 1 | ## Charset 2 | 3 | Sometimes, a binary can contain custom characters in another charsets than ascii. It is as example the case of the gameboy. The gameboy has his own custom charset for each game. To select as example a custom charset corresponding to the game pokemon red and blue of the gameboy, do: 4 | 5 | ``` 6 | e cfg.charset=pokered; 7 | ``` 8 | 9 | You can now do commands such as `ps` and `w` with custom charset. 10 | 11 | Sadly, as you can imagine, very often the charset will be missing. There can not be as many plugin as there are games for gameboy. If the charset does not exists yet, fell free to write it. See the chapters `plugins` and then `charset``to read about charsets. 12 | 13 | It works of course for each architecture. Not only the gameboy. 14 | 15 | You can also use visual mode with the custom charset for single char encodings. 16 | -------------------------------------------------------------------------------- /src/search/search_in_assembly.md: -------------------------------------------------------------------------------- 1 | ## Assembler Search 2 | 3 | If you want to search for a certain assembler opcodes, you can use `/a` commands. 4 | 5 | The command `/ad/ jmp [esp]` searches for the specified category of assembly mnemonic: 6 | 7 | ```console 8 | [0x00404888]> /ad/ jmp qword [rdx] 9 | f hit_0 @ 0x0040e50d # 2: jmp qword [rdx] 10 | f hit_1 @ 0x00418dbb # 2: jmp qword [rdx] 11 | f hit_2 @ 0x00418fcb # 3: jmp qword [rdx] 12 | f hit_3 @ 0x004196ab # 6: jmp qword [rdx] 13 | f hit_4 @ 0x00419bf3 # 3: jmp qword [rdx] 14 | f hit_5 @ 0x00419c1b # 3: jmp qword [rdx] 15 | f hit_6 @ 0x00419c43 # 3: jmp qword [rdx] 16 | ``` 17 | 18 | The command `/a jmp eax` assembles a string to machine code, and then searches for the resulting bytes: 19 | 20 | ```console 21 | [0x00404888]> /a jmp eax 22 | hits: 1 23 | 0x004048e7 hit3_0 ffe00f1f8000000000b8 24 | ``` 25 | -------------------------------------------------------------------------------- /src/visual/visual_assembler.md: -------------------------------------------------------------------------------- 1 | ## Visual Assembler 2 | 3 | You can use Visual Mode to assemble code pressing the `A` key inside the `V`isual mode (or just type `VA` from the shell). Note that the cursor mode also plays well with the visual assembler, use it to point to the instruction that you want to patch insted of just scrolling up and down changing the seek. 4 | 5 | For example let's replace the `push` by a `jmp`: 6 | 7 | ![Before](before.png) 8 | 9 | Notice the preview of the disassembly and arrows: 10 | 11 | ![After](after.png) 12 | 13 | In order to patch the file you must open it in read-write mode (`r2 -w`), but if you are inside radare2, you can reopen the file in rw mode with `oo+`. 14 | 15 | You can also use the cache mode: `e io.cache = true` and `wc?`. 16 | 17 | **Note** that when you are debugging, patching the memory won't modify the files in disk. 18 | -------------------------------------------------------------------------------- /src/projects/intro.md: -------------------------------------------------------------------------------- 1 | # Introduction to Projects 2 | 3 | When working on a binary analysis, there are scenarios where you need to continuously work on a single or a set of binaries over a long period of time. This could be due to the complexity of the binaries or the amount of time required for in-depth analysis. 4 | 5 | In such cases, you often want to store and keep track of your progress, such as comments, function names, and other metadata, so you don’t have to redo or reanalyze the same information every time you reload the binary. 6 | 7 | This chapter will explore how to handle these needs efficiently by introducing Radare2 projects. We will also discuss the challenges and limitations inherent in this process. Although managing projects may seem straightforward, it is one of the more difficult issues to address, and it's essential to understand why before delving into solutions. 8 | -------------------------------------------------------------------------------- /src/plugins/dev-charset.md: -------------------------------------------------------------------------------- 1 | ## Charset Plugins 2 | 3 | 1. Create a file in `radare2/libr/util/d/yourfile.sdb.txt`. The extension .sdb.txt is important. 4 | 2. Edit the file `radare2/libr/util/charset.c`. 5 | -add `extern SdbGperf gperf_latin_1_ISO_8859_1_western_european;`. 6 | -then add your variable `&gperf_latin_1_ISO_8859_1_western_european,` in `static const SdbGperf *gperfs[]` 7 | 3. Update the Makefile: `radare2/libr/util/Makefile`: 8 | -Add `OBJS+=d/latin_1_ISO_8859_1_western_european.o` 9 | 4. Update the Makefile `radare2/libr/util/d/Makefile` to add your file name with not .sdb and not .txt in `FILES=latin_1_ISO_8859_1_western_european` 10 | 5. Update the unit tests of `radare2/test/db/cmd/charset` 11 | 12 | Congratulation! You can now type the command: 13 | 14 | ``` 15 | e cfg.charset=latin_1_ISO_8859_1_western_european; 16 | ``` 17 | 18 | If you have any issue with this tutorial you can check out the example at . 19 | -------------------------------------------------------------------------------- /src/debugger/getting_started.md: -------------------------------------------------------------------------------- 1 | ## Getting Started 2 | 3 | ### Small session in radare2 debugger 4 | 5 | * `r2 -d /bin/ls`: Opens radare2 with file `/bin/ls` in debugger mode using the radare2 native debugger, but does not run the program. You’ll see a prompt (radare2) - all examples are from this prompt. 6 | 7 | * `db flag`: place a breakpoint at flag, where flag can be either an address or a function name 8 | 9 | * `db - flag`: remove the breakpoint at flag, where flag can be either an address or a function name 10 | 11 | * `db`: show list of breakpoint 12 | 13 | * `dc`: run the program 14 | 15 | * `dr`: Show registers state 16 | 17 | * `drr`: Show registers references (telescoping) (like peda) 18 | 19 | * `ds`: Step into instruction 20 | 21 | * `dso`: Step over instruction 22 | 23 | * `dbt`: Display backtrace 24 | 25 | * `dm`: Show memory maps 26 | 27 | * `dk `: Send KILL signal to child 28 | 29 | * `ood`: reopen in debug mode 30 | 31 | * `ood arg1 arg2`: reopen in debug mode with arg1 and arg2 32 | -------------------------------------------------------------------------------- /src/tools/rabin2/operations.md: -------------------------------------------------------------------------------- 1 | ### Operations 2 | 3 | rabin2 allows you to do some modifications/extraction operations on a file. You do so with **-O** option 4 | and one of the predefined strings to specify the required operation. All the possible strings are: 5 | 6 | ```console 7 | $ rabin2 -O h 8 | Operation string: 9 | Change Entrypoint: e/0x8048000 10 | Dump Symbols: d/s/1024 11 | Dump Section: d/S/.text 12 | Resize Section: r/.data/1024 13 | Remove RPATH: R 14 | Add Library: a/l/libfoo.dylib 15 | Change Permissions: p/.data/rwx 16 | Show LDID entitlements: C 17 | ``` 18 | 19 | Let's run some examples. 20 | 21 | Change the entry point to 0x8041111 of _somefile.bin_: 22 | 23 | ``` $rabin2 e/0x8041111 somefile.bin ``` 24 | 25 | Set permissions rwx (instead of the default rw) on the .bss segment of _somefile.bin_: 26 | 27 | ```$rabin2 p/.bss/rwx somefile.bin``` 28 | 29 | Dump a given section (_.text_) of the file (_somefile.bin_) as a hexadecimal stream: 30 | 31 | ```$rabin2 d/S/.text somefile.bin``` 32 | -------------------------------------------------------------------------------- /src/tools/rabin2/exports.md: -------------------------------------------------------------------------------- 1 | ### Exports 2 | 3 | Rabin2 is able to find exports. For example: 4 | 5 | ```console 6 | $ rabin2 -E /usr/lib/libr_bin.so | head 7 | [Exports] 8 | 9 | nth paddr vaddr bind type size lib name 10 | ----------------------------------------------------- 11 | 210 0x000ae1f0 0x000ae1f0 GLOBAL FUNC 200 r_bin_java_print_exceptions_attr_summary 12 | 211 0x000afc90 0x000afc90 GLOBAL FUNC 135 r_bin_java_get_args 13 | 212 0x000b18e0 0x000b18e0 GLOBAL FUNC 35 r_bin_java_get_item_desc_from_bin_cp_list 14 | 213 0x00022d90 0x00022d90 GLOBAL FUNC 204 r_bin_class_add_method 15 | 214 0x000ae600 0x000ae600 GLOBAL FUNC 175 r_bin_java_print_fieldref_cp_summary 16 | 215 0x000ad880 0x000ad880 GLOBAL FUNC 144 r_bin_java_print_constant_value_attr_summary 17 | 216 0x000b7330 0x000b7330 GLOBAL FUNC 679 r_bin_java_print_element_value_summary 18 | 217 0x000af170 0x000af170 GLOBAL FUNC 65 r_bin_java_create_method_fq_str 19 | 218 0x00079b00 0x00079b00 GLOBAL FUNC 15 LZ4_createStreamDecode 20 | ``` 21 | -------------------------------------------------------------------------------- /.github/workflows/codeql.yml: -------------------------------------------------------------------------------- 1 | name: "CodeQL" 2 | 3 | on: 4 | push: 5 | branches: [ "master" ] 6 | pull_request: 7 | branches: [ "master" ] 8 | schedule: 9 | - cron: "0 19 * * 4" 10 | 11 | jobs: 12 | analyze: 13 | name: Analyze 14 | runs-on: ubuntu-latest 15 | permissions: 16 | actions: read 17 | contents: read 18 | security-events: write 19 | 20 | strategy: 21 | fail-fast: false 22 | matrix: 23 | language: [ javascript ] 24 | 25 | steps: 26 | - name: Checkout 27 | uses: actions/checkout@v6 28 | 29 | - name: Initialize CodeQL 30 | uses: github/codeql-action/init@v4 31 | with: 32 | languages: ${{ matrix.language }} 33 | queries: +security-and-quality 34 | 35 | - name: Autobuild 36 | uses: github/codeql-action/autobuild@v4 37 | 38 | - name: Perform CodeQL Analysis 39 | uses: github/codeql-action/analyze@v4 40 | with: 41 | category: "/language:${{ matrix.language }}" 42 | -------------------------------------------------------------------------------- /src/crackmes/intro.md: -------------------------------------------------------------------------------- 1 | # Crackmes 2 | 3 | Reverse engineering is a crucial skill in today's digital landscape, and one of the best ways to hone this skill is by participating in crackme challenges. A crackme (short for "crack me" challenge) is a piece of software or firmware that has been intentionally obfuscated or encrypted, making it difficult to reverse engineer without the correct key or password. 4 | 5 | In this chapter, we will explore how to use radare2 to defeat various crackmes and uncover their secrets. We will cover tutorials on how to analyze and disassemble different types of crackmes, including those that use encryption, compression, and other forms of obfuscation. 6 | 7 | By following along with these tutorials, you will gain a deeper understanding of the reverse engineering process and develop the skills needed to tackle even the most challenging crackmes. Whether you're a beginner or an experienced reverser, this chapter is designed to provide you with the tools and knowledge necessary to take on any crackme that comes your way. 8 | 9 | So let's get started! 10 | -------------------------------------------------------------------------------- /src/search/automation.md: -------------------------------------------------------------------------------- 1 | ## Search Automation 2 | 3 | The `cmd.hit` configuration variable is used to define a radare2 command to be executed when a matching entry is found by the search engine. If you want to run several commands, separate them with `;`. Alternatively, you can arrange them in a separate script, and then invoke it as a whole with `. script-file-name` command. 4 | For example: 5 | 6 | ```console 7 | [0x00404888]> e cmd.hit = p8 8 8 | [0x00404888]> / lib 9 | Searching 3 bytes from 0x00400000 to 0x0041ae08: 6c 69 62 10 | hits: 9 11 | 0x00400239 hit4_0 "lib64/ld-linux-x86-64.so.2" 12 | 31ed4989d15e4889 13 | 0x00400f19 hit4_1 "libselinux.so.1" 14 | 31ed4989d15e4889 15 | 0x00400fae hit4_2 "librt.so.1" 16 | 31ed4989d15e4889 17 | 0x00400fc7 hit4_3 "libacl.so.1" 18 | 31ed4989d15e4889 19 | 0x00401004 hit4_4 "libc.so.6" 20 | 31ed4989d15e4889 21 | 0x004013ce hit4_5 "libc_start_main" 22 | 31ed4989d15e4889 23 | 0x00416542 hit4_6 "libs/" 24 | 31ed4989d15e4889 25 | 0x00417160 hit4_7 "lib/xstrtol.c" 26 | 31ed4989d15e4889 27 | 0x00417578 hit4_8 "lib" 28 | 31ed4989d15e4889 29 | ``` 30 | -------------------------------------------------------------------------------- /src/plugins/r2pm.md: -------------------------------------------------------------------------------- 1 | ## Packaging your plugins 2 | 3 | As explained in more detail in the [package manager](../tools/r2pm/intro.md) chapter, it is recommended to use our tooling to make your plugin available for everyone. 4 | 5 | All the current packages are located in the [radare2-pm](https://github.com/radareorg/radare2-pm) repository, check some of the already existing ones for inspiration as you will see how easy it's format is: 6 | 7 | ```sh 8 | R2PM_BEGIN 9 | 10 | R2PM_GIT "https://github.com/user/mycpu" 11 | R2PM_DESC "[r2-arch] MYCPU disassembler and analyzer plugins" 12 | 13 | R2PM_INSTALL() { 14 | ${MAKE} clean 15 | ${MAKE} all || exit 1 16 | ${MAKE} install R2PM_PLUGDIR="${R2PM_PLUGDIR}" 17 | } 18 | 19 | R2PM_UNINSTALL() { 20 | rm -f "${R2PM_PLUGDIR}/asm_mycpu."* 21 | rm -f "${R2PM_PLUGDIR}/anal_mycpu."* 22 | } 23 | 24 | R2PM_END 25 | ``` 26 | 27 | Add your package in the `/db` directory of radare2-pm repository and send a pull request when it's ready to be shared. 28 | 29 | ```console 30 | $ r2pm -H R2PM_DBDIR 31 | /Users/pancake/.local/share/radare2/r2pm/git/radare2-pm/db 32 | $ 33 | ``` 34 | -------------------------------------------------------------------------------- /src/intro/r2con.md: -------------------------------------------------------------------------------- 1 | ## r2con 2 | 3 | Starting in 2016 we organized the first public and international congress about radare. 4 | 5 | Highlighting all aspects of radare2, this congress brings the oportunity to everyone to learn more about manual and automated reverse engineering, static and dynamic analysis, fuzzing, forensics, exploiting, unpacking, malware, ... this congress allows everyone to understand how to use r2 and how to extend it for your own purposes, it will also serve as an excuse for all developers to meet and discuss design and implementation tips for the future of the project. 6 | 7 | The congress was started as a 2 days filled with trainings and presentations. 8 | 9 | * 10 | 11 | Other rules and aspects that make r2con a special conference: 12 | 13 | * Chill ambient with beers and sunny weather 14 | * All presentations are recorded and published (some trainings too) 15 | * Located in Barcelona, organized the 2nd week of September 16 | * Small event, started with 50 attendeeds, reached it's top with 300 17 | * r2wars and crackme competitions 18 | * Vegan meals 19 | * Chiptune party 20 | -------------------------------------------------------------------------------- /src/plugins/testing.md: -------------------------------------------------------------------------------- 1 | ## Testing the plugin 2 | 3 | This plugin is used by rasm2 and r2. You can verify that the plugin is properly loaded with this command: 4 | 5 | ```console 6 | $ rasm2 -L | grep mycpu 7 | _d mycpu My CPU disassembler (LGPL3) 8 | ``` 9 | 10 | Let's open an empty file using the 'mycpu' arch and write some random code there. 11 | 12 | ```console 13 | $ r2 - 14 | -- I endians swap 15 | [0x00000000]> e asm.arch=mycpu 16 | [0x00000000]> woR 17 | [0x00000000]> pd 10 18 | 0x00000000 888e mov r8, 14 19 | 0x00000002 b2a5 ifnot r10, r5 20 | 0x00000004 3f67 ret 21 | 0x00000006 7ef6 bl r15, r6 22 | 0x00000008 2701 xor r0, 1 23 | 0x0000000a 9826 mov r2, 6 24 | 0x0000000c 478d xor r8, 13 25 | 0x0000000e 6b6b store r6, 11 26 | 0x00000010 1382 add r8, r2 27 | 0x00000012 7f15 ret 28 | ``` 29 | 30 | Yay! it works.. and the mandatory oneliner too! 31 | 32 | ```console 33 | $ r2 -nqamycpu -cwoR -cpd' 10' - 34 | ``` 35 | -------------------------------------------------------------------------------- /book_cover/COUSTOMIZE.md: -------------------------------------------------------------------------------- 1 | # Print on demand Radare2 Book Cover 2 | 3 | This folder contains a cover design for the Radare2 book. 4 | 5 | ## Cover Details 6 | 7 | - **File:** `r2_book_cover.pdf` 8 | - **Book Format:** A5 9 | - **Spine Width:** 21mm 10 | (Designed for 414 pages using 80g paper) 11 | 12 | ## Customization Guidelines 13 | 14 | If you are using a different paper weight or page count: 15 | - You **must adjust the `cover_spine` layer** in the r2_book_cover.svg file to reflect the new spine width. 16 | 17 | If you are using a different book format or want to make graphical changes: 18 | - Be sure to **maintain the bleed margin**. 19 | - **Do not print across the full visible area**; some space must remain outside the printable region to account for trimming. 20 | 21 | ## Page Layout Guide 22 | 23 | - The **red area** (in the `page_layout` layer) indicates the **bleed margin**. 24 | - The **green area** shows the **printable region**. 25 | - Before exporting the final PDF, make sure to hide the `page_layout` layer. 26 | 27 | ![Cover Layout Guide](r2_book_cover.png) 28 | 29 | --- 30 | 31 | Always verify your final dimensions with your print provider before printing. 32 | 33 | -------------------------------------------------------------------------------- /src/analysis/vtables.md: -------------------------------------------------------------------------------- 1 | ## Virtual Tables 2 | 3 | There is a basic support of virtual tables parsing (RTTI and others). 4 | The most important thing before you start to perform such kind of analysis 5 | is to check if the `anal.cpp.abi` option is set correctly, and change if needed. 6 | 7 | All commands to work with virtual tables are located in the `av` namespace. 8 | Currently, the support is very basic, allowing you only to inspect 9 | parsed tables. 10 | 11 | ``` 12 | |Usage: av[?jr*] C++ vtables and RTTI 13 | | av search for vtables in data sections and show results 14 | | avj like av, but as json 15 | | av* like av, but as r2 commands 16 | | avr[j@addr] try to parse RTTI at vtable addr (see anal.cpp.abi) 17 | | avra[j] search for vtables and try to parse RTTI at each of them 18 | ``` 19 | 20 | The main commands here are `av` and `avr`. `av` lists all virtual tables 21 | found when r2 opened the file. If you are not happy with the result 22 | you may want to try to parse virtual table at a particular address with 23 | `avr` command. `avra` performs the search and parsing of all virtual 24 | tables in the binary, like r2 does during the file opening. 25 | -------------------------------------------------------------------------------- /src/intro/ui.md: -------------------------------------------------------------------------------- 1 | ## User Interfaces 2 | 3 | Radare2 has seen many different user interfaces being developed over the years. 4 | 5 | Maintaining a GUI is far from the scope of developing the core machinery of a reverse engineering toolkit; It is preferred to have a separate project and community, allowing both projects to collaborate and improve alongside each other. This allows individual developers to focus entirely on implementing a CLI or GUI feature instead of trying to juggle both graphical implementation and the low-level logic of the core CLI. 6 | 7 | In the past, there have been at least 5 different native user interfaces (ragui, r2gui, gradare, r2net, bokken) but none of them got enough maintenance power to take off and they all died. 8 | 9 | ### Iaito 10 | 11 | The current main radare2 GUI is Iaito. It is written in C++ using Qt and was originally authored by Hugo Teso. 12 | 13 | * Download: [https://github.com/radareorg/iaito](https://github.com/radareorg/iaito) 14 | 15 | ![Iaito screenshot](Iaito.png) 16 | 17 | ### WebUI 18 | 19 | In addition, r2 includes an embedded webserver with a basic HTML/JS interface. Add `-c=H` to your command-line flags to automatically start the webserver and open it in your browser. 20 | 21 | ```console 22 | $ r2 -c=H /bin/ls 23 | ``` 24 | -------------------------------------------------------------------------------- /src/tools/rasm2/disassemble.md: -------------------------------------------------------------------------------- 1 | ### Disassembler 2 | 3 | Disassembling is the inverse action of assembling. Rasm2 takes hexpair as an input (but can also take a file in binary form) and show the human readable form. 4 | 5 | To do this we can use the `-d` option of rasm2 like this: 6 | 7 | ```console 8 | $ rasm2 -a x86 -b 32 -d '90' 9 | nop 10 | ``` 11 | 12 | or for java: 13 | 14 | ```console 15 | $ rasm2 -a java 'nop' 16 | 00 17 | 18 | Rasm2 also have the `-D` flag to show the disassembly like `-d` does, but includes offset and bytes. 19 | 20 | In radare2 there are many commands to perform a disassembly from a specific place in memory. 21 | 22 | ```console 23 | $ rasm2 -a x86 -b 32 'mov eax, 33' 24 | b821000000 25 | 26 | $ echo 'push eax;nop;nop' | rasm2 -f - 27 | 509090 28 | ``` 29 | 30 | You might be interested in trying if you want different outputs for later parsing with your scripts, or just grep to find what you are looking for: 31 | 32 | #### pd N 33 | 34 | Disassemble N instructions 35 | 36 | #### pD N 37 | 38 | Disassemble N bytes 39 | 40 | #### pda 41 | 42 | Disassemble all instructions (seeking 1 byte, or the minimum alignment instruction size), which can be useful for ROP 43 | 44 | #### pi, pI 45 | 46 | Same as `pd` and `pD`, but using a simpler output. 47 | -------------------------------------------------------------------------------- /src/tools/ragg2/padding.md: -------------------------------------------------------------------------------- 1 | ### Padding and Patching 2 | 3 | Ragg2, a tool in the radare2 suite, offers various options for padding and patching the generated bufferoutput. These options allow users to modify or extend the generated code in specific ways. 4 | 5 | * Appending Data: 6 | * Append hex bytes (-B) 7 | * Append file contents (-C) 8 | * Append 32-bit or 64-bit numbers (-n, -N) 9 | * Append strings (-S) 10 | 11 | * Patching Existing Data: 12 | * Patch dword or qword at a given offset (-d, -D) 13 | * Patch hex pairs at a given offset (-w) 14 | 15 | * Adding Padding: 16 | * Add padding after compilation (-p) 17 | * Options include NOP, trap instructions, or specific byte sequences 18 | 19 | From `ragg2 -h`: 20 | 21 | ``` 22 | -B [hexpairs] append some hexpair bytes 23 | -C [file] append contents of file 24 | -d [off:dword] patch dword (4 bytes) at given offset 25 | -D [off:qword] patch qword (8 bytes) at given offset 26 | -n [dword] append 32bit number (4 bytes) 27 | -N [dword] append 64bit number (8 bytes) 28 | -p [padding] add padding after compilation (padding=n10s32) 29 | ntas : begin nop, trap, 'a', sequence 30 | NTAS : same as above, but at the end 31 | -S [string] append a string 32 | -w [off:hex] patch hexpairs at given offset 33 | ``` 34 | -------------------------------------------------------------------------------- /src/install/intro.md: -------------------------------------------------------------------------------- 1 | # Installation 2 | 3 | Radare2 is available for a wide range of target operating systems and architectures, making it a versatile tool for reverse engineering tasks. 4 | 5 | Whether you are using Windows, Linux, macOS, or even mobile or embedded operating systems, radare2 can be installed and utilized effectively. This chapter provides a comprehensive guide on how to get radare2 up and running on your system, covering various methods from downloading and installing binary distributions to compiling the software from source code. This flexibility ensures that users can tailor the installation process to their specific needs and system configurations. 6 | 7 | To install radare2, users can choose from several options. One straightforward method is to download precompiled binary distributions, which are available for many platforms and can be installed quickly with minimal setup. 8 | 9 | But usually the recommended way to install is by compiling it from the git repository, the upstream branch is always stable and ready to use for everyone. 10 | 11 | The chapter also delves into specific configuration options and post-installation setup to optimize radare2 for different use cases, ensuring that you have a fully functional and efficient reverse engineering environment which is key to follow up with the rest of contents in the book. 12 | -------------------------------------------------------------------------------- /src/search/backward_search.md: -------------------------------------------------------------------------------- 1 | ## Searching Backwards 2 | 3 | Sometimes you want to find a keyword backwards. This is, before the current offset, to do this you can seek back and search forward by adding some search.from/to restrictions, or use the `/b` command. 4 | 5 | ```console 6 | [0x100001200]> / nop 7 | 0x100004b15 hit0_0 .STUWabcdefghiklmnopqrstuvwxbin/ls. 8 | 0x100004f50 hit0_1 .STUWabcdefghiklmnopqrstuwx1] [file . 9 | [0x100001200]> /b nop 10 | [0x100001200]> s 0x100004f50p 11 | [0x100004f50]> /b nop 12 | 0x100004b15 hit2_0 .STUWabcdefghiklmnopqrstuvwxbin/ls. 13 | [0x100004f50]> 14 | ``` 15 | 16 | Note that `/b` is doing the same as `/`, but backward, so what if we want to use `/x` backward? We can use `/bx`, and the same goes for other search subcommands: 17 | 18 | ```console 19 | [0x100001200]> /x 90 20 | 0x100001a23 hit1_0 90 21 | 0x10000248f hit1_1 90 22 | 0x1000027b2 hit1_2 90 23 | 0x100002b2e hit1_3 90 24 | 0x1000032b8 hit1_4 90 25 | 0x100003454 hit1_5 90 26 | 0x100003468 hit1_6 90 27 | 0x10000355b hit1_7 90 28 | 0x100003647 hit1_8 90 29 | 0x1000037ac hit1_9 90 30 | 0x10000389c hit1_10 90 31 | 0x100003c5c hit1_11 90 32 | 33 | [0x100001200]> /bx 90 34 | [0x100001200]> s 0x10000355b 35 | [0x10000355b]> /bx 90 36 | 0x100003468 hit3_0 90 37 | 0x100003454 hit3_1 90 38 | 0x1000032b8 hit3_2 90 39 | 0x100002b2e hit3_3 90 40 | 0x1000027b2 hit3_4 90 41 | 0x10000248f hit3_5 90 42 | 0x100001a23 hit3_6 90 43 | [0x10000355b]> 44 | ``` 45 | -------------------------------------------------------------------------------- /src/tools/rabin2/imports.md: -------------------------------------------------------------------------------- 1 | ### Imports 2 | 3 | Rabin2 is able to find imported objects by an executable, as well as their offsets in its PLT. This information is useful, for example, to understand what external function is invoked by `call` instruction. Pass `-i` flag to rabin2 to get a list of imports. An example: 4 | 5 | ```console 6 | $ rabin2 -i /bin/ls 7 | [Imports] 8 | nth vaddr bind type lib name 9 | ------------------------------------- 10 | 1 0x000032e0 GLOBAL FUNC __ctype_toupper_loc 11 | 2 0x000032f0 GLOBAL FUNC getenv 12 | 3 0x00003300 GLOBAL FUNC sigprocmask 13 | 4 0x00003310 GLOBAL FUNC __snprintf_chk 14 | 5 0x00003320 GLOBAL FUNC raise 15 | 6 0x00000000 GLOBAL FUNC free 16 | 7 0x00003330 GLOBAL FUNC abort 17 | 8 0x00003340 GLOBAL FUNC __errno_location 18 | 9 0x00003350 GLOBAL FUNC strncmp 19 | 10 0x00000000 WEAK NOTYPE _ITM_deregisterTMCloneTable 20 | 11 0x00003360 GLOBAL FUNC localtime_r 21 | 12 0x00003370 GLOBAL FUNC _exit 22 | 13 0x00003380 GLOBAL FUNC strcpy 23 | 14 0x00003390 GLOBAL FUNC __fpending 24 | 15 0x000033a0 GLOBAL FUNC isatty 25 | 16 0x000033b0 GLOBAL FUNC sigaction 26 | 17 0x000033c0 GLOBAL FUNC iswcntrl 27 | 18 0x000033d0 GLOBAL FUNC wcswidth 28 | 19 0x000033e0 GLOBAL FUNC localeconv 29 | 20 0x000033f0 GLOBAL FUNC mbstowcs 30 | 21 0x00003400 GLOBAL FUNC readlink 31 | ... 32 | 33 | ``` 34 | -------------------------------------------------------------------------------- /src/debugger/signals.md: -------------------------------------------------------------------------------- 1 | ## Signals 2 | 3 | You can send signals to the target process, or change the behaviour of the the debugger and signal handler associated with the `dk` command. 4 | 5 | ```console 6 | [0x00000000]> dk? 7 | Usage: dk Signal commands 8 | | dk list all signal handlers of child process 9 | | dk send KILL signal to child 10 | | dk =1 set signal handler for in child 11 | | dk? name/signum resolver 12 | | dko[?] reset skip or cont options for given signal 13 | | dko [|skip|cont] on signal SKIP handler or CONT into 14 | | dkj list all signal handlers in JSON 15 | [0x00000000]> 16 | ``` 17 | 18 | To change the behaviour of the r2 debugger when the target process receives a specific signal use the `dko` command. Note that radare2 handles signals in a portable way, so the Windows exceptions will be used instead of the signal unix syscalls. 19 | 20 | These are the list of signals with their associated numbers: 21 | 22 | ```console 23 | [0x00000000]> dk 24 | 32 SIGRTMIN 30 SIGPWR 14 SIGALRM 31 SIGSYS 15 SIGTERM 16 SIGSTKFLT 25 | 17 SIGCHLD 10 SIGUSR1 11 SIGSEGV 12 SIGUSR2 13 SIGPIPE 18 SIGCONT 26 | 19 SIGSTOP 27 SIGPROF 26 SIGVTALRM 25 SIGXFSZ 24 SIGXCPU 23 SIGURG 27 | 22 SIGTTOU 5 SIGTRAP 21 SIGTTIN 4 SIGILL 20 SIGTSTP 7 SIGBUS 6 SIGABRT 28 | 1 SIGHUP 3 SIGQUIT 2 SIGINT 29 SIGLOST 28 SIGWINCH 9 SIGKILL 8 SIGFPE 29 | ``` 30 | -------------------------------------------------------------------------------- /src/crackmes/avatao/instructionset.md: -------------------------------------------------------------------------------- 1 | ### .instructionset 2 | 3 | We've now reversed all the VM instructions, and have a full understanding about 4 | how it works. Here is the VM's instruction set: 5 | 6 | | Instruction | 1st arg | 2nd arg | What does it do? | 7 | | ----------- | ------- | ------- | ---------------- | 8 | | "A" | "M" | arg2 | \*sym.current_memory_ptr += arg2 | 9 | | | "P" | arg2 | sym.current_memory_ptr += arg2 | 10 | | | "C" | arg2 | sym.written_by_instr_C += arg2 | 11 | | "S" | "M" | arg2 | \*sym.current_memory_ptr -= arg2 | 12 | | | "P" | arg2 | sym.current_memory_ptr -= arg2 | 13 | | | "C" | arg2 | sym.written_by_instr_C -= arg2 | 14 | | "I" | arg1 | n/a | instr_A(arg1, 1) | 15 | | "D" | arg1 | n/a | instr_S(arg1, 1) | 16 | | "P" | arg1 | n/a | \*sym.current_memory_ptr = arg1; instr_I("P") | 17 | | "X" | arg1 | n/a | \*sym.current_memory_ptr ^= arg1 | 18 | | "J" | arg1 | n/a | arg1_and_0x3f = arg1 & 0x3f;
if (arg1 & 0x40 != 0)
  arg1_and_0x3f \*= -1
if (arg1 >= 0) return arg1_and_0x3f;
else if (\*sym.written_by_instr_C != 0) {
  if (arg1_and_0x3f < 0)
    ++\*sym.good_if_ne_zero;
  return arg1_and_0x3f;
} else return 2; | 19 | | "C" | arg1 | n/a | \*sym.written_by_instr_C = arg1 | 20 | | "R" | arg1 | n/a | return(arg1) | 21 | -------------------------------------------------------------------------------- /src/tools/rabin2/symbols.md: -------------------------------------------------------------------------------- 1 | ### Symbols and Exports 2 | 3 | With rabin2, the generated symbols list format is similar to the imports list. Use the `-s` option to get it: 4 | 5 | ```console 6 | $ rabin2 -s /bin/ls | head 7 | [Symbols] 8 | 9 | nth paddr vaddr bind type size lib name 10 | ------------------------------------------------------ 11 | 110 0x000150a0 0x000150a0 GLOBAL FUNC 56 _obstack_allocated_p 12 | 111 0x0001f600 0x0021f600 GLOBAL OBJ 8 program_name 13 | 112 0x0001f620 0x0021f620 GLOBAL OBJ 8 stderr 14 | 113 0x00014f90 0x00014f90 GLOBAL FUNC 21 _obstack_begin_1 15 | 114 0x0001f600 0x0021f600 WEAK OBJ 8 program_invocation_name 16 | 115 0x0001f5c0 0x0021f5c0 GLOBAL OBJ 8 alloc_failed_handler 17 | 116 0x0001f5f8 0x0021f5f8 GLOBAL OBJ 8 optarg 18 | 117 0x0001f5e8 0x0021f5e8 GLOBAL OBJ 8 stdout 19 | 118 0x0001f5e0 0x0021f5e0 GLOBAL OBJ 8 program_short_name 20 | ``` 21 | 22 | With the `-sr` option rabin2 produces a radare2 script instead. It can later be passed to the core to automatically flag all symbols and to define corresponding byte ranges as functions and data blocks. 23 | 24 | ```console 25 | $ rabin2 -sr /bin/ls | head 26 | fs symbols 27 | f sym.obstack_allocated_p 56 0x000150a0 28 | f sym.program_invocation_name 8 0x0021f600 29 | f sym.stderr 8 0x0021f620 30 | f sym.obstack_begin_1 21 0x00014f90 31 | f sym.program_invocation_name 8 0x0021f600 32 | f sym.obstack_alloc_failed_handler 8 0x0021f5c0 33 | f sym.optarg 8 0x0021f5f8 34 | f sym.stdout 8 0x0021f5e8 35 | f sym.program_invocation_short_name 8 0x0021f5e0 36 | ``` 37 | -------------------------------------------------------------------------------- /src/plugins/r2js.md: -------------------------------------------------------------------------------- 1 | ## R2JS Plugins 2 | 3 | The javascript runtime embedded in radare2 provides a way to implement different types of plugins. 4 | 5 | Check out the `r2skel` project for more examples, but we will cover the basics now. 6 | 7 | ```js 8 | (function () { 9 | r2.unload("core", "mycore"); 10 | r2.plugin("core", function () { 11 | console.log("==> The 'mycore' plugin has been instantiated. Type 'mycore' to test it"); 12 | function coreCall(cmd) { 13 | if (cmd.startsWith("mycore")) { 14 | console.log("Hello From My Core!"); 15 | return true; 16 | } 17 | return false; 18 | } 19 | return { 20 | "name": "mycore", 21 | "license": "MIT", 22 | "desc": "simple core plugin in typescript for radare2", 23 | "call": coreCall, 24 | }; 25 | }); 26 | })(); 27 | ``` 28 | 29 | Some notes on this code: 30 | 31 | * The whole code is wrapped inside an anonymous function call, this way we don't polute the global scope. 32 | * Use r2.unload() and r2.plugin() to unload and register new plugins 33 | * Register a plugin by passing the plugin type and a function 34 | * The initialization function returns a object describing it 35 | 36 | This code runs inside radare2, this means that it will be _fast_, and by fast I mean faster than Python, r2pipe and will be closer to the `C` plugins. Not just for running, but also for loading, because the js runtime is already there, use r2js plugins if possible if you care about performance. 37 | 38 | You can find other plugin examples in the examples directory in radare2. 39 | -------------------------------------------------------------------------------- /src/plugins/dev-other.md: -------------------------------------------------------------------------------- 1 | ## Debugger plugins 2 | 3 | * Adding the debugger registers profile into the shlr/gdb/src/core.c 4 | * Adding the registers profile and architecture support in the libr/debug/p/debug_native.c and libr/debug/p/debug_gdb.c 5 | * Add the code to apply the profiles into the function `r_debug_gdb_attach(RDebug *dbg, int pid)` 6 | 7 | If you want to add support for the gdb, you can see the register profile in the active gdb session using command `maint print registers`. 8 | 9 | ### More to come 10 | 11 | * Related article: 12 | 13 | Some commits related to "Implementing a new architecture" 14 | 15 | * Extensa: 16 | * Malbolge: 17 | * 6502: 18 | * h8300: 19 | * GBA: 20 | * CR16: && 726 21 | * XCore: 22 | * SharpLH5801: 23 | * MSP430: 24 | * HP-PA-RISC: 25 | * V810: 26 | * TMS320: 27 | -------------------------------------------------------------------------------- /src/tools/rahash2/encode.md: -------------------------------------------------------------------------------- 1 | ### Encoding with rahash2 2 | 3 | As mentioned before, this tool also provide the tooling needed to encode and decode between different encodings 4 | 5 | ```console 6 | $ rahash2 -L | grep ^e 7 | e base64 8 | e base91 9 | e punycode 10 | ``` 11 | 12 | For example, to encode a string into base64 use the following line: 13 | 14 | ```console 15 | $ rahash2 -E base64 -s hello 16 | ``` 17 | 18 | You can decode it by using the -D flag instead of -E. 19 | 20 | ### Encryption/Decryption 21 | 22 | For encrypting data check the crypto hash plugins: 23 | 24 | ```console 25 | $ rahash2 -L | grep "^c"  ✔ 26 | c aes-ecb Rijndael block cipher with Electronic Code Book mode 27 | c aes-cbc Rijndael block cipher with Cipher Block Chaining mode 28 | c aes-wrap Rijndael block cipher with Key Wrap Algorithm (RFC 3394) 29 | c blowfish Bruce Schneier's symetric-key block cipher 30 | c cps2 Capcom Play System 2 31 | c des-ecb DES with with Electronic Code Book mode 32 | c rc2 Ron Rivest's Code symmetric key encryption also known as ARC2 33 | c rc4 Rivest Cipher 4 34 | c rc6 Rivest's Cipher 6 35 | c serpent-ecb Serpent block cipher with Electronic Code Book mode 36 | c sm4-ecb ShāngMì4 block cipher with Electronic Code Book mode 37 | c xor Byte level Exclusive Or 38 | ``` 39 | 40 | Here's an example usage to encrypt a string using rahash2: 41 | 42 | ```console 43 | $ rahash2 -E xor -S s:password -s hello | hexdump -C 44 | 00000000 18 04 1f 1f 18 45 | ``` 46 | -------------------------------------------------------------------------------- /src/debugger/windows_messages.md: -------------------------------------------------------------------------------- 1 | ## Windows Messages 2 | 3 | On Windows, you can use `dbW` while debugging to set a breakpoint for the message handler of a specific window. 4 | 5 | Get a list of the current process windows with `dW` : 6 | 7 | ```console 8 | [0x7ffe885c1164]> dW 9 | .----------------------------------------------------. 10 | | Handle | PID | TID | Class Name | 11 | )----------------------------------------------------( 12 | | 0x0023038e | 9432 | 22432 | MSCTFIME UI | 13 | | 0x0029049e | 9432 | 22432 | IME | 14 | | 0x002c048a | 9432 | 22432 | Edit | 15 | | 0x000d0474 | 9432 | 22432 | msctls_statusbar32 | 16 | | 0x00070bd6 | 9432 | 22432 | Notepad | 17 | `----------------------------------------------------' 18 | ``` 19 | 20 | Set the breakpoint with a message type, together with either the window class name or its handle: 21 | 22 | ```console 23 | [0x7ffe885c1164]> dbW WM_KEYDOWN Edit 24 | Breakpoint set. 25 | ``` 26 | 27 | Or 28 | 29 | ```console 30 | [0x7ffe885c1164]> dbW WM_KEYDOWN 0x002c048a 31 | Breakpoint set. 32 | ``` 33 | 34 | If you aren't sure which window you should put a breakpoint on, use `dWi` to identify it with your mouse: 35 | 36 | ```console 37 | [0x7ffe885c1164]> dWi 38 | Move cursor to the window to be identified. Ready? y 39 | Try to get the child? y 40 | .--------------------------------------------. 41 | | Handle | PID | TID | Class Name | 42 | )--------------------------------------------( 43 | | 0x002c048a | 9432 | 22432 | Edit | 44 | `--------------------------------------------' 45 | ``` 46 | -------------------------------------------------------------------------------- /src/plugins/r2skel.md: -------------------------------------------------------------------------------- 1 | # r2skel 2 | 3 | This project ships basic skeletons to start writing projects that work with radare2. 4 | 5 | The repository have different type of plugins and scripts organized by language and cathegories depending on its functionalities. 6 | 7 | * Tool: r2, r2ai, r2frida, .. 8 | * Language: C, r2js, Node, Python, TypeScript, .. 9 | * Purpose: Plugin, Script, Bindings, Native APIs 10 | * Module: Core, Bin, Arch, Debug, .. 11 | 12 | ## Installation 13 | 14 | ```console 15 | $ r2pm -ci r2skel 16 | ``` 17 | 18 | ## Usage Example 19 | 20 | If the r2pm bindir is not in your PATH you can spawn the tool with `r2pm -r`: 21 | 22 | ```console 23 | $ r2pm -r r2skel 24 | r2skel [-lL] | [template] [new-directory] 25 | Options: 26 | -l - list all the available project templates 27 | -L - list all the languages 28 | Templates: 29 | - r2-plugin-arch-py 30 | - r2-plugin-bin-c 31 | - r2-plugin-core-c 32 | - r2-plugin-core-js 33 | - r2-plugin-core-py 34 | - r2-plugin-core-ts 35 | - r2-plugin-io-c 36 | - r2-plugin-io-js 37 | - r2-plugin-io-py 38 | - r2-plugin-parse-c 39 | - r2-plugin-parse-js 40 | - r2-program-libr-c 41 | - r2-program-libr-v 42 | - r2-script-lang-c 43 | - r2-script-lang-nim 44 | - r2-script-r2papi-ts 45 | - r2-script-r2pipe-nodejs 46 | - r2-script-r2pipe-rust 47 | - r2-script-r2pipe-swift 48 | - r2-script-r2pipe-ts 49 | - r2ai-script-cmd-py 50 | - r2frida-plugin-cmd-js 51 | $ 52 | ``` 53 | 54 | Now you are ready to create your first example: 55 | 56 | ```console 57 | $ r2pm -r r2skel r2-plugin-core-js coreplug 58 | $ cd coreplug 59 | $ make 60 | $ r2 -i coreplug.js -- 61 | [0x00000000]> coreplug 62 | ... 63 | ``` 64 | -------------------------------------------------------------------------------- /src/scripting/r2pipe2.md: -------------------------------------------------------------------------------- 1 | ## R2Pipe2 2 | 3 | The original **r2pipe** protocol is very simple, this have some advantages, but also some inconvieniences and limitations. 4 | 5 | The 2nd version aims to address these problems by extending the r2 shell with a new command: `{`. 6 | 7 | Sounds funny? Probably yes, but it works and keeps the things simple and powerful. 8 | 9 | The new `{` command (introduced in r2-5.9.x) permits to enter a JSON object right into the r2 shell, the output of the command will be another json containing not just the output of the command executed, but also some extra information that was missing in the previous version. 10 | 11 | * Command output 12 | * Return value 13 | * Return code 14 | * Error reason 15 | * Log messages 16 | 17 | As long as the JSON object can be easily extended in the future more 18 | 19 | ### R2pipe2 Example 20 | 21 | The { object takes the mandatory "cmd" parameter, but can also handle two more fields: 22 | 23 | * json: output of the command inlined as json in the resulting object 24 | * trim: remove trailing spaces in the output of the command 25 | 26 | Let's check the help: 27 | 28 | ```console 29 | [0x00000000]> {? 30 | Usage: {"cmd":"...","json":false,"trim":true} # `cmd` is required 31 | [0x00000000]> 32 | ``` 33 | 34 | For example: 35 | 36 | ```console 37 | [0x00000000]> '{"cmd":"?e hello"} 38 | {"res":"hello\n","error":false,"value":256,"code":0,"code":0} 39 | [0x00000000]> 40 | ``` 41 | 42 | ### R2pipe2 APIs 43 | 44 | As you can imagine, the new { command can be used directly from an `r2.callj` command. But r2pipe2 Python, TypeScript and R2JS implementations expose the `r2.cmd2` and `r2.cmd2j` functions to abstract this. 45 | -------------------------------------------------------------------------------- /src/crackmes/ioli/intro.md: -------------------------------------------------------------------------------- 1 | ## IOLI CrackMes 2 | 3 | The Ioli Crackmes are a series of reverse engineering exercises designed by Pau Oliva Fora for users of Radare1, this revision is up to date with the latest version of Radare2. 4 | 5 | These exercises are intended to help you learn and practice reverse engineering techniques using Radare2. Each crackme is a self-contained challenge that requires you to analyze and understand executable files, gradually building your skills as you progress. 6 | 7 | Each crackme in the series is slightly more difficult than the previous one, introducing new concepts and commands at a manageable pace. This incremental difficulty helps ease the learning process, ensuring that you gain a solid understanding of basic techniques before moving on to more complex tasks. As you advance, you will become more proficient in using Radare2 and develop a deeper understanding of reverse engineering principles. 8 | 9 | Every crackme is presented in three sections: 10 | 11 | * An introduction that explains the challenge to be solved, 12 | * Hints that provide guidance on useful commands and steps to follow 13 | * Solution section that offers a step-by-step guide to solving the challenge. 14 | 15 | This structured approach ensures that you not only learn how to solve each specific crackme but also understand the underlying concepts and methodologies, allowing you to apply these skills to other reverse engineering tasks in the future. 16 | 17 | Contents based on the [dustri](http://dustri.org/b/defeating-ioli-with-radare2.html) tutorials. 18 | 19 | The binaries are available at [mirror](https://github.com/radareorg/radare2-book/raw/master/src/crackmes/ioli/IOLI-crackme.tar.gz) 20 | -------------------------------------------------------------------------------- /.one.markdownlint-cli2.jsonc: -------------------------------------------------------------------------------- 1 | // Configuration for single markdown output for markdownlint (DavidAnson) 2 | { 3 | // Ignore files referenced by .gitignore (only valid at root) 4 | "gitignore": false, 5 | 6 | // Configure linting 7 | // https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.jsonc 8 | "config": { 9 | // Default state for all rules 10 | "default": false, 11 | 12 | // Path to configuration file to extend 13 | "extends": null, 14 | 15 | // MD001/heading-increment : Heading levels should only increment by one level at a time : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md001.md 16 | "MD001": true, 17 | 18 | // MD024/no-duplicate-heading : Multiple headings with the same content : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md024.md 19 | "MD024": { 20 | // Only check sibling headings 21 | "siblings_only": true 22 | }, 23 | 24 | // MD051/link-fragments : Link fragments should be valid : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md051.md 25 | "MD051": true, 26 | 27 | // MD052/reference-links-images : Reference links and images should use a label that is defined : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md052.md 28 | "MD052": { 29 | // Include shortcut syntax 30 | "shortcut_syntax": false 31 | }, 32 | 33 | // MD053/link-image-reference-definitions : Link and image reference definitions should be needed : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md053.md 34 | "MD053": { 35 | // Ignored definitions 36 | "ignored_definitions": [ 37 | "//" 38 | ] 39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /src/intro/intro.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | This is the official book of the radare project. 4 | 5 | _This is a collaborative and community-driven project, if you want to improve the status of the documentation check out the contributing chapter and submit pull requests to the repository_ 6 | 7 | * [GitHub](https://github.com/radareorg/radare2-book) 8 | * [PDF](https://github.com/radareorg/radare2-book/releases/latest/download/r2book.pdf) 9 | * [ePUB](https://github.com/radareorg/radare2-book/releases/latest/download/r2book.epub) 10 | * [Online Html](https://book.rada.re/) - built with mdbook 11 | * [Gemini Capsule](gemini://radare.org/book) - md2gmi 12 | 13 | The minimum version of radare2 required to follow this book is r2-5.8.x, but it is recommended to always use the last release or build it from git. 14 | 15 | ## Book Editions 16 | 17 | This book was written with **Halibut** in 2009 by pancake focusing on `radare`. The initial implementation of the tooling, unfortunately the code evolved faster than the documentation did, and the book became obsolete, for historical reasons this version can be found in this webpage: 18 | 19 | * [radare1 book pdf](https://rada.re/get/radare.pdf) 20 | 21 | During 2014, Maijin reorganized and updated the contents, other contributors over the Internet also helped to get new stuff in and after some reviews the book was now readily available for the first time in PDF, ePUB and Hardcover printed versions. 22 | 23 | * [https://book.rada.re](https://book.rada.re) 24 | 25 | Unfornately, the documentation part of the project got stuck again; and 10 years later, in 2024, pancake worked back updating and polish its contents. Looking towards the 3rd edition that may be ready by the end of the same year. 26 | -------------------------------------------------------------------------------- /.github/workflows/mdbook.yml: -------------------------------------------------------------------------------- 1 | name: Publish to GitHub Pages 2 | 3 | on: 4 | # Runs on pushes targeting the master branch 5 | push: 6 | branches: 7 | - master 8 | 9 | # Allows you to run this workflow manually from the Actions tab 10 | workflow_dispatch: 11 | 12 | # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages 13 | permissions: 14 | contents: read 15 | pages: write 16 | id-token: write 17 | 18 | # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. 19 | # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. 20 | concurrency: 21 | group: "pages" 22 | cancel-in-progress: false 23 | 24 | jobs: 25 | # Build job 26 | build: 27 | runs-on: ubuntu-latest 28 | env: 29 | MDBOOK_VERSION: 0.4.40 30 | steps: 31 | - uses: actions/checkout@v6 32 | - name: Install mdBook 33 | run: curl -Ls "https://github.com/rust-lang/mdBook/releases/download/v${MDBOOK_VERSION}/mdbook-v${MDBOOK_VERSION}-x86_64-unknown-linux-gnu.tar.gz" | tar -C /usr/local/bin/ -xzf - 34 | - name: Setup Pages 35 | id: pages 36 | uses: actions/configure-pages@v5 37 | - name: Build with mdBook 38 | run: mdbook build 39 | - name: Upload artifact 40 | uses: actions/upload-pages-artifact@v4 41 | with: 42 | path: ./book 43 | 44 | # Deployment job 45 | deploy: 46 | environment: 47 | name: github-pages 48 | url: ${{ steps.deployment.outputs.page_url }} 49 | runs-on: ubuntu-latest 50 | needs: build 51 | steps: 52 | - name: Deploy to GitHub Pages 53 | id: deployment 54 | uses: actions/deploy-pages@v4 -------------------------------------------------------------------------------- /src/tools/radiff2/codediff.md: -------------------------------------------------------------------------------- 1 | ## Code Diffing 2 | 3 | This tool can be also used to compare code, which can be really handy when analyzing two shellcodes, functions or libraries, looking for changes in its code. 4 | 5 | To understand this feature we will start by using the basic delta diffing from the previous data analysis example but using the `-D` flag to display the changes in assembly instead of hexadecimal data. 6 | 7 | Note that radiff2 permits to specify the arch/bits/.. settings using these flags: 8 | 9 | ```console 10 | $ radiff2 -h | grep -e arch -e bits 11 | -a [arch] specify architecture plugin to use (x86, arm, ..) 12 | -b [bits] specify register size for arch (16 (thumb), 32, 64, ..) 13 | ``` 14 | 15 | Let's test it out! 16 | 17 | ```console 18 | $ cat 1 19 | j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A 20 | $ cat 2 21 | j0X4PX0PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J 22 | ``` 23 | 24 | Wen can compare the changes as disassembly like this: 25 | 26 | ```console 27 | $ radiff2 -D 5 6 28 | push 0x30 29 | pop rax 30 | xor al, 0x30 31 | + push rax 32 | + pop rax 33 | pop rdx 34 | xor ax, 0x4f73 35 | xor ax, 0x3041 36 | push rax 37 | ``` 38 | 39 | So we can see that the second file added an extra `push rax + pop rax` which is basically a nop, and maybe this was introduced to bypass some signatures to avoid being detected. 40 | 41 | If you are looking for some more advanced bindiffing tool for code you may want to have a look at the `r2diaphora` and the zignatures features under the `z` command in the radare2 shell. 42 | 43 | It's also possible to compare the changes between two functions using the `-g` flag, but you'll need to analize both binaries using the `-A` flag, and tell the symbol name as target. 44 | -------------------------------------------------------------------------------- /src/r2frida/intro.md: -------------------------------------------------------------------------------- 1 | # r2frida 2 | 3 | r2frida is a plugin that merges the capabilities of radare2 and Frida, allowing you to inspect and manipulate running processes. It is useful for dynamic analysis and debugging, leveraging radare2's reverse engineering tools and Frida's dynamic instrumentation. 4 | 5 | With r2frida you can use short mnemonic r2 commands instead of having to type long javascript oneliners in the prompt, also those commands are executed inside the target process and are well integrated with radare2, allowing to import all the analysis information from dynamic instrumentation into your static analysis environment. 6 | 7 | Some of the most relevant features include: 8 | 9 | * Running Frida scripts with :. command 10 | * Executing snippets in C, JavaScript, or TypeScript 11 | * Attaching, spawning, or launching processes locally or remotely 12 | * Listing sections, symbols, classes, methods 13 | * Searching memory, creating hooks, and manipulating file descriptors 14 | * Supporting Dalvik, Java, ObjC, Swift, and C interfaces 15 | 16 | ## Installation 17 | 18 | Install r2frida via radare2 package manager: 19 | 20 | ```console 21 | $ r2pm -ci r2frida 22 | ``` 23 | 24 | Now you should be able to test if the system session works by running the following command: 25 | 26 | ```console 27 | $ r2 frida://0 28 | ``` 29 | 30 | If this is not working try with the `R2_DEBUG=1` environment variable set and see if there's any relevant error. Maybe the plugin is not loaded or it was not compiled for the specific version of radare2 that you are using. 31 | 32 | The URI handler of r2frida can be quite complex as it allows you to specify different ways to start a process, attaching as well as the communication channel, permitting it to connect though usb, tcp or working with local programs. 33 | -------------------------------------------------------------------------------- /sys/lintrefs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | cd $(dirname "$0")/.. 4 | 5 | posix_pushd() { 6 | if [ $# -eq 0 ]; then 7 | echo "Usage: pushd " 8 | return 1 9 | fi 10 | 11 | DIR=$1 12 | if [ ! -d "${DIR}" ]; then 13 | echo "pushd: ${DIR}: No such directory" 14 | return 1 15 | fi 16 | 17 | # Save the current directory on the stack 18 | DIR_STACK="$PWD $DIR_STACK" 19 | 20 | # Change to the new directory 21 | cd "${DIR}" || return 1 22 | 23 | # Print the new stack 24 | echo "$DIR_STACK" 25 | } 26 | 27 | # Function to pop a directory off the stack 28 | posix_popd() { 29 | if [ -z "$DIR_STACK" ]; then 30 | echo "popd: directory stack empty" 31 | return 1 32 | fi 33 | 34 | # Extract the first directory from the stack 35 | DIR=$(echo "$DIR_STACK" | awk '{print $1}') 36 | DIR_STACK=$(echo "$DIR_STACK" | cut -d' ' -f2-) 37 | 38 | # Change to the directory 39 | cd "$DIR" || return 1 40 | 41 | # Print the new stack 42 | echo "$DIR_STACK" 43 | } 44 | 45 | RV=0 46 | find_markdown_files() { 47 | (echo "$1" | grep "://") && return 48 | local D=`dirname "$1"` 49 | posix_pushd "$D" > /dev/null 50 | local F=`basename "$1"` 51 | local file="$F" 52 | 53 | echo "$PWD/$F" 54 | # Extract referenced markdown files 55 | grep -o '\[.*\](.*\.md)' "$file" | sed -n 's/.*(\(.*\.md\)).*/\1/p' | grep -v :// | while read -r ref; do 56 | if [ -f "$ref" ]; then 57 | find_markdown_files "$ref" 58 | else 59 | echo "\033[31mReferenced file '$ref' not found. From $PWD/$F\033[0m" > /dev/stderr 60 | RV=1 61 | fi 62 | done 63 | posix_popd > /dev/null 64 | } 65 | 66 | # Check if a file is provided 67 | F="$1" 68 | [ -z "$1" ] && F=src/SUMMARY.md 69 | 70 | # Start the recursive search with the provided file 71 | find_markdown_files "$F" 72 | exit $RV 73 | -------------------------------------------------------------------------------- /src/install/troubleshooting.md: -------------------------------------------------------------------------------- 1 | ## Troubleshooting 2 | 3 | Sometimes, old builds or conflicting versions can cause problems, such as tools using the wrong version of libraries, plugins not loading, or crashes with segmentation faults at startup. Here are some steps to help you resolve these issues. 4 | 5 | We will assume you have tried to build radare2 with meson and make: 6 | 7 | * your builddir doesnt contain spaces 8 | * the repository is a clean clone 9 | * you read the error messages carefully 10 | * you have at least make, gcc, git, patch working 11 | 12 | First, if you encounter issues during startup, you can use the `R2_DEBUG=1` environment variable to see detailed debugging information. This can help you understand what is going wrong during the initialization of radare2. 13 | 14 | ```sh 15 | export R2_DEBUG=1 16 | radare2 - 17 | ``` 18 | 19 | To remove old builds of radare2 from your system, you can run the make purge command. This command will remove previous installations of radare2 from various common prefix paths. 20 | 21 | ```sh 22 | ./configure --prefix=/old/r2/prefix/installation 23 | make purge 24 | ``` 25 | 26 | Additionally, you may need to remove the plugin directory from your home directory to ensure no old or incompatible plugins are causing issues. You can do this by deleting the local/share/radare2/plugins directory. 27 | 28 | ```sh 29 | rm -rf ~/.local/share/radare2/plugins 30 | ``` 31 | 32 | If you use r2pm (radare2 package manager), it is also a good idea to clear the r2pm cache to free up some disk space and remove potentially problematic cached files. You can do this by deleting the ~/.local/share/radare2/r2pm directory. 33 | 34 | ```sh 35 | rm -rf ~/.local/share/radare2/r2pm 36 | ``` 37 | 38 | By following these steps, you can clean up old installations and resolve common issues that might arise during the installation and usage of radare2. 39 | -------------------------------------------------------------------------------- /src/debugger/files.md: -------------------------------------------------------------------------------- 1 | ## Files 2 | 3 | The radare2 debugger allows the user to list and manipulate the file descriptors from the target process. 4 | 5 | This is a useful feature, which is not found in other debuggers, the functionality is similar to the lsof command line tool, but have extra subcommands to change the seek, close or duplicate them. 6 | 7 | So, at any time in the debugging session you can replace the stdio file descriptors to use network sockets created by r2, or replace a network socket connection to hijack it. 8 | 9 | This functionality is also available in r2frida by using the dd command prefixed with a backslash. In r2 you may want to see the output of dd? for proper details. 10 | 11 | ```console 12 | [0x00000000]> dd? 13 | Usage: dd Manage file descriptors for child process (* to show r2 commands) 14 | | dd[*] list file descriptors 15 | | dd[*] open file as read-only (r--); addr = use as char* for path 16 | | dd+[*] open/create file as read-write (rw-); addr = use as char* for path 17 | | dd-[*] close fd 18 | | ddt[*] close terminal fd (alias for `dd- 0`) 19 | | dds[*] [offset] seek fd to offset (no offset = seek to beginning) 20 | | ddd[*] copy oldfd to newfd with dup2 21 | | ddf[*] create pipe and write fds to (int[2])addr 22 | | ddr[*] read bytes from fd into (char*)addr 23 | | ddw[*] write bytes from (const char*)addr to fd 24 | [0x00000000]> 25 | ``` 26 | 27 | ### Tweaking descriptors 28 | 29 | The dd command will use ragg2 internally to compile a shellcode that is then injected into the target process to manipulate the file descriptors. 30 | 31 | For example if we want to open a file we can use this: 32 | 33 | `dd /bin/ls` 34 | 35 | We can also close that file with: `dd-4` 36 | -------------------------------------------------------------------------------- /src/plugins/troubles.md: -------------------------------------------------------------------------------- 1 | ## Troubleshooting 2 | 3 | It is common to have an issues when you write a plugin, especially if you do this for the first time. 4 | 5 | This is why debugging them is very important. The first step for debugging is to set an environment variable when running radare2 instance: 6 | 7 | ```console 8 | $ R2_DEBUG=yes r2 /bin/ls 9 | Loading /usr/local/lib/radare2/2.2.0-git//bin_xtr_dyldcache.so 10 | Cannot find symbol 'radare_plugin' in library '/usr/local/lib/radare2/2.2.0-git//bin_xtr_dyldcache.so' 11 | Cannot open /usr/local/lib/radare2/2.2.0-git//2.2.0-git 12 | Loading /home/user/.config/radare2/plugins/asm_mips_ks.so 13 | PLUGIN OK 0x55b205ea6070 fcn 0x7f298de08762 14 | Loading /home/user/.config/radare2/plugins/asm_sparc_ks.so 15 | PLUGIN OK 0x55b205ea6070 fcn 0x7f298de08762 16 | Cannot open /home/user/.config/radare2/plugins/pimp 17 | Cannot open /home/user/.config/radare2/plugins/yara 18 | Loading /home/user/.config/radare2/plugins/asm_arm_ks.so 19 | PLUGIN OK 0x55b205ea6070 fcn 0x7f298de08762 20 | Loading /home/user/.config/radare2/plugins/core_yara.so 21 | Module version mismatch /home/user/.config/radare2/plugins/core_yara.so (2.1.0) vs (2.2.0-git) 22 | Loading /home/user/.config/radare2/plugins/asm_ppc_ks.so 23 | PLUGIN OK 0x55b205ea6070 fcn 0x7f298de08762 24 | Loading /home/user/.config/radare2/plugins/lang_python3.so 25 | PLUGIN OK 0x55b205ea5ed0 fcn 0x7f298de08692 26 | Loading /usr/local/lib/radare2/2.2.0-git/bin_xtr_dyldcache.so 27 | Cannot find symbol 'radare_plugin' in library '/usr/local/lib/radare2/2.2.0-git/bin_xtr_dyldcache.so' 28 | Cannot open /usr/local/lib/radare2/2.2.0-git/2.2.0-git 29 | Cannot open directory '/usr/local/lib/radare2-extras/2.2.0-git' 30 | Cannot open directory '/usr/local/lib/radare2-bindings/2.2.0-git' 31 | USER CONFIG loaded from /home/user/.config/radare2/radare2rc 32 | -- In visual mode press 'c' to toggle the cursor mode. Use tab to navigate 33 | [0x00005520]> 34 | ``` 35 | -------------------------------------------------------------------------------- /src/r2fwrev/setup.md: -------------------------------------------------------------------------------- 1 | ## Project Organization 2 | 3 | The most common way to get ready with radare2 to analyze a firmware is usually to create a directory containing the firmware file, a makefile or shellscript and a directory to hold few companion files that will help us get all the stuff in place everytime we start the shell. 4 | 5 | The reason for not using projects is because usually these targets require some special setups, custom scripts, manual tries and errors and obviously not using the default autoanalysis. 6 | 7 | This way we have full control on how r2 will behave and we can always change any line of the scripts to get the right behaviour. 8 | 9 | ```console 10 | $ cat Makefile 11 | BADDR=0x8000000 12 | all: 13 | r2 -i script.r2 -m $BADDR dump.bin 14 | 15 | $ cat script.r2 16 | f entry0=0x8005320 17 | s entry0 18 | CC evertyhing starts here 19 | afr 20 | ``` 21 | 22 | ## Cpu model 23 | 24 | First of all we need to know or guess which is the target architecture the blob is suposed to be executed. 25 | 26 | As long as this file is just a raw dump there is no metadata that can be retrieved from RBin to auto configure the asm.arch and asm.cpu variables. 27 | 28 | In some cases the chip is covered with black plastic, hiding the actual model or architecture details. If looking for documentation online doesn't rings any bell we can always try for the most common options until we get a meaningful disassembly listing. 29 | 30 | The most common architectures we will find when analysing firmwares or flash dumps are: arm, thumb, tricore, v850, mips, riscv, stm8, tms320 or mcs64. 31 | 32 | You can change any of the following options inside the r2 shell after loading the file to see what's in the output of `pd` for us. 33 | 34 | ```console 35 | e asm.arch=? 36 | e asm.bits=? 37 | e asm.cpu=? 38 | e cfg.bigendian=true|false 39 | ``` 40 | 41 | For example a big endian ARM-Thumb environment can be configured like this: 42 | 43 | `$ r2 -a arm -b 16 -e cfg.bigendian=true` 44 | -------------------------------------------------------------------------------- /src/tools/rabin2/strings.md: -------------------------------------------------------------------------------- 1 | ### Strings 2 | 3 | The `-z` option is used to list readable strings found in the .rodata section of ELF binaries, or the .text section of PE files. Example: 4 | 5 | ```console 6 | $ rabin2 -z /bin/ls | head 7 | [Strings] 8 | nth paddr vaddr len size section type string 9 | ------------------------------------------------------- 10 | 000 0x000160f8 0x000160f8 11 12 (.rodata) ascii dev_ino_pop 11 | 001 0x00016188 0x00016188 10 11 (.rodata) ascii sort_files 12 | 002 0x00016193 0x00016193 6 7 (.rodata) ascii posix- 13 | 003 0x0001619a 0x0001619a 4 5 (.rodata) ascii main 14 | 004 0x00016250 0x00016250 10 11 (.rodata) ascii ?pcdb-lswd 15 | 005 0x00016260 0x00016260 65 66 (.rodata) ascii # Configuration file for dircolors, a utility to help you set the 16 | 006 0x000162a2 0x000162a2 72 73 (.rodata) ascii # LS_COLORS environment variable used by GNU ls with the --color option. 17 | 007 0x000162eb 0x000162eb 56 57 (.rodata) ascii # Copyright (C) 1996-2018 Free Software Foundation, Inc. 18 | 008 0x00016324 0x00016324 70 71 (.rodata) ascii # Copying and distribution of this file, with or without modification, 19 | 009 0x0001636b 0x0001636b 76 77 (.rodata) ascii # are permitted provided the copyright notice and this notice are preserved. 20 | ``` 21 | 22 | With the `-zr` option, this information is represented as a radare2 commands list. It can be used in a radare2 session to automatically create a flag space called "strings" pre-populated with flags for all strings found by rabin2. 23 | Furthermore, this script will mark corresponding byte ranges as strings instead of code. 24 | 25 | ```console 26 | $ rabin2 -zr /bin/ls | head 27 | fs stringsf str.dev_ino_pop 12 @ 0x000160f8 28 | Cs 12 @ 0x000160f8 29 | f str.sort_files 11 @ 0x00016188 30 | Cs 11 @ 0x00016188 31 | f str.posix 7 @ 0x00016193 32 | Cs 7 @ 0x00016193 33 | f str.main 5 @ 0x0001619a 34 | Cs 5 @ 0x0001619a 35 | f str.pcdb_lswd 11 @ 0x00016250 36 | Cs 11 @ 0x00016250 37 | ``` 38 | -------------------------------------------------------------------------------- /src/search/pattern_search.md: -------------------------------------------------------------------------------- 1 | ## Pattern Search 2 | 3 | ### Pattern Matching Search 4 | 5 | The `/p` command allows you to apply repeated pattern searches on IO backend storage. It is possible to identify repeated byte sequences without explicitly specifying them. The only command's parameter sets minimum detectable pattern length. 6 | Here is an example: 7 | 8 | ```console 9 | [0x00000000]> /p 10 10 | ``` 11 | 12 | This command output will show different patterns found and how many times each of them is encountered. 13 | 14 | It is possible to search patterns with a known difference between consecutive bytes with `/d` command. For example, the command to search all the patterns with the first and second bytes having the first bit which differs and the second and third bytes with the second bit which differs is: 15 | 16 | ```console 17 | [0x00000000]> /d 0102 18 | Searching 2 bytes in [0x0-0x400] 19 | hits: 2 20 | 0x00000118 hit2_0 9a9b9d 21 | 0x00000202 hit2_1 a4a5a7 22 | ``` 23 | 24 | ### Magic Pattern Search 25 | 26 | The `/m` command allows to search for known magic patterns helping to discover hidden filesystem, archives or other known file formats: 27 | 28 | ```console 29 | [0x00000000]> /m 30 | -- 0 120eb 31 | 0x00000000 0 hit0_0 JPEG image , JFIF standard 32 | 0x00009f64 0 hit0_1 ZIP Zip archive data, at least v2.0 to extract 33 | 0x000120d5 0 hit0_2 End of Zip archive 34 | ``` 35 | 36 | Those magic patterns a defined according to the [file command's magic pattern format](https://linux.die.net/man/5/magic). By default radare2 uses all the patterns files in the folder `libr/magic/d/default/`. Searching with all the pattern files may be long but it is possible to use a single file given as argument: 37 | 38 | ```console 39 | [0x00000000]> /m ./libr/magic/d/default/archive 40 | -- 0 120eb 41 | 0x00009f64 0 hit0_0 ZIP Zip archive data, at least v2.0 to extract 42 | 0x000120d5 0 hit0_1 End of Zip archive 43 | ``` 44 | 45 | It also allows to defined and search with custom pattern files. 46 | -------------------------------------------------------------------------------- /src/r2fwrev/devices.md: -------------------------------------------------------------------------------- 1 | ## Peripherals 2 | 3 | Buttons, screens, leds, serial ports and sensors are usually accessible through mapping their registers as part of the memory. Usually this memory can't be read or written directly because every single bit can cause a wait lock, infinite loops, undesired hardware changes, etc 4 | 5 | The Intel X86 architecture used IO ports accessible through two instructions (IN/OUT) to communicate with hardware. But all the RISC machines end up using the memory unit to make them accessible by just using peek and poke operations. 6 | 7 | This is we can find the clock timer in a dword around and we will have a different value each time we read from there. But writing in this dword won't do anything. 8 | 9 | Use flags to name each of these addresses, and you may get xrefs to them when analysing the code. 10 | 11 | ### Loading SVD files 12 | 13 | SVD stands for System View Description. It is a standardized XML-based file format that provides detailed descriptions of the registers, memory, and peripheral mappings of a microcontroller or a system-on-chip (SoC). 14 | 15 | These descriptions are crucial for reverse engineering efforts, as they allow engineers to understand how firmware interacts with the hardware at a low level, facilitating the identification of key functionality, debugging, and modification of firmware. 16 | 17 | By parsing SVD files, reverse engineers can automate the process of mapping firmware code to hardware registers, streamlining the reverse engineering process and improving accuracy. 18 | 19 | The r2svd program takes one of these XML files and creates an r2 script that sets all these flags in the right addresses. 20 | 21 | ```console 22 | $ head tc1767.pspec.r2 23 | f pin.SBCU_ID=0xF0000108 24 | f pin.SBCU_CON=0xF0000110 25 | f pin.SBCU_ECON=0xF0000120 26 | f pin.SBCU_EADD=0xF0000124 27 | f pin.SBCU_EDAT=0xF0000128 28 | f pin.SBCU_DBCNTL=0xF0000130 29 | f pin.SBCU_DBGRNT=0xF0000134 30 | f pin.SBCU_DBADR1=0xF0000138 31 | ``` 32 | 33 | Note that we can extract the ranges of memory where the peripherals are located and we should create new maps to cover them. 34 | -------------------------------------------------------------------------------- /src/analysis/code_analysis.md.snippets: -------------------------------------------------------------------------------- 1 | code_analysis_vv.png " 2 | -[ functions ]---------------- ... 3 | (a) add (x)xrefs (q)quit Visual code review (pdf) 4 | (r) rename (c)calls (g)go / (fcn) entry0 43 5 | (d) delete (v)variables (?)help | entry0 (); 6 | >* 0x00005480 43 entry0 | 0x00005480 xor ebp, ebp 7 | 0x000150f0 46 sym._obstack_allocated_p | 0x00005482 mov r9, rdx 8 | 0x00014fe0 179 sym._obstack_begin_1 | 0x00005485 pop rsi 9 | 0x00014fc0 158 sym._obstack_begin | 0x00005486 mov rdx, rsp 10 | 0x00015130 97 sym._obstack_free | 0x00005489 and rsp, 0xfffffffffffffff0 11 | 0x00015000 283 sym._obstack_newchunk | 0x0000548d push rax 12 | 0x000151a0 36 sym._obstack_memory_used | 0x0000548e push rsp 13 | 0x000033f0 6 sym.imp.__ctype_toupper_loc | 0x0000548f lea r8, [0x00015e40] 14 | 0x00003400 6 sym.imp.__uflow | 0x00005496 lea rcx, [0x00015dd0] 15 | 0x00003410 6 sym.imp.getenv | 0x0000549d lea rdi, [main] ; section..text ; 0x3ac0 ; "AWAVAUATUS\x89\xfdH\x89\xf3H\x83 16 | 0x00003420 6 sym.imp.sigprocmask | 0x000054a4 call qword [reloc.__libc_start_main] ; [0x21efc8:8]=0 17 | 0x00003430 6 sym.imp.__snprintf_chk \ 0x000054aa hlt 18 | 0x00003440 6 sym.imp.raise 19 | 0x00000000 48 sym.imp.free 20 | 0x00003450 6 sym.imp.abort 21 | 0x00003460 6 sym.imp.__errno_location 22 | 0x00003470 6 sym.imp.strncmp 23 | 0x00003480 6 sym.imp.localtime_r 24 | 0x00003490 6 sym.imp._exit 25 | 0x000034a0 6 sym.imp.strcpy 26 | 0x000034b0 6 sym.imp.__fpending 27 | 0x000034c0 6 sym.imp.isatty 28 | " 29 | -------------------------------------------------------------------------------- /src/analysis/calling_conventions.md: -------------------------------------------------------------------------------- 1 | ## Calling Conventions 2 | 3 | Radare2 uses calling conventions to help in identifying function formal arguments and return types. 4 | It is used also as a guide for basic function prototype and type propagation. 5 | 6 | ```console 7 | [0x00000000]> afc? 8 | |Usage: afc[agl?] 9 | | afc convention Manually set calling convention for current function 10 | | afc Show Calling convention for the Current function 11 | | afc=([cctype]) Select or show default calling convention 12 | | afcr[j] Show register usage for the current function 13 | | afca Analyse function for finding the current calling convention 14 | | afcf[j] [name] Prints return type function(arg1, arg2...), see afij 15 | | afck List SDB details of call loaded calling conventions 16 | | afcl List all available calling conventions 17 | | afco path Open Calling Convention sdb profile from given path 18 | | afcR Register telescoping using the calling conventions order 19 | [0x00000000]> 20 | ``` 21 | 22 | * To list all available calling conventions for current architecture using `afcl` command 23 | 24 | ```console 25 | [0x00000000]> afcl 26 | amd64 27 | ms 28 | ``` 29 | 30 | * To display function prototype of standard library functions you have `afcf` command 31 | 32 | ```console 33 | [0x00000000]> afcf printf 34 | int printf(const char *format) 35 | [0x00000000]> afcf fgets 36 | char *fgets(char *s, int size, FILE *stream) 37 | ``` 38 | 39 | All this information is loaded via sdb under `/libr/anal/d/cc-[arch]-[bits].sdb` 40 | 41 | ```c 42 | default.cc=amd64 43 | 44 | ms=cc 45 | cc.ms.name=ms 46 | cc.ms.arg1=rcx 47 | cc.ms.arg2=rdx 48 | cc.ms.arg3=r8 49 | cc.ms.arg3=r9 50 | cc.ms.argn=stack 51 | cc.ms.ret=rax 52 | ``` 53 | 54 | `cc.x.argi=rax` is used to set the ith argument of this calling convention to register name `rax` 55 | 56 | `cc.x.argn=stack` means that all the arguments (or the rest of them in case there was argi for any i as counting number) will be stored in stack from left to right 57 | 58 | `cc.x.argn=stack_rev` same as `cc.x.argn=stack` except for it means argument are passed right to left 59 | -------------------------------------------------------------------------------- /src/tools/ragg2/encoders.md: -------------------------------------------------------------------------------- 1 | ### Shellcode Encoders 2 | 3 | ragg2 offers a few ready-made shellcodes and encoders. 4 | 5 | ```console 6 | $ ragg2 -L 7 | shellcodes: 8 | exec : execute cmd=/bin/sh suid=false 9 | encoders: 10 | xor : xor encoder for shellcode 11 | ``` 12 | 13 | Using the '-i' option, one can generate specify and generate the shellcode. 14 | 15 | ```console 16 | $ ragg2 -i exec 17 | 31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05 18 | ``` 19 | 20 | Similar to the previous section, the output format(c, raw, elf etc.,) can be specified here too along with the architecture and bits. 21 | 22 | ragg2 offers an xor encoder too. The following are the relevant flags/options. 23 | 24 | ```console 25 | $ ragg2 -h 26 | -c [k=v] set configuration options 27 | -E [encoder] use specific encoder. see -L 28 | -L list all plugins (shellcodes and encoders) 29 | ``` 30 | 31 | ```console 32 | $ ragg2 -E xor -c key=32 -i exec 33 | 6a1b596a205be8ffffffffc15e4883c60d301e48ffc6e2f911e0689bf1bdb6b1f0acb7df68d7fb73747fb97277747e901b2f25 34 | ``` 35 | 36 | The same can be done with a .c or .r file output. The first one is the normal output(machine code) and the second is xor encoded. 37 | 38 | ```console 39 | $ ragg2 -a x86 -f raw code1.c 40 | eb0e66666666662e0f1f84000000000050bf01000000488d359f000000ba0d000000e81900000031ff89442404e85e00000031d289042489d059c30f1f440000897c24fc48897424f0895424ec8b5424fc895424dc488b7424f048897424d08b5424ec895424cc8b7c24dc488b7424d08b5424ccb8010000000f0548894424e0488b4424e089c1894c24c88b4424c8c3897c24fc8b7c24fc897c24ec8b7c24ecb83c0000000f0548894424f0488b4424f089c1894c24e88b4424e8c348656c6c6f20576f726c640a00 41 | 42 | $ ragg2 -E xor -c key=127 -a x86 -f raw code1.c 43 | 6ac9596a7f5be8ffffffffc15e4883c60d301e48ffc6e2f994711919191919517060fb7f7f7f7f7f2fc07e7f7f7f37f24ae07f7f7fc5727f7f7f97667f7f7f4e80f63b5b7b97217f7f7f4eadf67b5bf6af26bc70603b7f7ff6035b8337f60b5b8ff62b5b93f42b5b83f62b5ba337f40b5b8f37f60b5baff42b5b93f62b5bb3f4035ba337f40b5baff42b5bb3c77e7f7f7f707a37f63b5b9f37f43b5b9ff6bef6335bb7f43b5bb7bcf6035b83f4035b83f6035b93f4035b93c7437f7f7f707a37f63b5b8f37f43b5b8ff6bef6335b97f43b5b97bc371a1313105f28100d131b757f 44 | ``` 45 | -------------------------------------------------------------------------------- /src/analysis/intro.md: -------------------------------------------------------------------------------- 1 | # Analysis 2 | 3 | Radare2 has a very rich set of commands and configuration options to perform data and code analysis, 4 | to extract useful information from a binary, like pointers, string references, 5 | basic blocks, opcode data, jump targets, cross references and much more. 6 | These operations are handled by the `a` (analyze) command family: 7 | 8 | ``` 9 | |Usage: a[abdefFghoprxstc] [...] 10 | | aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) 11 | | a8 [hexpairs] analyze bytes 12 | | ab[b] [addr] analyze block at given address 13 | | abb [len] analyze N basic blocks in [len] (section.size by default) 14 | | abt [addr] find paths in the bb function graph from current offset to given address 15 | | ac [cycles] analyze which op could be executed in [cycles] 16 | | ad[?] analyze data trampoline (wip) 17 | | ad [from] [to] analyze data pointers to (from-to) 18 | | ae[?] [expr] analyze opcode eval expression (see ao) 19 | | af[?] analyze Functions 20 | | aF same as above, but using anal.depth=1 21 | | ag[?] [options] draw graphs in various formats 22 | | ah[?] analysis hints (force opcode size, ...) 23 | | ai [addr] address information (show perms, stack, heap, ...) 24 | | an [name] [@addr] show/rename/create whatever flag/function is used at addr 25 | | ao[?] [len] analyze Opcodes (or emulate it) 26 | | aO[?] [len] Analyze N instructions in M bytes 27 | | ap find prelude for current offset 28 | | ar[?] like 'dr' but for the esil vm. (registers) 29 | | as[?] [num] analyze syscall using dbg.reg 30 | | av[?] [.] show vtables 31 | | ax[?] manage refs/xrefs (see also afx?) 32 | ``` 33 | 34 | In fact, `a` namespace is one of the biggest in radare2 tool and allows to control 35 | very different parts of the analysis: 36 | 37 | * Code flow analysis 38 | * Data references analysis 39 | * Using loaded symbols 40 | * Managing different type of graphs, like CFG and call graph 41 | * Manage variables 42 | * Manage types 43 | * Emulation using ESIL VM 44 | * Opcode introspection 45 | * Objects information, like virtual tables 46 | -------------------------------------------------------------------------------- /src/r2renef/intro.md: -------------------------------------------------------------------------------- 1 | # r2renef 2 | 3 | r2renef is an IO plugin that merges the capabilities of radare2 and Renef, allowing you to perform powerful static analysis on live Android processes. It bridges radare2's comprehensive reverse engineering toolkit with Renef's dynamic instrumentation engine for ARM64 Android applications. 4 | 5 | With r2renef you can use standard radare2 commands like `pd`, `px`, `pdf`,`w` and `s` directly on running Android processes. The plugin provides seamless integration between radare2's analysis capabilities and Renef's runtime manipulation features, enabling real-time memory inspection, function hooking, and Lua scripting. 6 | 7 | Some of the most relevant features include: 8 | 9 | * Live memory analysis: Read/write process memory through radare2 10 | * Full r2 integration: Use `px`, `pd`, `pf`,`w` commands on live processes 11 | * Renef commands: Access Renef API with `:` prefix commands 12 | * Memory operations: Dump and scan memory with `:md` and `:ms` 13 | * Hook support: Load Lua scripts (`l`), manage hooks with `:hooks` and `:unhook` 14 | * Real-time monitoring: Watch hook callbacks with `:watch` 15 | 16 | ## Installation 17 | 18 | ### Requirements 19 | 20 | * Radare2 (version 5.8.0 or newer) 21 | * Renef running on the Android device 22 | * ARM64 Android device with root access 23 | * ADB (Android Debug Bridge) 24 | 25 | ### Building from Source 26 | 27 | Clone the repository and build: 28 | 29 | ```console 30 | $ git clone https://github.com/ahmeth4n/r2renef 31 | $ cd r2renef 32 | $ make 33 | $ make install 34 | ``` 35 | 36 | Alternatively, using Meson build system: 37 | 38 | ```console 39 | $ meson setup build 40 | $ ninja -C build 41 | $ ninja -C build install 42 | ``` 43 | 44 | ### Verify Installation 45 | 46 | Check that the plugin is loaded: 47 | 48 | ```console 49 | $ r2 -L | grep renef 50 | rw_ renef Renef IO plugin for radare2 51 | ``` 52 | 53 | ## Connecting to a Process 54 | 55 | Before using r2renef, ensure Renef is running on your Android device and configure ADB port forwarding: 56 | 57 | ```console 58 | $ adb forward tcp:1907 localabstract:com.android.internal.os.RuntimeInit; 59 | ``` 60 | 61 | The URI handler supports two modes: 62 | 63 | **Spawn a new process:** 64 | 65 | ```console 66 | $ r2 renef://spawn/com.example.app 67 | ``` 68 | 69 | **Attach to running process by PID:** 70 | 71 | ```console 72 | $ r2 renef://attach/12345 73 | ``` 74 | -------------------------------------------------------------------------------- /src/commandline/block_size.md: -------------------------------------------------------------------------------- 1 | ## Block Size 2 | 3 | The block size determines how many bytes radare2 commands will process when not given an explicit size argument. You can temporarily change the block size by specifying a numeric argument to the print commands. For example `px 20`. 4 | 5 | ```console 6 | [0x00000000]> b? 7 | Usage: b[f] [arg] # Get/Set block size 8 | | b 33 set block size to 33 9 | | b eip+4 numeric argument can be an expression 10 | | b display current block size 11 | | b+3 increase blocksize by 3 12 | | b-16 decrease blocksize by 16 13 | | b* display current block size in r2 command 14 | | bf foo set block size to flag size 15 | | bj display block size information in JSON 16 | | bm 1M set max block size 17 | ``` 18 | 19 | The `b` command is used to change the block size: 20 | 21 | ```console 22 | [0x00000000]> b 0x100 # block size = 0x100 23 | [0x00000000]> b+16 # ... = 0x110 24 | [0x00000000]> b-32 # ... = 0xf0 25 | ``` 26 | 27 | The `bf` command is used to change the block size to value specified by a flag. For example, in symbols, the block size of the flag represents the size of the function. To make that work, you have to either run function analysis `af` (which is included in `aa`) or manually seek and define some functions e.g. via `Vd`. 28 | 29 | ```console 30 | [0x00000000]> bf sym.main # block size = sizeof(sym.main) 31 | [0x00000000]> pD @ sym.main # disassemble sym.main 32 | ``` 33 | 34 | You can combine two operations in a single `pdf` command. Except that `pdf` neither uses nor affects global block size. 35 | 36 | ```console 37 | [0x00000000]> pdf @ sym.main # disassemble sym.main 38 | ``` 39 | 40 | Another way around is to use special variables `$FB` and `$FS` which denote Function's Beginning and Size at the current seek. Read more about [Usable variables](../refcard/intro.md#usable-variables-in-expression). 41 | 42 | ```console 43 | [0x00000000]> s sym.main + 0x04 44 | [0x00001ec9]> pD @ $FB !$FS # disassemble current function 45 | / 211: int main (int argc, char **argv, char **envp); 46 | | 0x00001ec5 55 push rbp 47 | | 0x00001ec6 4889e5 mov rbp, rsp 48 | | 0x00001ec9 4881ecc0000000 sub rsp, 0xc0 49 | ... 50 | \ 0x00001f97 c3 ret 51 | ``` 52 | 53 | Note: don't put space after `!` size designator. See also [Command Format](../first_steps/syntax.md). 54 | -------------------------------------------------------------------------------- /src/plugins/intro.md: -------------------------------------------------------------------------------- 1 | # Plugins 2 | 3 | radare2 is implemented on top of a bunch of libraries, almost every of those 4 | libraries support plugins to extend the capabilities of the library or add 5 | support for different targets. 6 | 7 | This section aims to explain what are the plugins, how to write them and use them 8 | 9 | ## Most Famous Plugins 10 | 11 | All of them can be installed via r2pm. 12 | 13 | * [r2frida](../r2frida/intro.md) - Frida and radare2 better together 14 | * r2ghidra - use the Ghidra decompiler from radare2 15 | * r2dec - a decompiler written in JS for r2 16 | * r2yara - loading, scanning and creating Yara rules 17 | * [r2renef](../r2renef/intro.md) - use the Renef instrumentation tool from radare2 18 | 19 | ## Skeletons 20 | 21 | See [r2skel](https://github.com/radareorg/radare2-skel) 22 | 23 | ```console 24 | $ ls libr/*/p | grep : | awk -F / '{ print $2 }' 25 | anal # analysis plugins 26 | asm # assembler/disassembler plugins 27 | bin # binary format parsing plugins 28 | bp # breakpoint plugins 29 | core # core plugins (implement new commands) 30 | crypto # encrypt/decrypt/hash/... 31 | debug # debugger backends 32 | egg # shellcode encoders, etc 33 | fs # filesystems and partition tables 34 | io # io plugins 35 | lang # embedded scripting languages 36 | parse # disassembler parsing plugins 37 | reg # arch register logic 38 | ``` 39 | 40 | ## Listing plugins 41 | 42 | Some r2 tools have the `-L` flag to list all the plugins associated to the functionality. 43 | 44 | ``` 45 | rasm2 -L # list asm plugins 46 | r2 -L # list io plugins 47 | rabin2 -L # list bin plugins 48 | rahash2 -L # list hash/crypto/encoding plugins 49 | ``` 50 | 51 | There are more plugins in r2land, we can list them from inside r2, and this is 52 | done by using the `L` suffix. 53 | 54 | Those are some of the commands: 55 | 56 | ``` 57 | L # list core plugins 58 | iL # list bin plugins 59 | dL # list debug plugins 60 | mL # list fs plugins 61 | ph # print support hash algorithms 62 | ``` 63 | 64 | You can use the `?` as value to get the possible values in the associated eval vars. 65 | 66 | ``` 67 | e asm.arch=? # list assembler/disassembler plugins 68 | e anal.arch=? # list analysis plugins 69 | ``` 70 | 71 | ## Notes 72 | 73 | Note there are some inconsistencies that most likely will be fixed in the future radare2 versions. 74 | -------------------------------------------------------------------------------- /src/tools/rabin2/program_sections.md: -------------------------------------------------------------------------------- 1 | ### Sections 2 | 3 | Rabin2 called with the `-S` option gives complete information about the sections of an executable. For each section the index, offset, size, alignment, type and permissions, are shown. The next example demonstrates this: 4 | 5 | ```console 6 | $ rabin2 -S /bin/ls 7 | [Sections] 8 | 9 | nth paddr size vaddr vsize perm name 10 | ----------------------------------------------------- 11 | 00 0x00000000 0 0x00000000 0 ---- 12 | 01 0x00000238 28 0x00000238 28 -r-- .interp 13 | 02 0x00000254 32 0x00000254 32 -r-- .note.ABI_tag 14 | 03 0x00000278 176 0x00000278 176 -r-- .gnu.hash 15 | 04 0x00000328 3000 0x00000328 3000 -r-- .dynsym 16 | 05 0x00000ee0 1412 0x00000ee0 1412 -r-- .dynstr 17 | 06 0x00001464 250 0x00001464 250 -r-- .gnu.version 18 | 07 0x00001560 112 0x00001560 112 -r-- .gnu.version_r 19 | 08 0x000015d0 4944 0x000015d0 4944 -r-- .rela.dyn 20 | 09 0x00002920 2448 0x00002920 2448 -r-- .rela.plt 21 | 10 0x000032b0 23 0x000032b0 23 -r-x .init 22 | 11 0x000032d0 1648 0x000032d0 1648 -r-x .plt 23 | 12 0x00003940 24 0x00003940 24 -r-x .plt.got 24 | 13 0x00003960 73931 0x00003960 73931 -r-x .text 25 | 14 0x00015a2c 9 0x00015a2c 9 -r-x .fini 26 | 15 0x00015a40 20201 0x00015a40 20201 -r-- .rodata 27 | 16 0x0001a92c 2164 0x0001a92c 2164 -r-- .eh_frame_hdr 28 | 17 0x0001b1a0 11384 0x0001b1a0 11384 -r-- .eh_frame 29 | 18 0x0001e390 8 0x0021e390 8 -rw- .init_array 30 | 19 0x0001e398 8 0x0021e398 8 -rw- .fini_array 31 | 20 0x0001e3a0 2616 0x0021e3a0 2616 -rw- .data.rel.ro 32 | 21 0x0001edd8 480 0x0021edd8 480 -rw- .dynamic 33 | 22 0x0001efb8 56 0x0021efb8 56 -rw- .got 34 | 23 0x0001f000 840 0x0021f000 840 -rw- .got.plt 35 | 24 0x0001f360 616 0x0021f360 616 -rw- .data 36 | 25 0x0001f5c8 0 0x0021f5e0 4824 -rw- .bss 37 | 26 0x0001f5c8 232 0x00000000 232 ---- .shstrtab 38 | ``` 39 | 40 | With the `-Sr` option, rabin2 will flag the start/end of every section, and will pass the rest of information as a comment. 41 | 42 | ```console 43 | $ rabin2 -Sr /bin/ls | head 44 | fs sections 45 | "f section. 1 0x00000000" 46 | "f section..interp 1 0x000002a8" 47 | "f section..note.gnu.build_id 1 0x000002c4" 48 | "f section..note.ABI_tag 1 0x000002e8" 49 | "f section..gnu.hash 1 0x00000308" 50 | "f section..dynsym 1 0x000003b8" 51 | "f section..dynstr 1 0x00000fb8" 52 | "f section..gnu.version 1 0x00001574" 53 | "f section..gnu.version_r 1 0x00001678" 54 | ``` 55 | -------------------------------------------------------------------------------- /src/crackmes/avatao/bytecode.md: -------------------------------------------------------------------------------- 1 | ### .bytecode 2 | 3 | Well, we did the reverse engineering part, now we have to write a program for 4 | the VM with the instruction set described in the previous paragraph. Here is 5 | the program's functional specification: 6 | 7 | * the program must return "*" 8 | * _sym.memory_ has to contain the string "Such VM! MuCH reV3rse!" after 9 | execution 10 | * all 9 instructions have to be used at least once 11 | * _sym.good_if_ne_zero_ should not be zero 12 | * instr_P is not allowed to be used more than 9 times 13 | 14 | Since this document is about reversing, I'll leave the programming part to the 15 | fellow reader :) But I'm not going to leave you empty-handed, I'll give you one 16 | advice: Except for "J", all of the instructions are simple, easy to use, and it 17 | should not be a problem to construct the "Such VM! MuCH reV3rse!" using them. 18 | "J" however is a bit complicated compared to the others. One should realize that 19 | its sole purpose is to make _sym.good_if_ne_zero_ bigger than zero, which is a 20 | requirement to access the flag. In order to increment _sym.good_if_ne_zero_, 21 | three conditions should be met: 22 | 23 | * _arg1_ should be a negative number, otherwise we would return early 24 | * _sym.written_by_instr_C_ should not be 0 when "J" is called. This means that 25 | "C", "AC", or "SC" instructions should be used before calling "J". 26 | * _arg1_and_0x3f_ should be negative when checked. Since 0x3f's sign bit is 27 | zero, no matter what _arg1_ is, the result of _arg1_ & 0x3f will always be 28 | non-negative. But remember that "J" negates _arg1_and_0x3f_ if _arg1_ & 0x40 29 | is not zero. This basically means that _arg1_'s 6th bit should be 1 30 | (0x40 = 01000000b). Also, because _arg1_and_0x3f_ can't be 0 either, at least 31 | one of _arg1_'s 0th, 1st, 2nd, 3rd, 4th or 5th bits should be 1 (0x3f = 32 | 00111111b). 33 | 34 | I think this is enough information, you can go now and write that program. Or, 35 | you could just reverse engineer the quick'n'dirty one I've used during the CTF: 36 | 37 | ``` 38 | \x90\x00PSAMuAP\x01AMcAP\x01AMhAP\x01AM AP\x01AMVAP\x01AMMAP\x01AM!AP\x01AM AP\x01AMMAP\x01AMuAP\x01AMCAP\x01AMHAP\x01AM AP\x01AMrAP\x01AMeAP\x01AMVAP\x01AM3AP\x01AMrAP\x01AMsAP\x01AMeIPAM!X\x00CAJ\xc1SC\x00DCR* 39 | ``` 40 | 41 | Keep in mind though, that it was written on-the-fly, parallel to the reversing 42 | phase - for example there are parts that was written without the knowledge of 43 | all possible instructions. This means that the code is ugly and inefficient. 44 | -------------------------------------------------------------------------------- /src/crackmes/ioli/ioli_0x08.md: -------------------------------------------------------------------------------- 1 | ### IOLI 0x08 2 | 3 | we can reverse it and find it's similar to 0x07, and use the same password to solve it: 4 | 5 | ```console 6 | $ export LOLAA=help 7 | $ ./cracke0x08 8 | IOLI Crackme Level 0x08 9 | Password: 12346 10 | Password OK! 11 | ``` 12 | 13 | [dustri](https://dustri.org/b/defeating-ioli-with-radare2.html) provided a better way to check crackme0x08. 0x07 is the stripped version of 0x08. 14 | 15 | ```console 16 | $ radiff2 -A -C ./crackme0x07 ./crackme0x08 17 | ... 18 | fcn.08048360 23 0x8048360 | MATCH (1.000000) | 0x8048360 23 sym._init 19 | sym.imp.__libc_start_main 6 0x8048388 | MATCH (1.000000) | 0x8048388 6 sym.imp.__libc_start_main 20 | sym.imp.scanf 6 0x8048398 | MATCH (1.000000) | 0x8048398 6 sym.imp.scanf 21 | sym.imp.strlen 6 0x80483a8 | MATCH (1.000000) | 0x80483a8 6 sym.imp.strlen 22 | sym.imp.printf 6 0x80483b8 | MATCH (1.000000) | 0x80483b8 6 sym.imp.printf 23 | sym.imp.sscanf 6 0x80483c8 | MATCH (1.000000) | 0x80483c8 6 sym.imp.sscanf 24 | sym.imp.strncmp 6 0x80483d8 | MATCH (1.000000) | 0x80483d8 6 sym.imp.strncmp 25 | sym.imp.exit 6 0x80483e8 | MATCH (1.000000) | 0x80483e8 6 sym.imp.exit 26 | entry0 33 0x8048400 | MATCH (1.000000) | 0x8048400 33 entry0 27 | fcn.08048424 33 0x8048424 | MATCH (1.000000) | 0x8048424 33 fcn.08048424 28 | fcn.08048450 47 0x8048450 | MATCH (1.000000) | 0x8048450 47 sym.__do_global_dtors_aux 29 | fcn.08048480 50 0x8048480 | MATCH (1.000000) | 0x8048480 50 sym.frame_dummy 30 | fcn.080484b4 112 0x80484b4 | MATCH (1.000000) | 0x80484b4 112 sym.dummy 31 | fcn.08048524 30 0x8048524 | MATCH (1.000000) | 0x8048524 30 sym.che 32 | fcn.08048542 119 0x8048542 | MATCH (1.000000) | 0x8048542 119 sym.parell 33 | fcn.080485b9 118 0x80485b9 | MATCH (1.000000) | 0x80485b9 118 sym.check 34 | main 92 0x804867d | MATCH (1.000000) | 0x804867d 92 main 35 | fcn.08048755 4 0x8048755 | MATCH (1.000000) | 0x8048755 4 sym.__i686.get_pc_thunk.bx 36 | fcn.08048760 35 0x8048760 | MATCH (1.000000) | 0x8048760 35 sym.__do_global_ctors_aux 37 | fcn.0804878d 17 0x804878d | NEW (0.000000) 38 | sym.__libc_csu_init 99 0x80486e0 | NEW (0.000000) 39 | sym.__libc_csu_fini 5 0x8048750 | NEW (0.000000) 40 | sym._fini 26 0x8048784 | NEW (0.000000) 41 | ``` 42 | -------------------------------------------------------------------------------- /src/crackmes/ioli/ioli_0x04.md: -------------------------------------------------------------------------------- 1 | ### IOLI 0x04 2 | 3 | ```c 4 | [0x080483d0]> pdd@main 5 | /* r2dec pseudo code output */ 6 | /* ./crackme0x04 @ 0x8048509 */ 7 | #include 8 | 9 | int32_t main (void) { 10 | int32_t var_78h; 11 | int32_t var_4h; 12 | eax = 0; 13 | eax += 0xf; 14 | eax += 0xf; 15 | eax >>= 4; 16 | eax <<= 4; 17 | printf ("IOLI Crackme Level 0x04\n"); 18 | printf ("Password: "); 19 | eax = &var_78h; 20 | scanf (0x8048682, eax); 21 | eax = &var_78h; 22 | check (eax); 23 | eax = 0; 24 | return eax; 25 | } 26 | ``` 27 | 28 | Let's enter check. 29 | 30 | ```c 31 | #include 32 | 33 | int32_t check (char * s) { 34 | char * var_dh; 35 | uint32_t var_ch; 36 | uint32_t var_8h; 37 | int32_t var_4h; 38 | char * format; 39 | int32_t var_sp_8h; 40 | var_8h = 0; 41 | var_ch = 0; 42 | do { 43 | eax = s; 44 | eax = strlen (eax); 45 | if (var_ch >= eax) { 46 | goto label_0; 47 | } 48 | eax = var_ch; 49 | eax += s; 50 | eax = *(eax); 51 | var_dh = al; 52 | eax = &var_4h; 53 | eax = &var_dh; 54 | sscanf (eax, eax, 0x8048638); 55 | edx = var_4h; 56 | eax = &var_8h; 57 | *(eax) += edx; 58 | if (var_8h == 0xf) { 59 | printf ("Password OK!\n"); 60 | exit (0); 61 | } 62 | eax = &var_ch; 63 | *(eax)++; 64 | } while (1); 65 | label_0: 66 | printf ("Password Incorrect!\n"); 67 | return eax; 68 | } 69 | ``` 70 | 71 | manually analyze with both the assembly and pseudo code we can simply write down the C-like code to describe this function: 72 | 73 | ```c 74 | #include 75 | int32_t check(char *s) 76 | { 77 | var_ch = 0; 78 | var_8h = 0; 79 | for (var_ch = 0; var_ch < strlen(s); ++var_ch) 80 | { 81 | var_dh = s[var_ch]; 82 | sscanf(&var_dh, %d, &var_4h); // read from string[var_ch], store to var_4h 83 | var_8h += var_4h; 84 | if(var_8h == 0xf) 85 | printf("Password OK\n"); 86 | } 87 | printf("Password Incorrect!\n"); 88 | return 0; 89 | } 90 | ``` 91 | 92 | In short, it calculates the Digit Sum of a number (add a number digit by digit. for example, 96 => 9 + 6 = 15) : 93 | 94 | ```console 95 | $ ./crackme0x04 96 | IOLI Crackme Level 0x04 97 | Password: 12345 98 | Password OK! 99 | 100 | $ ./crackme0x04 101 | IOLI Crackme Level 0x04 102 | Password: 96 103 | Password OK! 104 | ``` 105 | -------------------------------------------------------------------------------- /src/config/colors.md: -------------------------------------------------------------------------------- 1 | ## Colors 2 | 3 | Console access is wrapped in API that permits to show the output of any command as ANSI, W32 Console or HTML formats. This allows radare's core to run inside environments with limited displaying capabilities, like kernels or embedded devices. It is still possible to receive data from it in your favorite format. 4 | 5 | To enable colors support by default, add a corresponding configuration option to the .radare2 configuration file: 6 | 7 | ```console 8 | $ echo 'e scr.color=1' >> ~/.radare2rc 9 | ``` 10 | 11 | Note that enabling colors is not a boolean option. Instead, it is a number because there are different color depth levels. This is: 12 | 13 | * 0: black and white 14 | * 1: 16 basic ANSI colors 15 | * 2: 256 scale colors 16 | * 3: 24bit true color 17 | 18 | The reason for having such user-defined options is because there's no standard or portable way for the terminal programs to query the console to determine the best configuration, same goes for charset encodings, so r2 allows you to choose that by hand. 19 | 20 | Usually, serial consoles may work with 0 or 1, while xterms may support up to 3. RCons will try to find the closest color scheme for your theme when you choose a different them with the `eco` command. 21 | 22 | It is possible to configure the color of almost any element of disassembly output. For *NIX terminals, r2 accepts color specification in RGB format. To change the console color palette use `ec` command. 23 | 24 | Type `ec` to get a list of all currently used colors. Type `ecs` to show a color palette to pick colors from: 25 | 26 | ![img](r2pal.png) 27 | 28 | ## Themes 29 | 30 | You can create your own color theme, but radare2 have its own predefined ones. Use the `eco` command to list or select them. 31 | 32 | After selecting one, you can compare between the color scheme of the shell and the current theme by pressing Ctrl-Shift and then right arrow key for the toggle. 33 | 34 | In visual mode use the `R` key to randomize colors or choose the next theme in the list. 35 | 36 | If you were to create your own color scheme, in radare2, running `ec*` you will see the different variables and their hex colour codes. Change them how you feel following this [example](https://www.radare.org/advent/14.html): `ec call red`. When you are done live testing, you can export your theme with `ec* > mytheme.r2` and load it `. mytheme.r2`. 37 | 38 | For a more permanent solution, themes live in `radare2/libr/cons/d` where you can copy your already made r2 theme. In `libr/cons`, run `make -C d themes.c` to prevent having to rebuild radare2 each time you tweak your theme. Restart radare2 and your theme will be live. 39 | -------------------------------------------------------------------------------- /r2/r2snip.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const path = require('path'); 3 | const snippets = process.argv.slice(2); 4 | const { spawnSync } = require('child_process'); 5 | 6 | for (let snip of snippets) { 7 | const dir = path.dirname(snip); 8 | const text = fs.readFileSync(snip); 9 | console.error('FILE', snip); 10 | parseSnippet(snip, dir, text.toString('utf8')) 11 | } 12 | 13 | function system(cmd, args) { 14 | const result = spawnSync(cmd, args, { stdio: ['ignore', 'pipe', 2]}); 15 | return result.stdout; 16 | } 17 | 18 | function mustRebuild(input, output) { 19 | try { 20 | const s = fs.statSync(output); 21 | const a = new Date(s.mtime); 22 | const i = fs.statSync(input); 23 | const b = new Date(i.mtime); 24 | if (b < a) { 25 | return true; 26 | } 27 | return false; 28 | } catch (e) { 29 | return true; 30 | } 31 | } 32 | 33 | function buildSnippetImage(input, output, mode, args) { 34 | if (!mustRebuild(input, output)) { 35 | console.error('PNG ---', output); 36 | return true; 37 | } 38 | if (mode === 'string') { 39 | console.error('PNG STR', output); 40 | const png = system("node", ['r2png/index.js', '"', ...args]); 41 | fs.writeFileSync(output, png); 42 | } else { 43 | // we need to parse the first arg to get the filename. lets use - for now 44 | console.error('PNG R2R', output); 45 | const png = system("node", ['r2png/index.js', ...args]); 46 | fs.writeFileSync(output, png); 47 | } 48 | } 49 | 50 | function parseSnippet(input, dir, text) { 51 | var filename = ''; 52 | var readMode = ''; 53 | var args = []; 54 | var comment = {}; 55 | for (let _line of text.split('\n')) { 56 | const line = _line.trim(); 57 | if (readMode) { 58 | if (line === readMode) { 59 | const mode = (readMode === '"')? 'string': 'commands'; 60 | if (mode === 'commands') { 61 | args = [comment.open, ...args]; 62 | } 63 | // console.error("RUN", filename, mode, args); 64 | buildSnippetImage(input, path.join(dir, filename), mode, args); 65 | readMode = ''; 66 | args = []; 67 | continue; 68 | } 69 | args.push(line); 70 | continue; 71 | } 72 | if (line.startsWith('//')) { 73 | const words = line.substring(2).trim().split(' '); 74 | comment[words[0]] = words[1]; 75 | } 76 | if (line.endsWith('"')) { 77 | if (line.endsWith("(\"")) { 78 | filename = line.substring(0, line.length - 2).trim(); 79 | readMode = '\")'; 80 | } else { 81 | filename = line.substring(0, line.length - 1).trim(); 82 | readMode = '\"'; 83 | } 84 | } 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /src/config/io.md: -------------------------------------------------------------------------------- 1 | ## IO Configuration 2 | 3 | The IO implementation is very complex and can be configured in many ways to serve the way the user needs. This chapter will introduce you to some of the most important configuration options under the eval. 4 | 5 | ```console 6 | [0x100003a84]> e??io. 7 | io.0xff: use this value instead of 0xff to fill unallocated areas 8 | io.aslr: disable ASLR for spawn and such 9 | io.autofd: change fd when opening a new file 10 | io.basemap: create a map at base address 0 when opening a file 11 | io.cache: change both of io.cache.{read,write} 12 | io.cache.auto: automatic cache all reads in the IO backend 13 | io.cache.nodup: do not cache duplicated cache writes 14 | io.cache.read: enable read cache for vaddr (or paddr when io.va=0) 15 | io.cache.write: enable write cache for vaddr (or paddr when io.va=0) 16 | io.exec: see !!r2 -h~-x 17 | io.ff: fill invalid buffers with 0xff instead of returning error 18 | io.mask: mask addresses before resolving as maps 19 | io.overlay: honor io overlay 20 | io.pava: use EXPERIMENTAL paddr -> vaddr address mode 21 | io.pcache: io.cache for p-level 22 | io.pcache.read: enable read-cache 23 | io.pcache.write: enable write-cache 24 | io.unalloc: check each byte if it's allocated 25 | io.unalloc.ch: char to display if byte is unallocated 26 | io.va: use virtual address layout 27 | ``` 28 | 29 | ### io.unalloc 30 | 31 | When set to true it will be showing `?` instead of 0xff in the hexdump/disasm views if there's no associated map. This causes the dump to be a bit slower, but probably more real. 32 | 33 | See `io.0xff` and `io.unalloc.ch` for reference 34 | 35 | ### io.cache 36 | 37 | Enables the cache layer for the whole memory address space. This means that you can write and patch anywhere in memory and the underlying files won't be modified. 38 | 39 | See `io.cache.read` and `io.cache.write` 40 | 41 | Note that enabling the read cache will speedup readings from slow or remote endpoints, this is handy when performing analysis via GDB, so the read data from the remote process will be read once. 42 | 43 | ### io.pcache 44 | 45 | Enables a physical layer cache associated with each map. This way it is possible to keep the correct behaviour when accessing unallocated regions or multi-map regions honoring the proper permissions, unlike `io.cache`. 46 | 47 | See `io.pcache.read` and `io.pcache.write` 48 | 49 | ### io.va 50 | 51 | When set to false, it will seek around physical addresses on the currently selected file descriptor, instead of the whole virtual address. 52 | -------------------------------------------------------------------------------- /src/commandline/sections.md: -------------------------------------------------------------------------------- 1 | ## Sections 2 | 3 | The concept of sections is tied to the information extracted from the binary. We can display this information by using the `i` command. 4 | 5 | Displaying information about sections: 6 | 7 | ```console 8 | [0x00005310]> iS 9 | [Sections] 10 | 00 0x00000000 0 0x00000000 0 ---- 11 | 01 0x00000238 28 0x00000238 28 -r-- .interp 12 | 02 0x00000254 32 0x00000254 32 -r-- .note.ABI_tag 13 | 03 0x00000278 176 0x00000278 176 -r-- .gnu.hash 14 | 04 0x00000328 3000 0x00000328 3000 -r-- .dynsym 15 | 05 0x00000ee0 1412 0x00000ee0 1412 -r-- .dynstr 16 | 06 0x00001464 250 0x00001464 250 -r-- .gnu.version 17 | 07 0x00001560 112 0x00001560 112 -r-- .gnu.version_r 18 | 08 0x000015d0 4944 0x000015d0 4944 -r-- .rela.dyn 19 | 09 0x00002920 2448 0x00002920 2448 -r-- .rela.plt 20 | 10 0x000032b0 23 0x000032b0 23 -r-x .init 21 | ... 22 | ``` 23 | 24 | As you may know, binaries have sections and maps. The sections define the contents of a portion of the file that can be mapped in memory (or not). What is mapped is defined by the segments. 25 | 26 | Before the IO refactoring done by condret, the `S` command was used to manage what we now call maps. Currently the `S` command is deprecated because `iS` and `om` should be enough. 27 | 28 | Firmware images, bootloaders and binary files usually place various sections of a binary at different addresses in memory. To represent this behavior, radare offers the `iS`. Use `iS?` to get the help message. To list all created sections use `iS` (or `iSj` to get the json format). The `iS=` will show the region bars in ascii-art. 29 | 30 | You can create a new mapping using the `om` subcommand as follows: 31 | 32 | ``` 33 | om fd vaddr [size] [paddr] [rwx] [name] 34 | ``` 35 | 36 | For Example: 37 | 38 | ```console 39 | [0x0040100]> om 4 0x00000100 0x00400000 0x0001ae08 rwx test 40 | ``` 41 | 42 | You can also use `om` command to view information about mapped sections: 43 | 44 | ```console 45 | [0x00401000]> om 46 | 6 fd: 4 +0x0001ae08 0x00000100 - 0x004000ff rwx test 47 | 5 fd: 3 +0x00000000 0x00000000 - 0x0000055f r-- fmap.LOAD0 48 | 4 fd: 3 +0x00001000 0x00001000 - 0x000011e4 r-x fmap.LOAD1 49 | 3 fd: 3 +0x00002000 0x00002000 - 0x0000211f r-- fmap.LOAD2 50 | 2 fd: 3 +0x00002de8 0x00003de8 - 0x0000402f r-- fmap.LOAD3 51 | 1 fd: 4 +0x00000000 0x00004030 - 0x00004037 rw- mmap.LOAD3 52 | ``` 53 | 54 | Use `om?` to get all the possible subcommands. To list all the defined maps use `om` (or `omj` to get the json format or `om*` to get the r2 commands format). To get the ascii art view use `om=`. 55 | 56 | It is also possible to delete the mapped section using the `om-mapid` command. 57 | 58 | For Example: 59 | 60 | ```console 61 | [0x00401000]> om-6 62 | ``` 63 | -------------------------------------------------------------------------------- /src/tools/radiff2/datadiff.md: -------------------------------------------------------------------------------- 1 | ## Data Diffing 2 | 3 | Data diffing with radiff2 allows you to compare binary data between files of different sizes. This is useful for identifying differences at the byte level, regardless of file length. 4 | 5 | For example, comparing two files with `radiff2 -x` shows the differences in two column hexdump+ascii format: 6 | 7 | ```console 8 | $ cat 1 9 | hello 10 | $ cat 2 11 | hallo 12 | $ radiff2 -x 1 2 13 | offset 0 1 2 3 4 5 6 7 01234567 0 1 2 3 4 5 6 7 01234567 14 | 0x00000000! 68656c6c6f0a hello. 68616c6c6f0a hallo. 15 | ``` 16 | 17 | Also in hexII format: 18 | 19 | ```console 20 | $ radiff2 -X 1 2 21 | 0x00000000! .h.e.l.l.o0a .h.a.l.l.o0a 22 | ``` 23 | 24 | or even the unified diff format using the `-U` flag: 25 | 26 | ```console 27 | $ radiff2 -U 1 2 28 | --- /tmp/r_diff.61dd4e41da041 2024-07-22 14:07:37.682683431 +0200 29 | +++ /tmp/r_diff.61dd4e41da06b 2024-07-22 14:07:37.682683431 +0200 30 | @@ -1 +1 @@ 31 | -hello 32 | +hallo 33 | ``` 34 | 35 | Let's understand the output because in your terminal you'll see some green and red highlighting the added or removed bytes from the byte-to-byte comparison. 36 | 37 | * `!` sign after the offset explains if the block is equal or not 38 | * hexdump portion of file 1 39 | * hexdump portion of file 2 40 | 41 | When comparing files of different sizes, we will need to use the `-d` flag which performs a delta-diffing algorithm, trying to find the patterns of bytes that has been added or removed when a specific change is found. 42 | 43 | ```console 44 | $ cat 1 45 | hello 46 | $ cat 3 47 | helloworld 48 | $ radiff2 1 3 49 | INFO: File size differs 6 vs 11 50 | INFO: Buffer truncated to 6 byte(s) (5 not compared) 51 | 0x00000005 0a => 77 0x00000005 52 | $ radiff2 -d 1 3 53 | INFO: File size differs 6 vs 11 54 | 0x00000000 68656c6c6f0a => 68656c6c6f776f726c640a 0x00000000 55 | $ 56 | ``` 57 | 58 | For JSON output, use radiff2 -j -d to get detailed diff information in JSON format: 59 | 60 | ```console 61 | $ radiff2 -j -d 1 3 |jq . 62 | INFO: File size differs 6 vs 11 63 | { 64 | "files": [ 65 | { 66 | "filename": "1", 67 | "size": 6, 68 | "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03" 69 | }, 70 | { 71 | "filename": "3", 72 | "size": 11, 73 | "sha256": "8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d" 74 | } 75 | ], 76 | "changes": [ 77 | { 78 | "addr": 0, 79 | "from": "68656c6c6f0a", 80 | "to": "68656c6c6f776f726c640a" 81 | } 82 | ] 83 | } 84 | $ 85 | ``` 86 | 87 | These examples demonstrate how radiff2 can effectively highlight differences in files of varying lengths, providing clear insights into changes at the binary level. 88 | -------------------------------------------------------------------------------- /src/tools/rahash2/intro.md: -------------------------------------------------------------------------------- 1 | ## rahash2 2 | 3 | Versatile command-line hashing tool that is part of the radare2 framework. It's designed to compute and verify cryptographic hashes and checksums for files, strings, or even large data streams like hard disks or network traffic. 4 | 5 | Key features of rahash2 include: 6 | 7 | **Multiple algorithms** Supports a wide range of hash algorithms, including MD4, MD5, SHA1, SHA256, SHA384, SHA512, CRC16, CRC32, and more. 8 | 9 | **Flexible input** Can hash data from files, standard input, or directly from command-line strings. 10 | 11 | **Block-based hashing** Can compute hashes for specific blocks or ranges within a file, which is ideal for forensics and checksuming large data. 12 | 13 | **Incremental hashing** Supports hashing of data streams or large files in chunks, useful for processing data that doesn't fit in memory. 14 | 15 | **Hash verification** and integrity checks comparing computed and provided hash. 16 | 17 | **Multiple hash outputs at once** Can compute and display multiple hash types simultaneously for the same input. 18 | 19 | **Integration with radare2: While it's a standalone tool, it integrates well with other radare2 utilities and can be used within r2 sessions. 20 | 21 | **Customizable output** Offers various output formats, including raw bytes, hexadecimal strings, or radare2 commands. 22 | 23 | **Encryption capabilities** Besides hashing, it also supports some basic encryption and decryption operations. 24 | 25 | This is an example usage: 26 | 27 | ```console 28 | $ rahash2 -a md5 -s "hello world" 29 | ``` 30 | 31 | Note that rahash2 also permits to read from stdin in a stream, so you don't need 4GB of ram to compute the hash of a 4GB file. 32 | 33 | ### Hashing by blocks 34 | 35 | When doing forensics, it is useful to compute partial checksums. The reason for that is because you may want to split a huge file into small portions that are easier to identify by contents or regions in the disk. 36 | 37 | This will spot the same hash for blocks containing the same contents. For example, if is filled with zeros. 38 | 39 | It can also be used to find which blocks have changed between more than one sample dump. 40 | 41 | This can be useful when analyzing ram dumps from a virtual machine for example. Use this command for this: 42 | 43 | ```console 44 | $ rahash2 -B -b 1M -a sha256 /bin/ls 45 | ``` 46 | 47 | ### Hashing with rabin2 48 | 49 | The rabin2 tool parses the binary headers of the files, but it also have the ability to use the rhash plugins to compute checksum of sections in the binary. 50 | 51 | ```console 52 | $ rabin2 -K md5 -S /bin/ls 53 | ``` 54 | 55 | ### Obtaining hashes within radare2 session 56 | 57 | Hashes can also be printed within a radare2 session as explained in the [Print Section](../../commandline/print_modes.md). 58 | -------------------------------------------------------------------------------- /src/install/snap.md: -------------------------------------------------------------------------------- 1 | ## Snap releases 2 | 3 | The Snap package system is a cross-platform solution for packaging and distributing software on Linux. Snaps bundle all necessary dependencies, ensuring they work on any Linux distribution. This makes Snap an ideal choice for distributing radare2. 4 | 5 | Radare2 is distributed via Snap by building it from the continuous integration (CI) system for each release. This means every new official release is packaged and made available to Snap users automatically. While the builds are automated, they are only done for official releases, not for every git commit. This ensures that Snap users have a stable and tested version of radare2. 6 | 7 | Snap packages can run in a sandboxed environment, isolating them from the rest of the system. This enhances security and prevents conflicts with other software. Sandboxed snaps can request permissions for specific resources, but they remain contained within their sandbox, ensuring stability and security. 8 | 9 | To use radare2 Snap builds, note that they have different program names to avoid conflicts with other installations. Snap versions of radare2 programs are prefixed with `radare2.`. For example, to run the stable build, use: 10 | 11 | ```sh 12 | sudo snap install radare2 --classic 13 | radare2.radare2 /bin/ls 14 | radare2.rabin2 -z /bin/sleep 15 | ``` 16 | 17 | This way, you can maintain a stable version alongside a development version without conflicts. 18 | 19 | To allow using radare commands without this prefix, it can be solved by using shell aliases. So as an example could be something like this: 20 | 21 | ```sh 22 | alias r2='radare2.r2' 23 | alias r2agent='radare2.r2agent' 24 | alias r2frida-compile='radare2.r2frida-compile' 25 | alias r2p='radare2.r2p' 26 | alias r2pm='radare2.r2pm' 27 | alias r2r='radare2.r2r' 28 | alias rabin2='radare2.rabin2' 29 | alias radiff2='radare2.radiff2' 30 | alias rafind2='radare2.rafind2' 31 | alias ragg2='radare2.ragg2' 32 | alias rahash2='radare2.rahash2' 33 | alias rarun2='radare2.rarun2' 34 | alias rasign2='radare2.rasign2' 35 | alias rasm2='radare2.rasm2' 36 | alias ravc2='radare2.ravc2' 37 | alias rax2='radare2.rax2' 38 | alias sleighc='radare2.sleighc' 39 | alias yara='radare2.yara' 40 | alias yarac='radare2.yarac' 41 | ``` 42 | 43 | ### Iaito Snap 44 | 45 | Also **iaito**, as a radare GUI, can be installed using this packaging system. 46 | 47 | To install it is required to run the following command: 48 | 49 | ```sh 50 | sudo snap install iaito --classic 51 | ``` 52 | 53 | In the same way radare2 snap include a set of commands, iaito snap also include radare2 commands prefixed with `iaito.` (for example `iaito.r2`, `iaito.rax2`,...). 54 | This commands can be used from CLI, and allow to use the same environment as iaito GUI. 55 | But to use radare2 from CLI it is prefered to install and use the main `radare2` snap package. 56 | -------------------------------------------------------------------------------- /src/plugins/dev.md: -------------------------------------------------------------------------------- 1 | ## Implementing a new architecture 2 | 3 | radare2 splits the logic of a CPU into several modules. You should write more than one plugin to get full support for a specific arch. Let's see which are those: 4 | 5 | * `r_arch` architecture plugin (assemble, disassemble, analyze, ESIL uplift and register profiles) 6 | * `r_anal` types, code and data analysis plugins 7 | * `r_reg` registers arena definitions 8 | * `r_syscall` system calls databases 9 | * `r_debug` debugger and emulation runtimes 10 | 11 | The most basic feature you usually want to support from a specific architecture is the disassembler. You first need to read into a human readable form the bytes in there. 12 | 13 | Bear in mind that plugins can be compiled static or dynamically, this means that the arch will be embedded inside the core libraries or it will distributed as a separated shared library. 14 | 15 | To configure which plugins you want to compile use the `./configure-plugins` script which accepts the flags --shared and --static to specify them. You can also add it manually inside the `plugins.def.cfg` and then remove the `plugins.cfg` and run `./configure-plugins` again to update the `libr/config.mk` and `libr/config.h`. 16 | 17 | You may find some examples of external plugins in [radare2-extras](https://github.com/radareorg/radare2-extras) repository. 18 | 19 | ### Writing the RArch plugin 20 | 21 | Note: As of recent versions, the `r_asm` and `r_anal` plugin interfaces were merged into a unified `r_arch` API. New architectures (CPUs) and full architecture support (disassembly plus analysis/uplift) must be implemented as `r_arch` plugins. 22 | 23 | The recommended way to start a new plugin project is to use r2skel to scaffold the basic directory layout and files for an `r_arch` plugin. r2skel will create a ready-to-edit skeleton including build files and a minimal source that links against the `r_arch` API. 24 | 25 | General guidance: 26 | 27 | * Implement architecture-specific assembly/disassembly, analysis/op detection, ESIL uplift and register profile handlers inside the `r_arch` plugin. 28 | * Prefer packaging your plugin as an external repository (third-party plugin) so it can be maintained independently from the core tree. 29 | * Use pkg-config with the `r_arch` package for compile and link flags, for example: 30 | 31 | ```Makefile 32 | CFLAGS=-g -fPIC $(shell pkg-config --cflags r_arch) 33 | LDFLAGS=-shared $(shell pkg-config --libs r_arch) 34 | ``` 35 | 36 | For examples and inspiration, check existing architecture plugins in the radare2 repository and the radare2-extras collection. If you need a minimal starting point, run `r2skel` and choose the architecture/plugin template. 37 | 38 | **Deprecated**: The old separate `r_asm` (disassembler) and `r_anal` (analysis) plugin examples are obsolete and should not be used for implementing new architectures. Use `r_arch` + r2skel instead. 39 | -------------------------------------------------------------------------------- /src/commandline/yank_paste.md: -------------------------------------------------------------------------------- 1 | ## Yank/Paste 2 | 3 | Radare2 has an internal clipboard to save and write portions of memory loaded from the current io layer. 4 | 5 | This clipboard can be manipulated with the `y` command. 6 | 7 | The two basic operations are 8 | 9 | * copy (yank) 10 | * paste 11 | 12 | The yank operation will read N bytes (specified by the argument) into the clipboard. We can later use the `yy` command to paste what we read before into a file. 13 | 14 | You can yank/paste bytes in visual mode selecting them with the cursor mode (`Vc`) and then using the `y` and `Y` key bindings which are aliases for `y` and `yy` commands of the command-line interface. 15 | 16 | ```console 17 | [0x00000000]> y? 18 | Usage: y[ptxy] [len] [[@]addr] # See wd? for memcpy, same as 'yf'. 19 | | y! open cfg.editor to edit the clipboard 20 | | y 16 0x200 copy 16 bytes into clipboard from 0x200 21 | | y 16 @ 0x200 copy 16 bytes into clipboard from 0x200 22 | | y 16 copy 16 bytes into clipboard 23 | | y show yank buffer information (srcoff len bytes) 24 | | y* print in r2 commands what's been yanked 25 | | yf 64 0x200 copy file 64 bytes from 0x200 from file 26 | | yfa file copy copy all bytes from file (opens w/ io) 27 | | yfx 10203040 yank from hexpairs (same as ywx) 28 | | yj print in JSON commands what's been yanked 29 | | yp print contents of clipboard 30 | | yq print contents of clipboard in hexpairs 31 | | ys print contents of clipboard as string 32 | | yt 64 0x200 copy 64 bytes from current seek to 0x200 33 | | ytf file dump the clipboard to given file 34 | | yw hello world yank from string 35 | | ywx 10203040 yank from hexpairs (same as yfx) 36 | | yx print contents of clipboard in hexadecimal 37 | | yy 0x3344 paste clipboard 38 | | yz [len] copy nul-terminated string (up to blocksize) into clipboard 39 | ``` 40 | 41 | Sample session: 42 | 43 | ```console 44 | [0x00000000]> s 0x100 ; seek at 0x100 45 | [0x00000100]> y 100 ; yanks 100 bytes from here 46 | [0x00000200]> s 0x200 ; seek 0x200 47 | [0x00000200]> yy ; pastes 100 bytes 48 | ``` 49 | 50 | You can perform a yank and paste in a single line by just using the `yt` command (yank-to). The syntax is as follows: 51 | 52 | ```console 53 | [0x4A13B8C0]> x 54 | offset 0 1 2 3 4 5 6 7 8 9 A B 0123456789AB 55 | 0x4A13B8C0, 89e0 e839 0700 0089 c7e8 e2ff ...9........ 56 | 0x4A13B8CC, ffff 81c3 eea6 0100 8b83 08ff ............ 57 | 0x4A13B8D8, ffff 5a8d 2484 29c2 ..Z.$.). 58 | 59 | [0x4A13B8C0]> yt 8 0x4A13B8CC @ 0x4A13B8C0 60 | 61 | [0x4A13B8C0]> x 62 | offset 0 1 2 3 4 5 6 7 8 9 A B 0123456789AB 63 | 0x4A13B8C0, 89e0 e839 0700 0089 c7e8 e2ff ...9........ 64 | 0x4A13B8CC, 89e0 e839 0700 0089 8b83 08ff ...9........ 65 | 0x4A13B8D8, ffff 5a8d 2484 29c2 ..Z.$.). 66 | ``` 67 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to the radare2 book 2 | 3 | The easiest way to contribute to the book is by submitting pull requests on the project repository, this can be done directly from the github webpage by pressing the pencil button on any .md file or forking and cloning the repository like you would do with any other git project. 4 | 5 | * [radare2-book repository](https://github.com/radareorg/radare2-book) 6 | 7 | ## Requirements and Rules 8 | 9 | There are some basic rules (with its reasoning) to follow in order to contribute to the book. 10 | 11 | ### Official documentation must be written in English 12 | 13 | Despite we value the importance of human languages, even the minoritary ones we must value the fact that the contributions are rare and having multiple translations of the book won't help on having it's contents up to date. 14 | 15 | Unofficial translations or third party books are more than welcome, but in this repository we focus on having a clear and unified guide to be used for everyone, and nowadays, English is the most accessible human language towards this. 16 | 17 | ### Gender Language 18 | 19 | We don't discriminate users by it's gender, race, age or beliefs. 20 | 21 | So for example, avoid the use of gender-specific when writing instructions or explaning actions. (Use _they_ instead of _he/she_) 22 | 23 | ### AI and Language Models 24 | 25 | The debate on AI is hot these days, and as an open project we must take position on this topic. 26 | 27 | One of the reasons behind the 3rd rewrite of the book is to help language models learn about how to use the radare2 framework. Having said this, we must say that the use of AI is permitted in r2land. 28 | 29 | By providing a good context, prompt and setting the best role it is possible to use `r2ai` (or any other LLM frontend) to help contributors and maintainers to improve the quality of the contents, but keep in mind that we understand AI as a tool, not as a replacement, or a blind way to fill the contents. 30 | 31 | In other words use language models wisely. As a helper tool to better describe and organize the contents, always using those as templates for a proper review and rewrite. 32 | 33 | ### Continuous Integration 34 | 35 | There are few linting rules and CI checks, but the situation will be improved over time, patches that break the CI won't be accepted. 36 | 37 | * Check your vocabulary for typos, proper wording, etc. 38 | * Avoid the use of images (plain text is preferred) 39 | * Do not embed binary data in markdown files 40 | * Contents must be Latex, Gemini and Markdown friendly 41 | 42 | Any help towards adding more checks in the CI are more than welcome. 43 | 44 | ### Contents 45 | 46 | Suggested contributions include: 47 | 48 | * Crackme writeups 49 | * CTF writeups 50 | * Explain how to use Radare2 51 | * Documentation to help developers 52 | * Conference presentations/workshops using Radare2 53 | * Missing content from the Radare1 book updated to Radare2 54 | -------------------------------------------------------------------------------- /src/plugins/dev-bin.md: -------------------------------------------------------------------------------- 1 | ## RBin plugins 2 | 3 | ### To enable virtual addressing 4 | 5 | In `info` add `et->has_va = 1;` and `ptr->srwx` with the `R_BIN_SCN_MAP;` attribute 6 | 7 | ### Create a folder with file format name in libr/bin/format 8 | 9 | **Makefile:** 10 | 11 | ```Makefile 12 | NAME=bin_nes 13 | R2_PLUGIN_PATH=$(shell r2 -H R2_USER_PLUGINS) 14 | LIBEXT=$(shell r2 -H LIBEXT) 15 | CFLAGS=-g -fPIC $(shell pkg-config --cflags r_bin) 16 | LDFLAGS=-shared $(shell pkg-config --libs r_bin) 17 | OBJS=$(NAME).o 18 | LIB=$(NAME).$(LIBEXT) 19 | 20 | all: $(LIB) 21 | 22 | clean: 23 | rm -f $(LIB) $(OBJS) 24 | 25 | $(LIB): $(OBJS) 26 | $(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) -o $(LIB) 27 | 28 | install: 29 | cp -f $(NAME).$(SO_EXT) $(R2_PLUGIN_PATH) 30 | 31 | uninstall: 32 | rm -f $(R2_PLUGIN_PATH)/$(NAME).$(SO_EXT) 33 | 34 | ``` 35 | 36 | **bin_nes.c:** 37 | 38 | ```c 39 | #include 40 | #include 41 | 42 | static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *b, ut64 loadaddr, Sdb *sdb) { 43 | ut64 size; 44 | const ut8 *buf = r_buf_data (b, &size); 45 | r_return_val_if_fail (buf, false); 46 | *bin_obj = r_bin_internal_nes_load (buf, size); 47 | return *bin_obj != NULL; 48 | } 49 | 50 | static void destroy(RBinFile *bf) { 51 | r_bin_free_all_nes_obj (bf->o->bin_obj); 52 | bf->o->bin_obj = NULL; 53 | } 54 | 55 | static bool check_buffer(RBuffer *b) { 56 | if (!buf || length < 4) return false; 57 | return (!memcmp (buf, "\x4E\x45\x53\x1A", 4)); 58 | } 59 | 60 | static RBinInfo* info(RBinFile *arch) { 61 | RBinInfo \*ret = R_NEW0 (RBinInfo); 62 | if (!ret) return NULL; 63 | 64 | if (!arch || !arch->buf) { 65 | free (ret); 66 | return NULL; 67 | } 68 | ret->file = strdup (arch->file); 69 | ret->type = strdup ("ROM"); 70 | ret->machine = strdup ("Nintendo NES"); 71 | ret->os = strdup ("nes"); 72 | ret->arch = strdup ("6502"); 73 | ret->bits = 8; 74 | 75 | return ret; 76 | } 77 | 78 | struct r_bin_plugin_t r_bin_plugin_nes = { 79 | .name = "nes", 80 | .desc = "NES", 81 | .license = "BSD", 82 | .get_sdb = NULL, 83 | .load_buffer = &load_buffer, 84 | .destroy = &destroy, 85 | .check_buffer = &check_buffer, 86 | .baddr = NULL, 87 | .entries = NULL, 88 | .sections = NULL, 89 | .info = &info, 90 | }; 91 | 92 | #ifndef R2_PLUGIN_INCORE 93 | R_API RLibStruct radare_plugin = { 94 | .type = R_LIB_TYPE_BIN, 95 | .data = &r_bin_plugin_nes, 96 | .version = R2_VERSION 97 | }; 98 | #endif 99 | 100 | ``` 101 | 102 | ### Some Examples 103 | 104 | * XBE - 105 | * COFF - 106 | * TE - 107 | * Zimgz - 108 | * OMF - 109 | -------------------------------------------------------------------------------- /src/arch/intro.md: -------------------------------------------------------------------------------- 1 | # Disassembling 2 | 3 | Disassembling in radare is just a way to represent an array of bytes. It is handled as a special print mode within `p` command. 4 | 5 | In the old times, when the radare core was smaller, the disassembler was handled by an external rsc file. That is, radare first dumped current block into a file, and then simply called `objdump` configured to disassemble for Intel, ARM or other supported architectures. 6 | 7 | It was a working and unix friendly solution, but it was inefficient as it repeated the same expensive actions over and over, because there were no caches. As a result, scrolling was terribly slow. 8 | 9 | So there was a need to create a generic disassembler library to support multiple plugins for different architectures. We can list the current loaded plugins with 10 | 11 | ```console 12 | $ rasm2 -L 13 | ``` 14 | 15 | Or from inside radare2: 16 | 17 | ```console 18 | > e asm.arch=?? 19 | ``` 20 | 21 | This was many years before capstone appeared. So r2 was using udis86 and olly disassemblers, many gnu (from binutils). 22 | 23 | Nowadays, the disassembler support is one of the basic features of radare. It now has many options, endianness, including target architecture flavor and disassembler variants, among other things. 24 | 25 | To see the disassembly, use the `pd` command. It accepts a numeric argument to specify how many opcodes of current block you want to see. Most of the commands in radare consider the current block size as the default limit for data input. If you want to disassemble more bytes, set a new block size using the `b` command. 26 | 27 | ```console 28 | [0x00000000]> b 100 ; set block size to 100 29 | [0x00000000]> pd ; disassemble 100 bytes 30 | [0x00000000]> pd 3 ; disassemble 3 opcodes 31 | [0x00000000]> pD 30 ; disassemble 30 bytes 32 | ``` 33 | 34 | The `pD` command works like `pd` but accepts the number of input bytes as its argument, instead of the number of opcodes. 35 | 36 | The "pseudo" syntax may be somewhat easier for a human to understand than the default assembler notations. But it can become annoying if you read lots of code. To play with it: 37 | 38 | ```console 39 | [0x00405e1c]> e asm.pseudo = true 40 | [0x00405e1c]> pd 3 41 | ; JMP XREF from 0x00405dfa (fcn.00404531) 42 | 0x00405e1c 488b9424a80. rdx = [rsp+0x2a8] 43 | 0x00405e24 64483314252. rdx ^= [fs:0x28] 44 | 0x00405e2d 4889d8 rax = rbx 45 | 46 | [0x00405e1c]> e asm.syntax = intel 47 | [0x00405e1c]> pd 3 48 | ; JMP XREF from 0x00405dfa (fcn.00404531) 49 | 0x00405e1c 488b9424a80. mov rdx, [rsp+0x2a8] 50 | 0x00405e24 64483314252. xor rdx, [fs:0x28] 51 | 0x00405e2d 4889d8 mov rax, rbx 52 | 53 | [0x00405e1c]> e asm.syntax=att 54 | [0x00405e1c]> pd 3 55 | ; JMP XREF from 0x00405dfa (fcn.00404531) 56 | 0x00405e1c 488b9424a80. mov 0x2a8(%rsp), %rdx 57 | 0x00405e24 64483314252. xor %fs:0x28, %rdx 58 | 0x00405e2d 4889d8 mov %rbx, %rax 59 | ``` 60 | -------------------------------------------------------------------------------- /src/debugger/heap.md: -------------------------------------------------------------------------------- 1 | ## Heap 2 | 3 | radare2's `dm` subcommands can also display a map of the heap which is useful for those who are interested in inspecting the heap and its content. Simply execute `dmh` to show a map of the heap: 4 | 5 | ```console 6 | [0x7fae46236ca6]> dmh 7 | Malloc chunk @ 0x55a7ecbce250 [size: 0x411][allocated] 8 | Top chunk @ 0x55a7ecbce660 - [brk_start: 0x55a7ecbce000, brk_end: 0x55a7ecbef000] 9 | ``` 10 | 11 | You can also see a graph layout of the heap: 12 | 13 | ```console 14 | [0x7fae46236ca6]> dmhg 15 | Heap Layout 16 | .------------------------------------. 17 | | Malloc chunk @ 0x55a7ecbce000 | 18 | | size: 0x251 | 19 | | fd: 0x0, bk: 0x0 | 20 | `------------------------------------' 21 | | 22 | .---' 23 | | 24 | | 25 | .---------------------------------------------. 26 | | Malloc chunk @ 0x55a7ecbce250 | 27 | | size: 0x411 | 28 | | fd: 0x57202c6f6c6c6548, bk: 0xa21646c726f | 29 | `---------------------------------------------' 30 | | 31 | .---' 32 | | 33 | | 34 | .----------------------------------------------------. 35 | | Top chunk @ 0x55a7ecbce660 | 36 | | [brk_start:0x55a7ecbce000, brk_end:0x55a7ecbef000] | 37 | `----------------------------------------------------' 38 | ``` 39 | 40 | Another heap commands can be found under `dmh`, check `dmh?` for the full list. 41 | 42 | ```console 43 | [0x00000000]> dmh? 44 | |Usage: dmh # Memory map heap 45 | | dmh List chunks in heap segment 46 | | dmh [malloc_state] List heap chunks of a particular arena 47 | | dmha List all malloc_state instances in application 48 | | dmhb Display all parsed Double linked list of main_arena's bins instance 49 | | dmhb [bin_num|bin_num:malloc_state] Display parsed double linked list of bins instance from a particular arena 50 | | dmhbg [bin_num] Display double linked list graph of main_arena's bin [Under developemnt] 51 | | dmhc @[chunk_addr] Display malloc_chunk struct for a given malloc chunk 52 | | dmhf Display all parsed fastbins of main_arena's fastbinY instance 53 | | dmhf [fastbin_num|fastbin_num:malloc_state] Display parsed single linked list in fastbinY instance from a particular arena 54 | | dmhg Display heap graph of heap segment 55 | | dmhg [malloc_state] Display heap graph of a particular arena 56 | | dmhi @[malloc_state]Display heap_info structure/structures for a given arena 57 | | dmhm List all elements of struct malloc_state of main thread (main_arena) 58 | | dmhm [malloc_state] List all malloc_state instance of a particular arena 59 | | dmht Display all parsed thead cache bins of main_arena's tcache instance 60 | | dmh? Show map heap help 61 | ``` 62 | 63 | To print safe-linked lists (glibc >= 2.32) with demangled pointers, the variable `dbg.glibc.demangle` must be true. 64 | -------------------------------------------------------------------------------- /src/commandline/types.md: -------------------------------------------------------------------------------- 1 | ## Working with data types 2 | 3 | Radare2 can also work with data types. You can use standard C data types or define your own using C. Currently, there is a support for structs, unions, function signatures, and enums. 4 | 5 | ```console 6 | [0x00000000]> t? 7 | Usage: t # cparse types commands 8 | | t List all loaded types 9 | | tj List all loaded types as json 10 | | t Show type in 'pf' syntax 11 | | t* List types info in r2 commands 12 | | t- Delete types by its name 13 | | t-* Remove all types 14 | | tail [filename] Output the last part of files 15 | | tc [type.name] List all/given types in C output format 16 | | te[?] List all loaded enums 17 | | td[?] Load types from string 18 | | tf List all loaded functions signatures 19 | | tk Perform sdb query 20 | | tl[?] Show/Link type to an address 21 | | tn[?] [-][addr] manage noreturn function attributes and marks 22 | | to - Open cfg.editor to load types 23 | | to Load types from C header file 24 | | toe [type.name] Open cfg.editor to edit types 25 | | tos Load types from parsed Sdb database 26 | | tp [addr|varname] cast data at
to and print it (XXX: type can contain spaces) 27 | | tpv @ [value] Show offset formatted for given type 28 | | tpx Show value for type with specified byte sequence (XXX: type can contain spaces) 29 | | ts[?] Print loaded struct types 30 | | tu[?] Print loaded union types 31 | | tx[f?] Type xrefs 32 | | tt[?] List all loaded typedefs 33 | ``` 34 | 35 | ### Defining new types 36 | 37 | There are three different methods to define new types: 38 | 39 | 1. Defining a new type from r2 shell immediately, to do this you will use `td` command, and put the whole line between double quotes. For example: 40 | 41 | `"td struct person {int age; char *name; char *address;};"` 42 | 43 | 2. You can also use `to -` to open a text editor and write your own types in there. This is preferable when you got too many types to define. 44 | 45 | 3. Radare2 also supports loading header files using the command `to` followed by a path to the header file you want to load. 46 | 47 | You can View loaded types in r2 using `ts` for structures, `tu` for unions, `tf` for function signatures, `te` for enums. 48 | 49 | You can also cast pointers to data types and view data in there accordingly with `tp`. EX: 50 | 51 | ```console 52 | [0x00400511]> tp person = 0x7fff170a46b0 53 | age : 0x7fff170a46b0 = 20 54 | name : (*0x4005b0) 0x7fff170a46b4 = My name 55 | address : (*0x4005b8) 0x7fff170a46bc = My age 56 | [0x00400511]> 57 | ``` 58 | -------------------------------------------------------------------------------- /src/first_steps/intro.md: -------------------------------------------------------------------------------- 1 | # Using Radare2 2 | 3 | The learning curve is usually somewhat steep at the beginning. Although after an hour of using it you should easily understand how most things work, and how to combine the various tools radare offers. You are encouraged to read the rest of this book to understand how some non-trivial things work, and to ultimately improve your skills. 4 | 5 | ![learning_curve](learning_curve.png) 6 | 7 | Navigation, inspection and modification of a loaded binary file is performed using three simple actions: seek (to position), print (buffer), and alternate (write, append). 8 | 9 | The 'seek' command is abbreviated as `s` and accepts an expression as its argument. The expression can be something like `10`, `+0x25`, or `[0x100+ptr_table]`. If you are working with block-based files, you may prefer to set the block size to a required value with `b` command, and seek forward or backwards with positions aligned to it. Use `s++` and `s--` commands to navigate this way. 10 | 11 | If radare2 opens an executable file, by default it will open the file in Virtual Addressing (VA) mode and the sections will be mapped to their virtual addresses. In VA mode, seeking is based on the virtual address and the starting position is set to the entry point of the executable. Using `-n` option you can suppress this default behavior and ask radare2 to open the file in non-VA mode for you. In non-VA mode, seeking is based on the offset from the beginning of the file. 12 | 13 | The 'print' command is abbreviated as `p` and has a number of submodes — the second letter specifying a desired print mode. Frequent variants include `px` to print in hexadecimal, and `pd` for disassembling. 14 | 15 | To be allowed to write files, specify the `-w` option to radare2 when opening a file. The `w` command can be used to write strings, hexpairs (`x` subcommand), or even assembly opcodes (`a` subcommand). Examples: 16 | 17 | ```console 18 | > w hello world ; string 19 | > wx 90 90 90 90 ; hexpairs 20 | > wa jmp 0x8048140 ; assemble 21 | > wf inline.bin ; write contents of file 22 | ``` 23 | 24 | Appending a `?` to a command will show its help message, for example, `p?`. 25 | Appending `?*` will show commands starting with the given string, e.g. `p?*`. 26 | 27 | To enter visual mode, press `V`. Use `q` to quit visual mode and return to the prompt. 28 | 29 | In visual mode you can use HJKL keys to navigate (left, down, up, and right, respectively). You can use these keys in cursor mode toggled by `c` key. To select a byte range in cursor mode, hold down `SHIFT` key, and press navigation keys HJKL to mark your selection. 30 | 31 | While in visual mode, you can also overwrite bytes by pressing `i`. You can press `TAB` to switch between the hex (middle) and string (right) columns. Pressing `q` inside the hex panel returns you to visual mode. By pressing `p` or `P` you can scroll different visual mode representations. There is a second most important visual mode - curses-like panels interface, accessible with `V!` command. 32 | -------------------------------------------------------------------------------- /src/tools/rabin2/libraries.md: -------------------------------------------------------------------------------- 1 | ### List Libraries 2 | 3 | Rabin2 can list libraries used by a binary with the `-l` option: 4 | 5 | ```console 6 | $ rabin2 -l `which r2` 7 | [Linked libraries] 8 | libr_core.so 9 | libr_parse.so 10 | libr_search.so 11 | libr_cons.so 12 | libr_config.so 13 | libr_bin.so 14 | libr_debug.so 15 | libr_asm.so 16 | libr_anal.so 17 | libr_reg.so 18 | libr_bp.so 19 | libr_io.so 20 | libr_fs.so 21 | libr_arch.so 22 | libr_syscall.so 23 | libr_hash.so 24 | libr_magic.so 25 | libr_flag.so 26 | libr_egg.so 27 | libr_crypto.so 28 | libr_util.so 29 | libpthread.so.0 30 | libc.so.6 31 | 32 | 22 libraries 33 | ``` 34 | 35 | Lets check the output with `ldd` command: 36 | 37 | ```console 38 | $ ldd `which r2` 39 | linux-vdso.so.1 (0x00007fffba38e000) 40 | libr_core.so => /usr/lib64/libr_core.so (0x00007f94b4678000) 41 | libr_parse.so => /usr/lib64/libr_parse.so (0x00007f94b4425000) 42 | libr_search.so => /usr/lib64/libr_search.so (0x00007f94b421f000) 43 | libr_cons.so => /usr/lib64/libr_cons.so (0x00007f94b4000000) 44 | libr_config.so => /usr/lib64/libr_config.so (0x00007f94b3dfa000) 45 | libr_bin.so => /usr/lib64/libr_bin.so (0x00007f94b3afd000) 46 | libr_debug.so => /usr/lib64/libr_debug.so (0x00007f94b38d2000) 47 | libr_asm.so => /usr/lib64/libr_asm.so (0x00007f94b2fbd000) 48 | libr_anal.so => /usr/lib64/libr_anal.so (0x00007f94b2fbd000) 49 | libr_reg.so => /usr/lib64/libr_reg.so (0x00007f94b2db4000) 50 | libr_bp.so => /usr/lib64/libr_bp.so (0x00007f94b2baf000) 51 | libr_io.so => /usr/lib64/libr_io.so (0x00007f94b2944000) 52 | libr_fs.so => /usr/lib64/libr_fs.so (0x00007f94b270e000) 53 | libr_arch.so => /usr/lib64/libr_arch.so (0x00007f94b1c69000) 54 | libr_syscall.so => /usr/lib64/libr_syscall.so (0x00007f94b1a63000) 55 | libr_hash.so => /usr/lib64/libr_hash.so (0x00007f94b185a000) 56 | libr_magic.so => /usr/lib64/libr_magic.so (0x00007f94b164d000) 57 | libr_flag.so => /usr/lib64/libr_flag.so (0x00007f94b1446000) 58 | libr_egg.so => /usr/lib64/libr_egg.so (0x00007f94b1236000) 59 | libr_crypto.so => /usr/lib64/libr_crypto.so (0x00007f94b1016000) 60 | libr_util.so => /usr/lib64/libr_util.so (0x00007f94b0d35000) 61 | libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f94b0b15000) 62 | libc.so.6 => /lib64/libc.so.6 (0x00007f94b074d000) 63 | libr_lang.so => /usr/lib64/libr_lang.so (0x00007f94b0546000) 64 | libr_socket.so => /usr/lib64/libr_socket.so (0x00007f94b0339000) 65 | libm.so.6 => /lib64/libm.so.6 (0x00007f94affaf000) 66 | libdl.so.2 => /lib64/libdl.so.2 (0x00007f94afdab000) 67 | /lib64/ld-linux-x86-64.so.2 (0x00007f94b4c79000) 68 | libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f94afb3c000) 69 | libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f94af702000) 70 | libutil.so.1 => /lib64/libutil.so.1 (0x00007f94af4ff000) 71 | libz.so.1 => /lib64/libz.so.1 (0x00007f94af2e8000) 72 | ``` 73 | 74 | If you compare the outputs of `rabin2 -l` and `ldd`, you will notice that rabin2 lists fewer libraries than `ldd`. The reason is that rabin2 does not follow and does not show dependencies of libraries. Only direct binary dependencies are shown. 75 | -------------------------------------------------------------------------------- /src/scripting/r2js.md: -------------------------------------------------------------------------------- 1 | ## r2js 2 | 3 | Radare2 ships the QuickJS ES6/javascript runtime by default starting on versions 5.8.x, having a complete and standard programming language brings a lot of possibilities and ease 4 | 5 | As long as javascript is a also a common target language for transpilation from many other languages it is possible to use this runtime for other programming languages, not just Javascript. 6 | 7 | TypeScript is probably the primary choice because it is very well integrated with Visual Studio Code (or Vim, Helix, ..) offering autocompletion and other facilities for developing your scripts. 8 | 9 | But it is also possible to use Nim, C (via Emscripten), Vlang, and many other languages. 10 | 11 | ### Scripts 12 | 13 | You can run r2js scripts like you do with any other script: 14 | 15 | * Using the `-i` flag on the system shell when launching r2. 16 | * With the `.` command inside the radare2 shell. 17 | 18 | The **rlang** plugin will be selected depending on the file extension. In this case the `qjs` rlang plugin handles the `.r2.js` extension. 19 | 20 | For example: 21 | 22 | ```console 23 | $ r2 -i foo.r2.js /bin/ls 24 | ``` 25 | 26 | If you want to go back to the shell after running the script use the `-q` flag: 27 | 28 | ```console 29 | $ r2 -qi foo.r2.js /bin/ls 30 | ``` 31 | 32 | ### The REPL 33 | 34 | To enter the `r2js` repl you can use the `-j` command or flag. 35 | 36 | ```console 37 | 0$ r2 -j 38 | QuickJS - Type "\h" for help 39 | [r2js]> 40 | ``` 41 | 42 | Same command/flag works in the r2 shell too: 43 | 44 | ```console 45 | [0x00000000]> -j 46 | QuickJS - Type "\h" for help 47 | [r2js]> 48 | ``` 49 | 50 | In this repl (read-eval-print-loop) shell you can run javascript statements, like the ones you would use in NodeJS. 51 | 52 | The `` key can be used to autocomplete expressions. 53 | 54 | ### R2Pipe.r2js 55 | 56 | The rlang plugin exposes the classic `r2.cmd` interface to interact with radare2. This means that you can run a command and get the output in response. 57 | 58 | ### R2Papi.r2js 59 | 60 | The R2Papi apis are also embedded inside the r2, this means that you can use the high level / idiomatic APIs too. 61 | 62 | If the global r2pipe instance is available through the `r2` object. The R2Papi one is available as `R`. 63 | 64 | This is an example: 65 | 66 | ```javascript 67 | var r2 = new R2Pipe(); 68 | var R = new R2Papi(r2); 69 | ``` 70 | 71 | ### R2FridaCompile 72 | 73 | Frida-tools ship a TypeScript compiler that targets ESM and generates a single file containing all the js compiled files from a TypeScript project. 74 | 75 | Radare2 supports the same esm-blob file format used by Frida, and if you don't want to depend on Python you can also use the native one distributed with the _r2frida_ plugin named `r2frida-compile`. 76 | 77 | For example: 78 | 79 | ```console 80 | $ r2frida-compile -o foo.r2.js foo.ts 81 | $ r2 -qi foo.r2.js - 82 | ``` 83 | 84 | ### TypeScript 85 | 86 | The easiest way to run typescript programs inside radare2 is by using `r2frida-compile`, but you can also use the standard `tsc`. 87 | -------------------------------------------------------------------------------- /src/install/download.md: -------------------------------------------------------------------------------- 1 | ## Downloading 2 | 3 | You can get radare from the GitHub repository: [https://github.com/radareorg/radare2](https://github.com/radareorg/radare2) 4 | 5 | Binary packages are available for a number of operating systems (Ubuntu, Maemo, Gentoo, Windows, iPhone, and so on). But you are highly encouraged to get the source and compile it yourself to better understand the dependencies, to make examples more accessible and, of course, to have the most recent version. 6 | 7 | Downloadable versions of the latest releases of Radare2 are available in [https://github.com/radareorg/radare2/releases](GitHub) itself. 8 | 9 | For distributions we aim to recommend the use of release source tarballs to build the program. But users may probably want to use the last code from **git** that's why we always mention "use r2 from git", because we don't aim to fix bugs in releases, always test your bug or problems in the last development branch `master`. 10 | 11 | The radare development repository is often more stable than the 'stable' releases. To obtain the latest version: 12 | 13 | ```console 14 | $ git clone https://github.com/radareorg/radare2.git 15 | ``` 16 | 17 | This will probably take a while, so take a coffee break and continue reading this book. 18 | 19 | To update your local copy of the repository, use `git pull` anywhere in the radare2 source code tree: 20 | 21 | ```console 22 | $ git pull 23 | ``` 24 | 25 | The most common way to get r2 updated and installed system wide is by using, but we may learn more about building 26 | 27 | ```console 28 | $ sys/install.sh 29 | ``` 30 | 31 | ### r2env 32 | 33 | r2env is a lightweight tool version managers: either clone the repo and add its `bin` to your PATH and enable shell integration, or install via pip. The simplest option: 34 | 35 | ```bash 36 | pip install r2env 37 | ``` 38 | 39 | This makes the `r2env` command available and sets up shims for `r2` / `radare2` so the active version is used automatically. 40 | 41 | Replace `` with a tag, branch, or other reference you want to install. 42 | 43 | ```bash 44 | r2env install 45 | ``` 46 | 47 | To remove a build later, use `r2env uninstall` (see the repo README for the exact syntax and any extra flags). If anything behaves unexpectedly, consult the r2env GitHub README for up-to-date flags, usage details, and platform-specific dependencies. 48 | 49 | ### Helper Scripts 50 | 51 | Take a look at the scripts in `sys/`, they are used to automate stuff related to syncing, building and installing r2 and its bindings. 52 | 53 | The most important one is `sys/install.sh`. It will pull, clean, build and symstall r2 system wide. 54 | 55 | Symstalling is the process of installing all the programs, libraries, documentation and data files using symlinks instead of copying the files. 56 | 57 | By default it will be installed in `/usr/local`, but you can specify a different prefix using the argument `--prefix`. 58 | 59 | This is useful for developers, because it permits them to just run 'make' and try changes without having to run make install again. 60 | -------------------------------------------------------------------------------- /src/r2wars/intro.md: -------------------------------------------------------------------------------- 1 | # r2wars 2 | 3 | r2wars is a game where two programs, called bots or warriors, run in a shared memory space. The goal is to make the opponent's program crash or survive until it crashes on its own. It's similar to the classic game CoreWars, but implemented using radare2 technologies. 4 | 5 | The game was originally implemented by pancake as a toy r2pipe.py script in 2016. It served as a way to identify bugs and improve the support for emulation and assembling instructions in radare2. 6 | 7 | Years later the game was reimplemented in C# by SkUaTeR and used for the r2wars competitions during r2con. Check the links below: 8 | 9 | * [r2wars for n00bs (captain banana)](https://www.youtube.com/watch?v=PB0AFBqFwGQ) 10 | * [Competing at r2con](https://www.youtube.com/watch?v=i61v8Uvxhqk) 11 | * [r2wars github repository](https://github.com/radareorg/r2wars) 12 | * [Writeup from 2019](https://anisse.astier.eu/r2wars-2019.html) 13 | 14 | ## How It Works 15 | 16 | The game takes place in a virtual memory space of 1024 bytes (from address 0 to 1023). Bots are written in assembly language for various architectures. They take turns executing one instruction at a time. A bot loses if it tries to access an invalid memory address (outside the 0-1023 range) or executes an invalid instruction. Battles also have a 4000 cycle limit to prevent endless rounds. 17 | 18 | In order to bypass `rep` tricks and make the game more competitive when mixing different CPU architectures bot turns switch depending on cycles, instead of steps. This is, memory operations are slower than register ones, branches also have a cost, etc. You must have all those restrictions in mind when developing your bots in order to win. 19 | 20 | r2wars supports multiple architectures thanks to ESIL (Evaluated Strings Intermediate Language) which translates opcodes from supported architectures a generic form that can be executed in a portable way. Supported architectures by r2wars include x86, ARM and MIPS, but technically, any other architecture supported by r2 is valid. 21 | 22 | ## Common Techniques 23 | 24 | Successful r2wars bots often use these strategies: 25 | 26 | * Self-location: Bots need to know where they are in memory to avoid overwriting themselves. 27 | * Scanning: Search for the opponent's code in memory. 28 | * Bombing: Write invalid opcodes or jump instructions to disrupt the opponent. 29 | * Replication: Copy the bot's code to other memory locations. 30 | * Decoys: Write fake code to mislead opponents. 31 | * Register storage: Store the bot's payload in registers, then push to memory and execute. 32 | 33 | ## Writing your first bot 34 | 35 | Here's a simple x86-32 bot that writes invalid opcodes across the memory space starting from the initial program counter address. 36 | 37 | ```asm 38 | call tag 39 | tag: 40 | pop esp 41 | loop: 42 | add esp, 16 43 | push 0xffffffff 44 | jmp loop 45 | ``` 46 | 47 | This bot uses the call/pop trick to find its own location in memory, then moves through memory in 16-byte increments, writes 0xffffffff (likely invalid opcodes) as it loops until it crashes by going out of bounds, hopefully 48 | -------------------------------------------------------------------------------- /src/crackmes/ioli/ioli_0x00.md: -------------------------------------------------------------------------------- 1 | ### IOLI 0x00 2 | 3 | This first challenge is designed to introduce you to the basics of reverse engineering with Radare2. The objective is to find the correct password to unlock the program. 4 | 5 | By executing the program you may see something like this: 6 | 7 | ```console 8 | $ ./crackme0x00 9 | IOLI Crackme Level 0x00 10 | Password: 1234 11 | Invalid Password! 12 | ``` 13 | 14 | #### Hints 15 | 16 | For this initial challenge, you won’t need to dive into complex disassembly. Instead, focus on searching for plaintext strings within the binary file. 17 | 18 | There are multiple ways to find the strings embedded inside a binary, which are equivalents to the GNU `strings` utility. 19 | 20 | * Check the manpage and help message of rabin2 21 | * Use `man rabin2` and `rabin2 -h` in your terminal 22 | * Load the binary with radare2 23 | * Append the question mark to the `i` and `iz` commands to find relevant 24 | * Understand the difference between `iz`, `izz` and `izzz` 25 | * Read the output of those commands and make a blind guess 26 | 27 | #### Solution 28 | 29 | As explained in the hints, the first thing to check is if the password is just plaintext inside the file. In this case, we don't need to do any disassembly, and we can just use rabin2 with the -z flag to search for strings in the binary. 30 | 31 | ```console 32 | $ rabin2 -z ./crackme0x00 33 | [Strings] 34 | nth paddr vaddr len size section type string 35 | ------------------------------------------------------- 36 | 0 0x00000568 0x08048568 24 25 .rodata ascii IOLI Crackme Level 0x00\n 37 | 1 0x00000581 0x08048581 10 11 .rodata ascii Password: 38 | 2 0x0000058f 0x0804858f 6 7 .rodata ascii 250382 39 | 3 0x00000596 0x08048596 18 19 .rodata ascii Invalid Password!\n 40 | 4 0x000005a9 0x080485a9 15 16 .rodata ascii Password OK :)\n 41 | ``` 42 | 43 | Let's understand the output of this command line by line: 44 | 45 | The first section is the header displayed when the application runs. 46 | 47 | ```console 48 | nth paddr vaddr len size section type string 49 | ------------------------------------------------------- 50 | 0 0x00000568 0x08048568 24 25 .rodata ascii IOLI Crackme Level 0x00\n 51 | ``` 52 | 53 | Next, we see the prompt for the password. 54 | 55 | ``` 56 | 1 0x00000581 0x08048581 10 11 .rodata ascii Password: 57 | ``` 58 | 59 | Then, the error message for an invalid password. 60 | 61 | ``` 62 | 3 0x00000596 0x08048596 18 19 .rodata ascii Invalid Password!\n 63 | ``` 64 | 65 | Finally, the message indicating a successful password entry. 66 | 67 | ``` 68 | 4 0x000005a9 0x080485a9 15 16 .rodata ascii Password OK :)\n 69 | ``` 70 | 71 | What about this string? It hasn’t appeared when running the application yet. 72 | 73 | ``` 74 | 2 0x0000058f 0x0804858f 6 7 .rodata ascii 250382 75 | ``` 76 | 77 | Let’s try using it as the password. 78 | 79 | ```console 80 | $ ./crackme0x00 81 | IOLI Crackme Level 0x00 82 | Password: 250382 83 | Password OK :) 84 | ``` 85 | 86 | Now we know that 250382 is the correct password, completing this crackme! 87 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | VERSION=6.0.0 2 | 3 | all: pdf epub 4 | 5 | .PHONY: all lint lint-fix epub pdf gmi texi info one one-online 6 | 7 | # CHAPTERS=$(shell find src -iname *.md) 8 | CHAPTERS=$(shell grep -Eoi '\([^\)]+' src/SUMMARY.md | sed -e 's,^.,src/,') 9 | 10 | # Global pandoc arguments 11 | PANDOC_OPTIONS+=--from markdown+rebase_relative_paths 12 | PANDOC_OPTIONS+=--metadata-file=pandoc/metadata.yaml 13 | PANDOC_OPTIONS+=--lua-filter=pandoc/filter.lua 14 | 15 | # PDF specific pandoc arguments 16 | PANDOC_PDF_OPTIONS+=--pdf-engine=xelatex 17 | PANDOC_PDF_OPTIONS+=-H pandoc/header.tex --listings 18 | ## Add a cover and hide title text page 19 | PANDOC_PDF_OPTIONS+=-B pandoc/cover.tex -V title: 20 | 21 | # MD specific pandoc arguments 22 | PANDOC_MD_OPTIONS+=--to markdown+backtick_code_blocks 23 | PANDOC_MD_OPTIONS+=--wrap=preserve 24 | 25 | # MD external paths 26 | GIT_COMMIT:=$(shell git rev-parse HEAD) 27 | URL_PREFIX:=https://github.com/radareorg/radare2-book 28 | URL_MD_PREFIX:=$(URL_PREFIX)/blob/$(GIT_COMMIT)/ 29 | URL_IMAGE_PREFIX:=$(URL_PREFIX)/raw/$(GIT_COMMIT)/ 30 | 31 | pdf: 32 | pandoc $(CHAPTERS) $(PANDOC_OPTIONS) $(PANDOC_PDF_OPTIONS) -o r2book.pdf 33 | 34 | epub: 35 | pandoc $(CHAPTERS) $(PANDOC_OPTIONS) -o r2book.epub 36 | 37 | texi: 38 | pandoc $(CHAPTERS) $(PANDOC_OPTIONS) -o r2book.texi 39 | 40 | info: texi 41 | rm -f r2book.info r2book.info.gz 42 | makeinfo --force --no-split r2book.texi 43 | gzip -9n r2book.info 44 | 45 | one: 46 | pandoc $(CHAPTERS) $(PANDOC_OPTIONS) $(PANDOC_MD_OPTIONS) -o r2book.md 47 | 48 | one-online: one 49 | sed -i -E \ 50 | -e 's,\((src/[0-9A-Za-z./_-]+.md)\),($(URL_MD_PREFIX)\1),g' \ 51 | -e 's,\(((src|images)/[0-9A-Za-z./_-]+.(png|jpg))\),($(URL_IMAGE_PREFIX)\1),g' \ 52 | r2book.md 53 | 54 | GOPATH?=$(HOME)/go 55 | GOBIN?=$(GOPATH)/bin 56 | MD2GMI?=$(GOBIN)/md2gmi 57 | 58 | gmi: 59 | @test -x $(MD2GMI) || (echo "ERROR: Missing md2gmi.\nTo install run: go install github.com/n0x1m/md2gmi@latest"; false) 60 | rm -rf gmi 61 | mkdir -p gmi 62 | for a in $(shell find src -type d) ; do b=`echo $$a |sed -e 's,src/,gmi/,'`; mkdir -p $$b ; done 63 | for a in $(shell find src -type f -name \*.md) ; do \ 64 | b=`echo $$a | sed -e 's,src/,gmi/,' -e 's,\.md,\.gmi,'` ; \ 65 | $(MD2GMI) -i $$a -o $$b; \ 66 | sed -e 's,\.md,\.gmi,' -i $$b; \ 67 | done 68 | grep -v 134 < gmi/SUMMARY.gmi | grep -v '^-' > .a.a 69 | mv .a.a gmi/SUMMARY.gmi 70 | ln -v gmi/SUMMARY.gmi gmi/index.gmi 71 | tar -czf r2book-gmi.tar.gz -C gmi . 72 | 73 | # Linting 74 | MDLINT_GLOBS='src/**/*.md' 75 | MDLINT_CONFIG=src/.markdownlint.jsonc 76 | node_modules/.bin/markdownlint-cli2: 77 | npm install --no-save markdownlint-cli2 78 | 79 | lint: node_modules/.bin/markdownlint-cli2 80 | sys/lintrefs2.sh 81 | node_modules/.bin/markdownlint-cli2 $(MDLINT_GLOBS) --config $(MDLINT_CONFIG) 82 | 83 | lint-fix: node_modules/.bin/markdownlint-cli2 84 | node_modules/.bin/markdownlint-cli2 $(MDLINT_GLOBS) --config $(MDLINT_CONFIG) --fix 85 | sys/lintrefs2.sh 86 | 87 | lint-one: node_modules/.bin/markdownlint-cli2 lint one 88 | node_modules/.bin/markdownlint-cli2 r2book.md --config .one.markdownlint-cli2.jsonc 89 | -------------------------------------------------------------------------------- /src/emulation/analysis.md: -------------------------------------------------------------------------------- 1 | ## Emulation in the Analysis Loop 2 | 3 | Aside from manual emulation, automatic emulation is also possible in the analysis loop. 4 | For example, the `aaaa` command performs the ESIL emulation stage, among others. 5 | To disable or enable ESIL analysis, set the `anal.esil` configuration variable. 6 | 7 | Furthermore, `emu.write` allows the ESIL VM to modify memory. However, enabling it 8 | might be quite dangerous, especially when analyzing malware. Regardless, it is 9 | still sometimes required, particularly when deobfuscating or unpacking code. To 10 | show the emulation process, you can set `asm.emu` variable which will show 11 | calculated register and memory values as comments in the disassembly: 12 | 13 | ```console 14 | [0x00001660]> e asm.emu=true 15 | [0x00001660]> pdf 16 | . (fcn) fcn.00001660 40 17 | | fcn.00001660 (); 18 | | ; CALL XREF from 0x00001713 (entry2.fini) 19 | | 0x00001660 lea rdi, obj.__progname ; 0x207220 ; rdi=0x207220 -> 0x464c457f 20 | | 0x00001667 push rbp ; rsp=0xfffffffffffffff8 21 | | 0x00001668 lea rax, obj.__progname ; 0x207220 ; rax=0x207220 -> 0x464c457f 22 | | 0x0000166f cmp rax, rdi ; zf=0x1 -> 0x2464c45 ; cf=0x0 ; pf=0x1 -> 0x2464c45 ; sf=0x0 ; of=0x0 23 | | 0x00001672 mov rbp, rsp ; rbp=0xfffffffffffffff8 24 | | .-< 0x00001675 je 0x1690 ; rip=0x1690 -> 0x1f0fc35d ; likely 25 | | | 0x00001677 mov rax, qword [reloc._ITM_deregisterTMCloneTable] ; [0x206fd8:8]=0 ; rax=0x0 26 | | | 0x0000167e test rax, rax ; zf=0x1 -> 0x2464c45 ; pf=0x1 -> 0x2464c45 ; sf=0x0 ; cf=0x0 ; of=0x0 27 | |.--< 0x00001681 je 0x1690 ; rip=0x1690 -> 0x1f0fc35d ; likely 28 | ||| 0x00001683 pop rbp ; rbp=0xffffffffffffffff -> 0x4c457fff ; rsp=0x0 29 | ||| 0x00001684 jmp rax ; rip=0x0 .. 30 | |``-> 0x00001690 pop rbp ; rbp=0x10102464c457f ; rsp=0x8 -> 0x464c457f 31 | ` 0x00001691 ret ; rip=0x0 ; rsp=0x10 -> 0x3e0003 32 | ``` 33 | 34 | Note the comments containing `likely`, which indicate conditional jumps likely to be taken by ESIL emulation. 35 | 36 | Apart from the basic ESIL VM setup, you can change its behavior with other options located in the `emu.` and `esil.` configuration namespaces. 37 | 38 | ## Debugging with ESIL 39 | 40 | The debugger APIs can be configured to use different backends, to communicate with a local or remote GDB server, use the native debugger, a specific virtualization or emulation engine like Unicorn or BOCHS, but there's also an ESIL backend. 41 | 42 | ```console 43 | [0x00000000]> dL 44 | 0 --- bf LGPL3 45 | 1 --- bochs LGPL3 46 | 2 --- esil LGPL3 47 | 3 --- evm LGPL3 48 | 4 --- gdb LGPL3 49 | 5 --- io MIT 50 | 6 dbg native LGPL3 51 | 7 --- null MIT 52 | 8 --- qnx LGPL3 53 | 9 --- rap LGPL3 54 | [0x00000000]> dL esil 55 | [0x00000000]> 56 | ``` 57 | 58 | After this command, you can use any of the `d` sub-commands to change register values, step or skip instructions, set breakpoints, etc. but using the internal emulation logic of ESIL. 59 | -------------------------------------------------------------------------------- /src/search/search_options.md: -------------------------------------------------------------------------------- 1 | ## Search Options 2 | 3 | The radare2 search engine can be configured through several configuration variables, modifiable with the `e` command. 4 | 5 | ```console 6 | e cmd.hit = x ; radare2 command to execute on every search hit 7 | e search.distance = 0 ; search string distance 8 | e search.in = [foo] ; specify search boundaries. Supported values are listed under e search.in=?? 9 | e search.align = 4 ; only show search results aligned by specified boundary. 10 | e search.from = 0 ; start address 11 | e search.to = 0 ; end address 12 | e search.asmstr = 0 ; search for string instead of assembly 13 | e search.flags = true ; if enabled, create flags on hits 14 | ``` 15 | 16 | The `search.align` variable is used to limit valid search hits to certain alignment. For example, with `e search.align=4` you will see only hits found at 4-bytes aligned offsets. 17 | 18 | The `search.flags` boolean variable instructs the search engine to flag hits so that they can be referenced later. If a currently running search is interrupted with `Ctrl-C` keyboard sequence, current search position is flagged with `search_stop`. 19 | 20 | The `search.in` variable specifies search boundaries. To search entire memory, use `e search.in = dbg.maps`. The default value is `dbg.map`. 21 | 22 | Options are controlled by the `search.` variables. 23 | 24 | ```console 25 | [0x00000000]> e??search 26 | search.align: only catch aligned search hits 27 | search.chunk: chunk size for /+ (default size is asm.bits/8 28 | search.contiguous: accept contiguous/adjacent search hits 29 | search.distance: search string distance 30 | search.esilcombo: stop search after N consecutive hits 31 | search.flags: all search results are flagged, otherwise only printed 32 | search.from: search start address 33 | search.in: specify search boundaries 34 | search.kwidx: store last search index count 35 | search.maxhits: maximum number of hits (0: no limit) 36 | search.overlap: look for overlapped search hits 37 | search.prefix: prefix name in search hits label 38 | search.show: show search results 39 | search.to: search end address 40 | search.verbose: make the output of search commands verbose 41 | ``` 42 | 43 | Perhaps the most important search variable is `search.in` - it controls where 44 | your search is occurring. If you aren't finding hits you expect, check this 45 | variable first. Note the difference between `map` and `maps` - `map` will only 46 | search the map that you are currently in, while `maps` will search all memory 47 | maps, with options to narrow the search by permissions. 48 | 49 | ```console 50 | [0x00000000]> e search.in=? 51 | raw 52 | block 53 | bin.section 54 | bin.sections 55 | bin.sections.rwx 56 | bin.sections.r 57 | bin.sections.rw 58 | bin.sections.rx 59 | bin.sections.wx 60 | bin.sections.x 61 | io.map 62 | io.maps 63 | io.maps.rwx 64 | io.maps.r 65 | io.maps.rw 66 | io.maps.rx 67 | io.maps.wx 68 | io.maps.x 69 | dbg.stack 70 | dbg.heap 71 | dbg.map 72 | dbg.maps 73 | dbg.maps.rwx 74 | dbg.maps.r 75 | dbg.maps.rw 76 | dbg.maps.rx 77 | dbg.maps.wx 78 | dbg.maps.x 79 | anal.fcn 80 | anal.bb 81 | ``` 82 | -------------------------------------------------------------------------------- /src/intro/history.md: -------------------------------------------------------------------------------- 1 | ## History 2 | 3 | In 2006, Sergi Àlvarez (aka pancake) while working as a forensic analyst he decided to write a small tool to recover some deleted files from an HFS+ disk by accident. As long as using the privative software from work it was a good toy project, following the concept of a block-based hexadecimal editor interface with a very simple repl to enter commands to search for byte patterns and dump the results to disk. And have the following characteristics: 4 | 5 | * be extremely portable (unix friendly, command line, c, small) 6 | * open disk devices, this is using 64bit offsets 7 | * search for a string or hexpair 8 | * review and dump the results to disk 9 | 10 | After three years of intense development (in 2009) the project was too bloated to keep it as a monolitic tool and pancake decided to redesign the tool into a more pluggable and modular form. This way it was possible to create scripts, bindings and write plugins to add support for more architectures, debugging targets or improve the analysis capabilities by keeping the core intact. 11 | 12 | Since then, the project has evolved to provide a complete framework for analyzing binaries, while making use of basic UNIX concepts. Those concepts include the famous "everything is a file", "small programs that interact using stdin/stdout", and "keep it simple" paradigms. 13 | 14 | The need for scripting showed the fragility of the initial design: a monolithic tool made the API hard to use, and so a deep refactoring was needed. In 2009 radare2 (r2) was born as a fork of radare1. The refactor added flexibility and dynamic features. This enabled much better integration, paving the way to use r2 [from different programming languages](https://github.com/radareorg/radare2-bindings). Later on, the [r2pipe API](https://github.com/radareorg/radare2-r2pipe) allowed access to radare2 via pipes from any language, and the [r2papi](https://github.com/radareorg/radare2-r2papi) provided an idiomatic and high level interface to use r2 through r2pipe from a large list of programming languages. 15 | 16 | What started as a one-man project, with some eventual contributions, gradually evolved into a big community-based project around 2014. The number of users was growing fast, changing roles and contribution rules to ease the maintenance as much as possible. 17 | 18 | It's important to instruct users to report their issues, as well as help developers willing to contribute to understand the codebase. The whole development is managed in [radare2's GitHub](https://github.com/radareorg/radare2) and discussed in the Telegram and Discord channels. 19 | 20 | There are several side projects that provide, among other things, a graphical user interface ([Iaito](https://github.com/radareorg/iaito)), a decompiler ([r2dec](https://github.com/wargio/r2dec-js), [r2ghidra](https://github.com/radareorg/r2ghidra)), Frida integration ([r2frida](https://github.com/nowsecure/r2frida)), Yara ([r2yara](https://github.com/radareorg/r2yara)), Unicorn, Keystone, and many other projects indexed in the [r2pm](https://github.com/radareorg/radare2-pm), the radare2 package manager. 21 | 22 | Since 2016, the community gathers once a year in [r2con](https://www.radare.org/con/), a congress around radare2 that takes place in Barcelona. 23 | -------------------------------------------------------------------------------- /src/tools/rafind2/intro.md: -------------------------------------------------------------------------------- 1 | ## Rafind2 2 | 3 | Rafind2 is the command line fronted of the `r_search` library. Which allows you to search for strings, sequences of bytes with binary masks, etc 4 | 5 | ```console 6 | $ rafind2 -h 7 | Usage: rafind2 [-mXnzZhqv] [-a align] [-b sz] [-f/t from/to] [-[e|s|S] str] [-x hex] -|file|dir .. 8 | -a [align] only accept aligned hits 9 | -b [size] set block size 10 | -e [regex] search for regex matches (can be used multiple times) 11 | -f [from] start searching from address 'from' 12 | -h show this help 13 | -i identify filetype (r2 -nqcpm file) 14 | -j output in JSON 15 | -m magic search, file-type carver 16 | -M [str] set a binary mask to be applied on keywords 17 | -n do not stop on read errors 18 | -r print using radare commands 19 | -s [str] search for a specific string (can be used multiple times) 20 | -S [str] search for a specific wide string (can be used multiple times). Assumes str is UTF-8. 21 | -t [to] stop search at address 'to' 22 | -q quiet - do not show headings (filenames) above matching contents (default for searching a single file) 23 | -v print version and exit 24 | -x [hex] search for hexpair string (909090) (can be used multiple times) 25 | -X show hexdump of search results 26 | -z search for zero-terminated strings 27 | -Z show string found on each search hit 28 | ``` 29 | 30 | That's how to use it, first we'll search for "lib" inside the `/bin/ls` binary. 31 | 32 | ```console 33 | $ rafind2 -s lib /bin/ls 34 | 0x5f9 35 | 0x675 36 | 0x679 37 | ... 38 | $ 39 | ``` 40 | 41 | Note that the output is pretty minimal, and shows the offsets where the string `lib` is found. We can then use this output to feed other tools. 42 | 43 | Counting results: 44 | 45 | ```console 46 | $ rafind2 -s lib /bin/ls | wc -l 47 | ``` 48 | 49 | Displaying results with context: 50 | 51 | ```console 52 | $ export F=/bin/ls 53 | $ for a in `rafind2 -s lib $F` ; do \ 54 | r2 -ns $a -qc'x 32' $F ; done 55 | 0x000005f9 6c69 622f 6479 6c64 .. lib/dyld........ 56 | 0x00000675 6c69 622f 6c69 6275 .. lib/libutil.dyli 57 | 0x00000679 6c69 6275 7469 6c2e .. libutil.dylib... 58 | 0x00000683 6c69 6200 000c 0000 .. lib......8...... 59 | 0x000006a5 6c69 622f 6c69 626e .. lib/libncurses.5 60 | 0x000006a9 6c69 626e 6375 7273 .. libncurses.5.4.d 61 | 0x000006ba 6c69 6200 0000 0c00 .. lib.......8..... 62 | 0x000006dd 6c69 622f 6c69 6253 .. lib/libSystem.B. 63 | 0x000006e1 6c69 6253 7973 7465 .. libSystem.B.dyli 64 | 0x000006ef 6c69 6200 0000 0000 .. lib......&...... 65 | ``` 66 | 67 | rafind2 can also be used as a replacement of `file` to identify the mimetype of a file using the internal magic database of radare2. 68 | 69 | ```console 70 | $ rafind2 -i /bin/ls 71 | 0x00000000 1 Mach-O 72 | ``` 73 | 74 | Also works as a `strings` replacement, similar to what you do with rabin2 -z, but without caring about parsing headers and obeying binary sections. 75 | 76 | ```console 77 | $ rafind2 -z /bin/ls| grep http 78 | 0x000076e5 %http://www.apple.com/appleca/root.crl0\r 79 | 0x00007ae6 https://www.apple.com/appleca/0 80 | 0x00007fa9 )http://www.apple.com/certificateauthority0 81 | 0x000080ab $http://crl.apple.com/codesigning.crl0 82 | ``` 83 | -------------------------------------------------------------------------------- /src/commandline/sdb.md: -------------------------------------------------------------------------------- 1 | ## SDB 2 | 3 | SDB stands for String DataBase. It's a simple key-value database that only operates with strings created by pancake. It is used in many parts of r2 to have a disk and in-memory database which is small and fast to manage using it as a hashtable on steroids. 4 | 5 | SDB is a simple string key/value database based on djb’s cdb disk storage and supports JSON and arrays introspection. 6 | 7 | There’s also the sdbtypes: a vala library that implements several data structures on top of an sdb or a memcache instance. 8 | 9 | SDB supports: 10 | 11 | * namespaces (multiple sdb paths) 12 | * atomic database sync (never corrupted) 13 | * bindings for vala, luvit, newlisp and nodejs 14 | * commandline frontend for sdb databases 15 | * memcache client and server with sdb backend 16 | * arrays support (syntax sugar) 17 | * json parser/getter 18 | 19 | ### Usage example 20 | 21 | Let's create a database! 22 | 23 | ```console 24 | $ sdb d hello=world 25 | $ sdb d hello 26 | world 27 | ``` 28 | 29 | Using arrays: 30 | 31 | ```console 32 | $ sdb - '[]list=1,2' '[0]list' '[0]list=foo' '[]list' '[+1]list=bar' 33 | 1 34 | foo 35 | 2 36 | foo 37 | bar 38 | 2 39 | ``` 40 | 41 | Let's play with json: 42 | 43 | ```console 44 | $ sdb d g='{"foo":1,"bar":{"cow":3}}' 45 | $ sdb d g?bar.cow 46 | 3 47 | $ sdb - user='{"id":123}' user?id=99 user?id 48 | 99 49 | ``` 50 | 51 | Using the command line without any disk database: 52 | 53 | ```console 54 | $ sdb - foo=bar foo a=3 +a -a 55 | bar 56 | 4 57 | 3 58 | 59 | $ sdb - 60 | foo=bar 61 | foo 62 | bar 63 | a=3 64 | +a 65 | 4 66 | -a 67 | 3 68 | ``` 69 | 70 | Remove the database 71 | 72 | ```console 73 | $ rm -f d 74 | ``` 75 | 76 | ### So what ? 77 | 78 | So, you can now do this inside your radare2 sessions! 79 | 80 | Let's take a simple binary, and check what is already _sdbized_. 81 | 82 | ```console 83 | $ cat test.c 84 | int main(){ 85 | puts("Hello world\n"); 86 | } 87 | $ gcc test.c -o test 88 | ``` 89 | 90 | ```console 91 | $ r2 -A ./test 92 | [0x08048320]> k ** 93 | bin 94 | anal 95 | syscall 96 | debug 97 | ``` 98 | 99 | ```console 100 | [0x08048320]> k bin/** 101 | fd.6 102 | [0x08048320]> k bin/fd.6/* 103 | archs=0:0:x86:32 104 | ``` 105 | 106 | The file corresponding to the sixth file descriptor is a x86_32 binary. 107 | 108 | ```console 109 | [0x08048320]> k anal/meta/* 110 | meta.s.0x80484d0=12,SGVsbG8gd29ybGQ= 111 | [...] 112 | [0x08048320]> ?b64- SGVsbG8gd29ybGQ= 113 | Hello world 114 | ``` 115 | 116 | Strings are stored encoded in base64. 117 | 118 | --- 119 | 120 | ### More Examples 121 | 122 | List namespaces 123 | 124 | ``` 125 | k ** 126 | ``` 127 | 128 | List sub-namespaces 129 | 130 | ``` 131 | k anal/** 132 | ``` 133 | 134 | List keys 135 | 136 | ``` 137 | k * 138 | k anal/* 139 | ``` 140 | 141 | Set a key 142 | 143 | ``` 144 | k foo=bar 145 | ``` 146 | 147 | Get the value of a key 148 | 149 | ``` 150 | k foo 151 | ``` 152 | 153 | List all syscalls 154 | 155 | ``` 156 | k syscall/*~^0x 157 | ``` 158 | 159 | List all comments 160 | 161 | ``` 162 | k anal/meta/*~.C. 163 | ``` 164 | 165 | Show a comment at given offset: 166 | 167 | ``` 168 | k %anal/meta/[1]meta.C.0x100005000 169 | ``` 170 | -------------------------------------------------------------------------------- /src/search/searching_crypto.md: -------------------------------------------------------------------------------- 1 | ## Searching for Cryptography materials 2 | 3 | ### Searching expanded keys 4 | 5 | radare2 is capable of finding **expanded** keys with `/ca` command for AES and SM4 block ciphers. It searches from current seek position up to the `search.distance` limit, or until end of file is reached. You can interrupt current search by pressing `Ctrl-C`. For example, to look for AES keys in a memory dump: 6 | 7 | ```console 8 | [0x00000000]> /ca aes 9 | Searching 40 bytes in [0x0-0x1ab] 10 | hits: 1 11 | 0x000000fb hit0_0 6920e299a5202a6d656e636869746f2a 12 | ``` 13 | 14 | For AES, the output length gives you the size of the AES key used: 128, 192 or 256 bits. If you are simply looking for plaintext AES keys in your binary, `/ca` will not find them they must have been expanded by the key expansion algorithm. 15 | 16 | ### Searching private keys and certificates 17 | 18 | `/cr` command implements the search of private keys (RSA and ECC). `/cd` command implements a similar feature to search certificates. 19 | 20 | ```console 21 | [0x00000000]> /cr 22 | Searching 11 bytes in [0x0-0x15a] 23 | hits: 2 24 | 0x000000fa hit1_0 302e020100300506032b657004220420fb3d588296fed5694ff7049eafb74490bf4bc6467ee11a08... 25 | ``` 26 | 27 | ### Entropy analysis 28 | 29 | `p=e` might give some hints if high entropy sections are found trying to cover up a hardcoded secret. 30 | 31 | There is the possibility to delimit entropy sections for later use with `\s` command: 32 | 33 | ```console 34 | [0x00000000]> b 35 | 0x100 36 | [0x00000000]> b 4096 37 | [0x00000000]> /s 38 | 0x00100000 - 0x00101000 ~ 5.556094 39 | 0x014e2c88 - 0x014e3c88 ~ 0.000000 40 | 0x01434374 - 0x01435374 ~ 6.332087 41 | 0x01435374 - 0x0144c374 ~ 3.664636 42 | 0x0144c374 - 0x0144d374 ~ 1.664368 43 | 0x0144d374 - 0x0144f374 ~ 4.229199 44 | 0x0144f374 - 0x01451374 ~ 2.000000 45 | (...) 46 | [0x00000000]> /s* 47 | f entropy_section_0 0x00001000 0x00100000 48 | f entropy_section_1 0x00001000 0x014e2c88 49 | f entropy_section_2 0x00001000 0x01434374 50 | f entropy_section_3 0x00017000 0x01435374 51 | f entropy_section_4 0x00001000 0x0144c374 52 | f entropy_section_5 0x00002000 0x0144d374 53 | f entropy_section_6 0x00002000 0x0144f374 54 | ``` 55 | 56 | The blocksize is increased to 4096 bytes from the default 100 bytes so that the entropy search `/s` can work on reasonably sized chunks for entropy analysis. The sections flags can be applied with the dot operator, `./s*` and then looped through `px 32 @@ entropy*`. 57 | 58 | ### Searching data matching hash digest 59 | 60 | Sometimes it is useful to search if some data blocks in a binary match a given digest. The command `/h` implement such feature. For example running the following command: 61 | 62 | ```console 63 | [0x00000000]> /h sha256 83264abaf298b9238ca63cb2fd9ff0f41a7a1520ee2a17c56df459fc806de1d6 512 64 | INFO: Searching sha256 for 512 byte length 65 | INFO: Search in range 0x00000000 and 0x00000284 66 | INFO: Carving 132 blocks: 67 | INFO: Found at 0x64 68 | f hash.sha256.83264abaf298b9238ca63cb2fd9ff0f41a7a1520ee2a17c56df459fc806de1d6 = 0x64 69 | ``` 70 | 71 | Launches a search of 512-bytes blocks of data in the binary which SHA256 hash would results in the digest `83264abaf298b9238ca63cb2fd9ff0f41a7a1520ee2a17c56df459fc806de1d6`. If a digest is found, the offset of its location is printed. 72 | -------------------------------------------------------------------------------- /src/first_steps/basic_debugger_session.md: -------------------------------------------------------------------------------- 1 | ## Basic Debugger Session 2 | 3 | To debug a program, start radare with the `-d` option. Note that you can attach to a running process by specifying its PID, or you can start a new program by specifying its name and parameters: 4 | 5 | ```console 6 | $ pidof mc 7 | 32220 8 | $ r2 -d 32220 9 | $ r2 -d /bin/ls 10 | $ r2 -a arm -b 16 -d gdb://192.168.1.43:9090 11 | ... 12 | ``` 13 | 14 | In the second case, the debugger will fork and load the debugee `ls` program in memory. 15 | 16 | It will pause its execution early in `ld.so` dynamic linker. As a result, you will not yet see the entrypoint or any shared libraries at this point. 17 | 18 | You can override this behavior by setting another name for an entry breakpoint. To do this, add a radare command 19 | `e dbg.bep=entry` or `e dbg.bep=main` to your startup script, usually it is `~/.config/radare2/radare2rc`. 20 | 21 | Another way to continue until a specific address is by using the `dcu` command. Which means: "debug continue until" taking the address of the place to stop at. For example: 22 | 23 | ``` 24 | dcu main 25 | ``` 26 | 27 | Be warned that certain malware or other tricky programs can actually execute code before `main()` and thus you'll be unable to control them. (Like the program constructor or the tls initializers) 28 | 29 | Below is a list of most common commands used with debugger: 30 | 31 | ```console 32 | > d? ; get help on debugger commands 33 | > ds 3 ; step 3 times 34 | > db 0x8048920 ; setup a breakpoint 35 | > db -0x8048920 ; remove a breakpoint 36 | > dc ; continue process execution 37 | > dcs ; continue until syscall 38 | > dd ; manipulate file descriptors 39 | > dm ; show process maps 40 | > dmp A S rwx ; change permissions of page at A and size S 41 | > dr eax=33 ; set register value. eax = 33 42 | ``` 43 | 44 | There is another option for debugging in radare, which may be easier: using visual mode. 45 | 46 | That way you will neither need to remember many commands nor to keep program state in your mind. 47 | 48 | To enter visual debugger mode use `Vpp`: 49 | 50 | ```console 51 | [0xb7f0c8c0]> Vpp 52 | ``` 53 | 54 | The initial view after entering visual mode is a hexdump view of the current target program counter (e.g., EIP for x86). 55 | Pressing `p` will allow you to cycle through the rest of visual mode views. 56 | You can press `p` and `P` to rotate through the most commonly used print modes. 57 | Use F7 or `s` to step into and F8 or `S` to step over current instruction. 58 | With the `c` key you can toggle the cursor mode to mark a byte range selection 59 | (for example, to later overwrite them with nop). You can set breakpoints with `F2` key. 60 | 61 | In visual mode you can enter regular radare commands by prepending them with `:`. 62 | For example, to dump a one block of memory contents at ESI: 63 | 64 | ``` 65 | 66 | x @ esi 67 | ``` 68 | 69 | To get help on visual mode, press `?`. To scroll the help screen, use arrows. To 70 | exit the help view, press `q`. 71 | 72 | A frequently used command is `dr`, which is used to read or write values of the target's general purpose registers. 73 | For a more compact register value representation you might use `dr=` command. 74 | You can also manipulate the hardware and the extended/floating point registers. 75 | -------------------------------------------------------------------------------- /src/search/basic_searches.md: -------------------------------------------------------------------------------- 1 | ## Basic Search 2 | 3 | A basic search for a plain text string in a file would be something like: 4 | 5 | ```console 6 | $ r2 -q -c "/ lib" /bin/ls 7 | Searching 3 bytes from 0x00400000 to 0x0041ae08: 6c 69 62 8 | hits: 9 9 | 0x00400239 hit0_0 "lib64/ld-linux-x86-64.so.2" 10 | 0x00400f19 hit0_1 "libselinux.so.1" 11 | 0x00400fae hit0_2 "librt.so.1" 12 | 0x00400fc7 hit0_3 "libacl.so.1" 13 | 0x00401004 hit0_4 "libc.so.6" 14 | 0x004013ce hit0_5 "libc_start_main" 15 | 0x00416542 hit0_6 "libs/" 16 | 0x00417160 hit0_7 "lib/xstrtol.c" 17 | 0x00417578 hit0_8 "lib" 18 | ``` 19 | 20 | As can be seen from the output above, radare2 generates a "hit" flag for every entry found. You can then use the `ps` command to see the strings stored at the offsets marked by the flags in this group, and they will have names of the form `hit0_`: 21 | 22 | ```console 23 | [0x00404888]> / ls 24 | ... 25 | [0x00404888]> ps @ hit0_0 26 | lseek 27 | ``` 28 | 29 | You can search for wide-char strings (e.g., unicode letters) using the `/w` command: 30 | 31 | ```console 32 | [0x00000000]> /w Hello 33 | 0 results found. 34 | ``` 35 | 36 | To perform a case-insensitive search for strings use `/i`: 37 | 38 | ```console 39 | [0x0040488f]> /i Stallman 40 | Searching 8 bytes from 0x00400238 to 0x0040488f: 53 74 61 6c 6c 6d 61 6e 41 | [# ]hits: 004138 < 0x0040488f hits = 0 42 | ``` 43 | 44 | It is possible to specify hexadecimal escape sequences in the search string by prepending them with `\x`: 45 | 46 | ```console 47 | [0x00000000]> / \x7FELF 48 | ``` 49 | 50 | if, instead, you are searching for a string of hexadecimal values, you're probably better of using the `/x` command: 51 | 52 | ```console 53 | [0x00000000]> /x 7F454C46 54 | ``` 55 | 56 | If you want to mask some nibble during the search you can use the symbol **.** to allow any nibble value to match: 57 | 58 | ```console 59 | [0x00407354]> /x 80..80 60 | 0x0040d4b6 hit3_0 800080 61 | 0x0040d4c8 hit3_1 808080 62 | 0x004058a6 hit3_2 80fb80 63 | ``` 64 | 65 | You may not know some bit values of your hexadecimal pattern. Thus you may use a bit mask on your pattern. Each bit set to one in the mask indicates to search the bit value in the pattern. A bit set to zero in the mask indicates that the value of a matching value can be 0 or 1: 66 | 67 | ```console 68 | [0x00407354]> /x 808080:ff80ff 69 | 0x0040d4c8 hit4_0 808080 70 | 0x0040d7b0 hit4_1 808080 71 | 0x004058a6 hit4_2 80fb80 72 | ``` 73 | 74 | You can notice that the command `/x 808080:ff00ff` is equivalent to the command `/x 80..80`. 75 | 76 | Once the search is done, the results are stored in the `searches` flag space. 77 | 78 | ```console 79 | [0x00000000]> fs 80 | 0 0 . strings 81 | 1 0 . symbols 82 | 2 6 . searches 83 | 84 | [0x00000000]> f 85 | 0x00000135 512 hit0_0 86 | 0x00000b71 512 hit0_1 87 | 0x00000bad 512 hit0_2 88 | 0x00000bdd 512 hit0_3 89 | 0x00000bfb 512 hit0_4 90 | 0x00000f2a 512 hit0_5 91 | ``` 92 | 93 | To remove "hit" flags after you do not need them anymore, use the `f- hit*` command. 94 | 95 | Often, during long search sessions, you will need to launch the latest search more than once. You can use the `//` command to repeat the last search. 96 | 97 | ```console 98 | [0x00000f2a]> // ; repeat last search 99 | ``` 100 | -------------------------------------------------------------------------------- /src/commandline/intro.md: -------------------------------------------------------------------------------- 1 | # Commandline 2 | 3 | Most command names in radare are derived from action names. They should be easy to remember, as they are short. Actually, all commands are single letters. Subcommands or related commands are specified using the second character of the command name. For example, `/ foo` is a command to search plain string, while `/x 90 90` is used to look for hexadecimal pairs. 4 | 5 | The general format for a valid command (as explained in the [Command Format](../first_steps/syntax.md) chapter) looks like this: 6 | 7 | ``` 8 | [.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ... 9 | ``` 10 | 11 | For example, 12 | 13 | ```console 14 | > 3s +1024 ; seeks three times 1024 from the current seek 15 | ``` 16 | 17 | If a command starts with `=!`, the rest of the string is passed to the currently loaded IO plugin (a debugger, for example). Most plugins provide help messages with `=!?` or `=!help`. 18 | 19 | ```console 20 | $ r2 -d /bin/ls 21 | > =!help ; handled by the IO plugin 22 | ``` 23 | 24 | If a command starts with `!`, the POSIX `system()` C function is called to pass the command to your shell. Check `!?` for more options and usage examples. 25 | 26 | ```console 27 | > !ls ; run `ls` in the shell 28 | ``` 29 | 30 | The meaning of the arguments (iter, addr, size) depends on the specific command. As a rule of thumb, most commands take a number as an argument to specify the number of bytes to work with, instead of the currently defined block size. Some commands accept math expressions or strings. 31 | 32 | ```console 33 | > px 0x17 ; show 0x17 bytes in hexs at current seek 34 | > s base+0x33 ; seeks to flag 'base' plus 0x33 35 | > / lib ; search for 'lib' string. 36 | ``` 37 | 38 | The `@` sign is used to specify a temporary offset location or a seek position at which the command is executed, instead of current seek position. This is quite useful as you don't have to seek around all the time. 39 | 40 | ```console 41 | > p8 10 @ 0x4010 ; show 10 bytes at offset 0x4010 42 | > f patata @ 0x10 ; set 'patata' flag at offset 0x10 43 | ``` 44 | 45 | Using `@@` you can execute a single command on a list of flags matching the glob. You can think of this as a foreach operation: 46 | 47 | ```console 48 | > s 0 49 | > / lib ; search 'lib' string 50 | > p8 20 @@ hit0_* ; show 20 hexpairs at each search hit 51 | ``` 52 | 53 | The `>` operation is used to redirect the output of a command into a file (overwriting it if it already exists). 54 | 55 | ```console 56 | > pr > dump.bin ; dump 'raw' bytes of current block to file named 'dump.bin' 57 | > f > flags.txt ; dump flag list to 'flags.txt' 58 | ``` 59 | 60 | The `|` operation (pipe) is similar to what you are used to expect from it in a *NIX shell: an output of one command as input to another. 61 | 62 | ```console 63 | [0x4A13B8C0]> f | grep section | grep text 64 | 0x0805f3b0 512 section._text 65 | 0x080d24b0 512 section._text_end 66 | ``` 67 | 68 | You can pass several commands in a single line by separating them with a semicolon `;`: 69 | 70 | ```console 71 | > px ; dr 72 | ``` 73 | 74 | Using `_`, you can print the result that was obtained by the last command. 75 | 76 | ```console 77 | [0x00001060]> axt 0x00002004 78 | main 0x1181 [DATA] lea rdi, str.argv__2d_:__s 79 | [0x00001060]> _ 80 | main 0x1181 [DATA] lea rdi, str.argv__2d_:__s 81 | ``` 82 | --------------------------------------------------------------------------------