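├── old
    ├── README.md
    └── radare2_rc.tex
├── .gitignore
├── README.md
├── Makefile
├── r2style.sty
├── .github
    └── workflows
    │   └── ci.yml
├── rax2-cheatsheet.tex
├── radare2-cheatsheet.tex
└── r2frida-cheatsheet.tex


/old/README.md:
--------------------------------------------------------------------------------
1 | # Old RefCards
2 |
3 | This directory contains old reference cards
4 |

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.vrb
2 | *.aux
3 | *.log
4 | *.nav
5 | *.out
6 | *.sbn
7 | *.toc
8 | *.pdf
9 | *.dvi
10 |

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # radare2 cheatsheets
2 |
3 | [![CI](https://github.com/radareorg/radare2-cheatsheets/actions/workflows/ci.yml/badge.svg)](https://github.com/radareorg/radare2-cheatsheets/actions/workflows/ci.yml)
4 |
5 | + [Download PDFs](https://github.com/radareorg/radare2-cheatsheets/releases)
6 |

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | # Builds the radare2, rax2 and r2frida cheatsheets from their LaTeX sources.
2 | # Targets: all (default), r2pdf, rax2pdf, r2fridapdf, clean, cleanall.
3 |
4 | R2=radare2-cheatsheet
5 | RAX2=rax2-cheatsheet
6 | R2FRIDA=r2frida-cheatsheet
7 |
8 | TEX2DVI=latex
9 | TEX2PDF=pdflatex
10 |
11 | # Shell escape (\write18) lets any .tex or .sty file that gets compiled run
12 | # commands on the build host, so a cheatsheet source taken from an untrusted
13 | # branch or pull request would execute with the builder's privileges.
14 | # r2style.sty and the cheatsheets load only ordinary packages, and the CI
15 | # workflow compiles the radare2 and r2frida sheets without asking for shell
16 | # escape, so it is switched off here rather than enabled on every build.
17 | # TEXFLAGS can be overridden on the command line for a trusted source that
18 | # really needs different engine options.
19 | TEXFLAGS ?= -no-shell-escape
20 |
21 | # None of these targets is a file; a stray file named "clean" or "all" must
22 | # not make the target look up to date.
23 | .PHONY: all r2pdf rax2pdf r2fridapdf clean cleanall
24 |
25 | all: r2pdf rax2pdf r2fridapdf
26 |
27 | # Each sheet is compiled with $(TEX2PDF) and then with $(TEX2DVI); both
28 | # engines read the same sources, so both get the same TEXFLAGS.
29 | r2pdf:
30 | 	$(TEX2PDF) $(TEXFLAGS) $(R2).tex
31 | 	$(TEX2DVI) $(TEXFLAGS) $(R2).tex
32 |
33 | rax2pdf:
34 | 	$(TEX2PDF) $(TEXFLAGS) $(RAX2).tex
35 | 	$(TEX2DVI) $(TEXFLAGS) $(RAX2).tex
36 |
37 | r2fridapdf:
38 | 	$(TEX2PDF) $(TEXFLAGS) $(R2FRIDA).tex
39 | 	$(TEX2DVI) $(TEXFLAGS) $(R2FRIDA).tex
40 |
41 | # Remove LaTeX intermediate files only. The globs match plain files, so
42 | # rm -f (via $(RM)) is enough; no recursive delete is needed.
43 | clean:
44 | 	$(RM) *.vrb *.aux *.log *.nav *.out *.sbn *.toc
45 |
46 | # Also remove the generated documents. The $(TEX2DVI) step writes .dvi files,
47 | # which .gitignore already lists as build output.
48 | cleanall: clean
49 | 	$(RM) *.pdf *.dvi
50 |

--------------------------------------------------------------------------------
/r2style.sty: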
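--------------------------------------------------------------------------------
1 | \usepackage[utf8]{inputenc}
2 | \usepackage[
3 | a4paper,
4 | foot=10pt,
5 | left=45pt,
6 | right=45pt,
7 | top=30pt,
8 | bottom=30pt,
9 | landscape
10 | ]{geometry}
11 | \usepackage[dvipsnames]{xcolor}
12 | \usepackage{multicol}
13 | \usepackage{fancyhdr}
14 | \usepackage[yyyymmdd]{datetime}
15 | \usepackage[ colorlinks=false, hidelinks]{hyperref}
16 |
17 | \renewcommand{\dateseparator}{-}
18 | \renewcommand{\dots}{\ \dotfill{}\ }
19 | \newcommand{\cmd}[2]{{\color{MidnightBlue}{\tt #1}}{\color{lightgray}~\dotfill{}~}#2\\}
20 | \newcommand{\itemcmd}[2]{\item[--]{\color{MidnightBlue}{\tt #1}}{\color{lightgray}~\dotfill{}~}#2}
21 | \DeclareTextFontCommand{\ttc}{\color{MidnightBlue}\ttfamily}
22 | \setlength{\columnsep}{20pt}
23 |
24 | \fancypagestyle{r2fancy} {
25 | \fancyhf{}
26 | \renewcommand{\headrulewidth}{0pt}
27 | \fancyfoot[R]{\footnotesize{\tt {\color{gray} \today}}}
28 | \fancyfoot[L]{\footnotesize{\tt \href{http://radare.org}{radare.org}}}
29 | }
30 |
31 |

--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | name: CI
2 |
3 | on:
4 |   push:
5 |     branches:
6 |       - master
7 |   pull_request:
8 |
9 | # The jobs only read the repository and upload a build artifact, so the
10 | # workflow token is limited to read access instead of the repository default.
11 | permissions:
12 |   contents: read
13 |
14 | # The actions below are referenced by tag, and a tag can be moved by the
15 | # action's owner. Pinning each `uses:` to a full commit SHA
16 | # (owner/action@<FULL_COMMIT_SHA>) fixes the exact code that runs against
17 | # pull-request content.
18 | jobs:
19 |   build-radare2-pdf:
20 |     name: build-radare2-pdf
21 |     runs-on: ubuntu-latest
22 |     steps:
23 |       - name: Checkout
24 |         uses: actions/checkout@v4
25 |         with:
26 |           # Nothing in this job pushes, so the token is not left in
27 |           # .git/config where the LaTeX build step could read it.
28 |           persist-credentials: false
29 |       - name: Compile LaTeX document
30 |         uses: xu-cheng/latex-action@v3
31 |         with:
32 |           root_file: radare2-cheatsheet.tex
33 |       - name: Upload PDF file
34 |         uses: actions/upload-artifact@v4
35 |         with:
36 |           name: radare2-cheatsheet.pdf
37 |           path: radare2-cheatsheet.pdf
38 |   build-r2frida-pdf:
39 |     name: build-r2frida-pdf
40 |     runs-on: ubuntu-latest
41 |     steps:
42 |       - name: Checkout
43 |         uses: actions/checkout@v4
44 |         with:
45 |           # Same reasoning as in build-radare2-pdf: no step needs the token.
46 |           persist-credentials: false
47 |       - name: Compile LaTeX document
48 |         uses: xu-cheng/latex-action@v3
49 |         with:
50 |           root_file: r2frida-cheatsheet.tex
51 |       - name: Upload PDF file
52 |         uses: actions/upload-artifact@v4
53 |         with:
54 |           name: r2frida-cheatsheet.pdf
55 |           path: r2frida-cheatsheet.pdf
56 |

--------------------------------------------------------------------------------
/rax2-cheatsheet.tex:
--------------------------------------------------------------------------------
1 | \documentclass[10pt]{article}
2 | \usepackage{r2style}
3 |
4 | %----------------------------------------------------------------------
5 |
6 | \title{Rax2 Cheatsheet}
7 | \begin{document}
8 | \pagestyle{r2fancy}
9 |
10 | \begin{center}
11 | \Large{\bf Rax2 Cheatsheet}
12 | \rule{\textwidth}{0.2pt}
13 | \end{center}
14 |
15 | \begin{multicols}{3}
16 | \subsection*{Automatic Conversions}
17 | \cmd{10 > 0xa}{int -> hex}
18 | \cmd{0xa > 10}{hex -> dec}
19 | \cmd{-0xa > -10}{signed hexa}
20 | \cmd{-10 > 0xfffffffffffffff6}{signed->unsigned}
21 | \cmd{b30 > 11110b}{decimal to bitstring}
22 | \cmd{t42 > 1120t}{decimal to ternary}
23 | \cmd{222t > 0x1a}{ternary to hexa}
24 | \cmd{22dt > 8}{ternary to decimal}
25 | \cmd{101b > 0x5}{bitstring to hex}
26 | \cmd{Bx63 > 1100011b}{hex to bitstring}
27 | \cmd{1010d > 10}{binary to decimal}
28 | \cmd{3.3f > Fx40551eb8}{float to hex}
29 | \cmd{Fx40551eb8 > 3.3f}{hex to float}
30 | \cmd{35o > 0x1d}{octal to hexadecimal}
31 | \cmd{Ox35 > 065}{hexadecimal to octal}
32 | \cmd{Bx63 > 1100011b}{hexadecimal to binary}
33 | \cmd{Tx63 > 10200t}{hexadecimal to ternary}
34 |
35 |
36 | \subsection*{Base Conversions}
37 | \cmd{-k}{use base for output as the one in input}
38 | \cmd{-L}{bin to hex}
39 | \cmd{-o}{treat input as octal string (decoding?)}
40 | \cmd{-w}{signed word to hexadecimal}
41 | \cmd{-x}{output in hexpairs}
42 | \cmd{-e}{swap endian (default is host)}
43 | \cmd{-d}{output in base10}
44 |
45 | \subsection*{Output}
46 | \cmd{-j}{json friendly}
47 | \cmd{-r}{r2 commands}
48 | \cmd{-n}{append newline}
49 | \cmd{-u}{human units}
50 |
51 | \subsection*{Encoding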
Streams} 52 | \cmd{-E}{encode base64} 53 | \cmd{-D}{decode base64} 54 | \cmd{-F}{identify input source (py/c/js/.)} 55 | \cmd{-L}{raw bytes to bits} 56 | \cmd{-s}{hexpairs to raw output} 57 | \cmd{-S}{raw binary to hexstring} 58 | \cmd{-s}{hexstring to binary} 59 | 60 | \subsection*{Utilities} 61 | \cmd{-a}{show ascii table} 62 | \cmd{-X}{hash string} 63 | \cmd{-i}{convert to C byte array} 64 | \cmd{-c}{convert to C string} 65 | \cmd{-k}{ascii art ssh randomart} 66 | \cmd{-I}{long to IPv4} 67 | \cmd{-t}{timestring to unix ts} 68 | 69 | \subsection*{Examples} 70 | \cmd{TODO}{TODO} 71 | 72 | \end{multicols} 73 | \end{document} 74 | -------------------------------------------------------------------------------- /radare2-cheatsheet.tex: -------------------------------------------------------------------------------- 1 | \documentclass[10pt]{article} 2 | \usepackage{r2style} 3 | 4 | %---------------------------------------------------------------------- 5 | 6 | \title{Radare2 Cheatsheet} 7 | \begin{document} 8 | \pagestyle{r2fancy} 9 | 10 | \begin{center} 11 | \Large{\bf Radare2 Cheatsheet} 12 | \rule{\textwidth}{0.2pt} 13 | \end{center} 14 | 15 | \begin{multicols}{3} 16 | \subsection*{Basic commands} 17 | \cmd{s}{seek to a different address} 18 | \cmd{b}{change block size} 19 | \cmd{q}{quit} 20 | \cmd{pd/px/p8}{print disasm/hexdump/bytes} 21 | \cmd{pf}{print formatted} 22 | \cmd{f name=addr}{set flag to the given address} 23 | \cmd{-j}{enter the Javascript repl} 24 | \cmd{?*{\url ~}str}{filter commands with the given string} 25 | 26 | \subsection*{Command prefixes} 27 | \cmd{.}{interpret output} 28 | \cmd{:}{execute io command} 29 | \cmd{\#}{comment} 30 | \cmd{$\char18$}{avoid evaluation of special chars} 31 | \cmd{N}{repeat n times, being {\tt N} a number} 32 | 33 | \subsection*{Command suffixes} 34 | \cmd{j}{json} 35 | \cmd{q}{quiet (simplest output)} 36 | \cmd{*}{radare2 commands} 37 | \cmd{,}{table format} 38 | \cmd{?}{help for the command} 39 | 40 | 
\subsection*{Command modifiers} 41 | \cmd{>}{redirect output to file or {\tt \$internalfile}} 42 | \cmd{@}{temporal seek} 43 | \cmd{@@}{repeat on every flag} 44 | 45 | \subsection*{Binary information} 46 | \cmd{ie}{entrypoint} 47 | \cmd{is/ii/iE} {symbols/imports/exports} 48 | 49 | \subsection*{Patching} 50 | \cmd{wx}{write hexpairs (\ttc{wv} for endian values)} 51 | \cmd{wa}{write assembly} 52 | \cmd{wo}{write operation in current block} 53 | \cmd{wtf}{write to file (use \ttc{wtff} for \ttc{@@})} 54 | 55 | \subsection*{Search} 56 | \cmd{/ str}{find string} 57 | \cmd{/x hexpairs}{find hexpairs} 58 | \cmd{/ad inst}{find instructions} 59 | \cmd{/m}{search for known magic headers} 60 | \cmd{w str0 @@/ str1}{write str0 on every str1} 61 | 62 | \subsection*{Analysis and xrefs} 63 | \cmd{af}{analyze function} 64 | \cmd{aa}{analyze all program (\ttc{aaa}, \ttc{aaaa}, ...)} 65 | \cmd{afn/afvn}{rename a function/variable} 66 | \cmd{afl}{list functions} 67 | \cmd{axt}{list xrefs to given address} 68 | 69 | \subsection*{Disassembly} 70 | \cmd{pdf/pdr}{disassemble function/recursive} 71 | \cmd{pdc}{pseudo-decompilation (see \ttc{pdd}/\ttc{pdg})} 72 | \cmd{pd/pi}{print disassembly/instructions} 73 | \cmd{Cd}{define as data} 74 | \cmd{CC}{add a comment in code} 75 | 76 | \subsection*{Emulation (ESIL)} 77 | \cmd{aeim}{initialize emulation registers + stack} 78 | \cmd{ae}{emulate ESIL expression} 79 | \cmd{aes}{step into (see \ttc{ds}, but also \ttc{aesu?})} 80 | \cmd{aer}{for register manipulation (see \ttc{dr})} 81 | 82 | \subsection*{Debugging} 83 | \vspace{-8px} 84 | \subsubsection*{({\tt r2 -d bin})} 85 | \cmd{db}{set/manage breakpoints} 86 | \cmd{dbt}{backtrace} 87 | \cmd{ds/dso}{single step/step over} 88 | \cmd{dr}{get/set register values (\ttc{drr} for telescoped)} 89 | \cmd{doo/ood}{restart process} 90 | 91 | \subsection*{Visual mode} 92 | \vspace{-8px} 93 | \subsubsection*{({\tt V} for visual, {\tt v} for panels, {\tt !} to toggle)} 94 | \cmd{pP}{rotate modes 
({\scriptsize$<$}tab{\scriptsize$>$} for submodes)} 95 | \cmd{s/S}{perform step/step over} 96 | \cmd{b}{browse (flags, config, classes, symbols, ...)} 97 | \cmd{.}{seek to entrypoint} 98 | \cmd{i/A} {insert mode for hexa/write assembly} 99 | \cmd{V\_}{hud mode to seek flags while typing} 100 | \cmd{Vd1}{visual bit editor} 101 | \cmd{n/N}{seek to next/previous {\em scr.nkey} thing} 102 | \cmd{x/X}{view xrefs/refs} 103 | \cmd{hjkl}{move cur ({\tt HJKL} for faster movement)} 104 | 105 | \subsection*{Graph} 106 | \vspace{-8px} 107 | \subsubsection*{({\tt VV} command, {\tt agfv})} 108 | \cmd{agn/age/aggv}{custom handmade graphs} 109 | \cmd{t/f/u}{follow true/false branch, undo} 110 | 111 | \subsection*{Settings} 112 | \vspace{-8px} 113 | \subsubsection*{({\tt e} command)} 114 | \cmd{edit}{use {\em cfg.editor} with {\tt {\url ~}/.radare2rc}} 115 | \cmd{anal.hasnext}{consider code is sequential} 116 | \cmd{asm.bytes}{show/hide bytes in disasm} 117 | \cmd{asm.emu/emu.str}{emulation analysis/show strings} %FIXME?? 118 | \cmd{bin.relocs.apply}{apply relocs} 119 | \cmd{scr.color=n}{enable colors, where n = 0,1,2,3} %FIXME?? 
120 | \cmd{search.in}{define search boundaries} 121 | 122 | \end{multicols} 123 | \end{document} 124 | -------------------------------------------------------------------------------- /r2frida-cheatsheet.tex: -------------------------------------------------------------------------------- 1 | \documentclass[10pt]{article} 2 | \usepackage{r2style} 3 | \usepackage{enumitem} 4 | %---------------------------------------------------------------------- 5 | 6 | \title{r2frida Cheatsheet} 7 | \begin{document} 8 | \pagestyle{r2fancy} 9 | 10 | \begin{center} 11 | \Large{\bf r2frida Cheatsheet} 12 | \rule{\textwidth}{0.2pt} 13 | \end{center} 14 | 15 | \begin{multicols}{3} 16 | \subsection*{Launching} 17 | \noindent 18 | r2frida is an IO plugin; its commands start with `{\ttc:}' 19 | \begin{center} 20 | \ttc{r2 frida://action/link/device/target} 21 | \end{center} 22 | where: 23 | \begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*] 24 | \itemcmd{action}{list $\vert$ apps $\vert$ attach $\vert$ spawn $\vert$ launch} 25 | \itemcmd{link}{local $\vert$ usb $\vert$ remote} 26 | \itemcmd{device}{{\tt \textquotesingle \textquotesingle} $\vert$ host:port $\vert$ device-id} 27 | \itemcmd{target}{pid $\vert$ app $\vert$ program $\vert$ abspath} 28 | \end{itemize} 29 | 30 | \subsection*{Target Addresses} 31 | \noindent 32 | Commands accepting an {\tt[addr]} follow this pattern: 33 | \begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*] 34 | \itemcmd{0xabcd}{absolute address in hexadecimal} 35 | \itemcmd{symname}{symbol name from module exports} 36 | \itemcmd{objc:class}{Objective C} 37 | \itemcmd{java:class}{Java class + method} 38 | \end{itemize} 39 | 40 | \subsection*{Trace Format} 41 | \noindent 42 | The \ttc{:dtf} command creates trace hooks from a simple format-string. 
See \ttc{:dtf?} 43 | \begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*] 44 | \itemcmd{\^{}}{trace onEnter instead of onExit} 45 | \itemcmd{\%{}}{also trace the return value (onLeave)} 46 | \itemcmd{+}{show backtrace when trace is hit} 47 | \itemcmd{s}{string in place (w=wide, a=ansi)} 48 | \itemcmd{S}{pointer to string (Z=nullable string)} 49 | \itemcmd{O}{object reference (valid for java and objc)} 50 | \itemcmd{x}{hexadecimal value (i=decimal)} 51 | \itemcmd{h}{hexdump from pointer (H for ptr+length)} 52 | \end{itemize} 53 | %\columnbreak 54 | 55 | \subsection*{Configuration} 56 | \cmd{:e}{get and edit r2frida options} 57 | \cmd{:e patch.code}{fix page perms for patching code} 58 | \cmd{:e search.from/to/align}{scan restrictions} 59 | \cmd{:e hook.backtrace}{show backtrace on traces} 60 | \cmd{:e hook.verbose}{show verbose details on trace} 61 | \cmd{:e hook.time}{show timestamp in traces} 62 | \cmd{:e file.log}{store trace logs in a file} 63 | \cmd{:e want.swift}{enable experimental swift support} 64 | 65 | \subsection*{Basic Commands} 66 | \cmd{:i}{get arch/bits from target (\ttc{.i*} to load into r2)} 67 | \cmd{:ih}{parse binary headers of the current module} 68 | \cmd{:ii[*]}{list imports} 69 | \cmd{:il}{list libraries} 70 | \cmd{:is[*] lib}{list local and global symbols of lib} 71 | \cmd{:isa[*] [lib] sym}{show address of sym} 72 | \cmd{:ie}{show entrypoint} 73 | \cmd{:iE[*] lib}{same as \ttc{is}, for exported globals} 74 | \cmd{:ic class}{list Objective-C classes or methods} 75 | \cmd{:icn name}{list native methods from Java classes} 76 | \cmd{:icw}{locate ObjC classes implementations (where)} 77 | \cmd{:ip protocol}{list ObjC protocols/methods} 78 | \cmd{:fd[*j] addr}{inverse symbol resolution} 79 | 80 | \subsection*{Tracing} 81 | \cmd{:dtr addr regs}{trace given registers at addr} 82 | \cmd{:dtf addr [fmt]}{trace with format} 83 | \cmd{:dt (addr|sym)}{trace addresses or symbols} 84 | \cmd{:dtl[-*] [msg]}{debug trace log, useful to \ttc{.\textbackslash 
T*}} 85 | \cmd{:dt.}{trace at current offset} 86 | \cmd{:dm[.|j|*]}{show memory regions} 87 | \cmd{:dmm[.|j|*]}{show memory range (grouped maps)} 88 | \cmd{:dt-[*]}{clear all tracing} 89 | %\columnbreak 90 | 91 | \subsection*{Debugging} 92 | \cmd{:db (addr|sym)}{list or place breakpoint} 93 | \cmd{:db- (addr|sym|*)}{remove breakpoint(s)} 94 | \cmd{:dc}{continue after breakpoint or resume execution} 95 | \cmd{:dk}{send signal} 96 | \cmd{:dkr}{show the crashdump} 97 | \cmd{:d.}{start the chrome tools debugger} 98 | \cmd{:dl path}{{\tt dlopen}} 99 | \cmd{:dr}{show register values} 100 | 101 | \subsection*{Injecting} 102 | \cmd{:dxc [target] [args]}{call target symbol with args} 103 | \cmd{:dxo [sym] [args]}{call an ObjC function with args} 104 | %TODO: this command should be fixed in the future when related changes applied 105 | \cmd{:di[0,1,-1] [addr]}{replace function to return value} 106 | \cmd{:dii [addr] [num]}{replace function to return num} 107 | \cmd{:dis [addr] [str]}{replace to return a string} 108 | \cmd{:div}{replace with another function returning null} 109 | \cmd{:dif[0,1,-1] [addr]}{replace the return value} 110 | \cmd{:difi [addr] [num]}{replace return number} 111 | \cmd{:difs [addr] [str]}{replace return with given string} 112 | %TODO: this command should be fixed in the future when related changes applied 113 | \cmd{:dir function}{revert to previous implementation} 114 | \cmd{:dd}{list file descriptors} 115 | \cmd{:dl lib}{{\tt dlopen} the given library} 116 | \cmd{:dlf [path]}{load a framework (ObjC only)} 117 | \cmd{:dl2 lib [main]}{inject a library} 118 | \cmd{:. \hspace{-5pt}script.js}{run script} 119 | \cmd{:eval code.js}{evaluate script in the agent} 120 | 121 | \subsection*{Searching} 122 | \cmd{:/[x][j] pattern}{find hex/str in \ttc{search.in=?}} 123 | \cmd{:/w[j] string}{search wide string} 124 | \cmd{:/v[1248][j] value}{find \ttc{e cfg.bigendian} value} 125 | \cmd{:env [k[=v]]}{get/set environment variable} 126 | \cmd{:e[?] 
\hspace{-8pt}[a[=b]]}{list/get/set config evaluable variables} 127 | 128 | \end{multicols} 129 | \end{document} 130 | -------------------------------------------------------------------------------- /old/radare2_rc.tex: -------------------------------------------------------------------------------- 1 | 2 | % Radare2 Quick Reference Card 3 | % Copyright (c) 2014 Thanat0s 4 | % TeX Format 5 | 6 | 7 | % Note: Comment the following line (\input outopt.tex) if you want 8 | % to generate yourself the card, either in DVI or PDF format. 9 | % Uncomment the three next lines for PDF generation. 10 | % Command for DVI : tex radare2_rc.tex 11 | % Command for PDF : pdftex radare2_rc.tex 12 | 13 | % \input outopt.tex 14 | 15 | % \pdfoutput=1 16 | \pdfpageheight=21cm 17 | \pdfpagewidth=29.7cm 18 | 19 | % Font definitions 20 | \font\bigbf=cmbx12 21 | \font\smallrm=cmr8 22 | \font\smalltt=cmtt8 23 | \font\tinyit=cmmi5 24 | 25 | \def\\{\hfil\break} 26 | 27 | \def\title#1{\hfil{\bf #1}\hfil\par\vskip 2pt\hrule} 28 | \def\cm#1#2{{\tt#1} \dotfill {#2}\par} 29 | \def\cmlong#1#2{{\tt#1}\\{}\indent{~~~}#2\par} 30 | \def\cn#1{\hfill$\lfloor$ #1\par} 31 | \def\sect#1{\vskip 0.7cm {\it#1\/}\par} 32 | 33 | % Characters definitions 34 | \def\bs{$\backslash$} 35 | \def\backspace{$\leftarrow$} 36 | \def\ctrl{{\rm\char94}\kern-1pt} 37 | \def\enter{$\hookleftarrow$} 38 | \def\or{\thinspace{\tinyit{or}}\thinspace} 39 | \def\key#1{$\langle${\rm{\it#1\/}}$\rangle$} 40 | \def\rapos{\char125} 41 | \def\lapos{\char123} 42 | \def\bt{\`{}} 43 | \def\plus{$+$} 44 | \def\lbracket{\char123} 45 | \def\rbracket{\char125} 46 | \def\tild{\char126} 47 | \def\hat{\char94} 48 | \def\percent{\char37} 49 | \def\dollar{\char36} 50 | \def\atsign{\char64} 51 | \def\andsign{\char38} 52 | \def\vertbar{\char124} 53 | \def\placeholder{\lt{}\char43\char43\gt{}} 54 | \def\brplaceholder{\lbracket{}\placeholder\rbracket{}} 55 | 56 | % Three columns definitions 57 | \parindent 0pt 58 | \nopagenumbers 59 | \hoffset=-1.56cm 60 | 
\voffset=-1.54cm 61 | \newdimen\fullhsize 62 | \fullhsize=27.9cm 63 | \hsize=8.5cm 64 | \vsize=19cm 65 | \def\fullline{\hbox to\fullhsize} 66 | \let\lr=L 67 | \newbox\leftcolumn 68 | \newbox\midcolumn 69 | \output={ 70 | \if L\lr 71 | \global\setbox\leftcolumn=\columnbox 72 | \global\let\lr=M 73 | \else\if M\lr 74 | \global\setbox\midcolumn=\columnbox 75 | \global\let\lr=R 76 | \else 77 | \tripleformat 78 | \global\let\lr=L 79 | \fi\fi 80 | \ifnum\outputpenalty>-20000 81 | \else 82 | \dosupereject 83 | \fi} 84 | \def\tripleformat{ 85 | \shipout\vbox{\fullline{\box\leftcolumn\hfil\box\midcolumn\hfil\columnbox}} 86 | \advancepageno} 87 | \def\columnbox{\leftline{\pagebody}} 88 | 89 | % Card content 90 | % Header 91 | %\hrule\vskip 3pt 92 | \title{Radare2 REFERENCE CARD} 93 | 94 | \sect{Survival Guide} 95 | \cm{aa}{auto analyse} 96 | \cm{pdf@fcn{\key{Tab}}}{Disassemble function} 97 | \cm{f fcn{\key{Tab}}}{List functions} 98 | \cm{f str{\key{Tab}}}{List strings} 99 | \cm{fr [flagname] [newname]}{Rename flag} 100 | \cm{psz [offset]}{Print string} 101 | \cm{arf [flag]}{Find cross ref for a flag} 102 | 103 | \sect{Flagspaces} 104 | \cm{fs}{display flagspaces} 105 | \cm{fs *}{select all flagspaces} 106 | \cm{fs [sections]}{select one flagspace} 107 | 108 | \sect{Flags} 109 | \cm{f}{list flags} 110 | \cm{fj}{display flags in json} 111 | \cm{fl}{show flag length} 112 | \cm{fx}{show hexdump of flag} 113 | \cm{fC [name] [cmt]}{set flag comment} 114 | 115 | \sect{Infos} 116 | \cm{ii}{Info on imports} 117 | \cm{iI}{Info on binary} 118 | \cm{ie}{Display entrypoint} 119 | \cm{iS}{Display sections} 120 | \cm{ir}{Display relocations} 121 | 122 | \sect{Print string} 123 | \cm{psz [offset]}{Print stringZ'} 124 | \cm{psb [offset]}{Print strings in current block} 125 | \cm{psx [offset]}{Show string with escaped chars} 126 | \cm{psp [offset]}{Print pascal string} 127 | \cm{psw [offset]}{Print wide string} 128 | 129 | \sect{Visual mode} 130 | \cm{V}{Enter visual mode} 131 | \cm{p/P}{rotate 
modes (hex, disasm, debug, words, buf)} 132 | \cm{c}{toggle (c)ursor} 133 | \cm{q}{back to radare shell} 134 | \cm{hjkl}{move around (or HJKL) (left-down-up-right)} 135 | \cm{Enter}{follow address of jump/call} 136 | \cm{sS}{step / step over} 137 | \cm{o}{go/seek to given offset} 138 | \cm{.}{seek to program counter} 139 | \cm{/}{in cursor mode search in current block} 140 | \cm{:cmd}{run radare command} 141 | \cm{;[-]cmt}{add/remove comment} 142 | \cm{/*+-[]}{change block size, [] = resize hex.cols} 143 | \cm{$>$||$<$}{seek aligned to block size} 144 | \cm{i/a/A}{(i)nsert hex, (a)ssemble code, visual (A)ssembler} 145 | \cm{b/B}{toggle breakpoint / automatic block size} 146 | \cm{d[f?]}{define function, data, code, ..} 147 | \cm{D}{enter visual diff mode (set diff.from/to)} 148 | \cm{e}{edit eval configuration variables} 149 | \cm{f/F}{set/unset flag} 150 | \cm{gG}{go seek to begin and end of file (0-\dollar{}s)} 151 | \cm{mK/'K}{mark/go to Key (any key)} 152 | \cm{M}{walk the mounted filesystems} 153 | \cm{n/N}{seek next/prev function/flag/hit (scr.nkey)} 154 | \cm{o}{go/seek to given offset} 155 | \cm{C}{toggle (C)olors} 156 | \cm{R}{randomize color palette (ecr)} 157 | \cm{t}{track flags (browse symbols, functions..)} 158 | \cm{T}{browse anal info and comments} 159 | \cm{v}{visual code analysis menu} 160 | \cm{V/W}{(V)iew graph (agv?), open (W)ebUI} 161 | \cm{uU}{undo/redo seek} 162 | \cm{x}{show xrefs to seek between them} 163 | \cm{yY}{copy and paste selection} 164 | \cm{z}{toggle zoom mode} 165 | 166 | \sect{Searching} 167 | \cm{/ foo\bs{}00}{search for string 'foo\bs{}0'} 168 | \cm{/b}{search backwards} 169 | \cm{//}{repeat last search} 170 | \cm{/w foo}{search for wide string 'f\bs{}0o\bs{}0o\bs{}0'} 171 | \cm{/wi foo}{search for wide string ignoring case} 172 | \cm{/! 
ff}{search for first occurrence not matching} 173 | \cm{/i foo}{search for string 'foo' ignoring case} 174 | \cm{/e /E.F/i}{match regular expression} 175 | \cm{/x a1b2c3}{search for bytes, same as {\tt/x A1 B2 C3}} 176 | \cm{/x a1..c3}{search for bytes ignoring some nibbles} 177 | \cm{/x a1b2:fff3}{search for bytes with mask} 178 | \cm{/d 101112}{search for a deltified sequence of bytes} 179 | \cm{/!x 00}{inverse hexa search (find first byte != 0x00)} 180 | \cm{/c jmp [esp]}{search for asm code (see search.asmstr)} 181 | \cm{/a jmp eax}{assemble opcode and search its bytes} 182 | \cm{/A}{search for AES expanded keys} 183 | \cm{/r sym.printf}{analyze opcode reference an offset} 184 | \cm{/R}{search for ROP gadgets} 185 | \cm{/P}{show offset of previous instruction} 186 | \cm{/m magicfile}{search for matching magic file} 187 | \cm{/p patternsize}{search for pattern of given size} 188 | \cm{/z min max}{search for strings of given size} 189 | \cm{/v[?248] num}{look for an asm.bigendian 32bit value} 190 | 191 | \sect{Saving} 192 | \cm{Po [file]}{open project} 193 | \cm{Ps [file]}{save project} 194 | \cm{Pi [file]}{show project information} 195 | 196 | 197 | \sect{Usable variables in expression} 198 | \cm{\dollar{}\dollar{}}{here (current virtual seek)} 199 | \cm{\dollar{}o}{here (current disk io offset)} 200 | \cm{\dollar{}s}{file size} 201 | \cm{\dollar{}b}{block size} 202 | \cm{\dollar{}w}{get word size, 4 if asm.bits=32, 8 if 64} 203 | \cm{\dollar{}c,\dollar{}r}{get width and height of terminal} 204 | \cm{\dollar{}S}{section offset} 205 | \cm{\dollar{}SS}{section size} 206 | \cm{\dollar{}j}{jump address (jmp 0x10, jz 0x10 =$>$ 0x10)} 207 | \cm{\dollar{}f}{jump fail address (jz 0x10 =$>$ next instruction)} 208 | \cm{\dollar{}I}{number of instructions of current function} 209 | \cm{\dollar{}F}{current function size} 210 | \cm{\dollar{}Jn}{get nth jump of function} 211 | \cm{\dollar{}Cn}{get nth call of function} 212 | \cm{\dollar{}Dn}{get nth data reference in 
function} 213 | \cm{\dollar{}Xn}{get nth xref of function} 214 | \cm{\dollar{}m}{opcode memory reference (mov eax,[0x10] =$>$ 0x10)} 215 | \cm{\dollar{}l}{opcode length} 216 | \cm{\dollar{}e}{1 if end of block, else 0} 217 | \cm{\dollar{}ev}{get value of eval config variable} 218 | \cm{\dollar{}?}{last comparison value} 219 | 220 | % Footer 221 | \vfill \hrule\smallskip 222 | {\smallrm This card may be freely distributed under 223 | the terms of the GNU general public licence --- 224 | Copyright \copyright\ {\oldstyle 2014} by Thanat0s - v0.1 -} 225 | 226 | % Ending 227 | \supereject 228 | \if L\lr \else\null\vfill\eject\fi 229 | \if L\lr \else\null\vfill\eject\fi 230 | \bye 231 | 232 | % EOF 233 | --------------------------------------------------------------------------------