Pwn helper


  • The r2pm install seems to be broken. Use this method instead

  • Clone the rarop repository rarop github

  • npm install
  • Make a sym link ln -s /path/to/rarop/bin/rarop /usr/local/bin/rarop
  • Run with rarop /path/to/binary

Rop'n'roll ยท The Official Radare Blog


  • dmh to see heap memory

Pattern generator / Offset finder

  • wop . Example: wop 100 @ eax
  • To find the length of a pattern before overwrite (white overwritten using a debruijin pattern, use wopO eip
  • Genereate raw debruijin patterns using ragg2 -P [length] -r

Pattern searches

  • Use /p [int] to search for repeated patterns. The int specifies the length of the pattern. Could be helpful in finding user input accross the binary.
  • Search for asm opcodes by using /a . Example /a jmp esp .

Online writeups

Pwning exploit400 from the Nullcon 2014 CTF with radare2

pwning with radare2 - crowell's blog

A journey into Radare 2 - Part 2: Exploitation - Megabeets