radare2

Tips

  • Load a profile and use two terminals (redirect stdin from another terminal)

    • First, find out the the tty of the second terminal using tty . Then put that terminal to sleep, i.e. sleep 999999
    • Create a new profile file (named with a .rr ) and put the following or any other configuration options

      #!/path/to/rarun2 stdio=/dev/pts/[number]

    • Run radare2 -e dbg.profile=profile.rr2 -d binary

    • Set envrionment variable

      !/path/to/rarun2

      setenv=FOO=BAR

    Run radare2 -e dbg.profile=profile.rr2 -d binary

  • Pass user input via stdin during debugging

    #!/path/to/rarun2
    stdin=aaaa\nbbbb\ncccc....
    

    Run radare2 -e dbg.profile=profile.rr2 -d binary

  • To attach to a remote debugger, use the -D debugger_type . Example r2 -D gdb gdb://host:port

  • Use -B to set the base address

    • -B changes the base address, which is the address used by RBin to rebase all the flags , symbols, etc

    • when you want to map a file at a specific address the -B creates the map at address 0 to be in sync with the PA (physical address)

    • Use -m to map a binary at the provided address
    • -m works for bootloaders, raw firmwares and such

  • Use -hh to find paths to all environment variables being used

  • Use -n switch to load a binary in raw more. No VADDR

Help

Usage: r2 [-ACdfLMnNqStuvwzX] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
       [-s addr] [-B baddr] [-M maddr] [-c cmd] [-e k=v] file|pid|-|--|=
       -- run radare2 without opening any file
       - same as 'r2 malloc://512'
       = read file from stdin (use -i and -c to run cmds)
       -= perform !=! command to run all commands remotely
       -0 print \x00 after init and every command
       -2 close stderr file descriptor (silent warning messages)
       -a [arch] set asm.arch
       -A run 'aaa' command to analyze all referenced code
       -b [bits] set asm.bits
       -B [baddr] set base address for PIE binaries
       -c 'cmd..' execute radare command
       -C file is host:port (alias for -c+=http://%s/cmd/)
       -d debug the executable 'file' or running process 'pid'
       -D [backend] enable debug mode (e cfg.debug=true)
       -e k=v evaluate config var
       -f block size = file size
       -F [binplug] force to use that rbin plugin
       -h, -hh show help message, 
       -hh for long (show environment variables)
       -H ([var]) display variable
       -i [file] run script file
       -I [file] run script file before the file is opened
       -k [OS/kern] set asm.os (linux, macos, w32, netbsd, ...)
       -l [lib] load plugin file
       -L list supported IO plugins
       -m [addr] map file at given address (loadaddr)
       -M do not demangle symbol names
       -n, -nn do not load RBin info (-nn only load bin structures)
       -N do not load user settings and scripts
       -q quiet mode (no prompt) and quit after -i
       -Q quiet mode (no prompt) and quit faster (quickLeak=true)
       -p [prj] use project, list if no arg, load if no file
       -P [file] apply rapatch file and quit
       -r [rarun2] specify rarun2 profile to load (same as -e dbg.profile=X)
       -R [rr2rule] specify custom rarun2 directive
       -s [addr] initial seek
       -S start r2 in sandbox mode
       -t load rabin2 info in thread
       -u set bin.filter=false to get raw sym/sec/cls names
       -v, -V show radare2 version (-V show lib versions)
       -w open file in write mode
       -x open without exec-flag (asm.emu will not work), See io.exec
       -X same as -e bin.usextr=false (useful for dyldcache)
       -z, -zz do not load strings or load them even in raw

Debuggers supported

  • radare2 -L

Those that have a d in the first column support debugging

  • rw _ ar Open ar/lib files [ar|lib]://[file//path] (LGPL3)
  • rw _ bfdbg BrainFuck Debugger (bfdbg://path/to/file) (LGPL3)
  • rwd bochs Attach to a BOCHS debugger (LGPL3)
  • r_d debug Native debugger (dbg:///bin/ls dbg://1388 pidof:// waitfor://) (LGPL3) v0.2.0 pancake
  • rw _ default open local files using def_mmap:// (LGPL3)
  • rwd gdb Attach to gdbserver, 'qemu -s', gdb://localhost:1234 (LGPL3)
  • rw gprobe open gprobe connection using gprobe:// (LGPL3)
  • rw _ gzip read/write gzipped files (LGPL3)
  • rw _ http http get (http://rada.re/) (LGPL3)
  • rw _ ihex Intel HEX file (ihex://eeproms.hex) (LGPL)
  • r __ mach mach debug io (unsupported in this platform) (LGPL)
  • rw _ malloc memory allocation (malloc://1024 hex://cd8090) (LGPL3)
  • rw _ mmap open file using mmap:// (LGPL3)
  • rw _ null null-plugin (null://23) (LGPL3)
  • rw _ procpid /proc/pid/mem io (LGPL3)
  • rwd ptrace ptrace and /proc/pid/mem (if available) io (LGPL3)
  • rwd qnx Attach to QNX pdebug instance, qnx://host:1234 (LGPL3)
  • rw _ r2k kernel access API io (r2k://) (LGPL3)
  • rw _ r2pipe r2pipe io plugin (MIT)
  • rw _ r2web r2web io client (r2web://cloud.rada.re/cmd/) (LGPL3)
  • rw _ rap radare network protocol (rap://:port rap://host:port/file) (LGPL3)
  • rw _ rbuf RBuffer IO plugin: rbuf:// (LGPL)
  • rw _ self read memory from myself using 'self://' (LGPL3)
  • rw _ shm shared memory resources (shm://key) (LGPL3)
  • rw _ sparse sparse buffer allocation (sparse://1024 sparse://) (LGPL3)
  • rw _ tcp load files via TCP (listen or connect) (LGPL3)
  • rwd windbg Attach to a KD debugger (windbg://socket) (LGPL3)
  • rwd winedbg Wine-dbg io and debug.io plugin for r2 (MIT)
  • rw _ zip Open zip files [apk|ipa|zip|zipall]://[file//path] (BSD)

radare2 man page

RADARE2(1)                                   BSD General Commands Manual                                   RADARE2(1)

NAME
     radare2 — Advanced commandline hexadecimal editor, disassembler and debugger

SYNOPSIS
     radare2 [-a arch] [-b bits] [-B baddr] [-c cmd] [-e k=v] [-i file] [-I prefile] [-k kernel] [-m addr]
             [-p project] [-P patch] [-r rarun2] [-R rr2rule] [-s addr] [-0AdDwntLquvVxX] -|--|=|file

DESCRIPTION
     radare2 is a commandline hexadecimal editor.

     "r2" is the alias program name for radare2.

     This manpage is not updated yet. Feel free to contribute.

     The options are:

     --          Open radare2 on an empty file

     -           Equivalent of 'r2 malloc://512'

     -0          Print \x00 after initialization and after every command executed

     -2          Close stderr before starting RCore

     -a arch     force asm.arch (x86, ppc, arm, mips, bf, java, ...)

     -A          run 'aaa' command before prompt or patch to analyze all referenced code. Use -AA to run aaaa

     -b bits     force asm.bits (16, 32, 64)

     -B baddr    Specify the base address to be used when loading a new binary. See 'e?bin.baddr'

     -c cmd      Execute the given command before giving prompt

     -d          Start in debugger mode

     -D dbg.backend
                 Enable debug mode. Set cfg.debug=true

     -e k=v      Set configuration eval variable key=value. For example -e scr.color=false

     -f          Blocksize = file size

     -i file     Run script file. After the file is loaded

     -I file     Run script file. Before the file is loaded

     -k kernel   Select kernel (asm.os) for syscall resolution

     -l plugfile
                 Load given plugin file

     -L          List supported IO plugins.

     -m addr     map file at given address

     -M          Disable demangling

     -n          Do not perform any analysis (r_bin). Just load the raw file

     -nn         Only load the rbin structures (elf, mach0, ...)

     -N          Do not load user settings/projects from ~/.radare2rc, ~/.config/radare2/radare2rc and the scripts
                 inside .../radare2rc.d/ directory.

     -q          Quiet mode (no prompt) and quit after running the commands specified with -i or -c

     -Q          Same as q, but exiting without freeing RCore, this produces leaks at exit time, but saves some pre‐
                 cious ms to run the testsuite in fast mode.

     -p prj      Set project file

     -P file     Apply rapatch file and quit (see doc/rapatch.md for more details)

     -r rarun2   Specify dbg.profile rarun2 profile to use when spawning a program for debugging

     -R rarun2-directive
                 Specify custom rarun2 directives without having to create a rarun2 profile

     -s addr     Start seeking at this address

     -S          Enable sandboxed mode (same as -e cfg.sandbox=true)

     -t          Get binary information using a thread

     -u          Set bin.filter=false to load rbin info without filtering names

     -v          Show version information and exit (Use -qv to get just the version number)

     -V          Show radare2 library versions

     -w          Open in write mode

     -h          Show help message

     -H          Show files and environment help

     -x          Open the file map without executable permissions

     -X          Same as -e bin.usextr=false, do not use extract plugins, useful for dyldcache

SHELL
     Type '?' for help

VISUAL
     To enter visual mode use the 'V' command. Then press '?' for help

DEBUGGER
     In r2 the debugger commands are implemented under the 'd' command. Type 'd?' for help

ENVIRONMENT
      RHOMEDIR     ~/.config/radare2
      RCFILE       ~/.radare2rc (user preferences, batch script)
      MAGICPATH    /usr/lib/radare2/0.10.0-git/magic
      R_DEBUG      if defined, show error messages and crash signal
      VAPIDIR      path to extra vapi directory FILE path to the current working file.

SEE ALSO
     rahash2(1), rafind2(1), rabin2(1), radiff2(1), rasm2(1), rax2(1), ragg2(1), rarun2(1),

AUTHORS
     pancake <pancake@nopcode.org>

                                                     Aug 24, 2017