Description
Radare2 is a portable reversing framework that can:
- Disassemble (and assemble for) many different architectures
- Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg)
- Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
- Perform forensics on filesystems and data carving
- Be scripted in Python, Javascript, Go and more
- Support collaborative analysis using the embedded webserver
- Visualize data structures of several file types
- Patch programs to uncover new features or fix vulnerabilities
- Use powerful analysis capabilities to speed up reversing
- Aid in software exploitation
Usage
Syntax
radare2 [-dDwntLqv] [-P patch] [-p prj] [-a arch] [-b bits] [-i file] [-s addr] [-B blocksize] [-c cmd] [-e k=v] file|-
Options
-0 Print \x00 after init and every command
-a [arch] set asm.arch
-A run 'aa' command to analyze all referenced code
-b [bits] set asm.bits
-B [baddr] set base address for PIE binaries
-c 'cmd..' execute radare command
-C file is host:port (alias for -c+=http://%s/cmd/)
-d use 'file' as a program to debug
-D [backend] enable debug mode (e cfg.debug=true)
-e k=v evaluate config var
-f block size = file size
-h, -hh show help message, -hh for long
-i [file] run script file
-k [kernel] set asm.os variable for asm and anal
-l [lib] load plugin file
-L list supported IO plugins
-m [addr] map file at given address
-n, -nn do not load RBin info (-nn only load bin structures)
-N do not load user settings and scripts
-q quiet mode (no prompt) and quit after -i
-p [prj] set project file
-P [file] apply rapatch file and quit
-s [addr] initial seek
-S start r2 in sandbox mode
-t load rabin2 info in thread
-v, -V show radare2 version (-V show lib versions)
-w open file in write mode
-z, -zz do not load strings or load them even in raw

Note: -d runs the target program under a debugger and -w lets edits be written back to the file on disk. When examining an untrusted binary, work on a copy and leave both off unless execution or patching is intended; without -w the file is opened read-only.
Example
cyborg@cyborg:~/Downloads$ r2 STATIC.ELF
 -- Bindings are mostly powered by tears. Radare2
[0x00000000]> af
[0x00000000]> pz @ [30]
0x00000000 80e9 2e48 fe40 680c ab61 04e7 1388 5403 ...H.@h..a....T.
0x00000010 0000 6440 0074 8800 6840 736f 402d 6206 ..d@.t..h@so@-b.
0x00000020 65ec e371 04d4 2d74 0066 6d00 6270 007d e..q..-t.fm.bp.}
0x00000030 6670 005f 0062 2d2d 0066 7417 0461 88ba fp._.b--.ft..a..
0x00000040 6124 6624 736d 6161 7362 618b 6271 7466 a$f$smaasba.bqtf
0x00000050 7024 8024 6565 176d 7400 4077 9704 0010 p$.$ee.mt.@w....
0x00000060 802d 7162 400d 7524 6974 406e 6c63 7307 .-qb@.u$it@nlcs.
0x00000070 6273 6940 7201 72e3 0061 8001 0000 fa65 bsi@r.r..a.....e
0x00000080 7200 6f7a 2400 3381 7231 7240 6869 6124 r.oz$.3.r1r@hia$
0x00000090 fa6d 6c61 2465 7313 4004 6e24 6773 6374 .mla$es.@.n$gsct
0x000000a0 670b e071 6f6c 6a61 0574 3661 002f 2f00 g..qolja.t6a.//.
0x000000b0 24e3 1071 671b 6500 e304 0073 4300 7369 $..qg.e....sC.si
0x000000c0 0040 0000 6888 0067 4015 8140 1a69 6575 .@..h..g@..@.ieu
0x000000d0 7024 726b 7340 6d24 6940 7275 006d 1c72 p$rks@m$i@ru.m.r
0x000000e0 5424 076f 6169 6377 2488 0276 e39a 7381 T$.oaicw$..v..s.
0x000000f0 0081 7377 6906 6f74 6107 0084 0503 0554 ..swi.ota......T
[0x00000000]> pc c [20]
#define _BUFFER_SIZE 256
unsigned char buffer[256] = {
0x80, 0x0c, 0x00, 0x0a, 0x53, 0x54, 0x41, 0x54, 0x49, 0x43, 0x2e, 0x43, 0x50, 0x50, 0x91, 0x88, 0x1f, 0x00, 0x00, 0x00, 0x1b, 0x54, 0x43, 0x38, 0x36, 0x20, 0x42, 0x6f, 0x72, 0x6c, 0x61, 0x6e, 0x64, 0x20, 0x54, 0x75, 0x72, 0x62, 0x6f, 0x20, 0x43, 0x2b, 0x2b, 0x20, 0x33, 0x2e, 0x30, 0x30, 0x91, 0x88, 0x12, 0x00, 0x00, 0xe9, 0x90, 0x23, 0x2f, 0x47, 0x0a, 0x53, 0x54, 0x41, 0x54, 0x49, 0x43, 0x2e, 0x43, 0x50, 0x50, 0x71, 0x88, 0x12, 0x00, 0x00, 0xe9, 0x00, 0x18, 0x52, 0x18, 0x0a, 0x49, 0x4f, 0x53, 0x54, 0x52, 0x45, 0x41, 0x4d, 0x2e, 0x48, 0x17, 0x88, 0x0f, 0x00, 0x00, 0xe9, 0x00, 0x18, 0x52, 0x18, 0x07, 0x5f, 0x44, 0x45, 0x46, 0x53, 0x2e, 0x48, 0x00, 0x88, 0x0d, 0x00, 0x00, 0xe9, 0x00, 0x18, 0x52, 0x18, 0x05, 0x4d, 0x45, 0x4d, 0x2e, 0x48, 0xa6, 0x88, 0x0f, 0x00, 0x00, 0xe9, 0x00, 0x18, 0x52, 0x18, 0x07, 0x5f, 0x4e, 0x55, 0x4c, 0x4c, 0x2e, 0x48, 0xe7, 0x88, 0x0f, 0x00, 0x00, 0xe9, 0x00, 0x18, 0x52, 0x18, 0x07, 0x43, 0x4f, 0x4e, 0x49, 0x4f, 0x2e, 0x48, 0x09, 0x88, 0x06, 0x00, 0x00, 0xe5, 0x01, 0x00, 0x00, 0x8c, 0x88, 0x06, 0x00, 0x00, 0xe5, 0x01, 0x06, 0x00, 0x86, 0x88, 0x21, 0x00, 0x00, 0xe6, 0x05, 0x64, 0x61, 0x74, 0x61, 0x34, 0x18, 0x02, 0xfa, 0xff, 0x05, 0x64, 0x61, 0x74, 0x61, 0x33, 0x18, 0x02, 0xfc, 0xff, 0x05, 0x64, 0x61, 0x74, 0x61, 0x32, 0x18, 0x02, 0xfe, 0xff, 0xbc, 0x88, 0x05, 0x00, 0x00, 0xe7, 0x40, 0x00, 0x4c, 0x88, 0x05, 0x00, 0x00, 0xe7, 0x40, 0x00, 0x4c, 0x88, 0x0a, 0x00, 0x00, 0xee, 0x01, 0x00, 0x00, 0x06, 0x00, 0x3c, 0x00, 0x3d, 0x88, 0x07, 0x00, 0x00, 0xe5, 0xc0, 0x01, 0x00, 0x00, 0xcb, 0x88, 0x10,
};
[0x00000000]> p2 [256]
Block size 217579520 is too big Radare2 This block size is too big. Did you mean 'p2 @ [256]' instead?
[0x00000000]> p2 [128]
Block size 402712832 is too big Radare2 This block size is too big. Did you mean 'p2 @ [128]' instead?
[0x00000000]> p2 [200]
[0x00000000]> / 0
Searching 1 bytes from 0x00000000 to 0x00006aee: 30 hits: 13
0x0000002e hit0_0 "0"
0x0000002f hit0_1 "0"
0x00000625 hit0_2 "0"
0x0000089b hit0_3 "0"
0x000014d7 hit0_4 "0"
0x000022d5 hit0_5 "0"
0x000022ea hit0_6 "0"
0x0000233d hit0_7 "0"
0x00002376 hit0_8 "0"
0x0000239f hit0_9 "0"
0x000028d5 hit0_10 "0"
0x000029f7 hit0_11 "0"
0x000032c4 hit0_12 "0"
[0x00000000]> pr [200]
� STATIC.CPP��TC86 Borland Turbo C++ 3.00����#/G STATIC.CPPq��R �RMEM.H���R_NULL.H�RCONIO.H �������!�data4��data3��data2�����@L��@L� �<=���ˈ
[0x00000000]>