# Migration from IDA, GDB or WinDBG

## How to run the program using the debugger

`r2 -d /bin/ls` - start in debugger mode => [video]

## How do I attach/detach to a running process? (gdb -p)

`r2 -d <pid>` - attach to process

`r2 ptrace://pid` - same as above, but only for io (the debugger backend is not hooked)

`[0x7fff6ad90028]> o-225` - detach by closing the debugger fd, here fd=225 (listed in `o~[1]:0`)

`r2 -D gdb gdb://localhost:1234` - attach to gdbserver

## How to set args/environment variables/load specific libraries for the debugging session of radare

Use rarun2 (`libpath=$PWD:/tmp/lib`, `arg2=hello`, `setenv=FOO=BAR` ...), see `rarun2 -h` / `man rarun2`

## How to script radare2?

`r2 -i <scriptfile> ...` - run a script after loading the file => [video]

`r2 -I <scriptfile> ...` - run a script before loading the file

`r2 -c $@ | awk $@` - pipe r2 output through awk to get the asm of a function => [link]

`[0x80480423]> . scriptfile` - interpret this file => [video]

`[0x80480423]> #!c` - enter the C REPL (see `#!` to list all available RLang plugins) => [video]; everything has to be done in a one-liner, or a .c file must be passed as an argument.

To get `#!python` and much more, just build radare2-bindings

## How to list source code as in gdb list?

`CL @ sym.main` - though the feature is highly experimental
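The rarun2 and scripting entries above, combined into one added shell example (not code from the radare2 book): it writes a rarun2 profile using the keys listed above, an r2 script that breaks at main, and assembles the r2 command line that loads both. Assumed: /bin/ls as the debuggee, a writable temp dir, and the constructed sample values for `setenv` and `libpath`.

```shell
#!/bin/sh
# Added example, not code from the radare2 book: generate a rarun2 profile
# and an r2 script file, then combine them on one r2 command line.
set -eu

# rarun2 profile: program, argv, environment and library path live here
# instead of on the r2 command line (keys as listed above: argN, setenv,
# libpath). $PWD is expanded by this shell when the file is written.
write_rr2_profile() {  # usage: write_rr2_profile <out.rr2> <program> [args...]
    out=$1; prog=$2; shift 2
    {
        echo "#!/usr/bin/rarun2"
        echo "program=$prog"
        i=1
        for a in "$@"; do echo "arg$i=$a"; i=$((i + 1)); done
        echo "setenv=FOO=BAR"          # constructed sample variable
        echo "libpath=$PWD:/tmp/lib"   # constructed sample search path
    } > "$out"
}

# r2 script: break at main, run, dump registers and backtrace, quit.
# Loaded with `r2 -i file` (after the binary), or `. file` inside r2.
write_r2_script() {  # usage: write_r2_script <out.r2>
    cat > "$1" <<'EOF'
db sym.main
dc
dr
dbt
q
EOF
}

# Number of key=value entries in a profile (the shebang line has none).
rr2_entry_count() { grep -c '=' "$1"; }

# Full invocation: -r loads the profile (same as -e dbg.profile=<file>),
# -i runs the script after loading, -q quits once the script is done.
r2_command() { echo "r2 -q -r $1 -i $2 -d $3"; }

main() {
    dir=${TMPDIR:-/tmp}/r2demo.$$
    mkdir -p "$dir"
    write_rr2_profile "$dir/ls.rr2" /bin/ls -l /tmp
    write_r2_script "$dir/break_main.r2"
    cmd=$(r2_command "$dir/ls.rr2" "$dir/break_main.r2" /bin/ls)
    echo "$cmd"
    # Only launch the debugger when explicitly asked (R2_RUN=1).
    [ "${R2_RUN:-0}" = 1 ] && eval "$cmd"
    return 0
}
main
```

Run with `R2_RUN=1` to actually start the session; without it the script only writes the two files and prints the command it would run.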
## Shortcuts

| Command | IDA Pro | radare2 | r2 (visual mode) | GDB | WinDbg |
|---|---|---|---|---|---|
| Analysis | | | | | |
| Analysis of everything | Automatically launched when opening a binary | aaa or -A (aaaa or -AA for even experimental analysis) | N/A | N/A | N/A |
| Navigation | | | | | |
| xref to | x | axt | x | N/A | N/A |
| xref from | ctrl + j | axf | X | N/A | N/A |
| xref to graph | ? | agt [offset] | ? | N/A | N/A |
| xref from graph | ? | agf [offset] | ? | N/A | N/A |
| list functions | alt + 1 | afl;is | t | N/A | N/A |
| listing | alt + 2 | pdf | p | N/A | N/A |
| hex mode | alt + 3 | pxa | P | N/A | N/A |
| imports | alt + 6 | ii | :ii | N/A | N/A |
| exports | alt + 7 | is~FUNC | ? | N/A | N/A |
| follow jmp/call | enter | s offset | enter or 0-9 | N/A | N/A |
| undo seek | esc | s- | u | N/A | N/A |
| redo seek | ctrl+enter | s+ | U | N/A | N/A |
| show graph | space | agv | V | N/A | N/A |
| Edit | | | | | |
| rename | n | afn | dr | N/A | N/A |
| graph view | space | agv | V | N/A | N/A |
| define as data | d | Cd [size] | dd,db,dw,dW | N/A | N/A |
| define as code | c | C- [size] | d- or du | N/A | N/A |
| define as undefined | u | C- [size] | d- or du | N/A | N/A |
| define as string | A | Cs [size] | ds | N/A | N/A |
| define as struct | Alt+Q | Cf [size] | dF | N/A | N/A |
| Debugger | | | | | |
| Start Process/Continue execution | F9 | dc | F9 | r and c | g |
| Terminate Process | Ctrl+F2 | dk 9 | ? | kill | q |
| Detach | ? | o- | ? | detach | |
| step into | F7 | ds | s | n | t |
| step into 4 instructions | ? | ds 4 | F7 | n 4 | t 4 |
| step over | F8 | dso | S | s | p |
| step until a specific address | ? | dsu <addr> | ? | s | g <addr> |
| Run until return | Ctrl+F7 | dcr | ? | finish | gu |
| Run until cursor | F4 | #249 | #249 | N/A | N/A |
| Show Backtrace | ? | dbt | ? | bt | |
| display Register | On register Windows | dr all | Shown in Visual mode | info registers | r |
| display eax | On register Windows | dr?eax | Shown in Visual mode | info registers eax | r rax |
| display old state of all registers | ? | dro | ? | ? | ? |
| display function addr + N | ? | afi $$ - display function information of current offset ($$) | ? | ? | ? |
| display frame state | ? | pxw rbp-rsp@rsp | ? | i f | ? |
| How to step until condition is true | ? | dsi | ? | ? | ? |
| Update a register value | ? | dr rip=0x456 | ? | set $rip=0x456 | r rip=456 |
| Disassembly | | | | | |
| disassembly forward | N/A | pd | Vp | disas | uf, u |
| disassembly N instructions | N/A | pd X | Vp | x/ | u <addr> LX |
| disassembly N (backward) | N/A | pd -X | Vp | disas <a-o> <a> | ub |
| Information on the bin | | | | | |
| Sections/regions | Menu sections | iS or S (append j for json) | N/A | maint info sections | !address |
| Load symbol file | | | | | |
| Sections/regions | pdb menu | asm.dwarf.file, pdb.XX | N/A | add-symbol-file | r |
| BackTrace | | | | | |
| Stack Trace | N/A | dbt | N/A | bt | k |
| Stack Trace in Json | N/A | dbtj | N/A | | |
| Partial Backtrace (innermost) | N/A | dbt (dbg.btdepth dbg.btalgo) | N/A | bt | k |
| Partial Backtrace (outermost) | N/A | dbt (dbg.btdepth dbg.btalgo) | N/A | bt - | |
| Stacktrace for all threads | N/A | dbt@t | N/A | thread apply all bt | ~* k |
| Breakpoints | | | | | |
| Breakpoint list | Ctrl+Alt+B | db | ? | info breakpoints | bl |
| add breakpoint | F2 | db [offset] | F2 | break | bp |
| Threads | | | | | |
| Switch to thread | Thread menu | dp | N/A | thread <N> | ~<N>s |
| Frames | | | | | |
| Frame Numbers | N/A | ? | N/A | any bt command | kn |
| Select Frame | N/A | ? | N/A | frame | .frame |
| Parameters/Locals | | | | | |
| Display parameters | N/A | afv | N/A | info args | dv /t /i /V |
| Display locals | N/A | afv | N/A | info locals | dv /t /i /V |
| Display parameters/locals in json | N/A | afvj | N/A | info locals | dv /t /i /V |
| list addresses where vars are accessed (R/W) | N/A | afvR/afvW | N/A | ? | ? |
| Project Related | | | | | |
| open project | | Po [file] | ? | | |
| save project | automatic | Ps [file] | ? | | |
| show project information | | Pi [file] | ? | | |
| Miscellaneous | | | | | |
| Dump byte char array | N/A | pc? (json, C, char, etc.) | Vpppp | x/ | db |
| options | option menu | e? | e | | |
| search | search menu | /? | Select the zone with the cursor c then / | s | |
## Equivalent of the "set-follow-fork-mode" gdb command

This can be done using 2 commands:

- `dcf` - continue until a fork happens
- then use `dp` to select which process you want to debug.

## Common features

- r2 accepts FLIRT signatures
- r2 can connect to GDB, LLVM and WinDbg
- r2 can write/patch in place
- r2 has fortunes and ~~easter eggs~~ balls of steel
- r2 can do basic loading of ELF core files out of the box and MDMP (Windows minidumps)