NAME
radare - Advanced commandline hexadecimal editor
SYNOPSIS
radare [-s seek] [-b size] [-i script] [-P project] [-l plugin]
[-e key=val] [-d program] [-fLcwxnvVuh] target-file
DESCRIPTION
radare is a commandline hexadecimal editor.
This software package contains another utilities related to the hex and
asm world. Read the 'see also' section for more information.
You can use radare as in pipes, from the shell, entering the visual mode
with the 'V' command, or just graphically using gradare or the ag command
to generate and visualize code analysis graphs from the current seek.
Most of the commands accept a '?' mark at the end to show the help for
it.
The commands are composed in the following way:
> [repeat][.!][command] [arg] @ [offset:blocksize]
These are the supported flags:
-S minlen Enters into the 'strings' mode, and defines a minimum length
required for the strings.
-s offset Start at a certain offset inside the file.
-d prg|pid Run radare in debugger mode and open the program path or
attach to pid
-b size Change the block size (default is 512, 4096 should be useful
for filesystems).
-f Set block size = file size
-i script Interprets a script of radare commands
-l plugin Links radare against the desired plugin. Read about io
plugins for more information. See -L
-P prj.rdb Define a project file for this session. The projects can be
managed with the 'P' command.
-e key=val Change the default value for an eval configuration key
variable
-L List all available plugins embedded inside radare.
-n Do not load ~/.radarerc or ./radarerc
-c Enable color. Same as -e scr.color=true
-u Unknown size. Avoid limit when seeking. Useful for devices or
attaching to processes.
-v Drops verbosity. Useful flag for scripts, to use radare in
pipe mode.
-V Show version information and exits.
-w Opens the target file in write mode. In write mode changes
are made inmediately. So take care because no commit command
exist.
-h Show help message
SHELL
The command line interface of radare have multiple commands to be
entered. Type '?' for help.
The readline extension allows you to autocomplete commands and arguments.
Numberic argument can be converted into hexadecimal or decimal bases by
using the 'tab' key. For example: $ s 10<tab> $ s 0xa
-b size (b) Change blocksize.
-c[dxf] arg
compares memory from string, offset or file contents against
current block. Outputs bindiff.
-e 0|1 (endian) Changes environment endian into little (0) or big
(1).
-f -|name (flag) This command allows you to manage flags. Flags are
bookmarks around the file. The search engine store the
results as flags. You can list flags by typing 'f' or 'flag'
without arguments. 'flag name' sets a new flag using the
current environment settings (seek, block size). By prefixing
a name with the '-' character you will be able to remove a
named flag.
i (info) Shows radare's environment information (file, endian,
count, mode, size, block size, seek, limit, ...)
m [s] [d] (m) moves 's' bytes from the current block to the 'd'
destination offset. This command requires the write mode to
be enabled. Run radare with '-w' flag or type '%WRITE_MODE 1'
into the shell.
o [file] (open) opens a file in the mode defined by the %WRITE_MODE
environment variable closing the current working file.
p[f] [n] (pa, pb, pc, pd, po, pr, ps, pu, px, pX) Prints 'n' bytes in
the 'f' print format. Available print formats are documented
in the 'print format' section.
-R arg Manipulates RDB files and data structures. Allows to store
code analysis, bindiff them, dump to memory, graph it in
cairo or dump/restore them from/to disk
r [size] (resize) Changes the size of the file by truncating or
extending the file padding zeros at the end.
s [+-]off Seeks to an absolute or relative (using the '+' or '-'
prefixes) offset. The 'off' argument can be a numeric value
or a flag name. (Read 'f' command for more information).
-y len Copies len bytes from current seek to a clipboard. Use the
'yy' command to paste it to current seek again.
-e key=val Change the default value for an eval configuration key
variable
V (Visual) Enters into the visual mode. Use the 'q' key to exit
this mode.
w[aAdfwx] str
Write a formatted string or an hexadecimal space separated
string. 'wf' is for specifying a file as contents for write.
'wa' is for assembly, etc.. See 'w?' for details. f.ex: '$ w
foo\x90' or '$ wx 90 90 90'
x [len] (x) eXamine current block. This is an alias for the 'px'
command. To be gdb friendly.
. [file] (.) Interpret a file as a radare command scripting file. A
simple example can be found in 'libexec/elf-entry-point'. You
can read 'libexec/elf-flag-header' too. This script creates a
flag for each field of an elf header.
[-+]off Alias of 'seek [+-]off'.
[<] [>] Move data block window to the previous ('<') aligned block
offset or the next one ('>').
/ str Searchs a string from the current offset until the end of
file or 'cfg.limit' if defined (see 'e' command). To enter a
hexadecimal string you can type '\x01\x02\x03...' or use the
'/x' command with hexpairs. Here's the supported arguments:
/s [string]
search for an plain ascii string (use \x## for binary
inclusion)
/w [string]
search for an wide char string ('a\x00b\x00')
/x [string]
search using hexpair format (00 33 4a f2)
/a look for expanded aes keys (victor mun~oz algorithm)
// repeat last search
You can define multiple keywords at a time and launch ranged searches:
/k# [string]
Set keyword number '#' to ascii format string (with esc.
chars). f.ex: "/k0 lib"
/m# [mask] Define a binary mask for matching with the keyword number
'#'.
/r [range] Perform a search using the keywords in the defined range.
f.ex: "/r 0-2,4"
jajaj
! cmd Runs a commandline shell program.
#[hash] Calculates the sha1, sha256, sha384, sha512, par, xor,
xorpair, hamdist, mod255, crc16, crc32, md4, md5, entropy of
the current block from the selected seek
q (quit) Quits the program.
VISUAL
Visual mode allows you to move around the data with 'hjkl' arrows. The
'0' and 'G' command are used to go at the first of the file or at the
end. 'H' 'L' keys are used to move two bytes forward or backward (double
'h', 'l'). 'J' and 'K' keys are used to seek one block forward or
backward.
< > Go seek to the previous or next offset aligned to a multiple
of the data block size (use the :b command to read the
value).
p The 'p' command allows you to circle around the different
available print mode formats (binary, hexadecimal,
disassembler, octal, url, shellcode, c array, ...)
[+-*/] The basic math ops keys are used to change the size of the
working data block. Use '+' and '-' to increase and decrease
the size by 1 byte. And '*' and '/' to add or substract one
row of bytes (screen depend).
d Change data type for the current block or selected bytes with
cursor mode. (dd = hex bytes, dc = code, ds = string)
i Enter interactive write mode (use tab to move between hex and
ascii columns)
: The double-dot sign is used to temporally enter into the
command line interface and use the desired radare shell
commands. f.e: $ Visual :!ls.
PRINT FORMAT
Print formats are used to format current working block into a certain
format. Use p? to list supported ones.
The output is affected by cfg.endian (see eval command)
A [-P] Analyze data from current seek. Tries to find memory
pointers, strings, pointers to strings, etc. Useful to see
stack contents and data structures in memory.
m [format] [-P] Formats memory contents as byte, dword, pointers,
strings, etc.. Useful to parse data structures (see 'rsc
spcc' fmi)
b [VP] Binary format
% [VP] print progress bar of the whole file marking current
seek and flag positions
B [VP] LSB steganography (take each less significat bit of each
byte to complete bytes)
o [VP] Octal format
O [VP] Zoom out view (see 'eval zoom.' fmi)
x [VP] Hexadecimal value. The view command also have (vx, vw,
vW, wq) commands for visualizing one, two, four or eight
bytes in hexadecimal (endian affected).
f [V-] Floating point value (4 first bytes)
i [V-] Integer value (4 first bytes)
l [V-] long (4 bytes)
L [V-] long long (8 bytes)
o [V-] octal value (1 byte)
s [V-] ascii string (until end of block escapping chars)
S [V-] string with printable chars until end of block
z [V-] ascii string (until \0)
Z [V-] wide ascii string (until \0 with interlaced \0)
F [-P] WINDOWS filetime format (64 bit)
t [-P] UNIX timestamp (4 bytes, probably 8 in the future)
T [-P] DOS timestamp (4 bytes)
c [-P] C array format (unsigned char buffer[ (block size) ] = {
0x90, 0x90, ... };
a [-P] Shows the current block as if it was a shellcode in
hexadecimal.
r [-P] Prints out the current data block to stdout.
u [-P] URL encoding format f.ex: '$ pu' -> %4c%69%63...
d [VP] disassemble N opcodes
D [VP] disassemble N bytes fg
DEBUGGER
The debugger supports multiple commands accessible from the io_system()
hook of the plugin. Use !help to list the available commands.
!load Reload the process into the debugger
!maps Show process memory maps (marks current with '*')
!step Perform a step on the attached process
!stepu step until user code
!stepbp emulate a step using breakpoints and code analysis
!run run the program
!attach [tid|pid]
attach to another thread or process id
!detach silent unplug
!kill [-signal] [pid]
send a signal to the process
!jmp [addr]
change the program counter of the process
!call [addr]
simulate a call (jmp + stack return address)
!regs get register values
!fpregs get floating point register values
!oregs get old register values (previous step)
!dr[rwx-] manipulate the DRX hardware registers (x86 only)
!set [reg] [val]
change the register value (eax, eflags, r0, etc..)
!fd manage the file descriptors of the child process (dup, open,
close, seek)
!bt Show backtrace
!st Show stacktrace (low level backtrace)
!cont continue util user code
!contu [addr]
continue execution until address
alloc [size]
Allocate 'size' bytes on the child process
free [address]
frees the memory previously allocated in the selected address
mmap [file] [offset]
mmaps a file into a certain offset in the child process
!contsc continue until syscall
!contfork continue until new process is created
!contuh continue until here (useful for loop analysis)
!bp [addr] set or remove a breakpoint (use !bp? for help, and prefix the
address with '-' to remove it)
!mp [rwx] [addr]
change memory page protections (useful for watchpoints and
so)
!dump [dir]
Performs a dump of all the process memory pages and register
state to disk (with no arguments it is auto-incremental)
!restore [dir]
Restores a previous dump of the process memory from disk
MOVEMENT
To move around the file you can use the hjkl in visual mode or the 'seek'
command in the command line interface.
To move around the blocks you can use the '<' '>' commands to align your
current seek to a block size multiple. Same keys for the visual mode.
You can seek to a relative offset by prefixing your offset by the '+' or
'-' characters. For example: $ seek +10
You can also use the temporal seek format for commands appending the '@'
to the end of the command
ENVIRONMENT
These values can be used from scripts launched from inside radare (!rsc
FILE path to the current working file DPID Debugged process id OFFSET
decimal value of the current seek XOFFSET same as OFFSET prefixed with 0x
EDITOR default editor to be used for /ascii/ data block edition.
OBJDUMP path to 'objdump' executable (useful for disassembling other
architectures) By default is 'objdump -m i386 --target=binary -D'
HITCMD a radare command to be executed after a search hit has been found.
PRINTCMD user command to be used to visualize the data block. This
external visor is used by the 'pU' radare command.
VISUALCMD command to be used as an IDE environment interpreting a set of
commands or a radare script. In commandline mode this command is executed
before printing the prompt. In visual mode it is a separated view.
PAGER pager to be used for disassembling.
SEE ALSO
radarerc(5), rahash(1), rabin(1), radiff(1), rsc(1), rasc(1), rasm(1),
rfile(1), rax(1), xrefs(1)
AUTHORS
pancake <@youterm.com>