akde/infosec

Information security is ultimately about managing risk


  • Addresses in memory are referenced with @ (for example pdf @main disassembles the function at main without changing the current seek)

General

Start by statically analysing all referenced code (nothing is executed):

r2 -A $file
...
e emu.str = true

Start with the debugger enabled (only when the program should actually be executed):

r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file
...
e emu.str = true

Fork parameters:

  • If the process forks, the debugger halts at the fork.
  • Type dp to list the processes the debugger knows about (parent and children with their pids).
  • Use dp=<pid> to switch the debugger to the child pid.
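The two invocations above, the static pass and the debugger run with fork following, as one headless script driven with r2 -q -c, so the same checks can be repeated after every rebuild of a target. This is an added example and not part of the original notes; it assumes r2 is on PATH and that the target binary is passed as the first argument (the target is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original notes): the interactive workflow,
# static analysis first and then a debugger run that follows forks, driven
# headlessly with `r2 -q -c` so it can be repeated after each rebuild.
# Assumption: radare2 (r2) is on PATH; the target binary path is $1.

# Static pass: `-A` runs the analysis (aaa) before the `-c` commands, so
# iM (main address), the function and string counts and the disassembly
# of main are all available without executing anything.
r2_static() {
  r2 -q -A -e emu.str=true \
     -c 'iM; afl~?; izz~?; pdf @ main' "$1" 2>/dev/null
}

# Dynamic pass: open under the debugger (-d), keep following the child on
# fork, break at main, continue, then dump registers, the process list
# (parent plus any children seen so far) and the function's variables.
r2_debug() {
  r2 -q -AA -e dbg.follow.child=true -e dbg.forks=true -e emu.str=true \
     -c 'db main; dc; dr; dp; afvd' -d "$1" 2>/dev/null
}

# Run both passes when a target is given on the command line.
if [ $# -gt 0 ]; then
  r2_static "$1"
  r2_debug "$1"
fi
```

Save it as r2-pass.sh and run sh r2-pass.sh ./target; the static pass is safe to run on any binary, the dynamic pass executes the target under ptrace and should only be pointed at something you are willing to run.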

Get help about possible commands: append ? to a command prefix.

aa?

Count the output lines of a command (internal grep):

... ~?

Note: shell commands are valid as well; output can be piped into them.

afl | wc -l

Get general information about the binary (iI prints only the header block; ai shows information about the current address, not the file):

i

List all strings in the whole binary, like the strings tool (iz limits this to the data sections):

izz

Get the address of main:

iM

Convert between decimal, hex, binary, …

? 0xc0
rax2 -h

Debugging

Show the current address (seek position):

s

Seek 12 bytes forward or backward (this moves the cursor, it does not execute anything):

s+ 12
s- 12

Undo the previous seek:

s-

Print cur­rent code

pd

Print code at a label

pd @main

Print only the code of the function:

pdf @main

Emoji hexdump for presentations:

pxe

Show the values of all registers:

dr

Set a breakpoint at an address or symbol (db without an argument lists the breakpoints):

db <addr>

Restart the program from the beginning (reopen the file in the debugger):

ood

Continue execution; dcf continues only until the next fork, which is where dp and dp=<pid> become useful:

dc
dcf

Show the content of a single register:

dr eax

Show the current values of the function's variables:

afvd

Visual mode

vv

Step through the program (inside visual mode; at the prompt the step command is ds):

s

Add a comment at the current position (inside visual mode; at the prompt use CC <text>):

; comment

Decompiler (r2dec via the r2pm package manager)

r2pm init
r2pm -i r2dec
r2pm -l
pdd?

Open questions

  • If I print aflc with -d and without, it is not the same. Why?

General hints

  • Use a payload with a recognisable pattern such as 1234567… rather than an arbitrary string, so its bytes can be spotted in registers and memory.

Reference: https://radare.gitbooks.io/radare2book/content/
