Skip to content

Instantly share code, notes, and snippets.

@longld

longld/r2apropos.py-v1.6.0

Last active July 8, 2024 01:21
Show Gist options
  • Save longld/3bcdc28535237fd359be6407f1df03b2 to your computer and use it in GitHub Desktop.
Save longld/3bcdc28535237fd359be6407f1df03b2 to your computer and use it in GitHub Desktop.
Download ZIP
standalone 'apropos' command for radare2
Raw
r2apropos.py-v1.6.0
#!/usr/bin/env python
"""
Quick and dirty 'apropos' like command for radare2
Usage:
r2apropos keyword
Author: [email protected]
"""
import json
import sys
import os
import re
def green(text):
return '\x1b[32m' + text + '\x1b[0m'
def read_helpdata():
buf = open(__file__, 'r').read()
data = buf.split('BEGIN-OF-HELP')[-1].split('END-OF-HELP')[0]
return json.loads(data)
def apropros(keyword):
try:
helpdata = read_helpdata()
except:
import traceback
traceback.print_exc()
print("Failed to get help text from {}".format(__file__))
return
try:
p = re.compile(keyword, re.IGNORECASE)
except:
p = re.compile(re.escape(keyword), re.IGNORECASE)
result = []
for usage in helpdata.keys():
found = False
for line in helpdata[usage][1:]:
m = p.search(line)
if m:
if not found:
result += ['-'*40]
result += [usage]
found = True
s = line[m.start():m.end()]
line = line.replace(s, green(s))
result += [line]
if result:
print('\n'.join(result))
else:
print("No help matched '{}'".format(keyword))
if __name__ == '__main__':
try:
apropros(sys.argv[1])
except Exception as e:
print("Usage: {} keyword".format(sys.argv[0]))
# radare2 v1.6.0
"""
BEGIN-OF-HELP
{
"Usage: agn [title] [body]\t ": [
"Examples: \t ",
"agn title1 body1\t Add a node with title \\title1\\ and body \\body1\\",
"agn \\title with space\\ \\body with space\\\t Add a node with spaces in the title and in the body",
"agn title1 base64:Ym9keTE=\t Add a node with the body specified as base64",
"agn- title1\t Remove a node with title \\title1\\",
"agn? \t Show this help"
],
"Usage: i \t Get info from opened file (see rabin2's manpage)": [
"Output mode: \t ",
"'*' \t Output in radare commands",
"'j' \t Output in json",
"'q' \t Simple quiet output",
"Actions: \t ",
"i|ij \t Show info of current file (in JSON)",
"iA \t List archs",
"ia \t Show all info (imports, exports, sections..)",
"ib \t Reload the current buffer for setting of the bin (use once only)",
"ic \t List classes, methods and fields",
"iC \t Show signature info (entitlements, ...)",
"id [?]\t Debug information (source lines)",
"iD lang sym\t demangle symbolname for given language",
"ie \t Entrypoint",
"iE \t Exports (global symbols)",
"ih \t Headers (alias for iH)",
"iHH \t Verbose Headers in raw text",
"ii \t Imports",
"iI \t Binary info",
"ik [query]\t Key-value database from RBinObject",
"il \t Libraries",
"iL [plugin]\t List all RBin plugins loaded or plugin details",
"im \t Show info about predefined memory allocation",
"iM \t Show main address",
"io [file]\t Load info from file (or last opened) use bin.baddr",
"ir \t Relocs",
"iR \t Resources",
"is \t Symbols",
"iS [entropy\tsha1], Sections (choose which hash algorithm to use)",
"iV \t Display file version info",
"iz|izj \t Strings in data sections (in JSON/Base64)",
"izz \t Search for Strings in the whole binary",
"iZ \t Guess size of binary program"
],
"Usage: e [var[=value]]\t Evaluable vars": [
"e ?asm.bytes\t show description",
"e ??\t list config vars with description",
"ej \t list config vars in JSON",
"e- \t reset config vars",
"e* \t dump config vars in r commands",
"e! a\t invert the boolean value of 'a' var",
"ee var\t open editor to change the value of var",
"er [key]\t set config key as readonly. no way back",
"ec [k] [color]\t set color for given key (prompt, offset, ...)",
"et [key]\t show type of given config variable",
"ev [key]\t list config vars in verbose format",
"evj [key]\t list config vars in verbose format in JSON",
"e a\t get value of var 'a'",
"e a=b\t set var 'a' the 'b' value",
"e var=? \t print all valid values of var",
"env [k[=v]]\t get/set environment variable"
],
"Usage: o [com- ] [file] ([offset])\t": [
"o \tlist opened files",
"o= \tlist opened files (ascii-art bars)",
"o* \tlist opened files in r2 commands",
"oa [?] [addr]\tOpen bin info from the given address",
"ob [?] [lbdos] [...]\tlist open binary files backed by fd",
"oc [file]\topen core file, like relaunching r2",
"oi [-|idx]\talias for o, but using index instead of fd",
"oj [?]\tlist opened files in JSON format",
"oL \tlist all IO plugins registered",
"om [?]\tcreate, list, remove IO maps",
"on [file] 0x4000\tmap raw file at 0x4000 (no r_bin involved)",
"oo [?]\treopen current file (kill+fork in debugger)",
"oo +\treopen current file in read-write",
"ood [args]\treopen in debugger mode (with args)",
"oo[bnm] [...]\tsee oo? for help",
"op [R_LIB_EXT]\topen r2 native plugin (asm, bin, core, ..)",
"o 4\tSwitch to open file on fd 4",
"o -1\tclose file descriptor 1",
"o- *\tclose all opened files",
"o-- \tclose all files, analysis, binfiles, flags, same as !r2 --",
"o [file]\topen [file] file in read-only",
"o + [file]\topen file in read-write mode",
"o [file] 0x4000\tmap file at 0x4000"
],
"Usage: wt[a] file [size]\t Write 'size' bytes in current blok to 'file'": [
"wta [filename]\t append to 'filename'",
"wtf [filename] [size]\t write to file (see also 'wxf' and 'wf?')",
"wtf! [filename]\t write to file from current address to eof"
],
"Usage: aar\t [j*] [sz] # search and analyze xrefs": [
"aar [sz]\t analyze xrefs in current section or sz bytes of code",
"aarj [sz]\t list found xrefs in JSON format",
"aar* [sz]\t list found xrefs in radare commands format"
],
"Usage: \t List functions in verbose mode": [
" \t ",
"Table fields: \t ",
" \t ",
"address \t start address",
"size \t function size (realsize)",
"nbbs \t number of basic blocks",
"edges \t number of edges between basic blocks",
"cc \t cyclomatic complexity ( cc = edges - blocks + 2 * exit_blocks)",
"cost \t cyclomatic cost",
"min bound \t minimal address",
"range \t function size",
"max bound \t maximal address",
"calls \t number of caller functions",
"locals \t number of local variables",
"args \t number of function arguments",
"xref \t number of cross references",
"frame \t function stack size",
"name \t function name"
],
"Usage: afC[agl?]\t ": [
"afC convention\t Manually set calling convention for current function",
"afC \t Show Calling convention for the Current function",
"afCa \t Analyse function for finding the current calling convention",
"afCl \t List all available calling conventions",
"afCo path\t Open Calling Convention sdb profile from given path"
],
"Usage: \\td [...]\\\t ": [
"td [string]\t Load types from string"
],
"Usage: ar \t # Analysis Registers": [
"ar \t Show 'gpr' registers",
"ar0 \t Reset register arenas to 0",
"ara [?]\t Manage register arenas",
"ar 16\t Show 16 bit registers",
"ar 32\t Show 32 bit registers",
"ar all\t Show all bit registers",
"ar <type>\t Show all registers of given type",
"arC \t Display register profile comments",
"arr \t Show register references (telescoping)",
"ar= \t Show register values in columns",
"ar? <reg>\t Show register value",
"arb <type>\t Display hexdump of the given arena",
"arc <name>\t Conditional flag registers",
"ard <name>\t Show only different registers",
"arn <regalias>\t Get regname for pc,sp,bp,a0-3,zf,cf,of,sg",
"aro \t Show old (previous) register values",
"arp [?] <file>\t Load register profile from file",
"ars \t Stack register state",
"art \t List all register types",
"arw <hexnum>\t Set contents of the register arena",
".ar* \t Import register values as flags",
".ar- \t Unflag all registers"
],
"Usage: pz [len] \t print zoomed blocks (filesize/N)": [
"e zoom.maxsz\t max size of block",
"e zoom.from\t start address",
"e zoom.to\t end address",
"e zoom.byte\t specify how to calculate each byte",
"pzp \t number of printable chars",
"pzf \t count of flags in block",
"pzs \t strings in range",
"pz0 \t number of bytes with value '0'",
"pzF \t number of bytes with value 0xFF",
"pze \t calculate entropy and expand to 0-255 range",
"pzh \t head (first byte value); This is the default mode"
],
"Usage: p=[=bep?][qj] [nblocks] ([len]) ([offset])\t show entropy/printable chars/chars bars": [
"p= \t print bytes of current block in bars",
"p== [..]\t same subcommands as p=, but using flame column graph instead of rows",
"p= b\t same as above",
"p= c\t print number of calls per block",
"p= d\t print different bytes from block",
"p= e\t print entropy for each filesize/blocksize",
"p= F\t print number of 0xFF bytes for each filesize/blocksize",
"p= i\t print number of invalid instructions per block",
"p= j\t print number of jumps and conditional jumps in block",
"p= m\t print number of flags and marks in block",
"p= p\t print number of printable bytes for each filesize/blocksize",
"p= s\t print number of syscall and priviledged instructions",
"p= z\t print number of chars in strings in block",
"p= 0\t print number of 0x00 bytes for each filesize/blocksize"
],
"Usage: at\t [*] [addr]": [
"at \t list all traced opcode ranges",
"at- \t reset the tracing information",
"at* \t list all traced opcode offsets",
"at+ [addr] [times]\t add trace for address N times",
"at [addr]\t show trace info at address",
"ate [?]\t show esil trace logs (anal.trace)",
"att [tag]\t select trace tag (no arg unsets)",
"at% \t TODO",
"ata 0x804020 ...\t only trace given addresses",
"atr \t show traces as range commands (ar+)",
"atd \t show disassembly trace (use .atd)",
"atl \t list all traced addresses (useful for @@= `atl`)",
"atD \t show dwarf trace (at*|rsc dwarf-traces $FILE)"
],
"Usage: CC[-+!*au] [base64:..|str] @ addr\t ": [
"CC \t list all comments in human friendly form",
"CC* \t list all comments in r2 commands",
"CC. \t show comment at current offset",
"CC \t [file], show or set comment file",
"CC [text]\t append comment at current address",
"CCf \t list comments in function",
"CC+ [text]\t append comment at current address",
"CC! \t edit comment using cfg.editor (vim, ..)",
"CC- @ cmt_addr\t remove comment at given address",
"CCu good boy @ addr\t add good boy comment at given address",
"CCu base64:AA== @ addr\t add comment in base64"
],
"Usage: dmh\t # Memory map heap": [
"dmh \t List chunks in heap segment",
"dmh [malloc_state]\t List heap chunks of a particular arena",
"dmha \t List all malloc_state instances in application",
"dmhb \t Display all parsed Double linked list of main_arena's bins instance",
"dmhb [bin_num|bin_num:malloc_state]\t Display parsed double linked list of bins instance from a particular arena",
"dmhbg [bin_num]\t Display double linked list graph of main_arena's bin [Under developemnt]",
"dmhc @[chunk_addr]\t Display malloc_chunk struct for a given malloc chunk",
"dmhf \t Display all parsed fastbins of main_arena's fastbinY instance",
"dmhf [fastbin_num|fastbin_num:malloc_state]\t Display parsed single linked list in fastbinY instance from a particular arena",
"dmhg \t Display heap graph of heap segment",
"dmhg [malloc_state]\t Display heap graph of a particular arena",
"dmhi @[malloc_state]\t Display heap_info structure/structures for a given arena",
"dmhm \t List all elements of struct malloc_state of main thread (main_arena)",
"dmhm [malloc_state]\t List all malloc_state instance of a particular arena",
"dmh? \t Show map heap help"
],
"Usage: afv\t[rbs]": [
"afvr [?]\t manipulate register based arguments",
"afvb [?]\t manipulate bp based arguments/locals",
"afvs [?]\t manipulate sp based arguments/locals",
"afvR [varname]\t list addresses where vars are accessed",
"afvW [varname]\t list addresses where vars are accessed",
"afva \t analyze function arguments/locals",
"afvd name\t output r2 command for displaying the value of args/locals in the debugger",
"afvn [old_name] [new_name]\t rename argument/local",
"afvt [name] [new_type]\t change type for given argument/local"
],
"Usage: afvb\t [idx] [type] [name]": [
"afvb \t list base pointer based arguments, locals",
"afvb* \t same as afvb but in r2 commands",
"afvb [idx] [name] ([type])\t define base pointer based arguments, locals",
"afvbj \t return list of base pointer based arguments, locals in JSON format",
"afvb- [name]\t delete argument/locals at the given name",
"afvbg [idx] [addr]\t define var get reference",
"afvbs [idx] [addr]\t define var set reference"
],
"Usage: za[fF?] [args]\t # Add zignature": [
"za zigname type params\t add zignature",
"zaf [fcnname] [zigname]\t create zignature for function",
"zaF \t generate zignatures for all functions",
"za?? \t show extended help"
],
"Usage: dd \t Descriptors commands": [
"dd \t List file descriptors",
"dd <file>\t Open and map that file into the UI",
"dd- <fd>\t Close stdout fd",
"dd* \t List file descriptors (in radare commands)",
"dds <fd> <off>\t seek given fd)",
"ddd <fd1> <fd2>\t dup2 from fd1 to fd2",
"ddr <fd> <size>\t read N bytes from fd",
"ddw <fd> <hexpairs>\t write N bytes to fd"
],
"Usage: dt \t Trace commands": [
"dt \t List all traces ",
"dtd \t List all traced disassembled",
"dtc[?][addr]|([from] [to] [addr]) \t Trace call/ret",
"dtg \t Graph call/ret trace",
"dtg* \t Graph in agn/age commands. use .dtg*;aggi for visual",
"dtgi \t Interactive debug trace",
"dts [?]\t trace sessions",
"dt- \t Reset traces (instruction/calls)"
],
"Usage: w[x] [str] [<file] [<<EOF] [@addr]\t": [
"w [1248][+-][n]\tincrement/decrement byte,word..",
"w foobar\twrite string 'foobar'",
"w0 [len]\twrite 'len' bytes with value 0x00",
"w6 [de] base64/hex\twrite base64 [d]ecoded or [e]ncoded string",
"wa [?] push ebp\twrite opcode, separated by ';' (use '\\' around the command)",
"waf file\tassemble file and write bytes",
"wao [?] op\tmodify opcode (change conditional of jump. nop, etc)",
"wA [?] r 0\talter/modify opcode at current seek (see wA?)",
"wb 010203\tfill current block with cyclic hexpairs",
"wB [-]0xVALUE\tset or unset bits with given value",
"wc \tlist all write changes",
"wc [?][ir*?]\twrite cache undo/commit/reset/list (io.cache)",
"wd [off] [n]\tduplicate N bytes from offset at current seek (memcpy) (see y?)",
"we [?] [nNsxX] [arg]\textend write operations (insert instead of replace)",
"wf -|file\twrite contents of file at current offset",
"wh r2\twhereis/which shell command",
"wm f0ff\tset binary mask hexpair to be used as cyclic write mask",
"wo [?] hex\twrite in block with operation. 'wo?' fmi",
"wp [?] -|file\tapply radare patch file. See wp? fmi",
"wr 10\twrite 10 random bytes",
"ws pstring\twrite 1 byte for length and then the string",
"wt[f] [?] file [sz]\twrite to file (from current seek, blocksize or sz bytes)",
"wts host:port [sz]\t send data to remote host:port via tcp://",
"ww foobar\twrite wide string 'f\\\\x00o\\\\x00o\\\\x00b\\\\x00a\\\\x00r\\\\x00'",
"wx [?][fs] 9090\twrite two intel nops (from wxfile or wxseek)",
"wv [?] eip+34\twrite 32-64 bit value",
"wz string\twrite zero terminated string (like w + \\\\x00)"
],
"Usage: dms\t # Memory map snapshots": [
"dms \t List memory snapshots",
"dmsj \t list snapshots in JSON",
"dms* \t list snapshots in r2 commands",
"dms addr\t take snapshot with given id of map at address",
"dms -id\t delete memory snapshot",
"dmsA id\t apply memory snapshot",
"dmsC id comment\t add comment for given snapshot",
"dmsd id\t hexdiff given snapshot. See `ccc`.",
"dmsw \t snapshot of the writable maps",
"dmsa \t full snapshot of all `dm` maps",
"dmsf [file] @ addr\t read snapshot from disk",
"dmst [file] @ addr\t dump snapshot to disk"
],
"Usage: zo[zs] filename\t # Manage zignature files (see dir.zigns)": [
"zo filename\t load zinatures from sdb file",
"zoz filename\t load zinatures from gzipped sdb file",
"zos filename\t save zignatures to sdb file (merge if file exists)"
],
"Usage: dmi \t # List/Load Symbols": [
"dmi [libname] [symname]\t List symbols of target lib",
"dmi* \t List symbols of target lib in radare commands",
"dmi. \t List closest symbol to the current address"
],
"Usage: ae[idesr?] [arg]\t ESIL code emulation": [
"ae? \t show this help",
"ae?? \t show ESIL help",
"aei \t initialize ESIL VM state (aei- to deinitialize)",
"aeim [addr] [size] [name]\t initialize ESIL VM stack (aeim- remove)",
"aeip \t initialize ESIL program counter to curseek",
"ae [expr]\t evaluate ESIL expression",
"aex [hex]\t evaluate opcode expression",
"ae[aA] [f] [count]\t analyse esil accesses (regs, mem..)",
"aepc [addr]\t change esil PC to this address",
"aep [?] [addr]\t manage esil pin hooks",
"aef [addr]\t emulate function",
"aek [query]\t perform sdb query on ESIL.info",
"aek- \t resets the ESIL.info sdb instance",
"aec [?]\t continue until ^C",
"aecs [sn]\t continue until syscall number",
"aecu [addr]\t continue until address",
"aecue [esil]\t continue until esil expression match",
"aetr [esil]\t Convert an ESIL Expression to REIL",
"aes \t perform emulated debugger step",
"aeso \t step over",
"aesu [addr]\t step until given address",
"aesue [esil]\t step until esil expression match",
"aer [..]\t handle ESIL registers like 'ar' or 'dr' does"
],
"Usage: dc \t Execution continuation commands": [
"dc \t Continue execution of all children",
"dc <pid>\t Continue execution of pid",
"dc [-pid]\t Stop execution of pid",
"dca [sym] [sym].\t Continue at every hit on any given symbol",
"dcc \t Continue until call (use step into)",
"dccu \t Continue until unknown call (call reg)",
"dce \t Continue execution (pass exception to program)",
"dcf \t Continue until fork (TODO)",
"dck <signal> <pid>\t Continue sending signal to process",
"dco <num>\t Step over <num> instructions",
"dcp \t Continue until program code (mapped io section)",
"dcr \t Continue until ret (uses step over)",
"dcs [?] <num>\t Continue until syscall",
"dct <len>\t Traptrace from curseek to len, no argument to list",
"dcu [?] [..end|addr] ([end])\t Continue until address (or range)",
"/*TODO: same for only user/libs side to avoid steping into libs\t*/\n"
],
"pf: PF_USAGE_STR\t ": [
"Examples: \t ",
"pf 3xi foo bar\t 3-array of struct, each with named fields: 'foo' as hex, and 'bar' as int",
"pf B (BitFldType)arg_name`\t bitfield type",
"pf E (EnumType)arg_name`\t enum type",
"pf. obj xxdz prev next size name\t Define the obj format as xxdz",
"pf obj=xxdz prev next size name\t Same as above",
"pf iwq foo bar troll\t Print the iwq format with foo, bar, troll as the respective names for the fields",
"pf 0iwq foo bar troll\t Same as above, but considered as a union (all fields at offset 0)",
"pf. plop ? (troll)mystruct\t Use structure troll previously defined",
"pf 10xiz pointer length string\t Print a size 10 array of the xiz struct with its field names",
"pf {integer}? (bifc)\t Print integer times the following format (bifc)",
"pf [4]w[7]i\t Print an array of 4 words and then an array of 7 integers",
"pf ic...?i foo bar \\(pf xw yo foo)troll\\ yo\t Print nested anonymous structres",
"pf n2\t print signed short (2 bytes) value. Use N insted of n for printing unsigned values"
],
"Usage: de\t [-sc] [rwx] [rm] [expr]": [
"de \t list esil watchpoints",
"de-* \t delete all esil watchpoints",
"de [rwx] [rm] [addr|reg|from..to]\t stop on condition",
"dec \t continue execution until matching expression",
"des [?] [N]\t step-in N instructions with esildebug",
"desu [addr]\t esildebug until specific address"
],
"Usage: aa[0*?]\t # see also 'af' and 'afna'": [
"aa \t alias for 'af@@ sym.*;af@entry0;afva', //;.afna @@ fcn.*'",
"aa* \t analyze all flags starting with sym. (af @@ sym.*)",
"aaa [?]\t autoname functions after aa (see afna)",
"aab \t aab across io.sections.text",
"aac [len]\t analyze function calls (af @@ `pi len~call[1]`)",
"aad [len]\t analyze data references to code",
"aae [len] ([addr])\t analyze references with ESIL (optionally to address)",
"aai [j]\t show info of all analysis parameters",
"aar [?] [len]\t analyze len bytes of instructions for references",
"aan \t autoname functions that either start with fcn.* or sym.func.*",
"aas [len]\t analyze symbols (af @@= `isq~[0]`)",
"aat [len]\t analyze all consecutive functions in section",
"aaT [len]\t analyze code after trap-sleds",
"aap \t find and analyze function preludes",
"aav [sat]\t find values referencing a specific section or map",
"aau [len]\t list mem areas (larger than len bytes) not covered by functions"
],
"Usage: drx \t Hardware breakpoints commands": [
"drx \t List all (x86?) hardware breakpoints",
"drx <number> <address> <length> <perms>\t Modify hardware breakpoint",
"drx- <number>\t Clear hardware breakpoint"
],
"Usage ecH[iw-?] \t": [
"ecHi [color]\thighlight current instruction with 'color' background",
"ecHw [word] [color]\thighlight 'word ' in current instruction with 'color' background",
"ecH- \tremove all highlights on current instruction"
],
"Usage: ?V[jq] \t": [
"?V \t show version information",
"?Vj \t same as above but in JSON",
"?Vq \t quiet mode, just show the version number"
],
"Usage: dm\t # Memory maps commands": [
"dm \t List memory maps of target process",
"dm= \t List memory maps of target process (ascii-art bars)",
"dm <address> <size>\t Allocate <size> bytes at <address> (anywhere if address is -1) in child process",
"dm. \t Show map name of current address",
"dm* \t List memmaps in radare commands",
"dm- <address>\t Deallocate memory map of <address>",
"dmd [a] [file]\t Dump current (all) debug map region to a file (from-to.dmp) (see Sd)",
"dmi [addr|libname] [symname]\t List symbols of target lib",
"dmi* [addr|libname] [symname]\t List symbols of target lib in radare commands",
"dmi. \t List closest symbol to the current address",
"dmS [addr|libname] [sectname]\t List sections of target lib",
"dmS* [addr|libname] [sectname]\t List sections of target lib in radare commands",
"dmj \t List memmaps in JSON format",
"dml <file>\t Load contents of file into the current map region (see Sl)",
"dmm [?][j*]\t List modules (libraries, binaries loaded in memory)",
"dmp [?] <address> <size> <perms>\t Change page at <address> with <size>, protection <perms> (rwx)",
"dms [?] <id> <mapaddr>\t take memory snapshot",
"dms- <id> <mapaddr>\t restore memory snapshot",
"dmh \t Show map of heap",
"TODO: \t map files in process memory. (dmf file @ [addr])"
],
"Usage: drs \t Register states commands": [
"drs \t List register stack",
"drs +\t Push register state",
"drs -\t Pop register state"
],
"Usage: *<addr>[=[0x]value]\t Pointer read/write data/values": [
"* entry0=cc\t write trap in entrypoint",
"* entry0+10=0x804800\t write value in delta address",
"* entry0\t read byte at given address",
"TODO: last command should honor asm.bits \t "
],
"Usage: dko\t # Signal handling commands": [
"dko \t List existing signal handling",
"dko [signal]\t Clear handling for a signal",
"dko [signal] [skip|cont]\t Set handling for a signal"
],
"Usage: :[plugin] [args]\t ": [
": \t list RCore plugins",
":java \t run java plugin"
],
"Usage: f [?] [flagname]\t # Manage offset-name flags": [
"f \tlist flags (will only list flags from selected flagspaces)",
"f? flagname\tcheck if flag exists or not, See ?? and ?!",
"f. [*[*]]\tlist local per-function flags (*) as r2 commands",
"f. blah=$$+12\tset local function label named 'blah'",
"f* \tlist flags in r commands",
"f name 12 @ 33\tset flag 'name' with length 12 at offset 33",
"f name = 33\talias for 'f name @ 33' or 'f name 1 33'",
"f name 12 33 [cmt]\tsame as above + optional comment",
"f- [email protected]\tdelete local label from function at current seek (also f.-)",
"f-- \tdelete all flags and flagspaces (deinit)",
"f+ name 12 @ 33\tlike above but creates new one if doesnt exist",
"f- name\tremove flag 'name'",
"f- @addr\tremove flag at address expression",
"f. fname\tlist all local labels for the given function",
"f= [glob]\tlist range bars graphics with flag offsets and sizes",
"fa [name] [alias]\talias a flag to evaluate an expression",
"fb [addr]\tset base address for new flags",
"fb [addr] [flag*]\tmove flags matching 'flag' to relative addr",
"fc [?][name] [color]\tset color for given flag",
"fC [name] [cmt]\tset comment for given flag",
"fd addr\treturn flag+delta",
"fe- \tresets the enumerator counter",
"fe [name]\tcreate flag name.#num# enumerated flag. See fe?",
"fi [size] | [from] [to]\tshow flags in current block or range",
"fg \tbring visual mode to foreground",
"fj \tlist flags in JSON format",
"fl (@[flag]) [size]\tshow or set flag length (size)",
"fla [glob]\tautomatically compute the size of all flags matching glob",
"fm addr\tmove flag at current offset to new address",
"fn \tlist flags displaying the real name (demangled)",
"fo \tshow fortunes",
"fr [old] [[new]]\trename flag (if no new flag current seek one is used)",
"fR [?] [f] [t] [m]\trelocate all flags matching f&~m 'f'rom, 't'o, 'm'ask",
"fs [?]+-*\tmanage flagspaces",
"fS [on]\tsort flags by offset or name",
"fV [*-] [nkey] [offset]\tdump/restore visual marks (mK/'K)",
"fx [d]\tshow hexdump (or disasm) of flag:flagsize",
"fz [?][name]\tadd named flag zone -name to delete. see fz?[name]"
],
"Usage: Cvr\t [name] [comment]": [
"Cvr? \t show this help",
"Cvr \t list all register based args comments in human friendly format",
"Cvr* \t list all register based args comments in r2 format",
"Cvr- [name]\t delete comments for register based arg for that name",
"Cvr [name]\t Show comments for register based arg for that name",
"Cvr [name] [comment]\t add/append comment for the variable",
"Cvr! [name]\t edit comment using cfg editor"
],
"Usage: afb\t List basic blocks of given function": [
".afbr- \t Set breakpoint on every return address of the function",
".afbr-* \t Remove breakpoint on every return address of the function",
"afb [addr]\t list basic blocks of function",
"afb. [addr]\t show info of current basic block",
"afb+ fcn_at bbat bbsz [jump] [fail] ([type] ([diff]))\t add basic block by hand",
"afbr \t Show addresses of instructions which leave the function",
"afbj \t show basic blocks information in json",
"afbe bbfrom bbto\t add basic-block edge for switch-cases",
"afB [bits]\t define asm.bits for the given function"
],
"Usage: z[*j-aof/cs] [args]\t # Manage zignatures": [
"z \t show zignatures",
"z* \t show zignatures in radare format",
"zj \t show zignatures in json format",
"z- zignature\t delete zignature",
"z- *\t delete all zignatures",
"za [?]\t add zignature",
"zo [?]\t manage zignature files",
"zf [?]\t manage FLIRT signatures",
"z/ [?]\t search zignatures",
"zc \t check zignatures at address",
"zs [?]\t manage zignspaces"
],
"Usage: wa[of*] [arg]\t ": [
"wa nop\t write nopcode using asm.arch and asm.bits",
"wa* mov eax\t 33, show 'wx' op with hexpair bytes of assembled opcode",
"\\wa nop;nop\\ \t assemble more than one instruction (note the quotes)",
"waf foo.asm\t assemble file and write bytes",
"wao? \t show help for assembler operation on current opcode (hack)"
],
"Usage: CS [*] [+-][metaspace|addr]\t # Manage metaspaces": [
"CS \tdisplay metaspaces",
"CS *\tselect all metaspaces",
"CS metaspace\tselect metaspace or create if it doesn't exist",
"CS -metaspace\tremove metaspace",
"CS -*\tremove all metaspaces",
"CS +foo\tpush previous metaspace and set",
"CS -\tpop to the previous metaspace",
"CSr newname\trename selected metaspace"
],
"Usage: ds \t Step commands": [
"ds \t Step one instruction",
"ds <num>\t Step <num> instructions",
"dsb \t Step back one instruction",
"dsf \t Step until end of frame",
"dsi <cond>\t Continue until condition matches",
"dsl \t Step one source line",
"dsl <num>\t Step <num> source lines",
"dso <num>\t Step over <num> instructions",
"dsp \t Step into program (skip libs)",
"dss <num>\t Skip <num> step instructions",
"dsu [?]<address>\t Step until address",
"dsui [r] <instr>\t Step until an instruction that matches `instr`, use dsuir for regex match",
"dsue <esil>\t Step until esil expression matches",
"dsuf <flag>\t Step until pc == flag matching name"
],
"Usage: d\t # Debug commands": [
"db [?]\t Breakpoints commands",
"dbt [?]\t Display backtrace based on dbg.btdepth and dbg.btalgo",
"dc [?]\t Continue execution",
"dd [?]\t File descriptors (!fd in r1)",
"de [-sc] [rwx] [rm] [e]\t Debug with ESIL (see de?)",
"dg <file>\t Generate a core-file (WIP)",
"dH [handler]\t Transplant process to a new handler",
"di [?]\t Show debugger backend information (See dh)",
"dk [?]\t List, send, get, set, signal handlers of child",
"dL [handler]\t List or set debugger handler",
"dm [?]\t Show memory maps",
"do [?]\t Open process (reload, alias for 'oo')",
"doo [args]\t Reopen in debugger mode with args (alias for 'ood')",
"dp [?]\t List, attach to process or thread id",
"dr [?]\t Cpu registers",
"ds [?]\t Step, over, source line",
"dt [?]\t Display instruction traces (dtr=reset)",
"dw <pid>\t Block prompt until pid dies",
"dx [?]\t Inject and run code on target process (See gs)"
],
"Usage: sC\t Comment grep": [
"sC *\t List all comments",
"sC str\t Seek to the first comment matching 'str'"
],
"Usage: tn [-][0xaddr|symname]\t manage no-return marks": [
"tn[a] 0x3000\t stop function analysis if call/jmp to this address",
"tn[n] sym.imp.exit\t same as above but for flag/fcn names",
"tn -*\t remove all no-return references",
"tn \t list them all"
],
"Usage: b[f] [arg]\\n\t Get/Set block size": [
"b \t display current block size",
"b 33\t set block size to 33",
"b +3\t increase blocksize by 3",
"b -16\t decrease blocksize by 16",
"b eip+4\t numeric argument can be an expression",
"bf foo\t set block size to flag size",
"bm 1M\t set max block size"
],
"Examples: aec\t continue until ^c": [
"aec \t Continue until exception",
"aecs \t Continue until syscall",
"aecu [addr]\t Continue until address",
"aecue [addr]\t Continue until esil expression"
],
"USAGE ts[...] [type]\t ": [
"ts \t List all loaded structs",
"ts [type]\t Show pf format string for given struct",
"ts? \t show this help"
],
"Usage: dmm\t # Module memory maps commands": [
"dmm \t List modules of target process",
"dmm. \t List memory map of current module",
"dmmj \t List modules of target process (JSON)",
"dmm* \t List modules of target process (r2 commands)"
],
"Usage: id \t Debug information": [
"Output mode: \t ",
"'*' \t Output in radare commands",
"id \t Source lines",
"idp [file.pdb]\t Show pdb file information",
".idp* [file.pdb]\t Load pdb file information",
"idpd \t Download pdb file on remote server"
],
"Usage: wop[DO]\t len @ addr | value": [
"wopD len [@ addr]\tWrite a De Bruijn Pattern of length 'len' at address 'addr'",
"wopO value\t Finds the given value into a De Bruijn Pattern at current offset"
],
"Usage: a\t [abdefFghoprxstc] [...]": [
"ab [hexpairs]\t analyze bytes",
"abb [len]\t analyze N basic blocks in [len] (section.size by default)",
"aa [?]\t analyze all (fcns + bbs) (aa0 to avoid sub renaming)",
"ac [cycles]\t analyze which op could be executed in [cycles]",
"ad [?]\t analyze data trampoline (wip)",
"ad [from] [to]\t analyze data pointers to (from-to)",
"ae [?] [expr]\t analyze opcode eval expression (see ao)",
"af [?]\t analyze Functions",
"aF \t same as above, but using anal.depth=1",
"ag [?] [options]\t output Graphviz code",
"ah [?]\t analysis hints (force opcode size, ...)",
"ai [addr]\t address information (show perms, stack, heap, ...)",
"ao [?] [len]\t analyze Opcodes (or emulate it)",
"aO \t Analyze N instructions in M bytes",
"ar [?]\t like 'dr' but for the esil vm. (registers)",
"ap \t find prelude for current offset",
"ax [?]\t manage refs/xrefs (see also afx?)",
"as [?] [num]\t analyze syscall using dbg.reg",
"at [?] [.]\t analyze execution traces",
"av [?] [.]\t show vtables"
],
"Usage: cw \t Watcher commands": [
"cw \t List all compare watchers",
"cw addr\t List all compare watchers",
"cw addr sz cmd\t Add a memory watcher",
"cw *\t List compare watchers in r2 cmds",
"cwr [addr]\t Reset/revert watchers",
"cwu [addr]\t Update watchers"
],
"Usage: /x [hexpairs]:[binmask]\t Search in memory": [
"/x 9090cd80\t search for those bytes",
"/x 9090cd80:ffff7ff0\t search with binary mask"
],
"Usage: z/[*]\t # Search signatures (see 'e?search' for options)": [
"z/ \t search zignatures on range and flag matches",
"z/* \t search zignatures on range and output radare commands"
],
"Usage: /Rk \t Query stored ROP gadgets": [
"/Rk [nop|mov|const|arithm|arithm_ct]\t Show gadgets",
"/Rkj \t JSON output",
"/Rkq \t List Gadgets offsets"
],
"Usage: /[amx/] [arg]\t Search stuff (see 'e??search' for options)": [
"/ foo\\\\x00\t search for string 'foo\\\\0'",
"/j foo\\\\x00\t search for string 'foo\\\\0' (json output)",
"/! ff\t search for first occurrence not matching",
"/+ /bin/sh\t construct the string with chunks",
"/!x 00\t inverse hexa search (find first byte != 0x00)",
"/h [t] [hash] [len]\t find block matching this hash. See /#?",
"/a jmp eax\t assemble opcode and search its bytes",
"/A jmp\t find analyzed instructions of this type (/A? for help)",
"/b \t search backwards",
"/B \t search recognized RBin headers",
"/c jmp [esp]\t search for asm code",
"/C [ar]\t search for crypto materials",
"/d 101112\t search for a deltified sequence of bytes",
"/e /E.F/i\t match regular expression",
"/E esil-expr\t offset matching given esil expressions %%= here",
"/f file [off] [sz]\t search contents of file with offset and size",
"/i foo\t search for string 'foo' ignoring case",
"/m magicfile\t search for matching magic file (use blocksize)",
"/o \t show offset of previous instruction",
"/p patternsize\t search for pattern of given size",
"/P patternsize\t search similar blocks",
"/r[e] sym.printf\t analyze opcode reference an offset (/re for esil)",
"/R [grepopcode]\t search for matching ROP gadgets, semicolon-separated",
"/v [1248] value\t look for an `cfg.bigendian` 32bit value",
"/V [1248] min max\t look for an `cfg.bigendian` 32bit value in range",
"/w foo\t search for wide string 'f\\\\0o\\\\0o\\\\0'",
"/wi foo\t search for wide string ignoring case 'f\\\\0o\\\\0o\\\\0'",
"/x ff..33\t search for hex string ignoring some nibbles",
"/x ff0033\t search for hex string",
"/x ff43 ffd0\t search for hexpair with mask",
"/z min max\t search for strings of given size",
"\\nConfiguration: \t (type `e??search.` for a complete list)",
"e cmd.hit = x\t command to execute on every search hit",
"e search.in = ?\t specify where to search stuff (depends on .from/.to)",
"e search.align = 4\t only catch aligned search hits",
"e search.from = 0\t start address",
"e search.to = 0\t end address",
"e search.flags = true\t if enabled store flags on keyword hits"
],
"Usage: .[r2cmd] | [file] | [!command] | [(macro)]\t # define macro or load r2, cparse or rlang file": [
". \t repeat last command backward",
". r2cmd\t interpret the output of the command as r2 commands",
".. \t repeat last command forward (same as \\\\n)",
".: 8080\t listen for commands on given tcp port",
". foo.r2\t interpret r2 script",
".- \t open cfg.editor and interpret tmp file",
".! rabin -ri $FILE\t interpret output of command",
". (foo 1 2 3)\t run macro 'foo' with args 1, 2, 3",
"./ ELF\t interpret output of command /m ELF as r. commands"
],
"Usage: g[wcilper] [arg]\t Go compile shellcodes": [
"g foo.r\t Compile r_egg source file",
"gw \t Compile and write",
"gc cmd=/bin/ls\t Set config option for shellcodes and encoders",
"gc \t List all config options",
"gl [?]\t List plugins (shellcodes, encoders)",
"gs name args\t Compile syscall name(args)",
"gi [type]\t Compile shellcode. like ragg2 -i (see gl or ragg2 -L)",
"gp padding\t Define padding for command",
"ge xor\t Specify an encoder",
"gr \t Reset r_egg",
"EVAL VARS: \t asm.arch, asm.bits, asm.os"
],
"Usage: wx[f] [arg]\t ": [
"wx 9090\t write two intel nops",
"wxf -|file\t write contents of hexpairs file here",
"wxs 9090\t write hexpairs and seek at the end"
],
"Usage: &[-|<cmd>]\t Manage tasks": [
"& \t list all running threads",
"&= \t show output of all tasks",
"&= 3\t show output of task 3",
"&j \t list all running threads (in JSON)",
"&? \t show this help",
"&+ aa\t push to the task list",
"&- 1\t delete task #1",
"& -*\t delete all threads",
"& aa\t run analysis in background",
"& &&\t run all tasks in background",
"&& \t run all pendings tasks (and join threads)",
"&&& \t run all pendings tasks until ^C",
" \t TODO: last command should honor asm.bits",
" \t WARN: this feature is very experimental. Use it with caution"
],
"Usage: afx[-cCd?] [src] [dst]\t # manage function references (see also ar?)": [
"afxc sym.main+0x38 sym.printf\t add code ref",
"afxC sym.main sym.puts\t add call ref",
"afxd sym.main str.helloworld\t add data ref",
"afx- sym.main str.helloworld\t remove reference"
],
"Usage: de\t [rwx] [reg|mem] [expr]": [],
"STAHP IT!!! \t ": [],
"Usage: ss \t # Seek silently (not recorded in the seek history)": [
"s? \t Works with all s subcommands"
],
"Usage: dcu\t Continue until address": [
"dcu address\t Continue until address",
"dcu [..tail]\t Continue until the range",
"dcu [from] [to]\t Continue until the range"
],
"Usage: agg[kid?*]\t print graph": [
"agg \t show current graph in ascii art",
"aggk \t show graph in key=value form",
"aggi \t enter interactive mode for the current graph",
"aggd \t print the current graph in GRAPHVIZ dot format",
"aggv \t run graphviz + viewer (see 'e cmd.graph')",
"agg* \t in r2 commands, to save in projects, etc"
],
"Usage: dmp\t Change page permissions": [
"dmp [addr] [size] [perms]\t Change permissions",
"dmp [perms]\t Change dbg.map permissions"
],
"Usage: dcs\t Continue until syscall": [
"dcs \t Continue until next syscall",
"dcs [str] \t Continue until next call to the 'str' syscall",
"dcs *\t trace all syscalls, a la strace"
],
"Usage: des\t [u] [arg]": [
"des [N]\t step-in N instructions with esildebug",
"desu [addr]\t esildebug until specific address"
],
"Usage: r[+-][ size]\t Resize file": [
"r \t display file size",
"r size\t expand or truncate file to given size",
"r- num\t remove num bytes, move following data down",
"r+ num\t insert num bytes, move following data up",
"rm [file]\t remove file",
"r2 [file]\t launch r2"
],
"Usage: oo[-] [arg]\t # map opened files": [
"oo \t reopen current file",
"oo+ \t reopen in read-write",
"oob \t reopen loading rbin info",
"ood \t reopen in debug mode",
"oom \t reopen in malloc://",
"oon \t reopen without loading rbin info",
"oon+ \t reopen in read-write mode without loading rbin info",
"oonn \t reopen without loading rbin info, but with header flags",
"oonn+ \t reopen in read-write mode without loading rbin info, but with"
],
"Usage: L\t [-name][ file] # see oL, iL, dL, ...": [
"L \t List all plugins loaded by RCore.lib",
"L- duk\t Unload plugin matching in filename",
"L blah.R_LIB_EXT\t Load plugin file"
],
"Usage: px[0afoswqWqQ][f]\t # Print heXadecimal": [
"px \t show hexdump",
"px/ \t same as x/ in gdb (help x)",
"px0 \t 8bit hexpair list of bytes until zero byte",
"pxa \t show annotated hexdump",
"pxA \t show op analysis color map",
"pxb \t dump bits in hexdump form",
"pxc \t show hexdump with comments",
"pxd [124]\t signed integer dump (1 byte, 2 and 4)",
"pxe \t emoji hexdump! :)",
"pxi \t HexII compact binary representation",
"pxf \t show hexdump of current function",
"pxh \t show hexadecimal half-words dump (16bit)",
"pxH \t same as above, but one per line",
"pxl \t display N lines (rows) of hexdump",
"pxo \t show octal dump",
"pxq \t show hexadecimal quad-words dump (64bit)",
"pxQ \t same as above, but one per line",
"pxr [j]\t show words with references to flags and code",
"pxs \t show hexadecimal in sparse mode",
"pxt [*.] [origin]\t show delta pointer table in r2 commands",
"pxw \t show hexadecimal words dump (32bit)",
"pxW \t same as above, but one per line"
],
"Usage: ?[?[?]] expression \t ": [
"? eip-0x804800\t show hex and dec result for this math expr",
"?: \t list core cmd plugins",
"?* [cmd]?*\t Recursive help for the given cmd",
"?! [cmd]\t ? != 0",
"?+ [cmd]\t ? > 0",
"?- [cmd]\t ? < 0",
"?= eip-0x804800\t hex and dec result for this math expr",
"?$ \t show value all the variables ($)",
"?? \t show value of operation",
"?? [cmd]\t ? == 0 run command when math matches",
"?B [elem]\t show range boundaries like 'e?search.in",
"?P paddr\t get virtual address for given physical one",
"?S addr\t return section name of given address",
"?T \t show loading times",
"?V \t show library version of r_core",
"?X num|expr\t returns the hexadecimal value numeric expr",
"?_ hudfile\t load hud menu with given file",
"?b [num]\t show binary value of number",
"?b64[-] [str]\t encode/decode in base64",
"?d[.] opcode\t describe opcode for asm.arch",
"?e[ngc] string\t echo string, optionally without trailing newline (nonl, gotoxy, column)",
"?f [num] [str]\t map each bit of the number as flag string index",
"?h [str]\t calculate hash for given string",
"?i [ynmkp] arg\t prompt for number or Yes,No,Msg,Key,Path and store in $$?",
"?ik \t press any key input dialog",
"?im message\t show message centered in screen",
"?in prompt\t noyes input prompt",
"?iy prompt\t yesno input prompt",
"?l str\t returns the length of string",
"?o num\t get octal value",
"?O [id]\t List mnemonics for current asm.arch / asm.bits",
"?p vaddr\t get physical address for given virtual address",
"?r [from] [to]\t generate random number between from-to",
"?s from to step\t sequence of numbers from to by steps",
"?t cmd\t returns the time to run a command",
"?u num\t get value in human units (KB, MB, GB, TB)",
"?v eip-0x804800\t show hex value of math expr",
"?vi rsp-rbp\t show decimal value of math expr",
"?w addr\t show what's in this address (like pxr/pxq does)",
"?x +num\t like ?v, but in hexpairs honoring cfg.bigendian",
"?x str\t returns the hexpair of number or string",
"?x -hexst\t convert hexpair into raw string with newline",
"?y [str]\t show contents of yank buffer, or set with string"
],
"Usage: afn[sa]\t Analyze function names": [
"afn [name]\t rename the function",
"afna \t construct a function name for the current offset",
"afns \t list all strings associated with the current function"
],
"Usage: pi[bdefrj] [num]\t ": [
"pib \t print instructions of basic block",
"pid \t alias for pdi\n",
"pif \t print instructions of function\n",
"pij \t print N instructions in JSON\n",
"pie \t print offset + esil expression",
"pir \t like 'pdr' but with 'pI' output"
],
"%var =value\t Alias for 'env' command": [
"* [?] off[=[0x]value]\t Pointer read/write data/values (see ?v, wx, wv)",
"(macro arg0 arg1) \t Manage scripting macros",
". [?] [-|(m)|f|!sh|cmd]\t Define macro or load r2, cparse or rlang file",
"= [?] [cmd]\t Send/Listen for Remote Commands (rap://, http://, <fd>)",
"/ [?]\t Search for bytes, regexps, patterns, ..",
"! [?] [cmd]\t Run given command as in system(3)",
"a [?]\t Analysis commands",
"b [?]\t Display or change the block size",
"c [?] [arg]\t Compare block with given data",
"C [?]\t Code metadata (comments, format, hints, ..)",
"d [?]\t Debugger commands",
"e [?] [a[=b]]\t List/get/set config evaluable vars",
"f [?] [name][sz][at]\t Add flag at current address",
"g [?] [arg]\t Generate shellcodes with r_egg",
"i [?] [file]\t Get info about opened file from r_bin",
"k [?] [sdb-query]\t Run sdb-query. see k? for help, 'k *', 'k **' ...",
"L [?] [-] [plugin]\t list, unload load r2 plugins",
"m [?]\t Mountpoints commands",
"o [?] [file] ([offset])\t Open file at optional address",
"p [?] [len]\t Print current block with format and length",
"P [?]\t Project management utilities",
"q [?] [ret]\t Quit program with a return value",
"r [?] [len]\t Resize file",
"s [?] [addr]\t Seek to address (also for '0x', '0x1' == 's 0x1')",
"S [?]\t Io section manipulation information",
"t [?]\t Types, noreturn, signatures, C parser and more",
"T [?] [-] [num|msg]\t Text log utility",
"u [?]\t uname/undo seek/write",
"V \t Enter visual mode (V! = panels, VV = fcngraph, VVV = callgraph)",
"w [?] [str]\t Multiple write operations",
"x [?] [len]\t Alias for 'px' (print hexadecimal)",
"y [?] [len] [[[@]addr\t Yank/paste bytes from/to memory",
"z [?]\t Zignatures management",
"?[??] [expr]\t Help or evaluate math expression",
"?$? \t Show available '$' variables and aliases",
"?@? \t Misc help for '@' (seek), '~' (grep) (see ~??)",
"?:? \t List and manage core plugins"
],
"Usage: T\t [-][ num|msg]": [
"T \t List all Text log messages",
"T message\t Add new log message",
"T 123\t List log from 123",
"T 10 3\t List 3 log messages starting from 10",
"T* \t List in radare commands",
"T- \t Delete all logs",
"T- 123\t Delete logs before 123",
"Tl \t Get last log message id",
"Tj \t List in json format",
"Tm [idx]\t Display log messages without index",
"Ts \t List files in current directory (see pwd, cd)",
"TT \t Enter into the text log chat console"
],
"Examples: ESIL\t examples and documentation": [
"+ =\t A+=B => B,A,+=",
"+ \t A=A+B => B,A,+,A,=",
"++ \t increment, 2,A,++ == 3 (see rsi,--=[1], ... )",
"-- \t decrement, 2,A,-- == 1",
"* =\t A*=B => B,A,*=",
"/ =\t A/=B => B,A,/=",
"% =\t A%=B => B,A,%=",
"& =\t and ax, bx => bx,ax,&=",
"| \t or r0, r1, r2 => r2,r1,|,r0,=",
"! =\t negate all bits",
"^ =\t xor ax, bx => bx,ax,^=",
" []\t mov eax,[eax] => eax,[],eax,=",
"= []\t mov [eax+3], 1 => 1,3,eax,+,=[]",
"= [1]\t mov byte[eax],1 => 1,eax,=[1]",
"= [8]\t mov [rax],1 => 1,rax,=[8]",
"[] \t peek from random position",
"[*] \t peek some from random position",
"= [*]\t poke some at random position",
"$ \t int 0x80 => 0x80,$",
"$$ \t simulate a hardware trap",
"== \t pops twice, compare and update esil flags",
"< \t compare for smaller",
"< =\t compare for smaller or equal",
"> \t compare for bigger",
"> =\t compare bigger for or equal",
">> =\t shr ax, bx => bx,ax,>>= # shift right",
"<< =\t shr ax, bx => bx,ax,<<= # shift left",
">>> =\t ror ax, bx => bx,ax,>>>= # rotate right",
"<<< =\t rol ax, bx => bx,ax,><<= # rotate left",
"?{ \t if popped value != 0 run the block until }",
"POP \t drops last element in the esil stack",
"DUP \t duplicate last value in stack",
"NUM \t evaluate last item in stack to number",
"PICK \t pick Nth element in stack",
"RPICK \t pick Nth element in reversed stack",
"SWAP \t swap last two values in stack",
"TRAP \t stop execution",
"BITS \t 16,BITS # change bits, useful for arm/thumb",
"TODO \t the instruction is not yet esilized",
"STACK \t show contents of stack",
"CLEAR \t clears the esil stack",
"REPEAT \t repeat n times",
"BREAK \t terminates the string parsing",
"GOTO \t jump to the Nth word popped from the stack"
],
"Usage ahi [sbodh] [@ offset]\t Define numeric base": [
"ahi [base]\t set numeric base (1, 2, 8, 10, 16)",
"ahi b\t set base to binary (1)",
"ahi d\t set base to decimal (10)",
"ahi h\t set base to hexadecimal (16)",
"ahi o\t set base to octal (8)",
"ahi i\t set base to IP address (32)",
"ahi S\t set base to syscall (80)",
"ahi s\t set base to string (2)"
],
"Usage: aftm\t ": [
"afta \t Setup memory and analyse do type matching analysis for all functions",
"aftm \t type matching analysis"
],
"Usage: afvr\t [reg] [type] [name]": [
"afvr \t list register based arguments",
"afvr* \t same as afvr but in r2 commands",
"afvr [reg] [name] ([type])\t define register arguments",
"afvrj \t return list of register arguments in JSON format",
"afvr- [name]\t delete register arguments at the given index",
"afvrg [reg] [addr]\t define argument get reference",
"afvrs [reg] [addr]\t define argument set reference"
],
"Usage: wv[size] [value]\t write value of given size": [
"wv1 234\t write one byte with this value",
"wv 0x834002\t write dword with this value",
"Supported sizes are: 1\t 2, 4, 8, "
],
"Usage: fc <flagname> [color]\t # List colors with 'ecs'": [
"fc flagname\t Get current color for given flagname",
"fc flagname color\t Set color to a flag"
],
"Usage: cu [offset]\t # Creates a unified hex patch": [
"cu $$+1 > p\t Compare current seek and +1",
"cud $$+1 > p\t Compare disasm current seek and +1",
"wu p\t Apply unified hex patch"
],
"Usage: Cvb\t [name] [comment]": [
"Cvb? \t show this help",
"Cvb \t list all base pointer args/vars comments in human friendly format",
"Cvb* \t list all base pointer args/vars comments in r2 format",
"Cvb- [name]\t delete comments for var/arg at current offset for base pointer",
"Cvb [name]\t Show comments for var/arg at current offset for base pointer",
"Cvb [name] [comment]\t add/append comment for the variable with the current name",
"Cvb! [name]\t edit comment using cfg editor"
],
"Usage: af\t ": [
"af ([name]) ([addr])\t analyze functions (start at addr or $$)",
"afr ([name]) ([addr])\t analyze functions recursively",
"af+ addr name [type] [diff]\t hand craft a function (requires afb+)",
"af- [addr]\t clean all function analysis data (or function at addr)",
"afb+ fcnA bbA sz [j] [f] ([t]( [d]))\t add bb to function @ fcnaddr",
"afb [?] [addr]\t List basic blocks of given function",
"afB 16\t set current function as thumb (change asm.bits)",
"afc[c] ([addr])@[addr]\t calculate the Cycles (afc) or Cyclomatic Complexity (afcc)",
"afC [?] type @[addr]\t set calling convention for function",
"aft [?]\t type matching, type propagation",
"aff \t re-adjust function boundaries to fit",
"afF [1|0|]\t fold/unfold/toggle",
"afi [addr|fcn.name]\t show function(s) information (verbose afl)",
"afl [?] [l*] [fcn name]\t list functions (addr, size, bbs, name) (see afll)",
"afo [fcn.name]\t show address for the function named like this",
"afm name\t merge two functions",
"afM name\t print functions map",
"afn [?] name [addr]\t rename name for function at address (change flag too)",
"afna \t suggest automatic name for current offset",
"afs [addr] [fcnsign]\t get/set function signature at current address",
"afS [stack_size]\t set stack frame size for function at current address",
"afu [addr]\t resize and analyze function from current address until addr",
"afv[bsra] ?\t manipulate args, registers and variables in function",
"afx [cCd-] src dst\t add/remove code/Call/data/string reference"
],
"Usage: drp\t # Register profile commands": [
"drp \t Show the current register profile",
"drp [regprofile-file]\t Set the current register profile",
"drp [gdb] [regprofile-file]\t Parse gdb register profile and dump an r2 profile string",
"drpi \t Show internal representation of the register profile",
"drp. \t Show the current fake size",
"drpj \t Show the current register profile (JSON)",
"drps [new fake size]\t Set the fake size"
],
"Usage: arw\t # Set contents of the register arena": [
"arw <hexnum>\t Set contents of the register arena"
],
"Usage: c[?dfx] [argument]\t # Compare": [
"c [string]\t Compare a plain with escaped chars string",
"c* [string]\t Compare a plain with escaped chars string (output r2 commands)",
"c4 [value]\t Compare a doubleword from a math expression",
"c8 [value]\t Compare a quadword from a math expression",
"cat [file]\t Show contents of file (see pwd, ls)",
"cc [at] [(at)]\t Compares in two hexdump columns of block size",
"ccc [at] [(at)]\t Same as above, but only showing different lines",
"ccd [at] [(at)]\t Compares in two disasm columns of block size",
"cf [file]\t Compare contents of file at current seek",
"cg [?] [o] [file]\t Graphdiff current file and [file]",
"cl|cls|clear \t Clear screen, (clear0 to goto 0, 0 only)",
"cu [?] [addr] @at\t Compare memory hexdumps of $$ and dst in unified diff",
"cud [addr] @at\t Unified diff disasm from $$ and given address",
"cv [1248] [addr] @at\t Compare 1,2,4,8-byte value",
"cw [?] [us?] [...]\t Compare memory watchers",
"cx [hexpair]\t Compare hexpair string (use '.' as nibble wildcard)",
"cx* [hexpair]\t Compare hexpair string (output r2 commands)",
"cX [addr]\t Like 'cc' but using hexdiff output"
],
"Usage: y[ptxy] [len] [[@]addr]\t # See wd? for memcpy, same as 'yf'.": [
"y \t show yank buffer information (srcoff len bytes)",
"y 16\t copy 16 bytes into clipboard",
"y 16 0x200\t copy 16 bytes into clipboard from 0x200",
"y 16 @ 0x200\t copy 16 bytes into clipboard from 0x200",
"yz \t copy up to blocksize zero terminated string bytes into clipboard",
"yz 16\t copy up to 16 zero terminated string bytes into clipboard",
"yz @ 0x200\t copy up to blocksize zero terminated string bytes into clipboard from 0x200",
"yz 16 @ 0x200\t copy up to 16 zero terminated string bytes into clipboard from 0x200",
"yp \t print contents of clipboard",
"yx \t print contents of clipboard in hexadecimal",
"ys \t print contents of clipboard as string",
"yt 64 0x200\t copy 64 bytes from current seek to 0x200",
"ytf file\t dump the clipboard to given file",
"yf 64 0x200\t file copy 64 bytes from 0x200 from file (opens w/ io), use -1 for all bytes",
"yfa file copy\t copy all bytes from file (opens w/ io)",
"yy 0x3344\t paste clipboard"
],
"Usage: /c [inst]\t Search for asm": [
"/c instr\t search for instruction 'instr'",
"/c/ instr\t search for instruction that matches regexp 'instr'",
"/c instr1;instr2\t search for instruction 'instr1' followed by 'instr2'",
"/c/ instr1;instr2\t search for regex instruction 'instr1' followed by regex 'instr2'",
"/cj instr\t json output",
"/c/j instr\t regex search with json output",
"/c* instr\t r2 command output"
],
"Usage: ag[?f]\t Graphviz/graph code": [
"ag [addr]\t output graphviz code (bb at addr and children)",
"ag- \t Reset the current ASCII art graph (see agn, age, agg?)",
"aga [addr]\t idem, but only addresses",
"agc [j] [addr]\t output graphviz call graph of function",
"agC [j]\t Same as agc -1. full program callgraph",
"agd [fcn name]\t output graphviz code of diffed function",
"age [?] title1 title2\t Add an edge to the current graph",
"agf [addr]\t Show ASCII art graph of given function",
"agg [?] [kdi*]\t Print graph in ASCII-Art, graphviz, k=v, r2 or visual",
"agj [addr]\t idem, but in JSON format",
"agk [addr]\t idem, but in SDB key-value format",
"agl [fcn name]\t output graphviz code using meta-data",
"agn [?] title body\t Add a node to the current graph",
"ags [addr]\t output simple graphviz call graph of function (only bb offset)",
"agt [addr]\t find paths from current offset to given address",
"agv \t Show function graph in web/png (see graph.web and cmd.graph) or agf for asciiart"
],
"Usage: wA\t [type] [value]": [
"Types \t ",
"r \t raw write value",
"v \t set value (taking care of current address)",
"d \t destination register",
"0 \t 1st src register",
"1 \t 2nd src register",
"Example: wA r 0\t # e800000000"
],
"Usage: ob\t # List open binary files backed by fd": [
"ob \t List opened binary files and objid",
"ob [fd objid]\t Switch to open binary file by fd number and objid",
"obb [fd]\t Switch to open binfile by fd number",
"obr [baddr]\t Rebase current bin object",
"ob- [fd]\t Delete binfile by fd",
"obd [objid]\t Delete binary file by objid. Do nothing if only one loaded.",
"obo [objid]\t Switch to open binary file by objid"
],
"Usage: Pn[j-?] [...]\t Project Notes": [
"Pn \t show project notes",
"Pn -\t edit notes with cfg.editor",
"Pn- \t delete notes",
"Pn- str\t delete lines matching /str/ in notes",
"Pn+ str\t append one line to the notes",
"Pnx \t run project note commands",
"Pnj \t show notes in base64",
"Pnj [base64]\t set notes in base64"
],
"Usage ec[s?] [key][[=| ]fg] [bg] \t": [
"ec \tlist all color keys",
"ec* \tsame as above, but using r2 commands",
"ecd \tset default palette",
"ecr \tset random palette",
"ecs \tshow a colorful palette",
"ecj \tshow palette in JSON",
"ecc [prefix]\tshow palette in CSS",
"eco dark|white\tload white color scheme template",
"ecp \tload previous color theme",
"ecn \tload next color theme",
"ecH [?]\thighlight word or instruction",
"ec prompt red\tchange color of prompt",
"ec prompt red blue\tchange color and background of prompt",
" \t",
"colors: \trgb:000, red, green, blue, ...",
"e scr.rgbcolor =1|0\tfor 256 color cube (boolean)",
"e scr.truecolor =1|0\tfor 256*256*256 colors (boolean)",
"$DATADIR/radare2/cons \t~/.config/radare2/cons ./"
],
"Usage: db \t # Breakpoints commands": [
"db \t List breakpoints",
"db sym.main\t Add breakpoint into sym.main",
"db <addr>\t Add breakpoint",
"db -<addr>\t Remove breakpoint",
"db. \t Show breakpoint info in current offset",
"dbj \t List breakpoints in JSON format",
"dbc <addr> <cmd>\t Run command when breakpoint is hit",
"dbC <addr> <cmd>\t Set breakpoint condition on command",
"dbd <addr>\t Disable breakpoint",
"dbe <addr>\t Enable breakpoint",
"dbs <addr>\t Toggle breakpoint",
"dbf \t Put a breakpoint into every no-return function",
"dbt [?]\t Display backtrace based on dbg.btdepth and dbg.btalgo",
"dbt* \t Display backtrace in flags",
"dbt= \t Display backtrace in one line (see dbt=s and dbt=b for sp or bp)",
"dbtj \t Display backtrace in JSON",
"dbte <addr>\t Enable Breakpoint Trace",
"dbtd <addr>\t Disable Breakpoint Trace",
"dbts <addr>\t Swap Breakpoint Trace",
"dbm <module> <offset>\t Add a breakpoint at an offset from a module's base",
"dbn [<name>]\t Show or set name for current breakpoint",
"dbi \t List breakpoint indexes",
"dbic <index> <cmd>\t Run command at breakpoint index",
"dbie <index>\t Enable breakpoint by index",
"dbid <index>\t Disable breakpoint by index",
"dbis <index>\t Swap Nth breakpoint",
"dbite <index>\t Enable breakpoint Trace by index",
"dbitd <index>\t Disable breakpoint Trace by index",
"dbits <index>\t Swap Nth breakpoint trace",
"dbh x86\t Set/list breakpoint plugin handlers",
"dbh- <name>\t Remove breakpoint plugin handler",
"drx number addr len rwx\t Modify hardware breakpoint",
"drx- number\t Clear hardware breakpoint"
],
"Usage: ate\t Show esil trace logs": [
"ate \t Esil trace log for a single instruction",
"ate [idx]\t show commands for that index log",
"ate -*\t delete all esil traces",
"atei \t esil trace log single instruction",
"atek [sdb query]\t esil trace log single instruction from sdb"
],
"Usage: ara[+-s]\t Register Arena Push/Pop/Swap": [
"ara \t show all register arenas allocated",
"ara +\t push a new register arena for each type",
"ara -\t pop last register arena",
"aras \t swap last two register arenas"
],
"USAGE tu[...] \t ": [
"tu \t List all loaded unions",
"tu? \t show this help"
],
"Usage: Cvs\t [name] [comment]": [
"Cvs? \t show this help",
"Cvs \t list all stack based args/vars comments in human friendly format",
"Cvs* \t list all stack based args/vars comments in r2 format",
"Cvs- [name]\t delete comments for stack pointer var/arg with that name",
"Cvs [name]\t Show comments for stack pointer var/arg with that name",
"Cvs [name] [comment]\t add/append comment for the variable",
"Cvs! [name]\t edit comment using cfg editor"
],
"Usage #!interpreter [<args>] [<file] [<<eof] \t": [],
"Usage: drs\t # Register states commands": [
"drs \t List register stack",
"drs+ \t Push register state",
"drs- \t Pop register state"
],
"wao [op]\t performs a modification on current opcode": [
"wao nop\t nop current opcode",
"wao jz\t make current opcode conditional (zero)",
"wao jnz\t make current opcode conditional (not zero)",
"wao ret1\t make the current opcode return 1",
"wao ret0\t make the current opcode return 0",
"wao retn\t make the current opcode return -1",
"wao un-cjmp\t remove conditional operation to branch",
"wao trap\t make the current opcode a trap",
"wao swap-cjmp\t swap conditional branch",
"NOTE: \t those operations are only implemented for x86 and arm atm., //TODO\n"
],
"Usage: age [title1] [title2]\t ": [
"Examples: \t ",
"age title1 title2\t Add an edge from the node with \\title1\\ as title to the one with title \\title2\\",
"age \\title1 with spaces\\ title2\t Add an edge from node \\title1 with spaces\\ to node \\title2\\",
"age- title1 title2\t Remove an edge from the node with \\title1\\ as title to the one with title \\title2\\",
"age? \t Show this help"
],
"Examples: aea\t show regs used in a range": [
"aea [ops]\t Show regs used in N instructions",
"aea* [ops]\t Create mem.* flags for memory accesses",
"aeaf \t Show regs used in current function",
"aear [ops]\t Show regs read in N instructions",
"aeaw [ops]\t Show regs written in N instructions",
"aean [ops]\t Show regs not written in N instructions",
"aeaj [ops]\t Show aea output in JSON format",
"aeA [len]\t Show regs used in N bytes (subcommands are the same)"
],
"Usage: ps[zpw] [N]\t Print String": [
"ps \t print string",
"pss \t print string in screen (wrap width)",
"psi \t print string inside curseek",
"psb \t print strings in current block",
"psx \t show string with escaped chars",
"psz \t print zero terminated string",
"psp \t print pascal string",
"psu \t print utf16 unicode (json)",
"psw \t print 16bit wide string",
"psW \t print 32bit wide string",
"psj \t print string in JSON format"
],
"Usage: %[name[=value]]\t Set each NAME to VALUE in the environment": [
"% \t list all environment variables",
"% SHELL\t prints SHELL value",
"% TMPDIR=/tmp\t sets TMPDIR value to \\/tmp\\"
],
"USAGE te[...] \t ": [
"te \t List all loaded enums",
"te <enum> <value>\t Show name for given enum number",
"te? \t show this help"
],
"Usage: t- <type>\t Delete type by its name": [],
"Usage \t write extend": [
"wen <num>\t insert num null bytes at current offset",
"wex <hex_bytes>\t insert bytes at current offset",
"weN <addr> <len>\t insert bytes at address",
"weX <addr> <hex_bytes>\t insert bytes at address",
"wes <addr> <dist> <block_size>\t shift a blocksize left or write in the editor"
],
"Usage: u\t uname or undo write/seek": [
"u \t show system uname",
"uw \t alias for wc (requires: e io.cache=true)",
"us \t alias for s- (seek history)"
],
"Usage: p[dD][ajbrfils] [sz] [arch] [bits]\t # Print Disassembly": [
"NOTE: len\t parameter can be negative",
"NOTE: \t Pressing ENTER on empty command will repeat last pd command and also seek to end of disassembled range.",
"pd N\t disassemble N instructions",
"pd -N\t disassemble N instructions backward",
"pD N\t disassemble N bytes",
"pda \t disassemble all possible opcodes (byte per byte)",
"pdb \t disassemble basic block",
"pdc \t pseudo disassembler output in C-like syntax",
"pdC \t show comments found in N instructions",
"pdk \t disassemble all methods of a class",
"pdj \t disassemble to json",
"pdr \t recursive disassemble across the function graph",
"pdf \t disassemble function",
"pdi \t like 'pi', with offset and bytes",
"pdl \t show instruction sizes",
"pds [?]\t disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)",
"pdt \t disassemble the debugger traces (see atd)"
],
"Usage: afl\t List all functions": [
"afl \t list functions",
"aflj \t list functions in json",
"afll \t list functions in verbose mode",
"aflq \t list functions in quiet mode",
"aflqj \t list functions in json quiet mode",
"afls \t print sum of sizes of all functions"
],
"Usage: fs [*] [+-][flagspace|addr]\t # Manage flagspaces": [
"fs \tdisplay flagspaces",
"fs* \tdisplay flagspaces as r2 commands",
"fsj \tdisplay flagspaces in JSON",
"fs *\tselect all flagspaces",
"fs flagspace\tselect flagspace or create if it doesn't exist",
"fs -flagspace\tremove flagspace",
"fs -*\tremove all flagspaces",
"fs +foo\tpush previous flagspace and set",
"fs -\tpop to the previous flagspace",
"fs -.\tremove the current flagspace",
"fsm [addr]\tmove flags at given address to the current flagspace",
"fss \tdisplay flagspaces stack",
"fssj \tdisplay flagspaces stack in JSON",
"fss* \tdisplay flagspaces stack in r2 commands",
"fsr newname\trename selected flagspace"
],
"Usage: dk \t Signal commands": [
"dk \t List all signal handlers of child process",
"dk <signal>\t Send KILL signal to child",
"dk <signal>=1\t Set signal handler for <signal> in child",
"dk? <signal>\t Name/signum resolver",
"dko [?] <signal>\t Reset skip or cont options for given signal",
"dko <signal> [|skip|cont]\t On signal SKIP handler or CONT into",
"dkj \t List all signal handlers in JSON"
],
"Usage: k[s] [key[=value]]\t Sdb Query": [
"k foo=bar\t set value",
"k foo\t show value",
"k \t list keys",
"ko [file.sdb] [ns]\t open file into namespace",
"kd [file.sdb] [ns]\t dump namespace to disk",
"ks [ns]\t enter the sdb query shell",
"k anal/meta/*\t ist kv from anal > meta namespaces",
"k anal/**\t list namespaces under anal",
"k anal/meta/meta.0x80404\t get value for meta.0x80404 key"
],
"Usage: ao[e?] [len]\t Analyze Opcodes": [
"aoj N\t display opcode analysis information in JSON for N opcodes",
"aoe N\t display esil form for N opcodes",
"aor N\t display reil form for N opcodes",
"aos [esil]\t show sdb representation of esil expression (TODO)",
"ao 5\t display opcode analysis of 5 opcodes",
"ao* \t display opcode in r commands"
],
"Usage: [.][#]<cmd>[*] [`cmd`] [@ addr] [~grep] [|syscmd] [>[>]file] \t ": [
"0 \t alias for 's 0'",
"0x addr\t alias for 's 0x..'",
"/* \t start multiline comment",
"*/ \t end multiline comment",
". cmd\t execute output of command as r2 script",
".: 8080\t wait for commands on port 8080",
".! rabin2 -re $FILE\t run command output as r2 script",
"* \t output of command in r2 script format (CC*)",
"j \t output of command in JSON format (pdj)",
"~ ?\t count number of lines (like wc -l)",
"~ ??\t show internal grep help",
"~ ..\t internal less",
"~ {}\t json indent",
"~ {}..\t json indent and less",
"~ word\t grep for lines matching word",
"~ !word\t grep for lines NOT matching word",
"~ word[2]\t grep 3rd column of lines matching word",
"~ word:3[0]\t grep 1st column from the 4th line matching word",
"@ 0x1024\t temporary seek to this address (sym.main+3)",
"@ addr[!blocksize]\t temporary set a new blocksize",
"@a: arch[:bits]\t temporary set arch and bits",
"@b: bits\t temporary set asm.bits",
"@e: k=v\tk=v, temporary change eval vars",
"@r: reg\t tmp seek to reg value (f.ex pd@r:PC)",
"@i: nth.op\t temporary seek to the Nth relative instruction",
"@f: file\t temporary replace block with file contents",
"@o: fd\t temporary switch to another fd",
"@s: string\t same as above but from a string",
"@x: 909192\t from hex pairs string",
"@.. from to\t temporary set from and to for commands supporting ranges",
"@@= 1 2 3\t run the previous command at offsets 1, 2 and 3",
"@@ hit*\t run the command on every flag matching 'hit*'",
"@@? [ktfb..]\t show help for the iterator operator",
"@@@ [type]\t run a command on every [type] (see @@@? for help)",
"> file\t pipe output of command to file",
">> file\t append to file",
"H> file\t pipe output of command to file in HTML",
"H>> file\t append to file with the output of command in HTML",
"` pdi~push:0[0]`\t replace output of command inside the line",
"| cmd\t pipe output to command (pd|less) (.dr*)"
],
"Usage: =[:!+-=hH] [...]\t # radare remote command execution protocol": [
"\\nrap commands: \t ",
"= \t list all open connections",
"=< [fd] cmd\t send output of local command to remote fd",
"= [fd] cmd\t exec cmd at remote 'fd' (last open is default one)",
"=! cmd\t run command via r_io_system",
"=+ [proto://]host\t add host (default=rap://, tcp://, udp://)",
"=- [fd]\t remove all hosts or host 'fd'",
"== [fd]\t open remote session with host 'fd', 'q' to quit",
"=!= \t disable remote cmd mode",
"!=! \t enable remote cmd mode",
"\\nrap server: \t",
"= :port\t listen on given port using rap protocol (o rap://9999)",
"=& :port\t start rap server in background",
"= :host:port cmd\t run 'cmd' command on remote server",
"\\nhttp server: \t ",
"=h port\t listen for http connections (r2 -qc=H /bin/ls)",
"=h- \t stop background webserver",
"=h* \t restart current webserver",
"=h& port\t start http server in background)",
"=H port\t launch browser and listen for http",
"=H& port\t launch browser and listen for http in background",
"\\ngdbserver: \t ",
"=g port file\t listen on 'port' for debugging 'file' using gdbserver"
],
"Usage: pt [dn]\t print timestamps": [
"pt \t print UNIX time (32 bit `cfg.bigendian`) Since January 1, 1970",
"ptd \t print DOS time (32 bit `cfg.bigendian`) Since January 1, 1980",
"pth \t print HFS time (32 bit `cfg.bigendian`) Since January 1, 1904",
"ptn \t print NTFS time (64 bit `cfg.bigendian`) Since January 1, 1601"
],
"Usage: do\t # Debug commands": [
"do \t Open process (reload, alias for 'oo')",
"doo [args]\t Reopen in debugger mode with args (alias for 'ood')"
],
"Usage: s \t # Seek commands": [
"s \t Print current address",
"s: pad\t Print current address with N padded zeros (defaults to 8)",
"s addr\t Seek to address",
"s- \t Undo seek",
"s- n\t Seek n bytes backward",
"s-- \t Seek blocksize bytes backward",
"s+ \t Redo seek",
"s+ n\t Seek n bytes forward",
"s++ \t Seek blocksize bytes forward",
"s[j*=!] \t List undo seek history (JSON, =list, *r2, !=names, s==)",
"s/ DATA\t Search for next occurrence of 'DATA'",
"s/x 9091\t Search for next occurrence of \\\\x90\\\\x91",
"s. hexoff\t Seek honoring a base from core->offset",
"sa [[+-]a] [asz]\t Seek asz (or bsize) aligned to addr",
"sb \t Seek aligned to bb start",
"sC [?] string\t Seek to comment matching given string",
"sf \t Seek to next function (f->addr+f->size)",
"sf function\t Seek to address of specified function",
"sg/sG \t Seek begin (sg) or end (sG) of section or file",
"sl [?] [+-]line\t Seek to line",
"sn/sp \t Seek to next/prev location, as specified by scr.nkey",
"so [N]\t Seek to N next opcode(s)",
"sr pc\t Seek to register",
"ss \t Seek silently (without adding an entry to the seek history)"
],
"Usage: sl+ or sl- or slc\t ": [
"sl [line]\t Seek to absolute line",
"sl [+-][line]\t Seek to relative line",
"slc \t Clear line cache",
"sll \t Show total number of lines"
],
"Usage: ah[lba-]\t Analysis Hints": [
"ah? \t show this help",
"ah? offset\t show hint of given offset",
"ah \t list hints in human-readable format",
"ah. \t list hints in human-readable format from current offset",
"ah- \t remove all hints",
"ah- offset [size]\t remove hints at given offset",
"ah* offset\t list hints in radare commands format",
"aha ppc 51\t set arch for a range of N bytes",
"ahb 16 @ $$\t force 16bit for current instruction",
"ahc 0x804804\t override call/jump address",
"ahf 0x804840\t override fallback address for call",
"ahi [?] 10\t define numeric base for immediates (1, 8, 10, 16, s)",
"ahs 4\t set opcode size=4",
"ahS jz\t set asm.syntax=jz for this opcode",
"aho foo a0\t33, replace opcode string",
"ahe eax+=3\t set vm analysis string"
],
"Usage: $alias[=cmd] [args...]\t Alias commands": [
"$ \t list all defined aliases",
"$* \t same as above, but using r2 commands",
"$ dis='af;pdf'\t create command - analyze to show function",
"$ test=#!pipe node /tmp/test.js\t create command - rlangpipe script",
"$ dis=\t undefine alias",
"$ dis\t execute the previously defined alias",
"$ dis?\t show commands aliased by 'analyze'"
],
"@@ \t # foreach iterator command:": [
"Repeat a command over a list of offsets \t ",
"x @@ sym.*\t run 'x' over all flags matching 'sym.' in current flagspace",
"x @@dbt[abs]\t run a command on every backtrace address, bp or sp",
"x @@.file\t \\\\ over the offsets specified in the file (one offset per line)",
"x @@=off1 off2 ..\t manual list of offsets",
"x @@/x 9090\t temporary set cmd.hit to run a command on each search result",
"x @@k sdbquery\t \\\\ on all offsets returned by that sdbquery",
"x @@t\t \\\\ on all threads (see dp)",
"x @@b\t \\\\ on all basic blocks of current function (see afb)",
"x @@i\t \\\\ on all instructions of the current function (see pdr)",
"x @@f\t \\\\ on all functions (see aflq)",
"x @@f:write\t \\\\ on all functions matching write in the name",
"x @@c:cmd\t the same as @@=`` without the backticks",
"x @@=`pdf~call[0]`\t run 'x' at every call offset of the current function"
],
"Usage: !<cmd>\t Run given command as in system(3)": [
"! \t list all historic commands",
"! ls\t execute 'ls' in shell",
"!! \t save command history to hist file",
"!! ls~txt\t print output of 'ls' and grep for 'txt'",
".! rabin2 -rpsei ${FILE}\t run each output line as a r2 cmd",
"! echo $SIZE\t display file size",
"!- \t clear history in current session",
"!-* \t clear and save empty history log",
"!=! \t enable remotecmd mode",
"=!= \t disable remotecmd mode",
"\\nEnvironment: \t ",
"R2_FILE \t file name",
"R2_OFFSET \t 10base offset 64bit value",
"R2_BYTES \t TODO: variable with bytes in curblock",
"R2_XOFFSET \t same as above, but in 16 base",
"R2_BSIZE \t block size",
"R2_ENDIAN \t 'big' or 'little'",
"R2_IOVA \t is io.va true? virtual addressing (1,0)",
"R2_DEBUG \t debug mode enabled? (1,0)",
"R2_BLOCK \t TODO: dump current block to tmp file",
"R2_SIZE \tfile size",
"R2_ARCH \t value of asm.arch",
"R2_BITS \t arch reg size (8, 16, 32, 64)",
"RABIN2_LANG \t assume this lang to demangle",
"RABIN2_DEMANGLE \t demangle or not",
"PDB_SERVER \t e pdb.server"
],
"Usage: zs[+-*] [namespace]\t # Manage zignspaces": [
"zs \t display zignspaces",
"zs zignspace\t select zignspace",
"zs *\t select all zignspaces",
"zs- zignspace\t delete zignspace",
"zs- *\t delete all zignspaces",
"zs+ zignspace\t push previous zignspace and set",
"zs- \t pop to the previous zignspace",
"zsr newname\t rename selected zignspace"
],
"Usage: ad\t [kt] [...]": [
"ad [N] [D]\t analyze N data words at D depth",
"ad4 [N] [D]\t analyze N data words at D depth (asm.bits=32)",
"ad8 [N] [D]\t analyze N data words at D depth (asm.bits=64)",
"adf \t analyze data in function (use like .adf @@=`afl~[0]`",
"adfg \t analyze data in function gaps",
"adt \t analyze data trampolines (wip)",
"adk \t analyze data kind (code, text, data, invalid, ...)"
],
"Usage: ?v [$.] \t": [
"$$ \t here (current virtual seek)",
"$? \t last comparison value",
"$alias =value\t Alias commands (simple macros)",
"$b \t block size",
"$B \t base address (aligned lowest map address)",
"$f \t jump fail address (e.g. jz 0x10 => next instruction)",
"$fl \t flag length (size) at current address (fla; pD $l @ entry0)",
"$F \t current function size",
"$FB \t begin of function",
"$Fb \t address of the current basic block",
"$Fs \t size of the current basic block",
"$FE \t end of function",
"$FS \t function size",
"$FI \t function instructions",
"$c $r\t , get width and height of terminal",
"$Cn \t get nth call of function",
"$Dn \t get nth data reference in function",
"$D \t current debug map base address ?v $D @ rsp",
"$DD \t current debug map size",
"$e \t 1 if end of block, else 0",
"$j \t jump address (e.g. jmp 0x10, jz 0x10 => 0x10)",
"$Ja \t get nth jump of function",
"$Xn \t get nth xref of function",
"$l \t opcode length",
"$m \t opcode memory reference (e.g. mov eax,[0x10] => 0x10)",
"$M \t map address (lowest map address)",
"$o \t here (current disk io offset)",
"$p \t getpid()",
"$P \t pid of children (only in debug)",
"$s \t file size",
"$S \t section offset",
"$SS \t section size",
"$v \t opcode immediate value (e.g. lui a0,0x8010 => 0x8010)",
"$w \t get word size, 4 if asm.bits=32, 8 if 64, ...",
"${ev} \t get value of eval config variable",
"$k{kv} \t get value of an sdb query value",
"RNum \t $variables usable in math expressions"
],
"Usage: pv[j][1 2\t4,8,z], , ": [
"pv \t print bytes based on asm.bits",
"pv1 \t print 1 byte in memory",
"pv2 \t print 2 bytes in memory",
"pv4 \t print 4 bytes in memory",
"pv8 \t print 8 bytes in memory",
"pvz \t print value as string (alias for ps)"
],
"Usage: dr \t Registers commands": [
"dr \t Show 'gpr' registers",
"dr <register>=<val>\t Set register value",
"dr= \t Show registers in columns",
"dr? <register>\t Show value of given register",
"dr8 [1|2|4|8] [type]\t Display hexdump of gpr arena (WIP)",
"drb [1|2|4|8] [type]\t Display hexdump of gpr arena (WIP)",
"drC \t Show register profile comments",
"drc [name]\t Related to conditional flag registers",
"drd \t Show only different registers",
"drl [j]\t List all register names",
"drn <pc>\t Get regname for pc,sp,bp,a0-3,zf,cf,of,sg",
"dro \t Show previous (old) values of registers",
"drp [?] <file>\t Load register metadata file",
"drp \t Display current register profile",
"drpi \t Display current internal representation of the register profile",
"drps \t Fake register profile size",
"drr \t Show registers references (telescoping)",
"drs [?]\t Stack register states",
"drt [?]\t Show all register types",
"drt flg\t Show flag registers",
"drt all\t Show all registers",
"drt 16\t Show 16 bit registers",
"drt 32\t Show 32 bit registers",
"drt 80\t Show 80 bit registers (long double)",
"drx [?]\t Show all debug registers",
"drx idx addr len rwx\t Modify hardware breakpoint",
"drx- number\t Clear hardware breakpoint",
"drf \tshow fpu registers (80 bit long double)",
"drm \tshow multimedia packed registers",
"drm mmx0 0 32 = 12\tset the first 32 bit word of the mmx reg to 12",
"drw <hexnum>\t Set contents of the register arena",
".dr *\t Include common register values in flags",
".dr -\t Unflag all registers"
],
"Usage: drt\t [type] [size] # debug register types": [
"drt \t List all available register types",
"drt [size]\t Show all regs in the profile of size",
"drt [type]\t Show all regs in the profile of this type",
"drt [type] [size]\t Same as above for type and size"
],
"Usage: (foo args\tcmd1,cmd2,..), Aliases": [
"(foo args ..\t..), , define a macro",
"(foo args ..\t..)(), , define and call a macro",
"(-foo) \t remove a macro",
".(foo) \t to call it",
"() \t break inside macro",
"(* \t list all defined macros",
" Argument support:\t ",
"(foo x y $0 @ $1)\t , define fun with args (x - $0, y - $1)",
".(foo 128 0x804800) \t call it with args",
" Iterations:\t ",
".(foo () $@)\t , define iterator returning iter index",
"x @@ .(foo) \t iterate over them"
],
"Usage: S[?-.*=adlr] [...]\t": [
"S \tlist sections",
"S. \tshow current section name",
"S* \tlist sections (in radare commands)",
"S= \tlist sections (ascii-art bars) (io.va to display paddr or vaddr)",
"Sa [-] [A] [B] [[off]]\tSpecify arch and bits for given section",
"Sd[a] [file]\tdump current (all) section to a file (see dmd)",
"Sl [file]\tload contents of file into current section (see dml)",
"Sf [baddr]\tAlias for S 0 0 $s $s foo mrwx",
"Sj \tlist sections in JSON (alias for iSj)",
"Sr [name]\trename section on current seek",
"S off va sz vsz name mrwx\tadd new section (if(!vsz)vsz=sz)",
"S-[id] \tremove section identified by id",
"S-. \tremove section at core->offset (can be changed with @)",
"S.-* \tremove all sections in current offset"
],
"Usage: afvs\t [idx] [type] [name]": [
"afvs \t list stack based arguments and locals",
"afvs* \t same as afvs but in r2 commands",
"afvs [idx] [name] [type]\t define stack based arguments,locals",
"afvsj \t return list of stack based arguments and locals in JSON format",
"afvs- [name]\t delete stack based argument or locals with the given name",
"afvsg [idx] [addr]\t define var get reference",
"afvss [idx] [addr]\t define var set reference"
],
"Usage: zf[dsz] filename\t # Manage FLIRT signatures": [
"zfd filename\t open FLIRT file and dump",
"zfs filename\t open FLIRT file and scan",
"zfz filename\t open FLIRT file and get sig commands (zfz flirt_file > zignatures.sig)"
],
"Usage: q[!][!] [retval]\t ": [
"q \tquit program",
"q! \tforce quit (no questions)",
"q!! \tforce quit without saving history",
"q 1\tquit with return value 1",
"q a-b\tquit with return value a-b",
"q[y/n][y/n] \tquit, chose to kill process, chose to save project "
],
"Usage: wo[asmdxoArl24]\t [hexpairs] @ addr[!bsize]": [
"wo[aAdlmorwx24] \t without hexpair values, clipboard is used",
"woa [val]\t += addition (f.ex: woa 0102)",
"woA [val]\t&= and",
"wod [val]\t /= divide",
"woD [algo] [key] [IV]\tdecrypt current block with given algo and key",
"woe [from to] [step] [wsz=1]\t.. create sequence",
"woE [algo] [key] [IV]\t encrypt current block with given algo and key",
"wol [val]\t<<= shift left",
"wom [val]\t *= multiply",
"woo [val]\t|= or",
"wop[DO] [arg]\tDe Bruijn Patterns",
"wor [val]\t >>= shift right",
"woR \trandom bytes (alias for 'wr $b')",
"wos [val]\t -= substraction",
"wow [val]\t == write looped value (alias for 'wb')",
"wox [val]\t^= xor (f.ex: wox 0x90)",
"wo2 [val]\t2= 2 byte endian swap",
"wo4 [val]\t 4= 4 byte endian swap"
],
"Usage: dp\t # Process commands": [
"dp \t List current pid and children",
"dp <pid>\t List children of pid",
"dp* \t List all attachable pids",
"dp= <pid>\t Select pid",
"dp- <pid>\t Detach select pid",
"dpa <pid>\t Attach and select pid",
"dpc \t Select forked pid (see dbg.forks)",
"dpc* \t Display forked pid (see dbg.forks)",
"dpe \t Show path to executable",
"dpf \t Attach to pid like file fd // HACK",
"dpk <pid> [<signal>]\t Send signal to process (default 0)",
"dpn \t Create new process (fork)",
"dptn \t Create new thread (clone)",
"dpt \t List threads of current pid",
"dpt <pid>\t List threads of process",
"dpt= <thread>\t Attach to thread"
],
"Usage: wc[ir+-*?]\t # NOTE: Uses io.cache=true": [
"wc \tlist all write changes",
"wc- [from] [to]\tremove write op at curseek or given addr",
"wc+ [addr]\tcommit change from cache to io",
"wc* \t\\\\ in radare commands",
"wcr \treset all write changes in cache",
"wci \tcommit write cache"
],
"Usage: di \t Debugger target information": [
"di \t Show debugger target information",
"di* \t Same as above, but in r2 commands",
"dij \t Same as above, but in JSON format"
],
"Usage: m[-?*dgy] [...]\t Mountpoints management": [
"m \t List all mountpoints in human readable format",
"m* \t Same as above, but in r2 commands",
"ml \t List filesystem plugins",
"m /mnt\t Mount fs at /mnt with autodetect fs and current offset",
"m /mnt ext2 0\t Mount ext2 fs at /mnt with delta 0 on IO",
"m-/ \t Umount given path (/)",
"my \t Yank contents of file into clipboard",
"mo /foo\t Get offset and size of given file",
"mg /foo\t Get contents of file/dir dumped to disk (XXX?)",
"mf [?] [o|n]\t Search files for given filename or for offset",
"md /\t List directory contents for path",
"mp \t List all supported partition types",
"mp msdos 0\t Show partitions in msdos format at offset 0",
"ms /mnt\t Open filesystem prompt at /mnt"
],
"Usage: om[-] [arg]\t # map opened files": [
"om \t list all defined IO maps",
"om -0x10000\t remove the map at given address",
"om fd addr [size]\t create new io map",
"omr fd|0xADDR ADDR\t relocate current map",
"om* \t show r2 commands to restore mapaddr"
],
"Usage: av[*j]\t analyze the .rodata section and list virtual function present": [],
"Usage: P[?osi] [file]\t Project management": [
"Pc [file]\t show project script to console",
"Pd [file]\t delete project",
"Pi [file]\t show project information",
"Pl \t list all projects",
"Pn [j]\t show project notes (Pnj for json)",
"Pn [base64]\t set notes text",
"Pn -\t edit notes with cfg.editor",
"Po [file]\t open project",
"Ps [file]\t save project",
"PS [file]\t save script file",
"P- [file]\t delete project (alias for Pd)",
"NOTE: \t See 'e??prj.'",
"NOTE: \t project are stored in ~/.config/radare2/projects"
],
"Usage: cg \t Graph code commands": [
"cg \t diff ratio among functions (columns: off-A, match-ratio, off-B)",
"cgf [fcn]\t Compare functions (curseek vs fcn)",
"cgo \t Opcode-bytes code graph diff"
],
"Usage: /C \t Search for crypto materials": [
"/Ca \t Search for AES keys",
"/Cr \t Search for private RSA keys"
],
"Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr]\t ": [
"p= [?][bep] [blks] [len] [blk]\t show entropy/printable chars/chars bars",
"p2 [len]\t 8x8 2bpp-tiles",
"p3 [file]\t print stereogram (3D)",
"p6 [de] [len]\t base64 decode/encode",
"p8 [?][j] [len]\t 8bit hexpair list of bytes",
"pa [edD] [arg]\t pa:assemble pa[dD]:disasm or pae: esil from hexpairs",
"pA [n_ops]\t show n_ops address and type",
"p [b|B|xb] [len] ([skip])\t bindump N bits skipping M",
"pb [?] [n]\t bitstream of N bits",
"pB [?] [n]\t bitstream of N bytes",
"pc [?][p] [len]\t output C (or python) format",
"pC [d] [rows]\t print disassembly in columns (see hex.cols and pdi)",
"pd [?] [sz] [a] [b]\t disassemble N opcodes (pd) or N bytes (pD)",
"pf [?][.nam] [fmt]\t print formatted data (pf.name, pf.name $<expr>)",
"ph [?][=|hash] ([len])\t calculate hash for a block",
"p [iI][df] [len]\t print N ops/bytes (f=func) (see pi? and pdi)",
"pm [?] [magic]\t print libmagic data (see pm? and /m?)",
"pr [?][glx] [len]\t print N raw bytes (in lines or hexblocks, 'g'unzip)",
"p [kK] [len]\t print key in randomart (K is for mosaic)",
"ps [?][pwz] [len]\t print pascal/wide/zero-terminated strings",
"pt [?][dn] [len]\t print different timestamps",
"pu [?][w] [len]\t print N url encoded bytes (w=wide)",
"pv [?][jh] [mode]\t show variable/pointer/value in memory",
"p- [?][jh] [mode]\t bar|json|histogram blocks (mode: e?search.in)",
"px [?][owq] [len]\t hexdump of N bytes (o=octal, w=32bit, q=64bit)",
"pz [?] [len]\t print zoom view (see pz? for help)",
"pwd \t display current working directory"
],
"Usage: as[ljk?] \t syscall name <-> number utility": [
"as \t show current syscall and arguments",
"as 4\t show syscall 4 based on asm.os and current regs/mem",
"asc[a] 4\t dump syscall info in .asm or .h",
"asf [k[=[v]]]\t list/set/unset pf function signatures (see fcnsign)",
"asj \t list of syscalls in JSON",
"asl \t list of syscalls by asm.os and asm.arch",
"asl close\t returns the syscall number for close",
"asl 4\t returns the name of the syscall number 4",
"ask [query]\t perform syscall/ queries"
],
"Usage: /R \t Search for ROP gadgets": [
"/R [filter-by-string]\t Show gadgets",
"/R/ [filter-by-regexp]\t Show gadgets [regular expression]",
"/Rl [filter-by-string]\t Show gadgets in a linear manner",
"/R/l [filter-by-regexp]\t Show gadgets in a linear manner [regular expression]",
"/Rj [filter-by-string]\t JSON output",
"/R/j [filter-by-regexp]\t JSON output [regular expression]",
"/Rk [select-by-class]\t Query stored ROP gadgets"
],
"Usage: \t ": [
"tl \t list all links in readable format",
"tl [typename]\t link a type to current address.",
"tl [typename] = [address]\t link type to given address.",
"tls [address]\t show link at given address",
"tl-* \t delete all links.",
"tl- [address]\t delete link at given address.",
"tl* \t list all links in radare2 command format",
"tl? \t print this help."
],
"Usage: dbt \t # Backtrace commands": [
"dbt \t Display backtrace based on dbg.btdepth and dbg.btalgo",
"dbt* \t Display backtrace in flags",
"dbt= \t Display backtrace in one line (see dbt=s and dbt=b for sp or bp)",
"dbtj \t Display backtrace in JSON",
"dbte <addr>\t Enable Breakpoint Trace",
"dbtd <addr>\t Disable Breakpoint Trace",
"dbts <addr>\t Swap Breakpoint Trace"
],
"Usage: C[-LCvsdfm*?][*?] [...]\t # Metadata management": [
"C* \t list meta info in r2 commands",
"C- [len] [[@]addr]\t delete metadata at given address range",
"CL [-][*] [file:line] [addr]\t show or add 'code line' information (bininfo)",
"CS [-][space]\t manage meta-spaces to filter comments, etc..",
"CC [?] [-] [comment-text] [@addr]\t add/remove comment",
"CC. [addr]\t show comment in current address",
"CC! [@addr]\t edit comment with $EDITOR",
"CCa [-at]|[at] [text] [@addr]\t add/remove comment at given address",
"CCu [comment-text] [@addr]\t add unique comment",
"Cv [bsr][?]\t add comments to args",
"Cs [?] [-] [size] [@addr]\t add string",
"Cz [@addr]\t add zero-terminated string",
"Ch [-] [size] [@addr]\t hide data",
"Cd [-] [size] [repeat] [@addr]\t hexdump data array (Cd 4 10 == dword [10])",
"Cf [?][-] [sz] [0|cnt][fmt] [a0 a1...] [@addr]\t format memory (see pf?)",
"CF [sz] [fcn-sign..] [@addr]\t function signature",
"Cm [-] [sz] [fmt..] [@addr]\t magic parse (see pm?)"
],
"Usage: dts[*]\t ": [
"dts \t List all trace sessions",
"dts+ \t Add trace session",
"dtsf [file]\t read trace sessions from disk",
"dtst [file]\t save trace sessions to disk"
],
"Usage: ax[?d-l*]\t # see also 'afx?'": [
"ax addr [at]\t add code ref pointing to addr (from curseek)",
"axc addr [at]\t add code jmp ref // unused?",
"axC addr [at]\t add code call ref",
"axg addr\t show xrefs graph to reach current function",
"axd addr [at]\t add data ref",
"axq \t list refs in quiet/human-readable format",
"axj \t list refs in json format",
"axF [flg-glob]\t find data/code references of flags",
"axt [addr]\t find data/code references to this address",
"axf [addr]\t find data/code references from this address",
"ax- [at]\t clean all refs (or refs from addr)",
"ax \t list refs",
"axk [query]\t perform sdb query",
"ax* \t output radare commands"
],
"Usage: p%%[jh] [pieces]\t bar|json|histogram blocks": [
"p- \t show ascii-art bar of metadata in file boundaries",
"p-j \t show json format",
"p-h \t show histogram analysis of metadata per block"
],
"Usage: t \t # cparse types commands": [
"t \t List all loaded types",
"t <type>\t Show type in 'pf' syntax",
"t* \t List types info in r2 commands",
"t- <name>\t Delete types by its name",
"t-* \t Remove all types",
"tb <enum> <value>\t Show matching enum bitfield for given number",
"te [?]\t List all loaded enums",
"te <enum> <value>\t Show name for given enum number",
"td [?] <string>\t Load types from string",
"tf \t List all loaded functions signatures",
"tk <sdb-query>\t Perform sdb query",
"tl [?]\t Show/Link type to an address",
"tn [?] [-][addr]\t manage noreturn function attributes and marks",
"to -\t Open cfg.editor to load types",
"to <path>\t Load types from C header file",
"tos <path>\t Load types from parsed Sdb database",
"tp <type> = <address>\t cast data at <address> to <type> and print it",
"ts [?]\t print loaded struct types",
"tu [?]\t print loaded union types"
],
"Usage: dx \t # Code injection commands": [
"dx <opcode>...\t Inject opcodes",
"dxa nop\t Assemble code and inject",
"dxe egg-expr\t compile egg expression and inject it",
"dxr <opcode>...\t Inject opcodes and restore state",
"dxs write 1\t 0x8048, 12, Syscall injection (see gs)",
"\\nExamples: \t ",
"dx 9090\t Inject two x86 nop",
"\\dxa mov eax 6;mov ebx\t0;int 0x80\\, , Inject and restore state"
],
"Usage: aep[-c]\t [...]": [
"aepc [addr]\t change program counter for esil",
"aep -[addr]\t remove pin",
"aep [name] @ [addr]\t set pin",
"aep \t list pins"
]
}
END-OF-HELP
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment