luca-m · October 18, 2014 14:58
diff --git a/gistfile1.txt b/gistfile1.txt
 # ----------------------------------------------------------------------
 #	Radare2 
 #		(Quick n'dirty) Cheat-Sheet
 # 													[email protected]
 # ----------------------------------------------------------------------
 # See http://radare.org/doc/html/contents.html for details
 # ----------------------------------------------------------------------


 # MISC

 ?
 	Help command, try to abuse of it (also in combination with other commands)
 ia
 	show all info (imports, exports, sections..)
 f
 	print flags (see "fs" for understanding what flags are)
 fs [symbols|imports|sections|strings|regs|maps|*]
 	select flags to print during "f" command execution
 S
 	print SECTION LIST in several ways (S? for help)
 s <address_or_label>
 	seek to specified address or label.
 	Note sS <section_num> will seek to the specified section

 # PRINT

 x
 	print EXadecimal DUMP (alias of px)
 ps
 	print string ("..abc\x11\xcc..")
 pb
 	print bitstream ("..00100101..")

 # PRINT::DISASSEMBLE

 pD <N>
 	disassemble <N> bytes
 pd
 	disassemble "b" blocks (use command b to see how many)
 pdf
 	disassemble a whole function (usefull in case "well-formed" functions)

 <disassemble_command>@<address_or_label>
 	disassembe starting from specified address 

 # SEARCH

 / <string>
 	search for string
 /w foo
 	search for wide string 'f\0o\0o\0'
 /!_
 	search for first occurrence not matching.
 /i <string>
 	ignoring case
 /e /<regex>/i
 	match regular expression
 /x <hexstr>
 	search for hex string
 /c jmp [esp]
 	SEARCH for ASM code (see search.asmstr)
 /a jmp eax
 	ASSEMBLE opcode and SEARCH its bytes
 /A
 	search for AES expanded keys
 /z <min> <max>
 	search for strings of given size
 //
 	REPEAT last SEARCH

 # PATCHING
 # Notes:	-default write mode is replace (not insert)
 # 			-launch radare with "-w" option to disable read-only mode (default)
 #			-start writing on seek position (default)
 w  <string> [@<address_or_label>]; write plain with escaped chars string

 wA '<opcode>' [@<address_or_label>]
 	WRITE ASSEMBLY using asm.arch and rsc asm
 wa <opcode>
 	write assembly using asm.arch and rasm
 wv <expr>
 	write the result of the expression.
 	Note: expression might contains label (eg. eip+34)
 wf <file>
 	write contents of file at current seek
 r <size>
 	Resize the file to <size> bytes
 	Other Example: 
 		r -10 @ 33	//strip 10 bytes at offset 33

 # PATCHING::WRITE IN BLOCK

 wo_ <hexvalue||hex_pair>@<address>[:block_size]
 	in order to emulate the effect of this self modifying code, we can 
 	modify code applying a specified operation to a chunk of bytes 
 	(wo? for help).

 # DEBUG
 # Substantially provides a common general interface to specific debuggers
 # http://radare.org/doc/html/Chapter20.html#debugging
 //TODO

 # UNDO/REDO
 # not in radare2 :(
 u
 	list all write changes
 	u 3   //undo write change at index 3
 	u -3  //redo write change at index 3

 # VISUAL MODE
 #
 V
 	starts the visual mode
 	Help output:
 		>||<    - seek aligned to block size
 		hjkl    - move around (HJKL for faster movements)
 		pP      - rotate print modes (hex,string,disass,bitstream ...)
 		/*+-[]  - change block size, [] = resize scr.cols
 		cC      - toggle cursor and colors
 		gG      - go seek to begin and end of file (0-$s)
 		d[f?]   - define function, data, code, ..
 		x       - show xrefs to seek between them
 		sS      - step / step over
 		e       - edit eval configuration variables
 		t       - track flags (browse symbols, functions..)
 		T       - browse anal info and comments
 		v       - visual code analysis menu
 		fF      - seek next/prev function/flag/hit (scr.fkey)
 		B       - toggle automatic block size
 		uU      - undo/redo seek
 		yY      - copy and paste selection
 		mK/'K   - mark/go to Key (any key)
 		M       - show mount points
 		:cmd    - run radare command
 		;[-]cmt - add/remove comment
 		.       - seek to program counter
 		z       - toggle zoom mode
 		q       - back to radare shell

 # ASSEMBLE

 rasm2 "<asm-instruction>[;asm-instruction>]"
 	Obtain the opcode of the specified intruction list.
	# ----------------------------------------------------------------------
	# Radare2
	# (Quick n'dirty) Cheat-Sheet
	# [email protected]
	# ----------------------------------------------------------------------
	# See http://radare.org/doc/html/contents.html for details
	# ----------------------------------------------------------------------


	# MISC

	?
	Help command, try to abuse of it (also in combination with other commands)
	ia
	show all info (imports, exports, sections..)
	f
	print flags (see "fs" for understanding what flags are)
	fs [symbols\|imports\|sections\|strings\|regs\|maps\|*]
	select flags to print during "f" command execution
	S
	print SECTION LIST in several ways (S? for help)
	s <address_or_label>
	seek to specified address or label.
	Note sS <section_num> will seek to the specified section

	# PRINT

	x
	print EXadecimal DUMP (alias of px)
	ps
	print string ("..abc\x11\xcc..")
	pb
	print bitstream ("..00100101..")

	# PRINT::DISASSEMBLE

	pD <N>
	disassemble <N> bytes
	pd
	disassemble "b" blocks (use command b to see how many)
	pdf
	disassemble a whole function (usefull in case "well-formed" functions)

	<disassemble_command>@<address_or_label>
	disassembe starting from specified address

	# SEARCH

	/ <string>
	search for string
	/w foo
	search for wide string 'f\0o\0o\0'
	/!_
	search for first occurrence not matching.
	/i <string>
	ignoring case
	/e /<regex>/i
	match regular expression
	/x <hexstr>
	search for hex string
	/c jmp [esp]
	SEARCH for ASM code (see search.asmstr)
	/a jmp eax
	ASSEMBLE opcode and SEARCH its bytes
	/A
	search for AES expanded keys
	/z <min> <max>
	search for strings of given size
	//
	REPEAT last SEARCH

	# PATCHING
	# Notes: -default write mode is replace (not insert)
	# -launch radare with "-w" option to disable read-only mode (default)
	# -start writing on seek position (default)
	w <string> [@<address_or_label>]; write plain with escaped chars string

	wA '<opcode>' [@<address_or_label>]
	WRITE ASSEMBLY using asm.arch and rsc asm
	wa <opcode>
	write assembly using asm.arch and rasm
	wv <expr>
	write the result of the expression.
	Note: expression might contains label (eg. eip+34)
	wf <file>
	write contents of file at current seek
	r <size>
	Resize the file to <size> bytes
	Other Example:
	r -10 @ 33 //strip 10 bytes at offset 33

	# PATCHING::WRITE IN BLOCK

	wo_ <hexvalue\|\|hex_pair>@<address>[:block_size]
	in order to emulate the effect of this self modifying code, we can
	modify code applying a specified operation to a chunk of bytes
	(wo? for help).

	# DEBUG
	# Substantially provides a common general interface to specific debuggers
	# http://radare.org/doc/html/Chapter20.html#debugging
	//TODO

	# UNDO/REDO
	# not in radare2 :(
	u
	list all write changes
	u 3 //undo write change at index 3
	u -3 //redo write change at index 3

	# VISUAL MODE
	#
	V
	starts the visual mode
	Help output:
	>\|\|< - seek aligned to block size
	hjkl - move around (HJKL for faster movements)
	pP - rotate print modes (hex,string,disass,bitstream ...)
	/*+-[] - change block size, [] = resize scr.cols
	cC - toggle cursor and colors
	gG - go seek to begin and end of file (0-$s)
	d[f?] - define function, data, code, ..
	x - show xrefs to seek between them
	sS - step / step over
	e - edit eval configuration variables
	t - track flags (browse symbols, functions..)
	T - browse anal info and comments
	v - visual code analysis menu
	fF - seek next/prev function/flag/hit (scr.fkey)
	B - toggle automatic block size
	uU - undo/redo seek
	yY - copy and paste selection
	mK/'K - mark/go to Key (any key)
	M - show mount points
	:cmd - run radare command
	;[-]cmt - add/remove comment
	. - seek to program counter
	z - toggle zoom mode
	q - back to radare shell

	# ASSEMBLE

	rasm2 "<asm-instruction>[;asm-instruction>]"
	Obtain the opcode of the specified intruction list.