Provided by: radare2_6.0.7+ds-1_amd64 
NAME
ESIL — Evaluable Strings Intermediate Language
SYNOPSIS
ESIL (Evaluable Strings Intermediate Language) provides an abstract, stack-based format for representing
CPU instruction semantics across various architectures, facilitating instruction emulation for analysis
and debugging within the radare2 framework.
DESCRIPTION
Evaluable Strings Intermediate Language (ESIL) adopts a Forth-like syntax, offering a method to describe
and emulate the behavior of machine instructions in a platform-agnostic manner. It is particularly useful
in reverse engineering, allowing for cross-architecture binary analysis and exploitation through radare2.
At its core, ESIL is a stack-based language where operations manipulate values on a stack. Each CPU
instruction gets translated into an ESIL expression that models its behavior. This abstraction layer
allows radare2 to emulate code execution without actually running it, making it invaluable for analyzing
untrusted binaries or understanding complex code flows.
SYNTAX
ESIL expressions use a series of operands and operations, manipulating values on an internal stack. These
expressions are executed within an ESIL virtual machine (VM), enabling the simulation of CPU
instructions' effects on registers and memory.
The basic components of ESIL syntax are:
• Uppercase words are special keywords that operate on the ESIL VM (e.g., POP, DUP, TRAP)
• Lowercase words are register names that can be used for reading or writing through operations
• Words starting with $ represent internal variables of the VM that are readonly (e.g., $z for zero
flag)
• Numbers can be in base 10 or hexadecimal (with 0x prefix)
• Operations are separated by commas
• Results are pushed onto the stack or written to registers/memory
The rest of keywords can be added or removed via ESIL or architecture plugins, but this document
describes the common and standard ESIL commands.
USING ESIL IN RADARE2
Radare2 provides several ways to work with ESIL:
• The 'e asm.esil=true' option displays ESIL expressions alongside assembly instructions
• The 'e emu.str=true' option enables string emulation during analysis
• The 'ae' command family provides ways to evaluate and debug ESIL expressions
• Visual mode offers ESIL debugging capabilities through VdE command
These features allow users to inspect register states, memory modifications, and operation flow without
actually executing the binary code on the CPU.
ESIL COMMANDS
Radare2 leverages ESIL for detailed emulation of instruction execution, enabling users to step through
instructions, inspect changes to registers and memory, and evaluate conditional logic in a controlled
environment.
Here are the most commonly used ESIL-related commands:
ae [expr]
Evaluate an ESIL expression. Note that some expressions contain special characters that can be
evaluated by the radare2 shell, so it's better to prefix the command with a single quote ' to
skip that parsing.
aei Initialize the ESIL VM state (required before emulation)
aeim Initialize ESIL VM stack memory
aeip Initialize ESIL program counter to current offset
aer Show or modify ESIL registers
aes ESIL Step: execute a single step in ESIL emulation
aeso ESIL Step Over: perform a step over call instructions in ESIL emulation
aesu [addr]
ESIL Step Until: continue ESIL execution until a specified address is reached
aev [expr]
Enter the interactive visual debugger to debug and emulate an ESIL expression
Typical workflow for ESIL emulation:
aei # Initialize ESIL VM state
aeim # Initialize memory for ESIL VM
aeip # Set program counter to current address
aes # Start stepping through instructions
ESIL OPERATION CATEGORIES
The comma-separated words in an ESIL expression can be grouped into different categories:
Internal flags
Prefixed with '$', they represent internal states of the ESIL VM and are used to perform
conditional operations:
• $z - Zero flag: Set when result is zero
• $c - Carry flag: Set when operation produces a carry
• $b - Borrow flag: Set when operation requires a borrow
• $p - Parity flag: Set when result has even parity
• $s - Sign flag: Set when result is negative
• $o - Overflow flag: Set when result overflows
• $$ - Current address being executed
• $ds, $jt, $js - Used for delay slots and jump targeting
Assignment operations
Pop value and destination from stack and perform assignment:
• = : Strong assignment (updates flags)
• := : Weak assignment (no flag updates)
Arithmetic and binary operations
Basic math operations:
• + - Addition
• - - Subtraction
• * - Multiplication
• L* - Long multiplication (128-bit result)
• / - Division
• ~/ - Signed division
• % - Modulo
• ~% - Signed modulo
• ~ - Sign extension
• & - Bitwise AND
• | - Bitwise OR
• ^ - Bitwise XOR
• ! - Logical NOT
• << - Left shift
• >> - Right shift
• <<< - Rotate left
• >>> - Rotate right
• <<<< - Arithmetic shift left
• >>>> - Arithmetic shift right
Comparison operations
Compare values and set flags:
• == - Equality comparison
• < - Less than
• <= - Less than or equal
• > - Greater than
• >= - Greater than or equal
Control flow
Conditional expressions and flow control:
• ?{ - If condition, execute next block if top of stack is non-zero
• } - End of conditional block
• }{ - Else statement
• GOTO - Jump to specified location
• BREAK - Stop execution
Memory access
Read from or write to memory:
• Reading: [1], [2], [4], [8], [16] - Read 1, 2, 4, 8, or 16 bytes
• Writing: =[1], =[2], =[4], =[8], =[16] - Write 1, 2, 4, 8, or 16 bytes
• Combined: |=[2], +=[4], &=[4], --=[2] - Read-modify-write operations
• Special: [*], =[*] - Variable size operations
Stack manipulation
Special operations to manage the ESIL stack:
• STACK - Display stack contents
• POP - Remove top value
• DUP - Duplicate top value
• NUM - Push number or register value
• SWAP - Swap top two values
• CLEAR - Empty the stack
Special operations
• () - Syscall
• $ - Hardware interrupt
• #! - Execute radare2 command
• TRAP - CPU trap
• BITS - Change bits mode
Floating point operations
• NAN - Check if value is Not-a-Number
• I2D, U2D - Convert integer to double (signed, unsigned)
• D2I - Convert double to integer
• D2F, F2D - Convert between double and float
• F==, F!=, F<, F<= - Floating point comparisons
• F+, F-, F*, F/ - Floating point arithmetic
• -F - Negate floating point value
• CEIL, FLOOR, ROUND - Rounding operations
• SQRT - Square root
UNDERSTANDING ESIL EXPRESSIONS
ESIL expressions are evaluated from left to right, with values being pushed onto or popped from a stack.
The following examples demonstrate how common CPU instructions translate to ESIL:
mov eax, 0x3
Simply assigns the value 3 to register eax:
3,eax,=
add ebx, eax
Adds the value in eax to ebx and stores the result in ebx:
eax,ebx,+=
This is equivalent to the longer form:
eax,ebx,+,ebx,=
xor eax, eax
Performs XOR on eax with itself (effectively zeroing it):
eax,eax,^=
mov byte [ebx], 0x3
Writes the value 3 to the memory address in ebx:
3,ebx,=[1]
test eax, eax
Sets flags based on eax value (primarily the zero flag):
eax,eax,&,zf,=
jz 0x123456
Jumps to address if zero flag is set:
zf,?{,0x123456,eip,=,}
VISUAL ESIL DEBUGGER
Radare2 provides a visual ESIL debugger that allows stepping through ESIL expressions to understand
exactly how they work. This is accessed through the 'aev' command or in visual mode with 'VdE'.
The visual ESIL debugger offers several advantages:
• Step-by-step execution of ESIL expressions
• Visualization of the stack after each operation
• Inspection of register and flag changes
• Memory access monitoring
• Finer-grained control than regular ESIL emulation
When using the visual ESIL debugger, you can use the following controls:
s Step forward one ESIL operation
r Reset the ESIL VM state
q Quit the debugger
This tool is particularly useful for understanding complex instructions or when debugging emulation
issues.
PRACTICAL USAGE EXAMPLES
Here are some practical ways to use ESIL in radare2 for analysis and debugging:
Basic ESIL evaluation
To evaluate a simple ESIL expression:
[0x00000000]> ae 1,1,+
2
Step-by-step emulation
To emulate a function and see register changes:
[0x00000000]> aei # Initialize ESIL VM
[0x00000000]> aeim # Initialize memory
[0x00000000]> aeip # Set PC to current address
[0x00000000]> aes # Step one instruction
[0x00000000]> aer # View registers
ESIL debugging of an expression
To debug a complex ESIL expression using the visual debugger:
[0x00000000]> aev 1,5,+,eax,=
Conditional emulation
To emulate until a condition is met:
[0x00000000]> aecu 0x4000 # Continue until address 0x4000
R2WARS
A code-wars like game implemented on top of ESIL used in the r2con conference. Players write small
programs that compete in a virtual arena, with the ESIL VM executing and evaluating their behavior.
More information: https://github.com/radareorg/r2wars
SEE ALSO
radare2(1)
WWW
https://www.radare.org/
AUTHORS
pancake <pancake@nopcode.org>
Jul 13, 2025 ESIL(7)