Provided by: radare-gtk_1.5.2-6_amd64 bug

NAME

     radare — Advanced commandline hexadecimal editor

SYNOPSIS

     radare [-s seek] [-b size] [-i script] [-P project] [-l plugin] [-e key=val] [-d program]
            [-fLcwxnvVuh] target-file

DESCRIPTION

     radare is a commandline hexadecimal editor.

     This software package contains another utilities related to the hex and asm world. Read the
     'see also' section for more information.

     You can use radare as in pipes, from the shell, entering the visual mode with the 'V'
     command, or just graphically using gradare or the ag command to generate and visualize code
     analysis graphs from the current seek.

     Most of the commands accept a '?' mark at the end to show the help for it.

     The commands are composed in the following way:

     > [repeat][.!][command] [arg] @ [offset:blocksize]

     These are the supported flags:

     -S minlen   Enters into the 'strings' mode, and defines a minimum length required for the
                 strings.

     -s offset   Start at a certain offset inside the file.

     -d prg|pid  Run radare in debugger mode and open the program path or attach to pid

     -b size     Change the block size (default is 512, 4096 should be useful for filesystems).

     -f          Set block size = file size

     -i script   Interprets a script of radare commands

     -l plugin   Links radare against the desired plugin. Read about io plugins for more
                 information. See -L

     -P prj.rdb  Define a project file for this session. The projects can be managed with the 'P'
                 command.

     -e key=val  Change the default value for an eval configuration key variable

     -L          List all available plugins embedded inside radare.

     -n          Do not load ~/.radarerc or ./radarerc

     -c          Enable color. Same as -e scr.color=true

     -u          Unknown size. Avoid limit when seeking. Useful for devices or attaching to
                 processes.

     -v          Drops verbosity. Useful flag for scripts, to use radare in pipe mode.

     -V          Show version information and exits.

     -w          Opens the target file in write mode. In write mode changes are made inmediately.
                 So take care because no commit command exist.

     -h          Show help message

SHELL

     The command line interface of radare have multiple commands to be entered. Type '?' for
     help.

     The readline extension allows you to autocomplete commands and arguments. Numberic argument
     can be converted into hexadecimal or decimal bases by using the 'tab' key. For example: $ s
     10<tab> $ s 0xa

     -b size     (b) Change blocksize.

     -c[dxf] arg
                 compares memory from string, offset or file contents against current block.
                 Outputs bindiff.

     -e 0|1      (endian) Changes environment endian into little (0) or big (1).

     -f -|name   (flag) This command allows you to manage flags. Flags are bookmarks around the
                 file. The search engine store the results as flags. You can list flags by typing
                 'f' or 'flag' without arguments. 'flag name' sets a new flag using the current
                 environment settings (seek, block size). By prefixing a name with the '-'
                 character you will be able to remove a named flag.

     i           (info) Shows radare's environment information (file, endian, count, mode, size,
                 block size, seek, limit, ...)

     m [s] [d]   (m) moves 's' bytes from the current block to the 'd' destination offset. This
                 command requires the write mode to be enabled. Run radare with '-w' flag or type
                 '%WRITE_MODE 1' into the shell.

     o [file]    (open) opens a file in the mode defined by the %WRITE_MODE environment variable
                 closing the current working file.

     p[f] [n]    (pa, pb, pc, pd, po, pr, ps, pu, px, pX) Prints 'n' bytes in the 'f' print
                 format. Available print formats are documented in the 'print format' section.

     -R arg      Manipulates RDB files and data structures. Allows to store code analysis,
                 bindiff them, dump to memory, graph it in cairo or dump/restore them from/to
                 disk

     r [size]    (resize) Changes the size of the file by truncating or extending the file
                 padding zeros at the end.

     s [+-]off   Seeks to an absolute or relative (using the '+' or '-' prefixes) offset. The
                 'off' argument can be a numeric value or a flag name. (Read 'f' command for more
                 information).

     -y len      Copies len bytes from current seek to a clipboard. Use the 'yy' command to paste
                 it to current seek again.

     -e key=val  Change the default value for an eval configuration key variable

     V           (Visual) Enters into the visual mode. Use the 'q' key to exit this mode.

     w[aAdfwx] str
                 Write a formatted string or an hexadecimal space separated string. 'wf' is for
                 specifying a file as contents for write. 'wa' is for assembly, etc.. See 'w?'
                 for details. f.ex: '$ w foo\x90' or '$ wx 90 90 90'

     x [len]     (x) eXamine current block. This is an alias for the 'px' command. To be gdb
                 friendly.

     . [file]    (.) Interpret a file as a radare command scripting file. A simple example can be
                 found in 'libexec/elf-entry-point'. You can read 'libexec/elf-flag-header' too.
                 This script creates a flag for each field of an elf header.

     [-+]off     Alias of 'seek [+-]off'.

     [<] [>]     Move data block window to the previous ('<') aligned block offset or the next
                 one ('>').

     / str       Searchs a string from the current offset until the end of file or 'cfg.limit' if
                 defined (see 'e' command). To enter a hexadecimal string you can type
                 '\x01\x02\x03...' or use the '/x' command with hexpairs. Here's the supported
                 arguments:

     /s [string]
                 search for an plain ascii string (use \x## for binary inclusion)

     /w [string]
                 search for an wide char string ('a\x00b\x00')

     /x [string]
                 search using hexpair format (00 33 4a f2)

     /a          look for expanded aes keys (victor mun~oz algorithm)

     //          repeat last search
     You can define multiple keywords at a time and launch ranged searches:

     /k# [string]
                 Set keyword number '#' to ascii format string (with esc. chars). f.ex: "/k0 lib"

     /m# [mask]  Define a binary mask for matching with the keyword number '#'.

     /r [range]  Perform a search using the keywords in the defined range. f.ex: "/r 0-2,4"

     jajaj

     ! cmd       Runs a commandline shell program.

     #[hash]     Calculates the sha1, sha256, sha384, sha512, par, xor, xorpair, hamdist, mod255,
                 crc16, crc32, md4, md5, entropy of the current block from the selected seek

     q           (quit) Quits the program.

VISUAL

     Visual mode allows you to move around the data with 'hjkl' arrows. The '0' and 'G' command
     are used to go at the first of the file or at the end. 'H' 'L' keys are used to move two
     bytes forward or backward (double 'h', 'l'). 'J' and 'K' keys are used to seek one block
     forward or backward.

     < >         Go seek to the previous or next offset aligned to a multiple of the data block
                 size (use the :b command to read the value).

     p           The 'p' command allows you to circle around the different available print mode
                 formats (binary, hexadecimal, disassembler, octal, url, shellcode, c array, ...)

     [+-*/]      The basic math ops keys are used to change the size of the working data block.
                 Use '+' and '-' to increase and decrease the size by 1 byte. And '*' and '/' to
                 add or substract one row of bytes (screen depend).

     d           Change data type for the current block or selected bytes with cursor mode. (dd =
                 hex bytes, dc = code, ds = string)

     i           Enter interactive write mode (use tab to move between hex and ascii columns)

     :           The double-dot sign is used to temporally enter into the command line interface
                 and use the desired radare shell commands. f.e: $ Visual :!ls.

PRINT FORMAT

     Print formats are used to format current working block into a certain format. Use p? to list
     supported ones.

     The output is affected by cfg.endian (see eval command)

     A           [-P] Analyze data from current seek. Tries to find memory pointers, strings,
                 pointers to strings, etc. Useful to see stack contents and data structures in
                 memory.

     m [format]  [-P] Formats memory contents as byte, dword, pointers, strings, etc.. Useful to
                 parse data structures (see 'rsc spcc' fmi)

     b           [VP] Binary format

     %           [VP] print progress bar of the whole file marking current seek and flag
                 positions

     B           [VP] LSB steganography (take each less significat bit of each byte to complete
                 bytes)

     o           [VP] Octal format

     O           [VP] Zoom out view (see 'eval zoom.' fmi)

     x           [VP] Hexadecimal value. The view command also have (vx, vw, vW, wq) commands for
                 visualizing one, two, four or eight bytes in hexadecimal (endian affected).

     f           [V-] Floating point value (4 first bytes)

     i           [V-] Integer value (4 first bytes)

     l           [V-] long (4 bytes)

     L           [V-] long long (8 bytes)

     o           [V-] octal value (1 byte)

     s           [V-] ascii string (until end of block escapping chars)

     S           [V-] string with printable chars until end of block

     z           [V-] ascii string (until \0)

     Z           [V-] wide ascii string (until \0 with interlaced \0)

     F           [-P] WINDOWS filetime format (64 bit)

     t           [-P] UNIX timestamp (4 bytes, probably 8 in the future)

     T           [-P] DOS timestamp (4 bytes)

     c           [-P] C array format (unsigned char buffer[ (block size) ] = { 0x90, 0x90, ... };

     a           [-P] Shows the current block as if it was a shellcode in hexadecimal.

     r           [-P] Prints out the current data block to stdout.

     u           [-P] URL encoding format f.ex:  '$ pu' -> %4c%69%63...

     d           [VP] disassemble N opcodes

     D           [VP] disassemble N bytes fg

DEBUGGER

     The debugger supports multiple commands accessible from the io_system() hook of the plugin.
     Use !help to list the available commands.

     !load       Reload the process into the debugger

     !maps       Show process memory maps (marks current with '*')

     !step       Perform a step on the attached process

     !stepu      step until user code

     !stepbp     emulate a step using breakpoints and code analysis

     !run        run the program

     !attach [tid|pid]
                 attach to another thread or process id

     !detach     silent unplug

     !kill [-signal] [pid]
                 send a signal to the process

     !jmp [addr]
                 change the program counter of the process

     !call [addr]
                 simulate a call (jmp + stack return address)

     !regs       get register values

     !fpregs     get floating point register values

     !oregs      get old register values (previous step)

     !dr[rwx-]   manipulate the DRX hardware registers (x86 only)

     !set [reg] [val]
                 change the register value (eax, eflags, r0, etc..)

     !fd         manage the file descriptors of the child process (dup, open, close, seek)

     !bt         Show backtrace

     !st         Show stacktrace (low level backtrace)

     !cont       continue util user code

     !contu [addr]
                 continue execution until address

     alloc [size]
                 Allocate 'size' bytes on the child process

     free [address]
                 frees the memory previously allocated in the selected address

     mmap [file] [offset]
                 mmaps a file into a certain offset in the child process

     !contsc     continue until syscall

     !contfork   continue until new process is created

     !contuh     continue until here (useful for loop analysis)

     !bp [addr]  set or remove a breakpoint (use !bp? for help, and prefix the address with '-'
                 to remove it)

     !mp [rwx] [addr]
                 change memory page protections (useful for watchpoints and so)

     !dump [dir]
                 Performs a dump of all the process memory pages and register state to disk (with
                 no arguments it is auto-incremental)

     !restore [dir]
                 Restores a previous dump of the process memory from disk

MOVEMENT

     To move around the file you can use the hjkl in visual mode or the 'seek' command in the
     command line interface.

     To move around the blocks you can use the '<' '>' commands to align your current seek to a
     block size multiple. Same keys for the visual mode.

     You can seek to a relative offset by prefixing your offset by the '+' or '-' characters. For
     example: $ seek +10

     You can also use the temporal seek format for commands appending the '@' to the end of the
     command

ENVIRONMENT

     These values can be used from scripts launched from inside radare (!rsc FILE path to the
     current working file DPID Debugged process id OFFSET decimal value of the current seek
     XOFFSET same as OFFSET prefixed with 0x EDITOR default editor to be used for /ascii/ data
     block edition.

     OBJDUMP path to 'objdump' executable (useful for disassembling other architectures) By
     default is 'objdump -m i386 --target=binary -D'

     HITCMD a radare command to be executed after a search hit has been found.

     PRINTCMD user command to be used to visualize the data block. This external visor is used by
     the 'pU' radare command.

     VISUALCMD command to be used as an IDE environment interpreting a set of commands or a
     radare script. In commandline mode this command is executed before printing the prompt. In
     visual mode it is a separated view.

     PAGER pager to be used for disassembling.

SEE ALSO

     radarerc(5), rahash(1), rabin(1), radiff(1), rsc(1), rasc(1), rasm(1), rfile(1), rax(1),
     xrefs(1)

AUTHORS

     pancake <@youterm.com>