Provided by: radare-gtk_1.5.2-6_amd64
NAME
radare — Advanced commandline hexadecimal editor
SYNOPSIS
radare [-s seek] [-b size] [-i script] [-P project] [-l plugin] [-e key=val] [-d program] [-fLcwxnvVuh] target-file
DESCRIPTION
radare is a commandline hexadecimal editor. This software package contains another utilities related to the hex and asm world. Read the 'see also' section for more information. You can use radare as in pipes, from the shell, entering the visual mode with the 'V' command, or just graphically using gradare or the ag command to generate and visualize code analysis graphs from the current seek. Most of the commands accept a '?' mark at the end to show the help for it. The commands are composed in the following way: > [repeat][.!][command] [arg] @ [offset:blocksize] These are the supported flags: -S minlen Enters into the 'strings' mode, and defines a minimum length required for the strings. -s offset Start at a certain offset inside the file. -d prg|pid Run radare in debugger mode and open the program path or attach to pid -b size Change the block size (default is 512, 4096 should be useful for filesystems). -f Set block size = file size -i script Interprets a script of radare commands -l plugin Links radare against the desired plugin. Read about io plugins for more information. See -L -P prj.rdb Define a project file for this session. The projects can be managed with the 'P' command. -e key=val Change the default value for an eval configuration key variable -L List all available plugins embedded inside radare. -n Do not load ~/.radarerc or ./radarerc -c Enable color. Same as -e scr.color=true -u Unknown size. Avoid limit when seeking. Useful for devices or attaching to processes. -v Drops verbosity. Useful flag for scripts, to use radare in pipe mode. -V Show version information and exits. -w Opens the target file in write mode. In write mode changes are made inmediately. So take care because no commit command exist. -h Show help message
SHELL
The command line interface of radare have multiple commands to be entered. Type '?' for help. The readline extension allows you to autocomplete commands and arguments. Numberic argument can be converted into hexadecimal or decimal bases by using the 'tab' key. For example: $ s 10<tab> $ s 0xa -b size (b) Change blocksize. -c[dxf] arg compares memory from string, offset or file contents against current block. Outputs bindiff. -e 0|1 (endian) Changes environment endian into little (0) or big (1). -f -|name (flag) This command allows you to manage flags. Flags are bookmarks around the file. The search engine store the results as flags. You can list flags by typing 'f' or 'flag' without arguments. 'flag name' sets a new flag using the current environment settings (seek, block size). By prefixing a name with the '-' character you will be able to remove a named flag. i (info) Shows radare's environment information (file, endian, count, mode, size, block size, seek, limit, ...) m [s] [d] (m) moves 's' bytes from the current block to the 'd' destination offset. This command requires the write mode to be enabled. Run radare with '-w' flag or type '%WRITE_MODE 1' into the shell. o [file] (open) opens a file in the mode defined by the %WRITE_MODE environment variable closing the current working file. p[f] [n] (pa, pb, pc, pd, po, pr, ps, pu, px, pX) Prints 'n' bytes in the 'f' print format. Available print formats are documented in the 'print format' section. -R arg Manipulates RDB files and data structures. Allows to store code analysis, bindiff them, dump to memory, graph it in cairo or dump/restore them from/to disk r [size] (resize) Changes the size of the file by truncating or extending the file padding zeros at the end. s [+-]off Seeks to an absolute or relative (using the '+' or '-' prefixes) offset. The 'off' argument can be a numeric value or a flag name. (Read 'f' command for more information). -y len Copies len bytes from current seek to a clipboard. Use the 'yy' command to paste it to current seek again. -e key=val Change the default value for an eval configuration key variable V (Visual) Enters into the visual mode. Use the 'q' key to exit this mode. w[aAdfwx] str Write a formatted string or an hexadecimal space separated string. 'wf' is for specifying a file as contents for write. 'wa' is for assembly, etc.. See 'w?' for details. f.ex: '$ w foo\x90' or '$ wx 90 90 90' x [len] (x) eXamine current block. This is an alias for the 'px' command. To be gdb friendly. . [file] (.) Interpret a file as a radare command scripting file. A simple example can be found in 'libexec/elf-entry-point'. You can read 'libexec/elf-flag-header' too. This script creates a flag for each field of an elf header. [-+]off Alias of 'seek [+-]off'. [<] [>] Move data block window to the previous ('<') aligned block offset or the next one ('>'). / str Searchs a string from the current offset until the end of file or 'cfg.limit' if defined (see 'e' command). To enter a hexadecimal string you can type '\x01\x02\x03...' or use the '/x' command with hexpairs. Here's the supported arguments: /s [string] search for an plain ascii string (use \x## for binary inclusion) /w [string] search for an wide char string ('a\x00b\x00') /x [string] search using hexpair format (00 33 4a f2) /a look for expanded aes keys (victor mun~oz algorithm) // repeat last search You can define multiple keywords at a time and launch ranged searches: /k# [string] Set keyword number '#' to ascii format string (with esc. chars). f.ex: "/k0 lib" /m# [mask] Define a binary mask for matching with the keyword number '#'. /r [range] Perform a search using the keywords in the defined range. f.ex: "/r 0-2,4" jajaj ! cmd Runs a commandline shell program. #[hash] Calculates the sha1, sha256, sha384, sha512, par, xor, xorpair, hamdist, mod255, crc16, crc32, md4, md5, entropy of the current block from the selected seek q (quit) Quits the program.
VISUAL
Visual mode allows you to move around the data with 'hjkl' arrows. The '0' and 'G' command are used to go at the first of the file or at the end. 'H' 'L' keys are used to move two bytes forward or backward (double 'h', 'l'). 'J' and 'K' keys are used to seek one block forward or backward. < > Go seek to the previous or next offset aligned to a multiple of the data block size (use the :b command to read the value). p The 'p' command allows you to circle around the different available print mode formats (binary, hexadecimal, disassembler, octal, url, shellcode, c array, ...) [+-*/] The basic math ops keys are used to change the size of the working data block. Use '+' and '-' to increase and decrease the size by 1 byte. And '*' and '/' to add or substract one row of bytes (screen depend). d Change data type for the current block or selected bytes with cursor mode. (dd = hex bytes, dc = code, ds = string) i Enter interactive write mode (use tab to move between hex and ascii columns) : The double-dot sign is used to temporally enter into the command line interface and use the desired radare shell commands. f.e: $ Visual :!ls.
PRINT FORMAT
Print formats are used to format current working block into a certain format. Use p? to list supported ones. The output is affected by cfg.endian (see eval command) A [-P] Analyze data from current seek. Tries to find memory pointers, strings, pointers to strings, etc. Useful to see stack contents and data structures in memory. m [format] [-P] Formats memory contents as byte, dword, pointers, strings, etc.. Useful to parse data structures (see 'rsc spcc' fmi) b [VP] Binary format % [VP] print progress bar of the whole file marking current seek and flag positions B [VP] LSB steganography (take each less significat bit of each byte to complete bytes) o [VP] Octal format O [VP] Zoom out view (see 'eval zoom.' fmi) x [VP] Hexadecimal value. The view command also have (vx, vw, vW, wq) commands for visualizing one, two, four or eight bytes in hexadecimal (endian affected). f [V-] Floating point value (4 first bytes) i [V-] Integer value (4 first bytes) l [V-] long (4 bytes) L [V-] long long (8 bytes) o [V-] octal value (1 byte) s [V-] ascii string (until end of block escapping chars) S [V-] string with printable chars until end of block z [V-] ascii string (until \0) Z [V-] wide ascii string (until \0 with interlaced \0) F [-P] WINDOWS filetime format (64 bit) t [-P] UNIX timestamp (4 bytes, probably 8 in the future) T [-P] DOS timestamp (4 bytes) c [-P] C array format (unsigned char buffer[ (block size) ] = { 0x90, 0x90, ... }; a [-P] Shows the current block as if it was a shellcode in hexadecimal. r [-P] Prints out the current data block to stdout. u [-P] URL encoding format f.ex: '$ pu' -> %4c%69%63... d [VP] disassemble N opcodes D [VP] disassemble N bytes fg
DEBUGGER
The debugger supports multiple commands accessible from the io_system() hook of the plugin. Use !help to list the available commands. !load Reload the process into the debugger !maps Show process memory maps (marks current with '*') !step Perform a step on the attached process !stepu step until user code !stepbp emulate a step using breakpoints and code analysis !run run the program !attach [tid|pid] attach to another thread or process id !detach silent unplug !kill [-signal] [pid] send a signal to the process !jmp [addr] change the program counter of the process !call [addr] simulate a call (jmp + stack return address) !regs get register values !fpregs get floating point register values !oregs get old register values (previous step) !dr[rwx-] manipulate the DRX hardware registers (x86 only) !set [reg] [val] change the register value (eax, eflags, r0, etc..) !fd manage the file descriptors of the child process (dup, open, close, seek) !bt Show backtrace !st Show stacktrace (low level backtrace) !cont continue util user code !contu [addr] continue execution until address alloc [size] Allocate 'size' bytes on the child process free [address] frees the memory previously allocated in the selected address mmap [file] [offset] mmaps a file into a certain offset in the child process !contsc continue until syscall !contfork continue until new process is created !contuh continue until here (useful for loop analysis) !bp [addr] set or remove a breakpoint (use !bp? for help, and prefix the address with '-' to remove it) !mp [rwx] [addr] change memory page protections (useful for watchpoints and so) !dump [dir] Performs a dump of all the process memory pages and register state to disk (with no arguments it is auto-incremental) !restore [dir] Restores a previous dump of the process memory from disk
MOVEMENT
To move around the file you can use the hjkl in visual mode or the 'seek' command in the command line interface. To move around the blocks you can use the '<' '>' commands to align your current seek to a block size multiple. Same keys for the visual mode. You can seek to a relative offset by prefixing your offset by the '+' or '-' characters. For example: $ seek +10 You can also use the temporal seek format for commands appending the '@' to the end of the command
ENVIRONMENT
These values can be used from scripts launched from inside radare (!rsc FILE path to the current working file DPID Debugged process id OFFSET decimal value of the current seek XOFFSET same as OFFSET prefixed with 0x EDITOR default editor to be used for /ascii/ data block edition. OBJDUMP path to 'objdump' executable (useful for disassembling other architectures) By default is 'objdump -m i386 --target=binary -D' HITCMD a radare command to be executed after a search hit has been found. PRINTCMD user command to be used to visualize the data block. This external visor is used by the 'pU' radare command. VISUALCMD command to be used as an IDE environment interpreting a set of commands or a radare script. In commandline mode this command is executed before printing the prompt. In visual mode it is a separated view. PAGER pager to be used for disassembling.
SEE ALSO
radarerc(5), rahash(1), rabin(1), radiff(1), rsc(1), rasc(1), rasm(1), rfile(1), rax(1), xrefs(1)
AUTHORS
pancake <@youterm.com>