Radare2: It source codes is available here: https://github.com/radareorg/radare2
And its binary releases available here: https://github.com/radareorg/radare2/releases
Here below are documented all its commands and subcommands:
Usage: a [abdefFghoprxstc] [...] | a alias for aai - analysis information | a* same as afl*;ah*;ax* | aa[?] analyze all (fcns + bbs) (aa0 to avoid sub renaming) | a8 [hexpairs] analyze bytes | ab[b] [addr] analyze block at given address | abb [len] analyze N basic blocks in [len] (section.size by default) | ac[?] manage classes | aC[?] analyze function call | aCe[?] same as aC, but uses esil with abte to emulate the function | ad[?] analyze data trampoline (wip) | ad [from] [to] analyze data pointers to (from-to) | ae[?] [expr] analyze opcode eval expression (see ao) | af[?] analyze Functions | aF same as above, but using anal.depth=1 | ag[?] [options] draw graphs in various formats | ah[?] analysis hints (force opcode size, ...) | ai [addr] address information (show perms, stack, heap, ...) | aj same as a* but in json (aflj) | aL list all asm/anal plugins (e asm.arch=?) | an [name] [@addr] show/rename/create whatever flag/function is used at addr | ao[?] [len] analyze Opcodes (or emulate it) | aO[?] [len] Analyze N instructions in M bytes | ap find prelude for current offset | ar[?] like 'dr' but for the esil vm. (registers) | as[?] [num] analyze syscall using dbg.reg | av[?] [.] show vtables | ax[?] manage refs/xrefs (see also afx?) Usage: b[f] [arg] Get/Set block size | b 33 set block size to 33 | b eip+4 numeric argument can be an expression | b display current block size | b+3 increase blocksize by 3 | b-16 decrease blocksize by 16 | b* display current block size in r2 command | bf foo set block size to flag size | bj display block size information in JSON | bm 1M set max block size Usage: c[?dfx] [argument] # Compare | c [string] Compare a plain with escaped chars string | c* [string] Same as above, but printing r2 commands instead | c1 [addr] Compare 8 bits from current offset | c2 [value] Compare a word from a math expression | c4 [value] Compare a doubleword from a math expression | c8 [value] Compare a quadword from a math expression | cat [file] Show contents of file (see pwd, ls) | cc [at] Compares in two hexdump columns of block size | ccc [at] Same as above, but only showing different lines | ccd [at] Compares in two disasm columns of block size | ccdd [at] Compares decompiler output (e cmd.pdc=pdg|pdd) | cf [file] Compare contents of file at current seek | cg[?] [o] [file] Graphdiff current file and [file] | cu[?] [addr] @at Compare memory hexdumps of $$ and dst in unified diff | cud [addr] @at Unified diff disasm from $$ and given address | cv[1248] [hexpairs] @at Compare 1,2,4,8-byte (silent return in $?) | cV[1248] [addr] @at Compare 1,2,4,8-byte address contents (silent, return in $?) | cw[?] [us?] [...] Compare memory watchers | cx [hexpair] Compare hexpair string (use '.' as nibble wildcard) | cx* [hexpair] Compare hexpair string (output r2 commands) | cX [addr] Like 'cc' but using hexdiff output | cd [dir] chdir | cl|cls|clear Clear screen, (clear0 to goto 0, 0 only) Usage: d # Debug commands | db[?] Breakpoints commands | dbt[?] Display backtrace based on dbg.btdepth and dbg.btalgo | dc[?] Continue execution | dd[?] File descriptors (!fd in r1) | de[-sc] [perm] [rm] [e] Debug with ESIL (see de?) | dg <file> Generate a core-file (WIP) | dH [handler] Transplant process to a new handler | di[?] Show debugger backend information (See dh) | dk[?] List, send, get, set, signal handlers of child | dL[?] List or set debugger handler | dm[?] Show memory maps | do[?] Open process (reload, alias for 'oo') | doo[args] Reopen in debug mode with args (alias for 'ood') | doof[file] Reopen in debug mode from file (alias for 'oodf') | doc Close debug session | dp[?] List, attach to process or thread id | dr[?] Cpu registers | ds[?] Step, over, source line | dt[?] Display instruction traces | dw <pid> Block prompt until pid dies | dx[?] Inject and run code on target process (See gs) Usage: e [var[=value]] Evaluable vars | e?asm.bytes show description | e?? list config vars with description | e a get value of var 'a' | e a=b set var 'a' the 'b' value | e var=? print all valid values of var | e var=?? print all valid values of var with description | e.a=b same as 'e a=b' but without using a space | e,k=v,k=v,k=v comma separated k[=v] | e- reset config vars | e* dump config vars in r commands | e!a invert the boolean value of 'a' var | ec [k] [color] set color for given key (prompt, offset, ...) | eevar open editor to change the value of var | ed open editor to change the ~/.radare2rc | ej list config vars in JSON | env [k[=v]] get/set environment variable | er [key] set config key as readonly. no way back | es [space] list all eval spaces [or keys] | et [key] show type of given config variable | ev [key] list config vars in verbose format | evj [key] list config vars in verbose format in JSON Usage: f [?] [flagname] # Manage offset-name flags | f list flags (will only list flags from selected flagspaces) | f?flagname check if flag exists or not, See ?? and ?! | f. [*[*]] list local per-function flags (*) as r2 commands | f.blah=$$+12 set local function label named 'blah' | f. fname list all local labels for the given function | f, table output for flags | f* list flags in r commands | f name 12 @ 33 set flag 'name' with length 12 at offset 33 | f name = 33 alias for 'f name @ 33' or 'f name 1 33' | f name 12 33 [cmt] same as above + optional comment | f-.blah@fcn.foo delete local label from function at current seek (also f.-) | f-- delete all flags and flagspaces (deinit) | f+name 12 @ 33 like above but creates new one if doesnt exist | f-name remove flag 'name' | f-@addr remove flag at address expression | f= [glob] list range bars graphics with flag offsets and sizes | fa [name] [alias] alias a flag to evaluate an expression | fb [addr] set base address for new flags | fb [addr] [flag*] move flags matching 'flag' to relative addr | fc[?][name] [color] set color for given flag | fC [name] [cmt] set comment for given flag | fd[?] addr return flag+delta | fe- resets the enumerator counter | fe [name] create flag name.#num# enumerated flag. See fe? | ff ([glob]) distance in bytes to reach the next flag (see sn/sp) | fi [size] | [from] [to] show flags in current block or range | fg[*] ([prefix]) construct a graph with the flag names | fj list flags in JSON format | fl (@[flag]) [size] show or set flag length (size) | fla [glob] automatically compute the size of all flags matching glob | fm addr move flag at current offset to new address | fn list flags displaying the real name (demangled) | fnj list flags displaying the real name (demangled) in JSON format | fN show real name of flag at current address | fN [[name]] [realname] set flag real name (if no flag name current seek one is used) | fo show fortunes | fO [glob] flag as ordinals (sym.* func.* method.*) | fr [[old]] [new] rename flag (if no new flag current seek one is used) | fR[?] [f] [t] [m] relocate all flags matching f&~m 'f'rom, 't'o, 'm'ask | fs[?]+-* manage flagspaces | ft[?]* flag tags, useful to find all flags matching some words | fV[*-] [nkey] [offset] dump/restore visual marks (mK/'K) | fx[d] show hexdump (or disasm) of flag:flagsize | fq list flags in quiet mode | fz[?][name] add named flag zone -name to delete. see fz?[name] Usage: g[wcilper] [arg] Go compile shellcodes | g Compile the shellcode | g foo.r Compile r_egg source file | gw Compile and write | gc cmd=/bin/ls Set config option for shellcodes and encoders | gc List all config options | gl[?] List plugins (shellcodes, encoders) | gs name args Compile syscall name(args) | gi [type] Define the shellcode type | gp padding Define padding for command | ge [encoder] [key] Specify an encoder and a key | gr Reset r_egg | gS Show the current configuration | EVAL VARS: asm.arch, asm.bits, asm.os Usage: head [file] # to list first n lines in file Usage: i Get info from opened file (see rabin2's manpage) Output mode: | '*' Output in radare commands | 'j' Output in json | 'q' Simple quiet output Actions: | i|ij Show info of current file (in JSON) | iA List archs | ia Show all info (imports, exports, sections..) | ib Reload the current buffer for setting of the bin (use once only) | ic List classes, methods and fields | icc List classes, methods and fields in Header Format | icg List classes as agn/age commands to create class hirearchy graphs | icq List classes, in quiet mode (just the classname) | icqq List classes, in quieter mode (only show non-system classnames) | iC[j] Show signature info (entitlements, ...) | id Show DWARF source lines information | idp [file.pdb] Load pdb file information | idpi [file.pdb] Show pdb file information | idpi* Show symbols from pdb as flags (prefix with dot to import) | idpd Download pdb file on remote server | iD lang sym demangle symbolname for given language | ie Entrypoint | iee Show Entry and Exit (preinit, init and fini) | iE Exports (global symbols) | iE. Current export | ih Headers (alias for iH) | iHH Verbose Headers in raw text | ii Imports | iI Binary info | ik [query] Key-value database from RBinObject | il Libraries | iL [plugin] List all RBin plugins loaded or plugin details | im Show info about predefined memory allocation | iM Show main address | io [file] Load info from file (or last opened) use bin.baddr | iO[?] Perform binary operation (dump, resize, change sections, ...) | ir List the Relocations | iR List the Resources | is List the Symbols | is. Current symbol | iS [entropy,sha1] Sections (choose which hash algorithm to use) | iS. Current section | iS= Show ascii-art color bars with the section ranges | iSS List memory segments (maps with om) | it File hashes | iT File signature | iV Display file version info | iw try/catch blocks | iX Display source files used (via dwarf) | iz|izj Strings in data sections (in JSON/Base64) | izz Search for Strings in the whole binary | izzz Dump Strings from whole binary to r2 shell (for huge files) | iz- [addr] Purge string via bin.str.purge | iZ Guess size of binary program Usage: join [file1] [file2] # join the contents of the two files Usage: k[s] [key[=value]] Sdb Query | k anal/** list namespaces under anal | k anal/meta/* list kv from anal > meta namespaces | k anal/meta/meta.0x80404 get value for meta.0x80404 key | k foo show value | k foo=bar set value | k list keys | kd [file.sdb] [ns] dump namespace to disk | kj List all namespaces and sdb databases in JSON format | ko [file.sdb] [ns] open file into namespace | ks [ns] enter the sdb query shell Usage: l[es] # ls to list files, le[ss] to less a file Usage: m[-?*dgy] [...] Mountpoints management | m /mnt ext2 0 Mount ext2 fs at /mnt with delta 0 on IO | m /mnt Mount fs at /mnt with autodetect fs and current offset | m List all mountpoints in human readable format | m* Same as above, but in r2 commands | m-/ Umount given path (/) | mL List filesystem plugins (Same as Lm) | mc [file] Cat: Show the contents of the given file | md / List directory contents for path | mf[?] [o|n] Search files for given filename or for offset | mg /foo Get fs file/dir and dump it to disk | mi /foo/bar Get offset and size of given file | mj List mounted filesystems in JSON | mo /foo/bar Open given file into a malloc:// | mp msdos 0 Show partitions in msdos format at offset 0 | mp List all supported partition types | ms /mnt Open filesystem prompt at /mnt | mw [file] [data] Write data into file | my Yank contents of file into clipboard |ERROR| Invalid command 'n?' (0x6e) Usage: o [com- ] [file] ([offset]) | o [file] 0x4000 rwx map file at 0x4000 | o [file] open [file] file in read-only | o list opened files | o-1 close file descriptor 1 | o* list opened files in r2 commands | o+ [file] open file in read-write mode | o-!* close all opened files | o-- close all files, analysis, binfiles, flags, same as !r2 -- | o. show current filename (or o.q/oq to get the fd) | o: [len] open a malloc://[len] copying the bytes from current offset | o= list opened files (ascii-art bars) | oL list all IO plugins registered | oa[-] [A] [B] [filename] Specify arch and bits for given file | ob[?] [lbdos] [...] list opened binary files backed by fd | oc [file] open core file, like relaunching r2 | of [file] open file and map it at addr 0 as read-only | oi[-|idx] alias for o, but using index instead of fd | oj[?] list opened files in JSON format | om[?] create, list, remove IO maps | on [file] 0x4000 map raw file at 0x4000 (no r_bin involved) | oo[?+bcdnm] reopen current file (see oo?) (reload in rw or debugger) | op [fd] select the given fd as current file (see also ob) | oq list all open files | ox fd fdx exchange the descs of fd and fdx and keep the mapping Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr] | p[b|B|xb] [len] ([S]) bindump N bits skipping S bytes | p[iI][df] [len] print N ops/bytes (f=func) (see pi? and pdi) | p[kK] [len] print key in randomart (K is for mosaic) | p-[?][jh] [mode] bar|json|histogram blocks (mode: e?search.in) | p2 [len] 8x8 2bpp-tiles | p3 [file] print stereogram (3D) | p6[de] [len] base64 decode/encode | p8[?][j] [len] 8bit hexpair list of bytes | p=[?][bep] [N] [L] [b] show entropy/printable chars/chars bars | pa[edD] [arg] pa:assemble pa[dD]:disasm or pae: esil from hex | pA[n_ops] show n_ops address and type | pb[?] [n] bitstream of N bits | pB[?] [n] bitstream of N bytes | pc[?][p] [len] output C (or python) format | pC[aAcdDxw] [rows] print disassembly in columns (see hex.cols and pdi) | pd[?] [sz] [a] [b] disassemble N opcodes (pd) or N bytes (pD) | pf[?][.nam] [fmt] print formatted data (pf.name, pf.name $<expr>) | pF[?][apx] print asn1, pkcs7 or x509 | pg[?][x y w h] [cmd] create new visual gadget or print it (see pg? for details) | ph[?][=|hash] ([len]) calculate hash for a block | pj[?] [len] print as indented JSON | pm[?] [magic] print libmagic data (see pm? and /m?) | po[?] hex print operation applied to block (see po?) | pp[?][sz] [len] print patterns, see pp? for more help | pq[?][is] [len] print QR code with the first Nbytes | pr[?][glx] [len] print N raw bytes (in lines or hexblocks, 'g'unzip) | ps[?][pwz] [len] print pascal/wide/zero-terminated strings | pt[?][dn] [len] print different timestamps | pu[?][w] [len] print N url encoded bytes (w=wide) | pv[?][jh] [mode] show variable/pointer/value in memory | pwd display current working directory | px[?][owq] [len] hexdump of N bytes (o=octal, w=32bit, q=64bit) | pz[?] [len] print zoom view (see pz? for help) Usage: q[!][!] [retval] | q quit program | q! force quit (no questions) | q!! force quit without saving history | q!!! force quit without freeing anything | q 1 quit with return value 1 | q a-b quit with return value a-b | q[y/n][y/n] quit, chose to kill process, chose to save project | Q same as q!! Usage: r[+-][ size] Resize file | r display file size | r size expand or truncate file to given size | r-num remove num bytes, move following data down | r+num insert num bytes, move following data up | rboldbase @ newbase rebase all flags, bin.info, breakpoints and analysis | rm [file] remove file | rh show size in human format | r2 [file] launch r2 (same for rax2, rasm2, ...) | reset reset console settings (clear --hard) Usage: s # Help for the seek commands. See ?$? to see all variables | s Print current address | s.hexoff Seek honoring a base from core->offset | s:pad Print current address with N padded zeros (defaults to 8) | s addr Seek to address | s- Undo seek | s-* Reset undo seek history | s- n Seek n bytes backward | s--[n] Seek blocksize bytes backward (/=n) | s+ Redo seek | s+ n Seek n bytes forward | s++[n] Seek blocksize bytes forward (/=n) | s[j*=!] List undo seek history (JSON, =list, *r2, !=names, s==) | s/ DATA Search for next occurrence of 'DATA' | s/x 9091 Search for next occurrence of x90x91 | sa [[+-]a] [asz] Seek asz (or bsize) aligned to addr | sb Seek aligned to bb start | sC[?] string Seek to comment matching given string | sf Seek to next function (f->addr+f->size) | sf function Seek to address of specified function | sf. Seek to the beginning of current function | sg/sG Seek begin (sg) or end (sG) of section or file | sl[?] [+-]line Seek to line | sn/sp ([nkey]) Seek to next/prev location, as specified by scr.nkey | so [N] Seek to N next opcode(s) | sr pc Seek to register | ss Seek silently (without adding an entry to the seek history) Usage: t # cparse types commands | t List all loaded types | tj List all loaded types as json | t <type> Show type in 'pf' syntax | t* List types info in r2 commands | t- <name> Delete types by its name | t-* Remove all types | tail [filename] Output the last part of files | tc [type.name] List all/given types in C output format | te[?] List all loaded enums | td[?] <string> Load types from string | tf List all loaded functions signatures | tk <sdb-query> Perform sdb query | tl[?] Show/Link type to an address | tn[?] [-][addr] manage noreturn function attributes and marks | to - Open cfg.editor to load types | to <path> Load types from C header file | toe [type.name] Open cfg.editor to edit types | tos <path> Load types from parsed Sdb database | tp <type> [addr|varname] cast data at <address> to <type> and print it (XXX: type can contain spaces) | tpv <type> @ [value] Show offset formatted for given type | tpx <type> <hexpairs> Show value for type with specified byte sequence (XXX: type can contain spaces) | ts[?] Print loaded struct types | tu[?] Print loaded union types | tx[f?] Type xrefs | tt[?] List all loaded typedefs Usage: u uname or undo write/seek | u show system uname | uw alias for wc (requires: e io.cache=true) | us alias for s- (seek history) | uc undo core commands (uc?, ucl, uc*, ..) | uniq filter rows to avoid duplicates | uname uname - show system information Usage: v[*i] v.test # save current layout with name test v test # load saved layout with name test vi ... # launch 'cfg.editor' Usage: w[x] [str] [<file] [<<EOF] [@addr] | w[1248][+-][n] increment/decrement byte,word.. | w foobar write string 'foobar' | w0 [len] write 'len' bytes with value 0x00 | w6[de] base64/hex write base64 [d]ecoded or [e]ncoded string | wa[?] push ebp write opcode, separated by ';' (use '"' around the command) | waf f.asm assemble file and write bytes | waF f.asm assemble file and write bytes and show 'wx' op with hexpair bytes of assembled code | wao[?] op modify opcode (change conditional of jump. nop, etc) | wA[?] r 0 alter/modify opcode at current seek (see wA?) | wb 010203 fill current block with cyclic hexpairs | wB[-]0xVALUE set or unset bits with given value | wc list all write changes | wc[?][jir+-*?] write cache undo/commit/reset/list (io.cache) | wd [off] [n] duplicate N bytes from offset at current seek (memcpy) (see y?) | we[?] [nNsxX] [arg] extend write operations (insert instead of replace) | wf[fs] -|file write contents of file at current offset | wh r2 whereis/which shell command | wm f0ff set binary mask hexpair to be used as cyclic write mask | wo[?] hex write in block with operation. 'wo?' fmi | wp[?] -|file apply radare patch file. See wp? fmi | wr 10 write 10 random bytes | ws pstring write 1 byte for length and then the string | wt[f][?] file [sz] write to file (from current seek, blocksize or sz bytes) | wts host:port [sz] send data to remote host:port via tcp:// | ww foobar write wide string 'fx00ox00ox00bx00ax00rx00' | wx[?][fs] 9090 write two intel nops (from wxfile or wxseek) | wv[?] eip+34 write 32-64 bit value honoring cfg.bigendian | wz string write zero terminated string (like w + x00) Usage: px[0afoswqWqQ][f] # Print heXadecimal | px show hexdump | px/ same as x/ in gdb (help x) | px0 8bit hexpair list of bytes until zero byte | pxa show annotated hexdump | pxA[?] show op analysis color map | pxb dump bits in hexdump form | pxc show hexdump with comments | pxd[?1248] signed integer dump (1 byte, 2 and 4) | pxe emoji hexdump! :) | pxf show hexdump of current function | pxh show hexadecimal half-words dump (16bit) | pxH same as above, but one per line | pxi HexII compact binary representation | pxl display N lines (rows) of hexdump | pxo show octal dump | pxq show hexadecimal quad-words dump (64bit) | pxQ[q] same as above, but one per line | pxr[j] show words with references to flags and code (q=quiet) | pxs show hexadecimal in sparse mode | pxt[*.] [origin] show delta pointer table in r2 commands | pxw show hexadecimal words dump (32bit) | pxW[q] same as above, but one per line (q=quiet) | pxx show N bytes of hex-less hexdump | pxX show N words of hex-less hexdump Usage: y[ptxy] [len] [[@]addr] # See wd? for memcpy, same as 'yf'. | y! open cfg.editor to edit the clipboard | y 16 0x200 copy 16 bytes into clipboard from 0x200 | y 16 @ 0x200 copy 16 bytes into clipboard from 0x200 | y 16 copy 16 bytes into clipboard | y show yank buffer information (srcoff len bytes) | y* print in r2 commands what's been yanked | yf 64 0x200 copy file 64 bytes from 0x200 from file | yfa file copy copy all bytes from file (opens w/ io) | yfx 10203040 yank from hexpairs (same as ywx) | yj print in JSON commands what's been yanked | yp print contents of clipboard | yq print contents of clipboard in hexpairs | ys print contents of clipboard as string | yt 64 0x200 copy 64 bytes from current seek to 0x200 | ytf file dump the clipboard to given file | yw hello world yank from string | ywx 10203040 yank from hexpairs (same as yfx) | yx print contents of clipboard in hexadecimal | yy 0x3344 paste clipboard | yz [len] copy nul-terminated string (up to blocksize) into clipboard Usage: z[*j-aof/cs] [args] # Manage zignatures | z show zignatures | z. find matching zignatures in current offset | z* show zignatures in radare format | zq show zignatures in quiet mode | zj show zignatures in json format | zk show zignatures in sdb format | z-zignature delete zignature | z-* delete all zignatures | za[?] add zignature | zg generate zignatures (alias for zaF) | zo[?] manage zignature files | zf[?] manage FLIRT signatures | z/[?] search zignatures | zc[?] compare current zignspace zignatures with another one | zs[?] manage zignspaces | zi show zignatures matching information
And there are also “aliases”:
You must be logged in to post a comment.