# r2

## General Information

```
rabin2 -I filename
```

* Output

```
$ rabin2 -I megabeets_0x1
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
```
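The fields worth reading first in that listing are the hardening ones: `canary`, `nx`, `pic` and `relro` tell you which exploit mitigations the binary was built with, and `stripped` tells you whether symbols survive for analysis. As an added example (not from the page or the radare2 project), the Python below parses the `key value` layout that `rabin2 -I` prints and summarises which mitigations are absent; the sample text is the listing above embedded as a constant, and the column layout is assumed from that listing.

```python
"""Parse `rabin2 -I` output and summarise the binary's hardening state.

Added example; not code from the page or the radare2 project. It assumes the
two-column `key<spaces>value` layout shown on the page and embeds the page's
own sample listing as a constant.
"""
from __future__ import annotations

# Constructed sample: the rabin2 -I listing shown on the page.
SAMPLE_RABIN2_INFO = """\
arch     x86
baddr    0x8048000
binsz    6220
bintype  elf
bits     32
canary   false
class    ELF32
compiler GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
"""


def parse_rabin2_info(text: str) -> dict[str, str]:
    """Turn `key value` lines into a dict; the value may itself contain spaces."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        info[key] = value.strip()
    return info


def hardening_report(info: dict[str, str]) -> dict[str, bool]:
    """Map each property to True when the binary has it."""
    def is_true(key: str) -> bool:
        return info.get(key, "false").lower() == "true"

    return {
        "stack_canary": is_true("canary"),          # canary true/false
        "nx_stack": is_true("nx"),                  # non-executable stack
        "pie": is_true("pic"),                      # position independent code
        "full_relro": info.get("relro", "no").lower() == "full",  # partial/full/no
        "has_symbols": not is_true("stripped"),     # symbols left for analysis
    }


def missing_mitigations(info: dict[str, str]) -> list[str]:
    """Names of the four exploit mitigations that are absent, sorted."""
    report = hardening_report(info)
    mitigations = ("stack_canary", "nx_stack", "pie", "full_relro")
    return sorted(name for name in mitigations if not report[name])


if __name__ == "__main__":
    parsed = parse_rabin2_info(SAMPLE_RABIN2_INFO)
    print(f"{parsed['arch']} {parsed['bits']}-bit {parsed['bintype']}")
    print("missing mitigations:", ", ".join(missing_mitigations(parsed)))
```

For the sample binary every one of the four mitigations is missing (no canary, no NX, no PIE, only partial RELRO) and symbols are still present, which is why the later `afl` listing can show names such as `sym.rot13` and `sym.beet` instead of anonymous `fcn.*` entries. To run it on a real file, pipe `rabin2 -I filename` into `parse_rabin2_info`.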

## Run Program with R2

```
r2 ./filename
```

## Find Entrypoints

```
[0x08048370]> ie
[Entrypoints]
vaddr=0x08048370 paddr=0x00000370 haddr=0x00000018 hvaddr=0x08048018 type=program 1 entrypoints
```

* `ie` stands for info entrypoints

## Help

* If you know the general command you want to use, e.g. `i` for info, you can append a `?`

```
i?
```

* This will show you all the help available to append to the `i` flag.

## Analysis

* r2 does not analyze the file by default; you need to run one of the `a` (analysis) commands
* To have r2 analyze the file, issue `aa` (analyze all) or the more thorough `aaa`

```
[0x08048370]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
```

* You can also have r2 analyze the file at startup with

```
r2 -A filename
```

## Flag Space

* After analysis radare2 associates names with interesting offsets in the file, such as sections, functions, symbols and strings.
* All of these names are called `flags`
* Choose a flag space using `fs flagspace` and print the flags it contains with `f`.
* You can pass multiple commands separated by semicolons, e.g. `cmd1;cmd2;cmd3`

```
[0x08048370]> fs imports; f
0x00000000 16 loc.imp.__gmon_start
0x08048320 6 sym.imp.strcmp
0x08048330 6 sym.imp.strcpy
0x08048340 6 sym.imp.puts
0x08048350 6 sym.imp.__libc_start_main
```

* You can see the imported `strcmp`, `strcpy`, `puts`, etc.
* We can also list the `strings` flagspace

```
[0x08048370]> fs strings 
[0x08048370]> f
0x08048700 21 str..::_Megabeets_::.
0x08048715 23 str.Think_you_can_make_it
0x0804872c 10 str.Success
0x08048736 22 str.Nop__Wrong_argument.
```

## Strings

* Let's look at the strings
* `iz` - list the strings in data sections
* `izz` - search for strings in the whole binary

```
[0x08048370]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000700 0x08048700 20  21   .rodata ascii \n  .:: Megabeets ::.
1   0x00000715 0x08048715 22  23   .rodata ascii Think you can make it?
2   0x0000072c 0x0804872c 9   10   .rodata ascii Success!\n
3   0x00000736 0x08048736 21  22   .rodata ascii Nop, Wrong argument.
```

### axt Analyse X-refs to

* `axt` stands for analyze x-refs to
* It finds data or code references to a specific address
* `@@` is a for-each iterator that repeats a command over a list of offsets
* `str.*` is a wildcard matching all flags that start with `str.` (our strings)
* Combined as `axt @@ str.*`, this lists for every string the function that uses it, the address of the use and the referencing instruction
* Select the `strings` flagspace first (the default is `fs *`, i.e. all flagspaces)

## Seeking

* The seek command accepts an address or a math expression as its argument.
* The expression can be a math operation, a flag, or a memory access operation.
* We want to seek to the `main` function.
* You can do that by executing `s main`
* First, though, we want to see what else radare2 has flagged

```
[0x08048370]> afl
0x08048370    1 33           entry0
0x08048350    1 6            sym.imp.__libc_start_main
0x080483b0    4 43           sym.deregister_tm_clones
0x080483e0    4 53           sym.register_tm_clones
0x08048420    3 30           sym.__do_global_dtors_aux
0x08048440    4 43   -> 40   entry.init0
0x080486e0    1 2            sym.__libc_csu_fini
0x080483a0    1 4            sym.__x86.get_pc_thunk.bx
0x0804846b   19 282          sym.rot13
0x080486e4    1 20           sym._fini
0x08048585    1 112          sym.beet
0x08048330    1 6            sym.imp.strcpy
0x08048320    1 6            sym.imp.strcmp
0x08048680    4 93           sym.__libc_csu_init
0x080485f5    5 127          main
0x080482ec    3 35           sym._init
0x08048340    1 6            sym.imp.puts
```

* `afl` stands for analyze functions list

## Disassembling

* Seek to the main function

```
s main
```

* Now disassemble it with

```
pdf
```

* `pdf` stands for print disassemble function
* The prompt will change to the address of `main`!

## Make the Output Prettier

```
e scr.utf8=true
e scr.utf8.curvy=true
```

* Add these lines to `~/.radare2rc` to make the changes permanent

## Visual Mode and Graph Mode

* Much more user-friendly
* Pressing `V` brings us to the Visual Mode screen
* Use `p`/`P` to cycle between the modes
* Navigate to the disassembly view using `p`
* To go back to a specific screen press `q`

### Cross-Reference

* Use `x/X` to list the references to and from (respectively) the current offset. Use the numbers to jump to a reference

### radare2 Commands

* Use `:command` to execute r2 commands from inside Visual Mode

### Comment

* You can add a comment using `;<comment>` followed by `Enter`
* Remove it using `;-`

## Mark Offsets

```
m<key>
```

* Use this to mark a specific offset with a key of your choice, press `'<key>` to choose your key.
* This will allow you to mark important addresses you want to jump to quickly

### Quit

* Press `q` to return to r2 shell

## Visual Graphs

* radare2 has a Graph view
* You can enter the Visual Graph mode from your shell by running `VV`
* Move up, down, left and right with `h,j,k,l`, and jump to a function using `g` followed by the key shown next to the `jump call`

### All Credit:

<https://www.megabeets.net/a-journey-into-radare-2-part-1/>
