Radare2 Reverse Engineering

Radare2 (r2) is a complete framework for reverse engineering and binary analysis.

Quick Start

Open a binary for analysis:

r2 -A binary      # Open with auto-analysis
r2 -d binary      # Open in debug mode
r2 -w binary      # Open in write mode (for patching)

Essential Commands

Navigation & Analysis

Command	Description
aaa	Analyze all (functions, refs, calls)
afl	List all functions
s addr	Seek to address
s main	Seek to main function
pdf	Print disassembly of current function
pd 20	Print 20 instructions

Information Gathering

Command	Description
i	File info
ie	Entrypoints
iS	Sections
ii	Imports
iE	Exports
iz	Strings in data sections
izz	All strings in binary

Cross-References

Command	Description
axt addr	Find xrefs to address
axf addr	Find xrefs from address
afx	Xrefs in current function

Visual Modes

Command	Description
V	Visual mode
VV	Graph mode
v	Visual panels

Debugging

Command	Description
db addr	Set breakpoint
dc	Continue execution
ds	Step instruction
dso	Step over
dr	Show registers
dm	Memory maps

Searching

Command	Description
/x 9090	Search hex bytes
/ string	Search string
/R pattern	Search ROP gadgets
/c opcode	Search assembly pattern

Writing & Patching

Command	Description
wa nop	Write assembly at current position
wx 90	Write hex bytes
wao nop	Write opcode (replaces instruction)

Common Workflows

Analyze Unknown Binary

r2 -A binary
> i           # Basic info
> iS          # Check sections
> afl         # List functions
> s main      # Go to main
> pdf         # Disassemble

Find Interesting Strings

r2 binary
> izz~password    # Search for "password" in strings
> izz~flag        # Search for "flag"
> axt @@ str.*    # Find xrefs to all strings

Trace Function Calls

r2 -A binary
> afl~sym.        # List imported functions
> axt sym.strcmp  # Find where strcmp is called
> s [address]
> pdf

Patch Binary

r2 -w binary
> s 0x401000      # Seek to instruction
> pd 1            # View current instruction
> wa jmp 0x401050 # Patch with jump
> wao nop         # Or NOP it out

Debug Session

r2 -d binary
> aaa
> db main         # Break at main
> dc              # Run
> dr              # View registers
> ds              # Step
> px 32 @ rsp     # View stack

Persistent Sessions (Large Binaries)

For large binaries, avoid re-analyzing on every command. Use one of these approaches:

Option 1: r2 HTTP Server

Start r2 with HTTP server, then send commands via curl:

# Terminal 1: Start server (keeps session alive)
r2 -q -c 'aaa; =h 9090' binary

# Terminal 2+: Send commands without re-analyzing
curl -s "http://localhost:9090/cmd/afl"
curl -s "http://localhost:9090/cmd/pdf%20@%20main"
curl -s "http://localhost:9090/cmd/axt%200x401000"

Option 2: r2pipe with Persistent Process

import r2pipe
r2 = r2pipe.open("binary")
r2.cmd("aaa")  # Analyze once
# Now run many commands on same session
print(r2.cmd("afl"))
print(r2.cmd("pdf @ main"))
print(r2.cmd("izz~flag"))
# Session stays open until:
r2.quit()

Option 3: Projects (Save/Restore Analysis)

r2 binary
> aaa              # Analyze (slow)
> Ps myproject     # Save project
> q

# Later, restore instantly:
r2 -p myproject binary
> afl              # No re-analysis needed

Option 4: Named Pipe

# Create pipe and start r2
mkfifo /tmp/r2pipe
r2 -q -i /tmp/r2pipe binary &

# Send commands
echo "aaa" > /tmp/r2pipe
echo "afl" > /tmp/r2pipe

Large Binary Tips

• Use aa instead of aaa for faster initial analysis
• Limit analysis depth: e anal.depth=5
• Analyze only specific functions: af @ 0x401000
• Skip analysis entirely: r2 -n binary then analyze on-demand
• Use rabin2 for quick info without loading into r2

Non-Interactive Analysis

For one-off commands, use r2 with -q (quiet) and -c:

# List all functions
r2 -q -c 'aaa; afl' binary

# Disassemble main
r2 -q -c 'aaa; s main; pdf' binary

# Get strings containing "flag"
r2 -q -c 'izz~flag' binary

# Get imports
r2 -q -c 'ii' binary

# Analyze and output JSON
r2 -q -c 'aaa; aflj' binary | jq .

Companion Tools

rabin2 - Binary Info

rabin2 -I binary    # File info
rabin2 -z binary    # Strings
rabin2 -i binary    # Imports
rabin2 -e binary    # Entrypoints
rabin2 -S binary    # Sections

rasm2 - Assembler/Disassembler

rasm2 -a x86 -b 64 'nop'           # Assemble
rasm2 -a x86 -b 64 -d '90'         # Disassemble
rasm2 -a arm -b 32 'mov r0, 1'     # ARM assembly

rahash2 - Hashing

rahash2 -a md5 binary
rahash2 -a sha256 binary
rahash2 -a all binary

rafind2 - Pattern Search

rafind2 -x 4141 binary    # Find hex pattern
rafind2 -s "flag" binary  # Find string

Architecture-Specific Notes

x86/x64

• Use e asm.syntax=att for AT&T syntax
• Common calling conventions: cdecl, fastcall, System V AMD64

ARM

• e asm.arch=arm and e asm.bits=32 or 64
• Check for Thumb mode with e asm.bits=16

MIPS

• e asm.arch=mips
• Big/little endian: e cfg.bigendian=true/false

Tips

1. Use ? after any command for help: pd?, a?, s?
2. Append j for JSON output: aflj, ij, izj
3. Append q for quiet output: aflq
4. Use @@ for iteration: pdf @@ fcn.*
5. Use ~ for grep: afl~main
6. Use ~: for column selection: afl~:0
7. Save project with Ps name and load with Po name

See references/REFERENCE.md for advanced usage.