Command Format

A general format for radare commands is as follows:

[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ;

Commands are identified by a single case-sensitive character [a-zA-Z]. To repeatedly execute a command, prefix the command with a number:

px    # run px
3px   # run px 3 times

The ! prefix is used to execute a command in shell context. If a single exclamation mark is used, commands will be sent to the system() hook defined in currently loaded I/O plugin. This is used, for example, by the ptrace I/O plugin, which accepts debugger commands from radare interface.

A few examples:

ds                    ; call the debugger's 'step' command
px 200 @ esp          ; show 200 hex bytes at esp
pc > file.c           ; dump buffer as a C byte array to file.c
wx 90 @@ sym.*        ; write a nop on every symbol
pd 2000 | grep eax    ; grep opcodes that use the 'eax' register
px 20 ; pd 3 ; px 40  ; multiple commands in a single line

The @ character is used to specify a temporary offset at which the command to its left will be executed. The original seek position in a file is then restored. For example, pd 5 @ 0x100000fce to disassemble 5 instructions at address 0x100000fce.

The ~ character enables internal grep-like function used to filter output of any command. For example:

pd 20~call            ; disassemble 20 instructions and grep output for 'call'

Additionally, you can either grep for columns or rows:

pd 20~call:0          ; get first row
pd 20~call:1          ; get second row
pd 20~call[0]         ; get first column
pd 20~call[1]         ; get second column

Or even combine them:

pd 20~call:0[0]       ; grep the first column of the first row matching 'call'

This internal grep function is a key feature for scripting radare, because it can be used to iterate over a list of offsets or data generated by disassembler, ranges, or any other command. Refer to the macros section (iterators) for more information.

Most of the commands offer autocompletion support using <TAB> key, for example seek or flags commands. It offers autocompletion using the all possible values, taking flagnames in this case. Note, that it's possible to see the history of the commands using !~... command - it offers a visual mode to scroll through the radare2 command history.

results matching ""

    No results matching ""