One of the most common task in automation is looping through something, there are multiple ways to do this in radare2.

We can loop over flags:

@@ flagname-regex

For example, we want to see function information with afi command:

[0x004047d6]> afi
offset: 0x004047d0
name: entry0
size: 42
realsz: 42
stackframe: 0
call-convention: amd64
cyclomatic-complexity: 1
bits: 64
type: fcn [NEW]
num-bbs: 1
edges: 0
end-bbs: 1
call-refs: 0x00402450 C
data-refs: 0x004136c0 0x00413660 0x004027e0
args: 0
diff: type: new

Now let's say, for example, that we'd like see a particular field from this output for all functions found by analysis. We can do that with a loop over all function flags (whose names begin with fcn.):

[0x004047d6]> afi @@ fcn.* ~name

This command will extract the name field from the afi output of every flag with a name matching the regexp fcn.*.

We can also loop over a list of offsets, using the following syntax:

@@=1 2 3 ... N

For example, say we want to see the opcode information for 2 offsets: the current one, and at current + 2:

[0x004047d6]> ao @@=$$ $$+2
address: 0x4047d6
opcode: mov rdx, rsp
prefix: 0
bytes: 4889e2
refptr: 0
size: 3
type: mov
esil: rsp,rdx,=
stack: null
family: cpu
address: 0x4047d8
opcode: loop 0x404822
prefix: 0
bytes: e248
refptr: 0
size: 2
type: cjmp
esil: 1,rcx,-=,rcx,?{,4212770,rip,=,}
jump: 0x00404822
fail: 0x004047da
stack: null
cond: al
family: cpu

Note we're using the $$ variable which evaluates to the current offset. Also note that $$+2 is evaluated before looping, so we can use the simple arithmetic expressions.

A third way to loop is by having the offsets be loaded from a file. This file should contain one offset per line.

[0x004047d0]> ?v $$ > offsets.txt
[0x004047d0]> ?v $$+2 >> offsets.txt
[0x004047d0]> !cat offsets.txt
[0x004047d0]> pi 1 @@.offsets.txt
xor ebp, ebp
mov r9, rdx

radare2 also offers various foreach constructs for looping. One of the most useful is for looping through all the instructions of a function:

[0x004047d0]> pdf
╒ (fcn) entry0 42
│                ; UNKNOWN XREF from 0x00400018 (unk)
│                ; DATA XREF from 0x004064bf (sub.strlen_460)
│                ; DATA XREF from 0x00406511 (sub.strlen_460)
│                ; DATA XREF from 0x0040b080 (unk)
│                ; DATA XREF from 0x0040b0ef (unk)
│                0x004047d0      31ed           xor ebp, ebp
│                0x004047d2      4989d1         mov r9, rdx
│                0x004047d5      5e             pop rsi
│                0x004047d6      4889e2         mov rdx, rsp
│                0x004047d9      4883e4f0       and rsp, 0xfffffffffffffff0
│                0x004047dd      50             push rax
│                0x004047de      54             push rsp
│                0x004047df      49c7c0c03641.  mov r8, 0x4136c0
│                0x004047e6      48c7c1603641.  mov rcx, 0x413660      ; "AWA..AVI..AUI..ATL.%.. "
0x00413660  ; "AWA..AVI..AUI..ATL.%.. "
│                0x004047ed      48c7c7e02740.  mov rdi, main          ; "AWAVAUATUH..S..H...." @
│                0x004047f4      e857dcffff     call sym.imp.__libc_start_main
╘                0x004047f9      f4             hlt
[0x004047d0]> pi 1 @@i
mov r9, rdx
pop rsi
mov rdx, rsp
and rsp, 0xfffffffffffffff0
push rax
push rsp
mov r8, 0x4136c0
mov rcx, 0x413660
mov rdi, main
call sym.imp.__libc_start_main

In this example the command pi 1 runs over all the instructions in the current function (entry0). There are other options too (not complete list, check @@? for more information):

  • @@k sdbquery - iterate over all offsets returned by that sdbquery
  • @@t- iterate over on all threads (see dp)
  • @@b - iterate over all basic blocks of current function (see afb)
  • @@f - iterate over all functions (see aflq)

The last kind of looping lets you loop through predefined iterator types:

  • symbols
  • imports
  • registers
  • threads
  • comments
  • functions
  • flags

This is done using the @@@ command. The previous example of listing information about functions can also be done using the @@@ command:

[0x004047d6]> afi @@@ functions ~name

This will extract name field from afi output and will output a huge list of function names. We can choose only the second column, to remove the redundant name: on every line:

[0x004047d6]> afi @@@ functions ~name[1]

results matching ""

    No results matching ""