Scripting

Radare2 provides a wide set of features to automate boring work. They range from simple sequencing of commands to calling scripts or other programs via IPC (Inter-Process Communication), called r2pipe.

As mentioned a few times before, commands can be sequenced using the ; (semicolon) operator.

    [0x00404800]> pd 1 ; ao 1
    0x00404800 b827e66100 mov eax, 0x61e627 ; "tab"
    address: 0x404800
    opcode: mov eax, 0x61e627
    prefix: 0
    bytes: b827e66100
    ptr: 0x0061e627
    refptr: 0
    size: 5
    type: mov
    esil: 6415911,rax,=
    stack: null
    family: cpu
    [0x00404800]>

It simply runs the second command after finishing the first one, like in a shell.

The second important way to sequence commands is with a simple pipe |:

    ao|grep address

Note that the | pipe can only pipe the output of r2 commands to external (shell) commands, such as system programs or builtin shell commands. There is a similar way to sequence r2 commands, using the backtick operator `command`. The quoted part undergoes command substitution and its output is used as an argument of the command line.

For example, suppose we want to see a few bytes of the memory at the address referred to by the ‘mov eax, addr’ instruction. We can do that without jumping to it, using a sequence of commands:

    [0x00404800]> pd 1
    0x00404800 b827e66100 mov eax, 0x61e627 ; "tab"
    [0x00404800]> ao
    address: 0x404800
    opcode: mov eax, 0x61e627
    prefix: 0
    bytes: b827e66100
    ptr: 0x0061e627
    refptr: 0
    size: 5
    type: mov
    esil: 6415911,rax,=
    stack: null
    family: cpu
    [0x00404800]> ao~ptr[1]
    0x0061e627
    0
    [0x00404800]> px 10 @ `ao~ptr[1]`
    - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
    0x0061e627 7461 6200 2e69 6e74 6572 tab..inter
    [0x00404800]>
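
The same lookup done from a script, as an added example that is not part of the original page: the substring filter ~ptr[1] also matched the refptr line (hence the extra 0 in the output above), so this Python code parses captured ao output and selects the ptr key exactly before building the px command. The function names and the embedded sample text are assumptions made for the example.

```python
# Constructed sample: the `ao` output shown above, captured as plain text.
AO_OUTPUT = """\
address: 0x404800
opcode: mov eax, 0x61e627
prefix: 0
bytes: b827e66100
ptr: 0x0061e627
refptr: 0
size: 5
type: mov
esil: 6415911,rax,=
stack: null
family: cpu
"""


def grep_column(text, word, col):
    """Mimic the ~word[col] filter as used above: keep every line that
    contains `word` and return its whitespace-separated column `col`."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if word in line and col < len(fields):
            hits.append(fields[col])
    return hits


def parse_ao(text):
    """Parse 'key: value' lines into a dict, splitting on the first ': '
    only so values such as 'mov eax, 0x61e627' stay intact."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key.strip()] = value.strip()
    return info


def pointer_target(text):
    """Return the exact `ptr` field as an int, or None when it is absent."""
    value = parse_ao(text).get("ptr")
    return None if value is None else int(value, 16)


def px_command(text, nbytes=10):
    """Build the px command for the referenced address; the string can then
    be sent to r2, for example through an r2pipe session's cmd() method."""
    addr = pointer_target(text)
    if addr is None:
        raise ValueError("no ptr field in ao output")
    return f"px {nbytes} @ {addr:#x}"
```
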

And of course it’s possible to redirect the output of an r2 command into a file, using the > and >> operators.

    [0x00404800]> px 10 @ `ao~ptr[1]` > example.txt
    [0x00404800]> px 10 @ `ao~ptr[1]` >> example.txt

Radare2 also provides quite a few Unix-style file processing commands like head, tail, cat, grep and many more. One such command is uniq, which can be used to filter a file to display only non-duplicate content. So to make a new file with only unique strings, you can do:

    [0x00404800]> uniq file > uniq_file

The head command can be used to see the first N lines of a file; similarly, the tail command shows the last N lines.

    [0x00404800]> head 3 foodtypes.txt
    1 Protein
    2 Carbohydrate
    3 Fat
    [0x00404800]> tail 2 foodtypes.txt
    3 Shake
    4 Milk

The join command can be used to merge two different files with a common first field.

    [0x00404800]> cat foodtypes.txt
    1 Protein
    2 Carbohydrate
    3 Fat
    [0x00404800]> cat foods.txt
    1 Cheese
    2 Potato
    3 Butter
    [0x00404800]> join foodtypes.txt foods.txt
    1 Protein Cheese
    2 Carbohydrate Potato
    3 Fat Butter

Similarly, sorting the content is also possible with the sort command. A typical example could be:

    [0x00404800]> sort file
    eleven
    five
    five
    great
    one
    one
    radare

The ?$? command describes several helpful variables you can use to do similar actions even more easily, like the $v “immediate value” variable, or the $m opcode memory reference variable.