
To debug a program, start radare with the -d option. Note that you can either attach to a running process by specifying its PID, or start a new program by specifying its path and parameters:

$ pidof mc

32220

$ r2 -d 32220

$ r2 -d /bin/ls

$ r2 -a arm -b 16 -d gdb://192.168.1.43:9090

...

In the second case, the debugger forks and loads the debuggee (the ls program) into memory.

It pauses execution early, inside the ld.so dynamic linker. As a result, at this point you will not yet see the entrypoint or any of the shared libraries mapped.

You can override this behavior by choosing a different entry breakpoint. To do this, add the radare command e dbg.bep=entry or e dbg.bep=main to your startup script, which is usually ~/.config/radare2/radare2rc.

Another way to continue until a specific address is the dcu command, which means "debug continue until" and takes the address (or flag name) of the place to stop at. For example:

dcu main

Be warned that certain malware or other tricky programs can execute code before main() is reached (for example, in program constructors or TLS initializers), so if you only break at main you will have no control over that code.

Below is a list of the most common commands used with the debugger:

> d? ; get help on debugger commands

> ds 3 ; step 3 times

> db 0x8048920 ; setup a breakpoint

> db -0x8048920 ; remove a breakpoint

> dc ; continue process execution

> dcs ; continue until syscall

> dd ; manipulate file descriptors

> dm ; show process maps

> dmp A S rwx ; change permissions of page at A and size S

> dr eax=33 ; set register value. eax = 33

There is another option for debugging in radare, which may be easier: using visual mode.

That way you will neither need to remember many commands nor to keep program state in your mind.

To enter visual debugger mode use Vpp:

[0xb7f0c8c0]> Vpp

The initial view after entering visual mode is a hexdump view at the target's current program counter (e.g., EIP for x86). Pressing p cycles through the rest of the visual mode views; p and P rotate forwards and backwards through the most commonly used print modes. Use F7 or s to step into and F8 or S to step over the current instruction. With the c key you can toggle cursor mode to mark a byte range selection (for example, to later overwrite it with NOPs). You can set breakpoints with the F2 key.

In visual mode you can enter regular radare commands by prepending them with :. For example, to dump one block of memory at the address held in ESI:

<Press ':'>

x @ esi

To get help on visual mode, press ?. To scroll the help screen, use arrows. To exit the help view, press q.

A frequently used command is dr, which reads or writes the values of the target's general purpose registers. For a more compact representation of the register values, use the dr= command. You can also manipulate the hardware registers and the extended/floating point registers.

If you want to contribute to the Radare2 book, you can do so at the GitHub repository. Suggested contributions include:

   • Crackme writeups

   • CTF writeups

   • Documentation on how to use Radare2

   • Documentation on developing for Radare2

   • Conference presentations/workshops using Radare2

   • Missing content from the Radare1 book updated to Radare2

Please get permission to port any content you do not own/did not create before you put it in the Radare2 book.

See https://github.com/radareorg/radare2/blob/master/DEVELOPERS.md for general help on contributing to radare2.

The core reads ~/.config/radare2/radare2rc at startup. You can add e commands to this file to tune the radare2 configuration to your taste.

To prevent radare2 from parsing this file at startup, pass it the -N option.

All radare2 configuration is done with the eval (e) commands. A typical startup configuration file looks like this:

$ cat ~/.radare2rc

e scr.color = 1

e dbg.bep = loader

The configuration can also be changed with the -e <config=value> command-line option. This way you can adjust the configuration from the command line while keeping the .radare2rc file intact. For example, to start with an empty configuration and then set scr.color and asm.syntax, the following line may be used:

$ radare2 -N -e scr.color=1 -e asm.syntax=intel -d /bin/ls
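The following shell script is an example added here; it is not part of the book or of radare2 itself. It ties the debugger chapter above to the configuration options just described: it uses -N and -e to start from a clean configuration and override dbg.bep, scripts the debugger commands (dr=, dcu, dm, db, dk) with -c instead of typing them at the prompt, and prints the effective value of a configuration variable so an override can be verified. It assumes r2 is in PATH, that the target is a dynamically linked ELF, and, for the debug part only, that the kernel allows ptrace. The function names and the use of aa to recover the main flag on a stripped binary are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the radare2 book: drive the debugger and the
# configuration options described in the text from a shell script instead
# of the interactive prompt.
#
# Assumptions: r2 is in PATH and the target is a dynamically linked ELF.
# r2_debug_session additionally needs a kernel that allows ptrace (it will
# fail inside a container that blocks it). The command-line flags used are
# the ones the book documents: -N (skip radare2rc), -e key=value (override
# a config variable), -c cmd (run commands after loading), -q (quit after
# the commands), -d (debug the target).

# Turn "key=value" arguments into "-e key=value" options, one per argument.
# Pure shell, so it also works where r2 is not installed.
r2_opts_from_kv() {
    _opts=""
    for _kv in "$@"; do
        _opts="$_opts -e $_kv"
    done
    printf '%s' "${_opts# }"
}

# Print the effective value of one config key for TARGET, ignoring
# radare2rc (-N) and applying the overrides given as key=value arguments.
# A key of the form "var=?" prints the valid values instead (e scr.nkey=?).
# Usage: r2_effective_config /bin/ls asm.syntax asm.syntax=intel   -> intel
r2_effective_config() {
    _target=$1
    _key=$2
    shift 2
    _opts=$(r2_opts_from_kv "$@")
    # $_opts is split into words on purpose: one -e option per override.
    r2 -N -q $_opts -c "e $_key" "$_target" 2>/dev/null
}

# Scripted version of the chapter's debug session: start TARGET under the
# debugger and stop at the ELF entry point (dbg.bep=entry) instead of
# inside ld.so, dump the registers, continue until main with dcu, dump the
# registers again, list the process maps (the shared libraries are mapped
# by now), set a breakpoint at the current address ($$), list the
# breakpoints and kill the child with signal 9 before r2 quits.
# Everything between the entry point and main (constructors, TLS
# initializers) runs uncontrolled during "dcu main", as the chapter warns.
# "aa" is run first so that a main flag exists even on a stripped binary;
# relying on r2's main detection for that is an assumption of this example.
r2_debug_session() {
    _target=${1:-/bin/ls}
    r2 -N -q -e scr.color=0 -e scr.interactive=false -e dbg.bep=entry \
        -c 'dr=; aa; dcu main; dr=; dm; db $$; db; dk 9' -d "$_target"
}

# Entry point when run as a script; does nothing when sourced without args.
case "${1:-}" in
    config) shift; r2_effective_config "$@" ;;
    debug)  shift; r2_debug_session "$@" ;;
esac
```

Running `sh r2_session.sh config /bin/ls asm.syntax asm.syntax=intel` prints `intel`, showing that the -e override took effect even though the rc file was skipped; `sh r2_session.sh config /bin/ls 'scr.nkey=?'` lists the valid values of a variable; `sh r2_session.sh debug /bin/ls` runs the scripted session and leaves no stopped child behind because of the final dk 9.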

Internally, the configuration is stored in a hash table. The variables are grouped in namespaces: cfg., file., dbg., scr. and so on.

To get a list of all configuration variables, just type e at the command prompt. To limit the output to a selected namespace, pass its name with a trailing dot to e. For example, e file. displays all variables defined inside the "file" namespace.

To get help about the e command, type e?:

Usage: e [var[=value]] Evaluable vars

| e?asm.bytes show description

| e?? list config vars with description

| e a get value of var 'a'

| e a=b set var 'a' the 'b' value

| e var=? print all valid values of var

| e var=?? print all valid values of var with description

| e.a=b same as 'e a=b' but without using a space

| e,k=v,k=v,k=v comma separated k[=v]

| e- reset config vars

| e* dump config vars in r commands

| e!a invert the boolean value of 'a' var

| ec [k] [color] set color for given key (prompt, offset, ...)

| eevar open editor to change the value of var

| ed open editor to change the ~/.radare2rc

| ej list config vars in JSON

| env [k[=v]] get/set environment variable

| er [key] set config key as readonly. no way back

| es [space] list all eval spaces [or keys]

| et [key] show type of given config variable

| ev [key] list config vars in verbose format

| evj [key] list config vars in verbose format in JSON

A simpler alternative to the e command is accessible from visual mode. Type Ve to enter it, use the arrow keys (up, down, left, right) to navigate the configuration, and q to exit. The start screen of the visual configuration editor looks like this:

[EvalSpace]

> anal

asm

scr

asm

bin

cfg

diff

dir

dbg

cmd

fs

hex

http

graph

hud

scr

search

io

For configuration values that can take one of several values, you can use the =? operator to get a list of valid values:

[0x00000000]> e scr.nkey = ?

scr.nkey = fun, hit, flag

Console access is wrapped in an API that can render the output of any command as ANSI, W32 Console or HTML. This allows radare's core to run inside environments with limited display capabilities, like kernels or embedded devices, while you still receive the data in your preferred format.

To enable color support by default, add the corresponding configuration option to the .radare2rc configuration file: