
A boolean value which substitutes pc relative expressions in disassembly. When turned on, it shows the references as string references.

For example:

0x5563844a0181 488d3d7c0e00. lea rdi, [rip + 0xe7c] ; str.argv__2d_:__s

When turned on, this variable lets you display the above instruction as:

0x5563844a0181 488d3d7c0e00. lea rdi, str.argv__2d_:__s ; 0x5563844a1004 ; "argv[%2d]: %s\n"

Boolean which shows offsets in disassembly prefixed with the name of the section or map.

That means, from something like:

0x000067ea 488d0def0c01. lea rcx, [0x000174e0]

to the one below, when toggled on.

0x000067ea 488d0def0c01. lea rcx, [fmap.LOAD1.0x000174e0]

Boolean which substitutes the variable expression with the local variable name.

For example: var_14h as rbp - var_14h, in the disassembly.

Change endianness. "true" means big-endian, "false" is for little-endian. "file.id" and "file.flag" both to be true.

If this variable is enabled, help messages will be displayed along with command names in tab completion for commands.

This variable specifies the mode for colorized screen output: "false" (or 0) means no colors, "true" (or 1) means 16-colors mode, 2 means 256-colors mode, 3 means 16 million-colors mode. If your favorite theme looks weird, try to bump this up.

This variable accepts a full-featured expression or a pointer/flag (e.g. eip). If set, radare will set seek position to its value on startup.

If you have set up any flagzones (fz?), this variable will let you display the scrollbar with the flagzones, in Visual mode. Set it to 1 to display the scrollbar at the right end, 2 for the top and 3 to display it at the bottom.

A boolean variable to show UTF-8 characters instead of ANSI.

Enables or disables "fortune" messages displayed at each radare start.

Fortunes are classified by type. This variable determines which types are allowed for displaying when cfg.fortunes is true, so they can be fine-tuned on what's appropriate for the intended audience. Current types are tips, fun, nsfw, creepy.

This variable lets you set the size of stack in bytes.

Use r2 -H to list the environment variables and paths that determine where r2 looks for files. These paths depend on how, and for which operating system, r2 was built.

R2_PREFIX=/usr

MAGICPATH=/usr/share/radare2/2.8.0-git/magic

PREFIX=/usr

INCDIR=/usr/include/libr

LIBDIR=/usr/lib64

LIBEXT=so

RCONFIGHOME=/home/user/.config/radare2

RDATAHOME=/home/user/.local/share/radare2

RCACHEHOME=/home/user/.cache/radare2

LIBR_PLUGINS=/usr/lib/radare2/2.8.0-git

USER_PLUGINS=/home/user/.local/share/radare2/plugins

USER_ZIGNS=/home/user/.local/share/radare2/zigns

RC files are r2 scripts that are loaded at startup time. radare2 looks for them in 3 different places:

radare2 will first try to load /usr/share/radare2/radare2rc

Each user on the system can have their own r2 scripts that run on startup, for example to select the color scheme and set other custom options, by putting r2 commands in these files:

   • ~/.radare2rc

   • ~/.config/radare2/radare2rc

   • ~/.config/radare2/radare2rc.d/

If you want to run a script every time you open a file, just create a file with the same name as that file, with .r2 appended to it.

Most command names in radare are derived from action names. They should be easy to remember, as they are short. Actually, all commands are single letters. Subcommands or related commands are specified using the second character of the command name. For example, / foo is a command to search for a plain string, while /x 90 90 is used to look for hexadecimal pairs.

The general format for a valid command (as explained in the Command Format chapter) looks like this:

[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ; ...

For example,

> 3s +1024 ; seeks three times 1024 from the current seek

If a command starts with =!, the rest of the string is passed to the currently loaded IO plugin (a debugger, for example). Most plugins provide help messages with =!? or =!help.

$ r2 -d /bin/ls

> =!help ; handled by the IO plugin

If a command starts with !, posix_system() is called to pass the command to your shell. Check !? for more options and usage examples.

> !ls ; run `ls` in the shell

The meaning of the arguments (iter, addr, size) depends on the specific command. As a rule of thumb, most commands take a number as an argument to specify the number of bytes to work with, instead of the currently defined block size. Some commands accept math expressions or strings.

> px 0x17 ; show 0x17 bytes in hex at current seek

> s base+0x33 ; seeks to flag 'base' plus 0x33

> / lib ; search for 'lib' string.

The @ sign is used to specify a temporary offset location or a seek position at which the command is executed, instead of current seek position. This is quite useful as you don't have to seek around all the time.

> p8 10 @ 0x4010 ; show 10 bytes at offset 0x4010

> f patata @ 0x10 ; set 'patata' flag at offset 0x10

Using @@ you can execute a single command on a list of flags matching the glob. You can think of this as a foreach operation:

> s 0

> / lib ; search 'lib' string

> p8 20 @@ hit0_* ; show 20 hexpairs at each search hit

The > operation is used to redirect the output of a command into a file (overwriting it if it already exists).

> pr > dump.bin ; dump 'raw' bytes of current block to file named 'dump.bin'

> f > flags.txt ; dump flag list to 'flags.txt'

The | operation (pipe) is similar to what you are used to expect from it in a *NIX shell: the output of one command is used as input to another.

[0x4A13B8C0]> f | grep section | grep text

0x0805f3b0 512 section._text

0x080d24b0 512 section._text_end
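The startup scripts and the !, =!, | and > operators described above combine into one practical check: before opening a file, list the scripts r2 would load from the locations named on this page and flag the commands in them that reach the shell, an IO plugin or the filesystem. This is an added example, not code from radare2 or from the original text; the function names and the sample script are constructed for illustration, and the scan follows the command format shown above.

```python
import os
import re

# Startup script locations listed on this page ("~" is the user's home).
RC_PATHS = ["/usr/share/radare2/radare2rc", "~/.radare2rc",
            "~/.config/radare2/radare2rc", "~/.config/radare2/radare2rc.d/"]

def startup_scripts(target, home=None):
    """Existing scripts in the page's locations, plus the <target>.r2 sidecar."""
    home = home or os.path.expanduser("~")
    paths = [home + p[1:] if p.startswith("~") else p for p in RC_PATHS]
    paths.append(target + ".r2")
    found = []
    for p in paths:
        if os.path.isdir(p):  # radare2rc.d/ holds several scripts
            found += sorted(os.path.join(p, f) for f in os.listdir(p))
        elif os.path.isfile(p):
            found.append(p)
    return found

def classify(command):
    """Label how one command reaches outside r2, per [.][times][cmd]...[|>pipe].
    Quoting and comments are not interpreted, so the scan can over-report."""
    cmd = re.sub(r"^\.?\d*", "", command.strip())  # drop [.] and [times]
    labels = []
    if cmd.startswith("=!"):
        labels.append("io-plugin")   # passed to the loaded IO plugin
    elif cmd.startswith("!"):
        labels.append("shell")       # passed to the system shell
    if "|" in cmd:
        labels.append("pipe")        # output piped to another program
    if ">" in cmd:
        labels.append("redirect")    # output written to a file
    return labels

def audit(script_text):
    """Return (line_no, command, labels) for each flagged command."""
    return [(no, c.strip(), classify(c))
            for no, line in enumerate(script_text.splitlines(), 1)
            for c in line.split(";") if classify(c)]

# Constructed sample script, built from commands shown on this page.
SAMPLE = "s 0 ; / lib\np8 20 @@ hit0_* > hits.txt\n3s +1024 ; .!ls\nf | grep section\n=!help\n"

if __name__ == "__main__":
    for no, command, labels in audit(SAMPLE):
        print(f"line {no}: {command!r} -> {', '.join(labels)}")
```

Run audit() over the contents of every path returned by startup_scripts() for the file you are about to open, and read any flagged line before letting r2 load it.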