bin -> int ; rax2 1010d

ternary -> int ; rax2 1010dt

float -> hex ; rax2 3.33f

hex -> float ; rax2 Fx40551ed8

oct -> hex ; rax2 35o

hex -> oct ; rax2 Ox12 (O is a letter)

bin -> hex ; rax2 1100011b

hex -> bin ; rax2 Bx63

ternary -> hex ; rax2 212t

hex -> ternary ; rax2 Tx23

raw -> hex ; rax2 -S < /binfile

hex -> raw ; rax2 -s 414141

-l ; append newline to output (for -E/-D/-r/..

-a show ascii table ; rax2 -a

-b bin -> str ; rax2 -b 01000101 01110110

-B str -> bin ; rax2 -B hello

-d force integer ; rax2 -d 3 -> 3 instead of 0x3

-e swap endianness ; rax2 -e 0x33

-D base64 decode ;

-E base64 encode ;

-f floating point ; rax2 -f 6.3+2.1

-F stdin slurp code hex ; rax2 -F < shellcode.[c/py/js]

-h help ; rax2 -h

-i dump as C byte array ; rax2 -i < bytes

-k keep base ; rax2 -k 33+3 -> 36

-K randomart ; rax2 -K 0x34 1020304050

-L bin -> hex(bignum) ; rax2 -L 111111111 # 0x1ff

-n binary number ; rax2 -n 0x1234 # 34120000

-N binary number ; rax2 -N 0x1234 # \x34\x12\x00\x00

-r r2 style output ; rax2 -r 0x1234

-s hexstr -> raw ; rax2 -s 43 4a 50

-S raw -> hexstr ; rax2 -S < /bin/ls > ls.hex

-t tstamp -> str ; rax2 -t 1234567890

-x hash string ; rax2 -x linux osx

-u units ; rax2 -u 389289238 # 317.0M

-w signed word ; rax2 -w 16 0xffff

-v version ; rax2 -v

Some examples:

$ rax2 3+0x80

0x83

$ rax2 0x80+3

131

$ echo 0x80+3 | rax2

131

$ rax2 -s 4142

AB

$ rax2 -S AB

4142

$ rax2 -S < bin.foo

...

$ rax2 -e 33

0x21000000

$ rax2 -e 0x21000000

33

$ rax2 -K 90203010

+--[0x10302090]---+

|Eo. . |

| . . . . |

| o |

| . |

| S |

| |

| |

| |

| |

+-----------------+

Rafind2 is the command line fronted of the r_search library. Which allows you to search for strings, sequences of bytes with binary masks, etc

$ rafind2 -h

Usage: rafind2 [-mXnzZhqv] [-a align] [-b sz] [-f/t from/to] [-[e|s|S] str] [-x hex] -|file|dir ..

-a [align] only accept aligned hits

-b [size] set block size

-e [regex] search for regex matches (can be used multiple times)

-f [from] start searching from address 'from'

-h show this help

-i identify filetype (r2 -nqcpm file)

-j output in JSON

-m magic search, file-type carver

-M [str] set a binary mask to be applied on keywords

-n do not stop on read errors

-r print using radare commands

-s [str] search for a specific string (can be used multiple times)

-S [str] search for a specific wide string (can be used multiple times). Assumes str is UTF-8.

-t [to] stop search at address 'to'

-q quiet - do not show headings (filenames) above matching contents (default for searching a single file)

-v print version and exit

-x [hex] search for hexpair string (909090) (can be used multiple times)

-X show hexdump of search results

-z search for zero-terminated strings

-Z show string found on each search hit

That's how to use it, first we'll search for "lib" inside the /bin/ls binary.

$ rafind2 -s lib /bin/ls

0x5f9

0x675

0x679

...

$

Note that the output is pretty minimal, and shows the offsets where the string lib is found. We can then use this output to feed other tools.

Counting results:

$ rafind2 -s lib /bin/ls | wc -l

Displaying results with context:

$ export F=/bin/ls

$ for a in `rafind2 -s lib $F` ; do \

r2 -ns $a -qc'x 32' $F ; done

0x000005f9 6c69 622f 6479 6c64 .. lib/dyld........

0x00000675 6c69 622f 6c69 6275 .. lib/libutil.dyli

0x00000679 6c69 6275 7469 6c2e .. libutil.dylib...

0x00000683 6c69 6200 000c 0000 .. lib......8......

0x000006a5 6c69 622f 6c69 626e .. lib/libncurses.5

0x000006a9 6c69 626e 6375 7273 .. libncurses.5.4.d

0x000006ba 6c69 6200 0000 0c00 .. lib.......8.....

0x000006dd 6c69 622f 6c69 6253 .. lib/libSystem.B.

0x000006e1 6c69 6253 7973 7465 .. libSystem.B.dyli

0x000006ef 6c69 6200 0000 0000 .. lib......&......

rafind2 can also be used as a replacement of file to identify the mimetype of a file using the internal magic database of radare2.

$ rafind2 -i /bin/ls

0x00000000 1 Mach-O

Also works as a strings replacement, similar to what you do with rabin2 -z, but without caring about parsing headers and obeying binary sections.

$ rafind2 -z /bin/ls| grep http

0x000076e5 %http://www.apple.com/appleca/root.crl0\r

0x00007ae6 https://www.apple.com/appleca/0

0x00007fa9 )http://www.apple.com/certificateauthority0

0x000080ab $http://crl.apple.com/codesigning.crl0

Rarun2 is a tool allowing to setup a specified execution environment - redefine stdin/stdout, pipes, change the environment variables and other settings useful to craft the boundary conditions you need to run a binary for debugging.

$ rarun2 -h

Usage: rarun2 -v|-t|script.rr2 [directive ..]

It takes the text file in key=value format to specify the execution environment. Rarun2 can be used as both separate tool or as a part of radare2. To load the rarun2 profile in radare2 you need to use either -r to load the profile from file or -R to specify the directive from string.

The format of the profile is very simple. Note the most important keys - program and arg*

One of the most common usage cases - redirect the output of debugged program in radare2. For this you need to use stdio, stdout, stdin, input, and a couple similar keys.

Here is the basic profile example:

program=/bin/ls

arg1=/bin

# arg2=hello

# arg3="hello\nworld"

# arg4=:048490184058104849

# arg5=:!ragg2 -p n50 -d 10:0x8048123

# arg6=@arg.txt

# arg7=@300@ABCD # 300 chars filled with ABCD pattern

# system=r2 -

# aslr=no

setenv=FOO=BAR

# unsetenv=FOO

# clearenv=true

# envfile=environ.txt

timeout=3

# timeoutsig=SIGTERM # or 15

# connect=localhost:8080

# listen=8080

# pty=false

# fork=true

# bits=32

# pid=0

# pidfile=/tmp/foo.pid

# #sleep=0

# #maxfd=0

# #execve=false

# #maxproc=0

# #maxstack=0

# #core=false

# #stdio=blah.txt

# #stderr=foo.txt

# stdout=foo.txt

# stdin=input.txt # or !program to redirect input from another program

# input=input.txt

# chdir=/

# chroot=/mnt/chroot

# libpath=$PWD:/tmp/lib

# r2preload=yes

# preload=/lib/libfoo.so

# setuid=2000

# seteuid=2000

# setgid=2001

# setegid=2001

# nice=5