Radare2

Radare2 is a free and open-source reverse engineering framework supporting multiple architectures and file formats. This guide covers r2 commands, visual mode, scripting, and analysis workflows.

Installation

Linux

# Ubuntu/Debian
sudo apt update
sudo apt install radare2

# Fedora/RHEL
sudo dnf install radare2

# Build from source
git clone https://github.com/radareorg/radare2.git
cd radare2
./configure && make
sudo make install

macOS

# Homebrew
brew install radare2

# Build from source
git clone https://github.com/radareorg/radare2.git
cd radare2
./configure --prefix=/usr/local && make
sudo make install

Windows

# Download installer from radare.org/get
# Or use Chocolatey
choco install radare2

# Build with MSVC or MinGW
git clone https://github.com/radareorg/radare2.git
cd radare2
sys\\install.bat        ; Windows batch install

Starting Radare2

# Open binary for analysis
r2 ./binary_file

# Open with specific processor
r2 -a x86 -b 32 binary_file
r2 -a arm -b 64 binary_file

# Open at specific offset
r2 -o 0x1000 binary_file

# Debug mode
r2 -d ./binary_file
r2 -d -p <PID>

# Analyze specific file offset
r2 -m 0x1000 binary_file

Essential Commands

Command	Description
`s <addr>`	Seek to address
`s-`	Undo seek
`s+`	Redo seek
`pd <n>`	Print disassembly (n lines)
`px <n>`	Print hex dump (n bytes)
`pz`	Print C-string at current position
`ps`	Print string at current position
`p8 <n>`	Print 8-byte values
`.`	Show current location

Analysis and Information

Command	Description
`aaa`	Auto-analyze all
`af`	Analyze function at cursor
`afl`	List all functions
`afn <name>`	Rename function
`afi`	Function info
`axf`	Show function xrefs
`aflm`	List functions as minigraph
`ii`	Show imports
`il`	Show libraries

Searching and Finding

Command	Description
`/b <bytes>`	Search for bytes
`/s <string>`	Search for string
`/x <pattern>`	Search for hex pattern
`/ <pattern>`	Plain text search (UTF-8)
`//`	Repeat last search
`iz`	Find strings in binary

Functions and Xrefs

Command	Description
`afl`	List all functions
`pdf`	Print function disassembly
`pdf @ <addr>`	Disassemble function at address
`axt <addr>`	Show xrefs to address
`axf`	Show xrefs from current address
`ax`	Show all xrefs
`arn`	Rename node/function

Disassembly and Analysis

Viewing Code

# Disassemble current function
pdf

# Disassemble specific address
pdf @ 0x401000

# Disassemble with n lines
pd 20
pd 20 @ 0x401000

# Disassemble in graph mode
ag
agf                    ; Function graph

# List instructions
pi <n>                 ; Print n instructions

# Print with analysis
pda                    ; Print disassembly with annotations

Understanding Functions

# Get function info
afi
afi @ main

# Function boundaries
af main                ; Analyze function
afl                    ; List functions
aflm                   ; ASCII art function list

# Jump to function
s main
s sym.main

# Get stack frame
afvs                   ; Stack variables

Variables and Types

Managing Variables

# Set variable name
afvn <old> <new>       ; Rename variable
afvt <type> <var>      ; Set variable type

# Show variables
afv                    ; All variables
afvs                   ; Stack variables
afvr                   ; Register variables
afva                   ; Arguments
afvl                   ; Locals

# Print variable at address
pv <size>              ; Print variable

Type Management

# Define structure
t struct mystruct "int a; int b; char c"

# Print structure
p <type> @ <addr>
p mystruct @ 0x401000

# List types
tl

# Get type info
ti <type>

Visual Mode

Entering Visual Mode

# Enter visual mode (disassembly view)
V

# Visual mode variations
Vv                     ; Vertical split
Vu                     ; Undo split
V!                     ; Enable asm editor

Key	Action
`hjkl`	Navigate (vim-style)
`g`	Go to address
`G`	Go to offset
`R`	Refresh/redraw
`x`	Jump to xref
`X`	Jump back
`Space`	Select/edit
`:`	Run commands
`!`	Edit instruction
`d`	Toggle data/code
`p`	Cycle print modes
`P`	Cycle analysis modes

Print Modes in Visual

p cycles through:
1. Disassembly (default)
2. Hex dump
3. C-strings
4. Assembly
5. Debugger
6. Stack
7. Stack (human readable)

Debugging

Debug Mode

# Enter debug mode
r2 -d ./binary

# Continue execution
dc
dcs                    ; Continue step
dcc                    ; Continue until call

# Step through code
ds                     ; Step
dsi                    ; Step instruction
dso                    ; Step over

# Breakpoints
db <addr>              ; Set breakpoint
dbc <addr> 1           ; Breakpoint with count
dbi                    ; Show breakpoints
dbd <addr>             ; Delete breakpoint

Debugging Inspection

# Show registers
dr
dr rax                 ; Show specific register
dr rax=<value>         ; Set register

# Show memory map
dm

# Show threads
dbt

# Show stack
dbt                    ; Stack trace
dts                    ; Thread summary

Binary Information

File and Format Analysis

# Show file info
iH                     ; Headers
iH+                    ; Headers (extended)

# Show sections
iS                     ; Sections
iSS @ <addr>           ; Section at address

# Imports and exports
ii                     ; Imports
iie                    ; Imports extended
ie                     ; Exports

# Relocations
ir                     ; Relocations
irl                    ; Show long relocations

Entrypoint Analysis

# Show entry points
ie
iej                    ; Entry points JSON

# Seek to entry
s entry0               ; Jump to entry
s main                 ; Jump to main (if found)

Scripting

Radare2 Script Language (r2script)

# Simple loop
for i in `afl` ; do echo $i ; done

# Get function addresses
afl | awk '{print $1}'

# Generate script
echo 'af' > script.r2
echo 'pdf' >> script.r2
r2 -i script.r2 binary_file

Python Scripting

#!/usr/bin/env python3
import r2pipe

# Open binary
r = r2pipe.open("./binary")

# Run commands
r.cmd("aaa")           # Auto-analyze

# Get functions
functions = r.cmdj("aflj")  # JSON output
for func in functions:
    print(func['name'], hex(func['offset']))

# Get disassembly
code = r.cmd("pdf @ main")
print(code)

# Seek and examine
r.cmd("s 0x401000")
print(r.cmd("px 16"))

# Close
r.quit()

JavaScript Scripting

// Run inside r2 with -i flag or in r2 console
load("r_core.js");

// List functions
cmd("afl");

// Print disassembly
cmd("pdf @ main");

// Get JSON
var funcs = cmdj("aflj");
for (var f of funcs) {
    print(f.name + " at " + f.offset.toString(16));
}

Common Analysis Tasks

Finding Strings

# List all strings
iz

# Search for specific string
/ "password"

# Get strings in JSON
izj | grep -i "password"

# Get xrefs to string
axt @<string_addr>     ; Show xrefs to string

Analyzing Functions

# List functions with size
aflm

# Get specific function
afi @ main

# Print function disassembly
pdf @ main

# Get function calls
afvf @ main            ; Function calls

Memory Search

# Search for pattern
/x "48 89 c3"         ; Search for "mov rbx,rax"

# Find string
/s "kernel32"

# Find byte sequence
/b "\x48\x89\xc3"

# Show all matches
//                    ; Repeat search

Configuration

Setting Options

# Set screen size
e scr.width=120
e scr.height=40

# Set architecture
e asm.arch=x86
e asm.bits=64

# Set syntax
e asm.syntax=intel
e asm.syntax=att

# Show configuration
e

# Save configuration
e scr.color=1
Config saved to ~/.radare2rc

Common Options

Option	Values
`asm.arch`	x86, arm, mips, ppc, etc
`asm.bits`	16, 32, 64
`asm.syntax`	intel, att
`asm.describe`	1/0 (show instruction descriptions)
`scr.color`	0/1 (enable colors)
`scr.utf8`	0/1 (UTF-8 output)

Useful Workflows

Reverse Engineer a Function

1. Open binary: r2 ./binary
2. Analyze: aaa
3. List functions: afl
4. Jump to function: s main
5. Print disassembly: pdf
6. Examine xrefs: axf or axt
7. Follow calls: s <function>
8. Document findings

Find Vulnerable Code

1. Search for dangerous functions: / "strcpy"
2. Get xrefs: axt @<string>
3. Analyze caller function
4. Check for bounds checking
5. Examine stack layout
6. Determine if exploitable

Analyze Imports/Exports

1. List imports: ii
2. List exports: ie
3. Find API calls: /x "call [address]"
4. Determine functionality
5. Patch calls for testing

Advanced Features

ESIL (Intermediate Language)

# Show ESIL representation
ae
aeso                   ; ESIL overview

# ESIL is Radare's IL for analysis
# Allows architecture-agnostic analysis

Patching and Modifying

# Write bytes
wx 90 90 90            ; Write NOPs

# Write string
ws "new string"

# Asm write
wa mov rax, 0x42       ; Write assembly

# Undo changes
e io.cache=1          ; Enable I/O cache
wx 90                 ; Changes not permanent
e io.cache=0          ; Commit changes

Tips and Best Practices

Use aaa to automatically analyze the binary
Visual mode (V) is great for exploring code structure
Use Python scripting for repetitive analysis
Always analyze functions before examining them
Use xrefs (axt/axf) to understand control flow
Document findings with comments and renaming
Use / to search for patterns, strings, bytes
Set breakpoints in debug mode to trace execution
Use print modes (p key in visual) to see different data
Export results: . > file.txt to save analysis

Resources

Radare2 Official: https://radare.org/
Radare2 Book: https://book.rada.re/
GitHub: https://github.com/radareorg/radare2
Community: https://discord.gg/C9qKLlL

Last updated: 2026-03-30