# radare2 cmd syntax
```
Command = '!' Shell | Statement { ';' Statement } | QuotedStatement
QuotedStatement = Statement - Redirection - TmpSeek + ';'
Statement = Head {Arg} Redirection? TmpSeek? Grep?
TmpSeek = '@' (addr ('!' blocksize)?)
[0x1000011e0]> ?@?
|Usage: [.][#]<cmd>[*] [`cmd`] [@ addr] [~grep] [|syscmd] [>[>]file]
| 0 alias for 's 0'
| 0xaddr alias for 's 0x..'
| #cmd if # is a number repeat the command # times
| /* start multiline comment
| */ end multiline comment
| .cmd execute output of command as r2 script
| .:8080 wait for commands on port 8080
| .!rabin2 -re $FILE run command output as r2 script
| * output of command in r2 script format (CC*)
| j output of command in JSON format (pdj)
| @ 0x1024 temporary seek to this address (sym.main+3)
| @ [addr]!blocksize temporary set a new blocksize
| @a:arch[:bits] temporary set arch and bits
| @b:bits temporary set asm.bits
| @e:k=v,k=v temporary change eval vars
| @r:reg tmp seek to reg value (f.ex pd@r:PC)
| @i:nth.op temporary seek to the Nth relative instruction
| @f:file temporary replace block with file contents
| @o:fd temporary switch to another fd
| @s:string same as above but from a string
| @x:909192 from hex pairs string
| @..from to temporary set from and to for commands supporting ranges
| @@=1 2 3 run the previous command at offsets 1, 2 and 3
| @@ hit* run the command on every flag matching 'hit*'
| @@?[ktfb..] show help for the iterator operator
| @@@ [type] run a command on every [type] (see @@@? for help)
Input Slurp from file or stdin '<'
| has been removed to avoid issues with confused users or hangs
Redirection = '>' filename
| >file pipe output of command to file
| >>file append to file
| H>file pipe output of command to file in HTML
| H>>file append to file with the output of command in HTML
| `pdi~push:0[0]` replace output of command inside the line
| |cmd pipe output to command (pd|less) (.dr*)
Grep = '~' [^"`]
| ~? count number of lines (like wc -l)
| ~?? show internal grep help
| ~.. internal less
| ~{} json indent
| ~{}.. json indent and less
| ~word grep for lines matching word
| ~!word grep for lines NOT matching word
| ~word[2] grep 3rd column of lines matching word
| ~word:3[0] grep 1st column from the 4th line matching word
+ see ## Use of ~
Head = [-+=A-Za-z0-9.*!?/]
# '?' (not followed by '*') '-' '+' ends parsing
Arg = ([-/+*^A-Za-z0-9.,_=\[\]?{}$] | Escape)*
```
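As an added example (not part of the original note and not radare2's own parser), this Python code splits a command line along the productions above and reports which operators reach outside the r2 session, a check worth running on command strings before a script hands them to r2. The function names and the use of double quotes as the QuotedStatement delimiter are assumptions; iterators are only recorded, and `H>` and the contents of backticks are not interpreted.

```python
import re

# Atoms: a backtick substitution, an operator from the page's table, or plain text.
TOKEN = re.compile(r"`[^`]*`|@{1,3}|>{1,2}|[~|;]|[^`@>~|;]+")

def parse_line(line):
    """Split one r2 command line into statements; each maps operator -> text."""
    line = line.strip()
    if line.startswith("!"):                      # Command = '!' Shell
        return [{"shell": line[1:].strip()}]
    if len(line) > 1 and line[0] == line[-1] == '"' and line.count('"') == 2:
        return [{"cmd": line[1:-1], "quoted": True}]   # operators and ';' are literal
    statements, cur, field = [], {"cmd": ""}, "cmd"
    for tok in TOKEN.findall(line):
        if tok == ";":                            # Statement { ';' Statement }
            statements.append(cur)
            cur, field = {"cmd": ""}, "cmd"
        elif tok[0] in "@>~|":                    # TmpSeek, Redirection, Grep or pipe
            field = tok
            cur[field] = ""
        else:
            if tok.startswith("`"):
                cur["subst"] = True               # `cmd` output is pasted into the line
            cur[field] += tok
    statements.append(cur)
    cleaned = [{k: v.strip() if isinstance(v, str) else v for k, v in s.items()}
               for s in statements]
    return [s for s in cleaned if any(s.values())]   # drop empty statements

def side_effects(line):
    """Features that reach outside the r2 session, named after the page's help text."""
    found = set()
    for s in parse_line(line):
        cmd = s.get("cmd", "")
        if "shell" in s or "|" in s or cmd.lstrip(".").startswith("!"):
            found.add("shell")                    # '!cmd' runs a shell; '|cmd' pipes out
        if ">" in s or ">>" in s:
            found.add("file-write")               # '>file' and '>>file'
        if s.get("subst"):
            found.add("substitution")
        if cmd.startswith("."):
            found.add("script")                   # '.cmd' runs output as an r2 script
    return found

# Constructed sample lines built from commands in the help text above.
for sample in ("pd 4 @ sym.main+3 ~mov", "pd|less", ".!rabin2 -re $FILE"):
    print(sample, parse_line(sample), sorted(side_effects(sample)))
```

A line that is not one cleanly quoted statement is parsed as ordinary statements, so a `!` or `>` after a closing quote is still reported.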
## Use of `$`
```
aetr ==,$z
x $(x)
```
## Use of `^`
```
?v 32^'a'
```
## Use of ~
```
[0x1000011e0]> ~?
|Usage: [command]~[modifier][word,word][endmodifier][[column]][:line]
modifier:
| & all words must match to grep the line
| $[n] sort numerically / alphabetically the Nth column
| + case insensitive grep (grep -i)
| ^ words must be placed at the beginning of line
| ! negate grep
| ? count number of matching lines
| ?. count number chars
| ?? show this help message
| :[s]-[e] show lines s-e
| .. internal 'less'
| ... internal 'hud' (like V_)
| {} json indentation
| {path} json grep
| {}.. less json indentation
| endmodifier:
| $ words must be placed at the end of line
| column:
| [n] show only column n
| [n-m] show column n to m
| [n-] show all columns starting from column n
| [i,j,k] show the columns i, j and k
| Examples:
| i~:0 show first line of 'i' output
| i~:-2 show first three lines of 'i' output
| pd~mov disasm and grep for mov
| pi~[0] show only opcode
| i~0x400$ show lines ending with 0x400
[0x1000011e0]>
```
## Use of $
```
[0x1000011e0]> ?$?
|Usage: ?v [$.]
| $$ here (current virtual seek)
| $? last comparison value
| $alias=value Alias commands (simple macros)
| $b block size
| $B base address (aligned lowest map address)
| $f jump fail address (e.g. jz 0x10 => next instruction)
| $fl flag length (size) at current address (fla; pD $l @ entry0)
| $F current function size
| $FB begin of function
| $Fb address of the current basic block
| $Fs size of the current basic block
| $FE end of function
| $FS function size
| $Fj function jump destination
| $Ff function false destination
| $FI function instructions
| $c,$r get width and height of terminal
| $Cn get nth call of function
| $Dn get nth data reference in function
| $D current debug map base address ?v $D @ rsp
| $DD current debug map size
| $e 1 if end of block, else 0
| $j jump address (e.g. jmp 0x10, jz 0x10 => 0x10)
| $Ja get nth jump of function
| $Xn get nth xref of function
| $l opcode length
| $m opcode memory reference (e.g. mov eax,[0x10] => 0x10)
| $M map address (lowest map address)
| $o here (current disk io offset)
| $p getpid()
| $P pid of children (only in debug)
| $s file size
| $S section offset
| $SS section size
| $v opcode immediate value (e.g. lui a0,0x8010 => 0x8010)
| $w get word size, 4 if asm.bits=32, 8 if 64, ...
| ${ev} get value of eval config variable
| $k{kv} get value of an sdb query value
| RNum $variables usable in math expressions
```
## Use of .
```
[0x1000011e0]> .??
|Usage: .[r2cmd] | [file] | [!command] | [(macro)] # define macro or load r2, cparse or rlang file
| . repeat last command backward
| .r2cmd interpret the output of the command as r2 commands
| .. repeat last command forward (same as \n)
| .:8080 listen for commands on given tcp port
| . foo.r2 interpret r2 script
| .- open cfg.editor and interpret tmp file
| .!rabin -ri $FILE interpret output of command
| .(foo 1 2 3) run macro 'foo' with args 1, 2, 3
| ./ ELF interpret output of command /m ELF as r. commands
```
## Use of !
```
[0x1000011e0]> !??
|Usage: !<cmd> Run given command as in system(3)
| ! list all historic commands
| !ls execute 'ls' in shell
| !! save command history to hist file
| !!ls~txt print output of 'ls' and grep for 'txt'
| .!rabin2 -rpsei ${FILE} run each output line as a r2 cmd
| !echo $SIZE display file size
| !- clear history in current session
| !-* clear and save empty history log
| !=! enable remotecmd mode
| =!= disable remotecmd mode
|
Environment:
| R2_FILE file name
| R2_OFFSET 10base offset 64bit value
| R2_BYTES TODO: variable with bytes in curblock
| R2_XOFFSET same as above, but in 16 base
| R2_BSIZE block size
| R2_ENDIAN 'big' or 'little'
| R2_IOVA is io.va true? virtual addressing (1,0)
| R2_DEBUG debug mode enabled? (1,0)
| R2_BLOCK TODO: dump current block to tmp file
| R2_SIZE file size
| R2_ARCH value of asm.arch
| R2_BITS arch reg size (8, 16, 32, 64)
| RABIN2_LANG assume this lang to demangle
| RABIN2_DEMANGLE demangle or not
| PDB_SERVER e pdb.server
```
## Use of ()
```
[0x1000011e0]> (??
|Usage: (foo args,cmd1,cmd2,..)Aliases
| (foo args,..,..) define a macro
| (foo args,..,..)() define and call a macro
| (-foo) remove a macro
| .(foo) to call it
| () break inside macro
| (* list all defined macros
| Argument support:
| (foo x y, $0 @ $1) define fun with args (x - $0, y - $1)
| .(foo 128 0x804800) call it with args
| Iterations:
| .(foo,() $@) define iterator returning iter index
| x @@ .(foo) iterate over them
```