🖥️r2

➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember it. This cheatsheet explains the r2 command with important options and switches using examples.

▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁

#  ██████╗ ██████╗ 
#  ██╔══██╗╚════██╗
#  ██████╔╝ █████╔╝
#  ██╔══██╗██╔═══╝ 
#  ██║  ██║███████╗
#  ╚═╝  ╚═╝╚══════╝

# Command Line options
	-L: List of supported IO plugins

	-q: Exit after processing commands

	-w: Write mode enabled

	-i: Interprets a r2 script

	-A: Analize executable at load time (xrefs, etc)

	-n: Bare load. Do not load executable info as the entrypoint

	-c'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')

	-p: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)

	-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed); Similar to r2 malloc://512

-----------------------------------------------------------------------------------------------------------------------------

# Configuration properties
	e: Returs configuration properties
	
	e <property>: Checks a specific property:
    		e asm.tabs => false

	e <property>=<value>: Change property value
    		e asm.arch=ppc

	e? help about a configuration property
    		e? cmd.stack

	
	
	# Show comments at right of disassembly if they fit in screen
		e asm.cmtright=true

	# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
		e asm.pseudo = true

	# Display stack and register values on top of disasembly view (visual mode)
		e cmd.stack = true

	# Solarized theme
		eco solarized

	# Use UTF-8 to show cool arrows that do not look like crap :)
		e scr.utf8 = true

-----------------------------------------------------------------------------------------------------------------------------

# Basic Commands

	; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
    
	| Pipe with shell commands: pd | less
    
	! Run shell commands: !cat /etc/passwd
    
	!! Escapes to shell, run command and pass output to radare buffer
    		
		Note: 	The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this
			command to launch it directly to the shell. A single one will walk through the io plugin list.

    	` Radare commands: wx `!ragg2 -i exec`
    
	~ grep
    
	~! grep -v
    
	~[n] grep by columns afl~[0]

    	~:n grep by rows afl~:0
	
	<command>~.. less/more mode

	+-------------------------------------------------------------------
	
	pi~mov,eax            ; lines with mov or eax
    	pi~mov&eax            ; lines with mov and eax
    	pi~mov,eax:6          ; 6 first lines with mov or eax
    	pd 20~call[0]:0       ; grep first column of the first row matching 'call'
	
	+-------------------------------------------------------------------

	.cmd Interprets command output
	
	+-------------------------------------------------------------------
	
	is* prints symbolos
	.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
	
	+-------------------------------------------------------------------
	
	.. repeats last commands (same as enter \n)
    	
	( Used to define and run macros
    
	$ Used to define alias
    
	$$: Resolves to current address
    	
	Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
    
	? Evaluate expression
	+-------------------------------------------------------------------

	[0x00000000]> ? 33 +2
	35 0x23 043 0000:0023 35 00100011 35.0 0.000000
	Note: | and & need to be escaped

	+-------------------------------------------------------------------

	?$? Help for variables used in expressions
    
	$$: Here
    
	$s: File size
    
	$b: Block size
    
	$l: Opcode length
    
	$j: When $$ is at a jmp, $j is the address where we are going to jump to
    
	$f: Same for jmp fail address
	
	$m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
    
	??? Help for ? command
    
	?i Takes input from stdin. Eg ?i username
    
	?? Result from previous operations
    
	?s from to [step]: Generates sequence from to every
    
	?p: Get physical address for given virtual address
    
	?P: Get virtual address for given physical one
    
	?v Show hex value of math expr

	+-------------------------------------------------------------------

	?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
	?v 0x4141414a - 0x41414140  = 0xa

	+-------------------------------------------------------------------

	?l str: Returns the length of string
    
	@@: Used for iteractions

	+-------------------------------------------------------------------

	wx ff @@10 20 30      Writes ff at offsets 10, 20 and 30
	wx ff @@`?s  1 10 2`  Writes ff at offsets 1, 2 and 3
	wx 90 @@ sym.*        Writes a nop on every symbol

	+-------------------------------------------------------------------

# Positioning

	s address: Move cursor to address or symbol
	
	s-5 (5 bytes backwards)
	
	s- undo seek

	s+ redo seek

# Block Size

	b size: Change block size

# Analyze
	
	aa: Analyze all (fcns + bbs) same that running r2 with -A

	ahl <length> <range>: fake opcode length for a range of bytes
	
	ad: Analyze data

	ad@rsp (analize the stack)

	+ Normal mode
		
		af: Analyze functions

		afl: List all functions
    			number of functions: afl~?

		afi: Returns information about the functions we are currently at

		afr: Rename function: structure and flag
	
		afr off: Restore function name set by r2

		afn: Rename function
		
		afn strlen 0x080483f0

		af-: Removes metadata generated by the function analysis

		af+: Define a function manually given the start address and length
			af+ 0xd6f 403 checker_loop

		axt: Returns cross references to (xref to)

		axf: Returns cross references from (xref from)
	
	+ Visual mode

		d, f: Function analysis

		d, u: Remove metadata generated by function analysis

	+ Opcode analysis
		
		ao x: Analize x opcodes from current offset

		a8 bytes: Analize the instruction represented by specified bytes

# Information

		iI: File info

		iz: Strings in data section

		izz: Strings in the whole binary
	
		iS: Sections
			iS~w returns writable sections

		is: Symbols
			is~FUNC exports
		
		il: Linked libraries

		ii: Imports

		ie: Entrypoint

	+ Mitigations

		i~pic : check if the binary has position-independent-code
	
		i~nx : check if the binary has non-executable stack

		i~canary : check if the binary has canaries

# Print

	psz n @ offset: Print n zero terminated String

	px n @ offset: Print hexdump (or just x) of n bytes

	pxw n @ offset: Print hexdump of n words
		pxw size@offset  prints hexadecimal words at address

	pd n @ offset: Print n opcodes disassambled

	pD n @ offset: Print n bytes disassembled

	pi n @ offset: Print n instructions disassambeled (no address, XREFs, etc. just instrunctions)

	pdf @ offset: Print disassembled function
		pdf~XREF (grep: XREFs)
		pdf~call (grep: calls)

	pcp n @ offset: Print n bytes in python string output.
		pcp 0x20@0x8048550
		import struct
		buf = struct.pack ("32B",
    			0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
			0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
			0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)

	p8 n @ offset: Print n bytes (8bits) (no hexdump)
	
	pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)

	pt: Interpret data as dates

	pf: Print with format

	pf.: list all formats

	p=: Print entropy ascii graph

# Write

	wx: Write hex values in current offset
    		wx 123456
    		wx ff @ 4

	wa: Write assembly
    		wa jnz 0x400d24

	wc: Write cache commit

	wv: Writes value doing endian conversion and padding to byte

	wo[x]: Write result of operation
    		wow 11223344 @102!10
        		write looped value from 102 to 102+10
        		0x00000066  1122 3344 1122 3344 1122 0000 0000 0000
    
	wox 0x90
        	XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
    	
	wox 67 @4!10
        	XOR from offset 4 to 10 with value 67

	wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)

	wF file: Writes the content of the file at the current address or specified offset

	wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
    		Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)

	woO 41424344 : get the index in the De Bruijn Pattern of the given word

# Flags

	f: List flags

	f label @ offset: Define a flag `label` at offset
    		f str.pass_len @ 0x804999c

	f -label: Removes flag

	fr: Rename flag

	fd: Returns position from nearest flag (looking backwards). Eg => entry+21

	fs: Show all flag spaces

	fs flagspace: Change to the specified flag space

	fe loop and create numbered flags:
		
		1. fs demo_flagspace
		2. fe demo_flagspace @@=`pdf~jne[1]`

# Yank & Paste

	y n: Copies n bytes from current position

	y: Shows yank buffer contentent with address and length where each entry was copied from

	yp: Prints yank buffer

	yy offset: Paste the contents of the yank buffer at the specified offset

	yt n target @ source: Yank to. Copy n bytes fromsource to target address

# Visual Mode

	q: Exits visual mode

	hjkl: move around (or HJKL) (left-down-up-right)

	o: go/seek to given offset

	?: Help

	.: Seek EIP

	<enter>: Follow address of the current jump/call

	:cmd: Enter radare commands. Eg: x @ esi

	d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
    		dr: Rename a function
    		df: Define a function

	v: Get into the visual code analysis menu to edit/look closely at the current function.

	p/P: Rotate print (visualization) modes
    		hex, the hexadecimal view
    		disasm, the disassembly listing
        		Use numbers in [] to follow jump
        		Use "u" to go back
    		
		debug, the debugger
    		words, the word-hexidecimal view
    		buf, the C-formatted buffer
    		annotated, the annotated hexdump.

	c: Changes to cursor mode or exits the cursor mode
    		select: Shift+[hjkl]
    		i: Insert mode
    		a: assembly inline
    		A: Assembly in visual mode
    		y: Copy
    		Y: Paste
    		f: Creates a flag where cursor points to
    		<tab> in the hexdump view to toggle between hex and strings columns

	V: View ascii-art basic block graph of current function

	W: WebUI

	x, X: XREFs to current function. ("u" to go back)

	t: track flags (browse symbols, functions..)

	gG: Begging or end of file

	HUD
    		_ Show HUD
    		backspace: Exits HUD
    		We can add new commands to HUD in: radare2/shlr/hud/main

	;[-]cmt: Add/remove comment

	m<char>: Define a bookmark

	'<char>: Go to previously defined bookmark

# ROP
	
	/R opcodes: Search opcodes
    	
	/R pop,pop,ret
	
	/Rl opcodes: Search opcodes and print them in linear way
	
	/Rl jmp eax,call ebx

	/a: Search assembly
    	
	/a jmp eax

	pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassmbling byte per byte instead of obeying to opcode leng

	e search.roplen = 4  (change the depth of the search, to speed-up the hunt)

# Searching

	/ bytes: Search bytes
    		\x7fELF

	+-------------------------------------------------------------------

	push ebp
	mov ebp, esp

	Opcodes: 5589e5

	/x 5589e5
		[# ]hits: 54c0f4 < 0x0804c600  hits = 1
    		0x08049f70 hit0_0 5589e557565383e4f081ec
    		0x0804c31a hit0_1 5589e583ec18c704246031
    		0x0804c353 hit0_2 5589e583ec1889442404c7
    		0x0804c379 hit0_3 5589e583ec08e87cffffff
    		0x0804c3a2 hit0_4 5589e583ec18c70424302d

		pi 5 @@hit* (Print 5 first instructions of every hit)

	+-------------------------------------------------------------------

	Its possible to run a command for each hit. Use the cmd.hit property:

		e cmd.hit=px

# Comments and defines

	Cd [size]: Define as data

	C- [size]: Define as code

	Cs [size]: Define as String

	Cf [size]: Define as struct
    		We can define structures to be shown in the disassmbly

	CC: List all comments or add a new comment in console mode
    		C* Show all comments/metadata
    		CC <comment> add new comment
    		CC- remove comment

# Magic files

	pm: Print Magic files analysis
    		[0x00000000]> pm
    		0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1

	/m [magicfile]: Search magic number headers with libmagic

	search.align
	search.from (0 = beginning)
	search.to (0 = end)
	search.asmstr
	search.in

# Yara
	
	:yara scan

# Zignatures

	zg <language> <output file>: Generate signatures
		eg: zg go go.z

	Run the generated script to load signatures
    		eg: . go.z

	z: To show signatures loaded:

	+-------------------------------------------------------------------
	
	r2-(pid2)> pd 35 @ 0x08049adb-10
	|          0x08049adb   call fcn.0805b030
	|             fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
	|          0x08049ae0   add esp, 0xc
	|          0x08049ae3   call fcn.08095580

	+-------------------------------------------------------------------

# Compare Files

	r2 -m 0xf0000 /etc/fstab    ; Open source file
	
	o /etc/issue                ; Open file2 at offset 0
	
	o                           ; List both files

	cc offset: Diff by columns between current offset address and "offset"

# Graphs

	+ Basic block graphs
		
		af: Load function metadata

		ag $$ > a.dot: Dump basic block graph to file

		ag $$ | xdot: Show current function basic block graph

	+ Call graphs

		af: Load function metadata

		agc $$ > b.dot: Dump basic block graph to file

	+ Convert .dot in .png

		dot -Tpng -o /tmp/b.png b.dot

	+ Generate graph for file

		radiff2 -g main crackme.bin crackme.bin > /tmp/a
		xdot /tmp/a

# Debugger

	+ Start r2 in debugger mode. r2 will fork and attach
		
		r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
		
		ptrace://pid (debug backend does not notice, only access to mapped memory)

	+ Pass arguments
		
		r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)

	+ Pass stdin
		
		r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)

	+ Commands

		do: Reopen program

		dp: Shows debugged process, child processes and threads

		dc: Continue

		dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)

		dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)

		ds: Step in

		dso: Step out

		dss: Skip instruction

		dr register=value: Change register value

		dr(=)?: Show register values

		db address: Sets a breakpoint at address
    			db sym.main add breakpoint into sym.main
    			db 0x804800 add breakpoint
    			db -0x804800 remove breakpoint

		dsi (conditional step): Eg: "dsi eax==3,ecx>0"

		dbt: Shows backtrace

		drr: Display in colors and words all the refs from registers or memory

		dm: Shows memory map (* indicates current section)
    			[0xb776c110]> dm
    			sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
    			sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
    			sys 0xb776a000 - 0xb776b000 s r-x [vdso]
    			sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
    			sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
    			sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]

	+ To follow child processes in forks (set-follow-fork-mode in gdb)

		dcf until a fork happen then use dp to select what process you want to debug.

	+ PEDA like details
		
		drr;pd 10@-10;pxr 40@esp

	+ Debug in visual mode

		toggl breakpoints with F2
		single-step with F7 (s)
		step-over with F8 (S)
		continue with F9

# WebGUI
	
	=h: Start the server
	=H: Start server and browser

# rax2 - Base Conversion

	-e: Change endian
	
	-k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
	
	-s: ASCII to hex
    		rax2 -S hola (from string to hex)
    		rax2 -s 686f6c61 (from hex to string)

	-S: binary to hex (for files)
	
	-N: pack an integer 
		rax2 -N 0x1234 # \x34\x12\x00\x00

# rahash2 - Entropy, hashes and checksums

	-a: Specify the algorithm

	-b XXX: Block size

	-B: Print all blocks

	-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
	
	+ Rot13 with rahash2
		rahash2 -E rot -S s:13 -s ‘Hello\n’

# radiff2 - File diffing

	-s: Calculate text distance from two files.

	-d: Delta diffing (For files with different sizes. Its not byte per byte)

	-C: Code diffing (instead of data)

	+-------------------------------------------------------------------

	Diff original and patched on x86_32, using graphdiff algorithm
    		radiff2 -a x86 -b32 -C original patched

	Show differences between original and patched on x86_32
    		radiff2 -a x86 -b32 original patched :

	+-------------------------------------------------------------------

# rasm2 - Assembly/Disasembly
 
	-L: Supported architectures

	-a arch instruction: Sets architecture
    		rasm2 -a x86 'mov eax,30' => b81e000000

	-b tam: Sets block size

	-d: Disassembly
    		rasm2 -d b81e000000 => mov eax, 0x1e

	-C: Assembly in C output
    		rasm2 -C 'mov eax,30' => "\xb8\x1e\x00\x00\x00"

	-D: Disassemble showing hexpair and opcode
    		rasm2 -D b81e0000 => 0x00000000   5               b81e000000  mov eax, 0x1e

	-f: Read data from file instead of ARG.

	-t: Write data to file

	+ Disassemble shellcode from hex stdin

	+-------------------------------------------------------------------

	echo -n "31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05" | rasm2 -a x86 -b 64 -d -
		xor eax, eax
		movabs rbx, 0xff978cd091969dd1
		neg rbx
		push rbx
		push rsp
		pop rdi
		cdq
		push rdx
		push rdi
		push rsp
		pop rsi
		mov al, 0x3b
		syscall

	+-------------------------------------------------------------------

# rafind2 - Search

	-Z: Look for Zero terminated strings

	-s str: Look for specifc string

	-X: Hex dump around output

	+ Search "/bin/sh" in libc

		rafind2 -X -s "/bin/sh" /usr/lib/libc.so.6

# ragg2 - Shellcode generator, C/opcode compiler

	P: Generate De Bruijn patterns
    		ragg2 -P 300 -r

	-a arch: Configure architecture

	-b bits: Specify architecture bits (32/64)

	-i shellcode: Specify shellcode to generate

	-e encoder: Specify encoder

	+ ragg2-cc: Generate shellcode from c

	+ Generate a x86, 32 bits exec shellcode
    		ragg2 -a x86 -b 32 -i exec

# rabin2 - Executable analysis: symbols, imports, strings

	-I: Executable information

	-C: Returns classes. Useful to list Java Classes

	-l: Dynamic linked libraries

	-s: Symbols

	-z: Strings

# rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds

	r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
	r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin

# ESIL emulation

	1) aei: Initialize ESIL VM
	
	2) aeim: Assign ESIL stack
		aeim 0xffffd000 0x1000 stack
	
	3) aeip: Program counter to current seek

	4) e io.cache=true: Enable caching read/write of virtual memory (Important if self modifying code)

	5) aes: Single stepping in emulation mode

	+ Toggle IL representation via O in Visual Mode

# ESIL Linear emulation

	Find all references to curr. address using linear esil emulation on all imports.
		
		/re$$@@ sym.imp.*

# ESIL IL Representation

	op 	esil
	------------
	mov 	=
	mul 	*
	div 	/
	and 	&
	neg	!
	read 	[]
	if 	?{
	add	+
	sub	-
	xor 	^
	or	|
	cmp	==
	write	=[]
	
	+ prefix is %
	+ carry from bit x -> %cx
	+ borrow from bit x -> %bx
	+ zero-flag -> %z
	+ parity of dst -> %p
	+ sign-flag -> %s
	+ overflow-flag -> %o

	+ BREAK - Stop parsing and emulate next instruction
	+ LOOP - restart emulation of instruction
	+ GOTO n - jump to n
	+ TODO - stop emulation and eprintf("TDOD %s", ins)

	x86			ESIL
	------------------------------------------------------
	mov eax, ebx		ebx,eax,=
	jz 0xaabbccdd		zf,?{,0xaabbccdd,eip,=,}
	cmp ecx,edx		edx,ecx,==,%z,zf,=,%b32,cf,=,%p,pf,=,%s,sf,=
	push ebp		4,esp,-=ebp,esp,=[4]

	+ ESIL Doc
		https://github.com/radare/radare2book/blob/master/esil.md
	
# r2pipe commands

	+ Invoke r2pipe script via r2 cmdline
		
		[0x00000000]> #!pipe node script.js
		[0x00000000]> #!pipe python script.py

	+ Good collection:
		https://radare.org/get/r2pipe-nn2015.pdf
		https://github.com/jpenalbae/r2-scripts
# Parsing ELF
	
	!!! open with r2 -nn 

	+ Parse 9 program headers (elf_phdr) from curr. seek plus offset 0x40 with temporary block size 0x200 in less mode (~..)

		[0x00000000]> pf 9? (elf_phdr)phdr @ $$+0x40!0x200~..
	
# pf Templates
	
	+ Generate templates for structs/enums with td command

		"td enum elf_class {ELFCLASSNONE=0, ELFCLASS32=1, ELFCLASS64=2};"

	https://github.com/Maijin/r2-pf-templates/

	+ Cast data @ <addr> to <type> and print it		
		
		tp <type>  = <address>

# r2scapy

	r2 -i r2scapy.py dump.bin
		[0x00000000]> scapy DNS 0x81de3c 48
		DNS(aa=1L, qr=1L, an=DNSRR(rclass=32769, ttl=120, rrname='flashair.local.', rdata='192.168.0.1', type=1), ad=0L, nscount=0, qdcount=1, ns=None, tc=0L, rd=1L, arcount=0, ar=None, opcode=0L, ra=0L, cd=0L, z=0L, rcode=0L, id=0, ancount=1, qd=DNSQR(qclass=32769, qtype=255, qname='flashair.local.'))
	
	+ generate packets with scapy
		>>> from scapy.all import *
		>>> sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.thepacketgeek.com")),verbose=0)

# r2m2 -Miasm  Intermediate Representation Plugin
	
	+ Assemble and disassemble MIPS32 using rasm2

		r2m2$ export R2M2_ARCH=mips32l; rasm2 -a r2m2 'addiu a0, a1, 2' |rasm2 -a r2m2 -d -
		ADDIU      A0, A1, 0x2

	+ Disassemble random MSP430 instructions in r2

		r2m2$ R2M2_ARCH=msp430 r2 -a r2m2 -qc 'woR; pd 5' -
            		0x00000000      07fa           and.w      R10, R7
            		0x00000002      47ad           dadd.b     R13, R7
            		0x00000004      f05e0778       add.b      @R14+, 0x7807(PC)
            		0x00000008      f46d81ed       addc.b     @R13+, 0xED81(R4)
            		0x0000000c      3fdc           bis.w      @R12+, R15
	+ Assemble MIPS32 using rasm2 and display the call graph using r2

		r2m2$ R2M2_ARCH=mips32b rasm2 -a r2m2 'j 0x4; nop' -B > j_nop.bin

		r2m2$ R2M2_ARCH=mips32b r2 -a r2m2 -qc 'pd 2' j_nop.bin
        		,=< 0x00000000      0c000001       JAL        0x4
       			`-> 0x00000004      00000000       NOP

# bin carving with r2

	+ Open raw dump
		
		r2 -n dump.bin
	
	+ Searching for  magic
		
		[0x00000000]> / \x7fELF
		Searching 4 bytes from 0x00000000 to 0x0000002d: 7f 45 4c 46
		0x00001340 hit0_0
		0x00001744 hit0_1
		...

	+ Dump 1M with at several hits

		[0x00000000]> b 1M
		[0x00000000]> wt @@ hit0*

	+ Automate it
		
		$ for a in dump.* ; do
		sz=`rabin2 -Z $a`     # get RBin.filesize
		r2 -wnqc"r $sz" $a  # resize file
		done

	http://radare.today/posts/carving-bins/

# r4ge - symbolic execution
	+ https://github.com/gast04/r4ge

	Usage: https://asciinema.org/a/155856

# r2wiki -Macro for using wiki in commandline
	
	+ https://github.com/securisec/r2wiki

	$wiki "query string"
	
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

  █║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌

              ██╗ ██╗ ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
             ████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
             ╚██╔═██╔╝██║  ██║██║   ██║ ╚███╔╝ █████╗  ██║  ██║
             ████████╗██║  ██║██║   ██║ ██╔██╗ ██╔══╝  ██║  ██║
             ╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
              ╚═╝ ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═════╝

               █║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░