-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
r2frida-cheatsheet.tex
129 lines (117 loc) · 4.83 KB
/
r2frida-cheatsheet.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
\documentclass[10pt]{article}
\usepackage{r2style}
\usepackage{enumitem}
%----------------------------------------------------------------------
\title{r2frida Cheatsheet}
\begin{document}
\pagestyle{r2fancy}
\begin{center}
\Large{\bf r2frida Cheatsheet}
\rule{\textwidth}{0.2pt}
\end{center}
\begin{multicols}{3}
\subsection*{Launching}
\noindent
r2frida is an IO plugin, commands start with `{\ttc:}'
\begin{center}
\ttc{r2 frida://action/link/device/target}
\end{center}
where:
\begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*]
\itemcmd{action}{list $\vert$ apps $\vert$ attach $\vert$ spawn $\vert$ launch}
\itemcmd{link}{local $\vert$ usb $\vert$ remote}
\itemcmd{device}{{\tt \textquotesingle \textquotesingle} $\vert$ host:port $\vert$ device-id}
\itemcmd{target}{pid $\vert$ app $\vert$ program $\vert$ abspath}
\end{itemize}
\subsection*{Target Addresses}
\noindent
Commands accepting an {\tt[addr]} follow this pattern:
\begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*]
\itemcmd{0xabcd}{absolute address in hexadecimal}
\itemcmd{symname}{symbol name from module exports}
\itemcmd{objc:class}{Objective C}
\itemcmd{java:class}{Java class + method}
\end{itemize}
\subsection*{Trace Format}
\noindent
The \ttc{:dtf} command create trace hooks from a simple format-string. See \ttc{:dtf?}
\begin{itemize}[itemsep=0pt, topsep=5pt, leftmargin=*]
\itemcmd{\^{}}{trace onEnter instead of onExit}
\itemcmd{\%{}}{also trace the return value (onLeave)}
\itemcmd{+}{show backtrace when trace is hit}
\itemcmd{s}{string in place (w=wide, a=ansi)}
\itemcmd{S}{pointer to string (Z=nullable string)}
\itemcmd{O}{object reference (valid for java and objc)}
\itemcmd{x}{hexadecimal value (i=decimal)}
\itemcmd{h}{hexdump from pointer (H for ptr+length)}
\end{itemize}
%\columnbreak
\subsection*{Configuration}
\cmd{:e}{get and edit r2frida options}
\cmd{:e patch.code}{fix page perms for patching code}
\cmd{:e search.from/to/align}{scan restrictions}
\cmd{:e hook.backtrace}{show backtrace on traces}
\cmd{:e hook.verbose}{show verbose details on trace}
\cmd{:e hook.time}{show timestamp in traces}
\cmd{:e file.log}{store trace logs in a file}
\cmd{:e want.swift}{enable experimental swift support}
\subsection*{Basic Commands}
\cmd{:i}{get arch/bits from target (\ttc{.i*} to load into r2)}
\cmd{:ih}{parse binary headers of the current module}
\cmd{:ii[*]}{list imports}
\cmd{:il}{list libraries}
\cmd{:is[*] lib}{list local and global symbols of lib}
\cmd{:isa[*] [lib] sym}{show address of sym}
\cmd{:ie}{show entrypoint}
\cmd{:iE[*] lib}{same as \ttc{is}, for exported globals}
\cmd{:ic class}{list Objective-C classes or methods}
\cmd{:icn name}{list native methods from Java classes}
\cmd{:icw}{locate ObjC classes implementations (where)}
\cmd{:ip protocol}{list ObjC protocols/methods}
\cmd{:fd[*j] addr}{inverse symbol resolution}
\subsection*{Tracing}
\cmd{:dtr addr regs}{trace given registers at addr}
\cmd{:dtf addr [fmt]}{trace with format}
\cmd{:dt (addr|sym)}{trace addresses or symbols}
\cmd{:dtl[-*] [msg]}{debug trace log, useful to \ttc{.\textbackslash T*}}
\cmd{:dt.}{trace at current offset}
\cmd{:dm[.|j|*]}{show memory regions}
\cmd{:dmm[.|j|*]}{show memory range (grouped maps)}
\cmd{:dt-[*]}{clear all tracing}
%\columnbreak
\subsection*{Debugging}
\cmd{:db (addr|sym)}{list or place breakpoint}
\cmd{:db- (addr|sym|*)}{remove breakpoint(s)}
\cmd{:dc}{continue after breakpoint or resume execution}
\cmd{:dk}{send signal}
\cmd{:dkr}{show the crashdump}
\cmd{:d.}{start the chrome tools debugger}
\cmd{:dl path}{{\tt dlopen}}
\cmd{:dr}{show register values}
\subsection*{Injecting}
\cmd{:dxc [target] [args]}{call target symbol with args}
\cmd{:dxo [sym] [args]}{call an ObjC function with args}
%TODO: this command should be fixed in the future when related changes applied
\cmd{:di[0,1,-1] [addr]}{replace function to return value}
\cmd{:dii [addr] [num]}{replace function to return num}
\cmd{:dis [addr] [str]}{replace to return a string}
\cmd{:div}{replace with another function returning null}
\cmd{:dif[0,1,-1] [addr]}{replace the return value}
\cmd{:difi [addr] [num]}{replace return number}
\cmd{:difs [addr] [str]}{replace return with given string}
%TODO: this command should be fixed in the future when related changes applied
\cmd{:dir function}{revert to previous implementation}
\cmd{:dd}{list file descriptors}
\cmd{:dl lib}{{\tt dlopen} the given library}
\cmd{:dlf [path]}{load a framework (ObjC only)}
\cmd{:dl2 lib [main]}{inject a library}
\cmd{:. \hspace{-5pt}script.js}{run script}
\cmd{:eval code.js}{evaluate script in the agent}
\subsection*{Searching}
\cmd{:/[x][j] pattern}{find hex/str in \ttc{search.in=?}}
\cmd{:/w[j] string}{search wide string}
\cmd{:/v[1248][j] value}{find \ttc{e cfg.bigendian} value}
\cmd{:env [k[=v]]}{get/set environment variable}
\cmd{:e[?] \hspace{-8pt}[a[=b]]}{list/get/set config evaluable variables}
\end{multicols}
\end{document}