r2-cheatsheet.tex

\documentclass[a4paper,landscape]{article}
\usepackage[T1]{fontenc}
\usepackage{lmodern}
\usepackage[bookmarks=true,colorlinks=true,linkcolor=black,citecolor=black,filecolor=black,urlcolor=black]{hyperref}
\usepackage{multicol}
\usepackage{geometry}
\geometry{top=1cm,left=1cm,right=1cm,bottom=1cm}
\pagestyle{empty}

% Redefine section commands to use less space
\makeatletter
\renewcommand{\section}{\@startsection{section}{1}{0mm}%
                                {-1ex plus -.5ex minus -.2ex}%
                                {0.5ex plus .2ex}%x
                                {\normalfont\large\bfseries}}
\renewcommand{\subsection}{\@startsection{subsection}{2}{0mm}%
                                {-1explus -.5ex minus -.2ex}%
                                {0.5ex plus .2ex}%
                                {\normalfont\normalsize\bfseries}}
\renewcommand{\subsubsection}{\@startsection{subsubsection}{3}{0mm}%
                                {-1ex plus -.5ex minus -.2ex}%
                                {1ex plus .2ex}%
                                {\normalfont\small\bfseries}}
\makeatother

\setcounter{secnumdepth}{0} % Don't print section numbers
\setlength{\parindent}{0pt}
\setlength{\parskip}{0pt plus 0.5ex}
\begin{document}
%\raggedright
\footnotesize
\begin{multicols*}{3}
% multicol parameters
% These lengths are set only within the two main columns
%\setlength{\columnseprule}{0.25pt}
\setlength{\premulticols}{1pt}
\setlength{\postmulticols}{1pt}
\setlength{\multicolsep}{1pt}
\setlength{\columnsep}{2pt}

\begin{center}
     \Large{\textbf{Reversing with Radare2}} \\
\end{center}

\section{Starting Radare}
The basic usage is \texttt{radare2} \textit{exe} (on some systems you can
use simply \texttt{r2} instead of \texttt{radare2}).
If there exists a script named \textit{exe}\texttt{.r2},
then it gets executed after the others rc-files.
If you want to run radare2 without opening any file, you can use \texttt{-{}-} instead of an executable name.

Some command-line options are:

\begin{tabular}{@{}ll@{}}
\texttt{-d} \textit{file} & debug executable \textit{file} \\
\texttt{-d} \textit{pid} & debug process \textit{pid} \\
\texttt{-A}	& analyze all referenced code (\texttt{aaa} command) \\
\texttt{-r} \textit{profile}\texttt{.rr2} & specifies \texttt{rarun2} profile (same as \\ & \texttt{-e dbg.profile=}\textit{profile}\texttt{.rr2}) \\
\texttt{-w}	& open file in write mode \\
\texttt{-p} [\textit{prj}] & list projects / use project \textit{prj} \\
\texttt{-h} & show help message (\texttt{-hh} the verbose one)
\end{tabular}

Example: \texttt{r2 -dA /bin/ls}

\subsection{Running in different environments: rarun2}
\texttt{rarun2} runs programs with different environments,
arguments, permissions, directories and overridden default file-descriptors.
Usage:

\texttt{rarun2} [\texttt{-t}$|$\textit{script-name}\texttt{.rr2}] [\textit{directives}] [\texttt{-{}-}] [\textit{prog-name}] [\textit{args}]

\texttt{rarun2 -t} shows the terminal name, say $\alpha$, and wait for a connection from another process. For instance, from another terminal, you can execute \texttt{rarun2 stdio=$\alpha$ program=/bin/sh} (use \texttt{stdin}/\texttt{stdout} to redirect one stream only). Run \texttt{rarun2 -h} to get a sample \texttt{.rr2} file.

rarun2 supports \emph{a lot} of directives, see the man page for details.

\section{General information}
The command \texttt{?} prints the help. Command names are hierarchically defined; for instance, all \textbf{p}rinting commands start with \texttt{p}. So, to understand what a command does, you can append \texttt{?} to a \emph{prefix} of such a command; e.g., to learn what \texttt{pdf} does, you can first try \texttt{pd?}, then the more general \texttt{p?}.
You can get recursive help with \texttt{?*}; e.g.: \texttt{p?*}

Single-line comments can be entered using \texttt{\#}; e.g. \texttt{s \# where R we?}.

Command \texttt{?} can also be used to evaluate an expression and print its result in various format; e.g. \texttt{? 5 * 8+2} (note the space after \texttt{?}). Commands \texttt{?v}/\texttt{?vi} print result only in hex/decimal. There are also some special \texttt{\$}-variables
(list them all with: \texttt{?\$?}); e.g.:

\begin{tabular}{@{}ll@{}}
\texttt{\$\$} & current virtual seek \\
\texttt{\$b} & 	block size \\
\end{tabular}

Where an address \textit{addx} is expected, you can provide any expression that evaluates to an address,
e.g. a function name or a register name. In this cheatsheet we sometimes use \textit{fn-name}, instead of \textit{addx}, to emphasize that the argument is supposed to be a function starting address. As default address is (usually?) used the current seek: \texttt{\$\$}.

All commands that:
\begin{itemize}
\item accept an optional size (e.g. \texttt{pd}), use the current block size by default (see: \texttt{b})
\item accept an optional address (e.g., \texttt{pdf}), use the current position by default (see: \texttt{s})
\end{itemize}
Commands can be chained by using \texttt{;}; e.g. \texttt{s fun; pd 2}.

A single command can be applied to each element of a sequence by using \texttt{@@}; e.g. \texttt{axt @@ str.*}, see \texttt{@@?}.

\subsection{Internal grep-like filtering}
You can filter command output by appending \texttt{\textasciitilde{}}[\texttt{!}]\textit{str}, to display only rows [not] containing string \textit{str}; e.g. \texttt{pdf\textasciitilde{}rdx} and \texttt{pdf\textasciitilde{}!rdx}. You can further filter by appending

\begin{tabular}{@{}ll@{}}
\texttt{:}\textit{r}	& display row \textit{r} ($0\le r < \#\mathit{rows}$ or, backwards \\ & with: $-\#\mathit{rows}\le r \le -1)$ \\
\texttt{[}$c_1[,c_2,\ldots]$\texttt{]}	& display columns $c_1,c_2,\ldots$ ($0\le c_i < \#\mathit{cols}$) \\
\texttt{:r[}$c_1,\ldots,c_n$\texttt{]}	& display columns $c_1,\ldots,c_n$ of row $r$ \\
\texttt{..} & pipe output into less-like viewer \\
\texttt{...} & pipe into HUD, which filters space separated strings \\
\end{tabular}

Examples: \texttt{afl\textasciitilde{}[0]}, \texttt{afl\textasciitilde{}malloc[0]}, \texttt{pdf\textasciitilde{}:2} and \texttt{pdf\textasciitilde{}mov:2}

There is much more (sorting, counting, \ldots); see: \texttt{\textasciitilde?}

\subsection{Shell interaction}
Command output can be redirected to a file by appending \texttt{>}\textit{filename}
or piped to an external command with \texttt{|}\textit{progname} [\textit{args}].
Examples: \texttt{afl > all\_functions} and \texttt{afl | wc -l}.

External commands can be run with \texttt{!!}\textit{progname} [\textit{args}].
Note: if a command starts with a single \texttt{!}, the rest of the string is passed to currently loaded IO plugin (only if no plugin can handle the command, it is passed to the shell).

Moreover, backticks can be used to send the output of r2-commands as arguments; e.g.
\texttt{!!echo `? 42`}.
Vice versa output of external programs can be used as arguments for internal commands; e.g. \texttt{pdf `echo 3` @ `echo entry0`}.

Some common Unix-like commands are implemented as built-ins; e.g. \texttt{ls}, \texttt{cd}, \texttt{pwd}, \texttt{mkdir} and \texttt{rm}.

\subsection{Radare scripting}
\begin{tabular}{@{}ll@{}}
\texttt{.} \textit{filename} & interpret r2 script \textit{filename} \\
\texttt{.!} \textit{command} & interpret output of \textit{command} as r2 commands \\
\end{tabular}

\subsection{Python scripting (via r2pipe)}
You can script Radare2 with Python, by leveraging \emph{r2pipe}, that can be easily installed (inside any Python 2 virtual environment)
with: \\ \texttt{pip install r2pipe}.

Then, you can spawn a Python interpreter, from inside r2, with: \\
\texttt{\#!pipe python} [\textit{python-file}] \\
or simply: \\
\texttt{\#.} \textit{python-file}

Once you are in Python-world, you can connect to r2 by \texttt{import}ing \texttt{r2pipe} and inizializing some variable,
say \texttt{r2}, with \texttt{r2pipe.open("\#!pipe")}, or simply \texttt{r2pipe.open()}.

Then you can interact with Radare by invoking method \texttt{cmd}; e.g. \texttt{print(r2.cmd('pdf @ entry0'))}.

You can make most Radare2 commands output in JSON format by appending a \texttt{j}; e.g. \texttt{pdfj} (instead of \texttt{pdf}).

Method \texttt{cmdj} can de-serialize JSON output into Python objects; e.g. \texttt{f = r2.cmdj('pdfj @ entry0')} \\ \texttt{print f['name'], f['addr'], f['ops'][0]['opcode']}

\subsubsection{r2pipe: connecting to other r2 instances}
You can connect to any web-listening instance of r2 by passing \texttt{r2pipe.open} a
string of the form \texttt{'http://}\textit{host}\texttt{:}\textit{port}\texttt{'}.
By using this approach you get your own seek-cursor: your seek commands won't affect
others.

To open a background web-service in r2 use command \texttt{=h\&}. You may also want to
take a look at configuration variable \texttt{http.sandbox}.

\subsection{Configuration}
\begin{tabular}{@{}ll@{}}
\texttt{e??} & list all variable names and descriptions \\
\texttt{e?}[\texttt{?}] \textit{var-name} & show description of \textit{var-name}\\
\texttt{e} [\textit{var-name}] & show the value of all variables [\textit{var-name} only] \\
\texttt{e} \textit{var-name} \texttt{=?}[\texttt{?}]& print valid values of \textit{var-name} [with descript.]\\
	& E.g. \texttt{e asm.arch=??} \\
\texttt{eco} \textit{theme-name} & select theme; eg. \texttt{eco solarized} \\
\texttt{eco} & list available themes \\
\texttt{b} [\textit{size}]& display [set] current block size \\
\texttt{env} [\textit{name} [\texttt{=}\textit{value}]] & get/set environment variables \\
\end{tabular}
\subsubsection{Some variables}
\begin{tabular}{@{}ll@{}}
% \texttt{asm.pseudo} & enable pseudo-code syntax \\
\texttt{asm.bytes} & display bytes of each instruction \\
\texttt{asm.describe} & show opcode description \\
\texttt{asm.cmt.right} & comments at right of disassembly if they fit \\
\texttt{asm.emu} & run ESIL emulation analysis on disasm \\
\texttt{asm.demangle} & Show demangled symbols in disasm \\
\texttt{asm.shortcut} & Shortcut (e.g. [1],[2],\ldots) position in visual mode \\
\texttt{bin.baddr} & base address of the binary \\
% % \\
% \texttt{bin.demangle} & Import demangled symbols from RBin \\
% \\
\texttt{cmd.bp} & command to run when a breakpoint is hit; \\ & e.g. \texttt{cmd.bp=!!}\textit{program} \\
\texttt{cmd.stack} & command to display the stack in visual \\ & debug mode (Eg: \texttt{px 32}) \\
% \\
\texttt{dbg.follow.child} & continue tracing the child process on fork \\
\texttt{dbg.funcarg} & display func.~arguments in visual mode [experimental]\\
\texttt{dbg.slow} & show stack and regs in visual mode, in a slow but \\ & verbose (e.g. telescoping) mode; check \emph{column mode} \\
\texttt{dbg.trace} & trace program execution (check also \texttt{asm.trace}) \\
% \\
\texttt{io.cache} & enable cache for IO (=non-persistent write-mode) \\
% \\
\texttt{scr.utf8} & show nice UTF-8 chars instead of ANSI \\ & (Windows: switch code-page with \texttt{chcp 65001})\\
\texttt{scr.utf8.curvy} & show curved UTF-8 corners (requires \texttt{scr.utf8}) \\
\texttt{scr.nkey} & select seek mode; affects \texttt{n}/\texttt{N} in visual mode \\
\texttt{scr.breaklines} & break lines in Visual instead of truncating them \\
\texttt{scr.html} & disassembly outputs in HTML syntax \\
%\texttt{scr.wheel} & enables mouse-wheel in visual mode
\end{tabular}
% \subsubsection{Example: my \texttt{\textasciitilde{}/.radare2rc}}
% \begin{verbatim}
% e asm.bytes=0
% e asm.cmtright=true
% e cmd.stack=px 32
% e dbg.slow=true
% e scr.utf8=true
% e scr.wheel=false
% eco solarized
% \end{verbatim}

\section{Searching: \texttt{/}}
\begin{tabular}{@{}ll@{}}
\texttt{/ \textit{str}} & search for string \textit{str} \\
\texttt{/c \textit{instr}} & search for instruction \textit{instr} \\
\texttt{/x \textit{hstr}} & search for hex-string \textit{hstr} \\
\texttt{/a \textit{asm-instr}} & assemble instruction and search for its bytes \\
\texttt{/R}[\texttt{/}]\ \textit{opcode} & find ROP gadgets [with r.e.] containing opcode; \\ & see: \url{http://radare.today/posts/ropnroll/} \\
\texttt{/A }\textit{type} & find instructions of type \textit{type} (\texttt{/A?} for the listof types) \\
\end{tabular}

Also: \texttt{e search.in=??} and \texttt{e??search} for options

\section{Seeking: \texttt{s}}
\begin{tabular}{@{}ll@{}}
\texttt{s} & print current position/address \\
\texttt{s} \textit{addx} & seek to \textit{addx} \\
\texttt{s..} \textit{hex} & changes least-significant part of current address to \textit{hex}\\
\texttt{s+} \textit{n} and \texttt{s-} \textit{n} & seek \textit{n} bytes forward/backward \\
\texttt{s++} and \texttt{s-{}-} & seek block-size bytes forward/backward \\
\texttt{s-} and \texttt{s+} & undo/redo seek \\
\texttt{s=} & list seek history \\
\texttt{s*} & list seek history as r2-commands \\
\end{tabular}

\section{Writing: \texttt{w}}
\begin{tabular}{@{}ll@{}}
\texttt{wa} \textit{asm-instr} & assemble+write opcodes;
	quote the whole command \\ &  for more instructions:
\texttt{"wa} \textit{instr$_1$}\texttt{;} \textit{instr$_2$}\texttt{;} \ldots\texttt{"} \\
\texttt{wao} \textit{\ldots} & replace current instruction; see \texttt{wao?} for details \\
\texttt{w}[\texttt{z}] \textit{str} & write string \textit{str} [and append byte \texttt{\textbackslash x00}] \\
\texttt{wx} \textit{hex-pairs} & write hex-pairs \\
\texttt{wc} & list pending changes (see variable \texttt{io.cache}) \\
% \texttt{wc*} & list pending changes in Radare commands \\
\texttt{wtf} [\textit{file}] [\textit{size}] & write to file \\
\texttt{wopO} \textit{v} & print offset of \textit{v} inside De Bruijn pattern; equiv. to\\
	& \texttt{ragg2 -q }\textit{v}; to produce a pattern: \texttt{ragg2 -r -P} \textit{size} \\
\end{tabular}

\section{Analysis (functions and syscalls): \texttt{a}}
\begin{tabular}{@{}ll@{}}
\texttt{aaa} & analyze (\texttt{aa}) and auto-name functions \\
\texttt{aod} \textit{opcode} & description of \textit{opcode} (eg. \texttt{aod jle}) \\
\texttt{afl}[\texttt{l}] & list functions [with details] \\
\texttt{afi} \textit{fn-name} & show verbose info for \textit{fn-name} \\
\texttt{afn} \textit{new-name} \textit{addx} & (re)name function at address \textit{addx} \\
\texttt{asl} & list syscalls \\
\texttt{asl} \textit{name} & display syscall-number for \textit{name} \\
\texttt{asl} \textit{n} & display name of syscall number \textit{n} \\
\texttt{afvd} \textit{var-name} & output r2 command for displaying the \\ & address and value of arg/local \textit{var-name} \\
\texttt{.afvd} \textit{var-name} & display address and value of \textit{var-name} \\
\texttt{afvn} \textit{new-name} \textit{old-name} & rename argument/local variable \\
\texttt{afvt} \textit{name} \textit{type} & change type for given argument/local \\
\texttt{afv-} \textit{name} & removes variable \textit{name} \\
\texttt{axt} \textit{addx} & find data/code references to \textit{addx} \\
\texttt{ahi} $\{$\texttt{b}$|$\texttt{d}$|$\texttt{h}$|$\texttt{o}$|$\texttt{r}$|$\texttt{S}$|$\texttt{s}$\}$ \texttt{@} \textit{addx} & define binary/decimal/hex/octal/IP/ \\ & syscall/string base for immediate \\
\end{tabular}
\vspace{-4mm}
\subsection{ESIL code emulation: \texttt{ae}}
\begin{tabular}{@{}ll@{}}
\texttt{aei}[\texttt{m}] & initialize ESIL VM state [stack] \\
\texttt{aepc} \textit{addr} & change ESIL PC to \textit{addx} (\texttt{aeip} sets PC to curseek)\\
\texttt{aer} \dots & handle ESIL registers like \texttt{dr} does \\
\texttt{aes}[\texttt{b}|\texttt{o}] & perform emulated debugger step [back|over] \\
\texttt{aecu} \textit{addr} & continue until given address \\
\end{tabular}
\vspace{-1mm}
\subsection{Graphviz/graph code: \texttt{ag}}
\begin{tabular}{@{}ll@{}}
\texttt{agfd} \textit{addr} & output graphviz code (BB at \textit{addr} and children) \\ &  E.g. view the function graph with: \texttt{agfd \$\$ | xdot -} \\
\texttt{agcd} \textit{addr} & callgraph of function at \textit{addx} \\
\texttt{agCd} & full program callgraph \\
\end{tabular}

\section{Flags (AKA ``bookmarks''): \texttt{f}}
\begin{tabular}{@{}ll@{}}
\texttt{fs [\textit{name}]} & display flagspaces [select/create fs \textit{name}] \\
\texttt{fs+} \textit{name} & push previous flagspace and set \textit{name} \\
\texttt{fs-} &           pop to the previous flagspace \\
\texttt{f} & list flags \\
\texttt{f} \textit{name} \texttt{@} \textit{addx} & \emph{or}\\
\texttt{f} \textit{name} \texttt{=} \textit{addx} & associate name \textit{name} to address \textit{addx} \\
\texttt{f- @} \textit{addx} & remove the association at address \textit{addx} \\
\texttt{f-} \textit{name} & remove the association with name \textit{name} \\
\end{tabular}

\section{Comments: \texttt{C}}
\begin{tabular}{@{}ll@{}}
% \texttt{CC} & list all comments in human friendly form \\
\texttt{CCu} \textit{text} [\texttt{@} \textit{addx}] & set (update?) comment \textit{text} at \textit{addx} \\
\texttt{CC} \textit{text} [\texttt{@} \textit{addx}] & append comment \textit{text} at \textit{addx} \\
\texttt{CC-} [\texttt{@} \textit{addx}] & remove comment at \textit{addx} \\
\texttt{CC.} [\texttt{@} \textit{addx}] & show comment at \textit{addx} \\
\texttt{CC!} [\texttt{@} \textit{addx}] & edit comment using \texttt{cfg.editor} (vim, \ldots) \\
\end{tabular}

\section{Debugging: \texttt{d}}
\begin{tabular}{@{}ll@{}}
\texttt{dc} & continue (or start) execution \\
\texttt{dcu} \textit{addx} & continue until \textit{addx} is reached \\
\texttt{dcs} [\textit{name}] & continue until the next syscall [\textit{name}] \\
\texttt{dcr} & continue until ret (uses step over) \\
\texttt{dr=} & show general-purpose regs and their values \\
\texttt{dro} & show previous (old) values of registers \\
\texttt{drr} & show register references (telescoping) \\
\texttt{dr} \textit{reg-name} \texttt{=} \textit{value} & set register value \\
\texttt{drt} & list register types \\
\texttt{drt} \textit{type} & list registers of type \textit{type} and their values \\
\texttt{db} & list breakpoints \\
\texttt{db}[\texttt{-}]\ \textit{addx} & add [remove] breakpoint \\
\texttt{doo} [\textit{args}] & (re)start debugging; synonym of \texttt{ood}\\
\texttt{ds}[\texttt{o}] & step into [over]\\
\texttt{dbt} & display backtrace (check \texttt{dbg.btdepth}/\texttt{btalgo}) \\
\texttt{drx} & hardware breakpoints \\
\texttt{dm} & list memory maps; the asterisk shows where \\ & the current offset is \\
\texttt{dmh} & show heap allocation (see: \texttt{dmh?}) \\
\texttt{dmm} & list modules (libraries, loaded binaries) \\
\texttt{dmi} [\textit{addr}|\textit{lib}] [\textit{sym}] & list symbols of target lib \\
\texttt{dmp} & change page permissions (see: \texttt{dmp?}) \\
\texttt{dt}[\texttt{d}] & list all traces [disassembled] \\
\texttt{dd} & handle file descriptors (see: \texttt{dd?}) \\
\end{tabular}

\section{Types: \texttt{t}}
\begin{tabular}{@{}ll@{}}
\texttt{"td\ }\textit{C-type-def}\texttt{"} & define a new type \\
\texttt{t} \textit{t-name} & show type \textit{t-name} in \texttt{pf} syntax \\
\texttt{.t }\textit{t-name} \texttt{@} \textit{addx} & display the value (of type \textit{t-name}) at \textit{addx} \\
\texttt{t}[\texttt{e}/\texttt{s}/\texttt{u}] & list all-types/enums/structs/unions \\
\texttt{to} \textit{file} & parse type information from C header file \\
\texttt{tl} \textit{t-name} & link \textit{t-name} to current address \\
\texttt{tl} \textit{t-name} \texttt{=} \textit{addx} & link \textit{t-name} to address \textit{addx} \\
\texttt{tl} & list all links in readable format \\
\texttt{tp} \textit{t-name} \texttt{=} \textit{addx} & cast data at \textit{addx} to type \textit{t-name}, \\ & and prints it \\
\end{tabular}

\section{Printing: \texttt{p}}
\begin{tabular}{@{}ll@{}}
\texttt{ps} [\texttt{@} \textit{addx}]& print C-string at \textit{addx} (or current position) \\
\texttt{psb} [\texttt{@} \textit{addx}]& print C-strings at \textit{addx} (or current block) \\
\texttt{pxr} [\textit{n}] [\texttt{@} \textit{addx}] & print with references to flags/code (telescoping) \\
\texttt{px} [\textit{n}] [\texttt{@} \textit{addx}] & hexdump --- note: \texttt{x} is an alias for \texttt{px}\\
\texttt{px}$\{$\texttt{h}$|$\texttt{w}$|$\texttt{q}$\}$ \ldots & hexdump in 16/32/64 bit words \\
\texttt{px}$\{$\texttt{H}$|$\texttt{W}$|$\texttt{Q}$\}$ \ldots & as the previous one, but one per line \\
\texttt{pxl} [\textit{n}] [\texttt{@} \textit{addx}] & display \textit{n} rows of hexdump \\
\texttt{px/}\textit{fmt} [\texttt{@} \textit{addx}] & gdb-style printing \textit{fmt} (in gdb see: \texttt{help x} \\ & from r2: \texttt{!!gdb -q -ex 'help x' -ex quit}) \\
\texttt{pd} [\textit{n}] [\texttt{@} \textit{addx}] & disassemble \textit{n} instructions (backwards if $n<0$) \\
\texttt{p8} [\textit{n}] [\texttt{@} \textit{addx}] & print bytes \\
\texttt{pD} [\textit{n}] [\texttt{@} \textit{addx}] & disassemble \textit{n} bytes \\
\texttt{pdf} [\texttt{@} \textit{fn-name}] & disassemble function \textit{fn-name} \\
\texttt{pc}[\texttt{p}] [\textit{n}] [\texttt{@} \textit{addx}] & dumps in C [Python] format \\
\texttt{*} \textit{addx} [\texttt{=}\textit{value}] & shortcut for reading/writing at \textit{addx} \\
\texttt{pf} \textit{fmt} $a_1 [,a_2,\dots]$ & formatted print, see \texttt{pf??} and \texttt{pf???} \\
\texttt{pa}[\texttt{d}] \ldots & assemble-to/disassemble-from hex-pairs \\
\end{tabular}

\section{Information: \texttt{i} (and \texttt{S})}
\begin{tabular}{@{}ll@{}}
\texttt{i} & show info of current file \\
\texttt{iz}[\texttt{z}] & strings in data sections [whole binary] \\
\texttt{i}$\{$\texttt{e}$|$\texttt{i}$|$\texttt{l}$|$\texttt{S}$|$\texttt{SS}$\}$ & entrypoint/imports/libraries/sections/segments \\
\end{tabular}

\section{Visual mode: \texttt{V} (\texttt{q} exits)}
Command \texttt{V} enters \emph{visual mode}.

\begin{tabular}{@{}ll@{}}
\texttt{q} & exit visual-mode \\
\texttt{c} & cursor-mode, \textit{tab} switches among panels \\
& \texttt{+}/\texttt{-} increment/decrement current byte \\
\texttt{:} & execute a normal-mode command; e.g. \texttt{:dm} \\
\texttt{p} and \texttt{P} & rotate forward/backward print modes \\
\texttt{/}\textit{str} & highlight occurrences of string \textit{str} \\
\texttt{\#} & toggle bytes \\
\texttt{O} & toggle ESIL-asm \\
\texttt{;} & add/remove comments (to current offset) \\
\texttt{x} & browse xrefs-to current offset \\
\texttt{X} & browse xrefs-from current function \\
\texttt{\_} & browse flags \\
\texttt{d} & define \texttt{f}unction, \texttt{e}nd-function, \texttt{r}ename, \ldots \\
\texttt{di}$\{$\texttt{b}$|$\texttt{o}$|$\texttt{d}$|$\texttt{h}$|$\texttt{s}$\}$ & define immediate bin/oct/dec/hex or str \\
\texttt{V} & enter block-graph viewer (\emph{space} toggles visual/graph)\\
\texttt{A} & enter visual-assembler (preview must be confirmed)\\
\texttt{n} / \texttt{N} & seek next/previous function/flag/hit (see \texttt{scr.nkey}) \\
\texttt{i} & enter insert mode \\
\texttt{e} & configures internal variables \\
\texttt{"} & toggle the column mode \\
\texttt{f} & (un)set flags \\
\end{tabular}
\subsection{Seeking (in Visual Mode)}
\begin{tabular}{@{}ll@{}}
\texttt{.} & seeks to program counter \\
\textit{Enter} & on jump/call instructions, follow target address \\
\texttt{u} / \texttt{U} & undo / redo \\
\texttt{o} & go/seek to given offset \\
\texttt{0} (\emph{zero})& seek to beginning of current function \\
\textit{d} (a non-zero digit) & jump to the jmp/lea-hint marked \texttt{[}\textit{d}\texttt{]} \\
\texttt{r} & toggle jmp/lea hints \\
\texttt{m}\textit{l} (a letter) & mark the spot with letter \textit{l} \\
\texttt{'}\textit{l} & jump to mark \textit{l} \\
\texttt{n} / \texttt{N} & jump to next/previous function \\
\end{tabular}
\subsection{Debugging (in Visual Mode)}
\begin{tabular}{@{}ll@{}}
\texttt{B} (\texttt{b} in older versions) or \texttt{F2} & toggle breakpoint \\
\texttt{F4} & run to cursor \\
\texttt{s} or \texttt{F7} & step-into \\
\texttt{S} or \texttt{F8} & step-over \\
\texttt{F9} & continue \\
\end{tabular}

\section{Projects: \texttt{P} [unstable feature]}
\begin{tabular}{@{}ll@{}}
\texttt{Pl} & list all projects \\
\texttt{P}$\{$\texttt{o}$|$\texttt{s}$|$\texttt{d}$\}$ [\textit{prj-name}] & open/save/delete project \textit{prj-name} \\
\texttt{Pc} \textit{prj-name} & show project script to console \\
\end{tabular}

\rule{1.0\linewidth}{0.25pt}
\scriptsize
Copyright \copyright 2017 by zxgio; cheat-sheet built on \today

This cheat-sheet may be freely distributed under the terms of the GNU
General Public License; the latest version can be found at: \\
\url{https://github.com/zxgio/r2-cheatsheet/}
\end{multicols*}
\end{document}