To debug a program, start rizin with the
-d option. Note that you can attach to a running process by specifying its PID, or you can start a new program by specifying its name and parameters:
$ pidof mc 32220 $ rizin -d 32220 $ rizin -d /bin/ls $ rizin -a arm -b 16 -d gdb://192.168.1.43:9090 ...
In the second case, the debugger will fork and load the debugee
ls program in memory.
It will pause its execution early in
ld.so dynamic linker. As a result, you will not yet see the entrypoint or any shared libraries at this point.
You can override this behavior by setting another name for an entry breakpoint. To do this, add a rizin command
e dbg.bep=entry or
e dbg.bep=main to your startup script, usually it is
Another way to continue until a specific address is by using the
dcu command. Which means: "debug continue until" taking the address of the place to stop at. For example:
Be warned that certain malware or other tricky programs can actually execute code before
main() and thus you'll be unable to control them. (Like the program constructor or the tls initializers)
Below is a list of most common commands used with debugger:
> d? ; get help on debugger commands > ds 3 ; step 3 times > db 0x8048920 ; setup a breakpoint > db -0x8048920 ; remove a breakpoint > dc ; continue process execution > dcs ; continue until syscall > dd ; manipulate file descriptors > dm ; show process maps > dmp A S rwx ; change permissions of page at A and size S > dr eax=33 ; set register value. eax = 33
There is another option for debugging in rizin, which may be easier: using visual mode.
That way you will neither need to remember many commands nor to keep program state in your mind.
To enter visual debugger mode use
The initial view after entering visual mode is a hexdump view of the current target program counter (e.g., EIP for x86).
p will allow you to cycle through the rest of visual mode views.
You can press
P to rotate through the most commonly used print modes.
Use F7 or
s to step into and F8 or
S to step over current instruction.
c key you can toggle the cursor mode to mark a byte range selection
(for example, to later overwrite them with nop). You can set breakpoints with
In visual mode you can enter regular rizin commands by prepending them with
For example, to dump a one block of memory contents at ESI:
<Press ':'> x @ esi
To get help on visual mode, press
?. To scroll the help screen, use arrows. To
exit the help view, press
A frequently used command is
dr, which is used to read or write values of the target's general purpose registers.
For a more compact register value representation you might use
You can also manipulate the hardware and the extended/floating point registers.