Rizin Reference Card

This chapter is based on the Radare 2 reference card by Thanat0s, which is under the GNU GPL. Original license is as follows:

This card may be freely distributed under the terms of the GNU
general public licence — Copyright by Thanat0s - v0.1 -

Survival Guide

Those are the basic commands you will want to know and use for moving around a binary and getting information about it.

s (tab)Seek to a different place
x [nbytes]Hexdump of nbytes, $b by default
aaAuto analyze
pdf@ funcnameDisassemble function (main, fcn, etc.)
f fcn(Tab)List functions
f str(Tab)List strings
fr [flagname] [newname]Rename flag
psz [offset]~grepPrint strings and grep for one
axF [flag]Find cross reference for a flag


Flags are like bookmarks, but they carry some extra information like size, tags or associated flagspace. Use the f command to list, set, get them.

fList flags
fd $$Describe an offset
fjDisplay flags in JSON
flShow flag length
fx [flagname]Show hexdump of flag
fC [name] [comment]Set flag comment


Flags are created into a flagspace, by default none is selected, and listing flags will list them all. To display a subset of flags you can use the fs command to restrict it.

fsDisplay flagspaces
fs *Select all flagspaces
fs [space]Select one flagspace


Binary files have information stored inside the headers. The i command uses the RzBin api and allows us to the same things rz-bin do. Those are the most common ones.

iiInformation on imports
iIInfo on binary
ieDisplay entrypoint
iSDisplay sections
irDisplay relocations
izList strings (izz, izzz)

There are different ways to represent a string in memory. The ps command allows us to print it in utf-16, pascal, zero terminated, .. formats.

psz [offset]Print zero terminated string
psb [offset]Print strings in current block
psx [offset]Show string with scaped chars
psp [offset]Print pascal string
psw [offset]Print wide string

Visual mode

The visual mode is the standard interactive interface of rizin.

To enter in visual mode use the v or V command, and then you'll only have to press keys to get the actions happen instead of commands.

VEnter visual mode
p/PRotate modes (hex, disasm, debug, words, buf)
cToggle (c)ursor
qBack to rizin shell
hjklMove around (or HJKL) (left-down-up-right)
EnterFollow address of jump/call
sSStep/step over
oToggle asm.pseudo and asm.esil
.Seek to program counter
/In cursor mode, search in current block
:cmdRun rizin command
;[-]cmtAdd/remove comment
/*+-[]Change block size, [] = resize hex.cols
<,>Seek aligned to block size
i/a/A(i)nsert hex, (a)ssemble code, visual (A)ssembler
bToggle breakpoint
BBrowse evals, symbols, flags, classes, ...
d[f?]Define function, data, code, ..
DEnter visual diff mode (set diff.from/to)
eEdit eval configuration variables
f/FSet/unset flag
gGGo seek to begin and end of file (0-$s)
mK/’KMark/go to Key (any key)
n/NSeek next/prev function/flag/hit (scr.nkey)
CToggle (C)olors
RRandomize color palette (ecr)
tTTab related. see also tab
vVisual code analysis menu
V(V)iew graph (agv?)
wWSeek cursor to next/prev word
uUUndo/redo seek
xShow xrefs of current func from/to data/code
yYCopy and paste selection
zfold/unfold comments in disassembly


There are many situations where we need to find a value inside a binary or in some specific regions. Use the e search.in=? command to choose where the / command may search for the given value.

/ foo\00Search for string ’foo\0’
/bSearch backwards
//Repeat last search
/w fooSearch for wide string ’f\0o\0o\0’
/wi fooSearch for wide string ignoring case
/! ffSearch for first occurrence not matching
/i fooSearch for string ’foo’ ignoring case
/e /E.F/iMatch regular expression
/x a1b2c3Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3
/x a1..c3Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff)
/x a1b2:fff3Search for bytes with mask (specify individual bits)
/d 101112Search for a deltified sequence of bytes
/!x 00Inverse hexa search (find first byte != 0x00)
/c jmp [esp]Search for asm code (see search.asmstr)
/a jmp eaxAssemble opcode and search its bytes
/ASearch for AES expanded keys
/r sym.printfAnalyze opcode reference an offset
/RSearch for ROP gadgets
/PShow offset of previous instruction
/m magicfileSearch for matching magic file
/p patternsizeSearch for pattern of given size
/z min maxSearch for strings of given size
/v[?248] numLook for a asm.bigendian 32bit value

Usable variables in expression

The ?$? command will display the variables that can be used in any math operation inside the rizin shell. For example, using the ? $$ command to evaluate a number or ?v to just the value in one format.

All commands in rizin that accept a number supports the use of those variables.

$$here (current virtual seek)
$$$current non-temporary virtual seek
$?last comparison value
$alias=valuealias commands (simple macros)
$bblock size
$Bbase address (aligned lowest map address)
$fjump fail address (e.g. jz 0x10 => next instruction)
$flflag length (size) at current address (fla; pD $l @ entry0)
$Fcurrent function size
$FBbegin of function
$Fbaddress of the current basic block
$Fssize of the current basic block
$FEend of function
$FSfunction size
$Fjfunction jump destination
$Fffunction false destination
$FIfunction instructions
$c,$rget width and height of terminal
$Cnget nth call of function
$Dnget nth data reference in function
$Dcurrent debug map base address ?v $D @ rsp
$DDcurrent debug map size
$e1 if end of block, else 0
$jjump address (e.g. jmp 0x10, jz 0x10 => 0x10)
$Jaget nth jump of function
$Xnget nth xref of function
$lopcode length
$mopcode memory reference (e.g. mov eax,[0x10] => 0x10)
$Mmap address (lowest map address)
$ohere (current disk io offset)
$Ppid of children (only in debug)
$sfile size
$Ssection offset
$SSsection size
$vopcode immediate value (e.g. lui a0,0x8010 => 0x8010)
$wget word size, 4 if asm.bits=32, 8 if 64, ...
${ev}get value of eval config variable
$r{reg}get value of named register
$k{kv}get value of an sdb query value
$s{flag}get size of flag
RzNum$variables usable in math expressions