22.1 Cheat Sheet

Command syntax

[#][!][cmd] [arg] [@ offset| @@ flags] [> file] [| shell-pipe] [ && ...]

All commands show their help when '?' is appended. (pm -> pm?)

Examples

10!step ; this will perform 10 steps
s +3 && 4x
pd 4 @@ sym. > file

Movement

>, <      ; seek = block_aligned( seek + block_size )
s 0x3000  ; absolute seek
s +20     ; relative seek
x @ 0x300 ; print hexdump at a temporary seek of 0x300
b 10K     ; set block size to 10 * 1024

Print command (p)

By default print commands print one block (see 'b'); all print commands accept a numeric argument to specify another size.

px         ; print hexa (aliased as 'x')
p8, p16, p32, p64 ; print byte, word, dword, qword list
pz         ; print until \0 reached (zero-terminated strings)
pr         ; raw print
pc         ; print block as C array
ps         ; GAS assembly byte buffer
pt, pT, pF ; print unix, dos and windows file times
pi, pl, pf ; print integer, long or float
pm [format] ; print formatted buffer
 e - temporarily swap endianness (for the next item)
 d - double (8 bytes)
 f - float value
 b - one byte
 B - show 10 first bytes of buffer
 i - %d integer value (4 bytes)
 w - word (16 bit hexa)
 q - quadword (8 bytes)
 p - pointer reference
 x - 0x%08x hexadecimal value
 z - \0 terminated string
 Z - \0 terminated wide string
 s - pointer to string
 t - unix timestamp string
 * - next char is pointer
 . - skip 1 byte
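To make the pm format characters concrete, here is an added Python decoder that walks a buffer with the same specifier letters (it is not radare's own code). It covers e d f b B i w q x z Z t and '.'; the specifiers that dereference pointers (p, s, *) need a memory map and are left out. The record layout in SAMPLE is constructed for the example.

```python
import struct
from datetime import datetime, timezone

# Fixed-size specifiers: pm letter -> (struct code, byte size); endian prefix added per item.
FIXED = {
    "d": ("d", 8), "f": ("f", 4), "b": ("B", 1), "i": ("i", 4),
    "w": ("H", 2), "q": ("Q", 8), "x": ("I", 4), "t": ("I", 4),
}

def pm(fmt, buf, big_endian=False):
    """Decode buf with a radare-style pm format string; returns [(specifier, value), ...]."""
    out, off = [], 0
    little = not big_endian
    for ch in fmt:
        if ch == "e":                 # swap endianness for the next item only
            little = not little
            continue
        if ch == ".":                 # skip one byte, decode nothing
            off += 1
            little = not big_endian
            continue
        prefix = "<" if little else ">"
        if ch in FIXED:
            code, size = FIXED[ch]
            (raw,) = struct.unpack_from(prefix + code, buf, off)
            off += size
            if ch in ("w", "x"):      # hexadecimal display, 16 or 32 bit wide
                val = f"0x{raw:04x}" if ch == "w" else f"0x{raw:08x}"
            elif ch == "t":           # unix timestamp rendered as UTC
                val = datetime.fromtimestamp(raw, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            else:
                val = raw
        elif ch == "B":               # peek at the next 10 bytes without consuming them
            val = buf[off:off + 10].hex(" ")
        elif ch == "z":               # NUL-terminated byte string
            end = buf.find(b"\0", off)
            end = len(buf) if end < 0 else end
            val = buf[off:end].decode("latin-1")
            off = end + 1
        elif ch == "Z":               # NUL-terminated UTF-16 wide string
            end = off
            while end < len(buf) and buf[end:end + 2] != b"\0\0":
                end += 2
            val = buf[off:end].decode("utf-16-le" if little else "utf-16-be")
            off = end + 2
        else:
            raise ValueError(f"unsupported pm specifier {ch!r}")
        little = not big_endian       # an 'e' swap only lasts one item
        out.append((ch, val))
    return out

# Constructed sample record: u32 magic, u16 flags, u8 kind, 1 pad byte, double, NUL string, u32 time.
SAMPLE = (struct.pack("<IHB", 0xDEADBEEF, 0x1234, 7) + b"\0" + struct.pack("<d", 2.5)
          + b"hello\0" + struct.pack("<I", 0))

def decode_sample():
    return pm("xwb.dzt", SAMPLE)      # the '.' steps over the pad byte
```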

Visual keys

Use 'V' command to enter into visual mode.

hjkl  ; for moving
HJKL  ; for page scrolling or byte selection in cursor mode
c     ; to toggle cursor mode
C     ; toggle scr.color
t     ; track flags (visual flag browser)
e     ; visual eval configurator
b     ; runs cmd.visualbind command

Plugins

H                  ; list plugins
H plugin-name args ; launch plugin with args

Debugger commands

!pid <pid>  ; choose working process
!th <tid>   ; choose working thread
!step       ; one step
!stepbp     ; one step using code analysis and soft breakpoints
!cont       ; continue until exception
!bt         ; show backtrace
!wp         ; manage watchpoints
!maps       ; show memory regions
!mp rw- addr len ; change memory protections
!reg        ; list registers
!oregs      ; show previous cached value of registers
!fpregs     ; display floating point or extended registers
!reg eax    ; view register value
!reg eax=33 ; set register value
!bp addr    ; set breakpoint
!bp -addr   ; unset breakpoint
!dr         ; manual setup of DRx registers
!trace      ; perform traces
!alloc size ; allocate 'size' bytes
!free addr  ; free region
!fd         ; list filedescriptors
!dump/!restore ; dump or restore process state
!dall       ; dump all pages
!core       ; force core generation
!signal     ; manage signals