More radare2 (1/?)

Last day of vacation, but being home with small kids completely flips
the perspective, which means that tomorrow, first day of work, will be
the actual first day of vacation...

Once everyone is in bed, I can finally indulge in learning some secret art.
Lately this means Radare2: a baroque binary analysis tool.
Let's list some commands I've been playing with:

    iI - Binary info
    af - Analyze functions
    px - Print hexadecimal

> Flags:_
Basically they are pointers: the value is usually an address in memory,
and the size property defines the size of the pointed object.  The `af`
command populates the flag space named "functions" with flags having
names such as `sym.main`.

    fs - list available flag spaces
    fs SPACENAME - enable filter on listed flags, only list from the flag space
                   named SPACENAME
    f FLAGNAME 0x10 0x23040 - Assign a flag having name FLAGNAME, size 0x10 and
                              offset 0x23040.
    f-- - Erase all flags.

> Example:_
af                  - analyze functions
fs functions        - filter flag space of functions
f | grep main       - print all flags, but grep for main
f--                 - reset the flags, losing analyzed info.

    bf FLAGNAME - set the block size to the size value of the provided flag.
    b* - display block size.

> Example:_
bf sym.main
b*

> Corollary:_
bf sym.x            - set block size the size of function x
pd sym.x            - disassemble one block starting from the beginning of x,
                      therefore the whole x.
pdf sym.x           - Same as for previous two commands, but without changing
                      the global block size.

> Dollar-prefix_

There's a bunch of variables prefixed with '$', such as...

    $l - length of the opcode at the current seek.
    $FB - function beginning
    $FS - function size
    $$ - current seek.

    ?v - Print value.

> Example:_
s sym.main        - Seek to main()
?v $l             - Print length of the first opcode.
?v $l @ sym.x     - (not tested), temporary seek to x() and print first opcode
                    length.

> Json querying?_

I've noticed that a few commands, usually suffixed with `j`, emit output in
json format.  I suppose this is useful for front-ends.
Since I learned that the pipe symbol works as in shells, I could do the
following:

    oj | jq .

where `oj` lists open files in json format, and jq(1) is used to pretty print
the resulting json.
Nice but pointless: as it turns ut, the `~` suffix allows to modify the output,
and `{}` stands for json indentation.  (hint: try `~?`).

    oj ~{}
    oj ~{[0].writable}

> Conclusions_

I spent some time fooling around the idea of loading a file in the
addressing space of a binary, so that a program (written on purpose)
that dumps data from an arbitrary address in memory will effectively
find something there, instead of crashing and burning.

I failed, but I've learned some valuable shit.

The notes above have been jotted on paper with my Parker Jotter, and
copied in this text file.  What a pleasant night!

Time to sleep now :)