Diffstat (limited to 'docs/re')
-rw-r--r--  docs/re/ptrace_not_permitted.txt  22
-rw-r--r--  docs/re/radare2_cheatsheet.txt    88
-rw-r--r--  docs/re/rep_prefix.txt            18
3 files changed, 128 insertions, 0 deletions
diff --git a/docs/re/ptrace_not_permitted.txt b/docs/re/ptrace_not_permitted.txt
new file mode 100644
index 0000000..07ca568
--- /dev/null
+++ b/docs/re/ptrace_not_permitted.txt
@@ -0,0 +1,22 @@
+If you are seeing errors from your debugger such as
+strace: (PTRACE_ATTACH): operation not permitted
+ptrace: operation not permitted
+ptrace_attach: operation not permitted
+etc.
+
+This is likely because of a linux kernel hardening setting.
+/proc/sys/kernel/yama/ptrace_scope
+This setting prevents a process from running ptrace on a non-child process.
+Even with this on, a can still ptrace another process if it is a child.
+Debuggers like gdb and radare2 use ptrace when you attach via PID.
+
+You can turn this off
+$ sudo su
+$ echo 0 > /proc/sys/kernel/yama/ptrace_scope
+
+Turning this off is global, though.
+Instead, set the capabilities of just your debugger to override this setting.
+
+$ sudo setcap CAP_SYS_PTRACE=+eip /usr/bin/gdb
+$ sudo setcap CAP_SYS_PTRACE=+eip /usr/bin/radare2
+
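Review bot: the `setcap CAP_SYS_PTRACE=+eip` step is presented as narrower than `echo 0 > /proc/sys/kernel/yama/ptrace_scope`, but it is broader: CAP_SYS_PTRACE does not only bypass Yama, it also lets the debugger attach to processes owned by other users and read their /proc/<pid>/mem, and every local user who can execute that binary gets that power. If that trade-off is acceptable it should be stated; otherwise the per-target options Yama itself offers belong here: start the program under the debugger so it is a descendant, or have the debuggee call prctl(PR_SET_PTRACER, ...). In the sentence `Even with this on, a can still ptrace another process if it is a child.` the word "process" is missing and "child" should read "descendant", which is what ptrace_scope=1 actually permits. The `echo 0` route also does not survive a reboot; `sudo sysctl -w kernel.yama.ptrace_scope=0` or a drop-in under /etc/sysctl.d does. The note should tell the reader to read the current value first: 2 and 3 produce the same error (3 cannot be lowered without a reboot), and so do an unprivileged attach to another user's process or a non-dumpable (setuid) target, none of which this page covers. Finally, `/usr/bin/radare2` does not match the cheatsheet in this same commit, whose `sys/install.sh` installs under /usr/local by default; point the reader at `command -v radare2` instead of a fixed path.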
diff --git a/docs/re/radare2_cheatsheet.txt b/docs/re/radare2_cheatsheet.txt
new file mode 100644
index 0000000..7c30b89
--- /dev/null
+++ b/docs/re/radare2_cheatsheet.txt
@@ -0,0 +1,88 @@
+r2 command cheatsheet
+
+https://github.com/radareorg/radare2
+https://book.rada.re
+
+#Install
+git clone https://github.com/radareorg/radare2.git
+./sys/install.sh
+
+#Uninstall
+sudo make uninstall
+sudo make purge
+
+#Run Command From Shell Without Opening r2 Prompt
+r2 -q -c "<r2 command>" <target>
+
+#Generic
+? <expr> expression evaluation/conversions
+!<command> run shell command from inside r2
+s <addr> seek to address
+
+#Useful Operators
+<command1>;<command2> do command2 after command1
+"<command>" don't parse r2 operators in the command
+<command> `<inner command>` run inner command and use its output in outer command
+<command> ~<word> grep output of command for lines matching word
+<command> @ <address> temporarily seek to address and run command
+<command> @@ <flag>* run command on every flag matching flag*
+<command> @@f run command on all functions
+<command> @@f:<func> run command on all functions matching name
+<command> @@s:<from> <to> <step> run command on each offset from->to incrementing by step
+
+#Info and Analysis
+i print file info (including binary info; e.g. rabin -I or checksec)
+ia print binary info, imported symbols, and exported symbols
+il print linked libraries
+iS print sections (with permissions)
+is print symbols
+ic print classes
+afl print functions
+ie print entry points
+iM print main's address
+iz print strings in data section
+izz print strings in whole binary
+aaa analyze all
+fs list flagspaces
+fs <flagspace> set current flagspace
+f print current flagspace
+axt [<addr>] show references to this address
+axf [<addr>] show references from this address
+
+#Searching
+/ <string> search for string
+/i <string> case-insensitive search for string
+/e /<string>/<options> regex search for string
+/R <opcodes> search for opcodes
+/R/ <opcodes> regex search for opcodes
+/v <value> search for value
+/V <min> <max> search for value in range
+/x <hex> search for hex string
+
+#Print Address Contents
+pdf print function disassembled
+pdc print function in c-like pseudo-code
+pv print value
+px print hexdump
+ps print string
+psz print zero-terminated string
+
+#Tracking Things
+afn <func> [<addr>] rename function at address
+afvn <arg> [<old_name>] rename variable or function argument
+
+#Visual Mode
+V enter visual mode
+VV enter visual graph mode
+: open r2 cli
+p next screen
+P previous screen
+g <address> seek to address
+[tag next to call] seek to tag (in visual mode)
+o[tag next to call] seek to tag (in visual graph mode)
+x xrefs to
+X xrefs from
+m<key> mark offset (in visual mode)
+'<key> seek to marked offset (in visual mode)
+u undo seek
+U redo seek
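Review bot: several entries describe a different command than the one they name. `/R <opcodes>` and `/R/ <opcodes>` search for ROP gadgets (instruction sequences ending in ret), not for arbitrary opcodes; searching instructions by text is `/c <asm>` (e.g. `/c jmp [esp]`) and searching by assembling them is `/a <asm>`. `f` with no argument lists the flags in the current flagspace rather than printing the flagspace name; `fs` marks the current one with `*` in its listing. `rabin -I` should be `rabin2 -I`. The install recipe is also missing `cd radare2` between the clone and `./sys/install.sh`, and the `make uninstall` / `make purge` lines only work from that same checkout, which the text should say.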
diff --git a/docs/re/rep_prefix.txt b/docs/re/rep_prefix.txt
new file mode 100644
index 0000000..23e0cec
--- /dev/null
+++ b/docs/re/rep_prefix.txt
@@ -0,0 +1,18 @@
+The "rep" prefix on a string instruction repeats that string instruction for CX block loads.
+e.g.
+STOS is "Store String"
+It will store the value in AX at the address in RDI
+(technically, STOSB, STOSW, STOD, and STOSQ use AL, AX, EAX, and RAX respectively)
+If RCX = 0x20, RDI = some buffer, and RAX = 0,
+
+`rep stosq`
+
+is equivalent to:
+
+```
+buf_ptr = buf
+for(i = 0x20; i != 0; i--)
+ *buf_ptr = 0;
+ buf_ptr++;
+```
+
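Review bot: the pseudocode at the end is wrong as written: without braces, `buf_ptr++` sits outside the `for` body, so the loop writes the same slot 0x20 times and advances the pointer once. It should read `for (i = 0x20; i != 0; i--) { *buf_ptr++ = 0; }` with `buf_ptr` declared as `uint64_t *`, so that each `++` advances 8 bytes to match the q suffix; `rep stosq` with RCX = 0x20 clears 0x100 bytes, not 0x20. The prose has the same gaps: `rep` repeats the string instruction RCX times (ECX/CX under a smaller address size), decrementing RCX down to 0, and each iteration advances RDI by the operand size, or decrements it when DF = 1; "for CX block loads" should be replaced by that description, and "STOD" is a typo for STOSD. "the value in AX" is only true for STOSW; say "the low operand-size bytes of RAX" once, since the parenthetical already lists the per-width registers.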