%I The hour as a decimal number using a 12-hour clock (range 01 to 12).

%m The month as a decimal number (range 01 to 12).

%M The minute as a decimal number (range 00 to 59).

%p Either "AM" or "PM" according to the given time value.

%s The number of seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC). (TZ)

%S The second as a decimal number (range 00 to 60). (The range is up to 60 to allow for occasional leap seconds.)

%T The time in 24-hour notation (%H:%M:%S). (SU)

%y The year as a decimal number without a century (range 00 to 99).

%Y The year as a decimal number including the century.

%z The +hhmm or -hhmm numeric timezone (that is, the hour and minute offset from UTC). (SU)

%Z The timezone name or abbreviation.

There are print modes available for all basic types. If you are interested in a more complex structure, type pf?? for format characters and pf??? for examples:

[0x00499999]> pf??

|pf: pf[.k[.f[=v]]|[v]]|[n]|[0|cnt][fmt] [a0 a1 ...]

| Format:

| b byte (unsigned)

| B resolve enum bitfield (see t?)

| c char (signed byte)

| C byte in decimal

| d 0xHEX value (4 bytes) (see 'i' and 'x')

| D disassemble one opcode

| e temporally swap endian

| E resolve enum name (see t?)

| f float value (4 bytes)

| F double value (8 bytes)

| i signed integer value (4 bytes) (see 'd' and 'x')

| n next char specifies size of signed value (1, 2, 4 or 8 byte(s))

| N next char specifies size of unsigned value (1, 2, 4 or 8 byte(s))

| o octal value (4 byte)

| p pointer reference (2, 4 or 8 bytes)

| q quadword (8 bytes)

| r CPU register `pf r (eax)plop`

| s 32bit pointer to string (4 bytes)

| S 64bit pointer to string (8 bytes)

| t UNIX timestamp (4 bytes)

| T show Ten first bytes of buffer

| u uleb128 (variable length)

| w word (2 bytes unsigned short in hex)

| x 0xHEX value and flag (fd @ addr) (see 'd' and 'i')

| X show formatted hexpairs

| z null terminated string

| Z null terminated wide string

| ? data structure `pf ? (struct_name)example_name`

| * next char is pointer (honors asm.bits)

| + toggle show flags for each offset

| : skip 4 bytes

| . skip 1 byte

| ; rewind 4 bytes

| , rewind 1 byte

Use triple-question-mark pf??? to get some examples using print format strings.

[0x00499999]>

pf???

|pf: pf[.k[.f[=v]]|[v]]|[n]|[0|cnt][fmt] [a0 a1 ...]

| Examples:

| pf 3xi foo bar 3-array of struct, each

with named fields: 'foo' as hex, and 'bar' as int

| pf B (BitFldType)arg_name` bitfield type

| pf E (EnumType)arg_name` enum type

| pf.obj xxdz prev next size name Define the obj format as

xxdz

| pf obj=xxdz prev next size name Same as above

| pf *z*i*w nb name blob Print the pointers with

given labels

| pf iwq foo bar troll Print the iwq format with

foo, bar, troll as the respective names for the fields

| pf 0iwq foo bar troll Same as above, but

considered as a union (all fields at offset 0)

| pf.plop ? (troll)mystruct Use structure troll

previously defined

| pfj.plop @ 0x14 Apply format object at

the given offset

| pf 10xiz pointer length string Print a size 10 array of

the xiz struct with its field names

| pf 5sqw string quad word Print an array with sqw

struct along with its field names

| pf {integer}? (bifc) Print integer times the

following format (bifc)

| pf [4]w[7]i Print an array of 4 words

and then an array of 7 integers

| pf ic...?i foo bar "(pf xw yo foo)troll" yo Print nested anonymous

structures

| pf ;..x Print value located 6

bytes from current offset

| pf [10]z[3]i[10]Zb Print an fixed size str,

widechar, and var

| pfj +F @ 0x14 Print the content at

given offset with flag

| pf n2 print signed short (2

bytes) value. Use N instead of n for printing unsigned values

| pf [2]? (plop)structname @ 0 Prints an array of

structs

| pf eqew bigWord beef Swap endianness and print

with given labels

| pf.foo rr (eax)reg1 (eip)reg2 Create object referencing

to register values

| pf tt troll plop print time stamps with

labels troll and plop

Some examples are below:

[0x4A13B8C0]> pf i

0x00404888 = 837634441

[0x4A13B8C0]> pf

0x00404888 = 837634432.000000

Valid print code formats for human-readable languages are:

   • pc C

   • pc* print 'wx' r2 commands

   • pch C half-words (2 byte)

   • pcw C words (4 byte)

   • pcd C dwords (8 byte)

   • pci C array of bytes with instructions

   • pca GAS .byte blob

   • pcA .bytes with instructions in comments

   • pcs string

   • pcS shellscript that reconstructs the bin

   • pcj json

   • pcJ javascript

   • pco Objective-C

   • pcp python

   • pck kotlin

   • pcr rust

   • pcv JaVa

   • pcV V (vlang.io)

   • pcy yara

   • pcz Swift

If we need to create a .c file containing a binary blob, use the pc command, that creates this output. The default size is like in many other commands: the block size, which can be changed with the b command.

We can also just temporarily override this block size by expressing it as an argument.

[0xB7F8E810]>

pc 32

#define _BUFFER_SIZE 32

unsigned char buffer[_BUFFER_SIZE] = {

0x89, 0xe0, 0xe8, 0x49, 0x02, 0x00, 0x00, 0x89, 0xc7, 0xe8, 0xe2, 0xff,

0xff, 0xff, 0x81, 0xc3, 0xd6, 0xa7, 0x01, 0x00, 0x8b, 0x83, 0x00, 0xff,

0xff, 0xff, 0x5a, 0x8d, 0x24, 0x84, 0x29, 0xc2 };

That cstring can be used in many programming languages, not just C.

[0x7fcd6a891630]>

pcs

"\x48\x89\xe7\xe8\x68\x39\x00\x00\x49\x89\xc4\x8b\x05\xef\x16\x22\x00\x5a\x48\x8d\x24\xc4\x29\xc2\x52\x48\x89\xd6\x49\x89\xe5\x48\x83\xe4\xf0\x48\x8b\x3d\x06\x1a

Strings are probably one of the most important entry points when starting to reverse engineer a program because they usually reference information about functions' actions (asserts, debug or info messages...). Therefore, radare supports various string formats:

[0x00000000]> ps?

|Usage: ps[bijqpsuwWxz+] [N] Print String

| ps print string

| ps+[j] print libc++ std::string (same-endian, ascii, zero-terminated)

| psb print strings in current block

| psi print string inside curseek

| psj print string in JSON format

| psp[j] print pascal string

| psq alias for pqs

| pss print string in screen (wrap width)