good first issue
描述
it can be a good excuse to improve the help message for each command too
[0x00000000]> ?* | grep -E '.{81,}'
ERROR: Not running in interactive mode
| @B:nth temporary seek to nth instruction in current bb (negative numbers too)
| @c:cmd seek to the address printed by the given command. same as '@ `cmd`'
| @r:reg tmp seek to reg value (f.ex pd@r:PC, see also $r{PC} and $r:PC)
| @@==foo bar run the previous command appending a word on each iteration
| x @@ sym.* run 'x' over all flags matching 'sym.' in current flagspace
| x @@.file run 'x' over the offsets specified in the file (one offset per line)
| x @@/x 9090 temporary set cmd.hit to run a command on each search result
| x @@i run 'x' on all instructions of the current function (see pdr)
| '?e hello @ world print the given string, including the @ sign and the rest (r2.call)
| '0x123'?v $$ run the '?v $$' command in the 0x123 offset (same as r2.callAt)
| =[fd] cmd exec cmd at remote 'fd' (last open is default one)
| =+ [proto://]host:port connect to remote host:port (*rap://, raps://, tcp://, udp://, http://)
| =l[?] list, create or destroy background session server
| =tport start the tcp server (echo x|nc ::1 9090 or curl ::1:9090/cmd/x)
| =H[?] start the http webserver (and launch the web browser)
| ? eip-0x804800 show all representation result for this math expr
| ?' show help for the single quote (do not evaluate special characters in command)
| ?= eip-0x804800 update $? return code with result of operation
| ?d [num] disasssemble given number as a little and big endian dword
| ?e[=bdgnpst] arg echo messages, bars, pie charts and more (see ?e? for details)
| ?f [num] [str] map each bit of the number as flag string index
| ?i[?] arg prompt for number or Yes,No,Msg,Key,Path and store in $$?
| ?l[q] str returns the length of string ('q' for quiet, just set $?)
| ?p vaddr get physical address for given virtual address
| ?q num|expr compute expression like ? or ?v but in quiet mode
| ?v num|expr show hex value of math expr (no expr prints $?)
| ?w addr show what's in this address (like pxr/pxq does)
| ?x+num like ?v, but in hexpairs honoring cfg.bigendian
| "? show this help, NOTE that a single quote is simpler and works the same
| ""[cmd] directly call a command ignoring all special chars (fast)
| ""?e x;y";"?e y;x run two commands ignoring special chars (prints x;y";"?e y;x)
| */ end multiline comment. (use '/*' to start mulitiline comment
Usage: .[r2cmd] | [file] | [!command] | [(macro)] # define macro or interpret r2, r_lang,
:sql .tostring() == .tosql() # export table contents in SQL statements
| =[fd] cmd exec cmd at remote 'fd' (last open is default one)
| =+ [proto://]host:port connect to remote host:port (*rap://, raps://, tcp://, udp://, http://)
| =l[?] list, create or destroy background session server
| =tport start the tcp server (echo x|nc ::1 9090 or curl ::1:9090/cmd/x)
| =H[?] start the http webserver (and launch the web browser)
| /! ff search for first occurrence not matching, command modifier
| /!x 00 inverse hexa search (find first byte != 0x00)
| /a[?][1aoditfmsltf] jmp eax find instructions by text or bytes (asm/disasm)
| /b[?][p] search backwards, command modifier, followed by other command
| /E esil-expr offset matching given esil expressions $$ = here
| /g[g] [from] find all graph paths A to B (/gg follow jumps, see search.count and anal.depth)
| /h[?][algorithm] [digest] [size] find block of size bytes having this digest. See ph
| /m[?][ebm] magicfile search for magic, filesystems or binary headers
| /O [n] same as /o, but with a different fallback if anal cannot be used
| /s[*] [threshold] find sections by grouping blocks with similar entropy
| /r[?][erwx] sym.printf analyze opcode reference an offset (/re for esil)
| /R[?] [grepopcode] search for matching ROP gadgets, semicolon-separated
| /V[1248] min max look for an `cfg.bigendian` 32bit value in range
| /wi foo search for wide string ignoring case 'f\0o\0o\0'
| /x[?] [bytes] search for hex string with mask, ignoring some nibbles
| /a1 [number] find valid assembly generated by changing only the nth byte
| /aa mov eax linearly find aproximated assembly (case insensitive strstr)
| /aF[d] opstr find instructions matching given opstr only in analyzed code
| /ai[j] 0x300 [0x500] find all the instructions using that immediate (in range)
| /az[q] ([minstr]) search assembly constructed strings (q)uiet reduces FP (uses bin.minsz)
| /ad rax$ search in plaintext disasm for instruction matchin given glob expression
| /at [optype,optype2] list instructions matching any of the comma separated optypes
| /b[x] [str|414243] search in hexadecimal 'ABC' backwards starting in current address
| /ca[?] [algo] search for keys expanded in memory (algo can be 'aes' or 'sm4')
| /cc[?] [algo] [digest] find collisions (bruteforce block length values until given checksum is found)
| /cg search for GPG/PGP keys and signatures (Plaintext and binary form)
| /ck find well known constant tables from different hash and crypto algorithms
| /h[?][algorithm] [digest] [size] find block of size bytes having this digest. See ph
| /xn[1|2|4|8] value amount search for an array of Value repeated Amount of times
| /xv[1|2|4|8] v0 v1 v2 v3 .. search for an array of values with given size and endian
| #!?q list all available lang plugin names (See Ll?)
| #!<lang> enter interactive prompt for given language plugin
| #!pipe node -e 'console.log(123)'' run program with arguments inside an r2pipe environment
| a:[cmd] run a command implemented by an analysis plugin (like : for io)
| ad[?] analyze data trampoline (wip) (see 'aod' to describe mnemonics)
| an[?] [name] show/rename/create whatever var/flag/function used in current instruction
| aac* [len] flag function calls without performing a complete analysis
| aaf[?][efrt] analyze all functions relationships with flags, type matching and consecutive
| aaF [sym*] set anal.in=block for all the spaces between flags matching glob
| aaFa [sym*] same as aaF but uses af/a2f instead of af+/afb+ (slower but more accurate)
| aan[?][fgr] autoname functions (aang = golang, aanr = noreturn propagation, aanf = afna@@F)
| aat [fcn] analyze all/given function to convert immediate to linked structure offsets (see tl?)
| aau [len] list mem areas (larger than len bytes) not covered by functions
| aaw analyze all meta words (Cd) and add r. named flags for referenced pointers
| aae honor anal.{in,from,to} and emulate all executable regions
| aaef emulate all functions using esil to find out computed references (same as aef@@@F)
| aaepa run 'aep ret0@@@i' and then 'aaep' - all unknown imports are faked to return 0
| aaex emulate all code linearly and register only the computed xrefs
| aar [sz] analyze xrefs starting in current offset until sz bytes are consumed
| aarr analyze all function reference graph to find more functions (EXPERIMENTAL)
| ab [addr] show basic block information at given address (same as abi/afbi)
| abc[-] [color] change color of the current basic block (same as afbc, abc- to unset)
| abe [esil-expr] assign esil expression to basic block (see: aeb, dre, afbd)
| acll[j] (class_name) list all or single class detailed
| acv [class name] [addr] ([offset]) ([size]) add vtable address to class
| acvf [offset] ([class name]) lookup function address on vtable offset
| acv- [class name] [vtable id] delete vtable by id (from acv [class name])
| acb- [class name] [base class id] delete base by id (from acb [class name])
| acg print inheritance ascii graph
| aefa [addr] emulate function to find out args in given or current offset
| aet[?][s] esil trace listing and session management (requires aeim)
| aev [esil] visual esil debugger for the given expression or current instruction
| aeim initialize esil memory with default values from esil.stack.* evals
| aepa ([addr]) auto set pin in current or given address by flag name (see aaep)
| aep soft.show.r9=dr?r9 set a 'soft.' esil pin, only executed in the disasm loop
| ar.>$snapshot show r2 commands to set register values to the current state
| arp [gdb] [regprofile-file] parse gdb register profile and dump an r2 profile string
| arp* print r2 commands creating flags for each register inside the arena offset
| arpi show internal representation of the register profile
| NOTE: this help will show arp if you run drp? when cfg.debug=0
| aess step skip (in case of CALL, just skip, instead of step into)
| af ([name]) ([addr]) analyze functions (start at addr or $$)
| af- [addr] clean all function analysis data (or function at addr)
| afa analyze function arguments in a call (afal honors dbg.funcarg)
| afB 16 set current function as thumb (change asm.bits)
| afbF([0|1]) Toggle the basic-block 'folded' attribute
| afC[?] ([addr])@[addr] calculate the Cycles (afC) or Cyclomatic Complexity (afCc)
| afd[addr] show function + delta for given offset
| afi [addr|fcn.name] show function(s) information (verbose afl)
| afj [tableaddr] [elem_sz] [count] [seg] analyze function jumptable (adding seg to each elem)
| afl[?] [ls*] [fcn name] list functions (addr, size, bbs, name) (see afll)
| afn[?] name [addr] rename name for function at address (change flag too)
| afna suggest automatic name for current offset
| afo[?j] [fcn.name] show address for the function name or current offset
| afs[?] ([fcnsign]) get/set function signature at current address (afs! uses cfg.editor)
| afS[stack_size] set stack frame size for function at current address
| afu addr resize and analyze function from current address until addr
| afv[?] manipulate args, registers and variables in function
| .afbr- set breakpoint on every return address of the function
| .afbr-* remove breakpoint on every return address of the function
| afb, show basic blocks of current function in a table
| afb= display ascii-art bars for basic block regions
| afba[!] list basic blocks of current offset in analysis order (EXPERIMENTAL, see afla)
| afbc[-] [color] ([addr]) colorize basic block (same as 'abc', afbc- to unset)
| afbd list function basic block dependency list in order and set abe values
| afbe bbfrom bbto add basic-block edge for switch-cases
| afbi[j] print current basic block information
| afbj [addr] show basic blocks information in json
| afbr show addresses of instructions which leave the function
| afbo list addresses of each instruction for every basic block in function (see abo)
| afB [bits] define asm.bits for the given function
| aflx[?*jv] list function xrefs (who references or calls the current function)
| afn. same as afn without arguments. show the function name in current offset
| afs ([fcnsign]) get/set function signature at current address (afs! uses cfg.editor)
| afsq same as afs without the error message (See afsQ for non-current offset)
| afs! edit current function signature with cfg.editor
| afsv[j] print function signature filling the values from current reg and stack state
| afv* output r2 command to add args/locals to flagspace
| afv= list function variables and arguments with disasm refs
| afvd name output r2 command for displaying the value of args/locals in the debugger
| w [path] write to path or display graph image (see graph.gv.format)
| agn title1 body1 add a node with title "title1" and body "body1"
| agn "title with space" "body with space" add a node with spaces in the title and in the body
| agn title1 base64:Ym9keTE= add a node with the body specified as base64
| age title1 title2 add an edge from the node with "title1" as title to the one with title "title2"
| age "title1 with spaces" title2 add an edge from node "title1 with spaces" to node "title2"
| age- title1 title2 remove an edge from the node with "title1" as title to the one with title "title2"
| ah. list hints in human-readable format from current offset
| aha ppc @ 0x42 force arch ppc for all addrs >= 0x42 or until the next hint
| aha 0 @ 0x84 disable the effect of arch hints for all addrs >= 0x84 or until the next hint
| ahi[?] 10 define numeric base for immediates (2, 8, 10, 10u, 16, i, p, S, s)
| aht[?][s] <type> mark immediate as a type offset (deprecated, moved to "aho")
| ahv val change opcode's val field (useful to set jmptbl sizes in jmp rax)
| ahi 10|d set base to signed decimal (10), sign bit should depend on receiver size
Usage: an [aj*] # analyze name for the current address (see fd and aan commands)
| ar.>$snapshot show r2 commands to set register values to the current state
| arp [gdb] [regprofile-file] parse gdb register profile and dump an r2 profile string
| arp* print r2 commands creating flags for each register inside the arena offset
| arpi show internal representation of the register profile
| NOTE: this help will show arp if you run drp? when cfg.debug=0
| axm addr [at] copy data/code references pointing to addr to also point to curseek (or at)
| axfj [addr] find data/code references to this address and print in json format
| axtj ([addr]) find data/code references to this address and print in json format
| b64:AA= receive a base64 string that is executed without evaluating special chars
| cg[?][afo] [file] compare graphdiff current file and find similar functions
| cV[1248] [addr] @at compare 1,2,4,8-byte address contents (silent, return in $?)
| cu2 $$+1 > p compare words (half, 16bit) from current seek and +1
| C list meta info in human friendly form
| C*. list meta info of current offset in r2 commands
| C- [len] [[@]addr] delete metadata at given address range
| C. list meta info of current offset in human friendly form
| CCa[+-] [addr] [text] add/remove comment at given address
| CL[-][*] [file:line] [addr] show or add 'code line' information (bininfo)
| CS[-][space] manage meta-spaces to filter comments, etc..
| C[Cthsdmf] list comments/types/hidden/strings/data/magic/formatted in human friendly form
| C[Cthsdmf]* list comments/types/hidden/strings/data/magic/formatted in r2 commands
| Cd[-] [size] [repeat] [@addr] hexdump data array (Cd 4 10 == dword [10])
| Cd. [@addr] show size of data at current address
| Cb[?][-] [addr] [@addr] bind both addresses for reflines purposes
| Cr[?][-] [sz] [r2cmd] [@addr] run the given command to replace SZ bytes in the disasm
| Ct[?] [-] [comment-text] [@addr] add/remove type analysis comment
| Ct.[@addr] show comment at current or specified address
| dct <len> traptrace from curseek to len, no argument to list
| dd[*] <file|addr> open file as read-only (r--); addr = use as char* for path
| dd+[*] <file|addr> open/create file as read-write (rw-); addr = use as char* for path
| dm address size allocate <size> bytes at <address> (anywhere if address is -1) in child process
| dm= list memory maps of target process (ascii-art bars)
| dmd[aw] [file] dump current (all or writable) debug map region to a file (from-to.dmp) (see Sd)
| dmi* [addr|libname] [symname] list symbols of target lib in radare commands
| dmis [libname] same as .dmi* - import all symbols from given lib as flags
| dml <file> load contents of file into the current map region
| dmm[?][j*] list modules (libraries, binaries loaded in memory)
| dmp[?] <address> <size> <perms> change page at <address> with <size>, protection <perms> (perm)
| dmL address size allocate <size> bytes at <address> and promote to huge page
| dmh @[malloc_state] List heap chunks of a particular arena
| dmh List the chunks inside the heap segment
| dmh* Display heap details as radare2 commands
| dmha List all malloc_state instances in application
| dmhb @[malloc_state] Display all parsed Double linked list of main_arena's or a particular arena bins instance
| dmhb [bin_num|bin_num:malloc_state] Display parsed double linked list of bins instance from a particular arena
| dmhbg [bin_num] Display double linked list graph of main_arena's bin [Under developemnt]
| dmhc @[chunk_addr] Display malloc_chunk struct for a given malloc chunk
| dmhf @[malloc_state] Display all parsed fastbins of main_arena's or a particular arena fastbinY instance
| dmhf [fastbin_num|fastbin_num:malloc_state] Display parsed single linked list in fastbinY instance from a particular arena
| dmhg [malloc_state] Display heap graph of a particular arena
| dmhg Display heap graph of heap segment
| dmhi @[malloc_state] Display heap_info structure/structures for a given arena
| dmhj List the chunks inside the heap segment in JSON format
| dmhm[*j] List all malloc_state instance of a particular arena (@ malloc_state#addr)
| dmht Display all parsed thread cache bins of all arena's tcache instance
| dor [rarun2] comma separated list of k=v rarun2 profile options (e dbg.profile)
| dr?? same as dr?`drp~=[0]+` # list all reg roles alias names and values
| drv[?] show vector registers (also known as sve / packed / multimedia)
| arp [gdb] [regprofile-file] parse gdb register profile and dump an r2 profile string
| arp* print r2 commands creating flags for each register inside the arena offset
| arpi show internal representation of the register profile
| NOTE: this help will show arp if you run drp? when cfg.debug=0
| dsuo <optype> [<optype> ...] step until an instr matches one of the <optype>s.
| dt= show ascii-art color bars with the debug trace ranges
| dtd[qi] [nth-start] list all traced disassembled (quiet, instructions)
| dtg* graph in agn/age commands. use .dtg*;aggi for visual
| dts[?] manage trace sessions, used for step back (EXPERIMENTAL)
| dxrs <hexpairs> execute opcodes and restore state, excluding the stack
| e scr.color=0 use more colors (0: no color 1: ansi 16, 2: 256, 3: 16M)
| ecHw[word] [color] highlight 'word ' in current instruction with 'color' background
| f list flags (will only list flags from selected flagspaces)
| f-.blah@fcn.foo delete local label from function at current seek (also f.-)
| f-@addr remove flag at address expression (same as f-$$ or f-0x..)
| fe [name] create flag name.#num# enumerated flag. (f.ex: fe foo @@= 1 2 3 4)
| fla [glob] automatically compute the size of all flags matching glob
| fnj list flags displaying the real name (demangled) in JSON format
| fN [[name]] [realname] set flag real name (if no flag name current seek one is used)
| fr [[old]] [new] rename flag (if no new flag current seek one is used)
| ft[?]* flag tags, useful to find all flags matching some words
Usage: fD[*.j] [rawname] # filter/mangle raw symbol name to be valid flag name
| fD rawname print the mangled flag name using the raw name, see the ' command prefix
Usage: fR [from] [to] ([mask]) # Relocate flags matching a mask asuming old and new base addresses
| ig[?][h] guess size of binary program (igh use human units instead of number of bytes)
| ic+[klass.method] add new symbol in current seek for a given klass and method name
| icc [lang] List classes, methods and fields in Header Format (see bin.lang=swift,java,objc,cxx)
| icg [str] List classes hirearchy graph with agn/age (match str if provided)
| icqq List classes, in quieter mode (only show non-system classnames)
| icl[c] Show addresses of class and it methods, without names (iclc = class count)
| ig[?][h] guess size of binary program (igh use human units instead of number of bytes)
| li list source of current function (like gdb's 'list' command)
| m /mnt mount fs at /mnt with autodetect fs and current offset
| mL[Lj] list filesystem plugins (Same as Lm), mLL shows only fs plugin names
| mg /foo [offset size] get fs file/dir and dump to disk (support base64:)
| ms /mnt open filesystem shell at /mnt (or fs.cwd if not defined)
| mwf [diskfile] [r2filepath] write contents of local diskfile into r2fs mounted path
| o*[*] list opened files in r2 commands, show r2 script to set flag for each fd
| o++ [file] create and open file in read-write mode (see ot and omr)
| o: [len] open a malloc://[len] copying the bytes from current offset
| oo[?][+bcdnm] reopen current file (see oo?) (reload in rw or debugger)
| op[npr] [fd] select priorized file by fd (see ob), opn/opp/opr = next/previous/rotate
| ox fd fdx exchange the descs of fd and fdx and keep the mapping
| obio Load bin info from the io plugin forcing the use of bin.io
| obm([id]) merge current selected binfile into previous binfile (id-1)
| om [fd] list all defined IO maps for a specific fd
| om-.. hud view of all the maps to select the one to remove
| om. show map, that is mapped to current offset
| oma [fd] create a map covering all VA for given fd
| omd from to @ paddr simplified om; takes current seek, fd and perms
| omf [mapid] rwx change flags/perms for current/given map
| omfg[+-]rwx change flags/perms for all maps (global)
| omm [fd] create default map for given fd (omm `oq`)
| ompb [fd] prioritize maps of the bin associated with the binid
| ompd mapid deprioritize map with corresponding id
| omqq list all maps addresses (See $MM to get the size)
| omt mapid toggle map backwards tying (same as omtb)
| onn [file] ([rwx]) open file without creating any map or parsing headers with rbin)
| onnu [file] ([rwx]) same as onn, but unique, will return previos fd if already opened
| pg[?][x y w h] [cmd] create new visual gadget or print it (see pg? for details)
| py([-:file]) [expr] print clipboard (yp) run python script (py:file) oneliner `py print(1)` or stdin slurp `py-`
Usage: p=[=bep?][qj] [N] ([len]) ([offset]) show entropy/printable chars/chars bars
| NOTE: Pressing ENTER on empty command will repeat last print command in next page
| pde[q|qq|j] N disassemble N instructions following execution flow from current PC
| pdo N convert esil expressions of N instructions to C (pdO for bytes)
| pdr. recursive disassemble across the function graph (from current basic block)
| pdR recursive disassemble block size bytes without analyzing functions
| pdsf[sjq] show function summary of strings, calls, variables, references..
| pd, [n] [query] disassemble N instructions in a table (see dtd for debug traces)
| pf fmt show data using the given format-string. See 'pf??' and 'pf???'.
| pf* fmt_name|fmt show data using (named) format as r2 flag create commands
| pf.fmt_name.field_name=33 set new value for the specified field in named format
| pfv.fmt_name[.field] print value(s) only for named format. Useful for one-liners
| piE[?] same as pie but taking an amount of bytes instead of instructions
| piu[q] [optype] disassemble until instruction of given optype is found (See /atl)
| piE[?] same as pie but taking an amount of bytes instead of instructions
| piu[q] [optype] disassemble until instruction of given optype is found (See /atl)
| pp1 print incremental byte pattern (honor lower bits of cur address and bsize)
| psp print zero-terminated string, taking length defined by the first byte (psp1)
| pspw print zero-terminated 16bit wide string, taking length in bytes defined by the first byte (pspw1)
| pspw4 same as pspW, but using 4 byte dword (honoring cfg.bigendian) for length
| pspW print zero-terminated 32bit wide string, taking length in bytes defined by the first byte (pspW1)
| pspW4 same as pspW, but using 4 byte dword (honoring cfg.bigendian) for length
Usage: pv[1248z][udj] Print value(s) given size and endian (u for unsigned, d for signed decimal, j for json)
| pve [1234] ([bsize]) print value with any endian (reorder bytes with the 1234 order)
| PS* [name] print the project script file (Like P*, but requires a project)
| sff seek to the nearest flag backwards (uses fd and ignored the delta)
| so ([[-]N]) seek to N opcode(s) forward (or backward when N is negative), N=1 by default
| td <string> load types from string (quote the whole command: "td ...")
| tp[?] <type> [addr|varname] cast data at <address> to <type> and print it (XXX: type can contain spaces)
| tccl list cc signatures (return ccname (arg0, arg1, ..) err;)
| ted list all loaded enums in C output format without newlines
| tn[a] 0x3000 stop function analysis if call/jmp to this address
| tp <type> [addr|varname] cast data at <address> to <type> and print it (XXX: type can contain spaces)
| tpx <type> <hexpairs> show value for type with specified byte sequence (XXX: type can contain spaces)
| txf ([addr]) list all types used in the current or given function (same as tx.)
| wa[?] push ebp write opcode, separated by ';' (use '"' around the command)
| waF f.asm assemble file and write bytes and show 'wx' op with hexpair bytes of assembled code
| wao[?] op modify opcode (change conditional of jump. nop, etc) (RArch.patch)
| wB[-]0xVALUE set or unset bits with given value (also wB-0x2000)
| we[?] [nNsxX] [arg] extend write operations (insert instead of replace)
| wg[et] [http://host/file] download file from http server and save it to disk (wget)
| wm f0ff set binary mask hexpair to be used as cyclic write mask
| ws[?] pstring write pascal string: 1 byte for length + N for the string
| wt[?][afs] [filename] [size] write to file (from current seek, blocksize or sz bytes)
| ww foobar write wide string 'f\x00o\x00o\x00b\x00a\x00r\x00'
| wa+ nop write a nop and seek after it (use 7wa+nop to write 7 consecutive nops)
| waF f.asm assemble file and write bytes and show 'wx' op with hexpair bytes of assembled code
| waF* f.asm assemble file and show 'wx' op with hexpair bytes of assembled code
| wc* print write commands to replicate the patches in the current cache layer
| wcp [fd] list all cached write-operations on p-layer for specified fd or current fd
| wcp* [fd] list all cached write-operations on p-layer in radare commands
| wen <num> extend the underlying file inserting NUM null bytes at current offset
| weN <addr> <len> extend current file and insert bytes at address
| wex <hex_bytes> insert bytes at current offset by extending the file
Usage: wo[asmdxoArl24] [hexpairs] @ addr[!bsize] write operation in current block
| woD [algo] [key] [IV] decrypt current block with given algo and key
| woE [algo] [key] [IV] encrypt current block with given algo and key
Usage: ws[124?] [string] Pascal strings are not null terminated and store the length in binary at the beginning
Usage: wt[afs] [filename] [size] Write current block or [size] bytes from offset to file
| wtf! [filename] write to file from current address to eof (ignores given size)
| wv2 234 write unsigned short (2 bytes) with this number
| wvp 934 write 4 or 8 byte pointer, depending on asm.bits
| zb [n] find n closest matching zignatures to function at current offset
| zfs /path/**.sig recursively search for FLIRT files and scan them (see dir.depth)
| zfz filename open FLIRT file and get sig commands (zfz flirt_file > zignatures.sig)
Usage: zc[n!] other_space # Compare zignspaces, match >= threshold (e zign.diff.*)
| zcn other_space compare current space with zigns with same name on other_space
[0x00000000]>