Rogue Binary

Open once, ask focused questions

The r2 tools are split between lifecycle, metadata, code views, references, projections, bytes, and expression helpers.

Session lifecycle: r2_open, r2_close, r2_sessions, and r2_cmd.
Metadata and inventory: r2_metadata, r2_find, r2_classes, r2_imports_grouped, and r2_lookup_address.
Code views: r2_disassemble, r2_decompile, and r2_function_view.
References and flow: r2_xrefs, r2_trace_data_flow, r2_value_trace, and r2_var_xrefs.

Tool	Purpose	Key params	Next step
`r2_open`	Start a persistent r2pipe session.	`binary_path`.	`r2_metadata mode=functions`.
`r2_metadata`	Mode-driven inventory.	`mode`, `filter`, `offset`, `limit`.	`r2_function_view`.
`r2_find`	Search functions, strings, imports, or bytes.	`search_type`, `pattern`, `limit`.	`r2_lookup_address`.
`r2_imports_grouped`	Group imports by behavior with callers.	`binary_path`.	`r2_xrefs` or Ghidra calls.
`r2_cmd`	Escape hatch for raw r2 commands.	`command`.	Prefer typed tools once the query is known.

Open and list functions

{
  "tool": "r2_open",
  "arguments": {
    "binary_path": "/samples/payload.exe"
  }
}

{
  "tool": "r2_metadata",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "mode": "functions",
    "limit": 100
  }
}

Function view modes

r2_function_view is the cheap first-pass function projection. Use analyze first, then narrow the mode.

analyze for first-pass function triage.
cfg for blocks and edges.
refs for compact reference summaries.
vars, profile, and strings when the target is already narrowed.

Mode	Use when	Returns	Follow with
`analyze`	First look at a function.	Compact summary; optional asm preview.	`cfg`, `refs`, or `strings`.
`info`	You need address/name/size facts.	Function metadata.	`signature` or `vars`.
`signature`	You need typed args/return hints.	Structured signature.	`vars`.
`vars`	You need locals and arguments.	Register and stack variables.	`refs` or Ghidra variables.
`profile`	You need behavior counts.	Function profile stats.	`callees`.
`strings`	You need literals referenced by the function.	String refs.	`r2_find` or Ghidra inventory.
`constants`	You need immediate values.	Constants in the function.	`crypto_detect` or manual review.
`callees`	You need called functions.	Callee list.	`r2_xrefs`.
`refs`	You need function references.	Ref summaries.	`cfg`.
`cfg`	You need control flow.	Blocks and edges.	`r2_disassemble` only after narrowing.

Cheap function triage

{
  "tool": "r2_function_view",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "addr": "0x401000",
    "mode": "analyze",
    "include_asm": false
  }
}

CFG follow-up

{
  "tool": "r2_function_view",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "addr": "0x401000",
    "mode": "cfg"
  }
}

Focused projections

Use these when the question is about paths, artifacts, fields, jump tables, or ESIL access patterns.

r2_path_digest
r2_artifact_summary
r2_field_xrefs
r2_jump_table_slices
r2_esil_accesses
r2_get_bytes and r2_calculate

Need	Use	Avoid	Reason
Byte proof at an address	`r2_get_bytes`.	Full disassembly.	Bytes are cheaper and exact.
Address meaning	`r2_lookup_address`.	Manual symbol search.	Resolves flags, symbols, modules, and enclosing function.
Expression math	`r2_calculate`.	Client-side guessing.	r2 understands symbols and flags.
Function path summary	`r2_path_digest`.	Raw graph dumps.	Returns a smaller path-level projection.