r2vsql registers 34 scalar SQL functions backed by the live RCore. They can
be used anywhere a SQLite expression is valid — in SELECT, WHERE, ORDER BY,
joins, etc. Standard SQLite built-ins (count, sum, group_concat, like,
printf, substr, …) are of course available too.
| Function | Returns | Description |
|---|---|---|
hex(v) |
text | Format an integer as 0x... |
disasm(addr) |
text | Disassemble one instruction at addr |
disasm(addr, n) |
text | Disassemble n instructions (≤ 1000), newline-joined |
mnemonic(addr) |
text | Mnemonic (first token) of the instruction at addr |
bytes(addr, n) |
text | n bytes at addr as a hex string (≤ 65536) |
name_at(addr) |
text | Closest flag name at/below addr |
func_at(addr) |
text | Name of the function containing addr |
func_start(addr) |
int | Entry address of the function containing addr |
func_end(addr) |
int | Maximum address of the function containing addr |
func_qty() |
int | Number of analyzed functions |
size_of(addr) |
int | Real size of the function containing addr |
disasm_func(addr) |
text | Full disassembly of the function containing addr |
func_signature(addr) |
text | Function prototype at addr (same as afs) |
demangle(name) |
text | Demangled symbol name (returns the input if not mangled) |
comment_at(addr) |
text | Comment at addr, if any |
section_at(addr) |
text | Name of the section containing addr |
string_at(addr) |
text | String literal whose address is exactly addr |
read_cstr(addr) |
text | NUL/non-printable-terminated C string read from memory |
xrefs_to(addr) |
text(JSON) | [{"from":ea,"type":"C"}, ...] references to addr |
xrefs_from(addr) |
text(JSON) | [{"to":ea,"type":"C"}, ...] references from addr |
demangle(name) |
text | Demangled symbol name (input if not mangled) |
| Function | Returns | Description |
|---|---|---|
decompile(addr) |
text | Pseudocode from the configured decompiler (cmd.pdc; default pdc). Set e cmd.pdc=pdg/pdd/… to switch backend |
assemble(asm) |
text | Hex encoding of an assembled instruction (e.g. assemble('mov eax, 1') → b801000000) |
search_bytes(pat[, start, end]) |
text(JSON) | Addresses where a hex/wildcard byte pattern occurs (e.g. '48 8b ??') |
search_first(pat) |
int | Address of the first byte-pattern match, or NULL |
search_asm(asm) |
text(JSON) | Addresses where an instruction's encoding occurs (assembles asm, then searches) |
rop(query) |
text(JSON) | [{addr,gadget,retaddr}, …] ROP gadgets matching query (radare2's /g) |
entities_search(pat[, limit]) |
text(JSON) | [{name,kind,address}, …] entities whose name matches pat (funcs/flags/imports/strings) |
The command-backed helpers (
decompile,assemble,search_asm, andpatch_asmbelow) dispatch viar_core_call_*, which does not evaluate r2 command separators, so the asm/text argument cannot inject other commands.
These write straight back into the radare2 session — the change is visible to subsequent queries and to the rest of r2 immediately.
| Function | Returns | Description |
|---|---|---|
set_name(addr, name) |
int | Rename the function at addr; if none, create a flag. 1 on success |
set_comment(addr, text) |
int | Set the comment at addr. 1 on success |
del_comment(addr) |
int | Delete the comment at addr |
patch_bytes(addr, hex) |
int | Write hex bytes at addr; returns bytes written |
patch_asm(addr, asm) |
int | Assemble asm in context at addr and write it; returns bytes written |
parse_decls(text) |
int | Parse C declarations into the type database (compat: idasql/ghidrasql parse_decls) |
set_var_type(faddr, var, type) |
int | Apply a C type to a function local/argument |
set_cc(faddr, cc) |
int | Set a function's calling convention (like afc; see the callconvs table) |
Patching requires the file opened writable — start r2 with
-w, or sete io.cache=trueto keep edits in an overlay cache.
-- pretty addresses
SELECT name, hex(addr) FROM funcs LIMIT 5;
-- disassemble the first 8 instructions of main
SELECT disasm((SELECT addr FROM funcs WHERE name = 'main'), 8);
-- the byte pattern at every call site (first 4 bytes)
SELECT hex(from_ea), bytes(from_ea, 4) FROM xrefs WHERE type = 'CALL' LIMIT 10;
-- which section is each entry point in?
SELECT hex(addr), section_at(addr) FROM entries;
-- read the C string a data xref points to
SELECT hex(from_ea), read_cstr(to_ea) FROM xrefs WHERE type = 'DATA' LIMIT 10;
-- rename and annotate from SQL
SELECT set_name(0x4da0, 'real_main');
SELECT set_comment(0x4da0, 'entry of the program');
SELECT name, comment_at(addr) FROM funcs WHERE addr = 0x4da0;