A general format for radare commands is as follows:
[.][times][cmd][~grep][@[@iter]addr!size][|>pipe] ;
Commands are identified by a single case-sensitive character [a-zA-Z]. To repeatedly execute a command, prefix the command with a number:
px # run px
3px # run px 3 times
The ! prefix is used to execute a command in shell context. If a single exclamation mark is used, commands will be sent to the system() hook defined in the currently loaded I/O plugin. This is used, for example, by the ptrace I/O plugin, which accepts debugger commands from the radare interface.
A few examples:
ds ; call the debugger's 'step' command
px 200 @ esp ; show 200 hex bytes at esp
pc > file.c ; dump buffer as a C byte array to file.c
wx 90 @@ sym.* ; write a nop on every symbol
pd 2000 | grep eax ; grep opcodes that use the 'eax' register
px 20 ; pd 3 ; px 40 ; multiple commands in a single line
The @ character is used to specify a temporary offset at which the command to its left will be executed. The original seek position in a file is then restored. For example, pd 5 @ 0x100000fce disassembles 5 instructions at address 0x100000fce.
The ~ character enables an internal grep-like function used to filter the output of any command. For example:
pd 20~call ; disassemble 20 instructions and grep output for 'call'
Additionally, you can either grep for columns or rows:
pd 20~call:0 ; get first row
pd 20~call:1 ; get second row
pd 20~call[0] ; get first column
pd 20~call[1] ; get second column
Or even combine them:
pd 20~call:0[0] ; grep the first column of the first row matching 'call'
This internal grep function is a key feature for scripting radare, because it can be used to iterate over a list of offsets or data generated by the disassembler, ranges, or any other command. Refer to the macros section (iterators) for more information.
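As an added illustration (not part of the original radare documentation), this Python sketch models how the word, :row and [column] parts of the ~ filter select text, run over constructed disassembly-like output. The names r2_grep, split_command and SAMPLE_PD are hypothetical, and splitting columns on whitespace is an assumption of the model.

```python
import re

# Constructed sample shaped like `pd` output; addresses and symbols are made up.
SAMPLE_PD = """\
0x00001000 push rbp
0x00001001 mov rbp, rsp
0x00001004 call sym.imp.puts
0x00001009 xor eax, eax
0x0000100b call sym.check_license
0x00001010 pop rbp
0x00001011 ret
"""

# word, then optional :row, then optional [col]
_SPEC = re.compile(
    r"^(?P<word>[^:\[\]]*)(?::(?P<row>\d+))?(?:\[(?P<col>\d+)\])?$"
)


def split_command(line):
    """Split 'pd 20~call:0[0]' into the command and its grep spec (or None)."""
    cmd, sep, spec = line.partition("~")
    return cmd.strip(), (spec.strip() if sep else None)


def r2_grep(output, spec):
    """Apply a simplified model of the ~word:row[col] filter to output text."""
    m = _SPEC.match(spec)
    if m is None:
        raise ValueError(f"unsupported grep spec: {spec!r}")
    # 1. Keep only the lines that contain the word.
    lines = [ln for ln in output.splitlines() if m.group("word") in ln]
    # 2. :N keeps the N-th matching line, counted from 0.
    if m.group("row") is not None:
        row = int(m.group("row"))
        lines = lines[row:row + 1]
    # 3. [N] keeps the N-th column, counted from 0. Splitting on whitespace
    #    is an assumption of this model.
    if m.group("col") is not None:
        col = int(m.group("col"))
        cells = [ln.split() for ln in lines]
        lines = [c[col] for c in cells if col < len(c)]
    return lines


if __name__ == "__main__":
    for line in ("pd 20~call", "pd 20~call:1", "pd 20~call[0]", "pd 20~call:0[0]"):
        cmd, spec = split_command(line)
        print(f"{line:18} -> {r2_grep(SAMPLE_PD, spec)}")
```

The [0] column of the matching rows is a list of offsets, which is the kind of output the iterators mentioned above consume.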