esil - Evaluable Strings Intermediate Language

NAME

ESIL — Evaluable Strings Intermediate Language

SYNOPSIS

ESIL (Evaluable Strings Intermediate Language) provides an abstract, stack-based format for representing CPU instruction semantics across various architectures, facilitating instruction emulation for analysis and debugging within the radare2 framework.

DESCRIPTION

Evaluable Strings Intermediate Language (ESIL) adopts a Forth-like syntax, offering a method to describe and emulate the behavior of machine instructions in a platform-agnostic manner. It is particularly useful in reverse engineering, allowing for cross-architecture binary analysis and exploitation through radare2.

At its core, ESIL is a stack-based language where operations manipulate values on a stack. Each CPU instruction gets translated into an ESIL expression that models its behavior. This abstraction layer allows radare2 to emulate code execution without actually running it, making it invaluable for analyzing untrusted binaries or understanding complex code flows.

SYNTAX

ESIL expressions use a series of operands and operations, manipulating values on an internal stack. These expressions are executed within an ESIL virtual machine (VM), enabling the simulation of CPU instructions’ effects on registers and memory.

The basic components of ESIL syntax are:

•

Uppercase words are special keywords that operate on the ESIL VM (e.g., POP, DUP, TRAP)

•

Lowercase words are register names that can be used for reading or writing through operations

•

Words starting with $ represent internal variables of the VM that are readonly (e.g., $z for zero flag)

•

Numbers can be in base 10 or hexadecimal (with 0x prefix)

•

Operations are separated by commas

•

Results are pushed onto the stack or written to registers/memory

The rest of keywords can be added or removed via ESIL or architecture plugins, but this document describes the common and standard ESIL commands.

USING ESIL IN RADARE2

Radare2 provides several ways to work with ESIL:

•

The ’e asm.esil=true’ option displays ESIL expressions alongside assembly instructions

•

The ’e emu.str=true’ option enables string emulation during analysis

•

The ’ae’ command family provides ways to evaluate and debug ESIL expressions

•

Visual mode offers ESIL debugging capabilities through VdE command

These features allow users to inspect register states, memory modifications, and operation flow without actually executing the binary code on the CPU.

ESIL COMMANDS

Radare2 leverages ESIL for detailed emulation of instruction execution, enabling users to step through instructions, inspect changes to registers and memory, and evaluate conditional logic in a controlled environment.

Here are the most commonly used ESIL-related commands:

ae [expr]

Evaluate an ESIL expression. Note that some expressions contain special characters that can be evaluated by the radare2 shell, so it’s better to prefix the command with a single quote ’ to skip that parsing.

aei

Initialize the ESIL VM state (required before emulation)

aeim

Initialize ESIL VM stack memory

aeip

Initialize ESIL program counter to current offset

aer

Show or modify ESIL registers

aes

ESIL Step: execute a single step in ESIL emulation

aeso

ESIL Step Over: perform a step over call instructions in ESIL emulation

aesu [addr]

ESIL Step Until: continue ESIL execution until a specified address is reached

aev [expr]

Enter the interactive visual debugger to debug and emulate an ESIL expression

Typical workflow for ESIL emulation:

aei # Initialize ESIL VM state
aeim # Initialize memory for ESIL VM
aeip # Set program counter to current address
aes # Start stepping through instructions

ESIL OPERATION CATEGORIES

The comma-separated words in an ESIL expression can be grouped into different categories:

Internal flags

Prefixed with ’$’, they represent internal states of the ESIL VM and are used to perform conditional operations:

•

$z - Zero flag: Set when result is zero

•

$c - Carry flag: Set when operation produces a carry

•

$b - Borrow flag: Set when operation requires a borrow

•

$p - Parity flag: Set when result has even parity

•

$s - Sign flag: Set when result is negative

•

$o - Overflow flag: Set when result overflows

•

$$ - Current address being executed

•

$ds, $jt, $js - Used for delay slots and jump targeting

Assignment operations

Pop value and destination from stack and perform assignment:

•

= : Strong assignment (updates flags)

•

:= : Weak assignment (no flag updates)

Arithmetic and binary operations

Basic math operations:

•

+ - Addition

•

- - Subtraction

•

* - Multiplication

•

L* - Long multiplication (128-bit result)

•

/ - Division

•

˜/ - Signed division

•

% - Modulo

•

˜% - Signed modulo

•

˜ - Sign extension

•

& - Bitwise AND

•

| - Bitwise OR

•

ˆ - Bitwise XOR

•

! - Logical NOT

•

<< - Left shift

•

>> - Right shift

•

<<< - Rotate left

•

>>> - Rotate right

•

<<<< - Arithmetic shift left

•

>>>> - Arithmetic shift right

Comparison operations

Compare values and set flags:

•

== - Equality comparison

•

< - Less than

•

<= - Less than or equal

•

> - Greater than

•

>= - Greater than or equal

Control flow

Conditional expressions and flow control:

•

?{ - If condition, execute next block if top of stack is non-zero

•

} - End of conditional block

•

}{ - Else statement

•

GOTO - Jump to specified location

•

BREAK - Stop execution

Memory access

Read from or write to memory:

•

Reading: [1], [2], [4], [8], [16] - Read 1, 2, 4, 8, or 16 bytes

•

Writing: =[1], =[2], =[4], =[8], =[16] - Write 1, 2, 4, 8, or 16 bytes

•

Combined: |=[2], +=[4], &=[4], --=[2] - Read-modify-write operations

•

Special: [*], =[*] - Variable size operations

Stack manipulation

Special operations to manage the ESIL stack:

•

STACK - Display stack contents

•

POP - Remove top value

•

DUP - Duplicate top value

•

NUM - Push number or register value

•

SWAP - Swap top two values

•

CLEAR - Empty the stack

Special operations

•

() - Syscall

•

$ - Hardware interrupt

•

#! - Execute radare2 command

•

TRAP - CPU trap

•

BITS - Change bits mode

Floating point operations

•

NAN - Check if value is Not-a-Number

•

I2D, U2D - Convert integer to double (signed, unsigned)

•

D2I - Convert double to integer

•

D2F, F2D - Convert between double and float

•

F==, F!=, F<, F<= - Floating point comparisons

•

F+, F-, F*, F/ - Floating point arithmetic

•

-F - Negate floating point value

•

CEIL, FLOOR, ROUND - Rounding operations

•

SQRT - Square root

UNDERSTANDING ESIL EXPRESSIONS

ESIL expressions are evaluated from left to right, with values being pushed onto or popped from a stack. The following examples demonstrate how common CPU instructions translate to ESIL:

mov eax, 0x3

Simply assigns the value 3 to register eax:

3,eax,=

add ebx, eax

Adds the value in eax to ebx and stores the result in ebx:

eax,ebx,+=

This is equivalent to the longer form:

eax,ebx,+,ebx,=

xor eax, eax

Performs XOR on eax with itself (effectively zeroing it):

eax,eax,ˆ=

mov byte [ebx], 0x3

Writes the value 3 to the memory address in ebx:

3,ebx,=[1]

test eax, eax

Sets flags based on eax value (primarily the zero flag):

eax,eax,&,zf,=

jz 0x123456

Jumps to address if zero flag is set:

zf,?{,0x123456,eip,=,}

VISUAL ESIL DEBUGGER

Radare2 provides a visual ESIL debugger that allows stepping through ESIL expressions to understand exactly how they work. This is accessed through the ’aev’ command or in visual mode with ’VdE’.

The visual ESIL debugger offers several advantages:

•

Step-by-step execution of ESIL expressions

•

Visualization of the stack after each operation

•

Inspection of register and flag changes

•

Memory access monitoring

•

Finer-grained control than regular ESIL emulation

When using the visual ESIL debugger, you can use the following controls:

Step forward one ESIL operation

Reset the ESIL VM state

Quit the debugger

This tool is particularly useful for understanding complex instructions or when debugging emulation issues.

PRACTICAL USAGE EXAMPLES

Here are some practical ways to use ESIL in radare2 for analysis and debugging:

Basic ESIL evaluation

To evaluate a simple ESIL expression:

[0x00000000]> ae 1,1,+
2

Step-by-step emulation

To emulate a function and see register changes:

[0x00000000]> aei # Initialize ESIL VM
[0x00000000]> aeim # Initialize memory
[0x00000000]> aeip # Set PC to current address
[0x00000000]> aes # Step one instruction
[0x00000000]> aer # View registers

ESIL debugging of an expression

To debug a complex ESIL expression using the visual debugger:

[0x00000000]> aev 1,5,+,eax,=

Conditional emulation

To emulate until a condition is met:

[0x00000000]> aecu 0x4000 # Continue until address 0x4000

R2WARS

A code-wars like game implemented on top of ESIL used in the r2con conference. Players write small programs that compete in a virtual arena, with the ESIL VM executing and evaluating their behavior.

More information: https://github.com/radareorg/r2wars

SEE ALSO

radare2(1)

WWW

https://www.radare.org/

AUTHORS

pancake <[email protected]> Jul 13, 2025 ESIL(7)

Updated 2026-06-01 - jenkler.se | uex.se