| pg[?][x y w h] [cmd] create new visual gadget or print it (see pg? for details)

| ph[?][=|hash] ([len]) calculate hash for a block

| pj[?] [len] print as indented JSON

| pm[?] [magic] print libmagic data (see pm? and /m?)

| po[?] hex print operation applied to block (see po?)

| pp[?][sz] [len] print patterns, see pp? for more help

| pq[?][is] [len] print QR code with the first Nbytes

| pr[?][glx] [len] print N raw bytes (in lines or hexblocks, 'g'unzip)

| ps[?][pwz] [len] print pascal/wide/zero-terminated strings

| pt[?][dn] [len] print different timestamps

| pu[?][w] [len] print N url encoded bytes (w=wide)

| pv[?][jh] [mode] show variable/pointer/value in memory

| pwd display current working directory

| px[?][owq] [len] hexdump of N bytes (o=octal, w=32bit, q=64bit)

| pz[?] [len] print zoom view (see pz? for help)

[0x00005310]>

Tip: when using json output, you can append the ~{} to the command to get a pretty-printed version of the output:

[0x00000000]> oj

[{"raised":false,"fd":563280,"uri":"malloc://512","from":0,"writable":true,"size":512,"overlaps":false}]

[0x00000000]> oj~{}

[

{

"raised": false,

"fd": 563280,

"uri": "malloc://512",

"from": 0,

"writable": true,

"size": 512,

"overlaps": false

}

]

For more on the magical powers of ~ see the help in ?@?, and the Command Format chapter earlier in the book.

px gives a user-friendly output showing 16 pairs of numbers per row with offsets and raw representations:

[0x00404888]> p8 16

31ed4989d15e4889e24883e4f0505449

Currently supported timestamp output modes are:

[0x00404888]> pt?

|Usage: pt [dn] print timestamps

| pt. print current time

| pt print UNIX time (32 bit `cfg.bigendian`) Since January 1, 1970

| ptd print DOS time (32 bit `cfg.bigendian`) Since January 1, 1980

| pth print HFS time (32 bit `cfg.bigendian`) Since January 1, 1904

| ptn print NTFS time (64 bit `cfg.bigendian`) Since January 1, 1601

For example, you can 'view' the current buffer as timestamps in the ntfs time:

[0x08048000]> e cfg.bigendian = false

[0x08048000]> pt 4

29:04:32948 23:12:36 +0000

[0x08048000]> e cfg.bigendian = true

[0x08048000]> pt 4

20:05:13001 09:29:21 +0000

As you can see, the endianness affects the result. Once you have printed a timestamp, you can grep the output, for example, by year:

[0x08048000]> pt ~1974 | wc -l

15

[0x08048000]> pt ~2022

27:04:2022 16:15:43 +0000

The default date format can be configured using the cfg.datefmt variable. Formatting rules for it follow the well known strftime(3) format. Check the manpage for more details, but these are the most important:

%a The abbreviated name of the day of the week according to the current locale.

%A The full name of the day of the week according to the current locale.

%d The day of the month as a decimal number (range 01 to 31).

%D Equivalent to %m/%d/%y. (Yecch—for Americans only).

%H The hour as a decimal number using a 24-hour clock (range 00 to 23).

%I The hour as a decimal number using a 12-hour clock (range 01 to 12).

%m The month as a decimal number (range 01 to 12).

%M The minute as a decimal number (range 00 to 59).

%p Either "AM" or "PM" according to the given time value.

%s The number of seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC). (TZ)

%S The second as a decimal number (range 00 to 60). (The range is up to 60 to allow for occasional leap seconds.)

%T The time in 24-hour notation (%H:%M:%S). (SU)

%y The year as a decimal number without a century (range 00 to 99).

%Y The year as a decimal number including the century.

%z The +hhmm or -hhmm numeric timezone (that is, the hour and minute offset from UTC). (SU)

%Z The timezone name or abbreviation.

There are print modes available for all basic types. If you are interested in a more complex structure, type pf?? for format characters and pf??? for examples:

[0x00499999]> pf??

|pf: pf[.k[.f[=v]]|[v]]|[n]|[0|cnt][fmt] [a0 a1 ...]

| Format:

| b byte (unsigned)

| B resolve enum bitfield (see t?)

| c char (signed byte)

| C byte in decimal

| d 0xHEX value (4 bytes) (see 'i' and 'x')

| D disassemble one opcode

| e temporally swap endian

| E resolve enum name (see t?)

| f float value (4 bytes)

| F double value (8 bytes)

| i signed integer value (4 bytes) (see 'd' and 'x')

| n next char specifies size of signed value (1, 2, 4 or 8 byte(s))

| N next char specifies size of unsigned value (1, 2, 4 or 8 byte(s))

| o octal value (4 byte)

| p pointer reference (2, 4 or 8 bytes)

| q quadword (8 bytes)

| r CPU register `pf r (eax)plop`

| s 32bit pointer to string (4 bytes)

| S 64bit pointer to string (8 bytes)

| t UNIX timestamp (4 bytes)

| T show Ten first bytes of buffer

| u uleb128 (variable length)

| w word (2 bytes unsigned short in hex)

| x 0xHEX value and flag (fd @ addr) (see 'd' and 'i')

| X show formatted hexpairs

| z null terminated string

| Z null terminated wide string

| ? data structure `pf ? (struct_name)example_name`

| * next char is pointer (honors asm.bits)

| + toggle show flags for each offset

| : skip 4 bytes

| . skip 1 byte

| ; rewind 4 bytes

| , rewind 1 byte

Use triple-question-mark pf??? to get some examples using print format strings.

[0x00499999]>

pf???

|pf: pf[.k[.f[=v]]|[v]]|[n]|[0|cnt][fmt] [a0 a1 ...]

| Examples:

| pf 3xi foo bar 3-array of struct, each

with named fields: 'foo' as hex, and 'bar' as int

| pf B (BitFldType)arg_name` bitfield type

| pf E (EnumType)arg_name` enum type

| pf.obj xxdz prev next size name Define the obj format as

xxdz

| pf obj=xxdz prev next size name Same as above

| pf *z*i*w nb name blob Print the pointers with

given labels

| pf iwq foo bar troll Print the iwq format with

foo, bar, troll as the respective names for the fields

| pf 0iwq foo bar troll Same as above, but