| /E esil-expr offset matching given esil expressions %%= here
| /f search forwards, command modifier, followed by other command
| /F file [off] [sz] search contents of file with offset and size
| /g[g] [from] find all graph paths A to B (/gg follow jumps, see search.count and anal.depth)
| /h[t] [hash] [len] find block matching this hash. See ph
| /i foo search for string 'foo' ignoring case
| /m magicfile search for matching magic file (use blocksize)
| /M search for known filesystems and mount them automatically
| /o [n] show offset of n instructions backward
| /O [n] same as /o, but with a different fallback if anal cannot be used
| /p patternsize search for pattern of given size
| /P patternsize search similar blocks
| /r[erwx][?] sym.printf analyze opcode reference an offset (/re for esil)
| /R [grepopcode] search for matching ROP gadgets, semicolon-separated
| /s search for all syscalls in a region (EXPERIMENTAL)
| /v[1248] value look for an `cfg.bigendian` 32bit value
| /V[1248] min max look for an `cfg.bigendian` 32bit value in range
| /w foo search for wide string 'f\0o\0o\0'
| /wi foo search for wide string ignoring case 'f\0o\0o\0'
| /x ff..33 search for hex string ignoring some nibbles
| /x ff0033 search for hex string
| /x ff43:ffd0 search for hexpair with mask
| /z min max search for strings of given size
Because everything is treated as a file in radare2, it does not matter whether you search in a socket, a remote device, in process memory, or a file.
Note that '/*' starts a multiline comment; it is not a search command. Type '*/' to end the comment.
A basic search for a plain text string in a file would be something like:
$ r2 -q -c "/ lib" /bin/ls
Searching 3 bytes from 0x00400000 to 0x0041ae08: 6c 69 62
hits: 9
0x00400239 hit0_0 "lib64/ld-linux-x86-64.so.2"
0x00400f19 hit0_1 "libselinux.so.1"
0x00400fae hit0_2 "librt.so.1"
0x00400fc7 hit0_3 "libacl.so.1"
0x00401004 hit0_4 "libc.so.6"
0x004013ce hit0_5 "libc_start_main"
0x00416542 hit0_6 "libs/"
0x00417160 hit0_7 "lib/xstrtol.c"
0x00417578 hit0_8 "lib"
As can be seen from the output above, radare2 generates a "hit" flag for every entry found. You can then use the ps command to see the strings stored at the offsets marked by the flags in this group, and they will have names of the form hit0_<index>:
[0x00404888]> / ls
...
[0x00404888]> ps @ hit0_0
lseek
You can search for wide-char strings (e.g., unicode letters) using the /w command:
[0x00000000]> /w Hello
0 results found.
To perform a case-insensitive search for strings use /i:
[0x0040488f]> /i Stallman
Searching 8 bytes from 0x00400238 to 0x0040488f: 53 74 61 6c 6c 6d 61 6e
[# ]hits: 004138 < 0x0040488f hits = 0
It is possible to specify hexadecimal escape sequences in the search string by prepending them with "\x":
[0x00000000]> / \x7FELF
If, instead, you are searching for a sequence of hexadecimal values, you are probably better off using the /x command:
[0x00000000]> /x 7F454C46
Once the search is done, the results are stored in the searches flag space.
[0x00000000]> fs
0 0 . strings
1 0 . symbols
2 6 . searches
[0x00000000]> f
0x00000135 512 hit0_0
0x00000b71 512 hit0_1
0x00000bad 512 hit0_2
0x00000bdd 512 hit0_3
0x00000bfb 512 hit0_4
0x00000f2a 512 hit0_5
To remove the "hit" flags once you no longer need them, use the f- hit* command.
Often, during long search sessions, you will need to launch the latest search more than once. You can use the // command to repeat the last search.
[0x00000f2a]> // ; repeat last search
The radare2 search engine can be configured through several configuration variables, modifiable with the e command.
e cmd.hit = x ; radare2 command to execute on every search hit
e search.distance = 0 ; search string distance
e search.in = [foo] ; specify search boundaries. Supported values are listed under e search.in=??
e search.align = 4 ; only show search results aligned by specified boundary.
e search.from = 0 ; start address
e search.to = 0 ; end address
e search.asmstr = 0 ; search for string instead of assembly
e search.flags = true ; if enabled, create flags on hits
The search.align variable is used to limit valid search hits to certain alignment. For example, with e search.align=4 you will see only hits found at 4-bytes aligned offsets.
The search.flags boolean variable instructs the search engine to flag hits so that they can be referenced later. If a running search is interrupted with the Ctrl-C keyboard sequence, the current search position is flagged with search_stop.
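To make the semantics of the commands and variables above concrete, here is a small, self-contained reimplementation of the string and hex search forms described in this chapter. It is an added example, not radare2's own search engine: the interpretation of '.' as a wildcard nibble in /x ff..33, of the pattern:mask form in /x ff43:ffd0 as a test of (byte & mask) == (pattern & mask), and of /w as interleaving a NUL after every byte are taken from the help text on this page; the hit<search>_<index> flag naming mirrors the output shown earlier. The SAMPLE buffer is constructed for the demonstration and comes from no real binary.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample buffer (not taken from any real binary): an ELF-like
# header, a NUL-terminated ASCII string, a UTF-16LE string and a few bytes
# that exercise the /x mask forms. Offsets are noted in the comments.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"                          # 0..7
    + b"lib64/ld-linux.so\x00"                          # 8..25
    + "Hello".encode("utf-16-le")                       # 26..35  'H\0e\0l\0l\0o\0'
    + b"\x00\xff\x43\x00\xff\xd3\x00\xff\x12\x33\x00"   # 36..46
)


def parse_hex_pattern(spec: str) -> Tuple[bytes, bytes]:
    """Turn a /x argument into (pattern, mask), following the three /x forms
    in the help text: 'ff0033' exact, 'ff..33' with '.' as a wildcard nibble,
    'ff43:ffd0' with an explicit binary mask after the colon."""
    if ":" in spec:
        pat_hex, mask_hex = spec.split(":", 1)
        pattern, mask = bytes.fromhex(pat_hex), bytes.fromhex(mask_hex)
        if len(pattern) != len(mask):
            raise ValueError("pattern and mask must be the same length")
        return pattern, mask
    if len(spec) % 2 or not re.fullmatch(r"[0-9a-fA-F.]+", spec):
        raise ValueError("need an even number of hex digits or '.' wildcards")
    pattern = bytes.fromhex("".join("0" if c == "." else c for c in spec))
    mask = bytes.fromhex("".join("0" if c == "." else "f" for c in spec))
    return pattern, mask


def string_pattern(text: str, wide: bool = False,
                   ignore_case: bool = False) -> Tuple[bytes, bytes]:
    """Build (pattern, mask) for '/ str', '/i str', '/w str' and '/wi str'.

    '\\x..' escapes are decoded, as for '/ \\x7FELF' on this page.
    Case folding is done with a mask rather than by lowercasing: upper and
    lower case ASCII letters differ only in bit 0x20, so clearing that bit
    in the mask at letter positions makes the byte compare case-insensitive.
    Wide mode interleaves a NUL after every byte ('/w foo' -> 'f\\0o\\0o\\0').
    """
    raw = text.encode("latin-1").decode("unicode_escape").encode("latin-1")
    pattern, mask = bytearray(), bytearray()
    for b in raw:
        is_letter = 0x41 <= (b & 0xDF) <= 0x5A
        pattern.append(b)
        mask.append(0xDF if ignore_case and is_letter else 0xFF)
        if wide:
            pattern.append(0x00)
            mask.append(0xFF)
    return bytes(pattern), bytes(mask)


def masked_search(buf: bytes, pattern: bytes, mask: bytes,
                  start: int = 0, end: Optional[int] = None,
                  align: int = 0) -> List[int]:
    """Offsets where (buf & mask) == (pattern & mask).

    start/end play the role of search.from/search.to; align plays the role
    of search.align (0 = off, N = keep only offsets that are multiples of N).
    """
    end = len(buf) if end is None else min(end, len(buf))
    want = bytes(p & m for p, m in zip(pattern, mask))
    hits = []
    for off in range(start, end - len(pattern) + 1):
        if align and off % align:
            continue
        window = buf[off:off + len(pattern)]
        if bytes(b & m for b, m in zip(window, mask)) == want:
            hits.append(off)
    return hits


class Searcher:
    """Runs the subset '/ str', '/i str', '/w str', '/wi str', '/x hex' and
    names hits hit<search>_<index>, the way the flags in this chapter are
    named (the first search gives hit0_*, the next hit1_*, and so on)."""

    def __init__(self, buf: bytes, align: int = 0):
        self.buf, self.align = buf, align
        self.search_no = 0
        self.flags: Dict[str, int] = {}     # stands in for the 'searches' flag space

    def run(self, cmd: str) -> Dict[str, int]:
        sub, _, arg = cmd.partition(" ")
        if sub == "/x":
            pattern, mask = parse_hex_pattern(arg)
        elif sub in ("/", "/i", "/w", "/wi"):
            pattern, mask = string_pattern(arg, wide="w" in sub,
                                           ignore_case="i" in sub)
        else:
            raise ValueError("unsupported search command: " + sub)
        offs = masked_search(self.buf, pattern, mask, align=self.align)
        names = {"hit%d_%d" % (self.search_no, i): o for i, o in enumerate(offs)}
        self.flags.update(names)
        self.search_no += 1
        return names


if __name__ == "__main__":
    s = Searcher(SAMPLE)
    for cmd in ("/ lib", "/x 7F454C46", "/x ff..33", "/x ff43:ffd0",
                "/w hello", "/wi hello"):
        print(cmd, "->", s.run(cmd))
```

Two details worth noticing when running it: '/w hello' finds nothing while '/wi hello' finds the UTF-16LE "Hello" at offset 26, which is the difference between /w and /wi; and '/x 00' returns eleven NUL bytes with alignment off but only offset 36 with align=4, which is what e search.align=4 does to a result set.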
The /p command applies a repeated-pattern search to the IO backend storage. It identifies repeated byte sequences without you having to specify them explicitly. The command's only parameter sets the minimum detectable pattern length. Here is an example:
[0x00000000]> /p 10
The output of this command shows the different patterns found and how many times each of them occurs.
The cmd.hit configuration variable is used to define a radare2 command to be executed when a matching entry is found by the search engine. If you want to run several commands, separate them with ;. Alternatively, you can arrange them in a separate script, and then invoke it as a whole with . script-file-name command. For example:
[0x00404888]> e cmd.hit = p8 8
[0x00404888]> / lib
Searching 3 bytes from 0x00400000 to 0x0041ae08: 6c 69 62
hits: 9
0x00400239 hit4_0 "lib64/ld-linux-x86-64.so.2"
31ed4989d15e4889
0x00400f19 hit4_1 "libselinux.so.1"
31ed4989d15e4889
0x00400fae hit4_2 "librt.so.1"
31ed4989d15e4889
0x00400fc7 hit4_3 "libacl.so.1"
31ed4989d15e4889
0x00401004 hit4_4 "libc.so.6"
31ed4989d15e4889
0x004013ce hit4_5 "libc_start_main"
31ed4989d15e4889
0x00416542 hit4_6 "libs/"
31ed4989d15e4889
0x00417160 hit4_7 "lib/xstrtol.c"
31ed4989d15e4889
0x00417578 hit4_8 "lib"
31ed4989d15e4889
Sometimes you want to find a keyword backwards, that is, before the current offset. To do this you can either seek back and search forward with suitable search.from/search.to restrictions, or use the /b command.
[0x100001200]> / nop
0x100004b15 hit0_0 .STUWabcdefghiklmnopqrstuvwxbin/ls.
0x100004f50 hit0_1 .STUWabcdefghiklmnopqrstuwx1] [file .
[0x100001200]> /b nop
[0x100001200]> s 0x100004f50
[0x100004f50]> /b nop
0x100004b15 hit2_0 .STUWabcdefghiklmnopqrstuvwxbin/ls.
[0x100004f50]>
Note that /b does the same as /, but backwards. So what if we want to use /x backwards? We can use /bx, and the same goes for the other search subcommands:
[0x100001200]> /x 90