There are many situations where we need to find a value inside a binary or in some specific regions. Use the e search.in=? command to choose where the / command may search for the given value.
| Command | Description |
|---|---|
| / foo\00 | Search for string ’foo\0’ |
| /b | Search backwards |
| // | Repeat last search |
| /w foo | Search for wide string ’f\0o\0o\0’ |
| /wi foo | Search for wide string ignoring case |
| /! ff | Search for first occurrence not matching |
| /i foo | Search for string ’foo’ ignoring case |
| /e /E.F/i | Match regular expression |
| /x a1b2c3 | Search for bytes; spaces and uppercase nibbles are allowed, same as /x A1 B2 C3 |
| /x a1..c3 | Search for bytes ignoring some nibbles (auto-generates mask, in this example: ff00ff) |
| /x a1b2:fff3 | Search for bytes with mask (specify individual bits) |
| /d 101112 | Search for a deltified sequence of bytes |
| /!x 00 | Inverse hexa search (find first byte != 0x00) |
| /c jmp [esp] | Search for asm code (see search.asmstr) |
| /a jmp eax | Assemble opcode and search its bytes |
| /A | Search for AES expanded keys |
| /r sym.printf | Analyze opcode reference an offset |
| /R | Search for ROP gadgets |
| /P | Show offset of previous instruction |
| /m magicfile | Search for matching magic file |
| /p patternsize | Search for pattern of given size |
| /z min max | Search for strings of given size |
| /v[?248] num | Look for a asm.bigendian 32bit value |
This feature has broken and not been resolved at the time of writing these words (Nov.16th 2020). check #Issue 6945: META - Project files and #Issue 17034 for more details.
To save your analysis for now, write your own script which records the function name, variable name, etc. for example:
vim sample_A.r2
e scr.utf8 = false
s 0x000403ce0
aaa
s fcn.00403130
afn return_delta_to_heapaddr
afvn iter var_04h
...
The ?$? command will display the variables that can be used in any math operation inside the r2 shell. For example, using the ? $$ command to evaluate a number or ?v to just the value in one format.
All commands in r2 that accept a number supports the use of those variables.
| Command | Description |
|---|---|
| $$ | here (current virtual seek) |
| $$$ | current non-temporary virtual seek |
| $? | last comparison value |
| $alias=value | alias commands (simple macros) |
| $b | block size |
| $B | base address (aligned lowest map address) |
| $f | jump fail address (e.g. jz 0x10 => next instruction) |
| $fl | flag length (size) at current address (fla; pD $l @ entry0) |
| $F | current function size |
| $FB | begin of function |
| $Fb | address of the current basic block |
| $Fs | size of the current basic block |
| $FE | end of function |
| $FS | function size |
| $Fj | function jump destination |
| $Ff | function false destination |
| $FI | function instructions |
| $c,$r | get width and height of terminal |
| $Cn | get nth call of function |
| $Dn | get nth data reference in function |
| $D | current debug map base address ?v $D @ rsp |
| $DD | current debug map size |
| $e | 1 if end of block, else 0 |
| $j | jump address (e.g. jmp 0x10, jz 0x10 => 0x10) |
| $Ja | get nth jump of function |
| $Xn | get nth xref of function |
| $l | opcode length |
| $m | opcode memory reference (e.g. mov eax,[0x10] => 0x10) |
| $M | map address (lowest map address) |
| $o | here (current disk io offset) |
| $p | getpid() |
| $P | pid of children (only in debug) |
| $s | file size |
| $S | section offset |
| $SS | section size |
| $v | opcode immediate value (e.g. lui a0,0x8010 => 0x8010) |
| $w | get word size, 4 if asm.bits=32, 8 if 64, ... |
| ${ev} | get value of eval config variable |
| $r{reg} | get value of named register |
| $k{kv} | get value of an sdb query value |
| $s{flag} | get size of flag |
| RNum | $variables usable in math expressions |