radare-doc 1:1.5.2-4 / usr / share / doc / radare-doc / html / Section3.5.5.html

This file is indexed.

/usr/share/doc/radare-doc/html/Section3.5.5.html is in radare-doc 1:1.5.2-4.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=US-ASCII">
<title>Strings</title>
<link rel="previous" href="Section3.5.4.html">
<link rel="ToC" href="contents.html">
<link rel="next" href="Section3.5.6.html">
</head>
<body>
<h1><a name="print-strings"></a>3.5.5 Strings</h1>
<p>
Strings are probably one of the most important entrypoints while starting to reverse engineer a program because they are usually referencing information about the functions actions ( asserts, debug or info messages, ...).
</p>
<p>
So it is important for radare to be able to print strings in multiple ways:
</p>
<pre><code>..p?..
 a : ascii                   (null)
 A : ascii printable         (null)
 z : ascii null terminated   (null)
 Z : wide ascii null end     (null)
 r : raw ascii               (null)
</code></pre>
<p>
Commands 'pa' and 'pA' are pretty similar, but 'pA' protects your console from strange non-printable characters. These two commands are restricted to the block size, so you will have to manually adjust the block size to get a nicer format. If the analyzed strings are zero-terminated or wide-chars, use 'z' or 'Z'.
</p>
<p>
Most common strings will be just zero-terminated ones. Here's an example by using the debugger to continue the execution of the program until it executes the 'open' syscall. When we recover the control over the process, we get the arguments passed to the syscall, pointed by <code>%ebx</code>. Which is obviously a zero terminated string.
</p>
<pre><code>[0x4A13B8C0]&gt; !contsc open
0x4a14fc24 syscall(5) open ( 0x4a151c91 0x00000000 0x00000000 ) = 0xffffffda
[0x4A13B8C0]&gt; !regs
  eax  0xffffffda    esi  0xffffffff    eip    0x4a14fc24
  ebx  0x4a151c91    edi  0x4a151be1    oeax   0x00000005
  ecx  0x00000000    esp  0xbfbedb1c    eflags 0x200246  
  edx  0x00000000    ebp  0xbfbedbb0    cPaZstIdor0 (PZI)
[0x4A13B8C0]&gt; 
[0x4A13B8C0]&gt; pz @ 0x4a151c91
/etc/ld.so.cache
</code></pre>
<p>
Finally, the 'pr' is used to raw print the bytes to stdout. These bytes can be redirected to a file by using the '&gt;' character:
</p>
<pre><code>[0x4A13B8C0]&gt; pr 20K &gt; file
[0x4A13B8C0]&gt; !!du -h file
20K     file
</code></pre>

<!-- version IDs:
$Id: radare.but 2009-04-25 pancake $
-->
</body>
</html>

APT Browse - Built by Thomas Orozco.