/usr/share/doc/radare-doc/html/Section3.5.5.html is in radare-doc 1:1.5.2-4.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=US-ASCII">
<title>Strings</title>
<link rel="previous" href="Section3.5.4.html">
<link rel="ToC" href="contents.html">
<link rel="next" href="Section3.5.6.html">
</head>
<body>
<h1><a name="print-strings"></a>3.5.5 Strings</h1>
<p>
Strings are probably one of the most important entry points when starting to reverse engineer a program, because they usually reference information about what the functions do (asserts, debug or info messages, ...).
</p>
<p>
So it is important for radare to be able to print strings in multiple ways:
</p>
<pre><code>..p?..
a : ascii (null)
A : ascii printable (null)
z : ascii null terminated (null)
Z : wide ascii null end (null)
r : raw ascii (null)
</code></pre>
<p>
The 'pa' and 'pA' commands are pretty similar, but 'pA' protects your console from strange non-printable characters. Both commands are restricted to the block size, so you will have to adjust the block size manually to get a nicer format. If the analyzed strings are zero-terminated or wide-char, use 'pz' or 'pZ'.
</p>
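<p>
The following Python sketch is an added example, not code from radare or its documentation. It approximates the block-limited, zero-terminated and wide modes described above on a constructed buffer; the function names are hypothetical and wide characters are assumed to be 16-bit little-endian.
</p>

```python
# Added illustration, not radare's code: approximates the print modes above.
# Function names are hypothetical; wide chars are assumed 16-bit little-endian.

def printable_block(block: bytes) -> str:
    """'pA'-like: render a fixed block, masking non-printable bytes as '.'."""
    return "".join(chr(b) if b in range(0x20, 0x7F) else "." for b in block)

def zero_terminated(buf: bytes, offset: int = 0) -> str:
    """'pz'-like: read from offset to the first NUL, whatever the block size."""
    end = buf.find(b"\x00", offset)
    if end == -1:  # no terminator found: stop at the end of the buffer
        end = len(buf)
    return printable_block(buf[offset:end])

def wide_zero_terminated(buf: bytes, offset: int = 0) -> str:
    """'pZ'-like: read 16-bit units until a 0x0000 unit ends the string."""
    out = bytearray()
    for i in range(offset, len(buf) - 1, 2):
        lo, hi = buf[i], buf[i + 1]
        if lo == 0 and hi == 0:
            break
        out.append(lo if hi == 0 else 0)  # non-ASCII unit becomes '.' below
    return printable_block(bytes(out))

# Constructed sample: a C string, ESC and BEL control bytes, a wide string.
SAMPLE = b"/etc/ld.so.cache\x00\x1b\x07" + "open".encode("utf-16-le") + b"\x00\x00"
WIDE_AT = 19  # offset of the wide string inside SAMPLE

if __name__ == "__main__":
    print(printable_block(SAMPLE[:8]))         # block size 8 cuts the path
    print(printable_block(SAMPLE[:24]))        # block size 24 runs past the NUL
    print(zero_terminated(SAMPLE))             # stops at the terminator
    print(zero_terminated(SAMPLE, WIDE_AT))    # wrong mode for a wide string
    print(wide_zero_terminated(SAMPLE, WIDE_AT))
```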
<p>
The most common strings are simply zero-terminated. Here is an example that uses the debugger to continue execution of the program until it executes the 'open' syscall. When we regain control of the process, we get the arguments passed to the syscall; the first one, pointed to by <code>%ebx</code>, is obviously a zero-terminated string.
</p>
<pre><code>[0x4A13B8C0]> !contsc open
0x4a14fc24 syscall(5) open ( 0x4a151c91 0x00000000 0x00000000 ) = 0xffffffda
[0x4A13B8C0]> !regs
eax 0xffffffda esi 0xffffffff eip 0x4a14fc24
ebx 0x4a151c91 edi 0x4a151be1 oeax 0x00000005
ecx 0x00000000 esp 0xbfbedb1c eflags 0x200246
edx 0x00000000 ebp 0xbfbedbb0 cPaZstIdor0 (PZI)
[0x4A13B8C0]>
[0x4A13B8C0]> pz @ 0x4a151c91
/etc/ld.so.cache
</code></pre>
<p>
Finally, 'pr' prints the raw bytes to stdout. These bytes can be redirected to a file by using the '>' character:
</p>
<pre><code>[0x4A13B8C0]> pr 20K > file
[0x4A13B8C0]> !!du -h file
20K file
</code></pre>
<!-- version IDs:
$Id: radare.but 2009-04-25 pancake $
-->
</body>
</html>