Searching for Bytes

The radare2 search engine is based on work done by esteve, plus multiple features implemented on top of it. It supports multiple keyword searches, binary masks, and hexadecimal values. It automatically creates flags at search hit locations to ease future referencing.

A search is initiated with the / command.

  [0x00000000]> /?
  |Usage: /[!bf] [arg]  Search stuff (see 'e??search' for options)
  |Use io.va for searching in non virtual addressing spaces
  | / foo\x00               search for string 'foo\0'
  | /j foo\x00              search for string 'foo\0' (json output)
  | /! ff                   search for first occurrence not matching, command modifier
  | /!x 00                  inverse hexa search (find first byte != 0x00)
  | /+ /bin/sh              construct the string with chunks
  | //                      repeat last search
  | /a jmp eax              assemble opcode and search its bytes
  | /A jmp                  find analyzed instructions of this type (/A? for help)
  | /b                      search backwards, command modifier, followed by other command
  | /B                      search recognized RBin headers
  | /c jmp [esp]            search for asm code matching the given string
  | /ce rsp,rbp             search for esil expressions matching
  | /C[ar]                  search for crypto materials
  | /d 101112               search for a deltified sequence of bytes
  | /e /E.F/i               match regular expression
  | /E esil-expr            offset matching given esil expressions %%= here
  | /f                      search forwards, command modifier, followed by other command
  | /F file [off] [sz]      search contents of file with offset and size
  | /g[g] [from]            find all graph paths A to B (/gg follow jumps, see search.count and anal.depth)
  | /h[t] [hash] [len]      find block matching this hash. See ph
  | /i foo                  search for string 'foo' ignoring case
  | /m magicfile            search for matching magic file (use blocksize)
  | /M                      search for known filesystems and mount them automatically
  | /o [n]                  show offset of n instructions backward
  | /O [n]                  same as /o, but with a different fallback if anal cannot be used
  | /p patternsize          search for pattern of given size
  | /P patternsize          search similar blocks
  | /r[erwx][?] sym.printf  analyze opcode reference an offset (/re for esil)
  | /R [grepopcode]         search for matching ROP gadgets, semicolon-separated
  | /s                      search for all syscalls in a region (EXPERIMENTAL)
  | /v[1248] value          look for an `cfg.bigendian` 32bit value
  | /V[1248] min max        look for an `cfg.bigendian` 32bit value in range
  | /w foo                  search for wide string 'f\0o\0o\0'
  | /wi foo                 search for wide string ignoring case 'f\0o\0o\0'
  | /x ff..33               search for hex string ignoring some nibbles
  | /x ff0033               search for hex string
  | /x ff43:ffd0            search for hexpair with mask
  | /z min max              search for strings of given size

Because everything is treated as a file in radare2, it does not matter whether you search in a socket, a remote device, in process memory, or a file.

Note that '/*' starts a multiline comment. It is not for searching. Type '*/' to end the comment.
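The three '/x' forms in the help above differ only in which bits of each byte must match. The Python sketch below is an added example, not radare2 source code; it models that matching rule on a constructed buffer. The function names and the sample bytes are made up for the illustration, and the sketch assumes the mask is exactly as long as the keyword.

```python
# Added illustration of the '/x' matching rules; not radare2's implementation.

def parse_hex_keyword(spec):
    """Turn 'ff0033', 'ff..33' or 'ff43:ffd0' into (keyword, mask) bytes."""
    pattern, _, mask_hex = spec.partition(":")
    if not pattern or len(pattern) % 2:
        raise ValueError("keyword needs an even, non-zero number of nibbles")
    if mask_hex:
        # Explicit form: keyword:mask, both written as plain hex.
        keyword, mask = bytes.fromhex(pattern), bytes.fromhex(mask_hex)
        if len(mask) != len(keyword):  # assumption made by this sketch
            raise ValueError("mask must be as long as the keyword")
        return keyword, mask
    # Nibble form: every '.' is a 4-bit wildcard, every hex digit must match.
    keyword = bytes.fromhex(pattern.replace(".", "0"))
    mask = bytes.fromhex("".join("0" if c == "." else "f" for c in pattern))
    return keyword, mask


def search(data, spec):
    """Return every offset where (data & mask) == (keyword & mask)."""
    keyword, mask = parse_hex_keyword(spec)
    want = bytes(k & m for k, m in zip(keyword, mask))
    size = len(keyword)
    hits = []
    for off in range(len(data) - size + 1):
        window = data[off:off + size]
        if all((b & m) == w for b, m, w in zip(window, mask, want)):
            hits.append(off)
    return hits


# Constructed sample buffer (not taken from any real binary).
SAMPLE = bytes.fromhex("90" "ff0033" "ff1233" "ff43" "ff53" "ff6f" "00")

if __name__ == "__main__":
    for spec in ("ff0033", "ff..33", "ff43:ffd0"):
        print(f"/x {spec:<10} ->", [hex(o) for o in search(SAMPLE, spec)])
```

With mask d0 on the second byte, bit 5 and the low nibble are ignored, so ff43 and ff6f both match while ff53 does not.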