Chapter 5: Searching bytes

The search engine of radare is based on the work done by esteve, with several features added on top of it: searching for multiple keywords at once, binary masks, and automatic flagging of results.

All of this is reached through one powerful command: '/'.

[0x00000000]> /?
 / \x7FELF      ; plain string search (supports \x).
 /. [file]      ; search using the token file rules
 /s [string]    ; strip strings matching optional string
 /x A0 B0 43    ; hex byte pair binary search.
 /k# keyword    ; keyword # to search
 /m# FF 0F      ; Binary mask for search '#' (optional)
 /a [opcode]    ; Look for a string in disasembly
 /A             ; Find expanded AES keys from current seek(*)
 /w foobar      ; Search a widechar string (f\0o\0o\0b\0..)
 /r 0,2-10      ; launch range searches 0-10
 /p len         ; search pattern of length = len
 /P count       ; search pattern with count bytes equal compared to curblock
 //             ; repeat last search

The search runs from the current seek to the end of the file, or to 'cfg.limit' if it is not 0. This lets you restrict a search to the region between two offsets of a file or of the process memory.
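
The following Python sketch is an added example, not radare's own code. It models what a masked multi-keyword search bounded by seek and limit computes. The function names, the reading of the limit as an absolute end offset, and the padding of short masks with 0xFF are assumptions of this sketch.

```python
# Added illustration, not radare's code: a small model of a masked,
# multi-keyword byte search bounded by a seek and a limit.

def parse_hex(pairs):
    """Turn hex byte pairs such as 'A0 B0 43' into bytes."""
    return bytes(int(p, 16) for p in pairs.split())

def masked_search(data, keywords, seek=0, limit=0):
    """Return sorted (offset, keyword_index) hits.

    keywords is a list of (keyword, mask) byte strings; mask may be None.
    The scan starts at `seek` and ends at the end of `data`, or at `limit`
    when limit != 0 (assumed here to be an absolute end offset).
    """
    end = len(data) if limit == 0 else min(limit, len(data))
    hits = []
    for idx, (kw, mask) in enumerate(keywords):
        if not kw:
            continue
        # Assumption: a missing or short mask is padded with 0xFF,
        # so unmasked positions must match exactly.
        mask = (mask or b"").ljust(len(kw), b"\xff")[:len(kw)]
        want = bytes(k & m for k, m in zip(kw, mask))
        # A hit must lie entirely inside [seek, end).
        for off in range(seek, end - len(kw) + 1):
            window = data[off:off + len(kw)]
            if bytes(b & m for b, m in zip(window, mask)) == want:
                hits.append((off, idx))
    return sorted(hits)

# Constructed sample buffer: ELF magic, padding, and two similar byte runs.
SAMPLE = (b"\x7fELF" + b"\x00" * 4 + bytes.fromhex("a0b043")
          + b"\x00" * 5 + bytes.fromhex("a0b14f") + b"\x00" * 3)

# Keyword 0 is an exact string; keyword 1 ignores the low nibble of its
# second byte and the whole third byte.
KEYWORDS = [(b"\x7fELF", None),
            (parse_hex("A0 B0 43"), parse_hex("FF F0 00"))]

if __name__ == "__main__":
    for off, idx in masked_search(SAMPLE, KEYWORDS):
        print("keyword %d hit at 0x%08x" % (idx, off))
    # Same search restricted to the region between offsets 4 and 16.
    print(masked_search(SAMPLE, KEYWORDS, seek=4, limit=16))
```

The mask lets one keyword cover a family of byte sequences, and a hit that would cross the limit is not reported.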

With radare everything is handled as a file; it doesn't matter whether it is a socket, a remote device, the process memory, etc.