11.6 Strings

The -z flag is used to list all the strings located in the section .rodata for ELF binaries, and .text for PE ones.

$ rabin -z /bin/ls
address=0x08059b08 offset=0x00011b08 size=00000037 type=A name=Try `%s --help' for more...
address=0x08059b30 offset=0x00011b30 size=00000031 type=A name=Usage: %s [OPTION]... [FILE]...

Using -zv we will get a simpler and more readable output.

$ rabin -zv /bin/ls
Memory address  File offset     Name
0x08059b08      0x00011b08      Try `%s --help' for more information.
0x08059b30      0x00011b30      Usage: %s [OPTION]... [FILE]...

Combined with -vv, rabin will look for strings within all non-exectable sections (not only .rodata) and print the string size as well as its encoding (Ascii, Unicode).

$ rabin -zvv /bin/ls
Memory address  File offset     Size            Type    Name
0x08048134      0x00000134      00000018        A       /lib/ld-linux.so.2
0x08048154      0x00000154      00000003        A       GNU
0x08048b5d      0x00000b5d      00000010        A       librt.so.1
0x08048b68      0x00000b68      00000014        A       __gmon_start__
0x08048b77      0x00000b77      00000019        A       _Jv_RegisterClasses
0x08048b8b      0x00000b8b      00000013        A       clock_gettime
0x08048b99      0x00000b99      00000015        A       libselinux.so.1

With -r all this information is converted to radare commands, which will create a flag space called "strings" filled with flags for all those strings. Furtheremore, it will redefine them as strings insted of code.

$ rabin -zr /bin/ls
fs strings
b 37 && f str.Try___s___help__for_more_information_ @ 0x08059b08
Cs 37 @ 0x08059b08
b 31 && f str.Usage___s__OPTION______FILE____ @ 0x08059b30
Cs 31 @ 0x08059b30