3.1 Seeking

The 's' command is used to seek. It takes a math expression as its argument, which can be built from shift operations, basic arithmetic and memory accesses.

The 's' (seek) command also accepts the characters '+', '-', '*' and '!' as arguments to act on the seek history.

[0x4A13B8C0]> s?
Usage: > s 0x128 ; absolute seek
       > s +33   ; relative seek
       > sn      ; seek to next opcode
       > sb      ; seek to opcode branch
       > sc      ; seek to call index (pd)
       > sx N    ; seek to code xref N
       > sX N    ; seek to data reference N
       > sS N    ; seek to section N (fmi: 'S?')
       > s-      ; undo seek
       > s+      ; redo seek
       > s*      ; show seek history
       > .s*     ; flag them all
       > s!      ; reset seek history

The '>' and '<' commands are used to seek into the file using a block-aligned base.

> >>>         ; seek 3 aligned blocks forward
> 3>          ; 3 times block-seeking
> s +30       ; seek 30 bytes forward from current seek
> s 0x300     ; seek at 0x300
> s [0x400]   ; seek to the address stored in the 4 byte dword at offset 0x400
> s 10+0x80   ; seek at 0x80+10

The 'sn' and 'sb' commands use the code analysis module to obtain information about the opcode at the current seek, and then seek to the next opcode (sn) or to the branch address it points to (sb).

[0x4A13B8C0]> :pd 1
0x4A13B8C0, mov eax, esp
[0x4A13B8C0]> sn              ; seek next opcode
[0x4A13B8C2]> :pd 1
0x4A13B8C2  call 0x4a13c000     
[0x4A13B8C2]> sb              ; seek to branch address
[0x4A13C000]> :pd 1
0x4A13C000, push ebp            
[0x4A13C000]> 

To query a math expression, evaluate it with the '?' command, giving the expression as the argument. The result is printed in hexadecimal, decimal, octal and binary.

> ? 0x100+200
0x1C8 ; 456d ; 710o ; 1100 1000
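
The seek expressions and history commands described in this section, modelled in Python as an added example (not radare's code and not part of the original text). It shows how 's [0x400]' or 's 10+0x80' resolves to an offset and how 's-', 's+' and 's!' act on the history. The Seeker class, the little-endian dword read, Python operator precedence and the two-stack history are assumptions of this model.

```python
import ast
import operator
import re
import struct
# Operators allowed in a seek expression: basic math and shifts.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.LShift: operator.lshift, ast.RShift: operator.rshift}

class Seeker:
    """Model of 's' over an in-memory buffer (hypothetical, not radare's code)."""
    def __init__(self, data):
        self.data, self.offset = data, 0
        self.undo, self.redo = [], []   # history used by 's-' and 's+'

    def _deref(self, match):
        # [expr] reads the 4-byte dword at that offset (little-endian assumed).
        addr = self.evaluate(match.group(1))
        if not 0 <= addr <= len(self.data) - 4:
            raise ValueError("dereference outside buffer: %#x" % addr)
        return str(struct.unpack_from("<I", self.data, addr)[0])

    def evaluate(self, expr):
        count = 1
        while count:                    # innermost [..] first, so nesting works
            expr, count = re.subn(r"\[([^\[\]]+)\]", self._deref, expr)
        return self._walk(ast.parse(expr.strip(), mode="eval").body)

    def _walk(self, node):
        # Accept integer constants and whitelisted operators only.
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](self._walk(node.left), self._walk(node.right))
        raise ValueError("unsupported expression")

    def seek(self, arg):
        if arg in ("-", "+"):           # undo / redo: move between the two stacks
            src, dst = (self.undo, self.redo) if arg == "-" else (self.redo, self.undo)
            if src:
                dst.append(self.offset)
                self.offset = src.pop()
        elif arg == "!":                # reset seek history
            self.undo, self.redo = [], []
        else:
            rel = arg.startswith("+")   # 's +30' is relative to the current seek
            target = self.evaluate(arg[1:] if rel else arg)
            self.undo.append(self.offset)
            self.offset = target + (self.offset if rel else 0)
            self.redo = []              # a fresh seek discards the redo list
        return self.offset
```

Because the evaluator walks the parsed expression and accepts only integers and the listed operators, input such as a function call is rejected instead of executed.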