5.1 Basic searchs

A basic search for a plain string in a whole file would be something like:

$ echo "/ lib" | radare -nv /bin/ls
001  0x00000135  hit0_0 lib/ld-linux.so.2
002  0x00000b71  hit0_1 librt.so.1__gmon_st
003  0x00000bad  hit0_2 libselinux.so.1_ini
004  0x00000bdd  hit0_3 libacl.so.1acl_exte
005  0x00000bfb  hit0_4 libc.so.6_IO_stdin_
006  0x00000f2a  hit0_5 libc_start_maindirf
$

As you can see, radare generates a 'hit' flag for each search result found. You you can just use the 'pz' command to visualize the strings at these offsets in this way:

[0x00000000]> / ls
...
[0x00000000]> pz @ hit0_0
lib/ld-linux.so.2

We can also search wide-char strings (the ones containing zeros between each letter) using the '/w' in this way:

[0x00000000]> /w Hello
0 results found.

It is also possible to mix hexadecimal scape sequences in the search string:

$ radare -u /dev/mem
[0x00000000]> / \x7FELF

But if you want to perform an hexadecimal search you will probably prefer an hexpair input with '/x':

[0x00000000]> /x 7F 45 4C 46

Once the search is done, the results are stored in the 'search' flag space.

[0x00000000]> fs search
[0x00000000]> f
0x00000135 512 hit0_0
0x00000b71 512 hit0_1
0x00000bad 512 hit0_2
0x00000bdd 512 hit0_3
0x00000bfb 512 hit0_4
0x00000f2a 512 hit0_5

To remove these flags, you can just use the 'f -hit*' command.

Sometimes while working long time in the same file you will need to launch the last search more than once and you will probably prefer to use the '//' command instead of typing all the string again.

[0x00000f2a]> //     ; repeat last search