5.5 Automatization

The cmd.hit eval variable defines a command that is executed each time the search engine reaches a hit. To run more than one command, join them with '&&', or use '. script-file-name' to include a file as a script.

For example:

[0x08048000]> eval cmd.hit = p8 8
[0x08048000]> / lib
6c 69 62 2f 6c 64 2d 6c 
001  0x00000155  hit0_0 lib/ld-linux
6c 69 62 72 74 2e 73 6f 
002  0x00013a25  hit0_1 librt.so.1c
6c 69 62 63 2e 73 6f 2e 
003  0x00013a61  hit0_2 libc.so.6st
6c 69 62 63 5f 73 74 61 
004  0x00013d6c  hit0_3 libc_start_m
6c 69 62 70 74 68 72 65 
005  0x00013e13  hit0_4 libpthread.s
6c 69 62 2f 6c 64 2d 6c 
006  0x00013e24  hit0_5 lib/ld-linux
6c 69 62 6c 69 73 74 00 
read err at 0x0001542c
007  0x00014f22  hit0_6 liblist.gnu

A simple and practical use of cmd.hit is replacing some bytes with others by setting 'wx ..' in cmd.hit. This example shows how to drop the selinux dependency from binaries compiled on selinux-enabled distributions, so that the dynamic ELF runs on other systems without selinux:

$ for file in bin/* ; do \
    echo "/ libselinux" | radare -nvwe "cmd.hit=wx 00" "$file" ; \
  done

This shell command runs radare on each target binary, searching for the string 'libselinux'. It ignores the user preferences with '-n', drops verbosity with '-v' and enables write mode with '-w'. It then sets the 'cmd.hit' variable to run a 'wx 00' command, which truncates the 'libselinux' string to zero length. This way the loader ignores the library because of its null name.
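
The per-hit hook described in this section can be modelled in a few lines of Python. This is an added example, not radare code: search(), p8_8(), wx_00(), c_string() and the SAMPLE buffer are names and data constructed here to mirror the 'p8 8' and 'wx 00' sessions above.

```python
# Added illustration (not radare code): a byte search that runs a callback at
# every hit, the way cmd.hit runs a command with the seek set to the hit.

def search(buf, needle, on_hit):
    """Call on_hit(buf, offset) for each occurrence of needle; return results."""
    results = []
    pos = buf.find(needle)
    while pos != -1:
        results.append((pos, on_hit(buf, pos)))
        pos = buf.find(needle, pos + 1)
    return results

def p8_8(buf, off):
    """Like 'p8 8': hex dump of the 8 bytes at the hit."""
    return buf[off:off + 8].hex(" ")

def wx_00(buf, off):
    """Like 'wx 00': overwrite the single byte at the hit with 0x00."""
    old = buf[off]
    buf[off] = 0x00
    return old

def c_string(buf, off):
    """Read the NUL-terminated string that starts at off."""
    end = buf.index(0, off)
    return bytes(buf[off:end])

# Constructed sample: a fragment shaped like a table of NUL-terminated names.
SAMPLE = b"\x00libselinux.so.1\x00libc.so.6\x00"

def demo():
    buf = bytearray(SAMPLE)
    dumped = search(buf, b"libselinux", p8_8)    # read-only pass
    patched = search(buf, b"libselinux", wx_00)  # write pass
    return dumped, patched, c_string(buf, 1), c_string(buf, 17), bytes(buf)

if __name__ == "__main__":
    print(demo())
```

Only one byte per hit changes and the file length stays the same, so the rest of the name ('ibselinux.so.1') remains in the patched data. The search is a raw byte match, so every occurrence of the pattern is patched, whatever it belongs to.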