TransWikia.com

Find reference to string in radare2

Reverse Engineering Asked on May 27, 2021

In this crackme solution first the strings are found:

$ rabin2 -z crackserial_linux

addr=0x00000aa0 off=0x00000aa0 ordinal=000 sz=7 len=7 section=.rodata type=A string=User:
addr=0x00000aa7 off=0x00000aa7 ordinal=001 sz=11 len=11 section=.rodata type=A string=Password:
addr=0x00000ab2 off=0x00000ab2 ordinal=002 sz=10 len=10 section=.rodata type=A string=Good job!
addr=0x00000abc off=0x00000abc ordinal=003 sz=10 len=10 section=.rodata type=A string=Try again

after that referenced for “Good job” are looked for.

$ radare2 crackserial_linux

 -- How about a nice game of chess?
[0x080488c4]> /c ab2
f hit_0 @ 0x08048841   # 5: push 0x8048ab2
[0x080488c4]>

I tried the same thing, but for me is not working:

$ r2 crackserial_linux
[0x080488d0]> !!rabin2 -z crackserial_linux
[strings]
addr=0x08048d80 off=0x00000d80 ordinal=000 sz=7 section=.rodata string=User:
addr=0x08048d87 off=0x00000d87 ordinal=001 sz=9 section=.rodata string=Serial:
addr=0x08048d90 off=0x00000d90 ordinal=002 sz=10 section=.rodata string=Good job!
addr=0x08048d9a off=0x00000d9a ordinal=003 sz=10 section=.rodata string=Try again

4 strings
[0x080488d0]> /c d90
[0x080488d0]> 

By the way, why are the strings in my case at different locations?

2 Answers

Update:

As commented by Daniel W Crompton the /c command has been reassigned to crypto stuff use axt to find references.

[0x140035bf0]> !radare2 -v
radare2 4.3.1 6 @ windows-x86-64 git.4.3.1
commit: 54ac837b5503f10f91e2069ac357791f7a3e635a build: Fri 03/06/2020__15:52:24.93
[0x140035bf0]> /c?
Usage: /c   Search for crypto materials
| /ca                 Search for AES keys expanded in memory
| /cc[algo] [digest]  Find collisions (bruteforce block length values until given checksum is found)
| /cd                 Search for ASN1/DER certificates
| /cr                 Search for ASN1/DER private keys (RSA and ECC)

Original:

Judging from the several posts you made recently it appears you do not have a proper installation may be you should try uninstalling and reinstalling the radare2 package

The commend per se seems to work correctly for me here:

radare2-w32-0.9.9> cat xxxhelloworld.cpp

#include <stdio.h>
int main (void) {
  printf("hello worldn");
  return 0;
}

radare2-w32-0.9.9> radare2 xxxhelloworld.exe
[0x00401347]> iz~hello world  
    vaddr=0x0041218c paddr=0x0001118c ordinal=000 sz=13 len=12 section=.rdata type=a string=hello worldn    

/c uses pattern matching using 1118c wont give you any results using 18c will spew a lot of results think about it before asking why (that is one of the drawbacks of following tuts blindly your /d90 or /ab2 are falling in this category )

Lets search for xrefs to the virtual address

[0x00401347]> /c 41218c
0x00401003   # 5: push 0x41218c

Disassemble around the hit

[0x00401347]> pd 5 @0x401000
           ;-- section..text:
           0x00401000    55             push ebp               ; 
           0x00401001    8bec           mov ebp, esp
           ;-- hit0_0:
           0x00401003    688c214100     push str.hello_world_n ; "hello world."
           0x00401008    e807000000     call 0x401014 ;0x00401014(unk, unk)
           0x0040100d    83c404         add esp, 4

Correct answer by blabb on May 27, 2021

Also axt:

Use like axt @ hello_world_n gives you the reference.

Answered by Maijin on May 27, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP