14

In this crackme solution, first the strings are found:

    $ rabin2 -z crackserial_linux
    addr=0x00000aa0 off=0x00000aa0 ordinal=000 sz=7 len=7 section=.rodata type=A string=User:
    addr=0x00000aa7 off=0x00000aa7 ordinal=001 sz=11 len=11 section=.rodata type=A string=Password:
    addr=0x00000ab2 off=0x00000ab2 ordinal=002 sz=10 len=10 section=.rodata type=A string=Good job!
    addr=0x00000abc off=0x00000abc ordinal=003 sz=10 len=10 section=.rodata type=A string=Try again

After that, references to "Good job" are looked for:

    $ radare2 crackserial_linux
     -- How about a nice game of chess?
    [0x080488c4]> /c ab2
    f hit_0 @ 0x08048841   # 5: push 0x8048ab2
    [0x080488c4]>

I tried the same thing, but for me it's not working:

    $ r2 crackserial_linux
    [0x080488d0]> !!rabin2 -z crackserial_linux
    [strings]
    addr=0x08048d80 off=0x00000d80 ordinal=000 sz=7 section=.rodata string=User:
    addr=0x08048d87 off=0x00000d87 ordinal=001 sz=9 section=.rodata string=Serial:
    addr=0x08048d90 off=0x00000d90 ordinal=002 sz=10 section=.rodata string=Good job!
    addr=0x08048d9a off=0x00000d9a ordinal=003 sz=10 section=.rodata string=Try again

    4 strings
    [0x080488d0]> /c d90
    [0x080488d0]>

By the way, why are the strings in my case at different locations?

1
  • "/c uses pattern matching, using 1118c won't give you any results, using 18c will spew a lot of results, think about it before asking why." Why? Is that because of PIE and is related to virtual memory? Commented Jul 19, 2017 at 6:42

2 Answers

8

Update:

As commented by Daniël W. Crompton, the /c command has been reassigned to crypto stuff, use axt to find references.

    [0x140035bf0]> !radare2 -v
    radare2 4.3.1 6 @ windows-x86-64 git.4.3.1
    commit: 54ac837b5503f10f91e2069ac357791f7a3e635a build: Fri 03/06/2020__15:52:24.93
    [0x140035bf0]> /c?
    Usage: /c Search for crypto materials
    | /ca Search for AES keys expanded in memory
    | /cc[algo] [digest] Find collisions (bruteforce block length values until given checksum is found)
    | /cd Search for ASN1/DER certificates
    | /cr Search for ASN1/DER private keys (RSA and ECC)

Original:

Judging from the multitude of posts you made recently, it appears you do not have a proper installation. Maybe you should try uninstalling and reinstalling the radare2 package.

The command per se seems to work correctly for me here:

    radare2-w32-0.9.9> cat xxx\helloworld.cpp
    #include <stdio.h>
    int main (void) {
        printf("hello world\n");
        return 0;
    }
    radare2-w32-0.9.9> radare2 xxx\helloworld.exe
    [0x00401347]> iz~hello world
    vaddr=0x0041218c paddr=0x0001118c ordinal=000 sz=13 len=12 section=.rdata type=a string=hello world\n

/c uses pattern matching, using 1118c won't give you any results, using 18c will spew out a lot of results. Think about it before asking why (that is one of the drawbacks of following tuts blindly. Your /d90 or /ab2 are falling into this category).

Let's search for xrefs to the virtual address:

    [0x00401347]> /c 41218c
    0x00401003   # 5: push 0x41218c

Disassemble around the hit:

    [0x00401347]> pd 5 @0x401000
                ;-- section..text:
                0x00401000    55             push ebp ;
                0x00401001    8bec           mov ebp, esp
                ;-- hit0_0:
                0x00401003    688c214100     push str.hello_world_n ; "hello world."
                0x00401008    e807000000     call 0x401014 ;0x00401014(unk, unk)
                0x0040100d    83c404         add esp, 4
1
  • 1
    The /c command no longer works for this; it's now used for crypto. axt continues to work. Commented Apr 1, 2020 at 9:47
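
The following sketch is an added example, not code from the question or answers. It reuses the instruction bytes and the vaddr/paddr values from the listing in the answer above to show why a search with the string's virtual address finds the `push`, while the file offset (paddr) never appears as an operand. The function and constant names are hypothetical, and the scan is a byte-pattern heuristic, not how radare2 implements its searches.

```python
import struct

# Bytes of the five instructions shown in the `pd 5 @0x401000` listing above.
CODE_BASE = 0x00401000
CODE = bytes.fromhex("55" "8bec" "688c214100" "e807000000" "83c404")

STR_VADDR = 0x0041218C  # vaddr reported by iz for "hello world\n"
STR_PADDR = 0x0001118C  # paddr (file offset) of the same string

# One-byte x86-32 opcodes that are followed directly by a 32-bit immediate.
IMM32_OPCODES = {0x68: "push"}
IMM32_OPCODES.update({0xB8 + reg: "mov" for reg in range(8)})


def find_imm32_refs(code, base, target):
    """Return [(insn_addr, mnemonic)] for instructions whose imm32 == target.

    Looks for the little-endian encoding of `target` and checks that the
    byte in front of it is an opcode that takes a 32-bit immediate.
    """
    needle = struct.pack("<I", target)
    hits = []
    pos = code.find(needle)
    while pos != -1:
        if pos > 0 and code[pos - 1] in IMM32_OPCODES:
            hits.append((base + pos - 1, IMM32_OPCODES[code[pos - 1]]))
        pos = code.find(needle, pos + 1)
    return hits


def report(label, target):
    """Print the references found for one candidate address and return them."""
    hits = find_imm32_refs(CODE, CODE_BASE, target)
    for addr, mnem in hits:
        print(f"{label} 0x{target:08x}: 0x{addr:08x}  {mnem} 0x{target:x}")
    if not hits:
        print(f"{label} 0x{target:08x}: no references")
    return hits


if __name__ == "__main__":
    report("vaddr", STR_VADDR)  # the address the code actually embeds
    report("paddr", STR_PADDR)  # a file offset is never an instruction operand
```
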
11

Also axt:

Using it like axt @ hello_world_n gives you the reference.

2
  • 2
    axt seems to take only an address as input, not a string. I was able to coax axt to print a xref with axt str.hello_world_n in the hello world.exe, but many other exes fail to find the xrefs. Commented Dec 22, 2015 at 13:36
  • 1
    Yes, you give the command a flag, aka an address. To find more xrefs, use aar. aaa includes aar. r2 -A bin.exe is the same as aaa. Commented Dec 22, 2015 at 14:17
