Examining memory in radare2

Question

How can I examine a memory address in radare2 using registers? I would like to achive what this command does in gdb: x/s $ebp+0x4

blabb · Accepted Answer · 2015-12-18T13:20:16.710

4

[0x080495e0]> x/8x @0x80483d0
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x080483d0  7275 6e20 6173 202e                      run as .
[0x080495e0]> x/8s @0x80483d0
run as ./prog a_number (e.g. ./prog 90)
good.
bad.
[0x080495e0]>

radare2 -d xxxx\calc.exe

[0x7c999712]> dr ebp
0x0007fd14
[0x7c999712]> x/16x @ebp+0x48
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0007fd5c  7d4c 5480 0000 0000 3400 00c0 a8a0 128a  }LT.....4.......
[0x7c999712]> x/s @ebp+0x48
}LT
4
[0x7c999712]>

edited Dec 18 '15 at 13:20

answered Dec 18 '15 at 11:44

blabb

16,376
1
15
30

Can not be used the register itself instead of the concrete address? – robert Dec 18 '15 at 12:06

score 3 · Answer 2 · answered Dec 20 '15 at 12:51

You can use register names as offset of course.

jvoisin@kaa 13:48 ~ r2 -d /bin/ls
Process with PID 3963 started...
Attached debugger to pid = 3963, tid = 3963
Debugging pid = 3963, tid = 3963 now
Using BADDR 0x400000
Assuming filepath /bin/ls
bits 64
Attached debugger to pid = 3963, tid = 3963
 -- I did it for the pwnz.
[0x7fc7e0a02cd0]> db main
[0x7fc7e0a02cd0]> dc
hit breakpoint at: 4028a0
Debugging pid = 3963, tid = 1 now
[0x004028a0]> px 8 @ rsp
- offset -       0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x7ffc0cb65198  40ba 22e0 c77f 0000                      @.".....        
[0x004028a0]> px 8 @ rsp + 4
- offset -       0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x7ffc0cb6519c  c77f 0000 7852 b60c                      ....xR..        
[0x004028a0]>

Feel free to check the output of p? if you want to dump the data as strings/numbers/float/timestamps/hexdump/…

score 1 · Answer 3 · answered Jul 29 '19 at 21:54

In addition to previous answers, you can also review memory via Visual panel (or just via Visual mode).

drr        ; to show register values
s rcx      ; for example, we're going to review address which is stores in rcx
V!         ; Open visual pannels
Press `m`  ; to select the menu panel
View -> Hexdump

You will see a new hex dump pannel. Just press Enter to open this panel in Zoom mode (Fullscreen).

Note 0: You can go through pannels by tab.

Note 1: To seek back - use shift + : to open console abd s- to seek back.

Examining memory in radare2

3 Answers3