
radare2 can list all strings with iz, and list all functions with afl. How can I use radare2 to list the XREFs for each string? That is, for each string, which funcs reference it?

I'd like to be able to do this for all strings and also for select strings (one by one).

Likewise: How can I find xrefs (call sites) to a given func? E.g. "Show me all funcs (or addresses) that call sym.imp.system"?

  • axt @sym.imp.system will give you all addresses that reference that import
    – shluvme
    Commented Dec 29, 2023 at 4:33

1 Answer

[0x140012e60]> ps @ 0x1400143f8
Usage: r2 -c '!*r2p x' # run commands via r2pipe

[0x140012e60]> axt 0x1400143f8
main 0x140001253 [DATA] lea rdx, str.Usage:_r2__c__r2p_x__run_commands_via_r2pipe_n
[0x140012e60]> pd 6 @ 0x140001253-10
|           0x140001249      00ff           add bh, bh
|           0x14000124b      1500300100     adc eax, 0x13000
|           0x140001250      488bc8         mov rcx, rax               ; int64_t arg1
|           0x140001253      488d159e3101.  lea rdx, str.Usage:_r2__c__r2p_x__run_commands_via_r2pipe_n ; 0x1400143f8 ; "Usage: r2 -c '!*r2p x' # run commands via r2pipe\n" ; int64_t arg2
|           0x14000125a      e8b1fdffff     call fcn.140001010
|           0x14000125f      c74424600100.  mov dword [var_60h], 1
[0x140012e60]>  

                                                    

similar answer here

Edit:

Type ps? for help on ps.
Any command in radare2, if appended with a ? (question mark), will print its usage help.

C:\>r2 -qq -c "ps?;q" -
Usage: ps[bijqpsuwWxz+] [N]  Print String
| ps       print string
| ps+[j]   print libc++ std::string (same-endian, ascii, zero-terminated)
| psb      print strings in current block
| psi      print string inside curseek
| psj      print string in JSON format
| psp[j]   print pascal string
| psq      alias for pqs
| pss      print string in screen (wrap width)
| psu[zj]  print utf16 unicode (json)
| psw[j]   print 16bit wide string
| psW[j]   print 32bit wide string
| psx      show string with escaped chars
| psz[j]   print zero-terminated string

So ps prints a string.

So search for an arbitrary string inside the binary whose address we would like to look up references to.
(Do not ask what iz~6 does below; learn it yourself.)

C:\>r2 -qq -c "iz~:6;q" f:\radare2\bin\radare2.exe
3   0x000131f8 0x1400143f8 49  50   .rdata  ascii   Usage: r2 -c '!*r2p x' # run commands via r2pipe\n

So the file address of an arbitrary string inside the arbitrary binary is 0x000131f8,
and the virtual address of the arbitrary string inside the arbitrary binary is 0x1400143f8.

We are trying to find whether any xrefs exist to this address using the command axt.
(To learn by yourself, do a? b? c? d? to see what commands and subcommands exist.)

C:\>r2 -qq -c "axt?;q" -
Usage: axt[?gq*]  find data/code references to this address
| axtj [addr]  find data/code references to this address and print in json format
| axtg [addr]  display commands to generate graphs according to the xrefs
| axtq [addr]  find and list the data/code references in quiet mode
| axt* [addr]  same as axt, but prints as r2 commands

So axt address will show whether any xrefs exist.

Let's learn something new here.
(Try to learn why I am not using the address as shown above.
What is the backtick doing and, more importantly, where can you find it using ? in radare2 help?
What do the [] (square brackets) do?
How does the whole thing get magically converted to an apparent address?)

[0x140012e60]> axt `iz~:6[2]`
main 0x140001253 [DATA] lea rdx, str.Usage:_r2__c__r2p_x__run_commands_via_r2pipe_n
[0x140012e60]>  
  • Thank you. Can you please explain what each of those three commands does, so that I can learn? Especially what is the point of the first ps, which just seems to display a usage message. Commented Dec 31, 2021 at 16:17
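
The per-string listing asked about in the question, scripted over r2pipe as an added example (not code from the question or the answer): it runs izj once, then axtj for each string address, and reuses the same lookup for call sites of a flag such as sym.imp.system. The JSON field names and the second sample string are assumptions, and the sample data is constructed from the addresses shown in the answer so the script also runs without radare2 installed.

```python
# Constructed stand-ins for r2's JSON output, using the addresses shown in the answer.
# Field names (vaddr, string, from, type, fcn_name) are assumed from izj/axtj output.
SAMPLE = {
    "izj": [
        {"vaddr": 0x1400143f8, "paddr": 0x131f8,
         "string": "Usage: r2 -c '!*r2p x' # run commands via r2pipe\n"},
        {"vaddr": 0x140014500, "paddr": 0x13300, "string": "unreferenced"},  # constructed
    ],
    "axtj @ 0x1400143f8": [
        {"from": 0x140001253, "type": "DATA", "fcn_name": "main"},
    ],
}

def fake_cmdj(command):
    """Offline replacement for r2pipe's cmdj(); an empty list means no xrefs."""
    return SAMPLE.get(command, [])

def xrefs_to(cmdj, target):
    """Run axtj on an address (int) or a flag name such as 'sym.imp.system'."""
    where = hex(target) if isinstance(target, int) else target
    refs = cmdj(f"axtj @ {where}") or []  # cmdj can return None on empty output
    # A reference outside any analysed function has no fcn_name.
    return [(r.get("fcn_name", "?"), r["from"], r.get("type", "?")) for r in refs]

def string_xrefs(cmdj, needle=None):
    """Map string vaddr -> (text, xrefs); needle limits it to matching strings."""
    result = {}
    for s in cmdj("izj") or []:
        if needle is not None and needle not in s["string"]:
            continue
        result[s["vaddr"]] = (s["string"], xrefs_to(cmdj, s["vaddr"]))
    return result

def main(path):
    import r2pipe  # requires radare2 plus `pip install r2pipe`
    r2 = r2pipe.open(path)
    r2.cmd("aaa")  # xrefs only exist after analysis has run
    for vaddr, (text, refs) in string_xrefs(r2.cmdj).items():
        for fcn, src, kind in refs:
            print(f"{vaddr:#x} {text!r} <- {fcn} @ {src:#x} [{kind}]")
    for fcn, src, kind in xrefs_to(r2.cmdj, "sym.imp.system"):
        print(f"sym.imp.system <- {fcn} @ {src:#x} [{kind}]")
    r2.quit()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        print(string_xrefs(fake_cmdj))
```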
