It is possible to print various packed data types in a single line using the 'pm' command (print memory). Here's the help and some examples:
[0x4A13B8C0]> pm
Usage: pm [times][format] [arg0 arg1]
Example: pm 10xdz pointer length string
Example: pm {array_size}b @ array_base
Example: pm x[foo]b @ esp
e - little endian
E - big endian
f - float value
b - one byte
B - show 10 first bytes of buffer
d - %d integer value (4 bytes)
D - double value (4 bytes)
q - quadword (8 bytes)
x - 0x%08x hexadecimal value
X - 0x%08x hexadecimal value and flag (fd @ addr)
z - \0 terminated string
Z - \0 terminated wide string
s - pointer to string
t - unix timestamp string
* - next char is pointer
. - skip 1 byte
: - skip 4 bytes
{}- used to eval math expressions to repeat next fmt char
[]- used to nest format structures registered with 'am'
%1,%2,%4,%8 - type size (default is asm.bits/8)
NOTE: Use 'am' command to register inner structs
The simplest use looks like this:
[0xB7F08810]> pm xxs @ esp
0xbf8614d4 = 0xb7f22ff4
0xbf8614d8 = 0xb7f16818
0xbf8614dc = 0xbf8614dc -> 0x00000000 /etc/ld.so.cache
This is sometimes useful for looking at the arguments passed to a function: give the format string as the argument and temporarily change the current seek with the '@' token.
It is also possible to define arrays of structures with 'pm'. Just prefix the format string with a numeric value.
You can also name each field of the structure by passing the names as optional arguments after the format string, separated by spaces.
[0x4A13B8C0]> pm 2xw pointer type @ esp
0xbf87d160 [0] {
pointer : 0xbf87d160 = 0x00000001
type : 0xbf87d164 = 0xd9f3
}
0xbf87d164 [1] {
pointer : 0xbf87d164 = 0xbf87d9f3
type : 0xbf87d168 = 0x0000
}
If you want to store this information as metadata for the binary file, use the same arguments with Cm instead of pm. To keep all the metadata gathered while analyzing, save the project with the 'Ps <filename>' command and later run radare -p project-file to restore the session. Read the 'projects' section for more information.
A practical example for using pm on a binary GStreamer plugin:
$ radare ~/.gstreamer-0.10/plugins/libgstflumms.so
[0x000028A0]> seek sym.gst_plugin_desc
[0x000185E0]> pm iissxsssss major minor name desc _init version \
license source package origin
major : 0x000185e0 = 0
minor : 0x000185e4 = 10
name : 0x000185e8 = 0x000185e8 flumms
desc : 0x000185ec = 0x000185ec Fluendo MMS source
_init : 0x000185f0 = 0x00002940
version : 0x000185f4 = 0x000185f4 0.10.15.1
license : 0x000185f8 = 0x000185f8 unknown
source : 0x000185fc = 0x000185fc gst-fluendo-mms
package : 0x00018600 = 0x00018600 Fluendo MMS source
origin : 0x00018604 = 0x00018604 http://www.fluendo.com
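
To show how a format string walks over packed bytes, the following Python code is an added example, not radare's own code. It decodes a buffer using the format characters b, d, x, q, s, z, '.' and ':' plus a leading repeat count, as described in the help text above. The function name pm_decode, the base address and the sample buffer are assumptions constructed for the example, and it uses 'd' for the integer fields because the 'i' seen in the session above is not in the help listing.

```python
import struct
# Added example: sizes follow the pm help text above (d/x = 4 bytes, q = 8).
FIXED = {"b": (1, "B"), "d": (4, "i"), "x": (4, "I"), "q": (8, "Q")}
SKIP = {".": 1, ":": 4}

def cstring(mem, off):
    """Return the NUL-terminated string at offset off, or None if out of range."""
    if not 0 <= off < len(mem):
        return None
    end = mem.find(b"\0", off)
    return mem[off:end if end != -1 else len(mem)].decode("ascii", "replace")

def pm_decode(mem, base, fmt, names=(), little=True):
    """Decode mem (assumed mapped at address base) into rows of (name, addr, value)."""
    digits = len(fmt) - len(fmt.lstrip("0123456789"))
    times = int(fmt[:digits]) if digits else 1      # leading number = array length
    fmt, order = fmt[digits:], "<" if little else ">"
    rows, off = [], 0
    for _ in range(times):
        row, labels = [], iter(names)
        for ch in fmt:
            if ch in SKIP:                          # '.' and ':' consume bytes only
                off += SKIP[ch]
                continue
            name, addr = next(labels, None), base + off
            if ch in FIXED:
                size, code = FIXED[ch]
                (val,) = struct.unpack_from(order + code, mem, off)
                off += size
            elif ch == "s":   # 4-byte pointer to a string; followed only inside mem
                (ptr,) = struct.unpack_from(order + "I", mem, off)
                val = (ptr, cstring(mem, ptr - base))
                off += 4
            elif ch == "z":   # inline NUL-terminated string
                val = cstring(mem, off) or ""
                off += len(val) + 1
            else:
                raise ValueError(f"unsupported format char {ch!r}")
            row.append((name, addr, val))
        rows.append(row)
    return rows

# Constructed sample: a descriptor-like record at a made-up base address.
BASE = 0x1000
SAMPLE = (struct.pack("<iiIII", 0, 10, BASE + 20, BASE + 27, 0x2940)
          + b"flumms\0Fluendo MMS source\0")

if __name__ == "__main__":
    fields = ["major", "minor", "name", "desc", "_init"]
    for name, addr, val in pm_decode(SAMPLE, BASE, "ddssx", fields)[0]:
        print(f"{name:>6} : 0x{addr:08x} = {val}")
```

A pointer that falls outside the buffer is reported with a value of None instead of being followed, which is the check to keep in mind when the bytes being decoded come from an untrusted file.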