More radare2 (2/?)

== xrefs ==

The dayjob monolith is using all RAM in our embedded platform. A colleague is trying to mitigate the problem, and he asked me if I knew a way to check the amount of space used by strings.

Using strings(1) is of course the first thing to do, but while doing so I've also found build paths leaked in the executable. Classic [ab]use of __FILE__ and similar macros.

Where to find the culprit code? radare2 has a way to find references to symbols (in jargon we speak about "xrefs"). The command is `axt`, described as "find data/code references to this address". In order to obtain results from `axt`, enhanced binary analysis commands such as `aa` must be executed first.

Example on narnia1 (https://overthewire.org/wargames/narnia/):

    [0x0040106e]> cat ./narnia1.c
    /*
        This program is free software; you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation; either version 2 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program; if not, write to the Free Software
        Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    */
    #include <stdio.h>

    int main(){
        int (*ret)();

        if(getenv("EGG")==NULL){
            printf("Give me something to execute at the env-variable EGG\n");
            exit(1);
        }

        printf("Trying to execute EGG!\n");
        ret = getenv("EGG");
        ret();

        return 0;
    }
    [0x0040106e]> fs strings
    [0x0040106e]> f
    0x00402010 53 str.Give_me_something_to_execute_at_the_env_variable_EGG
    0x00402045 23 str.Trying_to_execute_EGG_
    [0x0040106e]> aa
    INFO: Analyze all flags starting with sym. and entry0 (aa)
    INFO: Analyze all functions arguments/locals (afva@@@F)
    [0x0040106e]> axt str.Give_me_something_to_execute_at_the_env_variable_EGG
    main 0x401181 [DATA:r--] mov edi, str.Give_me_something_to_execute_at_the_env_variable_EGG

== Configuration is useful

Added ~/.radare2rc in my rcm(1). I use light terminals at work, and dark terminals on my own machines (this follows my life patterns: working by day, hacking at night).

    # The ogray theme works on both light and dark terminals.
    eco ogray

== Debugging session

Let's keep working on narnia1: however trivial, there's probably something to learn from it about radare2.

First off, useful debugging commands:

    dc  - continue execution of all children
    ood - reopen in debug mode

The exercise requires me to pass around an environment variable named EGG. How do I do that in radare2? That's how I found out about rarun2.

My free time is so limited :( Session is over. Little learned is better than nothing.
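
Back to the xrefs section: the strings(1) step described there, measuring how much space strings take and spotting leaked build paths, can be scripted. This is an added example, not part of the original post; the path heuristic, the function names and the sample blob are assumptions constructed for illustration.

```python
import re
import sys

# Printable ASCII runs of at least MIN_LEN bytes, the same default strings(1) uses.
MIN_LEN = 4
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# Heuristic (assumption): an absolute path ending in a C/C++ source or header suffix,
# which is what __FILE__ expands to when the compiler is invoked with full paths.
BUILD_PATH = re.compile(rb"(?:/[\w.+-]+)+\.(?:c|cc|cpp|cxx|h|hh|hpp)\b")


def scan_strings(blob):
    """Return (file_offset, bytes) for every printable run in blob."""
    return [(m.start(), m.group()) for m in PRINTABLE_RUN.finditer(blob)]


def report(blob):
    """Summarise string usage and list the strings that embed a build path."""
    found = scan_strings(blob)
    # +1 per string for the terminating NUL that C string literals carry.
    total = sum(len(s) + 1 for _, s in found)
    leaks = [(off, s.decode("ascii")) for off, s in found if BUILD_PATH.search(s)]
    return {"count": len(found), "bytes": total, "leaks": leaks}


# Constructed sample standing in for a .rodata section (not from a real binary).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    b"Trying to execute EGG!\n\x00"
    b"\x00\x01\x02"
    b"/home/builder/monolith/src/net/session.c\x00"
    b"assertion failed at /home/builder/monolith/src/ui/menu.cpp:%d\x00"
    b"ok\x00"
)

if __name__ == "__main__":
    # With no argument the constructed sample is scanned instead of a file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    r = report(data)
    print("%d strings, %d bytes" % (r["count"], r["bytes"]))
    for off, s in r["leaks"]:
        print("0x%08x %s" % (off, s))
```

The offsets printed are file offsets, so they have to be mapped to virtual addresses before being handed to `axt`.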