Add magic pattern search

radareorg · Aug 15, 2024 · 7d417f3 · 7d417f3
1 parent f42e8f3
commit 7d417f3
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/src/search/pattern_search.md b/src/search/pattern_search.md
@@ -1,4 +1,6 @@
-## Pattern Matching Search
+## Pattern Search
+
+### Pattern Matching Search
 
 The `/p` command allows you to apply repeated pattern searches on IO backend storage. It is possible to identify repeated byte sequences without explicitly specifying them. The only command's parameter sets minimum detectable pattern length.
 Here is an example:
@@ -18,3 +20,26 @@ hits: 2
 0x00000118 hit2_0 9a9b9d
 0x00000202 hit2_1 a4a5a7
 ```
+
+### Magic Pattern Search
+
+The `/m` command allows to search for known magic patterns helping to discover hidden filesystem, archives or other known file formats:
+
+```console
+[0x00000000]> /m
+-- 0 120eb
+0x00000000 0 hit0_0 JPEG image , JFIF standard
+0x00009f64 0 hit0_1 ZIP Zip archive data, at least v2.0 to extract
+0x000120d5 0 hit0_2 End of Zip archive
+```
+
+Those magic patterns a defined according to the [file command's magic pattern format](https://linux.die.net/man/5/magic). By default radare2 uses all the patterns files in the folder `libr/magic/d/default/`. Searching with all the pattern files may be long but it is possible to use a single file given as argument:
+
+```console
+[0x00000000]> /m ./libr/magic/d/default/archive
+-- 0 120eb
+0x00009f64 0 hit0_0 ZIP Zip archive data, at least v2.0 to extract
+0x000120d5 0 hit0_1 End of Zip archive
+```console
+
+It also allows to defined and search with custom pattern files.