radare2中的ASM模式搜索

Question

我想在radare2中搜索该类型的ASM模式。

pop, mov, mov

这是三个连续的指令:第一个以pop开头，第二个以mov开头，第三个也是。

Radare2 (https://github.com/radareorg/radare2/issues/13322)有一个相关的问题，它说“在/c中实现了它的高效性”，但是现在需要/c来搜索密码材料。

我在Linux上使用radare2 4.5.0。

Answer 1

这可以用/ad实现(用4.5.0和5.0.1版本进行测试)：

r2 /bin/ls
> "/ad pop;mov;mov"
0x00009b40   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009bb8   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009c38   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009d40   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x0000a120   # 19: pop r12; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x0000a120   # 18: pop rsp; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x000120f1   # 9: pop rcx; mov rcx, qword [rbx]; mov edx, 2

注意:命令周围的引号(")是必要的，因为radare2还使用分号来链接命令。

供参考(radare2 5.0.1)：

> /a?
Usage: /a[?] [arg]  Search for assembly instructions matching given properties
| /a push rbp           Assemble given instruction and search the bytes
| /a1 [number]          Find valid assembly generated by changing only the nth byte
| /aI                   Search for infinite loop instructions (jmp $$)
| /aa mov eax           Linearly find aproximated assembly (case insensitive strstr)
| /ac mov eax           Same as /aa, but case-sensitive
| /ad[/*j] push;mov     Match ins1 followed by ins2 in linear disasm
| /ad/ ins1;ins2        Search for regex instruction 'ins1' followed by regex 'ins2'
| /ad/a instr           Search for every byte instruction that matches regexp 'instr'
| /ae esil              Search for esil expressions matching substring
| /af[l] family         Search for instruction of specific family (afl=list
| /ai[j] 0x300 [0x500]  Find all the instructions using that immediate (in range)
| /al                   Same as aoml, list all opcodes
| /am opcode            Search for specific instructions of specific mnemonic
| /ao instr             Search for instruction 'instr' (in all offsets)
| /as[l] ([type])       Search for syscalls (See /at swi and /af priv)
| /at[l] ([type])       Search for instructions of given type