I'm currently using Radare2 to extract opcodes from PE files. Right now I'm trying to use the "pd" command from the API: "pd n @ offset: print n opcodes disassembled". I'd like to know whether there is a way to precisely compute/find out what "n" is for each file I process. Thanks
Posted on 2020-06-11 16:24:03
Solution

This example shows 4 different options for viewing/printing the disassembly or opcodes.
- Command one: `aaaa` # Analyze the file
- Command two: `Vp` # Open disassembly in visual mode

- Command one: `aaaa` # Analyze the file
- Command two: `pdf @@f > out`
  - `pdf` # Print disassembly of a function
  - `@@f` # Repeat the command for every function
  - `> out` # Redirect the output to the file named _out_
Instructions

- Command one: `aaaa` # Analyze the file
- Command two: `pif @@f ~[0] > out`
  - `pif` # Print instructions of a function
  - `@@f` # Repeat the command for every function
  - `~[0]` # Only print the first column (the instruction)
  - `> out` # Redirect the output to the file named _out_
Get detailed information for each opcode

- Command one: `aaaa` # Analyze the file
- Command two: `` aoj @@=`pid @@f ~[0]` > out ``
  - `aoj` # Display opcode analysis information in JSON
  - `@@=` # Repeat the command for every offset returned by the sub-query
  - `pid @@f ~[0]` # The sub-query
    1. `pid` # Print disassembly with offset and bytes
    2. `@@f` # Repeat the command for every function
    3. `~[0]` # Only print the first column (the offset)
  - `> out` # Redirect the output to the file named _out_
Example

Replace the commands here with any of the options above.
Example using the radare2 shell

```
user@host:~$ r2 /bin/ls
[0x00005850]> aaaa
...
[0x00005850]> pdf @@f > out
[0x00005850]> q
user@host:~$ cat out
...
┌ 38: fcn.00014840 ();
│ ; var int64_t var_38h @ rsp+0xffffffd0
│ 0x00014840 53 push rbx
│ 0x00014841 31f6 xor esi, esi
│ 0x00014843 31ff xor edi, edi
│ 0x00014845 e846f2feff call sym.imp.getcwd
│ 0x0001484a 4885c0 test rax, rax
│ 0x0001484d 4889c3 mov rbx, rax
│ ┌─< 0x00014850 740e je 0x14860
│ │ ; CODE XREF from fcn.00014840 @ 0x14868
│ ┌──> 0x00014852 4889d8 mov rax, rbx
│ ╎│ 0x00014855 5b pop rbx
│ ╎│ 0x00014856 c3 ret
..
│ ╎│ ; CODE XREF from fcn.00014840 @ 0x14850
│ ╎└─> 0x00014860 e88beffeff call sym.imp.__errno_location
│ ╎ 0x00014865 83380c cmp dword [rax], 0xc
│ └──< 0x00014868 75e8 jne 0x14852
└ 0x0001486a e861feffff call fcn.000146d0
; CALL XREFS from fcn.00013d00 @ 0x13d9d, 0x13da8
...
```

Example using Python with r2pipe

```python
import r2pipe

R2 = r2pipe.open('/bin/ls')  # Open r2 with file
R2.cmd('aaaa')  # Analyze file
R2.cmd('pdf @@f > out')  # Write disassembly for each function to out file
R2.quit()  # Quit r2
```

https://stackoverflow.com/questions/62319299
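The question asks how to know what `n` to give `pd n`; the answer's `pdf @@f > out` listing already carries that information, since `n` for a function is simply the number of instruction lines r2 printed for it. The following is an added example, not part of the answer above and not radare2 or r2pipe code: it parses the `out` listing into functions and instructions, reports the per-function `n` (so `pd n @ <function address>` reproduces exactly that function), extracts the mnemonic sequence, and cross-checks the summed instruction bytes against the size r2 prints in the function header (a mismatch means a truncated listing or a line the parser missed). The only assumption is the column layout shown in the answer (address, hex bytes, mnemonic, operands); the embedded sample is the single function from the `cat out` output above.

```python
"""Parse a radare2 `pdf @@f > out` listing and derive, per function, the
instruction count n that `pd n @ <function address>` would need.
Illustration code only; assumes the address / hex-bytes / mnemonic layout
shown in the answer above, not any r2 or r2pipe API."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Insn:
    addr: int
    raw: bytes      # encoded instruction bytes, as printed in the bytes column
    mnemonic: str   # the "opcode" the asker wants to extract
    operands: str


@dataclass
class Func:
    name: str
    declared_size: int            # the size r2 prints in the header, e.g. "38:"
    insns: list[Insn] = field(default_factory=list)

    @property
    def n(self) -> int:
        """Instruction count: the n to pass to `pd n @ <addr>` for this function."""
        return len(self.insns)

    @property
    def byte_size(self) -> int:
        return sum(len(i.raw) for i in self.insns)


# Header line, e.g. "┌ 38: fcn.00014840 ();" -> (size, name)
FUNC_HEADER = re.compile(r"^\s*┌\s+(\d+):\s+(\S+)\s*\(")
# Instruction line: address, hex bytes, mnemonic, optional operands. Comment and
# xref lines also contain addresses, but never an address followed by a hex-bytes
# column and a mnemonic, so they do not match.
INSN_LINE = re.compile(
    r"(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+([A-Za-z][\w.]*)(?:\s+(.*))?$"
)


def parse_listing(text: str) -> list[Func]:
    funcs: list[Func] = []
    current: Func | None = None
    for line in text.splitlines():
        header = FUNC_HEADER.search(line)
        if header:
            current = Func(name=header.group(2), declared_size=int(header.group(1)))
            funcs.append(current)
            continue
        if current is None:
            continue  # text before the first function header (r2 banner etc.)
        m = INSN_LINE.search(line)
        if m:
            addr, hexbytes, mnem, ops = m.groups()
            current.insns.append(Insn(int(addr, 16), bytes.fromhex(hexbytes), mnem, ops or ""))
    return funcs


def pd_counts(text: str) -> dict[str, int]:
    """Map each function name to its n, so that `pd n @ name` prints exactly that function."""
    return {f.name: f.n for f in parse_listing(text)}


def opcode_sequence(func: Func) -> list[str]:
    """Mnemonic sequence of a function in address order."""
    return [i.mnemonic for i in sorted(func.insns, key=lambda i: i.addr)]


def size_mismatches(funcs: list[Func]) -> list[tuple[str, int, int]]:
    """Functions whose summed instruction bytes differ from the header size."""
    return [(f.name, f.declared_size, f.byte_size) for f in funcs if f.declared_size != f.byte_size]


# Constructed sample: the one function shown in the answer's `cat out` output.
SAMPLE = """\
┌ 38: fcn.00014840 ();
│ ; var int64_t var_38h @ rsp+0xffffffd0
│ 0x00014840 53 push rbx
│ 0x00014841 31f6 xor esi, esi
│ 0x00014843 31ff xor edi, edi
│ 0x00014845 e846f2feff call sym.imp.getcwd
│ 0x0001484a 4885c0 test rax, rax
│ 0x0001484d 4889c3 mov rbx, rax
│ ┌─< 0x00014850 740e je 0x14860
│ │ ; CODE XREF from fcn.00014840 @ 0x14868
│ ┌──> 0x00014852 4889d8 mov rax, rbx
│ ╎│ 0x00014855 5b pop rbx
│ ╎│ 0x00014856 c3 ret
..
│ ╎│ ; CODE XREF from fcn.00014840 @ 0x14850
│ ╎└─> 0x00014860 e88beffeff call sym.imp.__errno_location
│ ╎ 0x00014865 83380c cmp dword [rax], 0xc
│ └──< 0x00014868 75e8 jne 0x14852
└ 0x0001486a e861feffff call fcn.000146d0
; CALL XREFS from fcn.00013d00 @ 0x13d9d, 0x13da8
"""

if __name__ == "__main__":
    for f in parse_listing(SAMPLE):
        print(f"pd {f.n} @ {f.name}   # {f.byte_size} bytes, header says {f.declared_size}")
        print("  opcodes:", " ".join(opcode_sequence(f)))
    print("size mismatches:", size_mismatches(parse_listing(SAMPLE)))
```

To run it on a real dump, replace `SAMPLE` with the contents of the `out` file (`parse_listing(open("out", encoding="utf-8").read())`); the `..` lines r2 prints for skipped padding are ignored, which is why the byte total is checked against the header size rather than against the address span.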