• d : disassembly N opcodes count of opcodes
• D : asm.arch disassembler bsize bytes
[0x00404888]> pd 1
;-- entry0:
0x00404888 31ed xor ebp, ebp
The architecture flavor for the disassembler is defined by the asm.arch eval variable. You can use e asm.arch=?? to list all available architectures.
[0x00005310]> e asm.arch=??
_dAe _8_16 6502 LGPL3 6502/NES/C64/Tamagotchi/T-1000 CPU
_dAe _8 8051 PD 8051 Intel CPU
_dA_ _16_32 arc GPL3 Argonaut RISC Core
a___ _16_32_64 arm.as LGPL3 as ARM Assembler (use ARM_AS environment)
adAe _16_32_64 arm BSD Capstone ARM disassembler
_dA_ _16_32_64 arm.gnu GPL3 Acorn RISC Machine CPU
_d__ _16_32 arm.winedbg LGPL2 WineDBG's ARM disassembler
adAe _8_16 avr GPL AVR Atmel
adAe _16_32_64 bf LGPL3 Brainfuck
_dA_ _32 chip8 LGPL3 Chip8 disassembler
_dA_ _16 cr16 LGPL3 cr16 disassembly plugin
_dA_ _32 cris GPL3 Axis Communications 32-bit embedded processor
adA_ _32_64 dalvik LGPL3 AndroidVM Dalvik
ad__ _16 dcpu16 PD Mojang's DCPU-16
_dA_ _32_64 ebc LGPL3 EFI Bytecode
adAe _16 gb LGPL3 GameBoy(TM) (z80-like)
_dAe _16 h8300 LGPL3 H8/300 disassembly plugin
_dAe _32 hexagon LGPL3 Qualcomm Hexagon (QDSP6) V6
_d__ _32 hppa GPL3 HP PA-RISC
_dAe _0 i4004 LGPL3 Intel 4004 microprocessor
_dA_ _8 i8080 BSD Intel 8080 CPU
adA_ _32 java Apache Java bytecode
_d__ _32 lanai GPL3 LANAI
...
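As an added example (not code from the radare2 book or project), a small parser for the plugin listing above. It reads the columns the way rasm2 -L documents them: a capability mask (a = assembler, d = disassembler, A = analysis, e = ESIL), the supported word sizes, the plugin name, its license and a description; the sample lines are copied from the listing.

```python
"""Parse the `e asm.arch=??` plugin listing and filter it by capability."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the `e asm.arch=??` output above.
SAMPLE = """\
_dAe _8_16 6502 LGPL3 6502/NES/C64/Tamagotchi/T-1000 CPU
adAe _16_32_64 arm BSD Capstone ARM disassembler
_dA_ _16_32_64 arm.gnu GPL3 Acorn RISC Machine CPU
ad__ _16 dcpu16 PD Mojang's DCPU-16
_dAe _0 i4004 LGPL3 Intel 4004 microprocessor
adA_ _32 java Apache Java bytecode
...
"""

@dataclass
class ArchPlugin:
    name: str
    license: str
    description: str
    assemble: bool            # 'a' in the capability mask
    disassemble: bool         # 'd'
    analysis: bool            # 'A'
    esil: bool                # 'e': the plugin emits ESIL, so asm.esil works
    bits: Tuple[int, ...]     # word sizes, e.g. (16, 32, 64); (0,) = unspecified

def parse_arch_line(line: str) -> ArchPlugin:
    caps, bits, name, lic, desc = line.split(maxsplit=4)
    if len(caps) != 4:
        raise ValueError("unexpected capability mask: %r" % caps)
    # Mask positions are fixed (a d A e); '_' means the plugin lacks that feature.
    return ArchPlugin(name=name, license=lic, description=desc.strip(),
                      assemble=caps[0] == "a", disassemble=caps[1] == "d",
                      analysis=caps[2] == "A", esil=caps[3] == "e",
                      bits=tuple(int(b) for b in bits.split("_") if b))

def parse_arch_listing(text: str) -> List[ArchPlugin]:
    plugins = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":   # the listing above is truncated with '...'
            continue
        plugins.append(parse_arch_line(line))
    return plugins

def select(plugins: List[ArchPlugin], bits: Optional[int] = None,
           assemble: bool = False, esil: bool = False) -> List[str]:
    """Names of plugins supporting the given word size and capabilities."""
    return [p.name for p in plugins
            if (bits is None or bits in p.bits)
            and (not assemble or p.assemble)
            and (not esil or p.esil)]

if __name__ == "__main__":
    archs = parse_arch_listing(SAMPLE)
    print("ESIL-capable 64-bit plugins:", select(archs, bits=64, esil=True))
```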
There are multiple options which can be used to configure the output of the disassembler. All these options are described in e? asm.
[0x00005310]> e? asm.
asm.anal: Analyze code and refs while disassembling (see anal.strings)
asm.arch: Set the arch to be used by asm
asm.assembler: Set the plugin name to use when assembling
asm.bbline: Show empty line after every basic block
asm.bits: Word size in bits at assembler
asm.bytes: Display the bytes of each instruction
asm.bytespace: Separate hexadecimal bytes with a whitespace
asm.calls: Show callee function related info as comments in disasm
asm.capitalize: Use camelcase at disassembly
asm.cmt.col: Column to align comments
asm.cmt.flgrefs: Show comment flags associated to branch reference
asm.cmt.fold: Fold comments, toggle with Vz
...
Currently there are 136 asm. configuration variables, so we do not list them all.
The asm.syntax variable is used to change the flavor of the assembly syntax used by a disassembler engine. To switch between Intel and AT&T representations:
e asm.syntax = intel
e asm.syntax = att
You can also check asm.pseudo, which is an experimental pseudocode view, and asm.esil which outputs ESIL ('Evaluable Strings Intermediate Language'). ESIL's goal is to have a human-readable representation of every opcode semantics. Such representations can be evaluated (interpreted) to emulate effects of individual instructions.
Flags are conceptually similar to bookmarks. They associate a name with a given offset in a file. Flags can be grouped into 'flag spaces'. A flag space is a namespace for flags, grouping together flags of similar characteristics or type. Examples for flag spaces: sections, registers, symbols.
To create a flag:
[0x4A13B8C0]> f flag_name @ offset
You can remove a flag by appending the - character to the command. Most commands accept - as an argument prefix indicating that something should be deleted.
[0x4A13B8C0]> f-flag_name
To switch between or create new flagspaces use the fs command:
[0x00005310]> fs?
|Usage: fs [*] [+-][flagspace|addr] # Manage flagspaces
| fs display flagspaces
| fs* display flagspaces as r2 commands
| fsj display flagspaces in JSON
| fs * select all flagspaces
| fs flagspace select flagspace or create if it doesn't exist
| fs-flagspace remove flagspace
| fs-* remove all flagspaces
| fs+foo push previous flagspace and set
| fs- pop to the previous flagspace
| fs-. remove the current flagspace
| fsq list flagspaces in quiet mode
| fsm [addr] move flags at given address to the current flagspace
| fss display flagspaces stack
| fss* display flagspaces stack in r2 commands
| fssj display flagspaces stack in JSON
| fsr newname rename selected flagspace
[0x00005310]> fs
0 439 * strings
1 17 * symbols
2 54 * sections
3 20 * segments
4 115 * relocs
5 109 * imports
[0x00005310]>
Here are some command examples:
[0x4A13B8C0]> fs symbols ; select only flags in symbols flagspace
[0x4A13B8C0]> f ; list only flags in symbols flagspace
[0x4A13B8C0]> fs * ; select all flagspaces
[0x4A13B8C0]> f myflag ; create a new flag called 'myflag'
[0x4A13B8C0]> f-myflag ; delete the flag called 'myflag'
You can rename flags with fr.
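Flags are often created in bulk from addresses collected elsewhere (a map file, a scanner hit list). The following is an added example, not code from the radare2 book: it turns a constructed list of (name, address, size) labels into an r2 script using the fs, f and f- commands shown above, so it can be loaded with `r2 -i labels.r2 binary` or with `. labels.r2` at the r2 prompt. Because every flag name must be unique, duplicates get a numeric suffix, and spaces or @ (which r2 would read as the address separator) are replaced.

```python
"""Emit r2 flag commands for a list of labels, inside their own flagspace."""
import re
from typing import List, Tuple

# Constructed sample input: (name, address, size in bytes; 0 = default size).
SAMPLE_LABELS = [
    ("main loop", 0x3a32, 0),
    ("check_args", 0x3a16, 3),
    ("check_args", 0x3a1f, 3),   # duplicate name: would collide with the one above
    ("abort@plt", 0x2d30, 0),
]

_BAD = re.compile(r"[^A-Za-z0-9_.]")   # keep only characters safe in a flag name

def sanitize(name: str) -> str:
    """Replace characters that would break `f name @ addr` parsing with '_'."""
    return _BAD.sub("_", name)

def plan_flags(labels) -> List[Tuple[str, int, int]]:
    """Assign a unique, sanitized flag name to every label."""
    used, out = set(), []
    for name, addr, size in labels:
        base = fname = sanitize(name)
        n = 1
        while fname in used:          # flags are addressed by name, so dedupe
            n += 1
            fname = "%s_%d" % (base, n)
        used.add(fname)
        out.append((fname, addr, size))
    return out

def flag_script(plan, space: str = "labels") -> str:
    """Commands creating one flag per label in flagspace `space`."""
    lines = ["fs %s" % space]                        # select or create the space
    for fname, addr, size in plan:
        size_part = " %d" % size if size else ""    # `f name [size] @ addr`
        lines.append("f %s%s @ 0x%x" % (fname, size_part, addr))
    lines.append("fs *")                             # select all flagspaces again
    return "\n".join(lines) + "\n"

def unflag_script(plan) -> str:
    """Commands removing the same flags again (`f-name`)."""
    return "".join("f-%s\n" % fname for fname, _, _ in plan)

if __name__ == "__main__":
    print(flag_script(plan_flags(SAMPLE_LABELS)), end="")
```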
Every flag name should be unique for addressing reasons. But it is quite a common need to have flags, for example inside functions, with simple and ubiquitous names like loop or return. For this purpose you can use so called "local" flags, which are tied to the function where they reside. It is possible to add them using the f. command:
[0x00003a04]> pd 10
│ 0x00003a04 48c705c9cc21. mov qword [0x002206d8], 0xffffffffffffffff ; [0x2206d8:8]=0
│ 0x00003a0f c60522cc2100. mov byte [0x00220638], 0 ; [0x220638:1]=0
│ 0x00003a16 83f802 cmp eax, 2
│ .─< 0x00003a19 0f84880d0000 je 0x47a7
│ │ 0x00003a1f 83f803 cmp eax, 3
│ .──< 0x00003a22 740e je 0x3a32
│ ││ 0x00003a24 83e801 sub eax, 1
│.───< 0x00003a27 0f84ed080000 je 0x431a
││││ 0x00003a2d e8fef8ffff call sym.imp.abort ; void abort(void)
││││ ; CODE XREF from main (0x3a22)
││╰──> 0x00003a32 be07000000 mov esi, 7
[0x00003a04]> f. localflag @ 0x3a32
[0x00003a04]> f.
0x00003a32 localflag [main + 210]
[0x00003a04]> pd 10
│ 0x00003a04 48c705c9cc21. mov qword [0x002206d8], 0xffffffffffffffff ; [0x2206d8:8]=0
│ 0x00003a0f c60522cc2100. mov byte [0x00220638], 0 ; [0x220638:1]=0
│ 0x00003a16 83f802 cmp eax, 2
│ .─< 0x00003a19 0f84880d0000 je 0x47a7
│ │ 0x00003a1f 83f803 cmp eax, 3
│ .──< 0x00003a22 740e je 0x3a32 ; main.localflag