1. Главная
  2. Книги
  3. authors Collective of
  4. The Official Radare2 Book
  5. Страница 29
Выбрать главу

0x00000010 322d 5671 8788 8182 5679 7568 82a2 7d89

0x00000020 8173 7f7b 727a 9588 a07b 5c7d 8daf 836d

0x00000030 b167 6192 a67d 8aa2 6246 856e 8c9b 999f

0x00000040 a774 96c3 b1a4 6c8e a07c 6a8f 8983 6a62

0x00000050 7d66 625f 7ea4 7ea6 b4b6 8b57 a19f 71a2

[0x08049790]> eval zoom.byte = flags

[0x08049790]> pz // or pzf

0x00406e65 48d0 80f9 360f 8745 ffff ffeb ae66 0f1f

0x00406e75 4400 0083 f801 0f85 3fff ffff 410f b600

0x00406e85 3c78 0f87 6301 0000 0fb6 c8ff 24cd 0026

0x00406e95 4100 660f 1f84 0000 0000 0084 c074 043c

0x00406ea5 3a75 18b8 0500 0000 83f8 060f 95c0 e9cd

0x00406eb5 feff ff0f 1f84 0000 0000 0041 8801 4983

0x00406ec5 c001 4983 c201 4983 c101 e9ec feff ff0f

[0x08049790]> e zoom.byte=F

[0x08049790]> pO // or pzF

0x00000000 0000 0000 0000 0000 0000 0000 0000 0000

0x00000010 0000 2b5c 5757 3a14 331f 1b23 0315 1d18

0x00000020 222a 2330 2b31 2e2a 1714 200d 1512 383d

0x00000030 1e1a 181b 0a10 1a21 2a36 281e 1d1c 0e11

0x00000040 1b2a 2f22 2229 181e 231e 181c 1913 262b

0x00000050 2b30 4741 422f 382a 1e22 0f17 0f10 3913

You can limit zooming to a range of bytes instead of the whole bytespace. Change zoom.from and zoom.to eval variables:

[0x00003a04]> e? zoom.

zoom.byte: Zoom callback to calculate each byte (See pz? for help)

zoom.from: Zoom start address

zoom.in: Specify boundaries for zoom

zoom.maxsz: Zoom max size of block

zoom.to: Zoom end address

[0x00003a04]> e zoom.

zoom.byte = h

zoom.from = 0

zoom.in = io.map

zoom.maxsz = 512

zoom.to = 0

Yank/Paste

Radare2 has an internal clipboard to save and write portions of memory loaded from the current io layer.

This clipboard can be manipulated with the y command.

The two basic operations are

   • copy (yank)

   • paste

The yank operation will read N bytes (specified by the argument) into the clipboard. We can later use the yy command to paste what we read before into a file.

You can yank/paste bytes in visual mode selecting them with the cursor mode (Vc) and then using the y and Y key bindings which are aliases for y and yy commands of the command-line interface.

[0x00000000]> y?

Usage: y[ptxy] [len] [[@]addr] # See wd? for memcpy, same as 'yf'.

| y! open cfg.editor to edit the clipboard

| y 16 0x200 copy 16 bytes into clipboard from 0x200

| y 16 @ 0x200 copy 16 bytes into clipboard from 0x200

| y 16 copy 16 bytes into clipboard

| y show yank buffer information (srcoff len bytes)

| y* print in r2 commands what's been yanked

| yf 64 0x200 copy file 64 bytes from 0x200 from file

| yfa file copy copy all bytes from file (opens w/ io)

| yfx 10203040 yank from hexpairs (same as ywx)

| yj print in JSON commands what's been yanked

| yp print contents of clipboard

| yq print contents of clipboard in hexpairs

| ys print contents of clipboard as string

| yt 64 0x200 copy 64 bytes from current seek to 0x200

| ytf file dump the clipboard to given file

| yw hello world yank from string

| ywx 10203040 yank from hexpairs (same as yfx)

| yx print contents of clipboard in hexadecimal

| yy 0x3344 paste clipboard

| yz [len] copy nul-terminated string (up to blocksize) into clipboard

Sample session:

[0x00000000]> s 0x100 ; seek at 0x100

[0x00000100]> y 100 ; yanks 100 bytes from here

[0x00000200]> s 0x200 ; seek 0x200

[0x00000200]> yy ; pastes 100 bytes

You can perform a yank and paste in a single line by just using the yt command (yank-to). The syntax is as follows:

[0x4A13B8C0]> x

offset 0 1 2 3 4 5 6 7 8 9 A B 0123456789AB

0x4A13B8C0, 89e0 e839 0700 0089 c7e8 e2ff ...9........

0x4A13B8CC, ffff 81c3 eea6 0100 8b83 08ff ............

0x4A13B8D8, ffff 5a8d 2484 29c2 ..Z.$.).

[0x4A13B8C0]> yt 8 0x4A13B8CC @ 0x4A13B8C0

[0x4A13B8C0]> x

offset 0 1 2 3 4 5 6 7 8 9 A B 0123456789AB

0x4A13B8C0, 89e0 e839 0700 0089 c7e8 e2ff ...9........

0x4A13B8CC, 89e0 e839 0700 0089 8b83 08ff ...9........

0x4A13B8D8, ffff 5a8d 2484 29c2 ..Z.$.).

Comparing Bytes

For most generic reverse engineering tasks like finding the differences between two binary files, which bytes has changed, find differences in the graphs of the code analysis results, and other diffing operations you can just use radiff2:

$ radiff2 -h

Inside r2, the functionalities exposed by radiff2 are available with the c command.

c (short for "compare") allows you to compare arrays of bytes from different sources. The command accepts input in a number of formats and then compares it against values found at current seek position.

[0x00404888]> c?

Usage: c[?dfx] [argument] # Compare

| c [string] Compare a plain with escaped chars string

| c* [string] Same as above, but printing r2 commands instead

| c1 [addr] Compare 8 bits from current offset

| c2 [value] Compare a word from a math expression

| c4 [value] Compare a doubleword from a math expression

| c8 [value] Compare a quadword from a math expression

| cat [file] Show contents of file (see pwd, ls)

| cc [at] Compares in two hexdump columns of block size

| ccc [at] Same as above, but only showing different lines

| ccd [at] Compares in two disasm columns of block size

| ccdd [at] Compares decompiler output (e cmd.pdc=pdg|pdd)

| cf [file] Compare contents of file at current seek

| cg[?] [o] [file] Graphdiff current file and [file]

| cu[?] [addr] @at Compare memory hexdumps of $$ and dst in unified diff

| cud [addr] @at Unified diff disasm from $$ and given address

| cv[1248] [hexpairs] @at Compare 1,2,4,8-byte (silent return in $?)

| cV[1248] [addr] @at Compare 1,2,4,8-byte address contents (silent, return in $?)

| cw[?] [us?] [...] Compare memory watchers

| cx [hexpair] Compare hexpair string (use '.' as nibble wildcard)

| cx* [hexpair] Compare hexpair string (output r2 commands)

| cX [addr] Like 'cc' but using hexdiff output

| cd [dir] chdir

| cl|cls|clear Clear screen, (clear0 to goto 0, 0 only)

To compare memory contents at current seek position against a given string of values, use cx:

[0x08048000]> p8 4

7f 45 4c 46

[0x08048000]> cx 7f 45 90 46

Compare 3/4 equal bytes

0x00000002 (byte=03) 90 ' ' -> 4c 'L'

[0x08048000]>

Another subcommand of the c command is cc which stands for "compare code". To compare a byte sequence with a sequence in memory:

[0x4A13B8C0]> cc 0x39e8e089 @ 0x4A13B8C0

To compare contents of two functions specified by their names:

[0x08049A80]> cc sym.main2 @ sym.main

c8 compares a quadword from the current seek (in the example below, 0x00000000) against a math expression:

[0x00000000]> c8 4

Compare 1/8 equal bytes (0%)

0x00000000 (byte=01) 7f ' ' -> 04 ' '

0x00000001 (byte=02) 45 'E' -> 00 ' '

0x00000002 (byte=03) 4c 'L' -> 00 ' '

The number parameter can, of course, be math expressions which use flag names and anything allowed in an expression:

~ 29 ~