
I'm about to write a piece of software that puts a binary into radare2 and then dumps subroutines, including instructions, addresses and the binary representation of the instructions, into a text file.

I got it working with IDA Pro and IDAPython but I also want to recreate it for radare2. The text file should look like this in the end:

0x0804ba0a      55             push ebp
0x0804ba0b      89e5           mov ebp, esp
0x0804ba0d      83ec18         sub esp, 0x18
0x0804ba10      83e4f0         and esp, 0xfffffff0
0x0804ba13      b800000000     mov eax, 0
0x0804ba18      29c4           sub esp, eax

Unfortunately, the sources on the web are scarce and the documentation is not exactly long. I would love to give you more to work with, but I'm somehow stuck here. I figured out how to disassemble a function using the pdf command, and I could probably use it like this in Python, but the way I've done it, main, the entry point and sym.main would be missing. I would like to disassemble the whole .text section or all functions in the .text section:

import r2pipe

binary = 'path_to_file'   # the executable to analyze
out = 'out.txt'           # the disassembly listing (separate from the binary)
r = r2pipe.open(binary)   # open the binary in radare2

with open(out, 'w') as f:
    r.cmd('aaa')
    # disassemble all functions starting with fcn and write them
    # to the file (main, entry0 and sym.* do not match fcn*)
    f.write(r.cmd('pdf @@ fcn*'))

r.quit()
Melvin

1 Answer

ENVIRONMENT

  • radare2: radare2 4.2.0-git 23519 @ linux-x86-64 git.4.1.1-84-g0c46c3e1e commit: 0c46c3e1e30bb272a5a05fc367d874af32b41fe4 build: 2020-01-08__09:49:0
  • system: Ubuntu 18.04.3 LTS

SOLUTION

  • This can be implemented utilizing two radare2 commands either from the command prompt or a language with r2pipe support.
    • Command one: aaaa # Analyze the file
    • Command two: pdf @@f > out
      • pdf # Print disassembly of a function
      • @@f # Repeat the command for every function
      • > out # Redirect the output to the file named out

EXAMPLE

Example using radare2 shell

user@host:~$ r2 /bin/ls
[0x00005850]> aaaa
...
[0x00005850]> pdf @@f > out
[0x00005850]> q
user@host:~$ cat out
...
┌ 38: fcn.00014840 ();
│           ; var int64_t var_38h @ rsp+0xffffffd0
│           0x00014840      53             push rbx
│           0x00014841      31f6           xor esi, esi
│           0x00014843      31ff           xor edi, edi
│           0x00014845      e846f2feff     call sym.imp.getcwd
│           0x0001484a      4885c0         test rax, rax
│           0x0001484d      4889c3         mov rbx, rax
│       ┌─< 0x00014850      740e           je 0x14860
│       │   ; CODE XREF from fcn.00014840 @ 0x14868
│      ┌──> 0x00014852      4889d8         mov rax, rbx
│      ╎│   0x00014855      5b             pop rbx
│      ╎│   0x00014856      c3             ret
..
│      ╎│   ; CODE XREF from fcn.00014840 @ 0x14850
│      ╎└─> 0x00014860      e88beffeff     call sym.imp.__errno_location
│      ╎    0x00014865      83380c         cmp dword [rax], 0xc
│      └──< 0x00014868      75e8           jne 0x14852
└           0x0001486a      e861feffff     call fcn.000146d0
            ; CALL XREFS from fcn.00013d00 @ 0x13d9d, 0x13da8
...

Example using Python with r2pipe

import r2pipe

R2 = r2pipe.open('/bin/ls') # Open r2 with file
R2.cmd('aaaa')              # Analyze file
R2.cmd('pdf @@f > out')     # Write disassembly for each function to out file
R2.quit()                   # Quit r2
Kuma

Comment: Also consider checking out https://reverseengineering.stackexchange.com/ for reverse engineering questions! – Kuma Jan 17 '20 at 14:20
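To get exactly the address / bytes / instruction layout the question asks for, and to cover main, entry0 and sym.* as well (which `pdf @@ fcn*` misses), radare2's JSON commands can be used instead of the text output. The following is an added example, not code from the question or the answer; it assumes radare2 and the r2pipe package are installed for the live path, and relies on the JSON shapes radare2 emits for `aflj` (list of functions with `name` and `offset`) and `pdfj` (an `ops` list with `offset`, `bytes` and `disasm`).

```python
# Added example; not the question's or the answer's code. Assumes radare2
# and the r2pipe package are installed for write_dump(); the JSON shapes
# (aflj -> list of {"name","offset",...}, pdfj -> {"ops": [{"offset",
# "bytes","disasm",...}]}) are the ones radare2 emits.


def format_ops(ops):
    """Render pdfj 'ops' entries in the question's column layout."""
    return [f"{op['offset']:#010x}      {op['bytes']:<15}{op['disasm']}"
            for op in ops]


def dump_functions(r2):
    """Return {function name: [lines]} for every function radare2 found.

    Unlike 'pdf @@ fcn*', aflj lists all functions, so main, entry0 and
    sym.* are included; output is in ascending address order.
    """
    out = {}
    for fn in sorted(r2.cmdj('aflj') or [], key=lambda f: f['offset']):
        listing = r2.cmdj(f"pdfj @ {fn['offset']:#x}")
        if not listing:  # nothing decodable at that address; skip it
            continue
        out[fn['name']] = format_ops(listing['ops'])
    return out


def write_dump(binary, out_path):
    """Analyse `binary` with radare2 and write all functions to out_path."""
    import r2pipe  # imported here so the pure helpers run without radare2
    r2 = r2pipe.open(binary)
    r2.cmd('aaa')
    funcs = dump_functions(r2)
    r2.quit()
    with open(out_path, 'w') as f:
        for name, lines in funcs.items():
            f.write(f"; {name}\n" + "\n".join(lines) + "\n\n")
    return len(funcs)


# Constructed sample in the shape pdfj returns (not real radare2 output).
SAMPLE_OPS = [
    {"offset": 0x0804ba0a, "bytes": "55", "disasm": "push ebp"},
    {"offset": 0x0804ba0b, "bytes": "89e5", "disasm": "mov ebp, esp"},
    {"offset": 0x0804ba13, "bytes": "b800000000", "disasm": "mov eax, 0"},
]
```

Calling `write_dump('/bin/ls', 'out')` produces one block per function, each line laid out like the sample in the question; `format_ops(SAMPLE_OPS)` shows the layout without needing radare2.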