I am currently using Radare2 to extract opcodes from PE files. Currently, I am attempting to use the "pd" command, which the API describes as "pd n @ offset: Print n opcodes disassembled". I am wondering if there is a way to calculate/find out exactly what "n" is for each file I process. Thanks

Allen Ye

1 Answer

ENVIRONMENT

  • radare2: radare2 4.2.0-git 23519 @ linux-x86-64 git.4.1.1-84-g0c46c3e1e commit: 0c46c3e1e30bb272a5a05fc367d874af32b41fe4 build: 2020-01-08__09:49:0
  • system: Ubuntu 18.04.3 LTS

SOLUTION

This example shows 4 different options to view / print disassembly or opcodes.

  1. View disassembly in radare2 via visual mode:

    • Command one: aaaa # Analyze the file
    • Command two: Vp # Open disassembly in visual mode
  2. Print disassembly of all functions in r2 or r2pipe:

    • Command one: aaaa # Analyze the file
    • Command two: pdf @@f > out
      • pdf # Print disassembly of a function
      • @@f # Repeat the command for every function
      • > out # Redirect the output to the file named out
  3. Print only the instruction in r2 or r2pipe:

    • Command one: aaaa # Analyze the file
    • Command two: pif @@f ~[0] > out
      • pif # Print instructions of a function
      • @@f # Repeat the command for every function
      • ~[0] # Only print the first column (The instruction)
      • > out # Redirect the output to the file named out
  4. Obtain detailed information for each opcode using r2 or r2pipe:

    • Command one: aaaa # Analyze the file
    • Command two: aoj @@=`pid @@f ~[0]` > out
      • aoj # Display opcode analysis information in JSON
      • @@= # Repeat the command for every offset returned by the sub-query
      • pid @@f ~[0] # The sub-query
        1. pid # Print disassembly with offset and bytes
        2. @@f # Repeat the command for every function
        3. ~[0] # Only print the first column (The offset)
      • > out # Redirect the output to the file named out

EXAMPLE

Replace the commands here with any option from above.

Example using radare2 shell

user@host:~$ r2 /bin/ls
[0x00005850]> aaaa
...
[0x00005850]> pdf @@f > out
[0x00005850]> q
user@host:~$ cat out
...
┌ 38: fcn.00014840 ();
│           ; var int64_t var_38h @ rsp+0xffffffd0
│           0x00014840      53             push rbx
│           0x00014841      31f6           xor esi, esi
│           0x00014843      31ff           xor edi, edi
│           0x00014845      e846f2feff     call sym.imp.getcwd
│           0x0001484a      4885c0         test rax, rax
│           0x0001484d      4889c3         mov rbx, rax
│       ┌─< 0x00014850      740e           je 0x14860
│       │   ; CODE XREF from fcn.00014840 @ 0x14868
│      ┌──> 0x00014852      4889d8         mov rax, rbx
│      ╎│   0x00014855      5b             pop rbx
│      ╎│   0x00014856      c3             ret
..
│      ╎│   ; CODE XREF from fcn.00014840 @ 0x14850
│      ╎└─> 0x00014860      e88beffeff     call sym.imp.__errno_location
│      ╎    0x00014865      83380c         cmp dword [rax], 0xc
│      └──< 0x00014868      75e8           jne 0x14852
└           0x0001486a      e861feffff     call fcn.000146d0
            ; CALL XREFS from fcn.00013d00 @ 0x13d9d, 0x13da8
...

Example using Python with r2pipe

import r2pipe

R2 = r2pipe.open('/bin/ls') # Open r2 with file
R2.cmd('aaaa')              # Analyze file
R2.cmd('pdf @@f > out')     # Write disassembly for each function to out file
R2.quit()                   # Quit r2
Kuma
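The question above asks how to know what "n" is for a given file. One practical answer, added here as an example and not part of the original answer or of radare2's own code, is to not guess n at all: disassemble every function with `pdf @@f` (option 2 above), parse the text output into (address, bytes, mnemonic, operands) records, and let the per-function instruction count be the n you would otherwise pass to `pd n @ <function>`. The script below does that in Python; the embedded sample is the `pdf` output for `fcn.00014840` shown in the answer, and the `run_cmd` parameter and `Insn` record type are assumptions introduced for this example so the parser can be exercised without a live r2pipe session (the live path assumes `r2pipe` is installed).

```python
import re
from collections import Counter, namedtuple

# Constructed sample: the `pdf` output for fcn.00014840 as printed in the answer above.
SAMPLE_PDF = """\
┌ 38: fcn.00014840 ();
│           ; var int64_t var_38h @ rsp+0xffffffd0
│           0x00014840      53             push rbx
│           0x00014841      31f6           xor esi, esi
│           0x00014843      31ff           xor edi, edi
│           0x00014845      e846f2feff     call sym.imp.getcwd
│           0x0001484a      4885c0         test rax, rax
│           0x0001484d      4889c3         mov rbx, rax
│       ┌─< 0x00014850      740e           je 0x14860
│       │   ; CODE XREF from fcn.00014840 @ 0x14868
│      ┌──> 0x00014852      4889d8         mov rax, rbx
│      ╎│   0x00014855      5b             pop rbx
│      ╎│   0x00014856      c3             ret
..
│      ╎│   ; CODE XREF from fcn.00014840 @ 0x14850
│      ╎└─> 0x00014860      e88beffeff     call sym.imp.__errno_location
│      ╎    0x00014865      83380c         cmp dword [rax], 0xc
│      └──< 0x00014868      75e8           jne 0x14852
└           0x0001486a      e861feffff     call fcn.000146d0
            ; CALL XREFS from fcn.00013d00 @ 0x13d9d, 0x13da8
"""

# One disassembled instruction (record type defined for this example).
Insn = namedtuple('Insn', 'addr hexbytes mnemonic operands')

# Function header as radare2 prints it: "<size>: <name> (<args>);"
FCN_HDR_RE = re.compile(r'(\d+): (\S+) \(')
# Instruction line after the box-drawing gutter: "0xADDR  <hex bytes>  <mnemonic> [operands]"
INSN_RE = re.compile(r'(0x[0-9a-f]+)\s+([0-9a-f]+)\s+([a-z][a-z0-9.]*)\s*(.*)$')


def parse_pdf_output(text):
    """Parse `pdf @@f` text output into {function_name: [Insn, ...]}.

    Comment lines (starting with ';' after the gutter) and r2's ".." gap markers
    carry no instruction and are skipped; trailing ";" comments are stripped.
    """
    functions = {}
    current = None
    for raw in text.splitlines():
        hdr = FCN_HDR_RE.search(raw)
        if hdr:
            current = hdr.group(2)
            functions[current] = []
            continue
        code_part = raw.split(';', 1)[0].rstrip()
        m = INSN_RE.search(code_part)
        if m and current is not None:
            functions[current].append(Insn(*m.groups()))
    return functions


def instruction_count(functions):
    """Instructions per function: the `n` that `pd n @ <function>` would need."""
    return {name: len(insns) for name, insns in functions.items()}


def mnemonic_histogram(functions):
    """Count mnemonics across all functions (a cheap feature vector for triage)."""
    return Counter(i.mnemonic for insns in functions.values() for i in insns)


def extract_opcodes(path, run_cmd=None):
    """Analyze `path` and disassemble every function.

    `run_cmd` is a callable that runs one r2 command and returns its text output;
    when omitted, a live r2pipe session is opened (assumes r2pipe is installed).
    """
    if run_cmd is None:
        import r2pipe                     # only needed for a live session
        r2 = r2pipe.open(path)
        run_cmd = r2.cmd
    run_cmd('aaaa')                       # analyze the file (as in the answer)
    return parse_pdf_output(run_cmd('pdf @@f'))


if __name__ == '__main__':
    import sys
    # With a file argument, use a live r2pipe session; otherwise parse the embedded sample.
    fns = extract_opcodes(sys.argv[1]) if len(sys.argv) > 1 else parse_pdf_output(SAMPLE_PDF)
    for name, n in instruction_count(fns).items():
        print(f'{name}: {n} instructions')
    print(mnemonic_histogram(fns).most_common(5))
```

Run it as `python3 extract.py /path/to/sample.exe` for a live session, or with no argument to see the parser applied to the embedded sample (one function, 14 instructions). Because `pdf` is bounded by the function's analyzed extent, the per-function count is a more reliable "n" than any whole-file number, and the parsed records already give you the opcode bytes and mnemonics without a second `pd` pass.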