
I am currently trying to extract all opcodes from PE files. I am wondering what the difference is between Radare2's `pd` command, which "disassemble N bytes", and the `pda` command, which "disassemble all possible opcodes (byte per byte)". Which command should I use to find all the opcodes from a PE file?

Allen Ye
  • Are you looking to extract the assembly `xor eax, eax`, the bytes `31 c0`, the opcode `31`, or maybe just the instruction `xor`? – Kuma Jun 24 '20 at 20:56

1 Answer


It depends on what you mean by "all opcodes". x86[1] is a CISC architecture. Not all instructions have the same size.

Consider the following byte sequence:

    55 48 89 e5

which corresponds to

    55  push rbp
4889e5  mov rbp, rsp

in 64-bit x86. And that's what you get with `pd` (if you start at the beginning). However, there is another opcode hidden in this byte sequence, namely `89 e5`, which is `mov ebp, esp`. `pdA` will also reveal this.

0     55  push rbp
1 4889e5  mov rbp, rsp
2   89e5  mov ebp, esp
3     e5  <invalid>

In `pdA`, r2 always increments by one byte and tries to disassemble an opcode.


[1] Since you want to analyze PEs, I assume you use x86_64.
Liblor
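The answer's point, that a linear sweep (`pd`) and a byte-per-byte sweep (`pda`) disagree precisely because x86 instructions have variable length, can be reproduced without radare2. The following is an added example, not code from the answer or from radare2: a hand-written decoder that understands only the encodings in the answer's `55 48 89 e5` (REX prefix, `push r64`, register-form `mov r/m, r`, `in eax, imm8`), driven by the two sweep strategies. Anything outside those encodings is reported as `<invalid>`, so its output matches the two listings above on this input but is not a general disassembler.

```python
# Register tables; indexes 8-15 are reached via the REX.R / REX.B bits.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

def decode_one(buf: bytes, off: int):
    """Decode the instruction starting at buf[off]; return (length, text),
    or None when the bytes are not a supported encoding or are truncated.
    Supported: REX prefix, push r64 (50+r), mov r/m,r register form (89 /r), in eax,imm8 (E5 ib)."""
    i, rex_w, rex_r, rex_b = off, 0, 0, 0
    if i < len(buf) and 0x40 <= buf[i] <= 0x4F:  # REX prefix: 0100WRXB
        rex_w, rex_r, rex_b = buf[i] >> 3 & 1, buf[i] >> 2 & 1, buf[i] & 1
        i += 1
    if i >= len(buf):
        return None
    op = buf[i]
    i += 1
    if 0x50 <= op <= 0x57:  # push r64, register in the low 3 opcode bits (+8 with REX.B)
        return i - off, f"push {REG64[(op - 0x50) + 8 * rex_b]}"
    if op == 0x89:  # mov r/m, r; only the register-direct ModRM form (mod == 11) is handled
        if i >= len(buf) or buf[i] >> 6 != 3:
            return None
        modrm = buf[i]
        regs = REG64 if rex_w else REG32  # REX.W selects 64-bit operands
        dst, src = (modrm & 7) + 8 * rex_b, (modrm >> 3 & 7) + 8 * rex_r
        return i - off + 1, f"mov {regs[dst]}, {regs[src]}"
    if op == 0xE5:  # in eax, imm8 needs one more byte; at end of buffer it is truncated
        return (i - off + 1, f"in eax, {buf[i]:#x}") if i < len(buf) else None
    return None

def linear_sweep(buf: bytes) -> list:
    """'pd'-style: decode, then advance by the decoded instruction length."""
    out, off = [], 0
    while off < len(buf):
        r = decode_one(buf, off)
        out.append((off, r[1] if r else "<invalid>"))
        off += r[0] if r else 1
    return out

def byte_per_byte(buf: bytes) -> list:
    """'pda'-style: decode at every byte offset, ignoring instruction lengths."""
    return [(off, (decode_one(buf, off) or (0, "<invalid>"))[1]) for off in range(len(buf))]

PROLOGUE = bytes.fromhex("554889e5")  # the answer's bytes: push rbp; mov rbp, rsp

if __name__ == "__main__":  # reproduce the answer's two listings
    print("pd ", linear_sweep(PROLOGUE))
    print("pda", byte_per_byte(PROLOGUE))
```

The trailing `e5` is reported as `<invalid>` only because its immediate byte is missing at the end of the buffer; inside a real section the byte-per-byte sweep would decode it as `in eax, imm8`, which is why `pda` output is mostly noise and should be filtered against the instruction boundaries that `pd` or analysis (`aa`) establishes.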