ASM pattern search in radare2
I want to search in radare2 for ASM patterns of the type
pop, mov, mov
i.e. three consecutive instructions: the first starting with pop, the second starting with mov, and the third also starting with mov.
There is a related radare2 issue (https://github.com/radareorg/radare2/issues/13322) which says "it's already implemented in /c", but /c
now searches for crypto material.
I am using radare2 4.5.0 on Linux.
This can be achieved with /ad (tested with versions 4.5.0 and 5.0.1):
r2 /bin/ls
> "/ad pop;mov;mov"
0x00009b40 # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009bb8 # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009c38 # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009d40 # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x0000a120 # 19: pop r12; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x0000a120 # 18: pop rsp; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x000120f1 # 9: pop rcx; mov rcx, qword [rbx]; mov edx, 2
Note: the quotes (") around the command are required, because radare2 also uses the semicolon to chain commands.
For reference (radare2 5.0.1):
> /a?
Usage: /a[?] [arg] Search for assembly instructions matching given properties
| /a push rbp Assemble given instruction and search the bytes
| /a1 [number] Find valid assembly generated by changing only the nth byte
| /aI Search for infinite loop instructions (jmp $$)
| /aa mov eax Linearly find aproximated assembly (case insensitive strstr)
| /ac mov eax Same as /aa, but case-sensitive
| /ad[/*j] push;mov Match ins1 followed by ins2 in linear disasm
| /ad/ ins1;ins2 Search for regex instruction 'ins1' followed by regex 'ins2'
| /ad/a instr Search for every byte instruction that matches regexp 'instr'
| /ae esil Search for esil expressions matching substring
| /af[l] family Search for instruction of specific family (afl=list
| /ai[j] 0x300 [0x500] Find all the instructions using that immediate (in range)
| /al Same as aoml, list all opcodes
| /am opcode Search for specific instructions of specific mnemonic
| /ao instr Search for instruction 'instr' (in all offsets)
| /as[l] ([type]) Search for syscalls (See /at swi and /af priv)
| /at[l] ([type]) Search for instructions of given type
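To make the semantics of `/ad` concrete, here is an added example (not part of the original answer and not radare2's own code) that models what a linear-disassembly sequence search does: it walks a disassembly listing in address order, tries to match every pattern element against consecutive instructions, and prints hits in the same `address # bytes: ins1; ins2; ...` shape shown above. The listing is constructed for the example (the two genuine hits mirror the 0x9b40 and 0x120f1 results, plus a decoy `pop` that sits right before a gap in the listing). The prefix-match rule for plain `/ad` tokens and the regex rule for `/ad/` are assumptions about the model, not verified against the radare2 source; consult `/a?` in your version for the exact behaviour.

```python
import re
from typing import Callable, List, Tuple

# One entry per instruction of a linear disassembly: (address, size in bytes, text).
# Constructed sample data; the 0x9b40 and 0x120f1 runs reproduce hits from the answer
# above, and the "pop r14" at 0x9bfe is a decoy followed by a gap in the listing.
Instruction = Tuple[int, int, str]
SAMPLE_LISTING: List[Instruction] = [
    (0x9b3c, 4, "add rsp, 0x18"),
    (0x9b40, 1, "pop rbp"),
    (0x9b41, 3, "mov rsi, r13"),
    (0x9b44, 3, "mov rdi, r12"),
    (0x9b47, 2, "jmp 0x9c00"),
    (0x9b49, 1, "pop rbx"),
    (0x9b4a, 3, "mov eax, 1"),
    (0x9b4d, 1, "ret"),
    (0x9bfe, 2, "pop r14"),          # decoy: next listed instruction is not adjacent
    (0x10000, 3, "mov eax, ebx"),    # gap between 0x9c00 and 0x10000 (e.g. data)
    (0x10003, 3, "mov edx, ecx"),
    (0x10006, 1, "ret"),
    (0x120f1, 1, "pop rcx"),
    (0x120f2, 3, "mov rcx, qword [rbx]"),
    (0x120f5, 5, "mov edx, 2"),
    (0x120fa, 1, "ret"),
]


def build_matchers(pattern: str, regex: bool) -> List[Callable[[str], bool]]:
    """Split 'ins1;ins2;...' into one predicate per element.

    Plain mode (assumed /ad semantics): case-insensitive prefix match, so "mov"
    matches "mov rsi, r13". Regex mode (assumed /ad/ semantics): re.search.
    """
    parts = [p.strip() for p in pattern.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty pattern")
    if regex:
        return [re.compile(p).search for p in parts]
    return [lambda text, p=p.lower(): text.lower().startswith(p) for p in parts]


def match_sequence(pattern: str, listing: List[Instruction], regex: bool = False) -> List[str]:
    """Return hit lines 'addr # total_bytes: ins1; ins2; ...' for every window of
    consecutive, byte-adjacent instructions whose elements all match the pattern."""
    matchers = build_matchers(pattern, regex)
    n = len(matchers)
    hits: List[str] = []
    for i in range(len(listing) - n + 1):
        window = listing[i:i + n]
        # "Linear" means the instructions must be adjacent in memory, not merely
        # adjacent in the listing; this rejects the decoy that straddles a gap.
        contiguous = all(window[k][0] + window[k][1] == window[k + 1][0] for k in range(n - 1))
        if not contiguous:
            continue
        if all(m(ins[2]) for m, ins in zip(matchers, window)):
            addr = window[0][0]
            size = sum(ins[1] for ins in window)
            text = "; ".join(ins[2] for ins in window)
            hits.append("0x%08x # %d: %s" % (addr, size, text))
    return hits


if __name__ == "__main__":
    for line in match_sequence("pop;mov;mov", SAMPLE_LISTING):
        print(line)
    # Regex form, in the spirit of "/ad/ ins1;ins2":
    for line in match_sequence(r"^pop r;mov .*, qword", SAMPLE_LISTING, regex=True):
        print(line)
```

The adjacency check is the part worth keeping in mind when reading real `/ad` output: the search is purely linear and knows nothing about basic blocks or function boundaries, so a `pop` at the end of one function followed by a `mov` that begins the next one is reported just like a sequence inside a single function. Triage hits with `pd` or `pdf` at the reported address before drawing conclusions from them.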