我的书签
添加书签
移除书签Loops
One of the most common task in automation is looping through something, there are multiple ways to do this in radare2.
We can loop over flags:
@@ flagname-regex
For example, we want to see function information with afi command:
[0x004047d6]> afi#offset: 0x004047d0name: entry0size: 42realsz: 42stackframe: 0call-convention: amd64cyclomatic-complexity: 1bits: 64type: fcn [NEW]num-bbs: 1edges: 0end-bbs: 1call-refs: 0x00402450 Cdata-refs: 0x004136c0 0x00413660 0x004027e0code-xrefs:data-xrefs:locals:0args: 0diff: type: new[0x004047d6]>
Now let’s say, for example, that we’d like see a particular field from this output for all functions found by analysis. We can do that with a loop over all function flags (whose names begin with fcn.):
[0x004047d6]> fs functions[0x004047d6]> afi @@ fcn.* ~name
This command will extract the name field from the afi output of every flag with a name matching the regexp fcn.*. There are also a predefined loop called @@f, which runs your command on every functions found by r2:
[0x004047d6]> afi @@f ~name
We can also loop over a list of offsets, using the following syntax:
@@=1 2 3 ... N
For example, say we want to see the opcode information for 2 offsets: the current one, and at current + 2:
[0x004047d6]> ao @@=$$ $$+2address: 0x4047d6opcode: mov rdx, rspprefix: 0bytes: 4889e2refptr: 0size: 3type: movesil: rsp,rdx,=stack: nullfamily: cpuaddress: 0x4047d8opcode: loop 0x404822prefix: 0bytes: e248refptr: 0size: 2type: cjmpesil: 1,rcx,-=,rcx,?{,4212770,rip,=,}jump: 0x00404822fail: 0x004047dastack: nullcond: alfamily: cpu[0x004047d6]>
Note we’re using the variable which evaluates to the current offset. Also note that +2 is evaluated before looping, so we can use the simple arithmetic expressions.
A third way to loop is by having the offsets be loaded from a file. This file should contain one offset per line.
[0x004047d0]> ?v $$ > offsets.txt[0x004047d0]> ?v $$+2 >> offsets.txt[0x004047d0]> !cat offsets.txt4047d04047d2[0x004047d0]> pi 1 @@.offsets.txtxor ebp, ebpmov r9, rdx
radare2 also offers various foreach constructs for looping. One of the most useful is for looping through all the instructions of a function:
[0x004047d0]> pdf╒ (fcn) entry0 42│; UNKNOWN XREF from 0x00400018 (unk)│; DATA XREF from 0x004064bf (sub.strlen_460)│; DATA XREF from 0x00406511 (sub.strlen_460)│; DATA XREF from 0x0040b080 (unk)│; DATA XREF from 0x0040b0ef (unk)│0x004047d0 xor ebp, ebp│0x004047d2 mov r9, rdx│0x004047d5 pop rsi│0x004047d6 mov rdx, rsp│0x004047d9 and rsp, 0xfffffffffffffff0│0x004047dd push rax│0x004047de push rsp│0x004047df mov r8, 0x4136c0│0x004047e6 mov rcx, 0x413660 ; "AWA..AVI..AUI..ATL.%.. "0A..AVI..AUI.│0x004047ed mov rdi, main ; "AWAVAUATUH..S..H...." @0│0x004047f4 call sym.imp.__libc_start_main╘0x004047f9 hlt[0x004047d0]> pi 1 @@imov r9, rdxpop rsimov rdx, rspand rsp, 0xfffffffffffffff0push raxpush rspmov r8, 0x4136c0mov rcx, 0x413660mov rdi, maincall sym.imp.__libc_start_mainhlt
In this example the command pi 1 runs over all the instructions in the current function (entry0). There are other options too (not complete list, check @@? for more information):
@@k sdbquery- iterate over all offsets returned by that sdbquery@@t- iterate over on all threads (see dp)@@b- iterate over all basic blocks of current function (see afb)@@f- iterate over all functions (see aflq)
The last kind of looping lets you loop through predefined iterator types:
- symbols
- imports
- registers
- threads
- comments
- functions
- flags
This is done using the @@@ command. The previous example of listing information about functions can also be done using the @@@ command:
[0x004047d6]> afi @@@ functions ~name
This will extract name field from afi output and will output a huge list of function names. We can choose only the second column, to remove the redundant name: on every line:
[0x004047d6]> afi @@@ functions ~name[1]
Beware, @@@ is not compatible with JSON commands.
