radare2
can't record the `syscall`, and `-i` seems not to load the script
Environment
# copypaste this script into your shell and replace it with the output
$ date
Tue Apr 11 09:06:36 PM CST 2023
$ r2 -v
radare2 5.8.5 30180 @ linux-x86-64 git.5.8.4-115-g9501a38638
commit: 9501a38638a7a6bfdfaf2af6fc47e81e292f4029 build: 2023-04-11__15:21:08
$ uname -ms
Linux x86_64
Description
Condition: it stops at a syscall after `dts+`, and `-i foo.script` seems to have no effect.
Expected: it can record the syscall, and `-i` can be used to load a script.
Test
1- I tried the same as in this official video but failed. Did I miss some key steps?
[root ~]$ cat ~/.radare2rc
e bin.cache=true
[root ~]$ cat /home/czg/r2_script/test.r2s
px 10
pD 10
[root ~]$ r2 /bin/ls -i /home/czg/r2_script/test.r2s
WARN: Don't use -B on unknown files. Consider using -m
-- Use +,-,*,/ to change the size of the block
[0x00005f70]>
2- Is syscall recording a little unrealistic and thorny? (gdb can't record it either; tested with version 13.1.) Please tell me if my thoughts are wrong.
Best regards.
You are not supposed to pass flags after the filename. R2 doesn't use the overengineered GNU getopt thing.
Use "dcs" to continue until syscall.
Sorry, I didn't notice the parameter order in `r2 -h`.
1- If I run `r2 -i /home/czg/r2_script/test.r2s /bin/ls`, it shows `r2slides`, for which I can't find references in the book or the source code (`~/.radare2rc` is the same as shown above).
When I read the official book more carefully, changing the file suffix to `r2` works.
So could you tell me whether the source code has suffix detection and where it is? Besides, what does `r2slides` do (is it similar to slides aimed at presentations at conferences like r2con)?
[root ~]$ r2 -i /home/czg/r2_script/test.r2s /bin/ls
# after clearing screen
[r2slides] [page:0/0]
px 10
pD 10
2- After searching for `syscall` in `?*~...` and `e??~syscall`, I modified `~/.radare2rc` to skip all syscalls when recording with `dts+`, but there seems to be no such option. And whether `dbg.aftersyscall` is true or false, `dcs` always stops execution after the syscall is executed.
Temporarily modified `~/.radare2rc` (here `cmd.onsyscall` has one small delay when running):
e cmd.onsyscall=dc
e dbg.aftersyscall=false
Running result:
[0x7fdb7e32eed0]> e dbg.aftersyscall=true;dcs;pd-- 2;dr rip
INFO: Running child until next syscall
INFO: --> SN 0x7fdb7e33408b syscall 12 brk (0x0)
0x7fdb7e32a398 b89e000000 mov eax, 0x9e ; 158 ; moves data from src to dst ; rax=0x9e
0x7fdb7e32a39d 0f05 syscall ; fast system call ; 158 = arch_prctl (0x00003001, 0x7ffed205f8a0, 0x7fdb7e32e800)
0x7fdb7e32a39f 4885c0 test rax, rax ; set eflags after comparing two registers (AF, CF, OF, PF, SF, ZF) ; zf=0x0 ; pf=0x0 ; sf=0x1 ; cf=0x0 ; of=0x0
┌─< 0x7fdb7e32a3a2 0f84b0010000 je 0x7fdb7e32a558 ; jump short if equal (zf=1) ; unlikely
0x7fdb7e32a39f
[0x7fdb7e32a39f]> e dbg.aftersyscall=false;dcs;pd-- 2;dr rip
INFO: Running child until next syscall
INFO: --> SN 0x7fdb7e335177 syscall 9 mmap (0x0 0x2000 0x3 0x7fdb7e335177 0xffffffff 0x0)
0x7fdb7e334fca bf9cffffff mov edi, 0xffffff9c ; 4294967196 ; moves data from src to dst ; rdi=0xffffff9c
0x7fdb7e334fcf 0f05 syscall ; fast system call ; 257 = openat (0xffffff9c, 0x7fdb7e312070, 0x00080000, 0x7fdb7e334fd1)
0x7fdb7e334fd1 483d00f0ffff cmp rax, 0xfffffffffffff000 ; compare two operands ; zf=0x0 ; cf=0x1 ; pf=0x1 ; sf=0x0 ; of=0x0 ; af=0x0
┌─< 0x7fdb7e334fd7 772f ja 0x7fdb7e335008 ; jump short if above (cf=0 and zf=0) ; unlikely
0x7fdb7e334fd1
r2s is the extension for r2 slides, so it's expected that it loads the slides. The extension for r2 scripts is just 'r2'. Maybe that's confusing and we can use a different file extension for r2 slides, but that's how it works and that's expected behaviour.
The book is very unmaintained, and this feature was added 2 years ago and presented in 3 conferences. Check my FOSDEM talk; I also published the slides if you are interested in using it.
So if I understand properly your last message, syscall tracing is working, right?
Thanks for the replies.
> r2s is the extension for r2 slides, so it's expected that it loads the slides. The extension for r2 scripts is just 'r2'. Maybe that's confusing and we can use a different file extension for r2 slides, but that's how it works and that's expected behaviour.
> The book is very unmaintained, and this feature was added 2 years ago and presented in 3 conferences. Check my FOSDEM talk; I also published the slides if you are interested in using it.
Oh, I saw your 2023 FOSDEM talk after seeing your comment; the slides rendered well. But maybe it is temporarily not needed for my daily development. Thanks.
> So if I understand properly your last message, syscall tracing is working, right?
Yes, it can record syscalls and also AVX instructions. (In gdb 13.1, both seem not to work.)
And I want to know if `r2` can skip all syscalls temporarily when running `dcu foo` after `dts+`. I tried the two parameter tweaks in the above comment, but they fail. Hope you can help me with this question.
Uhm, just use 'dc' instead of 'dcs' if you want to continue without stopping on syscalls. Not sure if I'm understanding the problem well.
It seems not to work:
$ r2 -NAdq -c "db main;dts+;db;dc;pd-- 2" /mnt/ubuntu/home/czg/csapp3e/asm/prog
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Skipping type matching analysis in debugger mode (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Integrate dwarf function information
INFO: Use -AA or aaaa to perform additional experimental analysis
INFO: Reading 8192 byte(s) from 0x00403000
INFO: Reading 16384 byte(s) from 0x7f66c46fa000
INFO: Reading 135168 byte(s) from 0x7ffcdc3e2000
0x00401136 - 0x00401137 1 --x sw break enabled valid cmd="" cond="" name="main" module="/mnt/ubuntu/home/czg/csapp3e/asm/prog"
0x7f66c46e9084 b80c000000 mov eax, 0xc ; 12
0x7f66c46e9089 0f05 syscall
0x7f66c46e908b 488905e64101. mov qword [0x7f66c46fd278], rax ; [0x7f66c46fd278:8]=0
0x7f66c46e9092 4839f8 cmp rax, rdi
free(): invalid pointer
zsh: IOT instruction (core dumped) r2 -NAdq -c "db main;dts+;db;dc;pd-- 2" /mnt/ubuntu/home/czg/csapp3e/asm/prog
Could I ask where to learn how to use `r2` better more quickly, since the book is not well maintained?
p.s. I also found that r2 has an r2wiki with some good resources, although it has been archived. Also the reverseengineering StackExchange and other blogs (but maybe not systematic).
Personally I would say that it's better to ask in the chat (Telegram / Matrix / Discord / IRC). I don't have time to update the book, but I'm very active in the chat.
I fixed the crash you reported, btw. Thanks!
Thanks for your help. I will try asking in the community chat then.
That's the oneliner you want:
r2 -c "dcu main;e dbg.trace=true;dsu -1;dt" -d /bin/ls
Some comments below:
- The dts+ command is used for stepback and dumps/records the state of memory to disk for every step, which is not what you want
- dbg.swstep is causing a stack exhaustion if you try to run the whole program (I need to fix this)
- dsu -1 is the only way you have to step until the program is gone. A helper command under dc would be easier to spot
- You can't pass flags after the -d
- No need to analyze the program or avoid home scripts (-NA)
- The dt command doesn't have table or json support; should be easy to implement
Also, bear in mind that you can't use dtd if you run the traces until the program dies, because there will be no memory allocated and you can't disassemble. Better to continue until a specific address or the exit syscall or so.
Another thing is that you are tracing EVERYTHING, so you probably want to see other vars like dbg.trace.inrange or dbg.trace.libs to avoid recording instructions from libraries or from sections of the binary that you don't need.
I have implemented the dtj command to print the traces in json format.
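The following is an added example, not code from this issue or from the radare2 project. It wraps the maintainer's one-liner (`dcu main; e dbg.trace=true; dsu -1; dt`) into a reusable script and encodes the two argument rules from the thread: r2 flags (`-i`, `-c`, `-d`) go before the target path, and a command script must end in `.r2`, because `-i foo.r2s` loads it as r2 slides. It assumes r2 5.8.x on Linux x86-64 with ptrace permission for the target, and that `dbg.trace.inrange` works as described above.

```shell
#!/bin/sh
# Added example (not from the issue thread or the radare2 project).
# Assumes: r2 5.8.x on Linux, target is debuggable with ptrace.
set -eu

# Classify a script path the way `-i` does: `.r2s` is loaded as slides,
# anything else as a plain command script. Prints "slides" or "script".
script_kind() {
    case "$1" in
        *.r2s) echo slides ;;
        *)     echo script ;;
    esac
}

# Write the r2 command script used for tracing.
# - dbg.trace.inrange=true restricts recording to the main binary, so libc
#   instructions are not traced (per the thread's advice).
# - `dsu -1` steps until the process is gone, so `dtd` is not usable afterwards;
#   the trace is listed with `dt` instead (`dtj` gives JSON on builds that have it).
write_trace_script() {
    cat > "$1" <<'EOF'
dcu main
e dbg.trace=true
e dbg.trace.inrange=true
dsu -1
dt
EOF
}

# Run the trace. Flags first, target last; -q quits when the script is done.
# Refuses a `.r2s` name so the commands are not silently shown as slides.
trace_target() {
    target="$1"
    script="${2:-trace.r2}"
    if [ "$(script_kind "$script")" = slides ]; then
        echo "refusing: $script would be loaded as slides; rename it to .r2" >&2
        return 2
    fi
    write_trace_script "$script"
    r2 -q -i "$script" -d "$target"
}

# Usage: trace_target /bin/ls /tmp/trace.r2
```

The `.r2s` check is the cheap guard for the confusion reported earlier in the thread; the rest is the maintainer's procedure verbatim, with `dbg.trace.inrange` enabled so the recorded instructions stay within the target binary.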
@czg-sci-42ver you are confused with the term plugin.
It is a debug plugin.
List plugins with `radare2 -L` and then choose one, for example with `radare2 -d windbg://file.exe`. It should work.