Didier Stevens

Friday 30 September 2016

Quickpost: Enhancing Radare2 Disassembly Listing

Filed under: My Software, Quickpost — Didier Stevens @ 9:00

I threw a program together to add information to Radare2 disassembly listings: radare2-listing.py. I’m putting it in beta, because I hope there is another way to do this in Radare2 (e.g. without a program). So if you know of a better way to do this, please post a comment.

The tool looks for text pushed onto the stack (a sequence of push instructions with immediate operands), and then adds a comment with the string built up on the stack.

Before: [screenshot 20160930-104507]

After: [screenshot 20160930-104558]
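To make the technique concrete, here is an added example (not radare2-listing.py itself, and not part of the original post) that performs the same job on a text listing: it walks consecutive push instructions, lays their immediates out in memory order, and, when the result is printable ASCII, emits the string as a comment on the last push. It goes a little beyond the post by also handling the 64-bit pattern where the immediate travels through a register (movabs rax, imm64; push rax). The line layout it parses and both disassembly samples are constructed for this example; real radare2 output has more columns, so adapt LINE_RE accordingly.

```python
import re
import struct

# Assumed line layout (constructed for this example, not r2's exact "pd" output):
#   <address>  <hex bytes>  <instruction>
LINE_RE = re.compile(r'^\s*(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S.*?)\s*$')
PUSH_IMM_RE = re.compile(r'^push\s+(0x[0-9a-fA-F]+|\d+)$')
MOV_IMM_RE = re.compile(r'^mov(?:abs)?\s+([a-z0-9]+),\s*(0x[0-9a-fA-F]+|\d+)$')
PUSH_REG_RE = re.compile(r'^push\s+([a-z0-9]+)$')

# Constructed 32-bit sample: "kernel32.dll" pushed dword by dword, followed by
# two plain integer arguments that must not be mistaken for text.
SAMPLE32 = """\
0x00401000      6a00           push 0
0x00401002      682e646c6c     push 0x6c6c642e
0x00401007      68656c3332     push 0x32336c65
0x0040100c      686b65726e     push 0x6e72656b
0x00401011      54             push esp
0x00401012      ffd6           call esi
0x00401014      6a40           push 0x40
0x00401016      6800100000     push 0x1000
0x0040101b      ffd6           call esi
"""

# Constructed 64-bit sample: x64 has no "push imm64", so the string travels
# through a register ("movabs" is how capstone, and therefore r2, spells it).
SAMPLE64 = """\
0x00401020      48b8636d642e65786500   movabs rax, 0x6578652e646d63
0x0040102a      50                     push rax
0x0040102b      4889e7                 mov rdi, rsp
"""


def to_int(text):
    return int(text, 16) if text.startswith('0x') else int(text)


def is_printable(data):
    return all(0x20 <= b < 0x7f for b in data)


def find_stack_strings(lines, min_len=4):
    """Return [(address_of_last_push, string), ...] for every run of pushes
    whose bytes, laid out as they sit in memory, form printable ASCII."""
    found = []
    run = []        # (address, chunk bytes) for the push sequence in progress
    pending = None  # (register, immediate) from a preceding mov, if any

    def flush():
        if run:
            # The stack grows downward: the last push occupies the lowest
            # address, so reading from ESP/RSP means reading the pushes in
            # reverse order. Each chunk is already little-endian.
            data = b''.join(chunk for _, chunk in reversed(run))
            text = data.rstrip(b'\x00')
            if len(text) >= min_len and is_printable(text):
                found.append((run[-1][0], text.decode('ascii')))
            run.clear()

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            flush(); pending = None
            continue
        addr, instr = m.group(1), m.group(3)
        if (pm := PUSH_IMM_RE.match(instr)):
            run.append((addr, struct.pack('<I', to_int(pm.group(1)) & 0xffffffff)))
            pending = None
        elif (mm := MOV_IMM_RE.match(instr)):
            pending = (mm.group(1), to_int(mm.group(2)))
        elif (pr := PUSH_REG_RE.match(instr)) and pending and pr.group(1) == pending[0]:
            width = 'Q' if pending[0].startswith('r') else 'I'  # rax-style name = 64-bit
            run.append((addr, struct.pack('<' + width, pending[1])))
            pending = None
        else:
            flush(); pending = None
    flush()
    return found


def annotate(lines, comment_prefix='; stack string: '):
    """Return the listing with a comment appended to the last push of each run."""
    strings = dict(find_stack_strings(lines))
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) in strings:
            line = line.rstrip() + '   ' + comment_prefix + '"%s"' % strings[m.group(1)]
        out.append(line)
    return out


def r2_comment_commands(lines):
    """The same annotations as r2 'CC' commands, e.g. to feed through r2pipe's cmd()."""
    return ['CC stack string: "%s" @ %s' % (s, addr) for addr, s in find_stack_strings(lines)]


if __name__ == '__main__':
    for sample in (SAMPLE32, SAMPLE64):
        print('\n'.join(annotate(sample.splitlines())))
        print('\n'.join(r2_comment_commands(sample.splitlines())))
```

The run of push 0x40 / push 0x1000 in the 32-bit sample is deliberately left unannotated: its bytes contain NULs in the middle, so the printable check rejects it, which is the main guard against turning ordinary integer arguments into bogus "strings". Mixed runs (a real string followed by a flag value) are also skipped for the same reason; a stricter tool would trim trailing non-printable chunks instead.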

7 Comments »

  1. Ensure you are using the latest r2 from git; the Debian one is 5 years old at minimum. Uninstall it, then git clone https://github.com/radare/radare2 && cd radare2 && ./sys/install.sh
    For scripting r2 you can use r2pipe https://github.com/radare/radare2-bindings/tree/master/r2pipe/python#r2pipe-for-python. Every command has JSON output; use cmdj to parse it.
    When you analyse stuff, use aaa at first, and then, when you get a grip on how the analysis engines work (radare.today/posts/analysis-by-default/), use the separate commands wisely to improve performance and capabilities.

    Regards

    Comment by Maxime Morin (@Maijin212) — Friday 30 September 2016 @ 9:27

  2. Thanks, I’ll look into it.

    Comment by Didier Stevens — Friday 30 September 2016 @ 9:30

  3. […] The second, radare2-listing.py, adds information to Radare2 disassembly listings. Quickpost: Enhancing Radare2 Disassembly Listing […]

    Pingback by Week 39 – 2016 – This Week In 4n6 — Sunday 2 October 2016 @ 11:33

  4. […] Quickpost: Enhancing Radare2 Disassembly Listing […]

    Pingback by Overview of Content Published In September | Didier Stevens — Monday 3 October 2016 @ 0:00

  5. Hi,

    would you mind sharing the bin in this issue https://github.com/radare/radare2/issues/5912? That way we can have something to test and add a new command to handle those cases.

    Comment by Álvaro Felipe (@alvaro_fe) — Tuesday 4 October 2016 @ 18:17

  6. No problem, I shared it.

    Comment by Didier Stevens — Tuesday 4 October 2016 @ 21:23

  7. […] decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit […]

    Pingback by Maldoc With Process Hollowing Shellcode | Didier Stevens — Wednesday 2 November 2016 @ 0:00

