[Info] Radare2 with r2pipe about botanist HOT 32 CLOSED

Thanks for the suggestion dude. I had got what I needed through RCore and it's hard to believe that disass'ing can be easier than that :p

However, the json-ness, nodejs-focus, and seemingly good docs may inspire me to just do the whole thing in nodejs. Merci!

from botanist.

Is also for your potential user, bindings are super hard to install and maintain. r2pipe => just a pip

from botanist.

Good call! I'll change it soon :D

from botanist.

:)

from botanist.

Hey,

I'm able to find the JNI_OnLoad starting address and code fine through the symbols table.

syms = r2.cmd("pd 1 @@ sym.*").split('\n')

And am using the reference guide https://radare.gitbooks.io/radare2book/content/refcard/intro.html

However, I'd like to search for a function instead of getting the whole symbols table. Do you know a command off the top of your head or should I enter visual mode to seek across functions?

Update: I can print out the current address using 's' (seek) but seeking to the next function address with 'sf' doesn't seem to work...

Any tips are appreciated =-)

Thanks!

from botanist.

There are seveal ways to identify functions in r2.

aac : analyze all calls in text section
af with e anal.hasnext=true ; assume a function after the end of a function
aap : find functions by using preludes

You can also use other signatures like flirt, zignatures and find pointer tables using the ranged search.

Also, if you want to get disasm that is easy to parse use the pdj or pij command which outputs in json. Theres also the pi command that shows a disasm much simpler.

You probably want to disable scr.color and asm.comments between others.

To list all the functions you have afl command that will give you the list. Also you can do something like:

pd 1 @@= 'aflq'

(Use backticks not single quotes)

I guess thats a common operation so i can add another @@ iterator for functions to speed up things too..

On 24 Nov 2015, at 02:00, Cory Pruce [email protected] wrote:

Hey,

I'm able to find the JNI_OnLoad starting address and code fine through the symbols table.

syms = r2.cmd("pd 1 @@ sym.*").split('\n')

And am using the reference guide https://radare.gitbooks.io/radare2book/content/refcard/intro.html

However, I'd like to search for a function instead of getting the whole symbols table. Do you know a command off the top of your head or should I enter visual mode to seek across functions?

Thanks!

—
Reply to this email directly or view it on GitHub.

from botanist.

asm_lines = r2.cmd('aa; s sym.JNI_OnLoad; pd $b').split('\n')

Looks like I was using seek incorrectly (I wasn't preprending sym. to JNI_OnLoad when seeking for it). A little rummaging through the github instances of r2pipe in python got me what I needed, which was with the analysis :D

I see in the quick reference there is no /f for searching. Perhaps this could be used for finding the start address of a function name (with or without the sym. in front). Let me know if you think this is a good idea!

from botanist.

Use pd $b @ sym.JNI_OnLoad

I dont get what you want /f to do

On 24 Nov 2015, at 18:10, Cory Pruce [email protected] wrote:

asm_lines = r2.cmd('aa; s sym.JNI_OnLoad; pd $b').split('\n')

Looks like I was using seek incorrectly (I wasn't preprending sym. to JNI_OnLoad when seeking for it). A little rummaging through the github instances of r2pipe in python got me what I needed, which was with the analysis :D

I see in the quick reference there is no /f for searching. Perhaps this could be used for finding the start address of a function name (with or without the sym. in front). Let me know if you think this is a good idea!

—
Reply to this email directly or view it on GitHub.

from botanist.

Just tried it. Although it gives pretty much the same thing, the one with the analysis will help me parse the mnemonics better. Is there a way to just get all the mnemonics for a function?

What I was suggesting was pretty much have something like "/f JNI_OnLoad" be shorthand for say pd $b @ sym.JNI_OnLoad. Not sure if this is desirable, just putting in my 2 cents since I want r2 to be awesome :-)

from botanist.

You can also output most of command in json : pdj for example and retrieve them with cmdj instead of cmd in your code

from botanist.

pd $b makes no sense. $b is ik bytes the blocksize and pd expects the mumber of instructions. If you wanna do this use pD instead of pd. But if uou want to parse the output just use pij or pid/pdi

On 24 Nov 2015, at 20:47, Cory Pruce [email protected] wrote:

Just tried it. Although it gives pretty much the same thing, the one with the analysis will help me parse the mnemonics better. Is there a way to just get all the mnemonics for a function?

What I was suggesting was pretty much have something like "/f JNI_OnLoad" be shorthand for say pd $b @ sym.JNI_OnLoad. Not sure if this is desirable, just putting in my 2 cents since I want r2 to be awesome :-)

—
Reply to this email directly or view it on GitHub.

from botanist.

@Maijin
I just did that and threw it into json.loads. However, I really don't need all this information and, for performance, I can just parse what I already get. I'm going to do without the analysis if I can get the function size down exact!

@radare
Lol I just saw that after I piped the output lines into "wc -l" and got 256 :p however, I had tried $F for the function size and that does not look correct (comparing with IDA). I think the JNI_OnLoad function happened to be 256 lines (so x4 bytes = 1024bytes, which is usually the default block size). I take it $F is the recommended way of getting the function size. Does that mean that JNI_OnLoad is not my current function? I thought it would be if I seek'd there.

from botanist.

i fyou want the function boundaries just append an ‘f’ like this:

pdfj

On 24 Nov 2015, at 21:49, Cory Pruce [email protected] wrote:

@Maijin https://github.com/Maijin
Could I just did that and threw it into json.loads. However, I really don't need all this information and, for performance, I can just parse what I already get. I'm going to do without the analysis if I can get the function size down exact!
https://cloud.githubusercontent.com/assets/2712171/11380188/6dac7098-92a9-11e5-9cbc-1e2dbd86b060.png
@radare https://github.com/radare
Lol I just saw that after I piped the output lines into "wc -l" and got 256 :p however, I had tried $F for the function size and that does not look correct (comparing with IDA). I think the JNI_OnLoad function happened to be 256 lines (so x4 bytes = 1024bytes, which is usually the default block size). I take it $F is the recommended way of getting the function size. Does that mean that JNI_OnLoad is not my current function? I thought it would be if I seek'd there.

pD $F is what you want. or just pdf

—
Reply to this email directly or view it on GitHub #1 (comment).

from botanist.

Awesome that was it :D

from botanist.

aaa for analysis before :p

from botanist.

Thanks for the tips @Maijin and @radare =-) Hit me up if you'd like my contribution to something or reopen the issue if you have any more relevant info!

from botanist.

👍

On 24 Nov 2015, at 23:55, Cory Pruce [email protected] wrote:

Thanks for the tips @Maijin and @radare =-) Hit me up if you'd my contribution to something or reopen the issue if you have any more relevant info!

—
Reply to this email directly or view it on GitHub.

from botanist.

Hey @Maijin and @radare I have another question.

Is there a way to suppress the exceptions being printed out? Namely, 'Function too big at 0xe66a4 + 730180' for example. This is a result of r2.cmd('aa; s sym.JNI_OnLoad; pdf').split('\n') and i think the f in pdf in particular.

Thanks!

from botanist.

close the stderr

On 01 Dec 2015, at 01:38, Cory Pruce [email protected] wrote:

Hey @Maijin https://github.com/Maijin and @radare https://github.com/radare I have another question.

Is there a way to suppress the exceptions being printed out? Namely, 'Function too big at 0xe66a4 + 730180' for example. This is a result of r2.cmd('aa; s sym.JNI_OnLoad; pdf').split('\n') and i think the f in pdf in particular.

Thanks!

—
Reply to this email directly or view it on GitHub #1 (comment).

from botanist.

maybe this can be provided by an specific r2 command or function in the r2pipe api

On 01 Dec 2015, at 02:20, pancake [email protected] wrote:

close the stderr

On 01 Dec 2015, at 01:38, Cory Pruce <[email protected] mailto:[email protected]> wrote:

Hey @Maijin https://github.com/Maijin and @radare https://github.com/radare I have another question.

Is there a way to suppress the exceptions being printed out? Namely, 'Function too big at 0xe66a4 + 730180' for example. This is a result of r2.cmd('aa; s sym.JNI_OnLoad; pdf').split('\n') and i think the f in pdf in particular.

Thanks!

—
Reply to this email directly or view it on GitHub #1 (comment).

from botanist.

So I was hoping that'd do it but wasn't expecting it to since I saw that in a forum but it wasn't closed after. Anyway, it didn't work after setup installing again :/

I think it is coming through stdout since closing that fd did end the printed lines but it also took out others. Im going to try to redirect stdout to a variable. I haven't looked. Does r2pipe use subprocess by any chance? If so, you can maybe supply an option to add 'stdout=subprocess.PIPE' to the command.

from botanist.

R2pipe supports many connection methods to tlak to r2. And one of them is the popen one. The stderr fd you have to close is in the child process, not in your app.

I'll have some time tomorrow to check this issue in more detail

On 01 Dec 2015, at 02:54, Cory Pruce [email protected] wrote:

So I was hoping that'd do it but wasn't expecting it to since I saw that in a forum but it wasn't closed after. Anyway, it didn't work after setup installing again :/

I think it is coming through stdout since closing that fd did end the printed lines but it also took out others. Im going to try to redirect stdout to a variable. I haven't looked. Does r2pipe use subprocess by any chance? If so, you can maybe supply an option to add 'stdout=subprocess.PIPE' to the command.

—
Reply to this email directly or view it on GitHub.

from botanist.

Makes sense, thanks!

from botanist.

Sorry to keep throwing more stuff at you but I think r2 had a little difficulty interpreting x86 instructions. It did well for the first several mnemonics but then resorted to hex.

Here is the comparison with IDA.

I'd think this is more important that covering up the stderr from the child process. I was able to ignore the err messages by redirecting to a file.

from botanist.

I dont understand the problem. Can you open an issue to track this problem? Provide a sample bin, or the bytes involved, etc? Or show the disasm in r2 to compare with ida? I doubt theres is any issue with the disassembler itself.

On 01 Dec 2015, at 03:34, Cory Pruce [email protected] wrote:

Sorry to keep throwing more stuff at you but I think r2 had a little difficulty interpreting x86 instructions. It did well for the first several mnemonics but then resorted to hex.

Here is the comparison with IDA.

I'd think this is more important that covering up the stderr from the child process. I was able to ignore the err messages by redirecting to a file.

—
Reply to this email directly or view it on GitHub.

from botanist.

I checked it out a bit more. You were right, the disassembly seems correct. However, the problem arose from another function being printed after seeking to JNI_OnLoad using 's JNI_OnLoad; pdf'

This only occurs once for my dataset but seems like an error. I'll give you some time to read this before I post an issue.

from botanist.

I dont think such flag name exists at all

On 01 Dec 2015, at 21:56, Cory Pruce [email protected] wrote:

I checked it out a bit more. You were right, the disassembly seems correct. However, the problem arose from another function being printed after seeking to JNI_OnLoad using 's JNI_OnLoad; pdf'

This only occurs once for my dataset but seems like an error. I'll give you some time to read this before I post an issue.

—
Reply to this email directly or view it on GitHub.

from botanist.

All symbols, imports.. Are prefixed by sym or sym.imp...

On 01 Dec 2015, at 21:56, Cory Pruce [email protected] wrote:

I checked it out a bit more. You were right, the disassembly seems correct. However, the problem arose from another function being printed after seeking to JNI_OnLoad using 's JNI_OnLoad; pdf'

This only occurs once for my dataset but seems like an error. I'll give you some time to read this before I post an issue.

—
Reply to this email directly or view it on GitHub.

from botanist.

I was doing that before but saw this worked too... what flag?

from botanist.

yeah because of the function name if the code is analized :)

On 03 Dec 2015, at 18:46, Cory Pruce [email protected] wrote:

I was doing that before but saw this worked too... what flag?

—
Reply to this email directly or view it on GitHub #1 (comment).

from botanist.

Flags are marks in r2. They basically associate a name with an offset.

On 03 Dec 2015, at 18:46, Cory Pruce [email protected] wrote:

I was doing that before but saw this worked too... what flag?

—
Reply to this email directly or view it on GitHub.

from botanist.

So in this case 'f' would be the flag associated with sym.JNI_OnLoad's address or 'JNI_OnLoad' itself is the flag? Also, sometimes the parsing ends and has 'invalid' instead of a mnemonic. Do you know what causes this? Thanks!

from botanist.