💾 Archived View for radare.org › book › visual › visual_disassembly.gmi captured on 2024-08-18 at 17:27:55. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
The visual disassembler mode in radare2 is accessed by pressing 'p' after entering the V command. This mode displays the disassembled code in a structured format, making it easier to read and navigate through the program's instructions.
In this view, users can scroll through the code, examine function calls, and identify control flow structures. The layout includes address information, machine code, and human-readable assembly instructions. This presentation helps in understanding the program's logic and behavior.
The visual disassembler mode also offers various keybindings for quick actions such as jumping to specific addresses, adding comments, or setting breakpoints.
In other words, it's like using the `pd` command from the shell but in an interactive way.
For example, you can press the `spacebar` key to toggle between the control-flow-graph and linear disassembly listing. Or press the numeric comments `;[1]` in the jump/reference hints next to the instructions to quickly jump there.
Move within the Disassembly using arrow keys or `hjkl`. Use `g` to seek directly to a flag or an offset, type it when requested by the prompt: `[offset]>`.
Follow a jump or a call using the `number` of your keyboard `[0-9]` and the number on the right in disassembly to follow a call or a jump. In this example typing `1` on the keyboard would follow the call to `sym.imp.__libc_start_main` and therefore, seek at the offset of this symbol.
0x00404894 e857dcffff call sym.imp.__libc_start_main ;[1]
Seek back to the previous location using `u`, `U` will allow you to redo the seek.
Remember that, to be able to actually edit files loaded in radare2, you have to start it with the `-w` option. Otherwise a file is opened in read-only mode.
Pressing lowercase `c` toggles the cursor mode. When this mode is active, the currently selected byte (or byte range) is highlighted.
Cursor at 0x00404896[1]
The cursor is used to select a range of bytes or simply to point to a byte. You can use the cursor to create a named flag at specific location. To do so, seek to the required position, then press `f` and enter a name for a flag.
If the file was opened in write mode using the `-w` flag or the `o+` command, you can also use the cursor to overwrite a selected range with new values. To do so, select a range of bytes (with HJKL and SHIFT key pressed), then press `i` and enter the hexpair values for the new data. The data will be repeated as needed to fill the range selected. For example: ``` <select 10 bytes in visual mode using SHIFT+HJKL> <press 'i' and then enter '12 34'> ``` The 10 bytes you have selected will be changed to "12 34 12 34 12 ...".
The Visual Assembler is a feature that provides a live-preview while you type in new instructions to patch into the disassembly. To use it, seek or place the cursor at the wanted location and hit the 'A' key. To provide multiple instructions, separate them with semicolons, `;`.
When radare2 has discovered a XREF during the analysis, it will show you the information in the Visual Disassembly using `XREF` tag:
; DATA XREF from 0x00402e0e (unk) str.David_MacKenzie:
To see where this string is called, press `x`, if you want to jump to the location where the data is used then press the corresponding number [0-9] on your keyboard. (This functionality is similar to `axt`)
`X` corresponds to the reverse operation aka `axf`.
To enable this view use this config var `e dbg.funcarg = true`
funcarg[1]
To add a comment press `;`.
Quickly type commands using `:`.
`/`: allows highlighting of strings in the current display.
`:cmd` allows you to use one of the "/?" commands that perform more specialized searches.
The "UserFriendly HUD" can be accessed using the `??` key-combination. This HUD acts as an interactive Cheat Sheet that one can use to more easily find and execute commands. This HUD is particularly useful for new-comers. For experienced users, the other HUDS which are more activity-specific may be more useful.
This HUD can be displayed using the `_` key, it shows a list of all the flags defined and lets you jump to them. Using the keyboard you can quickly filter the list down to a flag that contains a specific pattern.
Hud input mode can be closed using ^C. It will also exit when backspace is pressed when the user input string is empty.
The disassembly's look-and-feel is controlled using the "asm.* configuration keys, which can be changed using the `e` command. All configuration keys can also be edited through the Visual Configuration Editor.
This HUD can be accessed using the `e` key in visual mode. The editor allows you to easily examine and change radare2's configuration. For example, if you want to change something about the disassembly display, select `asm` from the list, navigate to the item you wish to modify it, then select it by hitting `Enter`.
If the item is a boolean variable, it will toggle, otherwise you will be prompted to provide a new value.
First Select asm[1]
Example switch to pseudo disassembly:
Pseudo disassembly disabled[1]
1: Pseudo disassembly disabled
Pseudo disassembly enabled[1]
Following are some example of eval variable related to disassembly.
You can view the list of all arch using `e asm.arch=?`
e asm.arch = dalvik
0x00404870 31ed4989 cmp-long v237, v73, v137
0x00404874 d15e4889 rsub-int v14, v5, 0x8948
0x00404878 e24883e4 ushr-int/lit8 v72, v131, 0xe4
0x0040487c f0505449c7c0 +invoke-object-init-range {}, method+18772 ;[0]
0x00404882 90244100 add-int v36, v65, v0
e asm.bits = 16 0000:4870 31ed xor bp, bp 0000:4872 49 dec cx 0000:4873 89d1 mov cx, dx 0000:4875 5e pop si 0000:4876 48 dec ax 0000:4877 89e2 mov dx, sp
This latest operation can also be done using `&` in Visual mode.
e asm.pseudo = true 0x00404870 31ed ebp = 0 0x00404872 4989d1 r9 = rdx 0x00404875 5e pop rsi 0x00404876 4889e2 rdx = rsp 0x00404879 4883e4f0 rsp &= 0xfffffffffffffff0
e asm.syntax = att 0x00404870 31ed xor %ebp, %ebp 0x00404872 4989d1 mov %rdx, %r9 0x00404875 5e pop %rsi 0x00404876 4889e2 mov %rsp, %rdx 0x00404879 4883e4f0 and $0xfffffffffffffff0, %rsp
e asm.describe = true 0x00404870 xor ebp, ebp ; logical exclusive or 0x00404872 mov r9, rdx ; moves data from src to dst 0x00404875 pop rsi ; pops last element of stack and stores the result in argument 0x00404876 mov rdx, rsp ; moves data from src to dst 0x00404879 and rsp, -0xf ; binary and operation between src and dst, stores result on dst