如何使用radare2分解可执行文件？

p:Cannot find function at 0x100401000

#1 楼

首先，您必须了解pdf命令用于反汇编函数，因此首先必须查找函数的起点（我认为它们正在使用符号以及其他一些启发式方法来找到它）。

要自动分析功能，只需先键入aaa。它将在可执行文件上运行大多数必需的分析。然后，键入pdf。

如果您只想进行未经函数分析的原始反汇编，则只需键入pd。具有意义并建立树状命令族。

例如，“ p”用于“打印”命令系列。尝试键入p?，您将得到以下内容：

[0x00005430]> p?
|Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr]
| p=[?][bep] [blks] [len] [blk]  show entropy/printable chars/chars bars
| p2 [len]                       8x8 2bpp-tiles
| p3 [file]                      print stereogram (3D)
| p6[de] [len]                   base64 decode/encode
| p8[?][j] [len]                 8bit hexpair list of bytes
| pa[edD] [arg]                  pa:assemble  pa[dD]:disasm or pae: esil from hexpairs
| pA[n_ops]                      show n_ops address and type
| p[b|B|xb] [len] ([skip])       bindump N bits skipping M
| pb[?] [n]                      bitstream of N bits
| pB[?] [n]                      bitstream of N bytes
| pc[?][p] [len]                 output C (or python) format
| pC[d] [rows]                   print disassembly in columns (see hex.cols and pdi)
| pd[?] [sz] [a] [b]             disassemble N opcodes (pd) or N bytes (pD)
| pf[?][.nam] [fmt]              print formatted data (pf.name, pf.name $<expr>)
| ph[?][=|hash] ([len])          calculate hash for a block
| p[iI][df] [len]                print N ops/bytes (f=func) (see pi? and pdi)
| pm[?] [magic]                  print libmagic data (see pm? and /m?)
| pr[?][glx] [len]               print N raw bytes (in lines or hexblocks, 'g'unzip)
| p[kK] [len]                    print key in randomart (K is for mosaic)
| ps[?][pwz] [len]               print pascal/wide/zero-terminated strings
| pt[?][dn] [len]                print different timestamps
| pu[?][w] [len]                 print N url encoded bytes (w=wide)
| pv[?][jh] [mode]               show variable/pointer/value in memory
| p-[?][jh] [mode]               bar|json|histogram blocks (mode: e?search.in)
| px[?][owq] [len]               hexdump of N bytes (o=octal, w=32bit, q=64bit)
| pz[?] [len]                    print zoom view (see pz? for help)
| pwd                            display current working directory

然后，第二个字母（d）代表“反汇编”，请尝试pd?：

[0x00005430]> pd?
|Usage: p[dD][ajbrfils] [sz] [arch] [bits] # Print Disassembly
| NOTE: len  parameter can be negative
| NOTE:      Pressing ENTER on empty command will repeat last pd command and also seek to end of disassembled range.
| pd N       disassemble N instructions
| pd -N      disassemble N instructions backward
| pD N       disassemble N bytes
| pda        disassemble all possible opcodes (byte per byte)
| pdb        disassemble basic block
| pdc        pseudo disassembler output in C-like syntax
| pdC        show comments found in N instructions
| pdk        disassemble all methods of a class
| pdj        disassemble to json
| pdr        recursive disassemble across the function graph
| pdf        disassemble function
| pdi        like 'pi', with offset and bytes
| pdl        show instruction sizes
| pds[?]     disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)
| pdt        disassemble the debugger traces (see atd)

如您所见，pdf代表“反汇编功能”。您需要什么。它从当前地址到内存的特定窗口盲目地拆卸。如果要在精确的地址拆卸，请使用pd。

#2 楼

打印反汇编的大小重定向output_filename



pd：打印反汇编的代码>
$s：将输出重定向到文件
output_filename：将输出写入此文件

，然后尝试：

pd $s >myfile.asm

>或者，（s）搜索.text段的开头，然后（p）rint（D）汇编N个字节段地址（section..text）：

s section..text
pD section_end..text-section..text > myfiles.txt

如果可执行文件具有多个段，则需要在名称（例如，段。 text.0）。通过列出所有（S）部分列表来找到各部分的名称：

S

P.S我只是在自己学习如何使用radare2。