#1
Essentially, it's the following workflow:

    r2 -A /path/to/binary   // load the binary and perform initial analysis
    afl                     // print function symbols
    pdf @sym.of.interest    // disassemble
    pdc @sym.of.interest    // "decompile" or generate pseudo code
Here is an example of how to disassemble a MachOView function. Generating some form of pseudo code ("decompiling") works similarly, via the pdc command; both sessions are shown below:
@0x4B6169:/$ r2 -A /Applications/MachOView.app/Contents/MacOS/MachOView 2>/dev/null
-- Run .dmm* to load the flags of the symbols of all modules loaded in the debugger
[0x100001da0]> afl | grep sym.__MachOLayout_get
0x10000b252 4 49 sym.__MachOLayout_getSectionByIndex:_
0x10000b283 4 49 sym.__MachOLayout_getSection64ByIndex:_
0x10000b2b4 4 49 sym.__MachOLayout_getSymbolByIndex:_
0x10000b2e5 4 49 sym.__MachOLayout_getSymbol64ByIndex:_
0x10000b316 4 49 sym.__MachOLayout_getDylibByIndex:_
[0x100001da0]> pdf @sym.__MachOLayout_getSymbolByIndex:_
;-- func.10000b2b4:
;-- method.MachOLayout.getSymbolByIndex::
╒ (fcn) sym.__MachOLayout_getSymbolByIndex:_ 49
│ 0x10000b2b4 55 push rbp
│ 0x10000b2b5 4889e5 mov rbp, rsp
│ 0x10000b2b8 89d0 mov eax, edx
│ 0x10000b2ba 488b151f760f. mov rdx, qword [rip + 0xf761f] ; [0x1001028e0:8]=176 LEA sym._OBJC_IVAR___MachOLayout.symbols ; sym._OBJC_IVAR___MachOLayout.symbols
│ 0x10000b2c1 488b0c17 mov rcx, qword [rdi + rdx]
│ 0x10000b2c5 488b541708 mov rdx, qword [rdi + rdx + 8] ; [0x8:8]=0x280000003
│ 0x10000b2ca 4829ca sub rdx, rcx
│ 0x10000b2cd 48c1fa03 sar rdx, 3
│ 0x10000b2d1 4839d0 cmp rax, rdx
│ ┌─< 0x10000b2d4 7306 jae 0x10000b2dc
│ │ 0x10000b2d6 488b04c1 mov rax, qword [rcx + rax*8]
│ ┌──< 0x10000b2da eb07 jmp 0x10000b2e3
│ ││ ; JMP XREF from 0x10000b2d4 (sym.__MachOLayout_getSymbolByIndex:_)
│ │└─> 0x10000b2dc 488d05e5fd0a. lea rax, [rip + 0xafde5] ; 0x1000bb0c8 ; sym.__MachOLayoutgetSymbolByIndex:_::notfound ; sym.__MachOLayoutgetSymbolByIndex:_::notfound
│ │ ; JMP XREF from 0x10000b2da (sym.__MachOLayout_getSymbolByIndex:_)
│ └──> 0x10000b2e3 5d pop rbp
╘ 0x10000b2e4 c3 ret
[0x100001da0]> quit
This opens Hopper, where you can click the "Proc." tab and then search for the function. After clicking it, you will see the following disassembly (radare2 1.5.0 0 @ darwin-x86-64 git.1.5.0, commit: HEAD build: 2017-05-31__14:31:32):
[0x100001da0]> pdc @sym.__MachOLayout_getSymbolByIndex:_
function sub.__MachOLayoutgetSymbolByIndex:_.notfound_2b4 () {
loc_0x10000b2b4:
push rbp
rbp = rsp
eax = edx
rdx = qword sym._OBJC_IVAR___MachOLayout.symbols //[0x1001028e0:8]=176 ; "__text"
rcx = qword [rdi + rdx]
rdx = qword [rdi + rdx + 8] //[0x8:8]=0x280000003
rdx -= rcx
rdx >>= 3
var = rax - rdx
jae 0x10000b2dc //unlikely
{
loc_0x10000b2dc:
//JMP XREF from 0x10000b2d4 (sub.__MachOLayoutgetSymbolByIndex:_.notfound_2b4)
rax = [sym.__MachOLayoutgetSymbolByIndex:_::notfound] //method.__MachOLayoutgetSymbolByIndex:_.notfound ; 0x1000bb0c8 ; method.__MachOLayoutgetSymbolByIndex:_.notfound
do
{
loc_0x10000b2e3:
//JMP XREF from 0x10000b2da (sub.__MachOLayoutgetSymbolByIndex:_.notfound_2b4)
pop rbp
} while (?);
} while (?);
}
return;
}
Clearly, at the moment, the pseudo code inside Hopper is still better than what I can get from radare2. The above disassembly as pseudo code in Hopper (v4.2.1) is:
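As an added example (not part of the answer above and not MachOView's own source), the pdf/pdc output can be hand-translated into C, which makes the pseudo code's `do { } while (?)` scaffolding easier to read past. The reconstruction below assumes that the `symbols` ivar is a libc++-style vector of pointers (a begin/end pointer pair at ivar offset 176, with 8-byte elements implied by `sar rdx, 3`), and that `notfound` is a static sentinel object whose address is returned on a miss. The `MachOLayout` struct, the `MachOLayout_make` helper and the sample symbol table are constructed for the example; the security-relevant detail is the `jae`, an unsigned comparison, so no "negative" index can pass the bounds check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the `symbols` ivar is a libc++-style std::vector<T*>, i.e. three
 * pointers {begin, end, capacity_end}. The method only reads the first two. */
struct ptr_vector {
    void **begin;
    void **end;
    void **cap_end;
};

/* Constructed stand-in for the MachOLayout object. The 176-byte prefix mirrors
 * the ivar offset _OBJC_IVAR_$_MachOLayout.symbols = 176 that the disassembly
 * loads from 0x1001028e0. */
struct MachOLayout {
    uint8_t objc_prefix[176];
    struct ptr_vector symbols;
};

/* Stand-in for the static `notfound` object at 0x1000bb0c8: out-of-range
 * lookups return its address rather than NULL. */
static uint8_t notfound_object;
void *const MachOLayout_notfound = &notfound_object;

/* Hand-decompiled -[MachOLayout getSymbolByIndex:]. `index` is the third
 * argument (self, _cmd, index); `mov eax, edx` zero-extends a 32-bit value. */
void *MachOLayout_getSymbolByIndex(const struct MachOLayout *self, uint32_t index)
{
    /* sub rdx, rcx ; sar rdx, 3  -> element count = (end - begin) / 8 */
    size_t count = (size_t)(self->symbols.end - self->symbols.begin);

    /* cmp rax, rdx ; jae notfound -> unsigned compare, so index >= count is
     * rejected; a large or "negative" index cannot slip past this check. */
    if ((size_t)index >= count)
        return MachOLayout_notfound;           /* lea rax, [rip + notfound] */

    return self->symbols.begin[index];         /* mov rax, [rcx + rax*8] */
}

/* Helper (constructed for the example) to build a layout over a caller-supplied
 * symbol array. */
struct MachOLayout MachOLayout_make(void **syms, size_t n)
{
    struct MachOLayout l = {0};
    l.symbols.begin = syms;
    l.symbols.end = syms + n;
    l.symbols.cap_end = syms + n;
    return l;
}

int main(void)
{
    /* Constructed sample symbol table: three fake symbol objects. */
    static int sym_a, sym_b, sym_c;
    void *syms[] = { &sym_a, &sym_b, &sym_c };
    struct MachOLayout layout = MachOLayout_make(syms, 3);

    uint32_t probes[] = { 0, 2, 3, 0xffffffffu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        void *r = MachOLayout_getSymbolByIndex(&layout, probes[i]);
        printf("index %u -> %s\n", (unsigned)probes[i],
               r == MachOLayout_notfound ? "notfound" : "symbol");
    }
    return 0;
}
```

Indices 0 and 2 resolve to the corresponding table entries; 3 and 0xffffffff both fall through to the `notfound` sentinel, exactly as the `jae` branch in the disassembly dictates.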
#2
Just use rabin2 -c
....now I have to type silly filler text to reach 30 characters
Comments
rabin2 -c will only list the classes. My question is about disassembling one of these methods.
– 3asm_
Dec 31 '15 at 18:16