I have written another plugin for radare, which is available in the development
repository. It uses the winedbg program via 'tm' (terminal mixer) to be
able to debug w32 programs from a *nix system.
At the moment it's a bit buggy, because of the unaligned memory reads and
the lack of debugger commands, but it is possible to directly call winedbg
commands:
$ radare winedbg://./notepad.exe
[0x00400000]> x
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 1 2 3 4 5 0123456789ABCDEF012345
.--------+-------------------------------------------------------+-----------------------
0x00400000 4d5a 9000 0300 0000 0400 0000 ffff 0000 b800 0000 0000 MZ....................
0x00400016 0000 4000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ..@...................
0x0040002C 0000 0000 0000 0000 0000 0000 0000 0000 d800 0000 0e1f ......................
0x00400042 ba0e 00b4 09cd 21b8 014c cd21 5468 6973 2070 726f 6772 ......!..L.!This progr
0x00400058 616d 2063 616e 6e6f 7420 6265 2072 756e 2069 6e20 444f am cannot be run in DO
0x0040006E 5320 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 e56c 4aa8 S mode....$........lJ.
0x00400084 a10d 24fb a10d 24fb a10d 24fb 2f05 7bfb a30d 24fb a10d ..$...$...$./.{...$...
0x0040009A 25fb 390d 24fb 2205 79fb b00d 24fb f52e 14fb a80d 24fb %.9.$.".y...$.......$.
0x004000B0 660b 22fb a00d 24fb 5269 6368 a10d 24fb 0000 0000 0000 f."...$.Rich..$.......
0x004000C6 0000 ..
[0x00400000]>
[ 0x0040316C (inc=6, bs=48) visualcmd ] edi+0x6
Stack:
a8b8 ec7e 0000 0000 0000 0000 0000 0000 0000 0000 0000 ...~..................
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ......................
0000 0000 ....
Registers:
eip = 0x0040316d eax = 0x00000000
esp = 0x0034fd8c ebx = 0x7eecb8a8
ebp = 0x0034ffe8 ecx = 0x00000000
Disassembly:
0x0040316D eip:
0x0040316D 53 push ebx
0x0040316E 55 push ebp
0x0040316F 56 push esi
0x00403170 33f6 esi ^= esi
0x00403172 57 push edi
0x00403173 89742418 [esp+0x18] = esi
0x00403177 bd40924000 ebp = 0x409240
0x0040317C c644241020 byte [esp+0x10] = 0x20 ; 32
0x00403181 ff1530704000 v call dword near [0x407030]
[0x000403145]> !!help
The commands accepted by the Wine debugger are a reasonable
subset of the commands that gdb accepts.
The commands currently are:
help quit
break [*<addr>] watch *<addr>
delete break bpnum disable bpnum
enable bpnum condition <bpnum> [<expr>]
finish cont [N]
step [N] next [N]
stepi [N] nexti [N]
x <addr> print <expr>
display <expr> undisplay <disnum>
local display <expr> delete display <disnum>
enable display <disnum> disable display <disnum>
bt [<tid>|all] frame <n>
up down
list <lines> disassemble [<addr>][,<addr>]
show dir dir <path>
set <reg> = <expr> set *<addr> = <expr>
pass whatis
info (see 'help info' for options)
The 'x' command accepts repeat counts and formats (including 'i') in the
same way that gdb does.
The following are examples of legal expressions:
$eax $eax+0x3 0x1000 ($eip + 256) *$eax *($esp + 3)
Also, a nm format symbol table can be read from a file using the
symbolfile command.
--pancake
_______________________________________________
radare mailing list
[email protected]
https://lists.nopcode.org/mailman/listinfo/radare