Hi,
What do you think about adding metadata comments on every int 0x80
saying which syscall is being called?
I suggest adding syscall integer at aop_t and 2 more enums:
radare/src# diff code.h oldcode.h
19d18
< AOP_TYPE_SYS, // syscall
24d22
< AOP_TYPE_MOV, // mov eax/ax/al
44d41
< int syscall; /* syscall number */
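Review bot: the new `int syscall` member (44d41) is added without any initialisation and none of the decoder changes reset it, so unless aop_t is zeroed before every decode a stale number from an earlier instruction survives into the next one and is then picked up by the `aop.syscall > 0` test in analyze.c. Reset it to 0 (or to the -1 the `int 0x80` case uses) at the start of the decoder, and extend the `/* syscall number */` comment to say that it holds the immediate for AOP_TYPE_MOV and the resolved number for AOP_TYPE_SYS. Note also that `diff code.h oldcode.h` puts the new file first, so the `<` lines in these hunks are the additions.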
Then, in x86 code.c, identify the MOV eax variants and the int 80:
radare/src/arch/x86# diff code.c oldcode.c
41,53d40
< case 0xb0: // movl to al
< aop->type = AOP_TYPE_MOV;
< aop->syscall = bytes[1];
< case 0x66: // movw to ax
< if (bytes[1] == 0xb8) {
< aop->type = AOP_TYPE_MOV;
< if (bytes[3] == 0x00)
< aop->syscall = bytes[2];
< }
< case 0xb8: // movl to eax
< aop->type = AOP_TYPE_MOV;
< if (bytes[2] == 0x00 && bytes[3] == 0x00 && bytes[4] == 0x00)
< aop->syscall = bytes[1];
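Review bot: the three new `case` labels (41,53d40) have no `break`, so `case 0xb0` falls into `case 0x66` and then into `case 0xb8`; for a two-byte `mov al, imm8` the `bytes[2]`..`bytes[4]` tested there belong to the following instruction, and the final `aop->syscall = bytes[1]` can overwrite the value just stored. A `0x66` prefix whose second byte is not 0xb8 falls through the same way and is still tagged AOP_TYPE_MOV. Add `break;` after each case. Two smaller points: requiring `bytes[2]`, `bytes[3]` and `bytes[4]` to be zero means numbers above 255 are never recorded, and `mov al` only writes the low byte of eax, so its immediate is the syscall number only when the upper bytes are already zero (for example after `xor eax,eax`), which this decoder does not track.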
100,104c87
< if (bytes[1] == 0x80) {
< aop->syscall = -1;
< aop->type = AOP_TYPE_SYS;
< } else
< aop->type = AOP_TYPE_SWI;
---
> aop->type = AOP_TYPE_SWI;
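Review bot: the `aop->syscall = -1` sentinel (100,104c87) is undocumented and analyze.c immediately overwrites it with lastEAX, so either drop it or add a comment that -1 means "number not yet resolved". The unbraced `} else` next to the braced branch also reads oddly; `} else {` ... `}` would be clearer.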
Then put the metadata_comment_add calls in analyze.c,
more or less something like:
pwn3d:/opt/radare/radare/src# diff analyze.c oldanalyze.c
116,126d115
< case AOP_TYPE_MOV:
< if (aop.syscall > 0) {
< lastEAX = aop.syscall;
< aop.syscall = 0;
< }
< break;
< case AOP_TYPE_SYS:
< aop.syscall = lastEAX;
< metadata_comment_add(ptr, "SYSCALL");
< //printf("SYSCALL!!\n");
< break;
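Review bot: lastEAX (116,126d115) is never invalidated, so the number from a `mov eax` earlier in the function is still applied to an `int 0x80` reached after instructions that changed eax, including a preceding `int 0x80` (the kernel returns its result in eax). Reset lastEAX (e.g. to -1) after the AOP_TYPE_SYS case and whenever an instruction that writes eax is seen, and use the same sentinel in the MOV case: `aop.syscall > 0` currently drops syscall 0 and cannot tell "no number seen" from "number 0". The fixed "SYSCALL" string also discards the number just stored in `aop.syscall`; a `snprintf` into a local buffer, e.g. `"syscall(%d)"`, would give the `syscall(__NR_read)`-style comment the mail asks for once a number-to-name table exists. The `//printf("SYSCALL!!\n");` line is a debug leftover.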
334,342d322
< /*
< case AOP_TYPE_MOV:
< if (aop.syscall > 0) {
< lastEAX = aop.syscall;
< aop.syscall = 0;
< }
< case AOP_TYPE_SYS:
< aop.syscall = lastEAX;
< metadata_comment_add(tmp, "SYSCALL");*/
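Review bot: the second block (334,342d322) is a commented-out copy of the first and should not be committed as dead code; if this second switch is a separate analysis pass that also needs the annotation, enable it (adding the `break` statements the copy is missing), otherwise delete it.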
But saying which syscall is called, e.g. syscall(__NR_read),
and doing it only if the arch is x86.
What do you think?
_______________________________________________
radare mailing list
[email protected]
http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
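As an added example (not radare's code and not the patch above): a standalone C sketch of the heuristic the proposal describes, tracking the immediate loaded into eax and labelling each `int 0x80` with a `syscall(__NR_...)` comment. It goes a little beyond the patch: it also follows `xor eax,eax` and the partial `al`/`ax` writes, and it forgets eax after every `int 0x80` because the kernel leaves the return value there, so a second `int 0x80` without a fresh load is labelled `syscall(?)`. The decoder only knows the handful of encodings the constructed sample uses (an assumption, not a general x86 decoder), and the name table is a small subset of the real Linux i386 numbers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMMENTS 16

struct comment {
    size_t off;     /* offset of the int 0x80 being annotated */
    char text[48];  /* e.g. "syscall(__NR_write)" */
};

/* Constructed subset of the Linux i386 syscall table (the numbers are the real ones). */
static const struct { uint32_t nr; const char *name; } nr_names[] = {
    { 0, "__NR_restart_syscall" }, { 1, "__NR_exit" }, { 2, "__NR_fork" },
    { 3, "__NR_read" }, { 4, "__NR_write" }, { 5, "__NR_open" },
    { 6, "__NR_close" }, { 11, "__NR_execve" },
};

static const char *nr_name(uint32_t nr)
{
    size_t i;
    for (i = 0; i < sizeof nr_names / sizeof nr_names[0]; i++)
        if (nr_names[i].nr == nr)
            return nr_names[i].name;
    return NULL;
}

/* Tracked eax; value is only meaningful while known != 0. */
struct eax_state { int known; uint32_t value; };

/* Decode one instruction at code[off] and update the tracked eax.  Only the
 * encodings used by the sample are handled (assumption: plain 32-bit code made
 * of these forms).  Returns the instruction length, or 0 if unhandled. */
static size_t step(const uint8_t *code, size_t len, size_t off, struct eax_state *eax,
                   struct comment *out, size_t max_out, size_t *n_out)
{
    uint8_t op = code[off];
    size_t rem = len - off;

    if (op == 0x66 && rem >= 4 && code[off + 1] >= 0xb8 && code[off + 1] <= 0xbf) {
        /* mov r16, imm16: only the low 16 bits change, so eax must already be known */
        if (code[off + 1] == 0xb8 && eax->known)
            eax->value = (eax->value & 0xffff0000u) | code[off + 2] | (uint32_t)code[off + 3] << 8;
        return 4;
    }
    if (op >= 0xb8 && op <= 0xbf && rem >= 5) {              /* mov r32, imm32 */
        if (op == 0xb8) {
            eax->value = (uint32_t)code[off + 1] | (uint32_t)code[off + 2] << 8 |
                         (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
            eax->known = 1;
        }
        return 5;
    }
    if (op >= 0xb0 && op <= 0xb7 && rem >= 2) {              /* mov r8, imm8 */
        if (op == 0xb0 && eax->known)                        /* al = bits 0..7 of eax */
            eax->value = (eax->value & 0xffffff00u) | code[off + 1];
        return 2;
    }
    if (op == 0x31 && rem >= 2 && code[off + 1] >= 0xc0) {   /* xor r32, r32 */
        uint8_t modrm = code[off + 1];
        if ((modrm & 7) == 0) {                              /* destination is eax */
            eax->known = ((modrm >> 3) & 7) == 0;            /* xor eax,eax -> known 0 */
            eax->value = 0;
        }
        return 2;
    }
    if (op == 0xcd && rem >= 2) {                            /* int imm8 */
        if (code[off + 1] == 0x80 && *n_out < max_out) {
            struct comment *c = &out[(*n_out)++];
            const char *name = eax->known ? nr_name(eax->value) : NULL;
            c->off = off;
            if (name)
                snprintf(c->text, sizeof c->text, "syscall(%s)", name);
            else if (eax->known)
                snprintf(c->text, sizeof c->text, "syscall(%u)", eax->value);
            else
                snprintf(c->text, sizeof c->text, "syscall(?)");
        }
        eax->known = 0;   /* the kernel leaves its return value in eax */
        return 2;
    }
    return 0;
}

/* Linear sweep; stops at the first instruction the decoder does not know.
 * Returns the number of comments written to out[]. */
size_t annotate_syscalls(const uint8_t *code, size_t len, struct comment *out, size_t max_out)
{
    struct eax_state eax = { 0, 0 };
    size_t off = 0, n = 0, l;
    while (off < len && (l = step(code, len, off, &eax, out, max_out, &n)) != 0)
        off += l;
    return n;
}

/* Constructed sample of 32-bit Linux code, not taken from any real binary. */
const uint8_t sample_code[] = {
    0xb8, 0x04, 0x00, 0x00, 0x00,   /*  0: mov eax, 4            */
    0xbb, 0x01, 0x00, 0x00, 0x00,   /*  5: mov ebx, 1            */
    0xcd, 0x80,                     /* 10: int 0x80 -> write     */
    0x31, 0xc0,                     /* 12: xor eax, eax          */
    0xb0, 0x01,                     /* 14: mov al, 1             */
    0xcd, 0x80,                     /* 16: int 0x80 -> exit      */
    0x31, 0xc0,                     /* 18: xor eax, eax          */
    0x66, 0xb8, 0x2c, 0x01,         /* 20: mov ax, 300           */
    0xcd, 0x80,                     /* 24: int 0x80 -> 300       */
    0xbb, 0x00, 0x00, 0x00, 0x00,   /* 26: mov ebx, 0            */
    0xcd, 0x80,                     /* 31: int 0x80, eax unknown */
};

int main(void)
{
    struct comment c[MAX_COMMENTS];
    size_t i, n = annotate_syscalls(sample_code, sizeof sample_code, c, MAX_COMMENTS);
    for (i = 0; i < n; i++)
        printf("0x%02zx  %s\n", c[i].off, c[i].text);
    return 0;
}
```

Running it prints one line per `int 0x80` in the sample: `write`, `exit`, the unnamed number 300, and `syscall(?)` for the last one, where eax was clobbered by the previous syscall's return value. The single-field `eax_state` is what a real decoder would carry between instructions instead of the patch's `lastEAX`, and the `known` flag is what lets it stay silent rather than guess.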