Latest mercurial version has added some new fields on the aop_t structure to store information for source, dest for register, immediates and memory pointers.

This way I can abstract any architecture opcodes into a risc-like (3 arguments) pseudocode. It's more or less the concept of a virtual machine to allow me to calculate jumps/calls to registers or in the future (radare 2.0?) support a pseudo decompilation of the function.

I think you are right. Syscalls need to be commented. Reading code and converting hex values to kernel syscall names is a stupid loss of time and unreadability. I know that after some time doing reverse engineering you can easily translate all this stuff in your mind, but it's ok.

During the CCC, pof wrote an rsc script to do this called "syscall-flag". You can use it in this way from radare:

  [0x8048000]> .!rsc syscall-flag $FILE

On Wed, 2008-05-21 at 13:06 +0200, sha0 sha0 wrote:
> Hi,
>
> What do you think about adding metadata comments on every int 0x80
> saying the syscall that is being called?
>
> I suggest adding syscall integer at aop_t and 2 more enums:

Please, use diff -u oldcode.h code.h or better... hg diff

> radare/src# diff code.h oldcode.h
> 19d18
> < AOP_TYPE_SYS, // syscall
> 24d22
> < AOP_TYPE_MOV, // mov eax/ax/al
> 44d41
> < int syscall; /* syscall number */
>
> Then at x86 code.c identify the MOV eax variants, and the int 80:
> (...)
>
> Then put the metadata_comment_add calls at analyze.c
> more or less something like:
>
> (...)
>
> But saying the syscall called, for ex syscall(__NR_read)
> and doing it only if arch is x86
>
> what do you think about?

This is of course a partial hacky patch. Can you send it to me again in a proper format (hg diff) and I will evaluate it. Because it partially does what I plan to do with the virtual machine concept inside the code analysis module.

Thanks!

--pancake
_______________________________________________
radare mailing list
[email protected]
http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
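Review bot: the quoted diff was produced as `diff code.h oldcode.h` (new file first), so the three additions appear as deletions (`19d18`, `< AOP_TYPE_SYS, // syscall`) and cannot be applied with patch; it should be regenerated as `diff -u oldcode.h code.h` or `hg diff`. The new `int syscall; /* syscall number */` field in aop_t also needs its comment to state that the value is only meaningful when the opcode type is AOP_TYPE_SYS, and the analyzer should reset it for every other opcode, otherwise a stale number from a previous instruction can be reported at a non-syscall site.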
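The analysis sha0 sketches (track the immediate last loaded into eax/ax/al, then emit a `syscall(__NR_xxx)` comment at each `int 0x80`) is simple enough to show end to end. The following is an added illustration, not radare's code nor pof's rsc script: it walks a constructed linear x86 listing in `addr: insn` form, carries the known eax value forward, and drops to "unknown" on any other instruction that writes eax, so an ambiguous site gets no comment rather than a wrong one. The syscall table is a hand-picked subset of the Linux i386 numbers; a real tool would generate it from the kernel's unistd.h.

```python
import re

# Constructed subset of the Linux i386 syscall table (real __NR_* numbers,
# but far from complete; generate the full table from unistd.h in practice).
I386_SYSCALLS = {
    0: "restart_syscall", 1: "exit", 2: "fork", 3: "read", 4: "write",
    5: "open", 6: "close", 11: "execve", 20: "getpid", 37: "kill",
}

MOV_IMM = re.compile(r"^mov\s+(eax|ax|al)\s*,\s*(0x[0-9a-f]+|\d+)$")
ZERO_EAX = re.compile(r"^(xor|sub)\s+eax\s*,\s*eax$")
DEST_EAX = re.compile(r"^(\w+)\s+(eax|ax|al|ah)\b")
NON_WRITERS = {"cmp", "test", "push"}   # first operand is eax but it is not written


def _imm(text):
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def annotate_syscalls(listing):
    """Return {address: comment} for every `int 0x80` whose eax value can be
    reconstructed from the immediate moves that precede it."""
    comments = {}
    eax = None                       # None means "value not known"
    for line in listing:
        addr_text, _, insn = line.partition(":")
        addr = int(addr_text.strip(), 16)
        insn = insn.strip().lower()
        mnemonic = insn.split()[0] if insn else ""
        m = MOV_IMM.match(insn)
        if ZERO_EAX.match(insn):
            eax = 0
        elif m:
            reg, val = m.group(1), _imm(m.group(2))
            if reg == "eax":
                eax = val & 0xffffffff
            elif eax is not None and reg == "ax":   # partial write keeps upper half
                eax = (eax & 0xffff0000) | (val & 0xffff)
            elif eax is not None:                   # mov al, imm
                eax = (eax & 0xffffff00) | (val & 0xff)
            # partial write onto an unknown eax stays unknown
        elif insn == "int 0x80":
            if eax is not None:
                name = I386_SYSCALLS.get(eax)
                comments[addr] = f"syscall(__NR_{name})" if name else f"syscall({eax})"
        elif mnemonic == "call" or (DEST_EAX.match(insn) and mnemonic not in NON_WRITERS):
            eax = None               # eax clobbered by something we do not model
    return comments


# Constructed listing: a write(1, buf, 13), an exit(1), then a syscall whose
# number comes off the stack and therefore cannot be resolved statically.
SAMPLE_LISTING = [
    "08048080: xor eax, eax",
    "08048082: mov al, 4",
    "08048084: mov ebx, 1",
    "08048089: mov ecx, 0x80490a0",
    "0804808e: mov edx, 13",
    "08048093: int 0x80",
    "08048095: mov eax, 1",
    "0804809a: xor ebx, ebx",
    "0804809c: int 0x80",
    "0804809e: pop eax",
    "0804809f: int 0x80",
]

if __name__ == "__main__":
    for addr, comment in sorted(annotate_syscalls(SAMPLE_LISTING).items()):
        print(f"{addr:08x}  ; {comment}")
```

The clobber rule is deliberately conservative: anything that writes eax and is not an immediate move (pop, lea, arithmetic, a call) discards the known value, so the example prefers silence to a misleading comment at the third `int 0x80`.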
