Just a note that the bytes 83 e4 f0 decode to the BYTE version of the AND instruction, meaning that it will only affect the lowest byte of the target. In the context of AND, a 32-bit AND with 0xfffffff0 and an 8-bit AND with 0xf0 are functionally equivalent. Both yield the same result, and I would actually call radare more correct on this one since it is a byte oriented op.
Evan Teran

On Fri, Nov 14, 2008 at 9:02 PM, Anderson Lizardo <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Finally I decided to spend some time playing with radare :) This was on my TODO for a long time.
>
> Anyway, I have a few notes after some short usage time:
>
> 1) Building from sources using ACR (i.e. ./configure ... ; make) always fails on my Ubuntu (Hardy) system while compiling grava (it cannot find some GTK headers and also some GUI headers, even though I used --without-gui in configure). I had to fiddle with CFLAGS to make it build properly.
>
> 2) I tried a simple session with /bin/ls. Steps followed:
>
> - set .radarerc to:
>
> eval scr.color = true
> eval asm.syntax = intel
> eval file.analyze = true
> eval file.id = true
> eval file.flag = true
>
> - start radare with "radare /bin/ls"
> - disassemble with "pd". Here are the first lines of what I get:
>
> ; [13] 0x08049a80 size=00066748 align=0x00000010 r-x .text
> ; framesize = 8
> ; args = 0
> ; vars = 0
> ; drefs = 3
> | | _text:0x08049A80, 0 / entrypoint:
> | | _text:0x08049A80, 0 | 31ed xor ebp, ebp
> | | _text:0x08049A82 -8_| 5e pop esi
> | | _text:0x08049A83 -8 | 89e1 mov ecx, esp
> | | _text:0x08049A85 -8 | 83e4f0 and esp, 0xf0 ; 240 ' '
> | | _text:0x08049A88, 0_| 50 push eax
> | | _text:0x08049A89 8_| 54 push esp
> | | _text:0x08049A8A 16_| 52 push edx
> | | _text:0x08049A8B 24_| 68609e0508 push dword 0x8059e60 ;
> | | _text:0x08049A90, 32_| 68709e0508 push dword 0x8059e70 ;
> | | _text:0x08049A95 40_| 51 push ecx
> | | _text:0x08049A96 48_| 56 push esi
> | | _text:0x08049A97 56_| 6880e80408 push dword 0x804e880 ;
> | `=< _text:0x08049A9C, 56 | e88ffbffff call 0x8049635 ; 1 = imp___libc_start_main
> | _text:0x08049AA1 56 | f4 hlt
> ..........
>
> Note the instruction at 0x08049A85. While on radare it translates to "and esp, 0xf0", on objdump (and HT) it is "and esp,0xfffffff0". Also note the instruction at 0x08049A9C. While on radare it is "call 0x8049635", on objdump/HT, it is "call 0x8049630".
>
> I'm using radare 1.0.
>
> Keep up the good work!
>
> Regards,
> --
> Anderson Lizardo
> _______________________________________________
> radare mailing list
> [email protected]
> http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
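A worked decoding of the two encodings discussed in this thread, added here as an example; it is not code from the thread or from radare, and the decoder, its function names and the register/opcode tables are my own construction covering only the opcode forms the thread mentions. It shows how the 8-bit immediate of the 0x83 form is sign-extended to a 32-bit operand (the 0x80 form is included for contrast as the true byte version), and how an e8 call target is computed relative to the address of the following instruction.

```python
import struct

# Lookup tables for the subset of x86 encodings handled below (constructed here).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # ModRM.reg selects the op


def sign_extend8(b: int) -> int:
    """Sign-extend an 8-bit immediate to 32 bits, returned as an unsigned 32-bit value."""
    return (b - 0x100 if b & 0x80 else b) & 0xFFFFFFFF


def decode(code: bytes, addr: int) -> tuple:
    """Decode one instruction from `code` located at virtual address `addr`.

    Supported forms (hypothetical mini-decoder, not a general disassembler):
      80 /r ib   group-1 op r/m8,  imm8               (genuine byte form)
      83 /r ib   group-1 op r/m32, imm8 sign-extended (32-bit op, 8-bit encoding)
      e8 rel32   call rel32, target relative to the NEXT instruction's address
    Returns (intel_syntax_text, instruction_length).
    """
    op = code[0]
    if op in (0x80, 0x83):
        modrm, imm8 = code[1], code[2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:  # only register operands are handled in this example
            raise ValueError("memory operands not handled")
        mnem = GROUP1[reg]
        if op == 0x80:
            return f"{mnem} {REGS8[rm]}, 0x{imm8:x}", 3
        return f"{mnem} {REGS32[rm]}, 0x{sign_extend8(imm8):x}", 3
    if op == 0xE8:
        rel32 = struct.unpack("<i", code[1:5])[0]      # little-endian signed displacement
        target = (addr + 5 + rel32) & 0xFFFFFFFF       # relative to end of the 5-byte call
        return f"call 0x{target:x}", 5
    raise ValueError(f"opcode 0x{op:02x} not handled")


if __name__ == "__main__":
    # The two instructions from the /bin/ls listing quoted in the thread.
    print(decode(bytes.fromhex("83e4f0"), 0x08049A85))      # and esp, 0xfffffff0
    print(decode(bytes.fromhex("e88ffbffff"), 0x08049A9C))  # call 0x8049630
```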
