As for the call, as far as I can tell, radare is off on this one. Must be adding the length to the target address of the instruction twice or something like that.
On Fri, Nov 14, 2008 at 9:29 PM, Evan Teran <[EMAIL PROTECTED]> wrote:
> just a note that the bytes: 83 e4 f0 decode to the BYTE version of
> the AND instruction, meaning that it will only affect the lowest byte
> of the target. In the context of AND, a 32-bit AND with 0xfffffff0 and
> an 8-bit AND with 0xf0 are functionally equivalent. Both yield the
> same result, and I would actually call radare more correct on this one
> since it is a byte oriented op.
>
> Evan Teran
>
> On Fri, Nov 14, 2008 at 9:02 PM, Anderson Lizardo
> <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> Finally I decided to spend some time playing with radare :) This was
>> on my TODO for a long time.
>>
>> Anyway, I have a few notes after some short usage time:
>>
>> 1) Building from sources using ACR (i.e. ./configure ... ; make)
>> always fails on my Ubuntu (Hardy) system while compiling grava (it
>> cannot find some GTK headers and also some GUI headers, even though I
>> used --without-gui in configure). I had to fiddle with CFLAGS to make
>> it build properly.
>>
>> 2) I tried a simple session with /bin/ls. Steps followed:
>>
>> - set .radarerc to:
>>
>> eval scr.color = true
>> eval asm.syntax = intel
>> eval file.analyze = true
>> eval file.id = true
>> eval file.flag = true
>>
>> - start radare with "radare /bin/ls"
>> - disassemble with "pd". Here are the first lines of what I get:
>>
>> ; [13] 0x08049a80 size=00066748 align=0x00000010 r-x .text
>> ; framesize = 8
>> ; args = 0
>> ; vars = 0
>> ; drefs = 3
>> | | _text:0x08049A80, 0 / entrypoint:
>> | | _text:0x08049A80, 0 | 31ed          xor ebp, ebp
>> | | _text:0x08049A82 -8_| 5e            pop esi
>> | | _text:0x08049A83 -8 | 89e1          mov ecx, esp
>> | | _text:0x08049A85 -8 | 83e4f0        and esp, 0xf0 ; 240 ' '
>> | | _text:0x08049A88, 0_| 50            push eax
>> | | _text:0x08049A89 8_| 54             push esp
>> | | _text:0x08049A8A 16_| 52            push edx
>> | | _text:0x08049A8B 24_| 68609e0508    push dword 0x8059e60 ;
>> | | _text:0x08049A90, 32_| 68709e0508   push dword 0x8059e70 ;
>> | | _text:0x08049A95 40_| 51            push ecx
>> | | _text:0x08049A96 48_| 56            push esi
>> | | _text:0x08049A97 56_| 6880e80408    push dword 0x804e880 ;
>> | `=< _text:0x08049A9C, 56 | e88ffbffff call 0x8049635 ; 1 = imp___libc_start_main
>> | _text:0x08049AA1 56 | f4              hlt
>> ..........
>>
>> Note the instruction at 0x08049A85. While on radare it translates to
>> "and esp, 0xf0", on objdump (and HT) it is "and esp,0xfffffff0".
>> Also note the instruction at 0x08049A9C. While on radare it is "call
>> 0x8049635", on objdump/HT, it is "call 0x8049630".
>>
>> I'm using radare 1.0.
>>
>> Keep up the good work!
>>
>> Regards,
>> --
>> Anderson Lizardo
>> _______________________________________________
>> radare mailing list
>> [email protected]
>> http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
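To check the two disputed lines by hand, here is an added example (not radare's code and not posted by anyone on the list) that decodes the two byte sequences from the listing using the x86 encoding rules: `83 /4 ib` is AND r/m32 with an imm8 that is sign-extended to the 32-bit operand size, and `E8 cd` is CALL with a rel32 displacement measured from the end of the call instruction. The bytes and addresses are the ones quoted above; `radare_style_target` is a hypothetical helper that reproduces the listing's 0x8049635 by counting the call's length twice, as the reply above guesses.

```python
import struct

# 32-bit register names indexed by the ModRM r/m field.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code: bytes, addr: int):
    """Decode the instruction at `addr` whose bytes start at code[0].

    Only the two encodings discussed in the thread are handled:
      83 /4 ib   AND r/m32, imm8  (register-direct form, mod == 11)
      E8 cd      CALL rel32
    Returns (intel-syntax text, instruction length).
    """
    op = code[0]
    if op == 0x83:
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3 or reg != 4:
            raise NotImplementedError("only AND r32, imm8 is handled here")
        # The imm8 is sign-extended to the 32-bit operand size: byte 0xF0
        # becomes 0xFFFFFFF0, so the upper bits of esp survive the AND.
        imm = struct.unpack("<b", code[2:3])[0] & 0xFFFFFFFF
        return f"and {REGS32[rm]}, 0x{imm:x}", 3
    if op == 0xE8:
        # rel32 is relative to the address of the *next* instruction.
        length = 5
        rel = struct.unpack("<i", code[1:5])[0]
        target = (addr + length + rel) & 0xFFFFFFFF
        return f"call 0x{target:x}", length
    raise NotImplementedError(f"opcode {op:#x} not handled")


def radare_style_target(code: bytes, addr: int):
    """Hypothetical: reproduce the listing's value by adding the call's
    length twice, which is the guess made in the reply above."""
    rel = struct.unpack("<i", code[1:5])[0]
    return (addr + 5 + 5 + rel) & 0xFFFFFFFF


def check_listing():
    """Bytes and addresses taken from the quoted disassembly of /bin/ls."""
    and_text, _ = decode_one(bytes.fromhex("83e4f0"), 0x08049A85)
    call_text, _ = decode_one(bytes.fromhex("e88ffbffff"), 0x08049A9C)
    return and_text, call_text


if __name__ == "__main__":
    print(check_listing())
    print(hex(radare_style_target(bytes.fromhex("e88ffbffff"), 0x08049A9C)))
```

Both results match the objdump/HT output quoted above, and the double-length helper lands exactly on the 0x8049635 that radare 1.0 printed.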
