I'm a bit busy for different reasons these days and I am spending more time thinking on how to implement stuff for radare than doing it. Things are changing smoothly but nicely in the core.

Every week more and more stuff is being moved into the "libr", so we expect to use some of them for the upcoming pre2k9 1.1 release.

I have fixed some packaging issues that will make gentoo users happy, and what I'm currently doing is enhancing the internal virtual machine.

Since a few releases ago radare has had a command to manage this virtual machine, which allows you to create virtual registers and evaluate expressions.

This weekend I implemented a cached memory access with a virtual-mmu layer that can allow us to emulate code by using overlapped files or just using the basic radare IO as source. The write operations are cached in an internal cache, so the stack access (for example) is emulated and the underlying process is still working without any manipulation.

Registers support get/set eval expressions, so it is easy to implement sub-registers like intel does for AH, AL, ... Each register is defined with a type and size. All this stuff can be scripted, so you can define your own architecture in a single file and use it to emulate a piece of code.

The emulation of code is done through the 'pas' layer, which parses a disassembled opcode into an evaluation expression that can be executed by the vm.

Currently the expression parser is a bit primitive and needs more love, but I will work on this part for a while to reach a decent state. Actually this code can be used to emulate a few opcodes and determine the values and memory accesses of a program, but it does not yet support metamorphic code. But it will help in the work of dropping garbage code and determining syscall access.

About the syscalling stuff: I have moved all this shit into a new library called libr.syscall that offers an interface for resolving syscalls by name or number and interrupt number for multiple architectures and operating systems. I plan to make it more extensible and support user-defined tables given by the user.

So, stay tuned for advances. afaik Nibble is working on libr.bin and libr.asm that will enable radare to rebase binaries for multiple architectures based on the concepts of PAS and the VM that sometime will be moved into libr.vm. The new APIs are not yet used in the core, but they can be used manually (check the test programs fmi).

Enjoy! :)
[0x465D8810]> avi ; import reg values from debugger
[0x465D8810]> avr ; show regs of the vm
eax int32 0x00000000
al int8 0x00000000
ah int8 0x00000000
ebx int32 0x00000000
ecx int32 0x00000000
edx int32 0x00000000
esi int32 0x00000000
edi int32 0x00000000
eip int32 0x465d8810
esp int32 0xbfdfa4a0
ebp int32 0x00000000
zf bit 0x00000000
cf bit 0x00000000
cf bit 0x00000000
[0x465D8810]> avx 10 ; emulate 10 opcodes
Emulating 10 opcodes
0x465d8810, eip:
0x465d8810, eax = esp
0x465d8812 call 0x465d8a60
CALL( 0x465d8a60)
0x465d8a60, push ebp
0x465d8a61 ebp = esp
0x465d8a63 push edi
0x465d8a64, push esi
0x465d8a65 push ebx
0x465d8a66 call 0x465ed79b
CALL( 0x465ed79b)
0x465ed79b ebx = [esp]
0x465ed79e ret
[0x465D8810]> avr ; show registers again.
eax int32 0xbfed8570
al int8 0x70
ah int8 0x85
ebx int32 0xba5500c3
ecx int32 0x00000000
edx int32 0x00000000
esi int32 0x00000000
edi int32 0x00000000
eip int32 0x465ed79f
esp int32 0xbfed8588
ebp int32 0xbfed8578
zf bit 0x00000000
cf bit 0x00000000
cf bit 0x00000000
--pancake
_______________________________________________
radare mailing list
[email protected]
http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
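As an added illustration (not radare's code and not part of the post above), here is a toy Python model of the three mechanisms the post describes: typed 32-bit registers with AH/AL sub-registers evaluated as get/set expressions over eax, a write cache layered over a read-only backing store so the underlying memory is never modified, and a 'pas'-style step function that replays the avx trace from the session. The opcode sizes, the empty backing memory, and the ToyVM/run_session names are assumptions of this example.

```python
import struct
class ToyVM:
    SUBREGS = {"al": ("eax", 0), "ah": ("eax", 8)}  # 8-bit sub-register -> (parent, bit shift)
    def __init__(self, backing, esp, eip):
        self.regs = dict(eax=0, ebx=0, ecx=0, edx=0, esi=0, edi=0, ebp=0, esp=esp, eip=eip)
        self.backing = backing  # read-only byte map standing in for the radare IO layer
        self.cache = {}         # every write lands here, so the underlying memory is untouched
    def get(self, name):  # a sub-register is evaluated as an expression over its parent
        if name in self.SUBREGS:
            parent, shift = self.SUBREGS[name]
            return (self.regs[parent] >> shift) & 0xff
        return self.regs[name]
    def set(self, name, value):  # writing AL/AH patches only that byte of EAX
        if name in self.SUBREGS:
            parent, shift = self.SUBREGS[name]
            self.regs[parent] = (self.regs[parent] & ~(0xff << shift)) | ((value & 0xff) << shift)
        else:
            self.regs[name] = value & 0xffffffff
    def read32(self, a):  # cached bytes take precedence over the backing store
        return struct.unpack("<I", bytes(self.cache.get(a + i, self.backing.get(a + i, 0)) for i in range(4)))[0]
    def write32(self, a, value):
        self.cache.update({a + i: b for i, b in enumerate(struct.pack("<I", value & 0xffffffff))})
    def push(self, value):
        self.set("esp", self.get("esp") - 4)
        self.write32(self.get("esp"), value)
    def step(self, pc, size, expr):  # one 'pas'-style expression (the form avx prints); returns next eip
        if expr == "ret":  # pop the return address
            self.set("esp", self.get("esp") + 4)
            return self.read32(self.get("esp") - 4)
        if expr.startswith("call "):
            self.push(pc + size)
            return int(expr[5:], 16)
        if expr.startswith("push "):
            self.push(self.get(expr[5:]))
        else:  # "dst = src" or "dst = [src]"
            dst, src = (t.strip() for t in expr.split("="))
            self.set(dst, self.read32(self.get(src[1:-1])) if src.startswith("[") else self.get(src))
        return pc + size
# Constructed trace mirroring the avx session in the post; opcode sizes are assumed.
TRACE = [(0x465d8810, 2, "eax = esp"), (0x465d8812, 5, "call 0x465d8a60"), (0x465d8a60, 1, "push ebp"),
         (0x465d8a61, 2, "ebp = esp"), (0x465d8a63, 1, "push edi"), (0x465d8a64, 1, "push esi"),
         (0x465d8a65, 1, "push ebx"), (0x465d8a66, 5, "call 0x465ed79b"), (0x465ed79b, 3, "ebx = [esp]"),
         (0x465ed79e, 1, "ret")]
def run_session(count=10):  # like 'avx 10': run from eip following calls and rets; esp from the first avr
    vm, code = ToyVM({}, esp=0xbfdfa4a0, eip=0x465d8810), {a: (s, e) for a, s, e in TRACE}
    for _ in range(count):
        size, expr = code[vm.get("eip")]
        vm.set("eip", vm.step(vm.get("eip"), size, expr))
    return vm
```

After the ten steps, ebx holds the return address that the second call pushed and eip follows the ret back to the caller, while the backing store is still empty: all twenty-four written bytes live in the cache.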