Disassembling radare2 search output

reverse-engineering radare2
2021-07-09 03:50:36
[0x00402079]> / valid
Searching 5 bytes from 0x00401000 to 0x0040561e: 76 61 6c 69 64
# 3 [0x401000-0x40561e]
hits: 5
0x00401695 hit6_0 "valid"
0x00401fca hit6_1 "valid"
0x00402095 hit6_2 "valid"
0x004029ca hit6_3 "valid"
0x004037ca hit6_4 "valid"

[0x00402079]> / valid~[0]
Searching 5 bytes from 0x00401000 to 0x0040561e: 76 61 6c 69 64
# 3 [0x401000-0x40561e]
hits: 5
0x00401695
0x00401fca
0x00402095
0x004029ca
0x004037ca

[0x008040f2]> ? {/ valid~[0]}
RNum ERROR: Division by Zero
0

[0x008040f2]> ? 0x00401695
4200085 0x401695 020013225 4M 40000:0695 4200085 10010101 0.0 0.000000f 0.000000

How can I disassemble, or otherwise use, the output of a search?

I am also open to other ways of automating work with the search results, thanks.

1 Answer
[0x01012475]> / calc
Searching 4 bytes from 0x01001000 to 0x0101e960: 63 61 6c 63
# 3 [0x1001000-0x101e960]
hits: 3
0x0100161c hit1_0 "calc"
0x01015079 hit1_1 "\\u00ff\\u00ff\\u00ff\\u00ff"
0x01016679 hit1_2 "calc"
[0x01012475]> pdi 4 @ hit1_0
0x0100161c    hit1_0:
0x0100161c           63616c  arpl word [ecx + 0x6c], sp
0x0100161f             632e  arpl word [esi], bp
0x01001621             7064  jo 0x1001687
0x01001623             6200  bound eax, qword [eax]
[0x01012475]> pdi 4 @ hit1_1
0x01015079    hit1_1:
0x01015079               ff  invalid
0x0101507a               ff  invalid
0x0101507b               ff  invalid
0x0101507c               ff  invalid
[0x01012475]> pdi 4 @ hit1_2
0x01016679    hit1_2:
0x01016679           63616c  arpl word [ecx + 0x6c], sp
0x0101667c             6322  arpl word [edx], sp
0x0101667e       0d0a202020  or eax, 0x2020200a
0x01016683           207072  and byte [eax + 0x72], dh
[0x01012475]>

Or using a regex

:>radare2 c:\WINDOWS\system32\calc.exe
 -- Nothing to see here. Move along.
[0x01012475]> / calc
Searching 4 bytes from 0x01001000 to 0x0101e960: 63 61 6c 63
# 3 [0x1001000-0x101e960]
hits: 3
0x0100161c hit0_0 "calc"
0x01015079 hit0_1 "\\u00ff\\u00ff\\u00ff\\u00ff"
0x01016679 hit0_2 "calc"
[0x01012475]> pdi 4 @@ hit*
0x0100161c    hit0_0:
0x0100161c           63616c  arpl word [ecx + 0x6c], sp
0x0100161f             632e  arpl word [esi], bp
0x01001621             7064  jo 0x1001687
0x01001623             6200  bound eax, qword [eax]
0x01015079    hit0_1:
0x01015079               ff  invalid
0x0101507a               ff  invalid
0x0101507b               ff  invalid
0x0101507c               ff  invalid
0x01016679    hit0_2:
0x01016679           63616c  arpl word [ecx + 0x6c], sp
0x0101667c             6322  arpl word [edx], sp
0x0101667e       0d0a202020  or eax, 0x2020200a
0x01016683           207072  and byte [eax + 0x72], dh
[0x01012475]>

You can also use an iterator: pid 4 @@ `/ ls`

Thanks to jvoisin for the edit

[0x01012475]> px @@ `/ calc`
Searching 4 bytes from 0x01001000 to 0x0101e960: 63 61 6c 63
# 3 [0x1001000-0x101e960]
hits: 2
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0100161c  6361 6c63 2e70 6462 0000                 calc.pdb..
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x01016679  6361 6c63 220d 0a20 2020                 calc"..
[0x01012475]>
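An added example, not part of the question or the answer: a small Python helper that parses the `/` search output shown above into hit addresses and builds the `pdi N @ addr` and `pdi N @@ hit*` commands the answer uses, so the search results can be scripted outside the interactive shell. The sample session is the `/ calc` output from the answer; the `hits: N` consistency check and the needle filter that drops the stray `\u00ff` hit are my own additions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of radare2's "/" search output; the label and quoted text are optional
# so the stripped "/ valid~[0]" form (bare addresses) parses as well:
#   0x00401695 hit6_0 "valid"      or      0x00401695
HIT_RE = re.compile(r'^(0x[0-9a-fA-F]+)(?:\s+(hit\d+_\d+)\s+"(.*)")?$')

@dataclass(frozen=True)
class Hit:
    addr: int
    label: Optional[str]
    text: Optional[str]

def parse_hits(search_output: str) -> List[Hit]:
    """Extract hits, skipping the "Searching ..." / "# N" headers; verify the "hits: N" count."""
    hits, expected = [], None
    for line in search_output.splitlines():
        line = line.strip()
        if line.startswith("hits:"):
            expected = int(line.split(":", 1)[1])
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(int(m.group(1), 16), m.group(2), m.group(3)))
    if expected is not None and expected != len(hits):
        raise ValueError(f"'hits: {expected}' but parsed {len(hits)} hit lines")
    return hits

def disasm_commands(hits: List[Hit], count: int = 4, needle: Optional[str] = None) -> List[str]:
    """One 'pdi <count> @ <addr>' per hit; with needle set, drop hits whose shown
    text differs from it (e.g. the "\\u00ff..." hit in the answer's session)."""
    keep = [h for h in hits if needle is None or h.text in (None, needle)]
    return [f"pdi {count} @ 0x{h.addr:08x}" for h in keep]

def batch_command(needle: str, count: int = 4) -> str:
    """The answer's one-shot form: search, then disassemble at every hit via @@."""
    return f"/ {needle}; pdi {count} @@ hit*"

# Constructed sample: the "/ calc" session from the answer above.
SAMPLE = r"""Searching 4 bytes from 0x01001000 to 0x0101e960: 63 61 6c 63
# 3 [0x1001000-0x101e960]
hits: 3
0x0100161c hit0_0 "calc"
0x01015079 hit0_1 "\u00ff\u00ff\u00ff\u00ff"
0x01016679 hit0_2 "calc"
"""
```

The string from `batch_command()` can be handed to a non-interactive session with `r2 -q -c '<command>' <file>` (assumes r2 is on PATH), which is how the search-plus-disassemble step can be scripted for many binaries.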