From 559520f56a2074f4daa3d6abf00a356f4ec6a144 Mon Sep 17 00:00:00 2001 From: dusoleil Date: Mon, 20 Dec 2021 02:52:55 -0500 Subject: Add doc about the rep prefix on an x86 instruction Signed-off-by: dusoleil --- docs/re/rep_prefix.txt | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/re/rep_prefix.txt (limited to 'docs/re') diff --git a/docs/re/rep_prefix.txt b/docs/re/rep_prefix.txt new file mode 100644 index 0000000..b1206cc --- /dev/null +++ b/docs/re/rep_prefix.txt @@ -0,0 +1,18 @@ +The "rep" prefix on a string instruction repeats that string instruction for CX block loads. +e.g. +STOS is "Store String" +It will store the value in AX at the address in RDI +(technically, STOSB, STOSW, STOD, and STOSQ use AL, AX, EAX, and RAX respectively) +If RCX = 0x20, RDI = some buffer, and RAX = 0, + +`rep stosq` + +is equivalent to: + +``` +buf_ptr = buf +for(i = 0x20; i != 0; i++) + *buf_ptr = 0; + buf_ptr++; +``` + -- cgit v1.2.3 From 980b6fb8689e202198adef3c44e07eafe26fefca Mon Sep 17 00:00:00 2001 From: dusoleil Date: Mon, 20 Dec 2021 02:54:37 -0500 Subject: Add doc about fixing a ptrace error in debugger. Signed-off-by: dusoleil --- docs/re/ptrace_not_permitted.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/re/ptrace_not_permitted.txt (limited to 'docs/re') diff --git a/docs/re/ptrace_not_permitted.txt b/docs/re/ptrace_not_permitted.txt new file mode 100644 index 0000000..07ca568 --- /dev/null +++ b/docs/re/ptrace_not_permitted.txt 
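Review bot: the pseudocode in docs/re/rep_prefix.txt does not model `rep stosq`. `for(i = 0x20; i != 0; i++)` counts up from 0x20 and only stops on overflow instead of counting RCX down to zero, and because the body is unbraced only `*buf_ptr = 0;` is repeated while `buf_ptr++;` runs once after the loop, so the same qword is overwritten 0x20 times. Suggest `for(i = 0x20; i != 0; i--) { *buf_ptr = 0; buf_ptr++; }` with `buf_ptr` declared as a pointer to 8-byte elements, since STOSQ advances RDI by 8 per iteration. Two smaller points in the same hunk: `STOD` in the parenthetical should read `STOSD`, and "repeats that string instruction for CX block loads" should say the instruction is repeated RCX times (CX, ECX or RCX depending on address size), decrementing the count each iteration, with RDI advancing only when DF is clear (`cld`); with DF set the store walks backwards.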
@@ -0,0 +1,22 @@ +If you are seeing errors from your debugger such as +strace: (PTRACE_ATTACH): operation not permitted +ptrace: operation not permitted +ptrace_attach: operation not permitted +etc. + +This is likely because of a linux kernel hardening setting. +/proc/sys/kernel/yama/ptrace_scope +This setting prevents a process from running ptrace on a non-child process. +Even with this on, a can still ptrace another process if it is a child. +Debuggers like gdb and radare2 use ptrace when you attach via PID. + +You can turn this off +$ sudo su +$ echo 0 > /proc/sys/kernel/yama/ptrace_scope + +Turning this off is global, though. +Instead, set the capabilities of just your debugger to override this setting. + +$ sudo setcap CAP_SYS_PTRACE=+eip /usr/bin/gdb +$ sudo setcap CAP_SYS_PTRACE=+eip /usr/bin/radare2 + -- cgit v1.2.3 From 3a6f50706a8a09e9507b7938616ae536d0e5af05 Mon Sep 17 00:00:00 2001 From: dusoleil Date: Mon, 20 Dec 2021 06:22:57 -0500 Subject: Add radare2 command cheatsheet Signed-off-by: dusoleil --- docs/re/radare2_cheatsheet.txt | 80 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 docs/re/radare2_cheatsheet.txt (limited to 'docs/re') diff --git a/docs/re/radare2_cheatsheet.txt b/docs/re/radare2_cheatsheet.txt new file mode 100644 index 0000000..1929d03 --- /dev/null +++ b/docs/re/radare2_cheatsheet.txt @@ -0,0 +1,80 @@ +r2 command cheatsheet + +https://github.com/radareorg/radare2 +https://book.rada.re + +#Run Command From Shell Without Opening r2 Prompt +r2 -q -c "" + +#Generic +? expression evaluation/conversions +! run shell command from inside r2 +s seek to address + +#Useful Operators +; do command2 after command1 +"" don't parse r2 operators in the command + `` run inner command and use its output in outer command + ~ grep output of command for lines matching word + @
temporarily seek to address and run command + @@ * run command on every flag matching flag* + @@f run command on all functions + @@f: run command on all functions matching name + @@s: run command on each offset from->to incrementing by step + +#Info and Analysis +i print file info (including binary info; e.g. rabin -I or checksec) +ia print binary info, imported symbols, and exported symbols +il print linked libraries +iS print sections (with permissions) +is print symbols +ic print classes +afl print functions +ie print entry points +iM print main's address +iz print strings in data section +izz print strings in whole binary +aaa analyze all +fs list flagspaces +fs set current flagspace +f print current flagspace +axt [] show references to this address +axf [] show references from this address + +#Searching +/ search for string +/i case-insensitive search for string +/e // regex search for string +/R search for opcodes +/R/ regex search for opcodes +/v search for value +/V search for value in range +/x search for hex string + +#Print Address Contents +pdf print function disassembled +pdc print function in c-like pseudo-code +pv print value +px print hexdump +ps print string +psz print zero-terminated string + +#Tracking Things +afn [] rename function at address +afvn [] rename variable or function argument + +#Visual Mode +V enter visual mode +VV enter visual graph mode +: open r2 cli +p next screen +P previous screen +g
seek to address +[tag next to call] seek to tag (in visual mode) +o[tag next to call] seek to tag (in visual graph mode) +x xrefs to +X xrefs from +m mark offset (in visual mode) +' seek to marked offset (in visual mode) +u undo seek +U redo seek -- cgit v1.2.3 From e3bd4713fefce416e474f837001770501fcd632d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Mon, 20 Dec 2021 06:35:54 -0500 Subject: Add install/uninstall instructions to radare doc Signed-off-by: dusoleil --- docs/re/radare2_cheatsheet.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/re') diff --git a/docs/re/radare2_cheatsheet.txt b/docs/re/radare2_cheatsheet.txt index 1929d03..e1bb63c 100644 --- a/docs/re/radare2_cheatsheet.txt +++ b/docs/re/radare2_cheatsheet.txt @@ -3,6 +3,14 @@ r2 command cheatsheet https://github.com/radareorg/radare2 https://book.rada.re +#Install +git clone https://github.com/radareorg/radare2.git +sudo ./sys/install.sh + +#Uninstall +sudo make uninstall +sudo make purge + #Run Command From Shell Without Opening r2 Prompt r2 -q -c "" -- cgit v1.2.3 From d9b88e5486046a5d1f8c6b3d51b305152de3a51d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Sat, 25 Dec 2021 12:43:52 -0500 Subject: Fix typo in for loop in asm rep prefix doc Signed-off-by: dusoleil --- docs/re/rep_prefix.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/re') diff --git a/docs/re/rep_prefix.txt b/docs/re/rep_prefix.txt index b1206cc..23e0cec 100644 --- a/docs/re/rep_prefix.txt +++ b/docs/re/rep_prefix.txt @@ -11,7 +11,7 @@ is equivalent to: ``` buf_ptr = buf -for(i = 0x20; i != 0; i++) +for(i = 0x20; i != 0; i--) *buf_ptr = 0; buf_ptr++; ``` -- cgit v1.2.3 From a666136666e1ea6207cd3b7445fe9bc5ff3d59a8 Mon Sep 17 00:00:00 2001 From: dusoleil Date: Sat, 25 Dec 2021 12:45:44 -0500 Subject: Remove 'sudo' from install command. Apparently, install.sh will automatically elevate privileges as it needs. 
Signed-off-by: dusoleil --- docs/re/radare2_cheatsheet.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/re') diff --git a/docs/re/radare2_cheatsheet.txt b/docs/re/radare2_cheatsheet.txt index e1bb63c..7c30b89 100644 --- a/docs/re/radare2_cheatsheet.txt +++ b/docs/re/radare2_cheatsheet.txt @@ -5,7 +5,7 @@ https://book.rada.re #Install git clone https://github.com/radareorg/radare2.git -sudo ./sys/install.sh +./sys/install.sh #Uninstall sudo make uninstall -- cgit v1.2.3
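Review bot: in docs/re/ptrace_not_permitted.txt (commit 980b6fb) the `setcap` lines hand out more than the doc acknowledges. A file capability on `/usr/bin/gdb` applies to every user who can execute the binary, and CAP_SYS_PTRACE lets a process attach to any process it can see regardless of uid, so this is effectively root for all local users rather than a narrower alternative to `echo 0 > /proc/sys/kernel/yama/ptrace_scope`. Suggest saying so and offering the per-process option first: the debuggee calls `prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0)` (or PR_SET_PTRACER_ANY), which Yama honours at scope 1 without any global change. Smaller points: `=+eip` mixes two operators and the conventional spelling is `setcap cap_sys_ptrace=ep /usr/bin/gdb`; the `echo 0 >` change is lost on reboot (use `sysctl -w kernel.yama.ptrace_scope=0` or a file under /etc/sysctl.d for persistence); the scope is a level 0-3, not just on/off (1 = descendants only, 2 = CAP_SYS_PTRACE only, 3 = no attach at all, and 3 cannot be lowered again without a reboot); and "a can still ptrace another process if it is a child" is missing the word "process", with the restriction being to descendants, not only direct children.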
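Review bot: a few descriptions in docs/re/radare2_cheatsheet.txt (commit 3a6f507) don't match the commands. `/R` and `/R/` search for ROP gadgets, not opcodes (opcode search is `/a`); `rabin -I` in the `i` line should be `rabin2 -I`; and `f` lists the flags in the current flagspace rather than printing the flagspace name (`fs` with no argument lists the spaces). Suggest fixing those three and spelling out argument order where it matters, e.g. `afn` takes the new name first and the address as an optional second argument.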
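Review bot: the #Install block added to the radare2 cheatsheet (commit e3bd471) is missing a `cd radare2` between `git clone https://github.com/radareorg/radare2.git` and `sudo ./sys/install.sh`, so as written the script is not found. `sudo make uninstall` and `sudo make purge` in #Uninstall likewise only work from that same checkout, with the same prefix the install used, which the doc should state.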
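Review bot: the `i++` to `i--` fix in docs/re/rep_prefix.txt (commit d9b88e5) leaves the loop body unbraced, so `*buf_ptr = 0;` is still the only repeated statement and `buf_ptr++;` runs once after the loop; the example still stores to one location 0x20 times. Suggest adding braces around both statements in the same change.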
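Review bot: the reason for dropping `sudo` from `./sys/install.sh` (commit a666136) lives only in the commit message; a one-line comment in the #Install block saying the script will prompt for sudo itself would save the next reader the surprise.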