GCC Extended Asm - C/C++ inline assembly
With extended asm you can read and write C variables from assembler and perform jumps from assembler code to C labels.
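The three things the summary names, as an added example that is not part of the original page: output and input operands with constraints and a clobber list, an asm goto that jumps into a C label, and a volatile asm with a "memory" clobber used as a compiler barrier. The assembly assumes x86-64 (AT&T syntax); on other targets the same functions fall back to plain C so the file still builds and behaves identically. Function names and values are chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Input/output operands and a clobber list.
   Adds a and b in assembly and returns 1 if the signed add overflowed.
   "=&r" : output in any general register; "&" (early clobber) because the
           register is written before the last input (b) has been read.
   "=q"  : a byte-addressable register for the seto result.
   "r"   : inputs in any general register.
   "cc"  : tells GCC the condition-code flags are clobbered. */
static int add_overflows(int64_t a, int64_t b, int64_t *sum)
{
#if defined(__x86_64__)
    int64_t result;
    unsigned char of;
    __asm__ (
        "movq %[a], %[res]\n\t"
        "addq %[b], %[res]\n\t"
        "seto %[of]"
        : [res] "=&r" (result), [of] "=q" (of)
        : [a] "r" (a), [b] "r" (b)
        : "cc");
    *sum = result;
    return of;
#else
    /* Non-x86-64 hosts: identical semantics via the compiler builtin. */
    return __builtin_add_overflow(a, b, sum);
#endif
}

/* 2. asm goto: control flow from assembly into a C label.
   The fourth colon section lists C labels the asm may jump to; %l[odd]
   expands to the assembler name of that label. asm goto statements take
   inputs but (before GCC 11) no outputs, and are implicitly volatile. */
static int is_odd(uint64_t x)
{
#if defined(__x86_64__)
    __asm__ goto (
        "testq $1, %[x]\n\t"
        "jnz %l[odd]"
        : /* no outputs */
        : [x] "r" (x)
        : "cc"
        : odd);
    return 0;           /* fall-through: bit 0 is clear */
odd:
    return 1;
#else
    return (int)(x & 1);
#endif
}

/* 3. A volatile asm with a "memory" clobber as a compiler barrier.
   On its own, a memset of a buffer that is never read again may be removed
   as a dead store, leaving the secret in memory. The empty asm takes p as
   an input and declares that it may read or write any memory, so the
   stores have to be complete before it and cannot be dropped. */
static void secure_zero(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__ ("" : : "r" (p) : "memory");
}

static int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

int main(void)
{
    int64_t s;
    printf("1 + 2: overflow=%d sum=%lld\n", add_overflows(1, 2, &s), (long long)s);
    printf("INT64_MAX + 1: overflow=%d\n", add_overflows(INT64_MAX, 1, &s));
    printf("is_odd(7)=%d is_odd(8)=%d\n", is_odd(7), is_odd(8));
    unsigned char key[32];
    memset(key, 0xAA, sizeof key);
    secure_zero(key, sizeof key);
    printf("key cleared: %s\n", all_zero(key, sizeof key) ? "yes" : "no");
    return 0;
}
```

Compile with `gcc -O2` and compare the generated code with and without the barrier in secure_zero (`gcc -O2 -S`) to see the dead-store elimination the "memory" clobber prevents.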
So far, we've combed through the basics - expr, a module - analysis and i/p modules - info/print.
In this article, I'll give an overview of the d and v modules:
d: Debugging module, dedicated to dynamic analysis. Supports viewing registers, setting breakpoints, controlling program execution (continue, step), etc.
v: Visual mode, a user-friendly alternative to the command line that offers a variety of visualization features.
So far, we've combed through the basics - expr and a module - analysis.
In this article, I'll give an overview of the i and p modules:
i: displaying information about the binary (the program being debugged).
p: printing memory and data, such as the hexdump, the disassembly, and the strings.
So far, we've combed through the basic usage of r2, see basics and expr.
In this article, I'll give an overview of the a module that supports analysis.
After installing the radare2 toolset, we've come on board.
Let's set sail with some important and frequently used commands.
First raw, then ripe. Well begun is half done.
radare: UNIX-like reverse engineering framework and command-line toolset.
The Radare2 project is a set of small command-line utilities that can be used together or independently.
You can debug a program from the command line using GDB or even more powerful tools such as Radare2, IDA Pro and Binary Ninja.
Every loadable or allocatable output section has two addresses. The first is the VMA, or virtual memory address. This is the address the section will have when the output file is run. The second is the LMA, or load memory address. This is the address at which the section will be loaded.
In most cases, the two addresses will be the same, because wherever the program is loaded into memory, that is where it will be executed. So what's the actual difference between the VMA and the LMA? Under what circumstances does VMA != LMA? The classic case is a ROM image: initialised data is stored in ROM (its LMA) and copied to RAM (its VMA) by the startup code before it is used.
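The two addresses are visible in the ELF program headers, where p_vaddr is the VMA and p_paddr is the LMA of each PT_LOAD segment. The following is an added example, not code from the original page: it parses the program headers of an ELF64 image with bounds checks (the file may be hostile), flags the segments where VMA != LMA, and comes with a constructed two-segment sample whose data segment runs in RAM at 0x20000000 but is stored in ROM at 0x08001000. The addresses, the struct names and the ELF64/x86-64 choice for the sample are assumptions made for illustration; it assumes a little-endian host and Linux's <elf.h>.

```c
#include <elf.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One PT_LOAD segment as readelf -l reports it: p_vaddr is the VMA (where
   the bytes execute), p_paddr is the LMA (where they are stored at load). */
struct load_seg {
    uint64_t vaddr, paddr, filesz, memsz;
    int vma_ne_lma;      /* 1 when startup code must copy the segment */
};

/* Walk the program headers of an in-memory ELF64 little-endian image and
   return the number of PT_LOAD segments, filling up to max entries of out.
   Every offset is checked against len before it is read; anything
   malformed or truncated yields 0. */
size_t list_load_segments(const unsigned char *img, size_t len,
                          struct load_seg *out, size_t max)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return 0;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return 0;
    /* phoff + phnum * phentsize must fit in len, checked without overflow */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return 0;

    size_t n = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD)
            continue;
        if (n < max) {
            out[n].vaddr = ph.p_vaddr;
            out[n].paddr = ph.p_paddr;
            out[n].filesz = ph.p_filesz;
            out[n].memsz = ph.p_memsz;
            out[n].vma_ne_lma = ph.p_vaddr != ph.p_paddr;
        }
        n++;
    }
    return n;
}

/* Constructed sample image (hypothetical addresses): code runs and is
   stored at 0x08000000, while initialised data runs at 0x20000000 (RAM)
   but is stored at 0x08001000 (ROM). Startup code copies filesz bytes from
   LMA to VMA and zeroes the remaining memsz - filesz bytes (.bss). */
size_t build_sample(unsigned char *buf, size_t cap)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {
        { .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_offset = 0x1000,
          .p_vaddr = 0x08000000, .p_paddr = 0x08000000,
          .p_filesz = 0x1000, .p_memsz = 0x1000, .p_align = 0x1000 },
        { .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_offset = 0x2000,
          .p_vaddr = 0x20000000, .p_paddr = 0x08001000,
          .p_filesz = 0x100, .p_memsz = 0x300, .p_align = 0x1000 },
    };
    if (cap < sizeof eh + sizeof ph)
        return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

int main(int argc, char **argv)
{
    static unsigned char file[1 << 20];   /* program headers sit near the front */
    unsigned char sample[256];
    const unsigned char *img = sample;
    size_t len = build_sample(sample, sizeof sample);
    if (argc > 1) {                       /* or inspect a real ELF file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        len = fread(file, 1, sizeof file, f);
        fclose(f);
        img = file;
    }
    struct load_seg seg[16];
    size_t n = list_load_segments(img, len, seg, 16);
    if (n == 0) { fputs("not a parsable ELF64 image\n", stderr); return 1; }
    for (size_t i = 0; i < n && i < 16; i++)
        printf("LOAD vma=0x%08" PRIx64 " lma=0x%08" PRIx64 " filesz=0x%" PRIx64
               " memsz=0x%" PRIx64 "%s\n", seg[i].vaddr, seg[i].paddr,
               seg[i].filesz, seg[i].memsz,
               seg[i].vma_ne_lma ? "  (VMA != LMA)" : "");
    return 0;
}
```

Run it with no argument to see the constructed firmware-style layout, or with the path of any ELF64 binary; `readelf -l` on the same file shows the same VirtAddr/PhysAddr columns, and `objdump -h` shows the per-section VMA and LMA.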
Core dump: In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information.
Core File Generation (Debugging with GDB): A core file or core dump is a file that records the memory image of a running process and its process status (register values etc.). Its primary use is post-mortem debugging of a program that crashed while it ran outside a debugger. A program that crashes automatically produces a core file, unless this feature is disabled by the user.
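Whether a crashing process actually produces a core file is governed, per process, by the RLIMIT_CORE resource limit (what `ulimit -c` sets). The following is an added example, not code from the page or from GDB: it raises the soft core limit to the hard limit before deliberately aborting, and shows the opposite for a program that holds secrets, since a core file is a full copy of the process memory. Function names are chosen for illustration; the code assumes Linux (prctl).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Raise the soft RLIMIT_CORE to the hard limit so a crash in this process
   writes a core file. Returns 0 on success, -1 on failure (errno set).
   An unprivileged process may raise its soft limit only up to the hard
   limit, so this cannot undo a hard limit of 0 set with "ulimit -Hc 0". */
int enable_core_dumps(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Effective soft limit in bytes: 0 means no core file will be written. */
rlim_t core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* The opposite, for services that hold keys or credentials: clamp both
   limits to 0 (lowering the hard limit is allowed and is irreversible for
   an unprivileged process) and mark the process non-dumpable, which also
   stops same-uid processes from ptrace-attaching to it. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    if (enable_core_dumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    if (core_limit() == 0)
        fputs("hard core limit is 0: no core file will be written\n", stderr);

    volatile int marker = 0x41414141;   /* something to locate in the dump */
    (void)marker;
    abort();                            /* SIGABRT: abnormal termination, core dumped */
}
```

Where the core file ends up is decided by /proc/sys/kernel/core_pattern: a plain name writes it to the working directory (`gdb ./a.out core` then loads it), while a pipe to systemd-coredump means you retrieve it with `coredumpctl`.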
strings - print the sequences of printable characters in files.
For each file given, GNU strings prints the printable character sequences that are at least 4 characters long (or the number given with -n) and are followed by an unprintable character.
strings is mainly useful for determining the contents of non-text files.
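The same rule in code, as an added example that is not part of the page or of GNU binutils: a scanner that emits every run of at least min_len printable bytes terminated by an unprintable byte (or by the end of the input, as GNU strings does when it reaches end of file), run over a constructed blob of the kind a binary triage turns up, with an embedded shell path, a credential and a URL. The "printable" set (ASCII 0x20-0x7e plus tab) is taken from GNU strings' default 7-bit behaviour; the sample bytes and the STR_MAX cap are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STR_MAX 256   /* longest string kept; longer runs are truncated, not dropped */

/* Printable as GNU strings counts it by default: ASCII graphic characters,
   space, and tab. */
static int is_printable(unsigned char c)
{
    return (c >= 0x20 && c < 0x7f) || c == '\t';
}

/* Scan buf[0..len) and copy each run of at least min_len printable bytes
   into out[]. A run ends at an unprintable byte or at the end of the
   buffer. Returns the total number of runs found, which may exceed max_out
   so the caller can tell that output was truncated. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                       char out[][STR_MAX], size_t max_out)
{
    size_t found = 0, run = 0;
    char cur[STR_MAX];

    for (size_t i = 0; i <= len; i++) {
        if (i < len && is_printable(buf[i])) {
            if (run < STR_MAX - 1)
                cur[run] = (char)buf[i];
            run++;
            continue;
        }
        /* unprintable byte, or i == len: the run is over */
        if (run >= min_len) {
            size_t n = run < STR_MAX - 1 ? run : STR_MAX - 1;
            cur[n] = '\0';
            if (found < max_out)
                memcpy(out[found], cur, n + 1);
            found++;
        }
        run = 0;
    }
    return found;
}

/* Constructed sample blob: an ELF-like header, a 3-byte run that is too
   short at the default length, and three runs a triage would care about. */
static const unsigned char SAMPLE[] =
    "\x7f" "ELF" "\x02\x01\x01\x00" "abc" "\x00"
    "/bin/sh" "\x00\x90\x90"
    "PASSWORD=hunter2" "\xff"
    "https://example.invalid/beacon";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

int main(void)
{
    char out[16][STR_MAX];
    size_t n = extract_strings(SAMPLE, SAMPLE_LEN, 4, out, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        puts(out[i]);
    return 0;
}
```

With min_len 4 the scanner prints /bin/sh, PASSWORD=hunter2 and the URL; lowering it to 3 (the equivalent of `strings -n 3`) additionally surfaces ELF and abc, which is why a short minimum produces far more noise on real binaries.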