Closed GanbaruTobi closed 2 years ago
radius2 can execute a limited subset of Dalvik instructions. Basically, if it involves any object creation or a non-static method then it won't work. Also, there is no ESIL translation of the CPOOLREF pcode instruction, so Dalvik will not fully work there either. However, you can create a state with r2frida using Radius::frida_state in Rust or using radius2 -p frida://... -a 0xcafebabe

This will place a frida hook at the address 0xcafebabe and start symbolic execution once this hook is hit, reading the real register and memory values from the program. An example is in examples/frida. So it is possible to hook the odex code and symbolically execute those native instructions.
Sorry I didn't see this sooner.

I am gonna close this issue since it is a subset of what is discussed in your other issue.
Hi,
the README states:

"radius2 can execute Dalvik bytecode only involving static methods and variables."

Is this also the case for a PCode representation? And what about odex ELF binaries?
As r2frida is working on debugging capabilities, could this be used to have a concrete state for the symbolic execution to start and might help radius on execution of dalvik code? See https://github.com/nowsecure/r2frida/issues/284