radare
commented
5 years ago with ahe you can replace the esil expression at any address. Esil expressions can contain r2 commands or run r2pipe scripts that change any register or memory value. You can also use aep to set an esil pin.. this is basicslly the same as an esil hint but only to run r2 commands instead of replacing esil expressions.
The help msg of aep is not clear at all.. but heres a simple example:
$ r2 -
aep ?e hello world @ 0 aes Hello world
This esil pin thing was kind of idea before esil expressions allowed to run r2 commands ans that was stuck waiting for feedback 2 years ago. So i would be happy to hear about your comments on this.
How would u expect to solve this without knowing any of this? I would be happy to deprecate the esil pins and just use esil hints. But we should provide an easy way to reimplement most libc imports and do that with one command or using a script that comes with r2.. maybe having some custom implementations like we have for syscalls,
Anither option i would think is to treat calls specially and be able to reimplement or ignore any call that falls in a memory range (plt). And just return 0. (We have wao to write portable assembly). So another solution is to use io.cache and reimplement those instructions by patching them in memory.
As i said. I understand this is a very common problem when using esil for real many cases and i want/need feedback to get this right/tight so it makes sense for everyone and not just me :) but as i said there r already a bunch of possible solutions right now, like the esil hint way
ahe rsp,[8],rip,=,8,rsp,-= @@ sym.imp*
Obv this is not portable, and i think we should have a bunch of crossplatform esil expressions or way to ignore calls.
Feedback is welcome. If u search for “aep” and “ahe” is issues u will find other attempts to simplify this issue
On 19 Aug 2019, at 00:31, lamin3 notifications@github.com wrote:
Hello,
A very simple question: in the sequence below, how can I with ESIL, don't get into the code of sym.imp.func:
address1 call dword [sym.imp.function] address2 mov ...
Ideally, when I meet a call [sym.import...] , I want just to replace the address of import by the address +1 of the actual sequence(i.e. mov instruction on that case). I don't want to make a step over, because I need to see the code of other calls. My concern is only about imports.
Could you please help with some commands that automate that for all sym.imports, and for for any binary.
Thanks a lot for your help in advance
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.
laminenoureddine
Hello,
A very simple question: in the sequence below, how can I with ESIL, don't get into the code of sym.imp.func:
address1 call dword [sym.imp.function] address2 mov ...
Ideally, when I meet a call [sym.import...] , I want just to replace the address of import by the address +1 of the actual sequence(i.e. mov instruction on that case). I don't want to make a step over, because I need to see the code of other calls. My concern is only about imports.
Could you please help with some commands that automate that for all sym.imports that I can find in the binary.
Thanks a lot for your help in advance