radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0
20.73k stars 3.01k forks

cmd.esil.intr does not fire on syscall #6296

Closed xpn closed 7 years ago

xpn commented 7 years ago

This issue follows on from the twitter conversation here: https://twitter.com/_xpn_/status/806939903577591808

Issue: A syscall instruction (0f05) does not appear to fire the python script set within cmd.esil.intr, however int 0x80 (cd80) does.

Radare Version:

radare2 1.0.2 9999999 @ linux-x86-64 git.1.0.2 commit: HEAD build: 2016-11-11

During testing of the cmd.esil.intr option, the following was used:

e cmd.esil.intr=#!pipe python /home/xpn/int_hook.py

This file contains the following script, to allow notification when fired:

#!/usr/bin/env python
import r2pipe

# Launched by r2 through "#!pipe", so open() with no path attaches to the running session.
r2p = r2pipe.open()
print("Fired by r2")

I used the following test case:

BITS 64
GLOBAL _start

SECTION .text
_start:
    mov rax, 0x1
    sysenter

    mov rax, 0x1
    int 0x80

    jmp $

Compiled with:

nasm test.asm -o test.o -f elf64; ld test.o -o test

I load this into r2 with the following script named 'test.r2'

aa
aei
aeip
aeim 0xffffd000 0x2000 stack
e io.cache=true
"e cmd.esil.intr=#!pipe python /root/radare/int_hook.py"

And execute radare2 with:

r2 -i ./test.r2 ./test

When we emulate our sample by single stepping, we find that the script is only executed on the 'int 0x80', and not the 'syscall':

[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
INSIDE and WORKING
Maijin commented 7 years ago

Hello,

Ensure you are using radare2 from git; if you're unsure, paste the output of r2 -v here. To install radare2 from git, first uninstall your version of radare2 and clean your distro. Then use git clone https://github.com/radare/radare2 && cd radare2 && ./sys/install.sh, verify your version and check that there is no error using r2 -v.

xpn commented 7 years ago

Hi Maijin,

The version is listed above, it is:

radare2 1.0.2 9999999 @ linux-x86-64 git.1.0.2
commit: HEAD build: 2016-11-11

I believe this is the latest release, but I'll check out from github and retest.

radare commented 7 years ago

sysenter != syscall

radare commented 7 years ago

git pull and try again i have added sysenter as an alias for syscall. it should work now

Maijin commented 7 years ago

latest release, but not latest from git

xpn commented 7 years ago

Sorry, no idea why I provided 'sysenter' when I tested 'syscall'.

OK, so I've done a fresh git pull:

radare2 1.1.0-git 13167 @ linux-x86-64 git.1.0.2-222-g8c55d19
commit: 8c55d197b60d0a8890d138e13a8442ffcd37a0a4 build: 2016-12-09

I've updated the above assembly file to the following:

BITS 64
GLOBAL _start

SECTION .text
_start:
        mov rax, 0x1
        syscall

        mov rax, 0x1
        int 0x80

        jmp $

and I appear to still have the same issue:

[0x00400080]> pdf
            ;-- section..text:
            ;-- _start:
            ;-- rip:
/ (fcn) entry0 16
|   entry0 ();
|           0x00400080      b801000000     mov eax, 1                  ; [1] va=0x00400080 pa=0x00000080 sz=16 vsz=16 rwx=--r-x .text
|           0x00400085      0f05           syscall
|           0x00400087      b801000000     mov eax, 1
\           0x0040008c      cd80           int 0x80
|       |   ; JMP XREF from 0x0040008e (entry0)
|       `-> 0x0040008e      ebfe           jmp 0x40008e
[0x00400080]>
[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
Fired by r2
[0x00400080]> 

Due to the change you have now made, I've also tested this with the above "sysenter" version of the script, which seems to have a similar issue:

[0x00400080]> pdf
            ;-- section..text:
            ;-- _start:
            ;-- rip:
/ (fcn) entry0 16
|   entry0 ();
|           0x00400080      b801000000     mov eax, 1                  ; [1] va=0x00400080 pa=0x00000080 sz=16 vsz=16 rwx=--r-x .text
|           0x00400085      0f34           sysenter
|           0x00400087      b801000000     mov eax, 1
\           0x0040008c      cd80           int 0x80
|       |   ; JMP XREF from 0x0040008e (entry0)
|       `-> 0x0040008e      ebfe           jmp 0x40008e
[0x00400080]>
[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
[0x00400080]> aes
Fired by r2
[0x00400080]> 
[0x00400080]> e cmd.esil.intr 
#!pipe python /home/xpn/radare/int_hook.py