Tags: assembly, reverse-engineering, disassembly, radare2

ASM pattern search in radare2


I want to perform a search in radare2 for an ASM pattern of the type

pop, mov, mov

that is, three consecutive instructions: the first beginning with pop, the second beginning with mov, and the third also.

There is a related radare2 issue (https://github.com/radareorg/radare2/issues/13322) that says "itss alrady implemented in /c", but /c is now used for "Search for crypto materials".

I'm using radare2 4.5.0 on Linux.


Solution

  • This can be achieved with /ad (tested with versions 4.5.0 and 5.0.1):

    r2 /bin/ls
    > "/ad pop;mov;mov"
    0x00009b40   # 7: pop rbp; mov rsi, r13; mov rdi, r12
    0x00009bb8   # 7: pop rbp; mov rsi, r13; mov rdi, r12
    0x00009c38   # 7: pop rbp; mov rsi, r13; mov rdi, r12
    0x00009d40   # 7: pop rbp; mov rsi, r13; mov rdi, r12
    0x0000a120   # 19: pop r12; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
    0x0000a120   # 18: pop rsp; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
    0x000120f1   # 9: pop rcx; mov rcx, qword [rbx]; mov edx, 2
    

    Note: the quotes (") around the command are necessary because radare2 also uses the semicolon to chain commands.

    For reference (radare2 5.0.1):

    > /a?
    Usage: /a[?] [arg]  Search for assembly instructions matching given properties
    | /a push rbp           Assemble given instruction and search the bytes
    | /a1 [number]          Find valid assembly generated by changing only the nth byte
    | /aI                   Search for infinite loop instructions (jmp $$)
    | /aa mov eax           Linearly find aproximated assembly (case insensitive strstr)
    | /ac mov eax           Same as /aa, but case-sensitive
    | /ad[/*j] push;mov     Match ins1 followed by ins2 in linear disasm
    | /ad/ ins1;ins2        Search for regex instruction 'ins1' followed by regex 'ins2'
    | /ad/a instr           Search for every byte instruction that matches regexp 'instr'
    | /ae esil              Search for esil expressions matching substring
    | /af[l] family         Search for instruction of specific family (afl=list
    | /ai[j] 0x300 [0x500]  Find all the instructions using that immediate (in range)
    | /al                   Same as aoml, list all opcodes
    | /am opcode            Search for specific instructions of specific mnemonic
    | /ao instr             Search for instruction 'instr' (in all offsets)
    | /as[l] ([type])       Search for syscalls (See /at swi and /af priv)
    | /at[l] ([type])       Search for instructions of given type
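The /ad output above is plain text, so for anything beyond eyeballing a handful of hits (ROP-style gadget hunting, ranking by size, removing duplicate addresses) it helps to parse it. The following is an added example, not code from the question, the answer, or the radare2 project. It parses the `0xADDR   # N: ins1; ins2; ...` lines exactly as printed above, where N is the total length in bytes of the matched instructions (the first hit is pop rbp = 1 byte, mov rsi, r13 = 3 bytes, mov rdi, r12 = 3 bytes, hence 7). The sample input is copied from the /bin/ls output in the answer; the `run_ad_search` helper assumes radare2 and the Python r2pipe package are installed and is not exercised offline. Note that the answer's output lists 0xa120 twice with lengths 19 and 18: the same bytes decoded once as `pop r12` (41 5c, with the REX prefix) and once as `pop rsp` (5c), so the dedupe step keeps the longer decode per address.

```python
"""Parse and filter radare2 '/ad' hits (added example, not from the page)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines the answer shows for "/ad pop;mov;mov" on /bin/ls.
SAMPLE_AD_OUTPUT = """\
0x00009b40   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x00009bb8   # 7: pop rbp; mov rsi, r13; mov rdi, r12
0x0000a120   # 19: pop r12; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x0000a120   # 18: pop rsp; mov byte [rip + 0x1832c], 0; mov dword [rip + 0x1817e], 0
0x000120f1   # 9: pop rcx; mov rcx, qword [rbx]; mov edx, 2
"""

# address, '#', byte length, ':' and the '; '-joined instructions
_HIT_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+#\s*(\d+):\s*(.*)$")


@dataclass(frozen=True)
class Hit:
    addr: int
    length: int                 # bytes covered by the matched instructions
    insns: Tuple[str, ...]      # one string per instruction

    @property
    def mnemonics(self) -> Tuple[str, ...]:
        return tuple(i.split()[0] for i in self.insns)


def parse_ad_output(text: str) -> List[Hit]:
    """Turn raw /ad output into Hit records; non-matching lines are ignored."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = _HIT_RE.match(line)
        if not m:
            continue
        addr, length, body = m.groups()
        insns = tuple(s.strip() for s in body.split(";") if s.strip())
        hits.append(Hit(int(addr, 16), int(length), insns))
    return hits


def dedupe_by_address(hits: List[Hit]) -> List[Hit]:
    """Keep one hit per address, preferring the longest (the decode that
    includes a prefix byte, e.g. 'pop r12' = 41 5c over 'pop rsp' = 5c)."""
    best: Dict[int, Hit] = {}
    for h in hits:
        if h.addr not in best or h.length > best[h.addr].length:
            best[h.addr] = h
    return [best[a] for a in sorted(best)]


def filter_hits(hits: List[Hit], first_insn_prefix: Optional[str] = None,
                max_length: Optional[int] = None) -> List[Hit]:
    """Select hits whose first instruction starts with a given text and/or
    whose total length does not exceed max_length bytes."""
    out = []
    for h in hits:
        if first_insn_prefix and not h.insns[0].startswith(first_insn_prefix):
            continue
        if max_length is not None and h.length > max_length:
            continue
        out.append(h)
    return out


def run_ad_search(binary: str, pattern: str) -> str:
    """Run '/ad <pattern>' on a binary through r2pipe.
    Assumes radare2 and the r2pipe package are installed (not run offline)."""
    import r2pipe  # assumption: pip package r2pipe is available
    r2 = r2pipe.open(binary)
    try:
        # The surrounding double quotes stop r2 from splitting the command on ';'.
        return r2.cmd('"/ad %s"' % pattern)
    finally:
        r2.quit()


if __name__ == "__main__":
    hits = dedupe_by_address(parse_ad_output(SAMPLE_AD_OUTPUT))
    for h in filter_hits(hits, first_insn_prefix="pop rbp"):
        print(hex(h.addr), h.length, "; ".join(h.insns))
```

To use it on a live binary, replace `SAMPLE_AD_OUTPUT` with `run_ad_search("/bin/ls", "pop;mov;mov")`; the parser is the same either way, since r2pipe returns the same text the interactive prompt prints.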