Radare2: [TRACKER] radare2 is not as cool as binaryninja

Created on 20 Aug 2016 · 13 comments · Source: radareorg/radare2

Link: https://binary.ninja/features.html

  • [ ] Undo (see #3801)
  • [x] Auto-updater
  • [x] A cool graphical graph view
  • [x] Hints to which registers get modified after a call (I believe this can be done with ESIL, but I'm not sure if there's an option to annotate in comments, i.e. `call sym.func ; will change eax, ebx, ecx`)
  • [x] Handling switch statements in graph view
  • [x] Automatic recognition of noreturn functions, to stop disassembly (#4929)
  • [x] Better ESIL specification and design (see blogpost on BNIL)

binary.ninja:
binja_graph

r2:
r2_graph

That's it from what I can tell.

RAnal RGraph parity


All 13 comments

Hum, for switch statements, have you tried anal.jmptbl and all the related stuff?

anal.jmptbl indeed can analyze jump tables, but it doesn't connect the blocks. I guess it's because by default a basic block can only diverge into a t and f path?

Relevant image: _8bd3_ seems to not go anywhere, when in fact it's the bb containing the jmp instruction.
r2_jmptable

The undo operation is simply not generic in r2. Like you said, you have undo for ops such as seek and write, but not for things like undoing flag renaming, for example.

@crowell you have some experience with binary ninja. What do you feel would be useful for r2?

quite sure:

Hints to which registers get modified after a call (I believe this can be done with ESIL, but I'm not sure if there's an option to annotate in comments, i.e. `call sym.func ; will change eax, ebx, ecx`)

Is already done too.

There is another useful feature shown in your screenshots that might be worth mentioning: automatic identification of functions that don't return by propagating a no-return property. The r2 basic block at 0x8048c88 calls explode_bomb for example (which presumably calls exit or otherwise doesn't return itself), but then keeps disassembling, unlike the BN graph which terminates after the call, which is one of the reasons our layout ends up being a bit cleaner in this instance.

This feature is already supported, but you need to specify that this function is of noreturn type. We can improve this so that, if we see that a function calls a noreturn function, it is also a noreturn one, but only if that's the only exit point.

On 04 Sep 2016, at 03:19, Jordan wrote:

There is another useful feature shown in your screenshots that might be worth mentioning: automatic identification of functions that don't return by propagating a no-return property. The r2 basic block at 0x8048c88 calls explode_bomb for example (which presumably calls exit or otherwise doesn't return itself), but then keeps disassembling, unlike the BN graph which terminates after the call, which is one of the reasons our layout ends up being a bit cleaner in this instance.
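As an added example (not radare2's or Binary Ninja's code) of the two analysis points raised in this thread, the jump-table successor edges from the anal.jmptbl discussion above and the noreturn propagation described in the comment just above: a toy CFG builder in Python run over a constructed instruction listing. Every function name, address and mnemonic in it is an assumption made for the example, loosely modelled on the bomb-style binary in the screenshots. The propagation rule generalizes the comment's "only exit point" condition slightly: a function is marked noreturn when none of its reachable blocks ends in a ret, which covers the single-exit case. The seed set plays the role of the manual marking the comment refers to (r2's `tn` command).

```python
"""Added example, not radare2 code: a toy CFG builder over a constructed
instruction listing. It shows (1) a block ending in a jump-table jmp getting
one successor per table entry instead of only a true/false pair, and (2) a
call to a noreturn function ending the block, with the noreturn property
propagated to callers that have no path to a ret."""
from dataclasses import dataclass

# Constructed toy program; every name and address here is an assumption.
# Each instruction is (addr, mnemonic, operand).
PROGRAM = {
    "exit":         [(0x100, "syscall_exit", None)],
    "puts":         [(0x300, "ret", None)],
    "explode_bomb": [(0x200, "call", "puts"),
                     (0x204, "call", "exit")],        # only exit path is noreturn
    "phase_1": [
        (0x400, "call", "strings_not_equal"),
        (0x404, "jz", 0x410),                         # taken -> 0x410, else 0x408
        (0x408, "call", "explode_bomb"),              # should end the block
        (0x40c, "mov", None),                         # dead once that is known
        (0x410, "ret", None),
    ],
    "strings_not_equal": [(0x500, "ret", None)],
    "dispatch": [
        (0x600, "cmp", None),
        (0x602, "jmp_tbl", [0x610, 0x614, 0x618]),    # switch via resolved table
        (0x610, "jmp", 0x620),
        (0x614, "jmp", 0x620),
        (0x618, "jmp", 0x620),
        (0x620, "ret", None),
    ],
}


@dataclass
class Block:
    addrs: list       # instruction addresses in the block
    ends_with: str    # mnemonic of the last instruction
    succs: list       # successor block leaders


def build_cfg(insns, noreturn):
    """Walk one function's listing and return {leader: Block}.
    `noreturn` is the set of callee names known not to return."""
    by_addr = {a: (m, op) for a, m, op in insns}
    order = [a for a, _, _ in insns]
    nxt = {a: (order[i + 1] if i + 1 < len(order) else None)
           for i, a in enumerate(order)}
    # Leaders: entry, every jump target, and the fall-through after a jz.
    leaders = {order[0]}
    for a, m, op in insns:
        if m == "jmp":
            leaders.add(op)
        elif m == "jz":
            leaders.update(t for t in (op, nxt[a]) if t is not None)
        elif m == "jmp_tbl":
            leaders.update(op)
    cfg, worklist = {}, [order[0]]
    while worklist:
        leader = worklist.pop()
        if leader in cfg:
            continue
        addr, addrs, succs = leader, [], []
        while True:
            m, op = by_addr[addr]
            addrs.append(addr)
            if m in ("ret", "syscall_exit"):
                break
            if m == "jmp":
                succs = [op]
                break
            if m == "jmp_tbl":
                succs = list(op)                      # N-way edge, not only t/f
                break
            if m == "jz":
                succs = [t for t in (nxt[addr], op) if t is not None]
                break
            if m == "call" and op in noreturn:
                break                                 # callee never returns
            if nxt[addr] is None:
                break
            if nxt[addr] in leaders:
                succs = [nxt[addr]]                   # fall through into a leader
                break
            addr = nxt[addr]
        cfg[leader] = Block(addrs, m, succs)
        worklist.extend(succs)
    return cfg


def can_return(cfg):
    """True if any reachable block ends in a ret."""
    return any(b.ends_with == "ret" for b in cfg.values())


def propagate_noreturn(program, seeds):
    """Fixed point: start from the manually marked functions, then mark every
    function with no reachable ret once its callees' status is known."""
    noreturn = set(seeds)
    changed = True
    while changed:
        changed = False
        for name, insns in program.items():
            if name not in noreturn and not can_return(build_cfg(insns, noreturn)):
                noreturn.add(name)
                changed = True
    return noreturn


if __name__ == "__main__":
    nr = propagate_noreturn(PROGRAM, {"exit"})
    print("noreturn:", sorted(nr))
    for name in ("phase_1", "dispatch"):
        for leader, b in sorted(build_cfg(PROGRAM[name], nr).items()):
            print(f"{name} bb {leader:#x}: {[hex(a) for a in b.addrs]}"
                  f" -> {[hex(s) for s in b.succs]}")
```

Running it shows `explode_bomb` picked up as noreturn from the single seed `exit`, the `phase_1` block at 0x408 ending at the call with no successors (0x40c never becomes part of a block), and the `dispatch` block at 0x600 carrying three successor edges from the jump table. Building `phase_1` with an empty noreturn set instead shows the behaviour the comment complains about: the block runs on through 0x40c into the ret.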

I think that @oddcoder's work on function type recognition might help too.

I would add here a better ESIL specification and design.

What's currently done is not supposed to change at all; maybe I would just rewrite the implementation because it's a bit spaghetti. And for MMX, FPU, … we are discussing doing it as "ESIL coprocessors", just as extensions of the original ESIL. This way we can split the implementation into several layers and identify which ESIL processors we need to emulate some specific code.

On 03 May 2017, at 08:21, Anton Kochkov wrote:

I would add here a better ESIL specification and design.

For Binary Ninja experts - please update the bug, I think they added a lot of features these days.

I think the ESIL point can be marked as done, and the automatic noreturn... maybe it's something to be done by a script. We already support noreturn points.

About the undo thing: that's very related to the task of syncing instances.

Closing here as the "undo all things" is covered. If someone is in the mood please reopen a new one with new features you want to see.
