Radare2: Rename/Comment function arguments and local variables

Created on 21 Dec 2014  ·  16 Comments  ·  Source: radareorg/radare2

Hello again,

It would be great if when disassembling, function arguments and local variables would be renamed (or at least commented) to identify if the function is working with a parameter or with a local variable.

For example, rename offsets from esp/ebp as parameters or local vars with a name - varC or paramB, where 0xC and 0xB are offsets from esp/ebp - (not only related to windows). A la IDA Pro.

This would increase the usability of using the disassembler.

Thanks for your hard work!

Labels: RAnal, bug, enhancement


All 16 comments

That's the asm.varsub option and it already works for some cases, not all. Ping @pwntester for this.


It should work now for x86:

[0x00400e95]> pd 20
/ (fcn) sym.main 754
|          ; var int local_454 @ rbp-0x454
|          ; var int local_460 @ rbp-0x460
|          ; var int local_18 @ rbp-0x18
|          ; var int local_444 @ rbp-0x444
|          ; var int local_430 @ rbp-0x430
|          ; var int local_42c @ rbp-0x42c
|          ; var int local_448 @ rbp-0x448
|          ; var int local_42e @ rbp-0x42e
|          ; var int local_438 @ rbp-0x438
|          ; var int local_440 @ rbp-0x440
|          ; DATA XREF from 0x00400b4d (entry0)
|          0x00400e95    55           push rbp
|          0x00400e96    4889e5       mov rbp, rsp
|          0x00400e99    53           push rbx
|          0x00400e9a    4881ec58040. sub rsp, 0x458
|          0x00400ea1    89bdacfbffff mov dword [rbp-local_454], edi
|          0x00400ea7    4889b5a0fbf. mov qword [rbp-local_460], rsi
|          0x00400eae    64488b04252. mov rax, qword fs:[0x28]          ; [0x28:8]=0x2210  ; '('
|          0x00400eb7    488945e8     mov qword [rbp-local_18], rax
|          0x00400ebb    31c0         xor eax, eax
|          0x00400ebd    e83efbffff   call sym.imp.getpid

I implemented afvn and afan for renaming.

Let me know if they are not working as expected.

Rhoooooooooooooo, this is awesome!

\o/

Let the party begin!

This was already implemented but disabled because it was an ugly solution that only works on x86. I discussed this with pwntester and he accepted to enable it and test it while fixing some parsing issues. So that's working now.

It will be good to handle also the local var accesses with LEA, because right now it only works with MOVs. It will be good to investigate porting this to other archs.
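To make concrete what the var/arg substitution shown in pwntester's listing above does (and the LEA gap mentioned here), this is an added example, not radare2 code: a small Python model of asm.varsub that rewrites frame-pointer-relative operands into local_/arg_ names and emits the "; var int ... @ ebp-..." header lines in r2's format. The listing is constructed after the Lab06-02.exe excerpt in this thread, and the arg_ prefix for positive offsets is an assumed naming convention.

```python
import re

# Constructed sample listing (x86, ebp-based frame), modelled on the Lab06-02.exe
# excerpt in this thread; it is not real r2 output. It includes an LEA access and
# an argument read, both of which a plain operand rewrite handles the same way.
SAMPLE = [
    "0x00401040    55           push ebp",
    "0x00401041    8bec         mov ebp, esp",
    "0x00401043    81ec10020000 sub esp, 0x210",
    "0x0040105c    8945f4       mov dword [ebp - 0xc], eax",
    "0x0040106c    8b45f4       mov eax, dword [ebp - 0xc]",
    "0x00401076    8945f0       mov dword [ebp - 0x10], eax",
    "0x00401079    837df000     cmp dword [ebp - 0x10], 0",
    "0x0040107d    8d85f0fdffff lea eax, [ebp - 0x210]",
    "0x00401083    8b4d08       mov ecx, dword [ebp + 0x8]",
]


def _operand_pattern(base):
    # Matches "[ebp - 0xc]", "[ebp-0xc]", "[ebp + 8]" for the given frame register.
    return re.compile(r"\[" + base + r"\s*([+-])\s*(0x[0-9a-fA-F]+|\d+)\]")


def varsub(lines, base="ebp"):
    """Rewrite frame-relative memory operands as named variables.

    Negative offsets become local_<hex> (r2's own naming in this thread);
    positive offsets become arg_<hex>, an assumed convention for arguments.
    Works for mov, cmp and lea alike because only the operand is rewritten.
    Returns (var_header_lines, rewritten_lines).
    """
    pat = _operand_pattern(base)
    seen = {}  # name -> header line, in first-use order

    def repl(m):
        sign, off = m.group(1), int(m.group(2), 0)
        name = ("local_%x" if sign == "-" else "arg_%x") % off
        seen.setdefault(name, f"; var int {name} @ {base}{sign}{off:#x}")
        return f"[{base}{sign}{name}]"

    body = [pat.sub(repl, ln) for ln in lines]
    return list(seen.values()), body


def frame_size(lines, sp="esp"):
    """Frame size taken from the prologue's 'sub esp, N' (0 if none found).

    Useful as a sanity check: a local offset larger than this is suspicious,
    like the 0x210-byte array the thread mentions having to size by hand."""
    pat = re.compile(r"\bsub\s+" + sp + r",\s*(0x[0-9a-fA-F]+|\d+)")
    for ln in lines:
        hit = pat.search(ln)
        if hit:
            return int(hit.group(1), 0)
    return 0
```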

Awesome work pwntester! Thank you very much!

mis dies

hey @pwntester

It seems that might be some problem in some cases, for example, reversing the Lab06-02.exe binary from the practical malware analysis book it doesn't rename/comment local variables:

[0x00401040 280 Lab06-02.exe]> pd $r @ section..text+64 # 0x401040
           ; CALL XREF from 0x00401148 (fcn.00401130)
           0x00401040    55           push ebp
           0x00401041    8bec         mov ebp, esp
           0x00401043    81ec10020000 sub esp, 0x210
           0x00401049    6a00         push 0
           0x0040104b    6a00         push 0
           0x0040104d    6a00         push 0
           0x0040104f    6a00         push 0
           0x00401051    68f4704000   push 0x4070f4
           0x00401056    ff15c4604000 call dword [reloc.WININET.dll_InternetOpenA_196]
              unk(unk, unk, unk, unk, unk, unk) ; section_end..data    ; "Tf" @ 0x4060c4
           0x0040105c    8945f4       mov dword [ebp - 0xc], eax
           0x0040105f    6a00         push 0
           0x00401061    6a00         push 0
           0x00401063    6a00         push 0
           0x00401065    6a00         push 0
           0x00401067    68c4704000   push 0x4070c4                    ; "http://www.practicalmalwareanalysis.com/cc.htm" @ 0x4070c4
           0x0040106c    8b45f4       mov eax, dword [ebp - 0xc]
           0x0040106f    50           push eax
           0x00401070    ff15b4604000 call dword [reloc.WININET.dll_InternetOpenUrlA_180]
              unk(unk, unk, unk, unk, unk, unk) ; section_end..data    ; "@f" @ 0x4060b4
           0x00401076    8945f0       mov dword [ebp - 0x10], eax
           0x00401079    837df000     cmp dword [ebp - 0x10], 0

I have an updated version of r2 with the two commands you mention.
The binary can be found here: http://practicalmalwareanalysis.com/labs/

Note:

In the same binary there are functions that are correctly commented:

[0x00401130 280 Lab06-02.exe]> pd $r @ section..text+304 # 0x401130
/ (fcn) fcn.00401130 79
|          ; var int local_4 @ ebp-0x4
|          ; var int local_8 @ ebp-0x8
|          ; CALL XREF from 0x0040125f (entry0)
|          0x00401130    55           push ebp
|          0x00401131    8bec         mov ebp, esp
|          0x00401133    83ec08       sub esp, 8
|          0x00401136    e8c5feffff   call section..text               ;[1]
|             0x00401000(unk, unk, unk, unk, unk, unk) ; section..text
|          0x0040113b    8945fc       mov dword [ebp-local_4], eax
|          0x0040113e    837dfc00     cmp dword [ebp-local_4], 0

Edit:

It seems that IDA also has some problems with this stack frame. In fact, the array local variable ebp-0x210 is of 512 bytes and you have to manually set it (ctrl+k).

It seems that r2 has not found any functions at 0x401040 and so the var/arg analysis has not been run.
I'm not sure if 'af' or 'a2f' will run this analysis though, since it seems they don't call 'fcn_recurse', where the analysis takes place. @radare, should we add this analysis to the new 'a2f' command?

The recursivity in the analysis can be configured with anal.depth. You may also want to look at 'ac'. And if you want to analyze that function just use af @ 0x401040 or if you want to use a2f prefix it with a dot: .a2f@0x401040


Hi, this works with ebp, but I have assembly code using offsets from esp for local variables. Is it possible to rename variables with an offset from esp instead of ebp?

Thanks. I guess that means a "no, not yet".

No, but you can contribute and subscribe to the issue to show interest.

Adding comment has been done by @oddcoder ! 👍 See C?
