OK so most of the time if I want to teach x86 and how a CPU works I use radare2.
It is a command line decompiler/reverse engineering tool that helps you step through and debug your thinking.
Here is the minimum you need to know:
Run it with r2 -Ad ./nameofbinary
(ASIDE: Sometimes the binary can't run on your box; in that case you can drop the -d, e.g. r2 -A ./nameofbinary)
(ASIDE: Later on we'll want to connect to a running process using r2 -Ad :PROCESSID: where you swap :PROCESSID: with a number you look up)
r2 has "MODES" of using it, the two we care about are the "command mode" (not sure if that's what they call it) and "visual mode"
COMMAND MODE is when you see a little terminal indicator like: >
VISUAL MODE is when you see all sorts of code and such
You can switch into VISUAL MODE by typing V
You can switch into COMMAND MODE by typing :
When in visual mode you can cycle through the various ways of seeing the same stuff with the keys p and P
(p cycles in one order, P the opposite order)
(ASIDE: in visual mode if you hit SPACE you'll see a branching flow chart)
You'll want to SEEK the main body of what is happening. The command (from COMMAND MODE) is s main
to "seek" "main". You can seek other addresses and other "symbols" too.
The most common sequence of commands I do when starting an r2 session is:
You can use up/down and j/k to move up and down.
You can use the letter c to move your cursor to "the stack" and back.
If you open a command from visual mode with : you can get back to visual mode with ENTER
You can JUMP TO a function by hitting the number shown in square brackets at the function call.
You can JUMP BACK with the letter u (iirc)
From command mode you can set a breakpoint as follows:
db main
the d is for "debug" then the b is for "breakpoint" then a space then the location to set breakpoint at
dc
the d prefix is for "debug" and the c is for "continue"
You can step with s and step OVER with S
(the capital S is useful for not going into a rabbit hole of some libc function)
Sometimes you want to view the contents of memory at some location
From COMMAND MODE you can px @addresshere and replace x with some other format letter (x is for hex) (p is for print)
You can sometimes read from an address in a register etc.
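The whole sequence above (seek main, set the breakpoint, continue, step, dump memory) can also be fed to r2 non-interactively with a command script and -i, which is handy when you want to repeat the same walkthrough for a class. This is an added example, not part of the original notes; it assumes r2 is on PATH, that ./nameofbinary is a local x86-64 ELF you can run on your box (so rsp is the stack pointer), and the helper names are made up here.

```shell
#!/bin/sh
# Added example: the interactive r2 session from the notes, as a script.
# Assumed: `r2` is installed, the target is a local x86-64 binary you can run.

# Emit the r2 command script for a session that stops at symbol $1 (default: main).
r2_session_script() {
    sym="${1:-main}"
    cat <<EOF
aaa
s ${sym}
pdf
db ${sym}
dc
dr
ds
dso
px 64 @ rsp
dbt
EOF
}
# Line by line: analyze all; seek to the symbol; print the disassembled
# function; debug-breakpoint on it; debug-continue until it is hit; dump the
# registers; step into one instruction; step over the next; print 64 bytes of
# hex at the stack pointer; show the debugger backtrace.

# Write the script to a temp file and run it in debug mode against a binary.
# -q keeps r2 quiet and quits once the -i script has been processed.
r2_debug_batch() {
    bin="$1"; sym="${2:-main}"
    command -v r2 >/dev/null 2>&1 || { echo "r2 not found on PATH" >&2; return 2; }
    script="$(mktemp)" || return 1
    r2_session_script "$sym" > "$script"
    r2 -q -i "$script" -Ad "$bin"
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage: r2_debug_batch ./nameofbinary main
```

Swap `rsp` for `esp` when the target is 32-bit x86, and replace `main` with any other symbol or address you would otherwise seek to by hand.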
There is MUCH BETTER documentation all over the internet, google around.