TransWikia.com

radare2 memory changing in debug mode

Reverse Engineering Asked by buhaz on July 18, 2021

I have tiny program:

        0x08048080      66a1a0900408   mov ax, word loc.name       
        0x08048086      66bbafbe       mov bx, 0xbeaf
        0x0804808a      66891da09004.  mov word loc.name, bx    ; [0x80490a0:2]=0xdead

        0x08048091      31c0           xor eax, eax
        0x08048093      66a1a0900408   mov ax, word loc.name       
        0x08048099      b801000000     mov eax, 1
        0x0804809e      cd80           int 0x80
        0x080480a0      ad             lodsd eax, dword [esi]
        0x080480a1      de00           fiadd word [eax]

when program changing memory:

0x0804808a 66891da09004 mov word loc.name, bx ; [0x80490a0:2]=0xdead

memory dump (with px @ 0x80490a0) not changed

is there possible to view memory change in real time when debugging?

thanks!

radare2

One Answer

I've run the following on the latest r2 from git:

r2 -d ./example

after setting the breakpoint on main and running to it I'm getting the following disassembly:

0x004004a6 b    668b04252810.  mov ax, word [loc.name]     ; [0x601028:2]=0xdead
0x004004ae      66bbafbe       mov bx, 0xbeaf
0x004004b2      66891c252810.  mov word [loc.name], bx     ; [0x601028:2]=0xdead
0x004004ba      31c0           xor eax, eax
0x004004bc      668b04252810.  mov ax, word [loc.name]     ; [0x601028:2]=0xdead
0x004004c4      b801000000     mov eax, 1
0x004004c9      cd80           int 0x80

The memory location shows, 0xdead @ 0x601028.

After executing 3 step instructions. This is what I get when running px @ 0x601028

:> px@0x601028
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0 1  0123456789ABCDEF01
0x00601028  afbe 0000 0000 0000 0000 0000 0000 0000 0000  ..................

So the change is reflected in memory but also when I check the disassembly

 0x004004a6 b    668b04252810.  mov ax, word [loc.name]     ; [0x601028:2]=0xbeaf rbx
 0x004004ae      66bbafbe       mov bx, 0xbeaf              ; rbx
 0x004004b2      66891c252810.  mov word [loc.name], bx     ; [0x601028:2]=0xbeaf rbx
 ;-- rip:
 0x004004ba      31c0           xor eax, eax
 0x004004bc      668b04252810.  mov ax, word [loc.name]     ; [0x601028:2]=0xbeaf rbx
 0x004004c4      b801000000     mov eax, 1
 0x004004c9      cd80           int 0x80

Now there's 0xbeaf @ 0x601028.

Answered by Paweł Łukasik on July 18, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Recent Questions

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP