View Full Version : How to make radare automatically follow the eip?


jcyang
November 9th, 2009, 23:47
I downloaded the radare source code http://www.radare.org/get/shot/radare-20090722.tar.gz and installed it, but when I try to follow the tut http://www.radare.org/swf/01, I get stuck setting asm.follow. Radare returns,
Quote:
(config-locked: 'asm.follow' no new keys could be created

I have tried to modify the ~./radare.rc and add e asm.follow=eip to it, but this method doesn't work.

I glanced at the config part in the source code repository; the code line
Code:
config_set("asm.follow", ""
is commented out, and it seems this problem was caused by a file lock.

I do not know much about the techniques (hash or lock) radare uses to do configuration. And learning these right away is overkill for me now.

So the question is: is there any solution to make radare automatically follow the eip?

P.S. My environment is Debian Linux/i386. The version of radare is 1.4.2b.

Thanks.

pancake
November 10th, 2009, 10:31
As replied in the mailing list:


in short: asm.follow was deprecated many releases ago.

in long:

It was deprecated because following a register has no relation with 'asm', so we
moved to scr.seek, which forces to seek if the resulting number of the given
expression is far from the current screen seek.

The problem in this situation is that sometimes you lose the pointer. Because the
screen can get many different sizes, and the internal block size doesn't need to
reflect the screen height (different opcode sizes, etc.), with the current
implementation of the console handle, the disassembly engine has no way to know
if the given value is far enough to seek.

If you press '.' in visual mode you will seek to the program counter address.

If you want to follow the program counter strictly you can use the cmd.vprompt*
environment variables to execute a seek to the address you like. f.ex:

> e cmd.vprompt=s eip
> V

You can put more complex expressions in this eval field.

The other problem you face is that you are editing the ~/.radare.rc, which is not the
rc file. You should edit the ~/.radarerc.

About the source code, I recommend you always get it from mercurial. I will
try to push snapshots after every release, but you should check if the last
snapshot is newer than the last release or what; snapshots are just for testing
purposes. This is why you are using 1.4.2b (b is for beta) and the last release was 1.4.2.

--pancake