-
Notifications
You must be signed in to change notification settings - Fork 276
cmd_dump_x_v
dump ADDRESS
It shows assembly or data from the command line. If any code was set (and if the analyzer didn't go through an address) only data will be printed.
0x804853a: .db 00
0x804853b: .db 00
0x804853c: .db 00
0x804853d: .db 00
0x804853e: .db 00
0x804853f: .db 00
; ---------------------------------------------------------------------
; SUBROUTINE
; ---------------------------------------------------------------------
main: __noreturn__
frame_size = 20
int arg_0 = 0x0
int arg_4 = 0x4
0x8048540: ecx = &(arg_4)
0x8048544: esp &= -16
0x8048547: push arg_0
0x804854a: push ebpx ADDRESS
Pseudo decompilation from the command line where the given address is the entry point. It means that if give an address which is inside a function it will not start at the beginning of the address. Moreover if any code was set it will force to disassemble without modifying the database (i.e. setting all addresses as code).
function 0x80486c1 (PT_LOAD) {
0x80486c1: push ebx
0x80486c2: push 17
0x80486c4: call ptrace
for (;;) {
loop_0x80486c9:
0x80486c9: jmp loop_0x80486c9
}
}v [ADDRESS]
This is the visual mode. You can alternate between a dump mode and a decompilation mode.
The dump is equivalent to the previous command. But for the decompilation, the difference
with x is that the entry point is the beginning of a function (it will be computed if
this is an address inside the function. Moreover if ADDRESS is net as code, the decompilation
mode is not accessible.
function main (PT_LOAD) {
frame_size = 20
int arg_0 = 0x0
int arg_4 = 0x4
0x8048540: ecx = &(arg_4)
0x8048544: esp &= -16
0x8048547: push arg_0
0x804854a: push ebp
0x804854b: ebp = esp
0x804854d: push edi
0x804854e: push esi
0x804854f: push ebx
0x8048550: push ecx
0x8048551: esp -= 92
0x8048554: push 6
0x8048556: push asc_80488d4 "Flag: "
0x804855b: push 1
...