How to use radare2 to disassemble an executable file?

Question

I have a cgywin executable file (shall be in PE format) and would like to disassemble it to get the assembly code on the text section using radare2, most of the examples disassemble per instruction instead of a whole file.

I typed radare2 filename then, pdf, it said

p:Cannot find function at 0x100401000

What am I missing?

Any help is really appreciated.

Answer 1

First, you have to understand that the pdf command is used to disassemble functions, so you first have to look for function starting points (I think that they are using symbols and some others heuristics to find it).

To get an automatic analysis of the functions, just type aaa first. It will run most of the required analysis on the executable. Then, type pdf.

If you just want a raw disassembly without function analysis, then type just pd.

The logic behind the radare commands is that each character of the command has a meaning and build tree-like command family.

For example, the 'p' is for the 'printing' command family. Try to type p?, you will get the following:

[0x00005430]> p?
|Usage: p[=68abcdDfiImrstuxz] [arg|len] [@addr]
| p=[?][bep] [blks] [len] [blk]  show entropy/printable chars/chars bars
| p2 [len]                       8x8 2bpp-tiles
| p3 [file]                      print stereogram (3D)
| p6[de] [len]                   base64 decode/encode
| p8[?][j] [len]                 8bit hexpair list of bytes
| pa[edD] [arg]                  pa:assemble  pa[dD]:disasm or pae: esil from hexpairs
| pA[n_ops]                      show n_ops address and type
| p[b|B|xb] [len] ([skip])       bindump N bits skipping M
| pb[?] [n]                      bitstream of N bits
| pB[?] [n]                      bitstream of N bytes
| pc[?][p] [len]                 output C (or python) format
| pC[d] [rows]                   print disassembly in columns (see hex.cols and pdi)
| pd[?] [sz] [a] [b]             disassemble N opcodes (pd) or N bytes (pD)
| pf[?][.nam] [fmt]              print formatted data (pf.name, pf.name $<expr>)
| ph[?][=|hash] ([len])          calculate hash for a block
| p[iI][df] [len]                print N ops/bytes (f=func) (see pi? and pdi)
| pm[?] [magic]                  print libmagic data (see pm? and /m?)
| pr[?][glx] [len]               print N raw bytes (in lines or hexblocks, 'g'unzip)
| p[kK] [len]                    print key in randomart (K is for mosaic)
| ps[?][pwz] [len]               print pascal/wide/zero-terminated strings
| pt[?][dn] [len]                print different timestamps
| pu[?][w] [len]                 print N url encoded bytes (w=wide)
| pv[?][jh] [mode]               show variable/pointer/value in memory
| p-[?][jh] [mode]               bar|json|histogram blocks (mode: e?search.in)
| px[?][owq] [len]               hexdump of N bytes (o=octal, w=32bit, q=64bit)
| pz[?] [len]                    print zoom view (see pz? for help)
| pwd                            display current working directory

Then, the second letter (d) stands for 'disassemble', try pd?:

[0x00005430]> pd?
|Usage: p[dD][ajbrfils] [sz] [arch] [bits] # Print Disassembly
| NOTE: len  parameter can be negative
| NOTE:      Pressing ENTER on empty command will repeat last pd command and also seek to end of disassembled range.
| pd N       disassemble N instructions
| pd -N      disassemble N instructions backward
| pD N       disassemble N bytes
| pda        disassemble all possible opcodes (byte per byte)
| pdb        disassemble basic block
| pdc        pseudo disassembler output in C-like syntax
| pdC        show comments found in N instructions
| pdk        disassemble all methods of a class
| pdj        disassemble to json
| pdr        recursive disassemble across the function graph
| pdf        disassemble function
| pdi        like 'pi', with offset and bytes
| pdl        show instruction sizes
| pds[?]     disassemble summary (strings, calls, jumps, refs) (see pdsf and pdfs)
| pdt        disassemble the debugger traces (see atd)

As you can see, pdf stands for 'disassemble function'.

But, if you want a raw disassembly of a memory area, then pd is probably what you need. It disassembly blindly from the current address up to a certain windows of memory. If you want to disassemble at a precise address, then use pd @0xdeadbeef.

Answer 2

print disassembly size redirect output_filename

• pd : print disassembled code
• $s : size of the executable is assigned to this variable by radare2
• > : redirect output to file
• output_filename : output written to this file

thus, try:

pd $s >myfile.asm

Or, (s)eek to beginning of .text section then (p)rint(D)isassemble N bytes N computed from the end of the .text section address (section_end..text) minus the beginning .text section address (section..text):

s section..text
pD section_end..text-section..text > myfiles.txt

If your executable has multiple sections, you will need to add the section number after the name (e.g., section..text.0). Find the name of the sections by listing them all (S)ection list:

S

P.S. I'm just learning how to use radare2 myself.

Answer 3

I aggregate all usefull information from the last responses and did an improvement.

You can solve your problem in 3 steps:

1. Use rabin2.exe to inspect .text section size and virtual address

   rabin2.exe -S [filename]

2. Then load the file with radare2 and seek to vaddress obtained in last step

   radare2.exe -d [filename] [0x14000aadc]> s [vaddress] # [vaddress] = 0x140001000 in my case

3. And then lastly, print in assembly code format from the seek position to the seek position + [size of .text section] to the stdout.

   [0x140001000]> pd [vsize] > out.txt # [vsize] = 0x28000 in my case

In my case the first 30 lines of my out.txt resulted in this: