refactor(r2): improve shell and examples

chinggg · chinggg · commit ab41d49bbbe7 · 2022-12-31T22:00:40.000+08:00
r2.shell() can now be launched at an address (PC by default)
diff --git a/examples/extensions/r2/deflat_r2.py b/examples/extensions/r2/deflat_r2.py
@@ -7,20 +7,30 @@
 
 sys.path.append('..')
 
-from qiling import Qiling
 from qiling.const import QL_VERBOSE
-from qiling.extensions.r2 import R2Qiling
+from qiling.extensions.r2 import R2Qiling as Qiling
 
 
 
 if __name__ == "__main__":
-    # a program obfuscated by OLLVM CFF flatten, which should print 4 when argv[1] is 1
+    # a program obfuscated by OLLVM control flow graph flatten, which should print 4 when argv[1] is 1
     # see source code at examples/src/linux/fla_test.c
-    ql = R2Qiling(['rootfs/x86_linux/bin/test_fla_argv', '1'], 'rootfs/x86_linux', verbose=QL_VERBOSE.DEFAULT)
+    ql = Qiling(['rootfs/x86_linux/bin/test_fla_argv', '1'], 'rootfs/x86_linux', verbose=QL_VERBOSE.DEFAULT)
+    ctx = ql.save()
     r2 = ql.r2
-    # now we can use r2 parsed symbol name instead of address
+    # now we can use r2 parsed symbol name instead of address to get function
     fcn = r2.get_fcn('target_function')
-    print(fcn)
+    # de-flatten the target function, ql code will be patched
     r2.deflat(fcn)
+    # run the de-flattened program, it should print 4 as expected
     ql.run()
-    r2.shell()
+    # get a r2-like interactive shell to reverse engineering target_function
+    r2.shell('target_function')
+    # run `pdf` in r2 shell to print disassembly of target_function
+    # we should see many patched NOP instructions
+
+    print('restore the original program')
+    ql.restore(ctx)
+    r2 = ql.r2
+    # the program is still obfuscated
+    r2.shell('target_function')
diff --git a/examples/extensions/r2/hello_r2.py b/examples/extensions/r2/hello_r2.py
@@ -6,19 +6,18 @@
 import sys
 sys.path.append('..')
 
-from qiling import Qiling
 from qiling.const import QL_VERBOSE
-from qiling.extensions.r2 import R2
+from qiling.extensions.r2 import R2Qiling as Qiling
 
 
 def func(ql: Qiling, *args, **kwargs):
     ql.os.stdout.write(b"=====hooked main=====!\n")
     return
 
 def my_sandbox(path, rootfs):
-    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DISASM)
+    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEFAULT)
     # QL_VERBOSE.DISASM will be monkey-patched when r2 is available
-    r2 = R2(ql)
+    r2 = ql.r2
 
     # search bytes sequence using ql.mem.search
     addrs = ql.mem.search(b'llo worl')  # return all matching results
diff --git a/qiling/extensions/r2/r2.py b/qiling/extensions/r2/r2.py
@@ -471,7 +471,12 @@ def deflat(self, addr: int):
         deflator._search_path()
         deflator._patch_codes()
 
-    def shell(self):
+    @wrap_arg_addr
+    def shell(self, addr: int = None):
+        '''Start a r2-like interative shell at given address
+        TODO: now it just a REPL, terminal graph UI is not supported
+        '''
+        self._cmd(f's {addr or self.ql.arch.regs.arch_pc or self.offset}')
         while True:
             print(f"[{self.offset:#x}]> ", end="")
             cmd = input()
