taking r2frida to the next level
Stalker: a code-tracer
Design goal #1: avoid context-switches
Design goal #2: identical side-effects
Design goal #3: high granularity
Demo
But then some weeks before r2con
CodeWriter APIs
(demo)
Which led to
(demo)
How it works
; Stalker's translated copy of the original basic block at 0x1000 (shown below).
; Instructions are copied verbatim; only the block-ending `jmp 0x1234` is
; replaced by a call-out into Stalker that locates/compiles the jump target.
; NOTE(review): the copy lives in a separate region (0x7f000 here); how that
; memory is allocated and made executable (W^X handling) is not shown.
@0x7f000:
mov eax, 42                     ; copied unchanged from the original block
prolog()                        ; presumably saves the registers/flags the call-out clobbers
                                ; (design goal #2: identical side-effects) -- the saved set is not shown
resume_at = compile(0x1234)     ; translate the target block on demand; yields the address of its copy
epilog()                        ; restore the saved state so the traced code observes no difference
jmp [resume_at]                 ; continue in the translated copy rather than at the original 0x1234
; Original (untraced) code: the basic block whose copy appears above.
@0x1000:
mov eax, 42
jmp 0x1234                      ; block boundary; the copy replaces this with the Stalker call-out
; Original (untraced) code, repeated from the previous slide.
@0x1000:
mov eax, 42
jmp 0x1234                      ; block boundary; control leaves this block here
; Translated copy of the block at 0x1000 (same as the previous slide).
; The target block 0x1234 is translated lazily, only when control reaches it.
@0x7f000:
mov eax, 42                     ; copied unchanged
prolog()                        ; presumably saves state clobbered by the call-out (goal #2); exact set not shown
resume_at = compile(0x1234)     ; produce the translated copy of 0x1234 (0x7f100 on the next slide)
epilog()                        ; restore saved state
jmp [resume_at]                 ; resume in the copy, not in the original code
; Original (untraced) block at 0x1234: the jump target of the block at 0x1000.
; It ends in a `call`, which is a block boundary just like the `jmp` above.
@0x1234:
divsd xmm0, xmm1
movsd [rcx], xmm0
call 0x2000                     ; would push the return address (next instruction) and enter 0x2000
; Translated copy of the block at 0x1234. The two SSE instructions are copied
; verbatim; the `call 0x2000` is split into a Stalker call-out that compiles the
; callee, plus an explicit push of the return address the original call would have pushed.
; NOTE(review): divsd writes xmm0 just before prolog(); for goal #2 (identical
; side-effects) the saved/restored state must cover xmm and flags -- not shown here.
@0x7f100:
divsd xmm0, xmm1                ; copied unchanged
movsd [rcx], xmm0               ; copied unchanged
prolog()                        ; presumably saves state clobbered by compile(); exact set not shown
resume_at = compile(0x2000)     ; translate the callee on demand
epilog()                        ; restore saved state
push_original_retaddr()         ; push the return address the original `call 0x2000` would have pushed,
                                ; so the stack matches the untraced run; NOTE(review): a later `ret`
                                ; through that address lands in original code unless Stalker also
                                ; intercepts returns -- not shown on this slide
jmp [resume_at]                 ; enter the translated callee instead of `call`-ing 0x2000
; Original (untraced) code, repeated for the backpatching slide below.
@0x1000:
mov eax, 42
jmp 0x1234                      ; block boundary
; Translated copy of 0x1000 after the target has been compiled: compared with
; the earlier slide, the prolog()/compile()/epilog()/jmp [resume_at] sequence is
; now a direct jump to the copy at 0x7f100, so later executions of this edge
; apparently skip the call-out entirely (design goal #1: avoid context-switches).
@0x7f000:
mov eax, 42                     ; copied unchanged
jmp 0x7f100                     ; backpatched direct jump to the translated copy of 0x1234
; Original (untraced) block at 0x1234, repeated from the previous slide.
@0x1234:
divsd xmm0, xmm1
movsd [rcx], xmm0
call 0x2000                     ; block boundary (call)
; Translated copy of 0x1234, unchanged from the previous slide: 0x2000 has not
; been reached yet, so its call-out has not been backpatched into a direct jump.
@0x7f100:
divsd xmm0, xmm1                ; copied unchanged
movsd [rcx], xmm0               ; copied unchanged
prolog()                        ; presumably saves state clobbered by compile(); exact set not shown
resume_at = compile(0x2000)     ; translate the callee on demand
epilog()                        ; restore saved state
push_original_retaddr()         ; keep the stack identical to the untraced `call 0x2000`
jmp [resume_at]                 ; enter the translated callee