Document vvs and improve visual mode chapters

radareorg · Jul 9, 2024 · 90e788e · 90e788e
1 parent be95915
commit 90e788e
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 31 deletions.
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -66,6 +66,7 @@
    * [Visual Disassembly](visual_mode/visual_disassembly.md)
    * [Visual Assembler](visual_mode/visual_assembler.md)
    * [Visual Configuration Editor](visual_mode/visual_configuration_editor.md)
+   * [Visual Menus](visual_mode/visual_menus.md)
    * [Visual Panels](visual_mode/visual_panels.md)
 * [Searching data](search/intro.md)
    * [Basic Searches](search/basic_searches.md)

diff --git a/src/visual_mode/visual_assembler.md b/src/visual_mode/visual_assembler.md
@@ -1,6 +1,7 @@
 ## Visual Assembler
 
-You can use Visual Mode to assemble code using `A`.
+You can use Visual Mode to assemble code pressing the `A` key inside the `V`isual mode (or just type `VA` from the shell). Note that the cursor mode also plays well with the visual assembler, use it to point to the instruction that you want to patch insted of just scrolling up and down changing the seek.
+
 For example let's replace the `push` by a `jmp`:
 
 ![Before](../pics/before.png)
@@ -9,7 +10,8 @@ Notice the preview of the disassembly and arrows:
 
 ![After](../pics/after.png)
 
-You need to open the file in writing mode (`r2 -w` or `oo+`) in order to patch the file.
+In order to patch the file you must open it in read-write mode (`r2 -w`), but if you are inside radare2, you can reopen the file in rw mode with `oo+`.
+
 You can also use the cache mode: `e io.cache = true` and `wc?`.
 
-Remember that patching files in debug mode only patch the memory not the file.
+**Note** that when you are debugging, patching the memory won't modify the files in disk.
diff --git a/src/visual_mode/visual_disassembly.md b/src/visual_mode/visual_disassembly.md
@@ -1,44 +1,27 @@
 ## Visual Disassembly
 
-### Navigation
+The visual disassembler mode in radare2 is accessed by pressing 'p' after entering the V command. This mode displays the disassembled code in a structured format, making it easier to read and navigate through the program's instructions.
 
-Move within the Disassembly using arrow keys or `hjkl`. Use `g` to seek directly to a flag or an offset, type it when requested by the prompt: `[offset]>`.
-Follow a jump or a call using the `number` of your keyboard `[0-9]` and the number on the right in disassembly to follow a call or a jump. In this example typing `1` on the keyboard would follow the call to `sym.imp.__libc_start_main` and therefore, seek at the offset of this symbol.
+In this view, users can scroll through the code, examine function calls, and identify control flow structures. The layout includes address information, machine code, and human-readable assembly instructions. This presentation helps in understanding the program's logic and behavior.
 
-```
-0x00404894      e857dcffff     call sym.imp.__libc_start_main ;[1]
-```
+The visual disassembler mode also offers various keybindings for quick actions such as jumping to specific addresses, adding comments, or setting breakpoints.
 
-Seek back to the previous location using `u`, `U` will allow you to redo the seek.
+In other words, it's like using the `pd` command from the shell but in an interactive way.
 
-## `d` as define
+For example, you can press the `spacebar` key to toggle between the control-flow-graph and linear disassembly listing. Or press the numeric comments `;[1]` in the jump/reference hints next to the instructions to quickly jump there.
 
-`d` can be used to change the type of data of the current block, several basic types/structures are available as well as more advanced one using `pf` template:
+### Navigation
 
-```
-d → ...
-0x004048f7      48c1e83f       shr rax, 0x3f
-d → b
-0x004048f7 .byte 0x48
-d → B
-0x004048f7 .word 0xc148
-d → d
-0x004048f7 hex length=165 delta=0
-0x004048f7  48c1 e83f 4801 c648 d1fe 7415 b800 0000
-...
-```
+Move within the Disassembly using arrow keys or `hjkl`. Use `g` to seek directly to a flag or an offset, type it when requested by the prompt: `[offset]>`.
 
-To improve code readability you can change how radare2 presents numerical values in disassembly, by default most of disassembly display numerical value as hexadecimal. Sometimes you would like to view it as a decimal, binary or even custom defined constant. To change value format you can use `d` following by `i` then choose what base to work in, this is the equivalent to `ahi`:
+Follow a jump or a call using the `number` of your keyboard `[0-9]` and the number on the right in disassembly to follow a call or a jump. In this example typing `1` on the keyboard would follow the call to `sym.imp.__libc_start_main` and therefore, seek at the offset of this symbol.
 
 ```
-d → i → ...
-0x004048f7      48c1e83f       shr rax, 0x3f
-d → i →  10
-0x004048f7      48c1e83f       shr rax, 63
-d → i →  2
-0x004048f7      48c1e83f       shr rax, '?'
+0x00404894      e857dcffff     call sym.imp.__libc_start_main ;[1]
 ```
 
+Seek back to the previous location using `u`, `U` will allow you to redo the seek.
+
 ### Cursor mode
 
 Remember that, to be able to actually edit files loaded in radare2, you have to start it with the `-w` option. Otherwise a file is opened in read-only mode.

diff --git a/src/visual_mode/visual_menus.md b/src/visual_mode/visual_menus.md
@@ -0,0 +1,103 @@
+## Visual Menus
+
+There are a couple of keystrokes in Visual Mode that will lead to some menus with useful actions in a very accessible way. These are some of them:
+
+* Edit bits and decompose an instruction (Vd1)
+* Change function signature (vvs)
+* Rename current function (vdr)
+* Set the current offset as string (Vds)
+* Change base of the immediate in current instruction (Vdi)
+
+### Vv visual analysis
+
+This visual mode can be used to navigate through the program like in the visual disassembly view, but having some extra visual modes to follow references, etc
+
+```
+[0x00000000]> Vv
+.-- functions ----- pdr ---------------------------------.
+| (a)nalyze   (-)delete (x)xrefs (X)refs (j/k) next/prev |
+| (r)ename    (c)alls   (d)efine (Tab)disasm (_) hud     |
+| (d)efine    (v)ars    (?)help  (:)shell    (q) quit    |
+| (s)ignature                                            |
+'--------------------------------------------------------'
+```
+
+Note that all those actions can be done through the `Vd` menu, as well as the commandline, and it is probably that most of these actions will end up being moved into the `Vd` for simplicity reasons and compatibility with Visual Mode and Visual Panels.
+
+### Ve visual config
+
+The `e` command is used to change any configuration option inside radare2, the visual mode have a visual version so you can use it to change settings interactively.
+
+Note that you can also press the `R` key to quickly rotate between different the available color themes.
+
+### Vd as in define
+
+The Vd menu can be used to redefine information in the current function or instruction quickly.
+
+This is the list of actions:
+
+```
+[0x00000000]> Vd
+[Vd]- Define current block as:                                                                   
+ $    define flag size
+ 1    edit bits
+ >    small integer (shift right by 1)
+ a    assembly
+ b    as byte (1 byte)
+ B    define half word (16 bit, 2 byte size)
+ c    as code (unset any data / string / format) in here
+ C    define flag color (fc)
+ d    set as data
+ e    end of function
+ E    esil debugger (aev)
+ f    analyze function
+ F    format
+ h    define hint (for half-word, see 'B')
+ i    (ahi) immediate base (b(in), o(ct), d(ec), h(ex), s(tr))
+ I    (ahi1) immediate base (b(in), o(ct), d(ec), h(ex), s(tr))
+ j    merge down (join this and next functions)
+ k    merge up (join this and previous function)
+ h    define anal hint
+ m    manpage for current call
+ n    rename flag or variable referenced by the instruction in cursor
+ N    edit function signature (afs!)
+ o    opcode string
+ r    rename function
+ s    set string
+ S    set strings in current block
+ t    set opcode type via aht hints (call, nop, jump, ...)
+ u    undefine metadata here
+ v    rename variable at offset that matches some hex digits
+ x    find xrefs to current address (./r)
+ X    find cross references /r
+ w    set as 32bit word
+ W    set as 64bit word
+ q    quit menu
+ z    zone flag
+```
+
+`d` can be used to change the type of data of the current block, several basic types/structures are available as well as more advanced one using `pf` template:
+
+```
+d → ...
+0x004048f7      48c1e83f       shr rax, 0x3f
+d → b
+0x004048f7 .byte 0x48
+d → B
+0x004048f7 .word 0xc148
+d → d
+0x004048f7 hex length=165 delta=0
+0x004048f7  48c1 e83f 4801 c648 d1fe 7415 b800 0000
+...
+```
+
+To improve code readability you can change how radare2 presents numerical values in disassembly, by default most of disassembly display numerical value as hexadecimal. Sometimes you would like to view it as a decimal, binary or even custom defined constant. To change value format you can use `d` following by `i` then choose what base to work in, this is the equivalent to `ahi`:
+
+```
+d → i → ...
+0x004048f7      48c1e83f       shr rax, 0x3f
+d → i →  10
+0x004048f7      48c1e83f       shr rax, 63
+d → i →  2
+0x004048f7      48c1e83f       shr rax, '?'
+```