av changes

[radare]

[0x1000011ec]> av?
Usage: av[?jr*]   C++ vtables and RTTI
| av                search for vtables in data sections and show results
| avj               like av, but as json
| av*               like av, but as r2 commands
| avr[j@addr]       try to parse RTTI at vtable addr (see anal.cpp.abi)
| avra[j]           search for vtables and try to parse RTTI at each of them
| avrr              recover class info from all findable RTTI (see aC)
| avrD [classname]  demangle a class name from RTTI
[0x1000011ec]> aC
Usage: aC[e] [addr-of-call] # analyze call args (aCe does esil emulation with abte)
[0x1000011ec]>

note the following:

• avra should be renamed to aavt (analyze all virtual tables)
• avrr may be renamed to aavr maybe :?
• the aC command reference is wrong, it is ac
• Is avra run from aaa? may we want to use the bin info for this?

[thestr4ng3r]

"aavt (analyze all virtual tables)" is wrong, the command is about rtti, not just vtables, also it doesn't really analyze, it just reads data and prints it. Does that fit under aa? avrr does in any case though.

[radare]

then i misunderstood. maybe is avrr the one that must be moved into aa? if those vtables thing are just printing commands why are they under analysis? PD: never used that

[thestr4ng3r]

Well where would it fit other than anal? It's partially heuristic search and partially parsing data structures defined by C++ ABI.

[radare]

Is av* executed from aaa? Which are the requirements for it to work? Can you fix the aC help message?

…

On 2 Mar 2019, at 10:59, Florian Märkl ***@***.***> wrote: Well where would it fit other than anal? It's partially heuristic search and partially parsing data structures defined by C++ ABI. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[thestr4ng3r]

Right now there is nothing in aaa, but avrr is something could certainly be added. The requirement for it are xrefs for the vtable search (aar has to be executed before) and rtti in the binary. Maybe there should also be a fallback when there is no rtti, so it just detects vtables and adds classes for them.

Yes, I'll fix the help

[radare]

Cc @Maijin Pls add this in aaa when it matters

…

On 3 Mar 2019, at 12:44, Florian Märkl ***@***.***> wrote: Right now there is nothing in aaa, but avrr is something could certainly be added. The requirement for it are xrefs for the vtable search (aar has to be executed before) and rtti in the binary. Maybe there should also be a fallback when there is no rtti, so it just detects vtables and adds classes for them. Yes, I'll fix the help — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[Maijin]

@thestr4ng3r Do you have an example of binary in r2r I can use to test the aaa integration?

[thestr4ng3r]

Not in r2r, but you can try with this: cpp_sample.exe.gz

[thestr4ng3r]

Here's also the pdb for it:
cpp_sample.pdb.gz

[Maijin]

@thestr4ng3r

[0x14000100f]> avrr
No virtual tables found

Huh?

[thestr4ng3r]

Needs aar first

[Maijin]

ok great!

[radare]

@oddcoder ^ we need to know when an specific analysis has been run already because some depend on others like aao or avrr

…

On 23 Mar 2019, at 23:29, Florian Märkl ***@***.***> wrote: Needs aar first — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[radare]

@thestr4ng3r any comments on the other points?

[thestr4ng3r]

The aC ref is fixed, for the rest my comments above are still valid

[Maijin]

I don't have any opinion on the renaming, won't have impact on the users I think because very few users know about it if not only core so feel free to go ahead :)

[radare]

removing the milesstone, and imho few users know it because most ppl expect things that analyze the whole thing to be under aa. we can also add some alias commands instead of renaming, so not breaking things, what do u think?

[thestr4ng3r]

I don't think we need an alias for this. A fitting name would be aavr, but that kind of clashes with aav, so not too sure about it.