
Searching for rdtsc in binaries

This snippet searches for every occurrence of rdtsc inside a given binary. To check whether a hit is real code rather than a chance byte match, the 10 following instructions are printed as well.

pd 10 @@/c rdtsc

/c rdtsc searches for all occurrences of rdtsc. The @@ operator iterates over every result of the search command, and the command before the @@ (here pd 10) is run at each match.

[0x00000000]> pd 10 @@/c rdtsc
            0x0004ee4f      rdtsc
            0x0004ee51      rcr dword [0xc7542838], cl
            0x0004ee57      sal dword [esi + 0x2e], 1
        ┌─< 0x0004ee5a      jmp 0x4e437e3b
        │   0x0004ee5f      xchg eax, ebx
        │   0x0004ee60      pop ds
       ┌──< 0x0004ee61      jno 0x4ee8d
       ││   0x0004ee63      cmp byte [ebx], bl
       ││   0x0004ee65      salc
       ││   0x0004ee67      mov ch, 0x5a
0x0004ee4f   # 2: rdtsc
        |   0x00051f35      rdtsc
        |   0x00051f37      out 0x8b, al
        |   0x00051f39      popfd
        |   0x00051f3a      mov esi, 0x6b44034d
        |   0x00051f3f      imul edi, esp, 0xffffffffffffffca
        |   0x00051f42      invalid
        |   0x00051f43      popfd
        └─< 0x00051f44      jmp 0x51f13
            0x00051f46      test byte [ebx - 0x3a], ch
            0x00051f49      mov eax, dword [0x38a479ad]
0x00051f35   # 2: rdtsc
            0x00058746      rdtsc
            0x00058748      rcl ebx, 1
            0x0005874a      fild dword [edi - 0x39]
            0x0005874d      int1
            0x0005874e      shl byte [edi - 8], cl
            0x00058751      mov esi, 0x112acd52
            0x00058756      mov dword [0x62854d50], eax
            0x0005875b      arpl word [edi + ecx*4], di
            0x0005875e      lodsb al, byte [esi]
            0x0005875f      adc dword [ecx - 0x12], ecx
0x00058746   # 2: rdtsc
            0x00058e92      rdtsc
            0x00058e94      imul edx, ecx, 0xe9e3e31a
            0x00058e9a      and eax, 0xd0a046a1
            0x00058e9f      adc edi, dword [edx - 0x57791cc8]
            0x00058ea5      push edi
            0x00058ea6      out dx, al
            0x00058ea7      retf 0xf35
        ┌─< 0x00058eaa      jp 0x58ece
        │   0x00058eac      invalid
        │   0x00058ead      daa
0x00058e92   # 2: rdtsc

It's also possible to append

~..

to the command to page through the result with radare's built-in less.
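The same search-then-inspect loop on raw bytes, as an added example that is not part of the original page or of radare2: it finds the 0f 31 encoding of rdtsc, shows the bytes that follow each hit, and flags hits that fall outside an executable range (the usual reason a match is not "valid"). The SAMPLE buffer, the SECTIONS table and the helper names are constructed for the demonstration.

```python
from typing import List, Tuple

RDTSC = b"\x0f\x31"  # x86 encoding of the rdtsc instruction


def find_rdtsc(data: bytes, context: int = 10) -> List[Tuple[int, str]]:
    """Return (offset, hex of the following `context` bytes) for every hit.

    Mirrors `/c rdtsc` (collect hits) followed by `@@` (act on each hit);
    here the per-hit action is just grabbing the bytes after the opcode.
    """
    hits = []
    pos = data.find(RDTSC)
    while pos != -1:
        following = data[pos + len(RDTSC): pos + len(RDTSC) + context]
        hits.append((pos, following.hex(" ")))
        pos = data.find(RDTSC, pos + 1)
    return hits


def in_code_section(offset: int, sections: List[Tuple[int, int]]) -> bool:
    """True if `offset` lies inside one of the (start, size) executable ranges.

    A two-byte pattern matches constantly inside data, so a hit outside an
    executable section is the first thing to discard when triaging results.
    """
    return any(start <= offset < start + size for start, size in sections)


# Constructed fake "binary": one real rdtsc inside the code range and one
# accidental 0f 31 pair inside a data range (hypothetical layout, not a file).
SAMPLE = (
    b"\x90" * 0x10                          # padding (nop sled)
    + b"\x0f\x31"                           # rdtsc at 0x10 (inside code)
    + b"\x48\xc1\xe2\x20\x48\x09\xd0\xc3"   # shl rdx,32 ; or rax,rdx ; ret
    + b"\x00" * 0x10                        # zero-filled data
    + b"\x0f\x31\x00\x00"                   # stray 0f 31 at 0x2a (inside data)
)
SECTIONS = [(0x00, 0x20)]                   # constructed: .text covers 0x00-0x1f


def triage(data: bytes = SAMPLE, sections=SECTIONS):
    """Pair every hit with its context bytes and a code/data verdict."""
    return [(off, ctx, in_code_section(off, sections))
            for off, ctx in find_rdtsc(data)]


if __name__ == "__main__":
    for off, ctx, ok in triage():
        print(f"0x{off:08x}  rdtsc  next: {ctx}  {'code' if ok else 'DATA (skip)'}")
```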
