Syscalls

Syscall detection is driven by asm.os, asm.bits, and asm.arch, so be sure to set those configuration options accordingly. You can use the asl command to check that syscall support is set up properly and as you expect; it lists the syscalls supported for your platform.

    [0x0001ece0]> asl
    ...
    sd_softdevice_enable = 0x80.16
    sd_softdevice_disable = 0x80.17
    sd_softdevice_is_enabled = 0x80.18
    ...

If you set up the ESIL stack with aei or aeim, you can use command to search for the addresses where particular syscalls were found and list them.

Using emulation, radare2 can print syscall arguments in the disassembly output. To enable the linear (but very rough) emulation, set the asm.emu configuration variable:

    [0x0001ece0]> e asm.emu=true
    [0x000187c2]> pdf~svc
    0x000187c2 svc 0x76 ; 118 = sd_ble_gap_disconnect
    [0x000187c2]>

When you run the aae command (or aaaa, which calls aae), radare2 pushes the syscalls it finds into a special syscall. flagspace, which can be useful for automation purposes:

    0> syscall.sd_ble_gap_disconnect
    0x000187c2 syscall.sd_ble_gap_disconnect.0
    0x00018a16 syscall.sd_ble_gap_disconnect.1
    0x0002ac36 syscall.sd_ble_gap_disconnect.3

When debugging in radare2, you can use dcs to continue execution until the next syscall, and dcs* to trace all syscalls.

radare2 also includes a syscall name to syscall number utility: you can look up the name of a given syscall number, or vice versa, without leaving the shell. ask prints the full definition of a syscall:

    [0x08048436]> asl 1
    exit
    [0x08048436]> asl write
    4
    [0x08048436]> ask write
    0x80,4,3,iZi
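To use these outputs for automation outside an interactive session, the following is an added Python example, not code from the radare2 book or the radare2 project. It parses the shapes shown in this section: the asl listing, an ask definition, the asm.emu comment on an svc instruction, and the syscall. flagspace listing. The meaning assumed for the four fields of the ask line (trap/SWI number, syscall number, argument count, one type character per argument) is my reading of the format, and every sample line in the block is constructed to match what the text shows rather than captured from a real session.

```python
"""Offline helpers for the syscall-related output radare2 prints: the
asl listing, an `ask <name>` definition, the syscall. flagspace and the
asm.emu comment on an svc instruction. All sample inputs below are
constructed to mirror the shapes shown in the text, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `asl` output ("<name> = <swi>.<number>"); the "..."
# lines radare2 prints are kept in to show that they are skipped.
ASL_LISTING = """\
...
sd_softdevice_enable = 0x80.16
sd_softdevice_disable = 0x80.17
sd_softdevice_is_enabled = 0x80.18
sd_ble_gap_disconnect = 0x80.118
...
"""

# Constructed sample of `ask write` output on a 32-bit Linux profile.
ASK_WRITE = "0x80,4,3,iZi"

# Constructed sample of the syscall. flagspace after `aae`.
SYSCALL_FLAGS = """\
0x000187c2 syscall.sd_ble_gap_disconnect.0
0x00018a16 syscall.sd_ble_gap_disconnect.1
0x0002ac36 syscall.sd_ble_gap_disconnect.3
0x00019a00 syscall.sd_softdevice_enable.0
"""

ASL_RE = re.compile(r"^(\w+)\s*=\s*(0x[0-9a-fA-F]+)\.(\d+)$")
FLAG_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+syscall\.(\w+)\.(\d+)$")
SVC_RE = re.compile(r"\bsvc\s+(0x[0-9a-fA-F]+|\d+)\b")


@dataclass(frozen=True)
class SyscallDef:
    """Fields of an `ask` definition as I read radare2's syscall database
    (assumption): trap/SWI number, syscall number, argument count and one
    type character per argument."""
    swi: int
    number: int
    nargs: int
    argtypes: str


def parse_ask(defn: str) -> SyscallDef:
    """Parse '<swi>,<number>,<nargs>,<argtypes>' and sanity-check the arity."""
    swi, number, nargs, argtypes = (p.strip() for p in defn.split(","))
    d = SyscallDef(int(swi, 0), int(number, 0), int(nargs, 0), argtypes)
    if len(d.argtypes) != d.nargs:
        raise ValueError(f"{argtypes!r} does not describe {d.nargs} arguments")
    return d


def parse_asl(listing: str) -> Dict[str, int]:
    """Build name -> number from `asl` lines; '...' and blank lines are ignored."""
    table: Dict[str, int] = {}
    for line in listing.splitlines():
        m = ASL_RE.match(line.strip())
        if m:
            table[m.group(1)] = int(m.group(3))
    return table


def syscall_number(table: Dict[str, int], name: str) -> Optional[int]:
    """Equivalent of `asl <name>`; None if the name is unknown."""
    return table.get(name)


def syscall_name(table: Dict[str, int], number: int) -> Optional[str]:
    """Equivalent of `asl <number>`; None if the number is not in the table."""
    for name, num in table.items():
        if num == number:
            return name
    return None


def annotate_svc(disasm_line: str, table: Dict[str, int]) -> Optional[str]:
    """Reproduce the asm.emu comment for an 'svc <imm>' line, e.g.
    '118 = sd_ble_gap_disconnect'; None when there is no resolvable svc."""
    m = SVC_RE.search(disasm_line)
    if not m:
        return None
    number = int(m.group(1), 0)
    name = syscall_name(table, number)
    return f"{number} = {name}" if name else None


def group_syscall_flags(flags: str) -> Dict[str, List[int]]:
    """Group syscall. flag addresses by syscall name, each list sorted."""
    sites: Dict[str, List[int]] = {}
    for line in flags.splitlines():
        m = FLAG_RE.match(line.strip())
        if m:
            sites.setdefault(m.group(2), []).append(int(m.group(1), 16))
    return {name: sorted(addrs) for name, addrs in sites.items()}


if __name__ == "__main__":
    table = parse_asl(ASL_LISTING)
    print(parse_ask(ASK_WRITE))
    print(annotate_svc("0x000187c2 svc 0x76", table))
    for name, addrs in group_syscall_flags(SYSCALL_FLAGS).items():
        print(f"{name}: {len(addrs)} call site(s) at {[hex(a) for a in addrs]}")
```

Feed the functions the text of the corresponding radare2 command output (for example captured through r2pipe or redirected to a file) instead of the constructed samples; grouping the syscall. flags per name gives a quick inventory of where each syscall is reached, which is the automation use the flagspace is meant for.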