0.9.7 adds support for using boomerang to decompile specific functions of a binary program from the debugger or the disassembler.
Here's a little example usage:
Code:
$ radare -e dbg.bep=main -d /bin/ls
argv = '/bin/ls', ]
entry at: 0x8049a80
cont: breakpoint stop (0x8049a80)
main at: 0x804e880
cont: breakpoint stop (0x804e880)
Program '/bin/ls' loaded.
Warning: sysctl -w kernel.randomize_va_space=0
open debugger ro /bin/ls
96 symbols added.
[0x0804E884]> s 0x8059ED0
Let's disassemble the target of the unknown call from main (the fourth call)
[0x08059ED0]> pD 60
0x08059ED0, 55 push ebp
0x08059ED1 31c0 eax ^= eax
0x08059ED3 89e5 ebp = esp
0x08059ED5 53 push ebx
0x08059ED6 e8efffffff ^ call 0x8059ECA ; [1]
0x08059EDB 81c329420000 ebx += 0x4229
0x08059EE1 83ec0c esp -= 0xc ; 12 ' ' ; eax+0xb
0x08059EE4, 8b93fcffffff edx = [ebx-0x4]
0x08059EEA 85d2 test edx, edx
.==< 0x08059EEC, 7402 v jz 0x8059EF0 ; [2]
| 0x08059EEE 8b02 eax = [edx]
`--> 0x08059EF0, 89442408 [esp+0x8] = eax
0x08059EF4, 8b4508 eax = [ebp+0x8]
0x08059EF7 c7442404000000. dword [esp+0x4] = 0x0
0x08059EFF 890424 [esp] = eax
0x08059F02 e819f6feff ^ call 0x8049520 ; sym___cxa_atexit [3]
0x08059F07 83c40c esp += 0xc ; 12 ' ' ; eax+0xb
0x08059F0A 5b pop ebx
0x08059F0B 5d pop ebp
0x08059F0C, c3 ret ;--
0x08059F0C ; ------------------------------------
And now...time for decompilation! :D
[0x08059ED0]> !rsc boomerang $FILE $XOFFSET
decompiling entry point proc1
void proc2(); // presumably the target of `call 0x8059ECA` (0x08059ED6) in the disassembly above; its body is not shown
// address: 0x8059ed0
// Boomerang output for the routine disassembled above (0x08059ED0..0x08059F0C).
// __size32, LOGICALFLAGS32 and pc are not declared anywhere in this listing
// (decompiler-internal names), so this is a readable rendering, not compilable C.
void proc1() {
__size32 eax; // r24
__size32 ebp; // r29
__size32 ebx; // r27
__size32 edx; // r26
int esp; // r28
unsigned int local0; // m[esp - 12]
__size32 local1; // m[esp - 8]
__size32 local2; // m[esp - 4]
// The register and LOGICALFLAGS32 arguments appear to be the decompiler's
// register-level view of the call at 0x08059ED6, not a real C signature -- verify against boomerang's IR.
eax = proc2(pc, ebx, ebp, 0, ebx, esp - 4, LOGICALFLAGS32(0), LOGICALFLAGS32(0), LOGICALFLAGS32(0)); /* Warning: also results in ebx, esp, ebp */
// [ebx-0x4] after `ebx += 0x4229` (0x08059EDB..0x08059EE4): 0x4229 - 4 = 0x4225
edx = *(ebx + 0x4225);
// test edx, edx / jz 0x8059EF0 (0x08059EEA..0x08059EEC)
if (edx != 0) {
eax = *edx; // eax = [edx] at 0x08059EEE
}
// [esp+0x8] = eax at 0x08059EF0; this is m[esp - 4] relative to the entry esp because `esp -= 0xc` ran at 0x08059EE1
local2 = eax;
eax = *(ebp + 8); // eax = [ebp+0x8] at 0x08059EF4
local1 = 0; // dword [esp+0x4] = 0x0 at 0x08059EF7
local0 = eax; // [esp] = eax at 0x08059EFF
// call 0x8049520 (sym___cxa_atexit) at 0x08059F02; the three stack slots written just above
// ([esp], [esp+4], [esp+8]) are presumably its arguments, which the decompiler did not recover
__cxa_atexit();
return; // esp += 0xc / pop ebx / pop ebp / ret (0x08059F07..0x08059F0C)
}