16.3 Opcode emulation

The 'av' command stands for 'Analyze' using the 'Virtual machine'. It emulates machine code to determine the values of registers at a given point in the program, which is used to resolve register-based branches and similar constructs.

Here is the help of the command:

[0x4A13B8C0]> av?
Usage: av[ier] [arg]
 ave eax=33   ; evaluate expression in vm
 avf file     ; evaluate expressions from file
 avi          ; import register values from flags
 avm          ; select MMU (default current one)
 avo op expr  ; define new opcode (avo? for help)
 avr          ; show registers
 avx N        ; execute N instructions from cur seek
 av-          ; restart vm using asm.arch
 avr eax      ; show register eax
 avra         ; show register aliases
 avra al eax=0xff ; define 'get' alias for register 'al'
 avrt         ; list valid register types
 e vm.realio  ; if true enables real write changes
Note: The prefix '"' quotes the command and does not parses pipes and so

The virtual machine implemented in radare lets you define opcodes and registers and then execute them. Real code can be converted into radare virtual machine expressions using the 'pas' (codename) engine, which parses the ASCII representations of opcodes to extract their operands and generates strings that the virtual machine can evaluate.
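As an added illustration (not radare's own code), the following Python model shows the three ideas the section describes: evaluating 'ave'-style expressions, reading a register through a 'get' alias as 'avra al eax=0xff' does, and stepping instructions in the manner of 'avx N' until the target of a register branch is known. The instruction syntax, the register set and the alias masks are assumptions made for this example.

```python
class RegVM:
    """Toy model of the 'av' virtual machine (assumption: not radare's own
    code): evaluate 'reg=value' expressions, resolve register aliases and
    step instructions until a register branch target is known."""

    def __init__(self):
        self.regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
        # 'get' aliases in the spirit of 'avra al eax=0xff': reading 'al'
        # returns the low byte of eax (masks are assumed for the example)
        self.aliases = {"al": ("eax", 0xff), "ax": ("eax", 0xffff)}

    def get(self, name):
        """Read a register, applying the alias mask if 'name' is an alias."""
        if name in self.aliases:
            base, mask = self.aliases[name]
            return self.regs[base] & mask
        return self.regs[name]

    def evaluate(self, expr):
        """Evaluate an 'ave'-style expression such as 'eax=33' or 'ebx=eax'."""
        lhs, rhs = (s.strip() for s in expr.split("=", 1))
        self.regs[lhs] = self._value(rhs) & 0xffffffff
        return self.regs[lhs]

    def _value(self, token):
        """Operand: a register/alias name or a decimal/hex literal."""
        token = token.strip()
        if token in self.regs or token in self.aliases:
            return self.get(token)
        return int(token, 0)

    def execute(self, insns, n):
        """Like 'avx N': step at most n instructions (constructed syntax:
        'mov dst, src', 'add dst, src', 'jmp reg') and return the target
        of the first register branch reached, or None if none was hit."""
        for insn in insns[:n]:
            op, args = insn.split(None, 1)
            if op == "jmp":
                return self.get(args.strip())
            dst, src = (a.strip() for a in args.split(",", 1))
            if op == "mov":
                self.evaluate(f"{dst}={src}")
            elif op == "add":
                self.evaluate(f"{dst}={self.get(dst) + self._value(src)}")
        return None
```

Feeding the model a constructed sequence such as 'mov eax, 0x8048000', 'add eax, 0x10', 'jmp eax' yields the branch target 0x8048010, which is the kind of value an analyst needs in order to follow a register branch.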