HexHive / retrowrite

RetroWrite -- Retrofitting compiler passes through binary rewriting

Compilation fail on reassembled code #16

Open ZhangZhuoSJTU opened 3 years ago

ZhangZhuoSJTU commented 3 years ago

Hi, I have a binary that failed to be reassembled. It is bsdtar in libarchive.

The git version of retrowrite is b842aca0d1ff3ad10b4df71c5f4a2944bae18580

The binary information is:

$ file bsdtar
bsdtar: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c1d62fbb71cec37b6ce7089b476513fb3bc4146e, not stripped

$ checksec bsdtar
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : ENABLED
RELRO     : Partial

I tried the following commands to get the reassembled code:

$ retrowrite bsdtar a.s
[*] Relocations for a section that's not loaded: .rela.plt
[*] Relocations for a section that's not loaded: .rela.dyn
[x] Could not replace value in .init_array
[x] Couldn't find valid section 308230
[x] Couldn't find valid section 30afd0
[x] Couldn't find valid section 30afd8
[x] Couldn't find valid section 30afe0
[x] Couldn't find valid section 30afe8
[x] Couldn't find valid section 30aff0

$ gcc a.s -llzma -lcrypto -lz -lxml2 -lbz2 -lacl -llz4 -o a.out
/tmp/ccZthWQk.o:(.data+0x30): undefined reference to `.LC0'
/tmp/ccZthWQk.o:(.data+0x38): undefined reference to `.LC0'
collect2: error: ld returned 1 exit status

Then I checked the bug. In a.s, the error happens here:

.type   memset_v.3282_30b8d8,@object
.globl memset_v.3282_30b8d8
memset_v.3282_30b8d8: # 30b8d8 -- 30b8e0
.LC30b8d8:
        .quad .LC0
.type   memset_v.2768_30b8e0,@object
.globl memset_v.2768_30b8e0
memset_v.2768_30b8e0: # 30b8e0 -- 30b8e8
.LC30b8e0:
        .quad .LC0
.section .bss
.align 32
.type   stdout_30b900,@object
.globl stdout_30b900
stdout_30b900: # 30b900 -- 30b908

The label LC0 is an invalid label. The r2 output of this code is:

            ;-- memset_v.3282:
            ; DATA XREF from sym.secure_zero_memory (0xb4e91)
            0x0030b8d8      .qword 0x0000000000000000                  ; RELOC 64 memset
            ;-- reloc.memset:
            ;-- memset_v.2768:
            ; DATA XREF from sym.secure_zero_memory_1 (0xd3afd)
            0x0030b8e0      .qword 0x0000000000000000                  ; RELOC 64 memset
            ;-- _edata:
            ;-- __bss_start:

When I manually replace the label LC0 with the numerical value 0, it passes compilation.

It looks like retrowrite fails to symbolize the numerical value 0, but I guess it may be an implementation bug.

All the files are attached here.
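One way to triage this kind of reassembly failure, as an added example that is not part of the issue or of the retrowrite code base: a small Python lint that scans the emitted assembly for `.quad`/`.long` directives naming a label the file never defines, recovers each slot's address from retrowrite's `.LC<hex>` label, and looks the slot up in a relocation table. The assembly excerpt and the relocation table are constructed from the listings in this report (the `RELOC 64 memset` annotations in the r2 output); the rule that a 64-bit symbol relocation should be re-emitted as `.quad <symbol>` is this example's own assumption about how to restore the relocation, not retrowrite's behaviour.

```python
import re
import sys

# Constructed excerpt: the data slots from the issue's a.s on which gcc fails.
SAMPLE_ASM = """\
.type   memset_v.3282_30b8d8,@object
.globl memset_v.3282_30b8d8
memset_v.3282_30b8d8: # 30b8d8 -- 30b8e0
.LC30b8d8:
        .quad .LC0
.type   memset_v.2768_30b8e0,@object
.globl memset_v.2768_30b8e0
memset_v.2768_30b8e0: # 30b8e0 -- 30b8e8
.LC30b8e0:
        .quad .LC0
.section .bss
.align 32
.type   stdout_30b900,@object
.globl stdout_30b900
stdout_30b900: # 30b900 -- 30b908
"""

# Constructed relocation table keyed by slot address, modelled on the
# "RELOC 64 memset" annotations r2 printed for 0x30b8d8 and 0x30b8e0.
SAMPLE_RELOCS = {
    0x30b8d8: ("R_X86_64_64", "memset"),
    0x30b8e0: ("R_X86_64_64", "memset"),
}

LABEL_DEF = re.compile(r"^\s*([A-Za-z_.$][\w.$]*):")
DATA_REF = re.compile(r"^(\s*)\.(quad|long)\s+(\.L[\w.$]*)\s*$")
ADDR_LABEL = re.compile(r"^\.LC([0-9a-fA-F]+)$")  # retrowrite-style address labels (assumed naming)


def find_undefined_refs(asm_text):
    """Return [(line_no, slot_addr, label)] for .quad/.long directives that name
    a label the file never defines (the `.LC0` case from the issue)."""
    lines = asm_text.splitlines()
    defined = {m.group(1) for m in map(LABEL_DEF.match, lines) if m}
    problems, slot_addr = [], None
    for no, line in enumerate(lines, 1):
        m = LABEL_DEF.match(line)
        if m:
            am = ADDR_LABEL.match(m.group(1))
            if am:                       # ".LC30b8d8:" means the slot lives at 0x30b8d8
                slot_addr = int(am.group(1), 16)
        m = DATA_REF.match(line)
        if m and m.group(3) not in defined:
            problems.append((no, slot_addr, m.group(3)))
    return problems


def suggest_fix(problems, relocs):
    """Map each bad line to the directive the relocation table implies.
    A 64-bit relocation against a symbol means the slot held that symbol's
    address, so emitting the symbol name lets the linker regenerate the
    relocation; slots with no relocation fall back to the literal 0 the
    reporter substituted by hand."""
    fixes = []
    for no, addr, _label in problems:
        reloc = relocs.get(addr)
        if reloc and reloc[0] == "R_X86_64_64":
            fixes.append((no, ".quad %s" % reloc[1]))
        else:
            fixes.append((no, ".quad 0"))
    return fixes


def patch_asm(asm_text, relocs):
    """Return asm_text with every undefined data reference replaced per suggest_fix."""
    lines = asm_text.splitlines()
    for no, directive in suggest_fix(find_undefined_refs(asm_text), relocs):
        indent = DATA_REF.match(lines[no - 1]).group(1)
        lines[no - 1] = indent + directive
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for no, addr, label in find_undefined_refs(SAMPLE_ASM):
        print("line %d: slot 0x%x references undefined label %s" % (no, addr, label))
    sys.stdout.write(patch_asm(SAMPLE_ASM, SAMPLE_RELOCS))
```

The distinction the lint draws matters for anything beyond getting a link: with an empty relocation table it reproduces the reporter's `.quad 0` workaround, which satisfies ld but leaves the slot holding a literal zero instead of the address the original `RELOC 64 memset` entry filled in at load time. Feeding it the relocations instead keeps the function pointer intact in the rewritten binary.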

diagprov commented 3 years ago

Hello, thanks for the bug report and the file, we'll look into what is going on.

Liblor commented 3 years ago

I think I have come across the same or a similar issue: reproducible.tar.gz