malloc://983040 when running vxhunter_r2_py3.py under OSX Catalina and some leftover function analysis hiccups

[brainstorm]

I'm writing up a blogpost for r2 and vxhunter, currently seeing this right now:

$ r2 -a sh -b 32 VxWorks.bin
 -- This shell has been seized by the Internet's Police.
[0x00000000]> i
fd       4
file     VxWorks.bin
size     0xbd62a0
humansz  11.8M
mode     r-x
format   any
iorw     false
blksz    0x0
block    0x100

[0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py
Running with python version: 3.7.1 (default, Dec 14 2018, 13:28:58)
[Clang 4.0.1 (tags/RELEASE_401/final)]
Auto detected VxWorks version: 5
firmware_path: malloc://983040
Traceback (most recent call last):
  File "/Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py", line 780, in <module>
    firmware = open(firmware_path, 'rb').read()
FileNotFoundError: [Errno 2] No such file or directory: 'malloc://983040'

I am on OSX Catalina 10.15.2 and r2 version:

$ r2 -v
radare2 4.2.0-git 23402 @ darwin-x86-64 git.3.2.1-2852-g2b21d58e8
commit: 2b21d58e898e31477b309f70e6b311df997e3a2c build: 2019-12-31__17:01:08

/cc @trufae

[radare]

And the script is...? Thw problem is cleaely not in r2

[brainstorm]

Sorry man, script is this one:

https://github.com/PAGalaxyLab/vxhunter/blob/master/firmware_tools/vxhunter_r2_py3.py#L780

Hm, must be cmdj further above perhaps? Will debug a bit...

[brainstorm]

Hm, cmdj returns two JSON records/file descriptors for a single file?

[{'raised': False, 'fd': 3, 'uri': 'malloc://983040', 'from': 0, 'writable': True, 'size': 983040}, {'raised': True, 'fd': 4, 'uri': '/Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin', 'from': 0, 'writable': False, 'size': 12411552}]

Went past line 780 with this change:

diff --git a/firmware_tools/vxhunter_r2_py3.py b/firmware_tools/vxhunter_r2_py3.py
index 75e5f5e..2e2e2b4 100755
--- a/firmware_tools/vxhunter_r2_py3.py
+++ b/firmware_tools/vxhunter_r2_py3.py
@@ -773,7 +773,9 @@ if __name__ == '__main__':
         print("vx_version:{}".format(vx_version))

     # only use first file
-    opened_file_data = r2p.cmdj("oj*")[0]
+    opened_file_data = r2p.cmdj("oj*")
+    print(opened_file_data)
+    opened_file_data = opened_file_data[1]
     firmware_path = opened_file_data['uri']
     print("firmware_path: {}".format(firmware_path))

But still there are some issues with anal (af) it seems:

[0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py
Running with python version: 3.7.1 (default, Dec 14 2018, 13:28:58)
[Clang 4.0.1 (tags/RELEASE_401/final)]
Auto detected VxWorks version: 5
[{'raised': False, 'fd': 3, 'uri': 'malloc://983040', 'from': 0, 'writable': True, 'size': 983040}, {'raised': True, 'fd': 4, 'uri': '/Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin', 'from': 0, 'writable': False, 'size': 12411552}]
firmware_path: /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0xba1eb8
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0xbd61c8
[INFO    ][vxhunter_r2_py3._check_vxworks_endian] VxWorks endian: Little endian

###### Start analyze firmware ######
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x80002000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x10000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x1000
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0xf2003fe4
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x100000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x107fe0
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table start address at 0xa90d48
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table end at 0xae60f3
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found a string tab at: 0xa90d4c to 0xae60f3
[INFO    ][vxhunter_r2_py3.find_loading_address] Start analyse
[INFO    ][vxhunter_r2_py3.find_loading_address] load address is :0xbffd998
Found VxWorks image load address: 0x0BFFD998
Found VxWorks symbol table from 0x00BA1EB8 to 0x00BD61C8

###### Rebase current firmware ######
All core files, io, anal and flags info purged.
Rebase with r2 command: o /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin 0xbffd998 r-x

###### Start analyzing functions######
af: Cannot find function at 0x0c40e662
af: Cannot find function at 0x0c40d906
af: Cannot find function at 0x0c4016a0
af: Cannot find function at 0x0c40a320
af: Cannot find function at 0x0c40a2a0
af: Cannot find function at 0x0c40a084
af: Cannot find function at 0x0c40b0c8
(...)
     /\.---./\       .---------------------------------------------------------------.
 '--           --'   |                                                               |
----   ^   ^   ---- <  Finished, VxHunter found 12610 functions and 1962 symbols ^_^ |
  _.-    Y    -._    |                                                               |
                     `---------------------------------------------------------------'

[brainstorm]

@radare, it is indeed an OSX Catalina + r2 issue!:

$ r2 /bin/ls
 -- Heisenbug: A bug that disappears or alters its behavior when one attempts to probe or isolate it.
[0x10000102c]> oj*
[{"raised":false,"fd":3,"uri":"malloc://983040","from":0,"writable":true,"size":983040},{"raised":true,"fd":4,"uri":"/bin/ls","from":0,"writable":false,"size":51888}]
[0x10000102c]>

This behavior is not like that with prior OSX's.

[dark-lbp]

@radare I am on OSX 10.14.6 and oj* work's fine, so it's OSX Catalina only issue?

➜  VxHunter_test r2 -v
radare2 4.2.0-git 396 @ darwin-x86-64 git.4.2.0-git
commit: 9a6bcce392619171cc2f8e1df1133b4dab4373a6 build: 2020-01-02__21:10:46
➜  VxHunter_test r2 -a sh -b 32 VxWorks_5.5_sh.bin
Module version mismatch /Users/zhuwz/.local/share/radare2/plugins/core_ghidra.dylib (4.1.0-git) vs (4.2.0-git)
 -- Default scripting languages are NodeJS and Python.
[0x00000000]> oj*
[{"raised":true,"fd":3,"uri":"VxWorks_5.5_sh.bin","from":0,"writable":false,"size":66585220}]
[0x00000000]>

And is there any r2 command can read full file data?

[dark-lbp]

@brainstorm This is the patch. I don't have OSX Catalina installed, can you test it for me?

diff --git a/firmware_tools/vxhunter_r2_py3.py b/firmware_tools/vxhunter_r2_py3.py
index 75e5f5e..7988589 100755
--- a/firmware_tools/vxhunter_r2_py3.py
+++ b/firmware_tools/vxhunter_r2_py3.py
@@ -749,6 +749,15 @@ def add_symbol(symbol_name, symbol_name_address, symbol_address, symbol_type):
     return

+def get_r2_opened_file(r2_opened_file_data):
+    for opened_file in r2_opened_file_data:
+        if isinstance(opened_file, dict):
+            if opened_file["raised"] is True and not opened_file["uri"].lower().startswith("malloc"):
+                return opened_file["uri"]
+
+    return None
+
+
 if __name__ == '__main__':
     print("Running with python version: {}".format(sys.version))
     r2p = r2pipe.open()
@@ -773,8 +782,11 @@ if __name__ == '__main__':
         print("vx_version:{}".format(vx_version))

     # only use first file
-    opened_file_data = r2p.cmdj("oj*")[0]
-    firmware_path = opened_file_data['uri']
+    opened_file_data = r2p.cmdj("oj*")
+    firmware_path = get_r2_opened_file(opened_file_data)
+    if firmware_path is None:
+        print("Can't get firmware_path, exit.")
+        sys.exit()
     print("firmware_path: {}".format(firmware_path))

     firmware = open(firmware_path, 'rb').read()

[brainstorm]

Thanks @dark-lbp, it went past that oj* issue fine now:

$ r2 -a sh -b 32 ~/dev/anritsu/firmware/fresh/OS/VxWorks.bin
 -- r2 is meant to be read by machines.
[0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py
Running with python version: 3.7.3 | packaged by conda-forge | (default, Jul  1 2019, 14:38:56)
[Clang 4.0.1 (tags/RELEASE_401/final)]
Auto detected VxWorks version: 5
firmware_path: /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0xba1eb8
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0xbd61c8
[INFO    ][vxhunter_r2_py3._check_vxworks_endian] VxWorks endian: Little endian

###### Start analyze firmware ######
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x80002000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x10000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x1000
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0xf2003fe4
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x100000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x107fe0
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table start address at 0xa90d48
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table end at 0xae60f3
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found a string tab at: 0xa90d4c to 0xae60f3
[INFO    ][vxhunter_r2_py3.find_loading_address] Start analyse
[INFO    ][vxhunter_r2_py3.find_loading_address] load address is :0xbffd998
Found VxWorks image load address: 0x0BFFD998
Found VxWorks symbol table from 0x00BA1EB8 to 0x00BD61C8

###### Rebase current firmware ######
All core files, io, anal and flags info purged.
Rebase with r2 command: o /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin 0xbffd998 r-x

###### Start analyzing functions######
af: Cannot find function at 0x0c40e662
af: Cannot find function at 0x0c40d906
af: Cannot find function at 0x0c4016a0
af: Cannot find function at 0x0c40a320
af: Cannot find function at 0x0c40a2a0
af: Cannot find function at 0x0c40a084
af: Cannot find function at 0x0c40b0c8
af: Cannot find function at 0x0c40fbc4
af: Cannot find function at 0x0c40fb60
af: Cannot find function at 0x0c40fc64
af: Cannot find function at 0x0c40fbe0
af: Cannot find function at 0x0c40abc0
af: Cannot find function at 0x0c40fa34
af: Cannot find function at 0x0c002180
af: Cannot find function at 0x0c40a410
af: Cannot find function at 0x0c412140
af: Cannot find function at 0x0c40ff70
af: Cannot find function at 0x0c413e1c
af: Cannot find function at 0x0c418434
af: Cannot find function at 0x0c418438
af: Cannot find function at 0x0c41843c
af: Cannot find function at 0x0c418440
af: Cannot find function at 0x0c418444
af: Cannot find function at 0x0c418448
af: Cannot find function at 0x0c41846c
af: Cannot find function at 0x0c41844c
af: Cannot find function at 0x0c418450
af: Cannot find function at 0x0c418454
af: Cannot find function at 0x0c418458
af: Cannot find function at 0x0c41845c
af: Cannot find function at 0x0c418460
af: Cannot find function at 0x0c418464
af: Cannot find function at 0x0c401600
af: Cannot find function at 0x0c413e4e
af: Cannot find function at 0x0c401680
af: Cannot find function at 0x0c401700
af: Cannot find function at 0x0c416684
af: Cannot find function at 0x0c416686
af: Cannot find function at 0x0c416688
af: Cannot find function at 0x0c41668a
af: Cannot find function at 0x0c41668c
af: Cannot find function at 0x0c41668e
af: Cannot find function at 0x0c416650
af: Cannot find function at 0x0c416652
af: Cannot find function at 0x0c416654
af: Cannot find function at 0x0c416656
af: Cannot find function at 0x0c416658
af: Cannot find function at 0x0c41665a
af: Cannot find function at 0x0c416664
af: Cannot find function at 0x0c416666
af: Cannot find function at 0x0c416668
af: Cannot find function at 0x0c416690
af: Cannot find function at 0x0c41666a
af: Cannot find function at 0x0c41666c
af: Cannot find function at 0x0c41666e
af: Cannot find function at 0x0c416670
af: Cannot find function at 0x0c416678
af: Cannot find function at 0x0c41667a
af: Cannot find function at 0x0c41667c
af: Cannot find function at 0x0c41667e
af: Cannot find function at 0x0c416680
af: Cannot find function at 0x0c416692
af: Cannot find function at 0x0c40fcc0

     /\.---./\       .---------------------------------------------------------------.
 '--   =   =   --'   |                                                               |
----     Y     ---- <  Finished, VxHunter found 12610 functions and 1962 symbols ^_^ |
  _.-    U    -._    |                                                               |
                     `---------------------------------------------------------------'

[0x00000000]>

What's left to fix now are those offsets that af chokes with... looking at it right now...

[brainstorm]

The offsets that you reported in private (0x0c38...) about the switch table are not present on my output.

Focusing on one of the reported 0x0c4... offsets above, af seems to complain about that _uss_fpsub() not having a "normal" function prelude & ret, it just seems to find 3 opcodes right before _uss_fpadd():

Ghidra seems to analyze it the same way without complaining much, but still looks a bit weird?:

I'm not sure if this is really a @radare artifact or perhaps the way that _uss_fpsub() function gets detected during vxhunter analysis?

[brainstorm]

Current discussion between me and @dark-lbp revolves around compiler optimisation for the particular case mentioned above: those 3 opcodes prefixing the _uss_fpadd() function might be the difference between substracting and adding :)

... not sure if @radare should bother detecting those very special cases at all and/or not flag them as "function not found"?

[brainstorm]

Following this saga and quickly checking the other offsets, for completeness, 0x0c40d906 are the same as reported above in 0x0c4016a0.

0x0c40a320 -> semQPut comes after a few nops, not a function per se. 0x0c40a2a0 -> semBTake, same story 0x0c40a084 -> semBgive, same

0x0c40fc64:

Overall I suspect that for some functions, VxWorks might just jump there when it needs to execute things like semaphores, exceptions, mmu, fpu ops, etc... those that are inherently time or performance sensitive, perhaps? Again smells like hardcore compiler/OS optimization.

For those there's no typical function prelude that radare2 "likes" therefore goes af: Cannot find function... that's my guess at this point.

@dark-lbp feel free to include the patch you mentioned above (it works!)... and since those outliers do not affect the overall analysis, I would leave it as-is for now and close this issue. Although perhaps vxHunter should warn/print that "the following af errors can be safely ignored"?

If @radare knows a way to handle this better rather than treating as "VxWorks artifacts", I'm all ears ;)

[trufae]

af doesn’t care about function preludes. Its maybe about map permissions lacking the exec bit?

On 4 Jan 2020, at 04:28, Roman Valls Guimera notifications@github.com wrote:

 Following this saga and quickly checking the other offsets, for completeness, 0x0c40d906 are the same as reported above in 0x0c4016a0.

0x0c40a320 -> semQPut comes after a few nops, not a function per se. 0x0c40a2a0 -> semBTake, same story 0x0c40a084 -> semBgive, same

0x0c40fc64:

Overall I suspect that for some functions, VxWorks might just jump there when it needs to execute things like semaphores, exceptions, mmu, fpu ops, etc... those that are inherently time or performance sensitive, perhaps? Again smells like hardcore compiler/OS optimization.

For those there's no typical function prelude that radare2 "likes" therefore goes af: Cannot find function... that's my guess at this point.

@dark-lbp feel free to include the patch you mentioned above (it works!)... and since those outliers do not affect the overall analysis, I would leave it as-is for now and close this issue. Although perhaps vxHunter should warn/print that "the following af errors can be safely ignored"?

If @radare knows a better way to handle this better rather to treat them as "VxWorks artifacts", I'm all ears ;)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[brainstorm]

Ah, you mean defining omf [mapid] rwx for each map instead of just having one defined?:

[0x00000000]> om
 1 fd: 3 +0x00000000 0x0bffd998 - 0x0cbd3c37 r-x

I need to have a look at the vxhunter the script and see if it changes sections/maps at all, I doubt it... edit, nope, no sections defined:

[0x00000000]> iS
[Sections]

nth paddr  size vaddr  vsize perm name
――――――――――――――――――――――――――――――――――――――

[0x00000000]>

There's a ton of functions that did not have this af error though:

VxHunter found 11368 functions and 1964 symbols ^_^

[dark-lbp]

I think this issue is using af to analyze function uss_fpadd(0x0c378062) inside another function uss_fpsub(0x0c37805c).

[trufae]

The new code analysis based on basic blocks may fix this issue. We may probably merge the anal-blocks pr soon

On 6 Jan 2020, at 00:54, dark-lbp notifications@github.com wrote:

 I think this issue is using af to analyze function uss_fpadd(0x0c378062) inside another function uss_fpsub(0x0c37805c).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[brainstorm]

I went ahead and tested the anal-block branch (from PR https://github.com/radareorg/radare2/pull/15169):

radare2 4.2.0-git 23532 @ darwin-x86-64 git.3.2.1-2979-g5d1cc302a
commit: 5d1cc302aa535806d554e002707dc9d37f79c1bd build: 2020-01-06__16:35:03

And it gets a little bit worse with the errors although it actually detects 10 more functions that it did not detect before:

$ r2 -a sh -b 32 ~/dev/anritsu/firmware/fresh/OS/VxWorks.bin
 -- Try pressing the pigeon-shaped button
[0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py
Running with python version: 3.7.1 (default, Dec 14 2018, 13:28:58)
[Clang 4.0.1 (tags/RELEASE_401/final)]
Auto detected VxWorks version: 5
firmware_path: /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0xba1eb8
[INFO    ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0xbd61c8
[INFO    ][vxhunter_r2_py3._check_vxworks_endian] VxWorks endian: Little endian

###### Start analyze firmware ######
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x80002000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x10000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x1000
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0xf2003fe4
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x100000
[INFO    ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table
[INFO    ][vxhunter_r2_py3.quick_test] load address is not:0x107fe0
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table start address at 0xa90d48
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table end at 0xae60f3
[INFO    ][vxhunter_r2_py3.find_string_table_by_key_function_index] found a string tab at: 0xa90d4c to 0xae60f3
[INFO    ][vxhunter_r2_py3.find_loading_address] Start analyse
[INFO    ][vxhunter_r2_py3.find_loading_address] load address is :0xbffd998
Found VxWorks image load address: 0x0BFFD998
Found VxWorks symbol table from 0x00BA1EB8 to 0x00BD61C8

###### Rebase current firmware ######
All core files, io, anal and flags info purged.
Rebase with r2 command: o /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin 0xbffd998 r-x

###### Start analyzing functions######
af: Cannot find function at 0x0c40e662
af: Cannot find function at 0x0c40d906
af: Cannot find function at 0x0c4016a0
af: Cannot find function at 0x0c40a320
af: Cannot find function at 0x0c40a2a0
af: Cannot find function at 0x0c40a084
af: Cannot find function at 0x0c40b0c8
af: Cannot find function at 0x0c40fbc4
af: Cannot find function at 0x0c40fb60
af: Cannot find function at 0x0c40fc64
af: Cannot find function at 0x0c40fbe0
af: Cannot find function at 0x0c40abc0
af: Cannot find function at 0x0c40fa34
af: Cannot find function at 0x0c002180
Invalid function name 'vsscanf__14ZafStandardArgPCUwT1P14__gnuc_va_list' at 0x0c22a980
af: Cannot find function at 0x0c22a980
Invalid function name 'vsprintf__14ZafStandardArgPUwPCUwP14__gnuc_va_list' at 0x0c20e400
af: Cannot find function at 0x0c20e400
Invalid function name 'sysOutWord' at 0x0c05a0c0
af: Cannot find function at 0x0c05a0c0
Invalid function name 'sysInWord' at 0x0c05a060
af: Cannot find function at 0x0c05a060
af: Cannot find function at 0x0c40a410
af: Cannot find function at 0x0c412140
Invalid function name 'db_show_arptab' at 0x0c41e280
af: Cannot find function at 0x0c41e280
af: Cannot find function at 0x0c40ff70
Invalid function name 'cplusDemangle' at 0x0c3ea880
af: Cannot find function at 0x0c3ea880
Invalid function name 'arpCmd' at 0x0c41de40
af: Cannot find function at 0x0c41de40
af: Cannot find function at 0x0c413e1c
Invalid function name 'strxfrm' at 0x0c464740
af: Cannot find function at 0x0c464740
af: Cannot find function at 0x0c418434
af: Cannot find function at 0x0c418438
af: Cannot find function at 0x0c41843c
af: Cannot find function at 0x0c418440
af: Cannot find function at 0x0c418444
af: Cannot find function at 0x0c418448
af: Cannot find function at 0x0c41846c
af: Cannot find function at 0x0c41844c
af: Cannot find function at 0x0c418450
af: Cannot find function at 0x0c418454
af: Cannot find function at 0x0c418458
af: Cannot find function at 0x0c41845c
af: Cannot find function at 0x0c418460
af: Cannot find function at 0x0c418464
af: Cannot find function at 0x0c401600
af: Cannot find function at 0x0c413e4e
af: Cannot find function at 0x0c401680
af: Cannot find function at 0x0c401700
af: Cannot find function at 0x0c416684
af: Cannot find function at 0x0c416686
af: Cannot find function at 0x0c416688
af: Cannot find function at 0x0c41668a
af: Cannot find function at 0x0c41668c
af: Cannot find function at 0x0c41668e
af: Cannot find function at 0x0c416650
af: Cannot find function at 0x0c416652
af: Cannot find function at 0x0c416654
af: Cannot find function at 0x0c416656
af: Cannot find function at 0x0c416658
af: Cannot find function at 0x0c41665a
af: Cannot find function at 0x0c416664
af: Cannot find function at 0x0c416666
af: Cannot find function at 0x0c416668
af: Cannot find function at 0x0c416690
af: Cannot find function at 0x0c41666a
af: Cannot find function at 0x0c41666c
af: Cannot find function at 0x0c41666e
af: Cannot find function at 0x0c416670
af: Cannot find function at 0x0c416678
af: Cannot find function at 0x0c41667a
af: Cannot find function at 0x0c41667c
af: Cannot find function at 0x0c41667e
af: Cannot find function at 0x0c416680
af: Cannot find function at 0x0c416692
af: Cannot find function at 0x0c40fcc0
Invalid function name 't9ZafVector1Zl' at 0x0c1e2660
af: Cannot find function at 0x0c1e2660
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence9CListener' at 0x0c21ae80
af: Cannot find function at 0x0c21ae80
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence19ConstructedListener' at 0x0c21b520
af: Cannot find function at 0x0c21b520
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence17ObjectConstructor' at 0x0c21a140
af: Cannot find function at 0x0c21a140
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence15CompareFunction' at 0x0c21a7e0
af: Cannot find function at 0x0c21a7e0
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence12UserFunction' at 0x0c21bba0
af: Cannot find function at 0x0c21bba0
Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence10UserObject' at 0x0c21c220
af: Cannot find function at 0x0c21c220
Invalid function name 't9ZafVector1ZP19ZafListenerHookBase' at 0x0c1e2040
af: Cannot find function at 0x0c1e2040
Invalid function name 't9ZafVector1Z22ZafListenerStackStruct' at 0x0c1e2ee0
af: Cannot find function at 0x0c1e2ee0
Invalid function name 'Q2t24__default_alloc_template2b1i0_5_Lock' at 0x0c400c40
af: Cannot find function at 0x0c400c40
Invalid function name '9exception' at 0x0c402600
af: Cannot find function at 0x0c402600
Invalid function name '9ZafBorder' at 0x0c173500
af: Cannot find function at 0x0c173500
Invalid function name '8bad_cast' at 0x0c404320
af: Cannot find function at 0x0c404320
Invalid function name '7filebuf' at 0x0c3f3760
af: Cannot find function at 0x0c3f3760
Invalid function name '7ZafData' at 0x0c18c3e0
af: Cannot find function at 0x0c18c3e0
Invalid function name '23ZafNotebookScrollArrows' at 0x0c2fad20
af: Cannot find function at 0x0c2fad20
Invalid function name '21ZafNotebookTabControl' at 0x0c2f89c0
af: Cannot find function at 0x0c2f89c0
Invalid function name '19ZafUpdateRegionList' at 0x0c228a60
af: Cannot find function at 0x0c228a60
Invalid function name '19ZafListenerHookBase' at 0x0c1dfa60
af: Cannot find function at 0x0c1dfa60
Invalid function name '18ZafLanguageManager' at 0x0c1dc200
af: Cannot find function at 0x0c1dc200
Invalid function name '18ZafI18nReplacement' at 0x0c228f80
af: Cannot find function at 0x0c228f80
Invalid function name '18ZafGeometryManager' at 0x0c1abc80
af: Cannot find function at 0x0c1abc80
Invalid function name '18ZafCodeSetDataStub' at 0x0c189660
af: Cannot find function at 0x0c189660
Invalid function name '17ZafMinimizeButton' at 0x0c1ec280
af: Cannot find function at 0x0c1ec280
Invalid function name '17ZafMaximizeButton' at 0x0c1e7ca0
af: Cannot find function at 0x0c1e7ca0
Invalid function name '17ZafDiskFileSystem' at 0x0c197a60
af: Cannot find function at 0x0c197a60
Invalid function name '15ZafStringEditor' at 0x0c257740
af: Cannot find function at 0x0c257740
Invalid function name '15ZafQueueElement' at 0x0c19e700
af: Cannot find function at 0x0c19e700
Invalid function name '15ZafPullDownMenu' at 0x0c200b80
af: Cannot find function at 0x0c200b80
Invalid function name '15ZafNotification' at 0x0c1fd8a0
af: Cannot find function at 0x0c1fd8a0
Invalid function name '15ZafBitmapStruct' at 0x0c162480
af: Cannot find function at 0x0c162480
Invalid function name '14ZafWcharLookup' at 0x0c1818e0
af: Cannot find function at 0x0c1818e0
Invalid function name '14ZafIntegerData' at 0x0c1cdcc0
af: Cannot find function at 0x0c1cdcc0
Invalid function name '14ZafErrorSystem' at 0x0c19b220
af: Cannot find function at 0x0c19b220
Invalid function name '14ZafDataManager' at 0x0c18e9c0
af: Cannot find function at 0x0c18e9c0
Invalid function name '14ZafComboString' at 0x0c2d2960
af: Cannot find function at 0x0c2d2960
Invalid function name '14ZafComboButton' at 0x0c2d1420
af: Cannot find function at 0x0c2d1420
Invalid function name '13bad_exception' at 0x0c402720
af: Cannot find function at 0x0c402720
Invalid function name '13ZafWindowLink' at 0x0c3523a0
af: Cannot find function at 0x0c3523a0
Invalid function name '13ZafSpinButton' at 0x0c3238a0
af: Cannot find function at 0x0c3238a0
Invalid function name '13ZafRegionList' at 0x0c227900
af: Cannot find function at 0x0c227900
Invalid function name '13ZafLocaleData' at 0x0c1e3f20
af: Cannot find function at 0x0c1e3f20
Invalid function name '13ZafFormatData' at 0x0c19f880
af: Cannot find function at 0x0c19f880
Invalid function name '13ZafFileSystem' at 0x0c1a39a0
af: Cannot find function at 0x0c1a39a0
Invalid function name '13ZafDataRecord' at 0x0c18d1a0
af: Cannot find function at 0x0c18d1a0
Invalid function name '13ZafBignumData' at 0x0c166c80
af: Cannot find function at 0x0c166c80
Invalid function name '12ZafUTimeData' at 0x0c296020
af: Cannot find function at 0x0c296020
Invalid function name '12ZafErrorStub' at 0x0c19a960
af: Cannot find function at 0x0c19a960
Invalid function name '11ZafTimeData' at 0x0c280a80
af: Cannot find function at 0x0c280a80
Invalid function name '11ZafRealData' at 0x0c21d560
af: Cannot find function at 0x0c21d560
Invalid function name '11ZafListener' at 0x0c1e1000
af: Cannot find function at 0x0c1e1000
Invalid function name '11ZafI18nData' at 0x0c1d7180
af: Cannot find function at 0x0c1d7180
Invalid function name '11ZafHelpStub' at 0x0c1b5e00
af: Cannot find function at 0x0c1b5e00
Invalid function name '11ZafDateData' at 0x0c18f9e0
af: Cannot find function at 0x0c18f9e0
Invalid function name '10bad_typeid' at 0x0c404420
af: Cannot find function at 0x0c404420
Invalid function name '10ZafStorage' at 0x0c2445e0
af: Cannot find function at 0x0c2445e0
Invalid function name '10ZafPrinter' at 0x0c306060
af: Cannot find function at 0x0c306060
Invalid function name '10ZafElement' at 0x0c1ddb60
af: Cannot find function at 0x0c1ddb60
Invalid function name '10ZafDisplay' at 0x0c198ce0
af: Cannot find function at 0x0c198ce0

     /\.---./\       .---------------------------------------------------------------.
 '--   @   @   --'   |                                                               |
----     Y     ---- <  Finished, VxHunter found 12620 functions and 1962 symbols ^_^ |
  _.-    O    -._    |                                                               |
                     `---------------------------------------------------------------'

[0x00000000]>

[trufae]

Cc @thestr4ng3r

On 6 Jan 2020, at 06:47, Roman Valls Guimera notifications@github.com wrote:

 I went ahead and tested the anal-block branch (from PR radareorg/radare2#15169) and it gets a little bit worse with the errors although it actually detects 10 more functions that it did not detect before:

$ r2 -a sh -b 32 ~/dev/anritsu/firmware/fresh/OS/VxWorks.bin -- Try pressing the pigeon-shaped button [0x00000000]> #!pipe python3 /Users/romanvg/ghidra_scripts/vxhunter/firmware_tools/vxhunter_r2_py3.py Running with python version: 3.7.1 (default, Dec 14 2018, 13:28:58) [Clang 4.0.1 (tags/RELEASE_401/final)] Auto detected VxWorks version: 5 firmware_path: /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin [INFO ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0xba1eb8 [INFO ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0xbd61c8 [INFO ][vxhunter_r2_py3._check_vxworks_endian] VxWorks endian: Little endian

Start analyze firmware

[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x80002000 [INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table [INFO ][vxhunter_r2_py3.quick_test] load address is not:0x10000 [INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table [INFO ][vxhunter_r2_py3.quick_test] load address is not:0x1000 [INFO ][vxhunter_r2_py3.quick_test] load address is not:0xf2003fe4 [INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table [INFO ][vxhunter_r2_py3.quick_test] load address is not:0x100000 [INFO ][vxhunter_r2_py3._check_load_address] strings at offset didn't match symbol table [INFO ][vxhunter_r2_py3.quick_test] load address is not:0x107fe0 [INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table start address at 0xa90d48 [INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found string table end at 0xae60f3 [INFO ][vxhunter_r2_py3.find_string_table_by_key_function_index] found a string tab at: 0xa90d4c to 0xae60f3 [INFO ][vxhunter_r2_py3.find_loading_address] Start analyse [INFO ][vxhunter_r2_py3.find_loading_address] load address is :0xbffd998 Found VxWorks image load address: 0x0BFFD998 Found VxWorks symbol table from 0x00BA1EB8 to 0x00BD61C8

Rebase current firmware

All core files, io, anal and flags info purged. Rebase with r2 command: o /Users/romanvg/dev/anritsu/firmware/fresh/OS/VxWorks.bin 0xbffd998 r-x

Start analyzing functions

af: Cannot find function at 0x0c40e662 af: Cannot find function at 0x0c40d906 af: Cannot find function at 0x0c4016a0 af: Cannot find function at 0x0c40a320 af: Cannot find function at 0x0c40a2a0 af: Cannot find function at 0x0c40a084 af: Cannot find function at 0x0c40b0c8 af: Cannot find function at 0x0c40fbc4 af: Cannot find function at 0x0c40fb60 af: Cannot find function at 0x0c40fc64 af: Cannot find function at 0x0c40fbe0 af: Cannot find function at 0x0c40abc0 af: Cannot find function at 0x0c40fa34 af: Cannot find function at 0x0c002180 Invalid function name 'vsscanf14ZafStandardArgPCUwT1P14gnuc_va_list' at 0x0c22a980 af: Cannot find function at 0x0c22a980 Invalid function name 'vsprintf14ZafStandardArgPUwPCUwP14gnuc_va_list' at 0x0c20e400 af: Cannot find function at 0x0c20e400 Invalid function name 'sysOutWord' at 0x0c05a0c0 af: Cannot find function at 0x0c05a0c0 Invalid function name 'sysInWord' at 0x0c05a060 af: Cannot find function at 0x0c05a060 af: Cannot find function at 0x0c40a410 af: Cannot find function at 0x0c412140 Invalid function name 'db_show_arptab' at 0x0c41e280 af: Cannot find function at 0x0c41e280 af: Cannot find function at 0x0c40ff70 Invalid function name 'cplusDemangle' at 0x0c3ea880 af: Cannot find function at 0x0c3ea880 Invalid function name 'arpCmd' at 0x0c41de40 af: Cannot find function at 0x0c41de40 af: Cannot find function at 0x0c413e1c Invalid function name 'strxfrm' at 0x0c464740 af: Cannot find function at 0x0c464740 af: Cannot find function at 0x0c418434 af: Cannot find function at 0x0c418438 af: Cannot find function at 0x0c41843c af: Cannot find function at 0x0c418440 af: Cannot find function at 0x0c418444 af: Cannot find function at 0x0c418448 af: Cannot find function at 0x0c41846c af: Cannot find function at 0x0c41844c af: Cannot find function at 0x0c418450 af: Cannot find function at 0x0c418454 af: Cannot find function at 0x0c418458 af: Cannot find function at 0x0c41845c af: Cannot find function at 0x0c418460 af: Cannot find function at 0x0c418464 af: Cannot find function at 0x0c401600 af: Cannot find function at 0x0c413e4e af: Cannot find function at 0x0c401680 af: Cannot find function at 0x0c401700 af: Cannot find function at 0x0c416684 af: Cannot find function at 0x0c416686 af: Cannot find function at 0x0c416688 af: Cannot find function at 0x0c41668a af: Cannot find function at 0x0c41668c af: Cannot find function at 0x0c41668e af: Cannot find function at 0x0c416650 af: Cannot find function at 0x0c416652 af: Cannot find function at 0x0c416654 af: Cannot find function at 0x0c416656 af: Cannot find function at 0x0c416658 af: Cannot find function at 0x0c41665a af: Cannot find function at 0x0c416664 af: Cannot find function at 0x0c416666 af: Cannot find function at 0x0c416668 af: Cannot find function at 0x0c416690 af: Cannot find function at 0x0c41666a af: Cannot find function at 0x0c41666c af: Cannot find function at 0x0c41666e af: Cannot find function at 0x0c416670 af: Cannot find function at 0x0c416678 af: Cannot find function at 0x0c41667a af: Cannot find function at 0x0c41667c af: Cannot find function at 0x0c41667e af: Cannot find function at 0x0c416680 af: Cannot find function at 0x0c416692 af: Cannot find function at 0x0c40fcc0 Invalid function name 't9ZafVector1Zl' at 0x0c1e2660 af: Cannot find function at 0x0c1e2660 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence9CListener' at 0x0c21ae80 af: Cannot find function at 0x0c21ae80 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence19ConstructedListener' at 0x0c21b520 af: Cannot find function at 0x0c21b520 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence17ObjectConstructor' at 0x0c21a140 af: Cannot find function at 0x0c21a140 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence15CompareFunction' at 0x0c21a7e0 af: Cannot find function at 0x0c21a7e0 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence12UserFunction' at 0x0c21bba0 af: Cannot find function at 0x0c21bba0 Invalid function name 't9ZafVector1ZQ220ZafObjectPersistence10UserObject' at 0x0c21c220 af: Cannot find function at 0x0c21c220 Invalid function name 't9ZafVector1ZP19ZafListenerHookBase' at 0x0c1e2040 af: Cannot find function at 0x0c1e2040 Invalid function name 't9ZafVector1Z22ZafListenerStackStruct' at 0x0c1e2ee0 af: Cannot find function at 0x0c1e2ee0 Invalid function name 'Q2t24__default_alloc_template2b1i0_5_Lock' at 0x0c400c40 af: Cannot find function at 0x0c400c40 Invalid function name '9exception' at 0x0c402600 af: Cannot find function at 0x0c402600 Invalid function name '9ZafBorder' at 0x0c173500 af: Cannot find function at 0x0c173500 Invalid function name '8bad_cast' at 0x0c404320 af: Cannot find function at 0x0c404320 Invalid function name '7filebuf' at 0x0c3f3760 af: Cannot find function at 0x0c3f3760 Invalid function name '7ZafData' at 0x0c18c3e0 af: Cannot find function at 0x0c18c3e0 Invalid function name '23ZafNotebookScrollArrows' at 0x0c2fad20 af: Cannot find function at 0x0c2fad20 Invalid function name '21ZafNotebookTabControl' at 0x0c2f89c0 af: Cannot find function at 0x0c2f89c0 Invalid function name '19ZafUpdateRegionList' at 0x0c228a60 af: Cannot find function at 0x0c228a60 Invalid function name '19ZafListenerHookBase' at 0x0c1dfa60 af: Cannot find function at 0x0c1dfa60 Invalid function name '18ZafLanguageManager' at 0x0c1dc200 af: Cannot find function at 0x0c1dc200 Invalid function name '18ZafI18nReplacement' at 0x0c228f80 af: Cannot find function at 0x0c228f80 Invalid function name '18ZafGeometryManager' at 0x0c1abc80 af: Cannot find function at 0x0c1abc80 Invalid function name '18ZafCodeSetDataStub' at 0x0c189660 af: Cannot find function at 0x0c189660 Invalid function name '17ZafMinimizeButton' at 0x0c1ec280 af: Cannot find function at 0x0c1ec280 Invalid function name '17ZafMaximizeButton' at 0x0c1e7ca0 af: Cannot find function at 0x0c1e7ca0 Invalid function name '17ZafDiskFileSystem' at 0x0c197a60 af: Cannot find function at 0x0c197a60 Invalid function name '15ZafStringEditor' at 0x0c257740 af: Cannot find function at 0x0c257740 Invalid function name '15ZafQueueElement' at 0x0c19e700 af: Cannot find function at 0x0c19e700 Invalid function name '15ZafPullDownMenu' at 0x0c200b80 af: Cannot find function at 0x0c200b80 Invalid function name '15ZafNotification' at 0x0c1fd8a0 af: Cannot find function at 0x0c1fd8a0 Invalid function name '15ZafBitmapStruct' at 0x0c162480 af: Cannot find function at 0x0c162480 Invalid function name '14ZafWcharLookup' at 0x0c1818e0 af: Cannot find function at 0x0c1818e0 Invalid function name '14ZafIntegerData' at 0x0c1cdcc0 af: Cannot find function at 0x0c1cdcc0 Invalid function name '14ZafErrorSystem' at 0x0c19b220 af: Cannot find function at 0x0c19b220 Invalid function name '14ZafDataManager' at 0x0c18e9c0 af: Cannot find function at 0x0c18e9c0 Invalid function name '14ZafComboString' at 0x0c2d2960 af: Cannot find function at 0x0c2d2960 Invalid function name '14ZafComboButton' at 0x0c2d1420 af: Cannot find function at 0x0c2d1420 Invalid function name '13bad_exception' at 0x0c402720 af: Cannot find function at 0x0c402720 Invalid function name '13ZafWindowLink' at 0x0c3523a0 af: Cannot find function at 0x0c3523a0 Invalid function name '13ZafSpinButton' at 0x0c3238a0 af: Cannot find function at 0x0c3238a0 Invalid function name '13ZafRegionList' at 0x0c227900 af: Cannot find function at 0x0c227900 Invalid function name '13ZafLocaleData' at 0x0c1e3f20 af: Cannot find function at 0x0c1e3f20 Invalid function name '13ZafFormatData' at 0x0c19f880 af: Cannot find function at 0x0c19f880 Invalid function name '13ZafFileSystem' at 0x0c1a39a0 af: Cannot find function at 0x0c1a39a0 Invalid function name '13ZafDataRecord' at 0x0c18d1a0 af: Cannot find function at 0x0c18d1a0 Invalid function name '13ZafBignumData' at 0x0c166c80 af: Cannot find function at 0x0c166c80 Invalid function name '12ZafUTimeData' at 0x0c296020 af: Cannot find function at 0x0c296020 Invalid function name '12ZafErrorStub' at 0x0c19a960 af: Cannot find function at 0x0c19a960 Invalid function name '11ZafTimeData' at 0x0c280a80 af: Cannot find function at 0x0c280a80 Invalid function name '11ZafRealData' at 0x0c21d560 af: Cannot find function at 0x0c21d560 Invalid function name '11ZafListener' at 0x0c1e1000 af: Cannot find function at 0x0c1e1000 Invalid function name '11ZafI18nData' at 0x0c1d7180 af: Cannot find function at 0x0c1d7180 Invalid function name '11ZafHelpStub' at 0x0c1b5e00 af: Cannot find function at 0x0c1b5e00 Invalid function name '11ZafDateData' at 0x0c18f9e0 af: Cannot find function at 0x0c18f9e0 Invalid function name '10bad_typeid' at 0x0c404420 af: Cannot find function at 0x0c404420 Invalid function name '10ZafStorage' at 0x0c2445e0 af: Cannot find function at 0x0c2445e0 Invalid function name '10ZafPrinter' at 0x0c306060 af: Cannot find function at 0x0c306060 Invalid function name '10ZafElement' at 0x0c1ddb60 af: Cannot find function at 0x0c1ddb60 Invalid function name '10ZafDisplay' at 0x0c198ce0 af: Cannot find function at 0x0c198ce0

 /\.---./\       .---------------------------------------------------------------.

'-- @ @ --' | | ---- Y ---- < Finished, VxHunter found 12620 functions and 1962 symbols ^^ | .- O -._ | | `---------------------------------------------------------------'

[0x00000000]> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.