Export error

[ghost]

Hi montyly,

(sorry, couldn't think of a better title)

on a fresh installed VM, I have a rather strange problem with the export GUI

Setup:

• debian experimental
• ocaml/opam/building went all fine
• tried both openjdk8 and oracle-jdk 1.8_101 (build and installed with make-jpkg)
• tried both jython 2.5.x (distro) and self-installed jython 2.7.0
• python2.7
• tried with both binnavi 6.0 and 6.1 (binnavi-all.jar)
• tried with both protobuf-3.0.0-pre (shipped) and protobuf-3.0.0-release
• a sample test case (malloc + free, compiled with gcc 6.1.1, imported into binnavi 6.0.0 via IDA Pro)

in Gueb Export:

• Loaded module "malloc"
• Select only malloc as alloc func
• Select only free as free func

When done, I get the following error & stack-trace:

[...]
Module selected malloc
Start exporting
_init_proc
-----^-------- this is what's bothering me
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException: IE02052: Instruction argument can not be null
        at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:226)
        at com.google.security.zynamics.binnavi.REIL.InstructionFinders.findInstruction(InstructionFinders.java:97)
        at com.google.security.zynamics.binnavi.API.disassembly.Function.getReilCode(Function.java:337)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
        at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
        at org.python.core.PyObject.__call__(PyObject.java:461)
        at org.python.core.PyObject.__call__(PyObject.java:465)
        at org.python.core.PyMethod.__call__(PyMethod.java:126)
        at export_protobuf$py.exportLib$1(/home/daniel/gueb/export/export_protobuf.py:107)
                                nevermind the line#, this is "p.addFunctions(func)" ----^
        at export_protobuf$py.call_function(/home/daniel/gueb/export/export_protobuf.py)
        at org.python.core.PyTableCode.call(PyTableCode.java:167)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:170)
        at org.python.core.PyFunction.__call__(PyFunction.java:434)
        at export_protobuf$py.export_mod$10(/home/daniel/gueb/export/export_protobuf.py:211)
        at export_protobuf$py.call_function(/home/daniel/gueb/export/export_protobuf.py)
        at org.python.core.PyTableCode.call(PyTableCode.java:167)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:170)
        at org.python.core.PyFunction.__call__(PyFunction.java:434)
        at org.python.pycode._pyx0.listSelect$2(gui.py:28)
        at org.python.pycode._pyx0.call_function(gui.py)
        at org.python.core.PyTableCode.call(PyTableCode.java:167)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
        at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
        at org.python.core.PyFunction.__call__(PyFunction.java:482)
        at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
        at org.python.core.PyMethod.__call__(PyMethod.java:228)
        at org.python.core.PyMethod.__call__(PyMethod.java:223)
        at org.python.core.PyCompoundCallable.__call__(PyCompoundCallable.java:26)
        at org.python.core.PyObject.__call__(PyObject.java:431)
        at org.python.core.PyObject._jcallexc(PyObject.java:3626)
        at org.python.core.PyObject._jcall(PyObject.java:3658)
        at org.python.proxies.java.awt.event.ActionListener.actionPerformed(Unknown Source)
        at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
        at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
        at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
        at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
        at java.awt.Component.processMouseEvent(Component.java:6533)
        at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
        at java.awt.Component.processEvent(Component.java:6298)
        at java.awt.Container.processEvent(Container.java:2236)
        at java.awt.Component.dispatchEventImpl(Component.java:4889)
        at java.awt.Container.dispatchEventImpl(Container.java:2294)
        at java.awt.Component.dispatchEvent(Component.java:4711)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
        at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
        at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
        at java.awt.Container.dispatchEventImpl(Container.java:2280)
        at java.awt.Window.dispatchEventImpl(Window.java:2746)
        at java.awt.Component.dispatchEvent(Component.java:4711)
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
        at java.awt.EventQueue.access$500(EventQueue.java:97)
        at java.awt.EventQueue$3.run(EventQueue.java:709)
        at java.awt.EventQueue$3.run(EventQueue.java:703)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.awt.EventQueue$4.run(EventQueue.java:731)
        at java.awt.EventQueue$4.run(EventQueue.java:729)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

I don't think _init_proc should be in here at all if it wasn't selected? Or did I get lost somehow interpreting this error?

Any pointer in the right direction would be greatly appreciated, thanks!

[montyly]

Hi,

Thanks for the detailed report!

The GUI exports all the functions of the module (including _start, _init_proc, etc.) into the protobuf file, so that's fine. The two first windows are here to select what are the alloc and free functions (it's useful if there are wrappers or custom allocators).

From BinNavi, can you navigate through the module and open all the functions? Sometimes I got errors during the importation of .idb files to the BinNavi database.

Best,

[ghost]

Oh, right. So I was looking in the wrong direction ;-)

I was loading a large binary at first with the same error, so I retried with a simple, non-optimized

#include <stdio.h>
#include <stdlib.h>

int main() {
  int *p = (int *)malloc(sizeof(int));
  if (p == 0) {
    printf("OOM\n");
    return 1;
  }

  *p = 42;

  free(p);
  return 0;
}

just so see if that works. In BinNavi, I can navigate through all functions, except imported ones.

So, just to make sure, I imported the binary as a new project in IDA, dropped the imported functions, re-imported the module to BinNavi, now the table looks like this:

But still, the export error remains :-(

[montyly]

hum, strange.

Could you try to replace export_protobuf.py by https://gist.github.com/montyly/3482a8feb7727e2dc936a6e7cdccfca8 ? It is exactly the same file, except for this check: https://gist.github.com/montyly/3482a8feb7727e2dc936a6e7cdccfca8#file-export_protobuf-L137 , which makes the script exporting only the main function.

Do not forget to replace again the first variables of the script (path_binnavi, path_dependency, ..) ;)

Thanks

[ghost]

Yep, very strange.

The same error occurs, just with main now as expected.

in the for f in mod.getFunctions() : loop, elif f.getType() == FunctionType.Normal : is reached, the value of f.getAddress().toLong() is 4195702, then exportLib() is called. I tried some non-null checks in that def before (the last reference to export_protobuf.py in the stacktrace goes to p.addFunctions(func)), but no success yet :-/

[ghost]

I just love debugging by using print ;-)

Getting somewhere:

// edit: I'm using BinNavi 6.0 with BinExport8 (had some issues with 6.1 & BinExport9 before), and I tried both 6.0 and 6.1 binnavi-all.jar in GUEB.

[montyly]

I just tried with both BinNavi 6.0 and BinNavi 6.1 (and so binexport 8 / 9), everything works fine on my setup (using the same database).

The strange thing is that export_probotuf.py is only using the API of BinNavi and protobuf, and getReilCode() is part of this API.

In BinNavi, could you open a function, and try this script? (menu Plugins -> New Scripting Windows)

reil_function = cg.view.reilCode
print reil_function.graph.nodes

(ctrl + E, to execute the script)

[ghost]

Hm, no.

Tried

• BinNavi.jar from the binnavi600-win-x86.msi installer (~25MB)
• binnavi-all.jar 6.1 (~58MB)
• binnavi-all.jar 6.0 (~52MB)

func main:

>>> reil_function = cg.view.reilCode
CTRL+ENTER

java.lang.NullPointerException: java.lang.NullPointerException: IE02060: Instruction argument can not be null in <script> at line number 4

Which Version of BinNavi & BinExport are you using?

[montyly]

BinNavi 6.1/BinExport 9 (from github, the last commit: 356eaa8). But it's also working with BinNavi 6.0./BinExport 8. Both on Ubuntu 16.04

Have you tried to compile BinNavi from the github directly ?

From a function in BinNavi, can you translate the graph into the REIL representation ? Graph -> Transform -> Show REIL code

[ghost]

No, that did not work, though I "kinda" narrowed it down.

SEVERE: Reason: Could not translate instruction from unknown architecture x86-64

So, kicked binnavi6 + binexport8 completely from my system, ran a fresh binnavi6.1, put the binexport9 plugin files into IDA's plugin folder - doesn't work either. error: The specified module could not be found. (zynamics_binexport_9.p64). Since this is some f*\ up IDA/BinNavi/BinExport problem, I'm gonna close the issue here and try to find some motivation to get this fixed tomorrow someday. :-/

[montyly]

aahh you are using 64bits binaries. The branch master of BinNavi does not support x86-64. You need to compile your program in 32 bits :)

They are working on the x86-64 support, more info here: https://github.com/google/binnavi/issues/76

[ghost]

Aww snap! I totally forgot about that, thanks for reminding me ;-)