radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Failing to do CFG recovery of bf interpreter #10259

Closed felberj closed 6 years ago

felberj commented 6 years ago

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | macOS HighSierra arm 64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86_64 |
| r2 -v full output, not truncated (mandatory) | radare2 2.7.0-git 18339 @ darwin-x86-64 git.2.6.0-130-ga20078d17 |

commit: a20078d17137e3bc9930e47c51c4674da3c39f83 build: 2018-06-04__20:29:14

Expected behavior

The basic block at 0xf34 jumps to fcn.00001144, as that jump is its last instruction.

Actual behavior

The basic block ends there.

Steps to reproduce the behavior

radare2 ./Echo
aaa
s main
VV

Find the BB in question; there is only one BB between the entry of main and the one in question.

Additional Logs, screenshots, source-code, configuration dump, ...

Echo.zip

XVilka commented 6 years ago

Please create a pull request to https://github.com/radare/radare2-regressions with a testcase.

felberj commented 6 years ago

Done https://github.com/radare/radare2-regressions/pull/1339

radare commented 6 years ago

aab works fine. This issue appears in just “aa”

On 4 Jun 2018, at 20:42, Jonas notifications@github.com wrote:

Steps to reproduce the behavior

radare2 ./Echo
aaa
s main
VV

Find the BB in question; there is only one BB between the entry of main and the one in question.

felberj commented 6 years ago

Are you sure? If I modify the test to do "aab" at the beginning, the output stays the same.

radare commented 6 years ago

Just do aab. Nothing more. Maybe I checked a different issue in the CFG. But aa was producing bad results indeed. Where's this bin from? It has some strange constructions.

felberj commented 6 years ago

The binary is from asictf 2018 and contains a brainfuck interpreter. Just to be sure: You ran the regression test and it passes?

felberj commented 6 years ago

Update: You are right, it works. It must have been fixed in the last few days. I will look at it again!

felberj commented 6 years ago

Update2: If I do

aab

it works

if I do

aaa
aab

it does not work

felberj commented 6 years ago

Ok, so I found the next problem:

aab
aaa
s 0x00001025

It does not handle the jmp rax. Should I update the regression test? If so, how (what is the expected output?)?

(image: https://user-images.githubusercontent.com/6639926/41092113-6b96ba24-6a48-11e8-994e-976d01cf954e.png)

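One way to make the question "what is the expected output?" concrete, as an added example that is not part of this thread or of the radare2 project: a small Python check over the JSON list that r2's afbj command prints for the current function, asserting that the block at 0xf34 carries a jump edge to 0x1144, listing blocks with no recorded successor, and reporting which edges a second run (for instance aab followed by aaa, as compared earlier in the thread) lost relative to a first. The block lists in the code are constructed by hand to mirror the shape of afbj output and are not captured from the Echo binary; only the optional load_from_r2 helper talks to a real radare2 through r2pipe, and the path, command list and function name it takes are assumptions.

```python
"""Added example (not radare2 project code): checking CFG edges in afbj output.

The SAMPLE_* lists are constructed to mirror the shape of `afbj` output
(one dict per basic block with addr/size/jump/fail fields); they are not
captured from the Echo binary. Addresses 0xf34 and 0x1144 are the ones
named in the issue.
"""

# Constructed: what a correct analysis of the reporter's function should yield.
SAMPLE_OK = [
    {"addr": 0xF00, "size": 0x34, "jump": 0xF34, "ninstr": 9},
    {"addr": 0xF34, "size": 0x10, "jump": 0x1144, "ninstr": 3},
    {"addr": 0x1144, "size": 0x08, "ninstr": 2},  # ends in ret: no successor is fine
]

# Constructed: the behaviour the issue reports. The block at 0xf34 "just ends";
# no jump target was recorded, so the function body stops there.
SAMPLE_BROKEN = [
    {"addr": 0xF00, "size": 0x34, "jump": 0xF34, "ninstr": 9},
    {"addr": 0xF34, "size": 0x10, "ninstr": 3},
]


def edges(blocks):
    """Map block address -> set of successor addresses from an afbj-style list.

    afbj uses `jump` for the taken branch and `fail` for the fall-through;
    a missing key or -1 means no successor was recorded.
    """
    succ = {}
    for b in blocks:
        targets = set()
        for key in ("jump", "fail"):
            t = b.get(key)
            if t is not None and t != -1:
                targets.add(t)
        succ[b["addr"]] = targets
    return succ


def has_edge(blocks, src, dst):
    """True if block `src` has `dst` recorded as a successor."""
    return dst in edges(blocks).get(src, set())


def dangling_blocks(blocks):
    """Block addresses with no recorded successor, sorted.

    A block ending in `ret` is legitimately dangling, so this is a list to
    inspect, not a verdict; the reporter's 0xf34 block should NOT be on it.
    """
    return sorted(addr for addr, s in edges(blocks).items() if not s)


def lost_edges(expected, actual):
    """Edges (src, dst) present in `expected` but missing from `actual`.

    Handy for comparing two analysis runs, e.g. `aab` alone against
    `aaa` followed by `aab`.
    """
    exp, act = edges(expected), edges(actual)
    return {(s, d) for s, ts in exp.items() for d in ts if d not in act.get(s, set())}


def load_from_r2(path, cmds=("aab",), func="main"):
    """Optional: fetch the real block list from radare2 via r2pipe.

    Assumptions: r2pipe is installed and radare2 is on PATH; `path`, `cmds`
    and `func` are caller-supplied. open/cmd/cmdj/quit are r2pipe's own API.
    """
    import r2pipe
    r2 = r2pipe.open(path, flags=["-2"])  # -2: silence stderr
    try:
        for c in cmds:
            r2.cmd(c)
        r2.cmd("s " + func)
        return r2.cmdj("afbj")
    finally:
        r2.quit()


if __name__ == "__main__":
    print("edge 0xf34 -> 0x1144 (ok sample):", has_edge(SAMPLE_OK, 0xF34, 0x1144))
    print("edge 0xf34 -> 0x1144 (broken sample):", has_edge(SAMPLE_BROKEN, 0xF34, 0x1144))
    print("dangling in broken sample:", [hex(a) for a in dangling_blocks(SAMPLE_BROKEN)])
    print("edges lost:", {(hex(s), hex(d)) for s, d in lost_edges(SAMPLE_OK, SAMPLE_BROKEN)})
```

To use it against the real file, call load_from_r2("./Echo") once per command sequence you want to compare and feed the two lists to lost_edges; the pair (0xf34, 0x1144) showing up is exactly the symptom this issue describes, and its absence is a reasonable expected result for a regression test.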
radare commented 6 years ago

It should, if you enable anal.jmptbl=true.

felberj commented 6 years ago

It does not, I just tried it:

anal.jmptbl=true
aab
aaa
s 0x00001025
afb.
VV

radare commented 6 years ago

Why did you run aaa after aab? I said to just run aab, nothing more. Anyway, it's a bug and must be fixed. Also, which compiler generated this bin, or where is it coming from? It has some strange constructions.

felberj commented 6 years ago

why did you run aaa after aab?

Because I have never used radare2 and have no clue what I am doing. Currently waiting for a r2 developer that is coming to my place to manually analyze this program.

also which compiler generated this bin or where it is coming from ?

It was a challenge from ASIS CTF Quals 2018: https://ctftime.org/task/6033

felberj commented 6 years ago

I am interested in how I could fix this manually. My idea was to use afu to manually resize the function and run the analysis. IDA claims that main goes until 0x0001162. If I try to resize main with afu 0x0001162, the functions between main and 0x0001162 are still there. Any hints on how to fix it? Do I need to edit the basic blocks (adding jumps to them)?

radare commented 6 years ago

The way to debug the analysis loop is by adding printfs here and there and seeing why it doesn't reach the stop point. Try to find the easiest way to test it (seek near that place and type af) and see why the anal loop behaves incorrectly. I'm afk now so I can't help.

radare commented 6 years ago

(screenshot: screen shot 2018-06-24 at 20 48 41)

@cyanpencil ^ can you have a look at this edge layout glitch? (run aaa and then s 0x1025)

radare commented 6 years ago

I have fixed this analysis bug in this pr https://github.com/radare/radare2/pull/10475

ret2libc commented 6 years ago

| aab aab across bin.sections.rx

The help message is not really helpful to understand what this command does.