MIPS issues

[jvoisin]

I've got some issues with this MIPS binary. It's a httpd from my WAP834G.

$ r2 ./httpd
[0x00402480]> aa
FUNC 0x00404b78 > 0x00404ba0

It gets stuck.

Also:

[0x00402480]> pd 1@0x0040bd94
         0x0040bd94    14a7a524     addiu a1, a1, -22764

In IDA:

.text:0040BD94 14 A7 A5 24                 addiu   $a1, (aGemtek - 0x420000)  # "Gemtek

I'm a little bit sad, since I wanted to use this binary for my talk at PSES.

[radare]

On 18 Jun 2014, at 17:09, jvoisin notifications@github.com wrote:

I've got some issues with this MIPS binary. It's a httpd from my WAP834G.

$ r2 ./httpd [0x00402480]> aa FUNC 0x00404b78 > 0x00404ba0 It gets stuck.

probably because of the ‘return’ thing we have been discusing. can you try removeing the line we have been discussing about keeping it with return or not? b61a3772b21541403d5c6c9de3af24c05a0c4937 <— revert this patch Also:

[0x00402480]> pd 1@0x0040bd94 0x0040bd94 14a7a524 addiu a1, a1, -22764 In IDA:

.text:0040BD94 addiu $a1, (aGemtek - 0x420000) # "Gemtek" —

that’s normal mips magic, we need to ‘asume’ some default base value for the global pointer, follow the analysis to determine the value of a1 at this point and substract -22764 to determine the pointer. mainly because the ‘gp’ reg is set by the kernel you cant determine its original value, and if the program is modified can change the value at runtime breaking all the analysis by any app. this is why i didnt wanted to asume more stuff in r2 and left this responsability of the reverser.

[jvoisin]

It terminates if I revert b61a377.

I guess that I must switch to dynamic analysis to get the value of a1 at this point?

[radare]

It can be calculated statically because it usually points to the begining of a section plus some delta iirc. Too many years without reversing mips :p

On 18 Jun 2014, at 19:15, jvoisin notifications@github.com wrote:

It terminates if I revert b61a377.

I guess that I must switch to dynamic analysis to get the value of a1 at this point?

— Reply to this email directly or view it on GitHub.

[jvoisin]

The intertubes are telling me that gp points to middle of 64K block in static data segment.

[jvoisin]

Also, some wrong disassembly:

 ││  │   0x00416cb4    2600013c     lui at, 0x26
 ││  │   0x00416cb8    c39e2134     ori at, at, 0x9ec3

In IDA:

.text:00416CB4 26 00 01 3C+                li      $at, 0x269EC3
.text:00416CBC 21 28 25 00                 addu    $a1, $at, $a1

[radare]

both, gnu and capstone report the same disasm, maybe it’s related to relocs

On 19 Jun 2014, at 01:32, jvoisin notifications@github.com wrote:

Also, some wrong disassembly:

││ │ 0x00416cb4 2600013c lui at, 0x26 ││ │ 0x00416cb8 c39e2134 ori at, at, 0x9ec3 In IDA:

.text:00416CB4 26 00 01 3C+ li $at, 0x269EC3 .text:00416CBC 21 28 25 00 addu $a1, $at, $a1 — Reply to this email directly or view it on GitHub.

[jvoisin]

Seems so.

[pastcompute]

Hi, and sorry :-( I keep seeming to cause breakage, for which I apologise, I have been making sure I run the regression test suite before proposing changes and the pass set is not affected by my changes... Perhaps to help avoid this I can in fact provide a copy of the binary I have been working with for testing on a temporary URL over the weekend, which is a bootloader for a different router device (that I have been analysing for a hopeful talk of my own at a future conference :-) Do you have email addresses or somewhere else I can DM a URL? @jvoisin does your MIPs disassembly properly calculate the length of functions?

[pastcompute]

@jvoisin That disassembly could actually be correct - I think IDA is 'optimising' by combining the results of a successive load and or as a 'shortcut' for a human reading the output (see the + at the end) -- look at the address offsets (does the next line of assembly in r2 still the same add instruction?)

lui loads the 16 bits to the upper word and zeros the lower word, and ori then fills the lower word, IDA treats the pair as a pseudo instruction

[pastcompute]

See about half way down http://fog.ccsf.edu/~gboyd/cs270/online/mipsI/mips_basics.html

(note - I could still be wrong I am still learning MIPS. I also highly recommend the book See MIPS run )

[pastcompute]

One problem I hit a lot, is that optimised code sometimes doesnt put the instructions in direct succession, which means that the basic analyser in r2 is not currently smart enough to provide a pseudo instruction

[pastcompute]

@jvoisin I have been trying to write some r2 macros that can be used to do the "magic" needed to find strings - I'll post my latest version of that somewhere when I'm home again, maybe you can adapt them for your case.

[jvoisin]

@radare This would make a wonderful showcase for ESIL ;)

[pastcompute]

@jvoisin Macros (work in progress) here: https://gist.github.com/pastcompute/8b3788b9263c515a3d97

[jvoisin]

This capstone issues is related (adding pseudo-instructions).

[jvoisin]

Let's close this until capstone implements pseudo-instructions.