radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

String references in powerpc architecture #10717

Closed m-1-k-3 closed 6 years ago

m-1-k-3 commented 6 years ago

Hi guys,

Currently I poke around with some PPC binaries. While it is possible to disassemble them quite nicely, the string references are not resolved. I have attached the output of IDA Pro as expected behavior.

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | 3.13.0-135-generic #184-Ubuntu SMP Wed Oct 18 11:56:31 UTC 2017 i686 i686 i686 GNU/Linux |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | PPC |
| r2 -v full output, not truncated (mandatory) | radare2 2.4.0-git 17284 @ darwin-x86-64 git.2.2.0-476-gf8cf84e06 commit: f8cf84e0653642d9ad34e760e0e56dd81860e799 build: 2018-02-17__11:08:27 |

Expected behavior

IDA pro is able to resolve the string references:

.text:10008D38 loc_10008D38:                           # CODE XREF: sub_10007E60+CAC↑j
.text:10008D38                 lis       r3, aQsthreadinfo@ha
.text:10008D3C                 mr        r4, r27
.text:10008D40                 addi      r3, r3, aQsthreadinfo@l # "qsThreadInfo"
.text:10008D44                 bl        sub_100319C4

Actual behavior

Output of file:

root@EVE01:~/git/radare2# file /opt/gdb/powerpc/bin/gdbserver
/opt/gdb/powerpc/bin/gdbserver: ELF 32-bit MSB  executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

Infos in r2:

[0x100000e0]> i
blksz    0x0
block    0x100
fd       3
file     /opt/gdb/powerpc/bin/gdbserver
format   elf
iorw     false
mode     r-x
size     0x519d0
humansz  326.5K
type     EXEC (Executable file)
arch     ppc
binsz    333486
bintype  elf
bits     32
canary   false
class    ELF32
crypto   false
endian   big
havecode true
lang     c
linenum  false
lsyms    false
machine  PowerPC
maxopsz  4
minopsz  4
nx       true
os       linux
pcalign  4
pic      false
relocs   false
rpath    NONE
static   true
stripped true
subsys   linux
va       true

It is possible to find the string in r2:

[0x100000e0]> izzz~qsThreadInfo
2224 0x0003b9c4 0x1003b9c4  12  13 (.rodata) ascii qsThreadInfo

The disassembly shows the lis and addi instructions but does not resolve it:

[0x100000e0]> pd 10 @0x10008D34
|      `==< 0x10008d34      4bfff550       b 0x10008284
|       :   ; CODE XREF from 0x10008b0c (fcn.10007e60)
|       :   0x10008d38      3c601004       lis r3, 0x1004
|       :   0x10008d3c      7f64db78       mr r4, r27
|       :   0x10008d40      3863b9c4       addi r3, r3, -0x463c
|       :   0x10008d44      48028c81       bl fcn.100319c4
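Why the plain disassembly cannot show the string: on 32-bit PowerPC a pointer is assembled from two instructions, `lis` (the high half, shifted left 16 bits) and `addi` (the low half, sign-extended, which is why it prints as -0x463c), so the target address only exists once the two are combined, which is what the emulation pass does. The script below is an added example, not radare2's own code; it decodes the instruction words quoted in this issue from constructed big-endian byte strings, pairs each `addi` with the preceding `lis`, and looks the result up in a constructed table of the strings that `izzz` reported.

```python
import struct

# Constructed sample: raw big-endian PPC32 code bytes for the three
# lis/addi sequences quoted in this issue, keyed by their start address,
# plus the string addresses `izzz` reported, so the script runs offline.
CODE = {
    0x10008D38: bytes.fromhex("3C601004" "7F64DB78" "3863B9C4"),  # lis r3 / mr r4,r27 / addi r3
    0x10008458: bytes.fromhex("3C801004" "7F63DB78" "3884BA24"),  # lis r4 / mr r3,r27 / addi r4
    0x10008008: bytes.fromhex("3C601004" "7F64DB78" "3863B9B4"),  # lis r3 / mr r4,r27 / addi r3
}
STRINGS = {
    0x1003B9C4: "qsThreadInfo",
    0x1003BA24: "PacketSize=%x;QPassSignals+",
    0x1003B9B4: "qSymbol::",
}

def decode(word):
    """Split a 32-bit PPC word into its primary opcode and D-form fields."""
    opcode = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    simm = word & 0xFFFF
    if simm & 0x8000:          # D-form immediates are sign-extended
        simm -= 0x10000
    return opcode, rd, ra, simm

def resolve_lis_addi(base, code):
    """Pair each `addi rD, rA, lo` with the last `lis rA, hi` seen and
    return {address_of_addi: (hi << 16) + lo} as a 32-bit value."""
    high = {}       # register -> 32-bit value written by a preceding lis
    resolved = {}
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack(">I", code[off:off + 4])
        opcode, rd, ra, simm = decode(word)
        if opcode == 15 and ra == 0:            # addis rD,0,hi  (the `lis` mnemonic)
            high[rd] = (simm << 16) & 0xFFFFFFFF
        elif opcode == 14 and ra in high:       # addi rD,rA,lo with a known rA
            resolved[base + off] = (high[ra] + simm) & 0xFFFFFFFF
            high.pop(rd, None)
        else:
            # Anything else: conservatively forget the register it writes.
            # X-form ops such as `mr` (opcode 31) name their destination in rA.
            high.pop(ra if opcode == 31 else rd, None)
    return resolved

def annotate(base, code):
    """Return (addi_address, resolved_pointer, string_or_None) per resolved addi."""
    return [(a, p, STRINGS.get(p)) for a, p in sorted(resolve_lis_addi(base, code).items())]
```

Running `annotate(0x10008D38, CODE[0x10008D38])` yields `0x1003b9c4` with `"qsThreadInfo"` at `0x10008d40`, the same value the emulated disassembly prints further down in this thread.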

xarkes commented 6 years ago

Hi, how did you analyze the binary? Did you try with e asm.emu=true; aeim; aae? Btw you might want to consider updating your radare2 version (2.4.0 is very old)

m-1-k-3 commented 6 years ago

w00t ... thanks a lot for this hint. Now the output is as expected (and awesome):

# radare2 /opt/gdb/powerpc/bin/gdbserver 
Warning: Cannot initialize dynamic strings
 -- what happens in #radare, stays in #radare
[0x100000e0]> e asm.emu=true
[0x100000e0]> aeim
[0x100000e0]> aae
[0x100000e0]> pd 10 @0x10008454
            0x10008454      3ae00000       li r23, 0                   ; r23=0x0
            ; CODE XREF from 0x10008fbc (entry0 + 36572)
            0x10008458      3c801004       lis r4, 0x1004              ; r4=0x10040000 "ree=%d"
            0x1000845c      7f63db78       mr r3, r27                  ; r3=0x0
            0x10008460      3884ba24       addi r4, r4, -0x45dc        ; r4=0x1003ba24 "PacketSize=%x;QPassSignals+" str.PacketSize__x_QPassSignals
            0x10008464      38a03fff       li r5, 0x3fff               ; r5=0x3fff
            0x10008468      4cc63182       crclr 6
            0x1000846c      480262c5       bl 0x1002e730               ; lr=0x10008470 -> 0x3981 ; pc=0x1002e730 -> 0xa602087c ; CALL: 0x0, 0x0, 0x0, 0x0
            0x10008470      81390000       lwz r9, 0(r25)              ; r9=0xffffffff
            0x10008474      800900c4       lwz r0, 0xc4(r9)            ; r0=0xffffffff
            0x10008478      2f800000       cmpwi cr7, r0, 0            ; cr7=0xff
[0x100000e0]> pd 10 @0x10008008
            0x10008008      3c601004       lis r3, 0x1004              ; r3=0x10040000 "ree=%d"
            0x1000800c      7f64db78       mr r4, r27                  ; r4=0x0
            0x10008010      3863b9b4       addi r3, r3, -0x464c        ; r3=0x1003b9b4 "qSymbol::" str.qSymbol::
            0x10008014      480299b1       bl 0x100319c4               ; lr=0x10008018 -> 0x832f ; pc=0x100319c4 -> 0x388 ; CALL: 0x0, 0x0, 0x0, 0x0
            0x10008018      2f830000       cmpwi cr7, r3, 0            ; cr7=0xb4
        ,=< 0x1000801c      419e0090       beq cr7, 0x100080ac         ; unlikely
        |   0x10008020      3d201006       lis r9, 0x1006              ; r9=0x10060000 -> 0x800f0000
        |   0x10008024      8009165c       lwz r0, 0x165c(r9)          ; r0=0x0
        |   0x10008028      2f800000       cmpwi cr7, r0, 0            ; cr7=0x0
       ,==< 0x1000802c      419e0acc       beq cr7, 0x10008af8         ; pc=0x10008af8 -> 0x410603c ; likely