radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Basic Blocks issue disassembling Java class file #14933

Open malware-kitten opened 5 years ago

malware-kitten commented 5 years ago

Work environment

Questions Answers
OS/arch/bits (mandatory) openSuse Tumbleweed
File format of the file you reverse (mandatory) Java Class File
Architecture/bits of the file (mandatory) x32
r2 -v full output, not truncated (mandatory) radare2 3.7.1 22665 @ linux-x86-64 git.3.7.1-138-g3113d2aca commit: 3113d2acafca2bf4cca13f508d71dd187a595a9b build: 2019-08-30__09:32:28

Expected behavior

When viewing a class file with Ghidra, basic blocks are broken up and the graph view is rendered like this: [image]

Actual behavior

When opening with Radare2 it seems that each instruction of a function is rendered (and recognized) as a basic block, leading to a confusing graph view.

Here is a screenshot of the same function as shown above: [image]

Steps to reproduce the behavior

Open the following Malware M.zip (password: infected)
aa;s 0x000010c9;VV
Behavior can also be confirmed by running afb, there should only be 5 basic blocks of this function

Additional Information

Basic Block output

[0x000010c9]> afb
0x000010c9 0x000010ca 01:032E 1
0x000010ca 0x000010cb 01:032F 1
0x000010cb 0x000010cc 00:0000 1 j 0x00000459 f 0x000010cc
0x000010cc 0x000010cd 01:0330 1
0x000010cd 0x000010ce 01:0331 1
0x000010ce 0x000010cf 00:0000 1 j 0xffffffffffff8206 f 0x000010cf
0x000010cf 0x000010d0 01:0332 1
0x000010d0 0x000010d1 01:0333 1
0x000010d1 0x000010d2 01:0334 1
0x000010d2 0x000010d3 01:0335 1
0x000010d3 0x000010d4 01:0336 1
0x000010d4 0x000010d5 00:0000 1 j 0x0000055b f 0x000010d5
0x000010d5 0x000010d6 01:0337 1
0x000010d6 0x000010d7 01:0338 1
0x000010d7 0x000010d8 01:0339 1
0x000010d8 0x000010d9 01:033A 1
0x000010d9 0x000010da 01:033B 1
0x000010da 0x000010db 01:033C 1
0x000010db 0x000010de 00:0000 3 j 0x00000011 f 0x000010de
0x000010de 0x000010df 01:033D 1
0x000010df 0x000010e1 00:0000 2
0x000010e1 0x000010e2 01:033E 1
0x000010e2 0x000010e3 01:033F 1
0x000010e3 0x000010e4 01:0340 1
0x000010e4 0x000010e5 01:0341 1
0x000010e5 0x000010e6 01:0342 1
0x000010e6 0x000010e7 01:0343 1
0x000010e7 0x000010e8 01:0344 1
0x000010e8 0x000010e9 01:0345 1
0x000010e9 0x000010ea 01:0346 1
0x000010ea 0x000010eb 01:0347 1
0x000010eb 0x000010ec 01:0348 1
0x000010ec 0x000010ed 00:0000 1 j 0x00005b3e f 0x000010ed
0x000010ed 0x000010ee 01:0349 1
0x000010ee 0x000010ef 01:034A 1
0x000010ef 0x000010f0 01:034B 1
0x000010f0 0x000010f2 01:034C 2
0x000010f2 0x000010f3 01:034D 1
0x000010f3 0x000010f4 01:034E 1
0x000010f4 0x000010f5 01:034F 1
0x000010f5 0x000010f8 00:0000 3 j 0x0000111f f 0x000010f8
0x000010f8 0x000010f9 01:0350 1
0x000010f9 0x000010fa 01:0351 1
0x000010fa 0x000010fb 01:0352 1
0x000010fb 0x000010fc 01:0353 1
0x000010fc 0x000010ff 00:0000 3 j 0x00000015 f 0x000010ff
0x000010ff 0x00001102 01:0354 3
0x00001102 0x00001103 01:0355 1
0x00001103 0x00001104 01:0356 1
0x00001104 0x00001105 01:0357 1
0x00001105 0x00001106 01:0358 1
0x00001106 0x00001107 01:0359 1
0x00001107 0x0000110a 00:0000 3 j 0x0000111f f 0x0000110a
0x0000110a 0x0000110b 01:035A 1
0x0000110b 0x0000110c 01:035B 1
0x0000110c 0x0000110d 01:035C 1
0x0000110d 0x00001110 01:035D 3
0x00001110 0x00001111 01:035E 1
0x00001111 0x00001114 00:0000 3 j 0x00000015 f 0x00001114
0x00001114 0x00001116 01:035F 2
0x00001116 0x00001117 01:0360 1
0x00001117 0x00001118 01:0361 1
0x00001118 0x00001119 01:0362 1
0x00001119 0x0000111a 01:0363 1
0x0000111a 0x0000111d 00:0000 3 j 0x000010f5
0x0000111d 0x0000111e 01:0364 1
0x0000111e 0x0000111f 00:0000 1
0x0000111f 0x00001122 00:0000 3
0x00001122 0x00001123 01:0365 1
0x00001123 0x00001124 01:02BA 1
0x00001124 0x00001127 00:0000 3 j 0x00000019 f 0x00001127
0x00001127 0x00001128 00:0000 1
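The listing above is easier to reason about once it is parsed: the following script is an added example (not radare2 code and not the reporter's) that reads afb lines in the format shown here, checks that the blocks are contiguous, lists branch targets that fall outside the function, and counts how many blocks remain once pure fall-through chains are merged. It embeds a constructed excerpt (the last 14 blocks of the listing) and assumes the columns are start, end, an unused column, size in bytes, then optional `j` and `f` targets; the function bounds 0x10c9-0x1128 come from the full listing.

```python
import re

# Constructed excerpt: the last 14 blocks of the afb listing in this issue; the
# function bounds (0x10c9-0x1128) are taken from the full listing on the page.
FUNC_START, FUNC_END = 0x10c9, 0x1128
AFB_EXCERPT = """\
0x00001111 0x00001114 00:0000 3 j 0x00000015 f 0x00001114
0x00001114 0x00001116 01:035F 2
0x00001116 0x00001117 01:0360 1
0x00001117 0x00001118 01:0361 1
0x00001118 0x00001119 01:0362 1
0x00001119 0x0000111a 01:0363 1
0x0000111a 0x0000111d 00:0000 3 j 0x000010f5
0x0000111d 0x0000111e 01:0364 1
0x0000111e 0x0000111f 00:0000 1
0x0000111f 0x00001122 00:0000 3
0x00001122 0x00001123 01:0365 1
0x00001123 0x00001124 01:02BA 1
0x00001124 0x00001127 00:0000 3 j 0x00000019 f 0x00001127
0x00001127 0x00001128 00:0000 1
"""

# afb line: start end <column not used here> size [j jump] [f fail]
LINE_RE = re.compile(r"^(0x[0-9a-f]+) (0x[0-9a-f]+) \S+ (\d+)"
                     r"(?: j (0x[0-9a-f]+))?(?: f (0x[0-9a-f]+))?$")

def parse_afb(text):
    """Blocks as (start, end, size, jump, fail) tuples; jump/fail are None if absent."""
    hx = lambda v: int(v, 16) if v else None
    return [(hx(s), hx(e), int(n), hx(j), hx(f))
            for s, e, n, j, f in (m.groups() for m in map(LINE_RE.match, text.splitlines()) if m)]

def is_contiguous(blocks):
    """True when every block ends exactly where the next one starts."""
    return all(a[1] == b[0] for a, b in zip(blocks, blocks[1:]))

def bogus_targets(blocks, lo=FUNC_START, hi=FUNC_END):
    """(block start, target) pairs whose branch target lies outside the function."""
    return [(b[0], t) for b in blocks for t in b[3:] if t is not None and not lo <= t < hi]

def merged_block_count(blocks, lo=FUNC_START, hi=FUNC_END):
    """Blocks left once fall-through chains are merged: a block begins at the
    first listed address, at each in-function branch target, and right after
    each block that branches. Targets outside the excerpt are not counted."""
    leaders = {blocks[0][0]}
    for b in blocks:
        if b[3] is not None or b[4] is not None:
            leaders.add(b[1])
            leaders.update(t for t in b[3:] if t is not None and lo <= t < hi)
    return sum(blocks[0][0] <= l < blocks[-1][1] for l in leaders)
```

On this excerpt the 14 one-instruction blocks merge into 4, and two branch targets (0x15 and 0x19) point outside the function entirely, which is a cheap way to spot where the Java branch-target decoding rather than the block splitting is going wrong.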

radare commented 5 years ago

That's a regression. You can probably try to see what happens if you do a2f instead of af. But the Java support has been unmaintained for so much time already, so it may be good to get some more tests and love.

On 30 Aug 2019, at 16:03, Nick Hoffman notifications@github.com wrote:

Steps to reproduce the behavior

Open the following Malware M.zip (password: infected)
aa;s 0x000010c9;VV
Behavior can also be confirmed by running afb, there should only be 5 basic blocks of this function