radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

No functions are detected on ARM code due to weak Thumb code recognition #15622

Open enovella opened 4 years ago

enovella commented 4 years ago

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 18.04.3 x64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | ARM32 |
| r2 -v full output, not truncated (mandatory) | radare2 4.1.0-git 23788 @ linux-x86-64 git.4.0.0-207-g49e523937 commit: 49e523937ed4627ee36fd84d351af3a088aed4b8 build: 2019-12-13__03:38:33 |

Expected behavior

Some ARM32/Thumb functions recognized. IDA 7.4 recognizes 34 functions.

Actual behavior

No Thumb detection when performing normal analysis (aaa).

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

Sample: libm0vie.so.zip

radare commented 4 years ago

The anal hints taken from the ELF parser seem to mess up the analysis a bit; use these commands as a workaround:

$ r2 -c 'ah-*;ahb 16;omfg;aac;aflc' libm0vie.so
Cannot analyze at 0x001946be
Cannot analyze at 0x0018fde8
299
[0x00038880]>
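An added illustration, not part of the original thread and not radare2's own code: one way ARM/Thumb bits hints can be derived from an ELF symbol table, following the ARM ELF ABI conventions (`$a`/`$t`/`$d` mapping symbols, and bit 0 of a function symbol's value set for Thumb), so the result can be compared with what `ah` lists. The function names and the sample symbol table are constructed for this example; how radare2's ELF parser actually builds its hints is not shown on this page.

```python
import struct

MAPPING = {"$a": "arm", "$t": "thumb", "$d": "data"}  # ARM ELF mapping symbols

def arm_mode_hints(elf: bytes):
    """Return sorted (address, mode) pairs derived from an ELF32/ARM symbol table."""
    if elf[:6] != b"\x7fELF\x01\x01" or struct.unpack_from("<H", elf, 18)[0] != 40:
        raise ValueError("expected little-endian ELF32 for EM_ARM")
    (shoff,) = struct.unpack_from("<I", elf, 32)
    shentsize, shnum = struct.unpack_from("<HH", elf, 46)
    secs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    hints = {}
    for _, sh_type, _, _, off, size, link, *_ in secs:
        if sh_type not in (2, 11) or link >= len(secs):  # SHT_SYMTAB / SHT_DYNSYM
            continue
        str_off = secs[link][4]  # sh_offset of the linked string table
        for pos in range(off, off + size - 15, 16):  # skip a truncated last entry
            st_name, value, _, info, _, _ = struct.unpack_from("<IIIBBH", elf, pos)
            start = str_off + st_name
            end = elf.find(b"\0", start)
            name = elf[start:end if end >= 0 else len(elf)].decode("ascii", "replace")
            base = name.split(".")[0]  # "$t.12" is the same marker as "$t"
            if base in MAPPING:
                hints[value] = MAPPING[base]  # mapping symbols take precedence
            elif info & 0xF == 2:  # STT_FUNC: bit 0 of st_value set means Thumb
                hints.setdefault(value & ~1, "thumb" if value & 1 else "arm")
    return sorted(hints.items())

def as_r2_commands(hints):
    """Render code-mode hints as r2 `ahb` commands (data markers are skipped)."""
    bits = {"thumb": 16, "arm": 32}
    return [f"ahb {bits[m]} @ 0x{a:08x}" for a, m in hints if m in bits]

# Constructed sample: (name, st_value, st_info); 0x12 = GLOBAL|FUNC, 0 = LOCAL|NOTYPE
SAMPLE_SYMBOLS = [(b"$t", 0x1000, 0), (b"thumb_fn", 0x1001, 0x12), (b"$a", 0x2000, 0),
                  (b"arm_fn", 0x2000, 0x12), (b"$d", 0x2010, 0), (b"no_map_thumb_fn", 0x3001, 0x12)]

def build_sample():
    """Build a constructed ELF32/ARM image that holds only a symtab and a strtab."""
    strtab, symtab = b"\0", bytes(16)  # entry 0 is the mandatory null symbol
    for name, value, info in SAMPLE_SYMBOLS:
        symtab += struct.pack("<IIIBBH", len(strtab), value, 0, info, 0, 0xFFF1)
        strtab += name + b"\0"
    shoff = 52 + len(symtab) + len(strtab)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 40, 1,
                       0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    shdrs = bytes(40) + struct.pack("<10I", 0, 2, 0, 0, 52, len(symtab), 2, 1, 4, 16)
    shdrs += struct.pack("<10I", 0, 3, 0, 0, 52 + len(symtab), len(strtab), 0, 0, 1, 0)
    return ehdr + symtab + strtab + shdrs
```

Calling `as_r2_commands(arm_mode_hints(build_sample()))` yields one `ahb` line per code region of the constructed sample; on a stripped library with no symbol table the list is empty, and mode detection then has to come from analysis instead.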

radare commented 4 years ago

$ r2 libm0vie.so
[0x00038880]> ah~?
417
[0x00038880]> pd 2
            ;-- entry0, section..text, pc, r15:
            0x00038880      strlt r4,   [r0,  -0xb0f]                        ; [12] -r-x section size 4096 named .text
            0x00038884      ldmdavs fp,   {r0,  r1,   r3,   r4,   r5,   r6,   sl,   lr}
[0x00038880]> e asm.bits
32
[0x00038880]> e asm.bits=16
[0x00038880]> e asm.bits
16
[0x00038880]> pd 2
            ;-- entry0, section..text, pc, r15:
            0x00038880      strlt r4,   [r0,  -0xb0f]                        ; [12] -r-x section size 4096 named .text
            0x00038884      ldmdavs fp,   {r0,  r1,   r3,   r4,   r5,   r6,   sl,   lr}
[0x00038880]> e asm.bits
32
[0x00038880]> ah-*
[0x00038880]> e asm.bits=16
[0x00038880]> pd 2
            ;-- entry0, section..text, pc, r15:
            0x00038880      strlt r4,   [r0,  -0xb0f]                        ; [12] -r-x section size 4096 named .text
            0x00038884      ldmdavs fp,   {r0,  r1,   r3,   r4,   r5,   r6,   sl,   lr}
[0x00038880]> e asm.bits
32
[0x00038880]> e asm.bits=16
[0x00038880]> pd 2
            ;-- entry0, section..text, pc, r15:
            0x00038880      strlt r4,   [r0,  -0xb0f]                        ; [12] -r-x section size 4096 named .text
            0x00038884      ldmdavs fp,   {r0,  r1,   r3,   r4,   r5,   r6,   sl,   lr}
[0x00038880]> ah~?
0
[0x00038880]>

radare commented 4 years ago

I did another fix for this Thumb block issue in a PR; it will be merged soon.

radare commented 4 years ago

ping @thestr4ng3r

ret2libc commented 4 years ago

@thestr4ng3r I see you are assigned to this issue. Just to know, do you think you'll be able to perform it for the next release (let's say, in 2 months)? Not putting any pressure, I just want to organize issues for the next release.

thestr4ng3r commented 4 years ago

No, don't count on it.