radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Define an address as a function and use cmd "VV" when so file by ollvm protected #17283

Closed allen2015555 closed 4 years ago

allen2015555 commented 4 years ago

English is not my native language, I hope you guys understand my words. I analyzed an Android .so file, it is protected by OLLVM. I got some important function addresses by printing the addresses with adb logcat after modifying the Android AOSP source code. The function can be displayed normally when I use IDA Pro. Like this:

.text:C723B170             var_208= -0x208
.text:C723B170             var_200= -0x200
.text:C723B170             var_10= -0x10
.text:C723B170
.text:C723B170             ; __unwind {
.text:C723B170 2D E9 F0 4F PUSH.W          {R4-R11,LR}
.text:C723B174 03 AF       ADD             R7, SP, #0xC
.text:C723B176 AD F5 27 7D SUB.W           SP, SP, #0x29C
.text:C723B17A DF F8 38 0E LDR.W           R0, =(__stack_chk_guard_ptr - 0xC723B18C)
.text:C723B17E 38 21       MOVS            R1, #0x38 ; '8'
.text:C723B180 DF F8 34 CE LDR.W           R12, =(dword_C72F1BC0 - 0xC723B190)
.text:C723B184 40 F6 E3 09 MOVW            R9, #0x8E3
.text:C723B188 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C723B18A 01 22       MOVS            R2, #1
.text:C723B18C FC 44       ADD             R12, PC                 ; dword_C72F1BC0

However, it's not a normal function when I seek to the address with r2. I seek to the offset and use cmd "VV", r2 prompts "Not in a function. Type 'df' to define it here". How do I use the "df" cmd? I found many pages via Google and found that cmd "f c_p_ab @ 0x1cb170" can define the address as a flag. I used it and input cmd "pd 10", r2 displays:

[0x001cb170]> pd 10
            ;-- c_p_ab:
            0x001cb170      2de9f04f       push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}
            0x001cb174      03af           add r7, sp, 0xc
            0x001cb176      adf5277d       sub.w sp, sp, 0x29c
            0x001cb17a      dff8380e       ldr.w r0, [aav.aav.0x000bcba0] ; [0x1cbfb4:4]=0xbcba0 aav.0x000bcba0
            0x001cb17e      3821           movs r1, 0x38
            0x001cb180      dff834ce       ldr.w ip, [aav.aav.0x000b6a30] ; [0x1cbfb8:4]=0xb6a30 aav.0x000b6a30
            0x001cb184      40f6e309       movw sb, 0x8e3
            0x001cb188      7844           add r0, pc                  ; 0x287d2c
                                                                       ; reloc.__stack_chk_guard
            0x001cb18a      0122           movs r2, 1
            0x001cb18c      fc44           add ip, pc

After that, I input "VV", r2 still prompts "Not in a function. Type 'df' to define it here". Is this a bug? Another question, can r2 discern JNI functions like IDA Pro? Like this:

 v52 = ((int (__fastcall *)(JNIEnv *))(*v16)->FindClass)(v16);
 if ( ((int (__fastcall *)(JNIEnv *))(*v16)->ExceptionCheck)(v16) )
 {
     ((void (__fastcall *)(JNIEnv *))(*v16)->ExceptionClear)(v16);
     v53 = -1;
 }

I hope r2 can replace IDA Pro completely some day in the future.

ret2libc commented 4 years ago

Have you used radare2 -A ./mybinary? If not, have you used aaa to analyze the binary? If not, you can use af @ <function-address> to define a function at a given address.

Another question, r2 can discern the JNI function like IDA Pro? like this:

What you showed looks like a decompiler output. radare2 can be integrated with some existing decompilers. However, I suggest you first read https://book.rada.re/index.html if you haven't already done so.

trufae commented 4 years ago

Can you provide the executable you are trying to disassemble and reword the issue title to be an issue and not a question? This is not a forum.

I know jnienv is not automatically set and thumb analysis is far from perfect. But I don't see a reason why this function is not being analyzed.

allen2015555 commented 4 years ago

Have you used radare2 -A ./mybinary? If not, have you used aaa to analyze the binary? If not, you can use af @ <function-address> to define a function at a given address.

Another question, r2 can discern the JNI function like IDA Pro? like this:

What you showed looks like a decompiler output. radare2 can be integrated with some existing decompilers. However, I suggest you first read https://book.rada.re/index.html if you haven't already done so.

r2 can display the view normally with cmd "VV" after I used cmd "af /fun_name/ $$" at the function address. I have never read "https://book.rada.re/index.html", I will read it. Thank you very much!

allen2015555 commented 4 years ago

Can you provide the executable you are trying to disassemble and reword the issue title to be an issue and not a question? This is not a forum.

I know jnienv is not automatically set and thumb analysis is far from perfect. But I don't see a reason why this function is not being analyzed.

This is the apk file link "https://weixin.qq.com/cgi-bin/readtemplate?lang=zh_CN&t=page/faq/android/7015/index&faq=android_7015". You can click "立即下载" (Download now) and get the apk. so_file.zip


base: C4ACF000
baseInFile: C7070000 // in IDA Pro

c$p name:ea sig:(I)[B fnPtr: c4cde82d base: C4ACF000 offset: 20F82D baseInFile: C7070000 offsetInFile: C727F82D
c$p name:eb sig:([BII)Z fnPtr: c4d1494d base: C4ACF000 offset: 24594D baseInFile: C7070000 offsetInFile: C72B594D
c$p name:ec sig:()Z fnPtr: c4d1c4bd base: C4ACF000 offset: 24D4BD baseInFile: C7070000 offsetInFile: C72BD4BD
c$p name:ed sig:()[B fnPtr: c4d1c92d base: C4ACF000 offset: 24D92D baseInFile: C7070000 offsetInFile: C72BD92D
c$p name:ba sig:(I)Ljava/lang/String; fnPtr: c4b2520d base: C4ACF000 offset: 5620D baseInFile: C7070000 offsetInFile: C70C620D
c$p name:bb sig:(I)Ljava/lang/String; fnPtr: c4b26e09 base: C4ACF000 offset: 57E09 baseInFile: C7070000 offsetInFile: C70C7E09
c$p name:bc sig:(I[BIILcom/tencent/mm/normsg/PValue;Lcom/tencent/mm/normsg/PValue;Lcom/tencent/mm/normsg/PValue;)Z fnPtr: c4b2a905 base: C4ACF000 offset: 5B905 baseInFile: C7070000 offsetInFile: C70CB905
c$p name:bd sig:([BIILcom/tencent/mm/normsg/PValue;Lcom/tencent/mm/normsg/PValue;)Z fnPtr: c4b7e7e1 base: C4ACF000 offset: AF7E1 baseInFile: C7070000 offsetInFile: C711F7E1
c$p name:be sig:([BIILcom/tencent/mm/normsg/PValue;Lcom/tencent/mm/normsg/PValue;)Z fnPtr: c4b8ae1d base: C4ACF000 offset: BBE1D baseInFile: C7070000 offsetInFile: C712BE1D
c$p name:ab sig:()Z fnPtr: c4c9a171 base: C4ACF000 offset: 1CB171 baseInFile: C7070000 offsetInFile: C723B171
c$p name:ac sig:(Ljava/lang/String;Z)Ljava/lang/String; fnPtr: c4c9afe1 base: C4ACF000 offset: 1CBFE1 baseInFile: C7070000 offsetInFile: C723BFE1
c$p name:ad sig:()[B fnPtr: c4ca2421 base: C4ACF000 offset: 1D3421 baseInFile: C7070000 offsetInFile: C7243421
c$p name:ae sig:(I)[B fnPtr: c4ca78fd base: C4ACF000 offset: 1D88FD baseInFile: C7070000 offsetInFile: C72488Fa
c$p name:af sig:(I)[B fnPtr: c4ca8bd5 base: C4ACF000 offset: 1D9BD5 baseInFile: C7070000 offsetInFile: C7249BD5
c$p name:ag sig:()Z fnPtr: c4caf5c9 base: C4ACF000 offset: 1E05C9 baseInFile: C7070000 offsetInFile: C72505C9
c$p name:ah sig:()Z fnPtr: c4cb00d1 base: C4ACF000 offset: 1E10D1 baseInFile: C7070000 offsetInFile: C72510D1
c$p name:ai sig:()Z fnPtr: c4cb1ff5 base: C4ACF000 offset: 1E2FF5 baseInFile: C7070000 offsetInFile: C7252FF5
c$p name:aj sig:()Z fnPtr: c4cb2015 base: C4ACF000 offset: 1E3015 baseInFile: C7070000 offsetInFile: C7253015
c$p name:ak sig:()V fnPtr: c4cb6b99 base: C4ACF000 offset: 1E7B99 baseInFile: C7070000 offsetInFile: C7257B99
c$p name:al sig:()Z fnPtr: c4cc54ad base: C4ACF000 offset: 1F64AD baseInFile: C7070000 offsetInFile: C72664AD
c$p name:da sig:(Ljava/lang/String;)V fnPtr: c4cc6ccd base: C4ACF000 offset: 1F7CCD baseInFile: C7070000 offsetInFile: C7267CCD
c$p name:db sig:(Ljava/lang/String;)V fnPtr: c4cc6fdd base: C4ACF000 offset: 1F7FDD baseInFile: C7070000 offsetInFile: C7267FDD
c$p name:dc sig:(Ljava/lang/String;)V fnPtr: c4cc72e1 base: C4ACF000 offset: 1F82E1 baseInFile: C7070000 offsetInFile: C72682E1
c$p name:dd sig:(Ljava/lang/String;)Z fnPtr: c4cc7999 base: C4ACF000 offset: 1F8999 baseInFile: C7070000 offsetInFile: C7268999
c$p name:de sig:(Ljava/lang/String;)[B fnPtr: c4cc80b9 base: C4ACF000 offset: 1F90B9 baseInFile: C7070000 offsetInFile: C72690B9
c$p name:df sig:(Ljava/lang/String;Ljava/lang/String;)V fnPtr: c4cc8629 base: C4ACF000 offset: 1F9629 baseInFile: C7070000 offsetInFile: C7269629
c$p name:dg sig:(Ljava/lang/String;Landroid/view/MotionEvent;)V fnPtr: c4cc8c21 base: C4ACF000 offset: 1F9C21 baseInFile: C7070000 offsetInFile: C7269C21
c$p name:dh sig:(Ljava/lang/String;)V fnPtr: c4ccc635 base: C4ACF000 offset: 1FD635 baseInFile: C7070000 offsetInFile: C726D635
c$p name:di sig:(Ljava/lang/String;)Z fnPtr: c4ccc915 base: C4ACF000 offset: 1FD915 baseInFile: C7070000 offsetInFile: C726D915
c$p name:dj sig:(Ljava/lang/String;)[B fnPtr: c4cccfbd base: C4ACF000 offset: 1FDFBD baseInFile: C7070000 offsetInFile: C726DFBD
c$p name:ca sig:(Ljava/lang/Object;Ljava/lang/Class;)Z fnPtr: c4cd7f69 base: C4ACF000 offset: 208F69 baseInFile: C7070000 offsetInFile: C7278F69
c$p name:cb sig:(Ljava/lang/Object;)Z fnPtr: c4cda885 base: C4ACF000 offset: 20B885 baseInFile: C7070000 offsetInFile: C727B885

The "offset" is the function address. In r2, you can seek to the "offset". You need to subtract one from the "offset". Example: "offset: 20B885"

r2> s 0x20B884
r2> VV // you will get "Not in a function. Type 'df' to define it here"
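Worked example added here (not part of radare2 and not code from this issue): a Python script that parses logcat lines in the "c$p name:... fnPtr:... base:... offset:..." format pasted above, checks that offset really is fnPtr - base, clears the low bit that makes the reporter subtract one (on ARM a set low bit in a code pointer means Thumb mode, which matches the PUSH.W / ADD R7, SP prologue in the IDA listing), and emits the af name @ addr commands that ret2libc recommends instead of a plain flag. The jni. name prefix, the sample noise line and the e asm.bits=16 line are my assumptions; the last only tells r2 to disassemble as Thumb. Pasting the emitted lines into an r2 session on the .so is what makes VV work at those addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: three of the reporter's log entries plus one unrelated
# logcat line, to show that non-matching lines are skipped.
SAMPLE_LOG = """\
D/foo: unrelated logcat noise
c$p name:ea sig:(I)[B fnPtr: c4cde82d base: C4ACF000 offset: 20F82D baseInFile: C7070000 offsetInFile: C727F82D
c$p name:ab sig:()Z fnPtr: c4c9a171 base: C4ACF000 offset: 1CB171 baseInFile: C7070000 offsetInFile: C723B171
c$p name:cb sig:(Ljava/lang/Object;)Z fnPtr: c4cda885 base: C4ACF000 offset: 20B885 baseInFile: C7070000 offsetInFile: C727B885
"""

# Fields of one log line; the trailing baseInFile/offsetInFile values are not needed.
LOG_RE = re.compile(
    r"name:(?P<name>\S+)\s+sig:(?P<sig>\S+)\s+fnPtr:\s*(?P<fnptr>[0-9a-fA-F]+)"
    r"\s+base:\s*(?P<base>[0-9a-fA-F]+)\s+offset:\s*(?P<offset>[0-9a-fA-F]+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the parsed entry for one log line, or None if it is not a JNI entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fnptr = int(m["fnptr"], 16)
    base = int(m["base"], 16)
    offset = int(m["offset"], 16)
    # The logged offset must equal the runtime pointer minus the load base;
    # anything else means the log was mangled or belongs to another mapping.
    if fnptr - base != offset:
        raise ValueError(f"offset mismatch for {m['name']}: {fnptr - base:#x} != {offset:#x}")
    return {
        "name": m["name"],
        "sig": m["sig"],
        "offset": offset,
        # ARM: a set low bit marks a Thumb entry point; the instruction itself
        # sits at the even address, which is why the reporter subtracts one.
        "thumb": bool(offset & 1),
        "code_addr": offset & ~1,
    }


def parse_log(text: str) -> List[Dict]:
    """Parse every matching line of a logcat dump, keeping input order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def r2_commands(entries: List[Dict], prefix: str = "jni") -> List[str]:
    """Build the radare2 commands that define each native method as a function."""
    cmds: List[str] = []
    if any(e["thumb"] for e in entries):
        # Assumption: switch the disassembler to Thumb once; af then walks the
        # function from the even entry address.
        cmds.append("e asm.bits=16")
    for e in entries:
        cmds.append(f"af {prefix}.{e['name']} @ {e['code_addr']:#x}")
    return cmds


if __name__ == "__main__":
    for cmd in r2_commands(parse_log(SAMPLE_LOG)):
        print(cmd)
```

The entry for ab resolves to af jni.ab @ 0x1cb170, the address the reporter flagged with f c_p_ab, and cb resolves to 0x20b884, the address in the s 0x20B884 example above; the signature field is kept in the parsed entry but not passed to r2 because the ; in Java type descriptors would be read as a command separator by the r2 shell.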

google-mirror commented 3 years ago

normsg is VMP protected