Open tkernelcn opened 1 year ago
aac is not going to analyze everything, you must find the best command for your target or use the generic aaa. You can also try e anal.hasnext=true;afr
there is another issue on my build: aaa crashes:
peter@peter-VirtualBox:~/tmp/test_radare2$ /home/peter/bin/r2 -a mips -b 32 -e asm.cpu=micro /mnt/share/AppFW_flash_no_fs.elf
-- Interpret radare2 scripts with '. <path-to-script>'. Similar to the bash source alias command.
[0x98384b0f]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
ERROR: af: Cannot find function at 0x98384b0f
Segmentation fault (core dumped)
peter@peter-VirtualBox:~/tmp/test_radare2$
so I tried the other commands you suggested:
peter@peter-VirtualBox:~/tmp/test_radare2$ /home/peter/bin/r2 -a mips -b 32 -e asm.cpu=micro /mnt/share/AppFW_flash_no_fs.elf
-- Bindiff two files with '$ radiff2 /bin/true /bin/false'
[0x98384b0f]> aac
[0x98384b0f]> afr
[0x98384b0f]> e anal.hasnext=true
[0x98384b0f]> aac
[0x98384b0f]> afr
[0x98384b0f]> s sym.libFS_copy
[0x98541e8c]> s
0x98541e8c
[0x98541e8c]> pdf
ERROR: Cannot find function at 0x98541e8c
[0x98541e8c]> pd 20@sym.libFS_copy
;-- libFS_copy:
0x98541e8c 4fe5 addiusp -0x38
0x98541e8e 22fd unaligned
0x98541e90 d01840e4 andi zero, t8, 0x40e4
0x98541e94 0007ae92 invalid
0x98541e98 0e25 move s1, a1
0x98541e9a 41a4 unaligned
0x98541e9c 9860cc06 invalid
0x98541ea0 30847090 addiu a0, a0, 0x7090
;-- .L88:
0x98541ea4 41a49860 lui a0, 0x9860
0x98541ea8 30847074 addiu a0, a0, 0x7074
;-- .L105:
0x98541eac f41c79a0 jal 0x38f340
0x98541eb0 3220ffff addiu s1, zero, -1
0x98541eb4 0c51 move v0, s1
;-- .L106:
0x98541eb6 22fd unaligned
0x98541eb8 5018470e ori zero, t8, 0x470e
;-- .L103:
0x98541ebc f42a4f00 jal 0x549e00
0x98541ec0 00049290 or s2, a0, zero
0x98541ec4 4042000f bgez v0, 0x1e
0x98541ec8 0e02 move s0, v0
0x98541eca f4 unaligned
[0x98541e8c]>
the problem is also the disassembly errors.
I tried the radare2 from apt-get install on another Linux machine:
p10:~/git_workspace/REPO_FW/common/CP/images$ r2 -a mips -b 32 -e asm.cpu=micro ./AppFW_flash_no_fs.elf
[0x98384b0f]> e anal.hasnext=true
[0x98384b0f]> afr
[0x98384b0f]> aaa
[Cannot find function at 0x98384b0f sym. and entry0 (aa)
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x9861a0a0 to 0x9861b000 (aav)
[x] 0x9861a0a0-0x9861b000 in 0x9861a0a0-0x9861b000 (aav)
[x] 0x9861a0a0-0x9861b000 in 0x9c0883e4-0x9c089220 (aav)
[x] 0x9861a0a0-0x9861b000 in 0x9c082400-0x9c0883e4 (aav)
[x] 0x9861a0a0-0x9861b000 in 0x98384b0c-0x98613280 (aav)
[x] 0x9861a0a0-0x9861b000 in 0xb8384a00-0xb8384b0c (aav)
[x] 0x9861a0a0-0x9861b000 in 0x98384000-0x98384a00 (aav)
[x] Value from 0x9c0883e4 to 0x9c089220 (aav)
[x] 0x9c0883e4-0x9c089220 in 0x9861a0a0-0x9861b000 (aav)
[x] 0x9c0883e4-0x9c089220 in 0x9c0883e4-0x9c089220 (aav)
[x] 0x9c0883e4-0x9c089220 in 0x9c082400-0x9c0883e4 (aav)
[x] 0x9c0883e4-0x9c089220 in 0x98384b0c-0x98613280 (aav)
[x] 0x9c0883e4-0x9c089220 in 0xb8384a00-0xb8384b0c (aav)
[x] 0x9c0883e4-0x9c089220 in 0x98384000-0x98384a00 (aav)
[x] Value from 0x9c082400 to 0x9c0883e4 (aav)
[x] 0x9c082400-0x9c0883e4 in 0x9861a0a0-0x9861b000 (aav)
[x] 0x9c082400-0x9c0883e4 in 0x9c0883e4-0x9c089220 (aav)
[x] 0x9c082400-0x9c0883e4 in 0x9c082400-0x9c0883e4 (aav)
[x] 0x9c082400-0x9c0883e4 in 0x98384b0c-0x98613280 (aav)
[x] 0x9c082400-0x9c0883e4 in 0xb8384a00-0xb8384b0c (aav)
[x] 0x9c082400-0x9c0883e4 in 0x98384000-0x98384a00 (aav)
[x] Value from 0x98384b0c to 0x98613280 (aav)
[x] 0x98384b0c-0x98613280 in 0x9861a0a0-0x9861b000 (aav)
[x] 0x98384b0c-0x98613280 in 0x9c0883e4-0x9c089220 (aav)
[x] 0x98384b0c-0x98613280 in 0x9c082400-0x9c0883e4 (aav)
[x] 0x98384b0c-0x98613280 in 0x98384b0c-0x98613280 (aav)
[x] 0x98384b0c-0x98613280 in 0xb8384a00-0xb8384b0c (aav)
[x] 0x98384b0c-0x98613280 in 0x98384000-0x98384a00 (aav)
[x] Value from 0xb8384a00 to 0xb8384b0c (aav)
[x] 0xb8384a00-0xb8384b0c in 0x9861a0a0-0x9861b000 (aav)
[x] 0xb8384a00-0xb8384b0c in 0x9c0883e4-0x9c089220 (aav)
[x] 0xb8384a00-0xb8384b0c in 0x9c082400-0x9c0883e4 (aav)
[x] 0xb8384a00-0xb8384b0c in 0x98384b0c-0x98613280 (aav)
[x] 0xb8384a00-0xb8384b0c in 0xb8384a00-0xb8384b0c (aav)
[x] 0xb8384a00-0xb8384b0c in 0x98384000-0x98384a00 (aav)
[x] Value from 0x98384000 to 0x98384a00 (aav)
[x] 0x98384000-0x98384a00 in 0x9861a0a0-0x9861b000 (aav)
[x] 0x98384000-0x98384a00 in 0x9c0883e4-0x9c089220 (aav)
[x] 0x98384000-0x98384a00 in 0x9c082400-0x9c0883e4 (aav)
[x] 0x98384000-0x98384a00 in 0x98384b0c-0x98613280 (aav)
[x] 0x98384000-0x98384a00 in 0xb8384a00-0xb8384b0c (aav)
[x] 0x98384000-0x98384a00 in 0x98384000-0x98384a00 (aav)
[x] Emulate code to find computed references (aae)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x98384b0f]> s sym.libFS_copy
[0x98541e8c]> s
0x98541e8c
[0x98541e8c]> pdf
p: Cannot find function at 0x98541e8c
[0x98541e8c]> pd 20@sym.libFS_copy
;-- libFS_copy:
0x98541e8c 4fe522fd invalid
0x98541e90 d01840e4 andi zero, t8, 0x40e4
0x98541e94 0007ae92 invalid
0x98541e98 0e2541a4 invalid
0x98541e9c 9860cc06 invalid
0x98541ea0 30847090 addiu a0, a0, 0x7090
;-- .L88:
0x98541ea4 41a49860 lui a0, 0x9860
0x98541ea8 30847074 addiu a0, a0, 0x7074
;-- .L105:
0x98541eac f41c79a0 jal 0x38f340
0x98541eb0 3220ffff addiu s1, zero, -1
0x98541eb4 ~ 0c5122fd invalid
;-- .L106:
0x98541eb6 unaligned
0x98541eb7 unaligned
0x98541eb8 5018470e ori zero, t8, 0x470e
;-- .L103:
0x98541ebc f42a4f00 jal 0x549e00
0x98541ec0 00049290 or s2, a0, zero
0x98541ec4 4042000f bgez v0, 0x1e
0x98541ec8 0e02f42a invalid
0x98541ecc 50003220 ori zero, zero, 0x3220
0x98541ed0 fffe41a4 lw ra, 0x41a4(fp)
[0x98541e8c]>
environment:
p10:~/git_workspace/REPO_FW/common/CP/images$ r2 -v
radare2 4.2.1 0 @ linux-x86-64 git.4.2.1
commit: unknown build:
10:~/git_workspace/REPO_FW/common/CP/images$ uname -ms
Linux x86_64
p10:~/git_workspace/REPO_FW/common/CP/images$
so I think maybe something is configured wrong.
Thanks.
the point is: a lot of unaligned and invalid in the disassembled code
;-- libFS_copy:
0x98541e8c 4fe5 addiusp -0x38
0x98541e8e 22fd unaligned
0x98541e90 d01840e4 andi zero, t8, 0x40e4
0x98541e94 0007ae92 invalid
0x98541e98 0e25 move s1, a1
0x98541e9a 41a4 unaligned
0x98541e9c 9860cc06 invalid
0x98541ea0 30847090 addiu a0, a0, 0x7090
but gdb disassembles it like this:
Dump of assembler code for function libFS_copy:
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
0x98541ea4 <+24>: 41 a4 98 60 lui a0,0x9860
I don't know how to configure it for the MIPS M4K instruction set. Thanks.
I don't think aaa crashes. If you are running /home/peter/bin/r2 without using rpath or forcing LD_LIBRARY_PATH, you are probably mixing old and new libraries of r2, which probably have a different ABI and end up causing a segfault because of that. Also r2-4.5.1 is super hyper old; there are more than 3 years of changes since that release. So please update from git or the last release.
The 'mips' plugin is based on capstone, and capstone didn't support m4k at the time, but it does now. Also, bear in mind that you need to build capstone from git, because the last release of capstone, the one shipped in all distros, is more than 6 years old and completely useless for any modern CPU; it misses lots of instructions for arm64 or x64, for example.
You are configuring r2 properly, but you are using the wrong version of r2.
r2 -a mips -e asm.cpu=micro ...
You can confirm the disasm works properly with rasm2:
0$ rasm2 -a mips -b32 -c micro -d 22fdd018
lw t1, 0x18d0(v0)
0$
I'll add micromips support to the gnu plugin today (the code is there, it's just not used), and add tests for this.
@trufae Thanks for your support!
It's very strange, I did a git pull and $ ./sys/user.sh to build the latest version.
PS: before building r2, I also git cloned the latest capstone and built and installed it.
peter@peter-VirtualBox:~/tmp/test_radare2$ git clone -b next https://github.com/capstone-engine/capstone
peter@peter-VirtualBox:~/tmp/test_radare2$ cd capstone/
peter@peter-VirtualBox:~/tmp/test_radare2/capstone$ ./make.sh
peter@peter-VirtualBox:~/tmp/test_radare2/capstone$ sudo ./make.sh install
peter@peter-VirtualBox:~/tmp/test_radare2$ r2 -v
radare2 5.8.1 22 @ linux-x86-64 git.5.8.1
commit: a740698298113d3b4c18c45a9543616d27cd7218 build: 2023-01-12__09:55:27
peter@peter-VirtualBox:~/tmp/test_radare2$ rasm2 -a mips -b32 -c micro -d 22fdd018
lw t1, 0x18d0(v0)
peter@peter-VirtualBox:~/tmp/test_radare2$ rasm2 -a mips -b32 -c micro -d 4fe522fdd01840e40007ae920e2541a49860cc0630847090
invalid
sb a2, -0x1bc0(s0)
addu16 a2, s0, s0
slti s5, t6, 0x250e
invalid
addu16 a1, a2, a0
movep a1, a2, zero, v1
peter@peter-VirtualBox:~/tmp/test_radare2$
attachment for comparison, the gdb disassembly:
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
0x98541ea4 <+24>: 41 a4 98 60 lui a0,0x9860
0x98541ea8 <+28>: 30 84 70 74 addiu a0,a0,28788
0x98541eac <+32>: f4 1c 79 a0 jal 0x9838f341 <puts>
0x98541eb0 <+36>: 32 20 ff ff li s1,-1
T32 disassembly (not the same elf, so not the same addresses, but the same instructions):
T:9852F9B4|4FE5 libFS_copy: addiusp #-0x0E
T:9852F9B6|22FDD018 swm32 r16,r17,r18,r19,r20,r21,r22,r31,0x18(r29) ; r16,r17,r18,r19,r20,r21,r22,r31,24(r29)
T:9852F9BA|40E40007 beqzc r4,0x9852F9CC ; fileName,.L88
T:9852F9BE|AE92 bnez16 r5,0x9852F9E4 ; newFileName,.L103
T:9852F9C0|0E25 move16 r17,r5 ; r17,newFileName
T:9852F9C2|41A4985F lui r4,#0x985F ; fileName,#39007
T:9852F9C6|CC06 b16 0x9852F9D4 ; .L105
T:9852F9C8|3084A9C8 addiu r4,r4,#0xA9C8
T:9852F9CC|41A4985F .L88: lui r4,#0x985F ; fileName,#39007
T:9852F9D0|3084A9AC addiu r4,r4,#0xA9AC
T:9852F9D4|F41C79A0 .L105: jal 0x9038F340
T:9852F9D8|3220FFFF addiu r17,r0,#0xFFFF
there are also invalid entries in the r2 disassembly.
Thanks.
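To make the comparisons in this thread mechanical instead of by eye, here is an added Python script (it is not part of radare2 and not from anyone's post here). It parses a gdb "Dump of assembler code" listing and a plain radare2 pd listing, reconstructs the opcode byte stream that was passed to rasm2 -d above, clears gdb's micromips ISA bit (gdb prints the function symbol as 0x98541e8d while radare2 starts at 0x98541e8c) so the two address spaces line up, and reports the instruction boundaries on which the two disassemblers disagree. The sample listings are constructed from the lines quoted in this thread; the function names are my own.

```python
import re

# Constructed sample input: the first eight gdb lines of libFS_copy quoted
# in the thread, and the matching radare2 `pd` lines from the original report.
GDB_LISTING = """\
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
"""

R2_LISTING = """\
0x98541e8c 4fe5 addiusp -0x38
0x98541e8e 22fd unaligned
0x98541e90 d01840e4 andi zero, t8, 0x40e4
0x98541e94 0007ae92 invalid
0x98541e98 0e25 move s1, a1
0x98541e9a 41a4 unaligned
0x98541e9c 9860cc06 invalid
0x98541ea0 30847090 addiu a0, a0, 0x7090
"""

GDB_RE = re.compile(r"^0x([0-9a-f]+)\s+<\+(\d+)>:\s+(.*)$")
R2_RE = re.compile(r"^0x([0-9a-f]+)\s+([0-9a-f]+)\s+(.*)$")
HEXBYTE = re.compile(r"^[0-9a-f]{2}$")


def parse_gdb(text):
    """Return [(addr, opcode_bytes, mnemonic)] with the ISA bit cleared.

    gdb prints the symbol with bit 0 set (0x...8d); the <+N> offsets are
    relative to the even address, which is the one radare2 shows, so the
    offsets double as a consistency check on the parse.
    """
    insns, base = [], None
    for line in text.splitlines():
        m = GDB_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16) & ~1
        if base is None:
            base = addr
        if addr - base != int(m.group(2)):
            raise ValueError(f"offset mismatch: {line!r}")
        tokens = m.group(3).split()
        raw = bytearray()
        while tokens and HEXBYTE.match(tokens[0]):   # opcode bytes precede the mnemonic
            raw.append(int(tokens.pop(0), 16))
        if len(raw) not in (2, 4):                    # micromips opcodes are 16 or 32 bits
            raise ValueError(f"unexpected opcode length: {line!r}")
        insns.append((addr, bytes(raw), tokens[0]))
    return insns


def parse_r2(text):
    """Return [(addr, opcode_bytes, mnemonic)] from a plain `pd` listing."""
    insns = []
    for line in text.splitlines():
        m = R2_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).split()[0]))
    return insns


def opcode_stream(insns):
    """Opcode bytes in memory order: the hex string rasm2 -d is given above."""
    return b"".join(raw for _, raw, _ in insns).hex()


def contiguous(insns):
    """True when each instruction starts exactly where the previous one ends."""
    return all(a + len(raw) == b for (a, raw, _), (b, _, _) in zip(insns, insns[1:]))


def boundary_diff(reference, candidate):
    """(missing, spurious): reference boundaries the candidate lacks, and
    boundaries the candidate invented. Both sorted lists of addresses."""
    ref = {a for a, _, _ in reference}
    cand = {a for a, _, _ in candidate}
    return sorted(ref - cand), sorted(cand - ref)


def first_divergence(reference, candidate):
    """Address of the first candidate instruction not on a reference
    boundary, or None when the two listings agree on every boundary."""
    ref = {a for a, _, _ in reference}
    return next((a for a, _, _ in candidate if a not in ref), None)


if __name__ == "__main__":
    gdb, r2 = parse_gdb(GDB_LISTING), parse_r2(R2_LISTING)
    print("opcode stream:", opcode_stream(gdb))
    missing, spurious = boundary_diff(gdb, r2)
    print("boundaries r2 missed:  ", [hex(a) for a in missing])
    print("boundaries r2 invented:", [hex(a) for a in spurious])
    d = first_divergence(gdb, r2)
    print("first divergence:", hex(d) if d is not None else "none")
```

Run on the two listings, both parsers yield the same byte stream (4fe522fdd01840e40007ae920e2541a49860cc0630847090, the string used with rasm2 in this thread), so the disagreement is purely about where instructions start: the first divergence is at 0x98541e90, where the old radare2 output treated the 16-bit "22 fd" as a separate unaligned word instead of the first half of the 32-bit swm. The same harness works for the later listings in the thread by swapping in the text.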
This is probably because of missing instructions in capstone. Feel free to test cstool and report the missing instructions there.
I didn't have time to finish the mips.gnu integration of MicroMIPS yesterday, but I will finish it today for sure. I will add tests and ping you back when done.
you can try with -a mips.gnu -c micro -b 32:
$ rasm2 -a mips.gnu -b32 -c micro -d 4fe522fdd01840e40007ae920e2541a49860cc0630847090
sb a2, -7104(s0)
addu a2, s0, s0
sll v0, s0, 7
lwl a0, 1740(t8)
movep a1,a2, zero, v1
so it works as expected now. I'm closing the ticket; can you please test cstool and report the missing instructions to https://github.com/capstone-engine/capstone?
thanks!
@trufae please look at the instruction details; they don't have the same meaning as the gdb disassembly result
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
the instruction 4f e5 operates on the sp register, so it's also not the expected result yet
Both the capstone and gnu plugins do the right thing. I overlooked the issue because I don't have any binary to test it properly. If you could provide one micromips binary for the testsuite I can add some tests and probably fix more bugs.
Check the -e flag to fix the endianness issue; after merging #21253 it should be fine. Please re-try, and thanks for the patience.
hello @trufae, due to company policy I can't provide the entire elf binary file, sorry for that.
Is it suitable to use the instruction string 4fe522fdd01840e40007ae920e2541a49860cc0630847090 instead?
(If needed, I can dump a bigger instruction binary file for your CI test)
I tested the -e flag:
$ rasm2 -a mips.gnu -b32 -c micro -e -d 4fe522fdd01840e40007ae920e2541a49860cc0630847090
addiu sp, sp, -56
andi zero, t8, 0x40e4
cop2 0xf5d2
move s1, a1
swc1 $f3, -13306(zero)
addiu a0, a0, 28816
looks better than before, but compared with gdb's result there are still more differences:
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
so maybe something else is missing?
Thanks a lot.
What is missing is that the PR fixing the bug wasn't merged, so you had to test the branch, not master. Please try again on master.
If you find any binary, even a hello world (or compile radareorg/r0 for example) using the micromips toolchain, send it for the testsuite and I'll add tests around it, to improve the quality of the analysis and avoid breaking changes in the near future when I move this plugin into the arch.
cool, it works, thanks for your great effort!
$ rasm2 -a mips.gnu -b32 -c micro -e -d 4fe522fdd01840e40007ae920e2541a49860cc0630847090
addiu sp, sp, -56
swm s0-s6,ra, 24(sp)
beqzc a0, 0x00000019
bnez a1, 0x00000031
move s1, a1
lui a0, 0x9860
b 0x00000021
addiu a0, a0, 28816
same as the gdb result:
0x98541e8d <+0>: 4f e5 addiu sp,sp,-56
0x98541e8e <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x98541e92 <+6>: 40 e4 00 07 beqzc a0,0x98541ea5 <libFS_copy+24>
0x98541e96 <+10>: ae 92 bnez a1,0x98541ebd <libFS_copy+48>
0x98541e98 <+12>: 0e 25 move s1,a1
0x98541e9a <+14>: 41 a4 98 60 lui a0,0x9860
0x98541e9e <+18>: cc 06 b 0x98541ead <libFS_copy+32>
0x98541ea0 <+20>: 30 84 70 90 addiu a0,a0,28816
I will upload a binary or investigate the compiler. Thanks again.
I also have some confusion about the r2 disassembly display (many unaligned error instructions):
$ r2 -a mips.gnu -b 32 -e asm.cpu=micro -e cfg.bigendian=true /mnt/share/AppFW_flash_no_fs.elf
[0x98384b0f]> aaa
[0x98384b0f]> s sym.libFS_copy
[0x98541e8c]> s
0x98541e8c
[0x98541e8c]> pdf
┌ 348: sym.libFS_copy ();
│ ╎ 0x98541e8c 4fe5 addiu sp, sp, -56
│ ╎ 0x98541e8e 22 unaligned
│ ╎ 0x98541e8f fd unaligned
│ ╎ 0x98541e90 d01840e4 andi zero, t8, 0x40e4
│ ╎ 0x98541e94 0007ae92 cop2 0xf5d2
│ ╎ 0x98541e98 0e25 move s1, a1
│ ╎ 0x98541e9a 41 unaligned
│ ╎ 0x98541e9b a4 unaligned
│ ╎ 0x98541e9c 9860cc06 swc1 fv1f, -13306(zero)
│ ╎ 0x98541ea0 30847090 addiu a0, a0, 28816
│ ╎ ;-- .L88:
│ ╎ 0x98541ea4 41a49860 lui a0, 0x9860
│ ╎ 0x98541ea8 30847074 addiu a0, a0, 28788
│ ╎ ;-- .L105:
│ ╎ 0x98541eac f41c79a0 jal 0x9838f341
│ ╎ 0x98541eb0 3220ffff li s1, -1
│ ╎ 0x98541eb4 0c51 move v0, s1
│ ╎ ;-- .L106:
│ ╎ 0x98541eb6 22 unaligned
│ ╎ 0x98541eb7 fd unaligned
.......
[0x98541e8c]> pd 20@sym.libFS_copy
┌ 348: sym.libFS_copy ();
│ 0x98541e8c 4fe5 addiu sp, sp, -56
│ 0x98541e8e 22fd unaligned
│ 0x98541e90 d01840e4 andi zero, t8, 0x40e4
│ 0x98541e94 0007ae92 cop2 0xf5d2
│ 0x98541e98 0e25 move s1, a1
│ 0x98541e9a 41a4 unaligned
│ 0x98541e9c 9860cc06 swc1 fv1f, -13306(zero)
│ 0x98541ea0 30847090 addiu a0, a0, 28816
│ ;-- .L88:
│ 0x98541ea4 41a49860 lui a0, 0x9860
│ 0x98541ea8 30847074 addiu a0, a0, 28788
│ ;-- .L105:
│ 0x98541eac f41c79a0 jal 0x9838f341
│ 0x98541eb0 3220ffff li s1, -1
│ 0x98541eb4 0c51 move v0, s1
so are any other configurations needed? Thanks.
BTW: a lot of warnings show up when running aaa, like:
WARN: Analysis of 0x98384d28 stopped at 0x983b241c, use a higher anal.depth to continue
WARN: Analysis of 0x98384d28 stopped at 0x983a10b8, use a higher anal.depth to continue
WARN: Analysis of 0x98384d28 stopped at 0x983a1e6c, use a higher anal.depth to continue
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
I'll take the bytes of this disassembly as a sample and fix all those warnings today. Thanks for reporting!
I uploaded the memory instruction binary for your CI test; compare it with the gdb results:
Dump of assembler code for function libFS_copy:
0x98542285 <+0>: 4f e5 addiu sp,sp,-56
0x98542286 <+2>: 22 fd d0 18 swm s0-s6,ra,24(sp)
0x9854228a <+6>: 40 e4 00 07 beqzc a0,0x9854229d <libFS_copy+24>
0x9854228e <+10>: ae 92 bnez a1,0x985422b5 <libFS_copy+48>
0x98542290 <+12>: 0e 25 move s1,a1
0x98542292 <+14>: 41 a4 98 60 lui a0,0x9860
0x98542296 <+18>: cc 06 b 0x985422a5 <libFS_copy+32>
0x98542298 <+20>: 30 84 75 58 addiu a0,a0,30040
0x9854229c <+24>: 41 a4 98 60 lui a0,0x9860
0x985422a0 <+28>: 30 84 75 3c addiu a0,a0,30012
0x985422a4 <+32>: f4 1c 79 a0 jal 0x9838f341 <puts>
0x985422a8 <+36>: 32 20 ff ff li s1,-1
0x985422ac <+40>: 0c 51 move v0,s1
0x985422ae <+42>: 22 fd 50 18 lwm s0-s6,ra,24(sp)
0x985422b2 <+46>: 47 0e jraddiusp 56
0x985422b4 <+48>: f4 2a 50 fc jal 0x9854a1f9 <fsm_filelength>
0x985422b8 <+52>: 00 04 92 90 move s2,a0
0x985422bc <+56>: 40 42 00 0f bgez v0,0x985422df <libFS_copy+90>
0x985422c0 <+60>: 0e 02 move s0,v0
0x985422c2 <+62>: f4 2a 51 fc jal 0x9854a3f9 <fsm_getlasterror>
0x985422c6 <+66>: 32 20 ff fe li s1,-2
0x985422ca <+70>: 41 a4 98 60 lui a0,0x9860
0x985422ce <+74>: 85 4a movep a2,a3,s2,s0
0x985422d0 <+76>: 0c a2 move a1,v0
0x985422d2 <+78>: f4 1c 79 06 jal 0x9838f20d <printf>
0x985422d6 <+82>: 30 84 75 78 addiu a0,a0,30072
0x985422da <+86>: cf e9 b 0x985422af <libFS_copy+42>
0x985422dc <+88>: 0c 51 move v0,s1
0x985422de <+90>: 41 a5 98 61 lui a1,0x9861
0x985422e2 <+94>: 30 a5 36 54 addiu a1,a1,13908
0x985422e6 <+98>: f4 27 be d0 jal 0x984f7da1 <__wrap_fopen>
0x985422ea <+102>: 00 12 22 90 move a0,s2
0x985422ee <+106>: ad 0e bnez v0,0x9854230d <libFS_copy+136>
0x985422f0 <+108>: 0e 82 move s4,v0
0x985422f2 <+110>: f4 2a 51 fc jal 0x9854a3f9 <fsm_getlasterror>
0x985422f6 <+114>: 32 20 ff fd li s1,-3
0x985422fa <+118>: 41 a4 98 60 lui a0,0x9860
0x985422fe <+122>: 84 54 movep a1,a2,v0,s2
0x98542300 <+124>: f4 1c 79 06 jal 0x9838f20d <printf>
0x98542304 <+128>: 30 84 75 a8 addiu a0,a0,30120
0x98542308 <+132>: cf d2 b 0x985422af <libFS_copy+42>
0x9854230a <+134>: 0c 51 move v0,s1
0x9854230c <+136>: 41 a5 98 5d lui a1,0x985d
0x98542310 <+140>: 30 a5 b9 40 addiu a1,a1,-18112
0x98542314 <+144>: f4 27 be d0 jal 0x984f7da1 <__wrap_fopen>
0x98542318 <+148>: 00 11 22 90 move a0,s1
0x9854231c <+152>: ad 14 bnez v0,0x98542347 <libFS_copy+194>
0x9854231e <+154>: 0e a2 move s5,v0
0x98542320 <+156>: f4 2a 51 fc jal 0x9854a3f9 <fsm_getlasterror>
0x98542324 <+160>: 00 00 00 00 nop
0x98542328 <+164>: 41 a4 98 60 lui a0,0x9860
0x9854232c <+168>: 84 14 movep a1,a2,v0,s1
0x9854232e <+170>: f4 1c 79 06 jal 0x9838f20d <printf>
0x98542332 <+174>: 30 84 75 cc addiu a0,a0,30156
0x98542336 <+178>: 32 20 ff fc li s1,-4
0x9854233a <+182>: f4 27 be ec jal 0x984f7dd9 <__wrap_fclose>
0x9854233e <+186>: 00 14 22 90 move a0,s4
0x98542342 <+190>: cf b5 b 0x985422af <libFS_copy+42>
0x98542344 <+192>: 0c 51 move v0,s1
0x98542346 <+194>: 8c 10 beqz s0,0x98542369 <libFS_copy+228>
0x98542348 <+196>: 0e 20 move s1,zero
0x9854234a <+198>: f4 27 c6 fa jal 0x984f8df5 <pvPortMalloc>
0x9854234e <+202>: 00 10 22 90 move a0,s0
0x98542352 <+206>: ad 10 bnez v0,0x98542375 <libFS_copy+240>
0x98542354 <+208>: 0e 62 move s3,v0
0x98542356 <+210>: 41 a4 98 60 lui a0,0x9860
0x9854235a <+214>: 0c b0 move a1,s0
0x9854235c <+216>: f4 1c 79 06 jal 0x9838f20d <printf>
0x98542360 <+220>: 30 84 75 f4 addiu a0,a0,30196
0x98542364 <+224>: 32 20 ff fb li s1,-5
0x98542368 <+228>: f4 27 be ec jal 0x984f7dd9 <__wrap_fclose>
0x9854236c <+232>: 00 15 22 90 move a0,s5
0x98542370 <+236>: cf e4 b 0x9854233b <libFS_copy+182>
0x98542372 <+238>: 0c 00 nop
0x98542374 <+240>: 85 78 movep a2,a3,s0,s4
0x98542376 <+242>: ee 81 li a1,1
0x98542378 <+244>: f4 27 bf 06 jal 0x984f7e0d <__wrap_fread>
0x9854237c <+248>: 00 02 22 90 move a0,v0
0x98542380 <+252>: 0e c2 move s6,v0
0x98542382 <+254>: 02 02 13 50 slt v0,v0,s0
0x98542386 <+258>: 8d 15 beqz v0,0x985423b3 <libFS_copy+302>
0x98542388 <+260>: 0c f5 move a3,s5
0x9854238a <+262>: f4 2a 51 fc jal 0x9854a3f9 <fsm_getlasterror>
0x9854238e <+266>: 32 20 ff fa li s1,-6
0x98542392 <+270>: 41 a4 98 60 lui a0,0x9860
0x98542396 <+274>: 85 58 movep a2,a3,s0,s2
0x98542398 <+276>: 0c a2 move a1,v0
0x9854239a <+278>: 30 84 76 18 addiu a0,a0,30232
0x9854239e <+282>: f4 1c 79 06 jal 0x9838f20d <printf>
0x985423a2 <+286>: fa dd 00 10 sw s6,16(sp)
0x985423a6 <+290>: f4 27 c7 44 jal 0x984f8e89 <vPortFree>
0x985423aa <+294>: 00 13 22 90 move a0,s3
0x985423ae <+298>: cf dc b 0x98542369 <libFS_copy+228>
0x985423b0 <+300>: 0c 00 nop
0x985423b2 <+302>: 0c d0 move a2,s0
0x985423b4 <+304>: ee 81 li a1,1
0x985423b6 <+306>: f4 27 bf 26 jal 0x984f7e4d <__wrap_fwrite>
0x985423ba <+310>: 00 13 22 90 move a0,s3
0x985423be <+314>: 94 50 ff f2 beq s0,v0,0x985423a7 <libFS_copy+290>
0x985423c2 <+318>: 0e c2 move s6,v0
0x985423c4 <+320>: f4 2a 51 fc jal 0x9854a3f9 <fsm_getlasterror>
0x985423c8 <+324>: 32 20 ff f9 li s1,-7
0x985423cc <+328>: 41 a4 98 60 lui a0,0x9860
0x985423d0 <+332>: 85 58 movep a2,a3,s0,s2
0x985423d2 <+334>: 0c a2 move a1,v0
0x985423d4 <+336>: 30 84 76 60 addiu a0,a0,30304
0x985423d8 <+340>: f4 1c 79 06 jal 0x9838f20d <printf>
0x985423dc <+344>: fa dd 00 10 sw s6,16(sp)
0x985423e0 <+348>: cf e2 b 0x985423a7 <libFS_copy+290>
0x985423e2 <+350>: 0c 00 nop
0x985423e4 <+0>: 09 c0 lbu v1,0(a0)
End of assembler dump.
test_micro-mips.zip: you can compare the result with the gdb output
Dump of assembler code for function main:
0x004000d1 <+0>: lui gp,0x2
0x004000d5 <+4>: addiu gp,gp,-32225
0x004000d9 <+8>: addu gp,gp,t9
0x004000dd <+12>: addiu sp,sp,-40
0x004000df <+14>: lw t9,-32740(gp)
0x004000e3 <+18>: sw gp,16(sp)
0x004000e7 <+22>: sw ra,36(sp)
0x004000e9 <+24>: addiu a1,sp,24
0x004000eb <+26>: jalr t9
0x004000ed <+28>: li a0,5
0x004000f1 <+32>: lw ra,36(sp)
0x004000f3 <+34>: jraddiusp 40
End of assembler dump.
Dump of assembler code for function nthFibonacciTerm:
0x00400221 <+0>: lui gp,0x2
0x00400225 <+4>: addiu gp,gp,-32561
0x00400229 <+8>: addu gp,gp,t9
0x0040022d <+12>: addiu sp,sp,-56
0x0040022f <+14>: sw gp,16(sp)
0x00400233 <+18>: swm s0-s6,ra,24(sp)
0x00400237 <+22>: beqz a1,0x400243 <nthFibonacciTerm+34>
0x00400239 <+24>: move s0,zero
0x0040023b <+26>: bgez a0,0x40024b <nthFibonacciTerm+42>
0x0040023f <+30>: li v0,-1
0x00400241 <+32>: sw v0,0(a1)
0x00400243 <+34>: move v0,s0
0x00400245 <+36>: lwm s0-s6,ra,24(sp)
0x00400249 <+40>: jraddiusp 56
0x0040024b <+42>: beqz a0,0x4002a5 <nthFibonacciTerm+132>
0x0040024d <+44>: move s1,a1
0x0040024f <+46>: move s2,a0
0x00400251 <+48>: li s5,2
0x00400255 <+52>: move s4,zero
0x00400257 <+54>: li s0,1
0x00400259 <+56>: li s3,1
0x0040025d <+60>: li s6,1
0x00400261 <+64>: sw zero,0(a1)
0x00400263 <+66>: slt v0,s5,s2
0x00400267 <+70>: bnez v0,0x400279 <nthFibonacciTerm+88>
0x00400269 <+72>: lw t9,-32744(gp)
0x0040026d <+76>: li v0,1
0x0040026f <+78>: beqz s4,0x400243 <nthFibonacciTerm+34>
0x00400273 <+82>: sw v0,0(s1)
0x00400275 <+84>: b 0x400243 <nthFibonacciTerm+34>
0x00400277 <+86>: move s0,s3
0x00400279 <+88>: movep a0,a1,s3,s0
0x0040027b <+90>: jalr t9
0x0040027d <+92>: nop
0x00400281 <+96>: bne v0,s6,0x40028d <nthFibonacciTerm+108>
0x00400285 <+100>: lw gp,16(sp)
0x00400287 <+102>: li s0,-1
0x00400289 <+104>: b 0x400243 <nthFibonacciTerm+34>
0x0040028b <+106>: sw zero,0(s1)
0x0040028d <+108>: bnez s4,0x40029f <nthFibonacciTerm+126>
0x00400291 <+112>: addu v0,s3,s0
0x00400295 <+116>: move s3,v0
0x00400297 <+118>: li s4,1
0x0040029b <+122>: b 0x400263 <nthFibonacciTerm+66>
0x0040029d <+124>: addiu s5,s5,1
0x0040029f <+126>: move s0,v0
0x004002a1 <+128>: b 0x40029b <nthFibonacciTerm+122>
0x004002a3 <+130>: move s4,zero
0x004002a5 <+132>: li v0,1
0x004002a7 <+134>: move s0,zero
0x004002a9 <+136>: b 0x400243 <nthFibonacciTerm+34>
0x004002ab <+138>: sw v0,0(a1)
End of assembler dump.
this elf is for your CI test; please also try to use radare2 to parse the test.elf. Thanks.
I tried the test.elf uploaded above; it also has many unaligned in the disassembly
$ r2 -a mips.gnu -b 32 -e asm.cpu=micro -e cfg.bigendian=true ./test.elf
-- Pass '-j' to rabin2 to get the information of the binary in JSON format.
[0x004000d0]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Finding xrefs in noncode section (e anal.in=io.maps.x)
INFO: Analyze value pointers (aav)
INFO: aav: 0x00400000-0x004002ec in 0x400000-0x4002ec
INFO: Emulate functions to find computed references (aaef)
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
WARN: No SN reg alias for 'mips.gnu'
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Integrate dwarf function information
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x004000d0]> s sym.main
[0x004000d0]> s
0x4000d0
[0x004000d0]> pdf
;-- section..text:
;-- .text:
;-- main:
;-- entry0:
;-- _ftext:
┌ 36: int dbg.main (int argc, char **argv, char **envp);
│ ; var int success @ fp+0x0
│ 0x004000d0 41bc0002 lui gp, 0x2 ; int main(int argc,char ** argv);
│ 0x004000d4 339c821f addiu gp, gp, -32225
│ 0x004000d8 033ce150 addu gp, gp, t9
│ 0x004000dc 4fed addiu sp, sp, -40
│ 0x004000de ff unaligned
│ 0x004000df 3c unaligned ; main.c:65
│ 0x004000e0 801cfb9d 0x801cfb9d
│ 0x004000e4 0010cbe9 0x10cbe9
│ 0x004000e8 6e8d addiu a1, sp, 24
│ 0x004000ea 45 unaligned
│ 0x004000eb d9 unaligned ; main.c:62
│ 0x004000ec 30800005 li a0, 5
│ 0x004000f0 4be9 lw ra, 36(sp)
└ 0x004000f2 47 unaligned
└ 0x004000f3 0a unaligned ; main.c:65
[0x004000d0]>
everything should be fixed here https://github.com/radareorg/radare2/pull/21262
thanks for the snippets and the test binary!! I can finally test it properly and I think after merging this it will be good :) 🤞
I have also extended the ELF parser to set the right asm.cpu when loading a micromips binary 👍
I did a git pull and rebuilt:
$ r2 -v
radare2 5.8.1 44 @ linux-x86-64 git.5.8.1
commit: 9fac6494957d9bd41fcb8dc34b6d3fe444a05378 build: 2023-01-18__09:51:20
the disassembly result is not the same as the GDB result above (with a lot of unaligned instructions):
$ r2 -a mips.gnu -b 32 -e asm.cpu=micro -e cfg.bigendian=true ./test.elf
-- Pass '-j' to rabin2 to get the information of the binary in JSON format.
[0x004000d0]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Finding xrefs in noncode section (e anal.in=io.maps.x)
INFO: Analyze value pointers (aav)
INFO: aav: 0x00400000-0x004002ec in 0x400000-0x4002ec
INFO: Emulate functions to find computed references (aaef)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Integrate dwarf function information
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x004000d0]> pdf@sym.main
;-- section..text:
;-- .text:
;-- main:
;-- entry0:
;-- _ftext:
┌ 36: int dbg.main (int argc, char **argv, char **envp);
│ ; var int success @ fp+0x0
│ 0x004000d0 41bc0002 lui gp, 0x2 ; int main(int argc,char ** argv);
│ 0x004000d4 339c821f addiu gp, gp, -32225
│ 0x004000d8 033ce150 addu gp, gp, t9
│ 0x004000dc 4fed addiu sp, sp, -40
..
│ 0x004000df 3c unaligned ; main.c:65
│ 0x004000e0 801cfb9d 0x801cfb9d
│ 0x004000e4 0010cbe9 0x10cbe9
│ 0x004000e8 6e8d addiu a1, sp, 24
..
│ 0x004000eb d9 unaligned ; main.c:62
│ 0x004000ec 30800005 li a0, 5
│ 0x004000f0 4be9 lw ra, 36(sp)
..
└ 0x004000f3 0a unaligned ; main.c:65
[0x004000d0]> pdf@sym.nthFibonacciTerm
┌ 140: sym.nthFibonacciTerm ();
│ ╎ 0x00400220 41bc0002 lui gp, 0x2 ; main.c:12
│ ╎ 0x00400224 339c80cf addiu gp, gp, -32561
│ ╎ 0x00400228 033ce150 addu gp, gp, t9
│ ╎ 0x0040022c 4fe5 addiu sp, sp, -56
..
│ ╎ 0x0040022f 9d unaligned
│ ╎ 0x00400230 001022fd 0x1022fd
│ ╎ 0x00400234 d0188e85 andi zero, t8, 0x8e85
│ ╎ 0x00400238 0e00 move s0, zero
..
│ ╎ 0x0040023b 44 unaligned ; main.c:22
│ ╎ 0x0040023c 0006ed7f 0x6ed7f
│ ╎ 0x00400240 e950 sw v0, 0(a1)
│ ╎ ;-- .L2:
..
│ ╎ 0x00400243 50 unaligned ; main.c:59
│ ╎ 0x00400244 22fd5018 lwm s0-s6,ra, 24(sp)
│ ╎ ; CODE XREF from sym.register_tm_clones @ 0x400130(x)
│ ╎ 0x00400248 470e jraddiusp 56
│ ╎ ;-- .L4:
..
│ ╎ 0x0040024b 2c unaligned ; main.c:27
│ ╎ 0x0040024c 0e25 move s1, a1
..
│ ╎ 0x0040024f 44 unaligned
│ ╎ 0x00400250 32a00002 li s5, 2
│ ╎ 0x00400254 0e80 move s4, zero
..
│ ╎ 0x00400257 01 unaligned
│ ╎ 0x00400258 32600001 li s3, 1
│ ╎ 0x0040025c 32c00001 li s6, 1
│ ╎ 0x00400260 e850 sw zero, 0(a1)
│ ╎ ;-- .L6:
..
│ ╎ 0x00400263 55 unaligned ; main.c:37
│ └─< 0x00400264 1350ad08 addi k0, s0, -21240
│ 0x00400268 ff3c8018 lw t9, -32744(gp)
│ 0x0040026c ed01 li v0, 1
..
│ 0x0040026f 14 unaligned ; main.c:52
│ 0x00400270 ffe8e910 lw ra, -5872(t0)
│ 0x00400274 cfe6 b 0x00400243
..
│ 0x00400277 13 unaligned
│ ;-- .L10:
│ 0x00400278 86cc movep a0,a1, s3, s0 ; [0x45d9:2]=0xffff
..
│ 0x0040027b d9 unaligned
│ 0x0040027c 00000000 nop
│ 0x00400280 b6c20004 bne v0, s6, 0x0040028d
│ 0x00400284 4b84 lw gp, 16(sp)
..
│ 0x00400287 7f unaligned ; main.c:40
│ 0x00400288 cfdc b 0x00400243
..
│ 0x0040028b 10 unaligned
│ ;-- .L7:
│ 0x0040028c b4140007 bnez s4, 0x0040029f
│ 0x00400290 02131150 addu v0, s3, s0
│ 0x00400294 0e62 move s3, v0
..
│ 0x00400297 80 unaligned ; main.c:45
│ 0x00400298 ~ 0001cfe3 0x1cfe3
│ ;-- .L9:
..
│ 0x0040029b e3 unaligned ; main.c:37
│ 0x0040029c 4ea2 addiu s5, s5, 1
│ ;-- .L8:
..
│ 0x0040029f 02 unaligned ; main.c:47
│ 0x004002a0 cffc b 0x0040029b
..
│ 0x004002a3 80 unaligned
│ ;-- .L5:
│ 0x004002a4 ed01 li v0, 1
..
│ 0x004002a7 00 unaligned ; main.c:29
│ 0x004002a8 cfcc b 0x00400243
..
└ 0x004002ab 50 unaligned
[0x004000d0]>
is there any other PR pending or needing to be merged? Thanks.
that looks correct to me, also from rasm2
$ rasm2 -a mips.gnu -b32 -e -c micro -d 4fe522fdd01840e40007ae920e2541a49860cc0630847090
addiu sp, sp, -56
swm s0-s6,ra, 24(sp)
beqzc a0, 0x00000019
bnez a1, 0x00000031
move s1, a1
lui a0, 0x9860
b 0x00000021
addiu a0, a0, 28816
$
The output from capstone is different from the gnu one, but you are free to use the one you like. Also I don't have much more time to improve the mips support before this release, and the remaining things should be easy to do, so I would appreciate it if you try to extend the current implementation by sending PRs with your findings, test capstone and report bugs there.
Maybe on Sunday I have some spare time to get my hands on this again, but I have other priorities on my plate right now. Please confirm you have the same behaviour as I do.
I found the reason for the invalid instructions in the middle of the disasm and it should be fixed in master.
The red instructions in the mips.gnu plugin are because the analysis is not as complete as in the capstone plugin.
already got a great achievement now; it seems pd works well but pdf does not:
1. some instruction bytes are missing, leaving unaligned errors
2. the commands axt and axf also don't work, there is no result output
Environment
Description
compared with the gdb disassembly output (sorry for the gdb alignment):
so, is it an issue in radare2, or how do I configure it correctly? Thanks in advance.