radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Missing some function xrefs using aaa; axt 0xaddr or sym.imp.func_name #22865

Closed foobazjo closed 2 weeks ago

foobazjo commented 2 weeks ago

Environment

Fri 26 Apr 2024 05:36:12 PM EDT
radare2 5.9.0 32631 @ linux-x86-64
birth: git.5.9.0 2024-04-25__20:00:37
commit: 4a07098809c71c21515d0f862ac4ca044ae95e95
options: gpl -O? cs:5 cl:2 make
Linux x86_64

Description

I have this script I'm making using r2pipe to count the number of times certain imported functions are being called within a binary (e.g. system(), printf(), memcpy(), etc.).

After "aaa" I'm using "axt 0x" (often more successful) or "axt sym.imp.func" to list all the xrefs to a given function. Sometimes axt won't return anything for a function while being successful for others in the same binary. I tried using "aae" before "aaa", it wasn't successful.

Test

(Use attached aewDebug binary)

[0x00008b8c]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
INFO: Recovering variables
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods
INFO: Finding xrefs in noncode section (e anal.in=io.maps.x)
INFO: Emulate functions to find computed references (aaef)
ERROR: Invalid reftype mask '' (0x01)
INFO: Recovering local variables (afva)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis

aewDebug.zip

[0x00008b8c]> axt sym.imp.s sym.imp.strncpy sym.imp.strtol sym.imp.snprintf sym.imp.strcmp
[0x00008b8c]> axt sym.imp.snprintf
[0x00008b8c]> axt 0x8824
[0x00008b8c]> axi 0x8824

With Ghidra I see one xref for that snprintf


trufae commented 2 weeks ago

This is because r2 is not detecting that main is a Thumb function. As a workaround you can do this: "ahb 16 @ main", and then "aaa" will work well. But I'm cooking a fix to make that work.

trufae commented 2 weeks ago

Can I use this aewDebug binary in the testsuite? (Is it distributable?)

trufae commented 2 weeks ago

fixed here https://github.com/radareorg/radare2/pull/22876

foobazjo commented 2 weeks ago

> Can I use this aewDebug binary in the testsuite? (Is it distributable?)

Probably, but I will check for another "open" binary in the firmware, something like busybox. I just grabbed the first one I saw that was failing to get the function xrefs. I will also keep an eye on whether it works for all the binaries I'm using. I have a whole pile of firmware root filesystems of mixed architectures.

trufae commented 2 weeks ago

Thanks! Feel free to submit a PR to the testbins repo with that binary (place it in the elf directory) and, if you are in the mood, also make a PR in this repo with the test itself, so we ensure it won't break in the future.
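
An added example, not code from the reporter or from the radare2 project: one way to write the import xref counter described in the report so that it also flags imports with no xrefs at all, the symptom the Thumb mis-detection produced here. It assumes the iij entries carry "name", "type" and "plt" keys and that axtj returns a JSON list; the sample replies and the function names are constructed for illustration.

```python
import sys

# Constructed sample replies, not output from the attached binary.
SAMPLE = {
    "iij": [
        {"name": "strncpy", "type": "FUNC", "plt": 0x8800},
        {"name": "snprintf", "type": "FUNC", "plt": 0x8824},
        {"name": "stdout", "type": "OBJ", "plt": 0},
    ],
    "axtj 0x8800": [{"from": 0x8C10}, {"from": 0x8C40}],
    "axtj 0x8824": [],
}

def count_import_xrefs(cmdj):
    """Map each imported function to its xref count via a cmdj callable."""
    counts = {}
    for imp in cmdj("iij") or []:
        addr = imp.get("plt") or 0
        if imp.get("type") != "FUNC" or not addr:
            continue  # skip data imports and entries without a PLT address
        # Query by address; cmdj may return None when r2 prints nothing.
        counts[imp["name"]] = len(cmdj("axtj 0x%x" % addr) or [])
    return counts

def unreferenced_imports(counts):
    """Imports with no xrefs: unused, or missed by the analysis."""
    return sorted(name for name, n in counts.items() if n == 0)

def analyze(path, thumb_at=()):
    import r2pipe  # lazy import so the helpers above run without radare2
    r2 = r2pipe.open(path)
    try:
        for where in thumb_at:
            r2.cmd("ahb 16 @ %s" % where)  # workaround quoted in the thread
        r2.cmd("aaa")
        return count_import_xrefs(r2.cmdj)
    finally:
        r2.quit()

if __name__ == "__main__":
    # With no arguments, run on the constructed sample instead of a binary.
    counts = (analyze(sys.argv[1], sys.argv[2:]) if len(sys.argv) > 1
              else count_import_xrefs(SAMPLE.get))
    for name, n in sorted(counts.items()):
        print("%-20s %d" % (name, n))
    missing = unreferenced_imports(counts)
    if missing:
        print("no xrefs, check ARM/Thumb detection: " + ", ".join(missing))
```

Run against a real binary it takes the path first and any locations to mark as Thumb after it, for example the binary path followed by main.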