radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

`axff` didn't work as expected #23096

Open ucgJhe opened 2 months ago

ucgJhe commented 2 months ago

Environment

```
Sun Jul  7 02:59:40 CST 2024

radare2 5.9.3 32339 @ linux-x86-64
birth: git.5.7.8-3398-g3382a3e231 2024-07-07__02:43:10
commit: 3382a3e231f6a5bbf21facd8fdb2d5377354bdc1
options: gpl -O? cs:5 cl:2 make

Linux x86_64
```

Description

I want to list all call refs from a function with `axff`, but it seems not to work as expected.

First, open the attached file with `r2 -A -e bin.cache=true ncc`. That said, I want to list call refs from the function `sym.doEventInternal`, so I use `axff @ sym.doEventInternal~CALL`.

But I found that there is no `sym.readInfo_log` on the list, although it actually existed in the code.

We can make sure by using `aae @ sym.doEventInternal ;axl~sym.readInfo_log~sym.doEventInternal~CALL`

This will take some time but will give the result as the picture below:

image

Test

`axff @ sym.doEventInternal~sym.readInfo_log`

ncc.zip

ucgJhe commented 2 months ago

@radare Hi, I couldn't repro this with any random bin from testbin, so I just attached the file here.

trufae commented 2 months ago

The bin is now in the testbins and I am checking for the best way to fix that bug now. Thanks for reporting.

trufae commented 2 months ago

Some comments here:

trufae commented 2 months ago

A partial fix of the problem is here: https://github.com/radareorg/radare2/pull/23099

trufae commented 2 months ago

Can you try again with latest r2 from git?

ucgJhe commented 2 months ago

@trufae Thx for your quick response. After testing it again, I think the issue still exists.

The command `axff @ sym.doEventInternal~CALL` now shows the function `sym.readInfo_log`, but I found there are more missing functions that should be in the list, like `sym.runProbe`, `sym.imp.strcpy`, `sym.unlockInfo_log` etc.

Also, `aae @ sym.doEventInternal ;axl~sym.readInfo_log~sym.doEventInternal~CALL` couldn't find refs about `sym.readInfo_log` in the latest version.

And I have one more question here: why does the result in the picture below show the exact same function twice?

image

Again, thx for your help on this, I really appreciate it.

trufae commented 1 month ago

Sorry for the delay, crazy days here and I was busy with several other important bugs on my side. I'll try to find some time to dig a little on this issue. I'm not sure why results are duped, but it could be related to a bug in `anal/xrefs.c` that permits registering the same ref twice for a reason I ignore. If anyone can dig on this I would appreciate any insights too.

Thanks for testing.