radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

"black hole" in hex string search with mask (MIPS) #2541

Closed mrmacete closed 9 years ago

mrmacete commented 9 years ago

Using this binary (uuencoded): http://paste.kolibrios.org/show/385/

$ r2 upnpd
Warning: Cannot initialize dynamic section
 -- Heisenbug: A bug that disappears or alters its behavior when one attempts to probe or isolate it.
[0x00404a90]> s 0x0041401c
[0x0041401c]> pd 3
           0x0041401c    2080998f       lw t9, -0x7fe0(gp)
           0x00414020    00000000       nop
           0x00414024    d4a22527       addiu a1, t9, -0x5d2c ; this should match
[0x0041401c]> e search.from=0x0041401c
[0x0041401c]> e search.to=0x41409c
[0x0041401c]> s/x 00002027:0000f0ff
Searching 4 bytes...
#6 [0x41401d-0x41409c]
hits: 0  hit0_0 .. hit0_1
[0x00000000]> 

In the above r2 session, I expected 0x00414024 to match the search.

These are my search settings:

[0x00000000]> e~search
search.align = 0
search.chunk = 0
search.contiguous = true
search.count = 0
search.distance = 0
search.esilcombo = 8
search.flags = true
search.from = 4276252
search.in = file
search.kwidx = 1
search.maxhits = 0
search.prefix = hit
search.show = true
search.to = 0x41409c
jjdredd commented 9 years ago

make a test out of this, perhaps?

mrmacete commented 9 years ago

I imagine something like:

NAME='binmask seek (mips)'
FILE='malloc://1024'
ARGS=
BROKEN=
CMDS='
e asm.arch = mips
e scr.color=false
"wx 2080998f00000000d4a22527"
e search.from=0
e search.to=12
s/x 00002027:0000f0ff
?v $$
q
'
EXPECT='0x00000008 hit0_0 d4a22527
0x8
'
run_test
radare commented 9 years ago

IIRC this hit0_0 line is in stderr, not out


mrmacete commented 9 years ago

I tested it by forking radare2-regressions.

If I replace the line

s/x 00002027:0000f0ff

with the line

s/x d4a22527

the test passes, otherwise "correctly" fails.

radare commented 9 years ago

I guess /x fails in the same way, and the error is only related when using binary masks. I bet this can be an issue in the command parse, adding some printfs should be enough to spot the issue

radare commented 9 years ago

Works fine if you skip the 00's: s/x 2027:f0ff

mrmacete commented 9 years ago

Actually, removing the 00's works but doesn't play well with alignment. In fact, if I wanted to search for patterns in MIPS opcodes (all 32 bits wide), I would have set search.align=4, and the 00's purpose was to focus the search on the last 2 bytes of 4-byte words. Am I wrong?
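As an added example, not radare2's own search code and not part of this thread, here is a small Python reference implementation of the masked hex search that mrmacete's regression test exercises. It runs over the same 12 constructed bytes the test writes with `wx`, and takes an `align` option so the alignment point above can be checked: the padded keyword `00002027:0000f0ff` hits at offset 8 (a 4-byte opcode boundary), while the shortened `2027:f0ff` hits at offset 10 and is discarded once `align=4` is in force. Function names, the `base` parameter and the `hitN_M` formatting helper are assumptions made for this example.

```python
"""Reference implementation of a masked hex search (added example, not radare2 code).

Semantics mirrored from the thread: `s/x PATTERN:MASK` finds every offset where
(data & MASK) == (PATTERN & MASK); a run of 00 in the mask still consumes bytes,
so the hit offset stays on the opcode boundary when search.align is set.
"""
from typing import List, Optional, Tuple

# Constructed sample: the bytes the regression test writes with
# "wx 2080998f00000000d4a22527" (little-endian MIPS: lw t9,-0x7fe0(gp); nop;
# addiu a1,t9,-0x5d2c). The addiu at offset 8 is the expected hit.
SAMPLE = bytes.fromhex("2080998f00000000d4a22527")


def parse_hex_keyword(spec: str) -> Tuple[bytes, bytes]:
    """Parse 'HEX' or 'HEX:HEXMASK' (the /x keyword syntax used in the thread).

    Without a mask every byte is compared fully, i.e. mask = ff per byte.
    """
    if ":" in spec:
        pat_hex, mask_hex = spec.split(":", 1)
        pattern = bytes.fromhex(pat_hex)
        mask = bytes.fromhex(mask_hex)
    else:
        pattern = bytes.fromhex(spec)
        mask = b"\xff" * len(pattern)
    if len(mask) != len(pattern):
        raise ValueError("mask length must equal pattern length")
    return pattern, mask


def masked_search(data: bytes, pattern: bytes, mask: bytes,
                  start: int = 0, end: Optional[int] = None,
                  align: int = 0) -> List[int]:
    """Return every offset in data[start:end] whose window matches under the mask."""
    if end is None:
        end = len(data)
    n = len(pattern)
    # Pre-mask the pattern so bits the user set outside the mask cannot spoil a match.
    want = bytes(p & m for p, m in zip(pattern, mask))
    hits = []
    for off in range(start, end - n + 1):
        if align and off % align:          # honour search.align: skip unaligned offsets
            continue
        window = data[off:off + n]
        if all((b & m) == w for b, m, w in zip(window, mask, want)):
            hits.append(off)
    return hits


def search_spec(data: bytes, spec: str, start: int = 0,
                end: Optional[int] = None, align: int = 0) -> List[int]:
    """Convenience wrapper: parse the /x keyword, then run the masked search."""
    pattern, mask = parse_hex_keyword(spec)
    return masked_search(data, pattern, mask, start, end, align)


def format_hits(data: bytes, spec: str, hits: List[int],
                base: int = 0, prefix: str = "hit") -> List[str]:
    """Render hits in the '0xADDR hit0_N BYTES' shape the test's EXPECT line uses.

    `base` is the load address of data[0]; it is an assumption of this example.
    """
    n = len(parse_hex_keyword(spec)[0])
    return [f"0x{base + off:08x} {prefix}0_{i} {data[off:off + n].hex()}"
            for i, off in enumerate(hits)]


if __name__ == "__main__":
    cases = (("00002027:0000f0ff", 0), ("2027:f0ff", 0),
             ("2027:f0ff", 4), ("00002027:0000f0ff", 4))
    for spec, align in cases:
        hits = search_spec(SAMPLE, spec, align=align)
        print(f"s/x {spec} (align={align}):",
              format_hits(SAMPLE, spec, hits) or "no hits")
```

With `base=0x41401c` (the `search.from` used in the original session) the single hit renders as `0x00414024 hit0_0 d4a22527`, which is the address the opening post expected.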

radare commented 9 years ago

Yes, I am aware that this is not a solution, just a note to keep in mind that the bitmask seems to work in some cases. I will try to find some time this week to fix this issue.
