Closed Maijin closed 7 years ago
This will only be caught with esil or radeco analysis. That's similar to how jump tables are constructed. Can you cook a sample C to reproduce the issue and push it to the r2r repo?
On 05 Sep 2015, at 18:47, Maijin notifications@github.com wrote:
At offset 0x0805d120:
str.192.3.207.242:7632:
section..rodata:
.string "192.3.207.242:7632" ; len=19
xor dword [ecx], edi ; [3] va=0x0805d120 pa=0x00015120 sz=10688 vsz=10688 rwx=-r-- .rodata
In IDA pro, the string is referenced at offset 0x08060B40 (commServer) which is itself referenced by 0x0804D889 (mov eax, commServer[eax*4])
http://rghost.net/private/7ftwchW7T/4278a59274295165d33b6b63b3c31e6a
@futex ^
See the code sample in #3238
A quick and dirty C example inspired by the malware code:

#include <stdio.h>
#include <stdlib.h>

/* Two pointer tables in .data; each entry points at a string in .rodata. */
char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "login\0", "guest\0", "user\0", "ftp\0", "tech\0", "tech\0", "monitor\0", "volition\0", "kermit\0", "dhs3mt\0", "at4400\0", "mtch\0", "diag\0", "manager\0", "device\0", "apc\0", "super\0", "HTTP\0", "xbox\0"};
char *passwords[] = {"root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0", "login\0", "changeme\0", "1234\0", "12345\0", "123456\0", "default\0", "pass\0", "password\0", "ftp\0", "synnet\0", "tech\0", "monitor\0", "volition\0", "kermit\0", "dhs3mt\0", "at4400\0", "mtch\0", "switch\0", "permit\0", "manager\0", "apc\0", "epicrouter\0", "atlantis\0", "super\0", "HTTP\0", "xbox\0", "smcadmin\0"};

int main(int argc, char *argv[]) {
    /* number of entries in each table (strlen() on the array was a bug) */
    size_t size_usernames = sizeof(usernames) / sizeof(usernames[0]);
    size_t size_passwords = sizeof(passwords) / sizeof(passwords[0]);
    printf("size of username: %zu, size of password: %zu\n", size_usernames, size_passwords);
    /* indexed table access, so the compiler emits a code reference to the
       table base like the malware's mov eax, commServer[eax*4] */
    if (argc > 1) {
        size_t i = (size_t)atoi(argv[1]);
        printf("%s / %s\n", usernames[i % size_usernames], passwords[i % size_passwords]);
    }
    return 0;
}
When I analyse it in IDA I find the "passwords" (with an s) object at address 080ED140 in .data, but in radare2:
[0x08048a8d]> izz | grep passwords
vaddr=0x000072c8 paddr=0x000b5254 ordinal=9014 sz=10 len=9 section=.strtab type=ascii string=passwords
Strange vaddr, so axt failed:
[0x08048a8d]> axt 0x000072c8
But with the IDA address it runs nicely:
[0x08048a8d]> axt 0x080ED140
d 0x8048be3 push obj.passwords
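The pattern behind both the malware sample and the C reproducer above is a pointer table in .data whose entries address strings in .rodata (`mov eax, commServer[eax*4]`); a plain code-xref scan sees the table base but never links the strings themselves. The following is an added example, not radare2 or radeco code, showing the data-to-data resolution an analyzer has to do: walk the table's dword entries, keep the ones that land on a printable NUL-terminated string, and answer the `axt`-style question "which table slots reference this string address?". The section layout, virtual addresses and strings are constructed for the demo.

```python
"""Resolve string references that go through a pointer table (added example).

Constructed 32-bit little-endian image with two sections: .rodata holding
strings and .data holding a dword table of pointers to them.  Addresses and
contents are made up for the demo; they are not from the malware sample.
"""
import struct

RODATA_VA = 0x0805D000  # constructed base of .rodata
DATA_VA = 0x080ED000    # constructed base of .data

_strings = [b"192.3.207.242:7632", b"root", b"admin", b"changeme"]


def build_image():
    """Lay the strings out in .rodata and a pointer table to them in .data."""
    rodata = bytearray()
    string_vas = []
    for s in _strings:
        string_vas.append(RODATA_VA + len(rodata))
        rodata += s + b"\0"
    data = bytearray()
    for va in string_vas:
        data += struct.pack("<I", va)
    data += struct.pack("<I", 0)           # NULL terminator, like a C string table
    data += struct.pack("<I", 0x41414141)  # unrelated dword: must not become an xref
    return bytes(rodata), bytes(data), string_vas


RODATA, DATA, STRING_VAS = build_image()
SECTIONS = {".rodata": (RODATA_VA, RODATA), ".data": (DATA_VA, DATA)}


def read_cstring(va, max_len=256):
    """Return the printable NUL-terminated string at va, or None if va is
    outside every section or does not start a non-empty printable string."""
    for start, blob in SECTIONS.values():
        if start <= va < start + len(blob):
            off = va - start
            end = blob.find(b"\0", off)
            if end < 0 or end == off:
                return None
            raw = blob[off:end]
            if len(raw) > max_len or not all(0x20 <= b < 0x7F for b in raw):
                return None
            return raw.decode("ascii")
    return None


def scan_pointer_table(section=".data"):
    """Walk every aligned dword in a section; return (slot_va, target_va, string)
    for the entries that point at a string.  This is the step a code-only xref
    scan skips: the reference lives in data, not in an instruction."""
    start, blob = SECTIONS[section]
    refs = []
    for off in range(0, len(blob) - 3, 4):
        target = struct.unpack_from("<I", blob, off)[0]
        s = read_cstring(target)
        if s is not None:
            refs.append((start + off, target, s))
    return refs


def xrefs_to(string_va):
    """The `axt <string address>` question: which table slots reference it?"""
    return [slot for slot, target, _ in scan_pointer_table() if target == string_va]


def table_lookup(table_va, index):
    """Emulate `mov eax, table[eax*4]`: fetch entry `index` and the string it addresses."""
    start, blob = SECTIONS[".data"]
    off = table_va - start + index * 4
    target = struct.unpack_from("<I", blob, off)[0]
    return target, read_cstring(target)


if __name__ == "__main__":
    for slot, target, s in scan_pointer_table():
        print(f"0x{slot:08x} -> 0x{target:08x} {s!r}")
    print("refs to first string:", [hex(v) for v in xrefs_to(STRING_VAS[0])])
```

The NULL terminator and the 0x41414141 filler are deliberately in the table: an analyzer that turns every dword in .data into a reference would produce junk xrefs, so the string check on the target is what separates real table entries from noise.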
This is fixed in fact, but jumptable needs to be tested, then enabled by default both in anal and graph; there are others tracking this.
At offset 0x0805d120:
In IDA pro, the string is referenced at offset 0x08060B40 (commServer) which is itself referenced by 0x0804D889 (mov eax, commServer[eax*4])
http://rghost.net/private/7ftwchW7T/4278a59274295165d33b6b63b3c31e6a (password: "infected"; it is malware) [ca2fa3de6da0dfe579410f76cad26fcc]