radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

axt not working on this sample (elf32) #3234

Closed Maijin closed 7 years ago

Maijin commented 9 years ago

At offset 0x0805d120:

            str.192.3.207.242:7632:
            section..rodata:
                .string "192.3.207.242:7632" ; len=19  xor dword [ecx], edi ; [3] va=0x0805d120 pa=0x00015120 sz=10688 vsz=10688 rwx=-r-- .rodata

In IDA pro, the string is referenced at offset 0x08060B40 (commServer) which is itself referenced by 0x0804D889 (mov eax, commServer[eax*4])

http://rghost.net/private/7ftwchW7T/4278a59274295165d33b6b63b3c31e6a (passwd: "infected", is a malware) [ca2fa3de6da0dfe579410f76cad26fcc]

radare commented 9 years ago

This will only be caught with esil or radeco analysis. That's similar to how jump tables are constructed. Can you cook a sample C to reproduce the issue and push it to the r2r repo?

On 05 Sep 2015, at 18:47, Maijin notifications@github.com wrote:

Maijin commented 9 years ago

@futex ^

Maijin commented 9 years ago

See the code sample in #3238

futex commented 9 years ago

A quick and dirty C example inspired by the malware code

#include <stdio.h>
#include <string.h>

/* Credential tables copied from the sample; the trailing "\0" in each literal is redundant but harmless. */
char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "login\0", "guest\0", "user\0", "ftp\0", "tech\0", "tech\0", "monitor\0", "volition\0", "kermit\0", "dhs3mt\0", "at4400\0", "mtch\0", "diag\0", "manager\0", "device\0", "apc\0", "super\0", "HTTP\0", "xbox\0"};
char *passwords[] = {"root\0", "\0", "toor\0", "admin\0", "user\0", "guest\0", "login\0", "changeme\0", "1234\0", "12345\0", "123456\0", "default\0", "pass\0", "password\0", "ftp\0", "synnet\0", "tech\0", "monitor\0", "volition\0", "kermit\0", "dhs3mt\0", "at4400\0", "mtch\0", "switch\0", "permit\0", "manager\0", "apc\0", "epicrouter\0", "atlantis\0", "super\0", "HTTP\0", "xbox\0", "smcadmin\0"};

/* Sum the lengths of the strings in a table; the loop keeps a run-time reference to the table, which is what the axt check needs to see. */
static size_t total_len(char **table, size_t count)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += strlen(table[i]);
    return total;
}

int main(void)
{
    /* strlen() on the array itself (as in the original post) is undefined; count the entries with sizeof instead */
    size_t size_usernames = total_len(usernames, sizeof(usernames) / sizeof(usernames[0]));
    size_t size_passwords = total_len(passwords, sizeof(passwords) / sizeof(passwords[0]));
    printf("size of username: %zu, size of password: %zu\n", size_usernames, size_passwords);
    return 0;
}

When I analyse it in IDA I find the "passwords" (with an s) object at address 080ED140 in .data, but in radare2:

[0x08048a8d]> izz | grep passwords
vaddr=0x000072c8 paddr=0x000b5254 ordinal=9014 sz=10 len=9 section=.strtab type=ascii string=passwords

Strange vaddr... so axt failed:

[0x08048a8d]> axt 0x000072c8

But with the IDA address it runs fine:

[0x08048a8d]> axt 0x080ED140
d 0x8048be3 push obj.passwords
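
The reference pattern this issue describes (a string in .rodata, pointed to by a table slot in .data, whose base is baked into the mov eax, commServer[eax*4] in .text) as a byte-level pointer scan, added here as an example that is not from the thread or from radare2. The section bytes are constructed to match the addresses quoted above; the scan is a crude stand-in for the esil-style analysis axt would need, and it only finds the code reference when the string sits in slot 0 so that slot address and table base coincide.

```python
import struct

# Constructed mini-image mirroring the layout quoted in the issue (sample
# bytes, not the real binary): the string at 0x0805d120 in .rodata, a
# pointer table (commServer) at 0x08060B40 in .data whose first slot holds
# the string's address, and at 0x0804D889 in .text the instruction
# mov eax, [eax*4 + 0x08060B40] (8B 04 85 followed by the table base as disp32).
STRING_VA = 0x0805D120
TABLE_VA = 0x08060B40
INSN_VA = 0x0804D889

SECTIONS = {
    ".text": (INSN_VA, b"\x8b\x04\x85" + struct.pack("<I", TABLE_VA) + b"\xc3"),
    ".rodata": (STRING_VA, b"192.3.207.242:7632\x00"),
    ".data": (TABLE_VA, struct.pack("<III", STRING_VA, 0, 0)),
}


def find_refs(sections, target):
    """Return (section, va) for every 32-bit little-endian word equal to target.

    The scan is byte-granular and knows nothing about instruction boundaries,
    so a hit inside .text is the address of the immediate, not of the
    instruction, and any 4 bytes that happen to match are a false positive.
    """
    needle = struct.pack("<I", target)
    hits = []
    for name, (base, data) in sections.items():
        i = data.find(needle)
        while i != -1:
            hits.append((name, base + i))
            i = data.find(needle, i + 1)
    return hits


def xref_chain(sections, target):
    """Two-level data xref: which slots point at target, and who references
    each slot's address (for a table indexed from slot 0 that is the base
    baked into the indexing instruction)."""
    return [
        {"slot": (sec, slot_va), "slot_refs": find_refs(sections, slot_va)}
        for sec, slot_va in find_refs(sections, target)
    ]


if __name__ == "__main__":
    for link in xref_chain(SECTIONS, STRING_VA):
        sec, va = link["slot"]
        print(f"0x{STRING_VA:08x} <- {sec} slot at 0x{va:08x}")
        for ref_sec, ref_va in link["slot_refs"]:
            print(f"    slot address used at {ref_sec} 0x{ref_va:08x} (inside an instruction)")
```

On the constructed bytes the .text hit lands at 0x0804D88C, three bytes past the instruction start the issue quotes, because the immediate begins after the 8B 04 85 prefix.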

Maijin commented 7 years ago

This is fixed in fact, but jumptable needs to be tested and then enabled by default both in anal and graph; there are others tracking this.