radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Jumptables detected as functions in twain_32.dll #7435

Open pinkflawd opened 7 years ago

pinkflawd commented 7 years ago

When analyzing twain_32.dll with the config anal.hasnext = true, a lot more legitimate functions are detected than without; however, a jumptable is also analyzed as a function. See below; 0x66204a6d is the jumptable offset.

I have seen this happen with a number of other binaries & jumptables.

[0x6620b550]> pd 10 @ 0x66204a6d
/ (fcn) fcn.66204a6d 80
|   fcn.66204a6d ();
|              ; JMP XREF from 0x66204971 (fcn.6620494d)
|              ; DATA XREF from 0x66204971 (fcn.6620494d)
|       ,=< 0x66204a6d      7849           js 0x66204ab8
|       |   0x66204a6f      206697         and byte [esi - 0x69], ah
|       |   0x66204a72      49             dec ecx
|       |   0x66204a73      20669e         and byte [esi - 0x62], ah
|       |   0x66204a76      49             dec ecx
|       |   0x66204a77      2066a5         and byte [esi - 0x5b], ah
|       |   0x66204a7a      49             dec ecx
|       |   0x66204a7b      2066ac         and byte [esi - 0x54], ah
|       |   0x66204a7e      49             dec ecx
|       |   0x66204a7f      2066b3         and byte [esi - 0x4d], ah
[0x6620b550]> axt @ 0x66204a6d
code 0x66204971 jmp dword [eax*4 + fcn.66204a6d] in fcn.6620494d
data 0x66204971 jmp dword [eax*4 + fcn.66204a6d] in fcn.6620494d

Attachment: twain_32.dll.zip (password: infected)
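
The listing above is enough to show why 0x66204a6d is data rather than code: read the bytes at the xref target as little-endian dwords and every one of them is an address just after the `jmp dword [eax*4 + ...]` inside fcn.6620494d, spaced seven bytes apart like switch case bodies. The following script is an added example (not radare2 code and not from anyone in this thread) that applies that check to the 24 bytes from the `pd 10` output and emits the radare2 commands that would undo the bogus function. The end of fcn.6620494d is not given in the issue, so the script assumes the function runs up to the table; the trailing prologue bytes are appended only to show where the scan stops.

```python
import struct

# Constructed sample: the 24 bytes radare2 listed at 0x66204a6d in the issue
# (the js/and/dec sequence), followed by five bytes of a typical x86 prologue
# (mov edi,edi; push ebp; mov ebp,esp). The prologue bytes are NOT from the
# DLL; they are appended so the example shows the scan terminating.
TABLE_ADDR = 0x66204A6D
SAMPLE = bytes.fromhex(
    "78492066" "97492066" "9e492066" "a5492066" "ac492066" "b3492066"
    "8bff558bec"
)

# The dispatching function in the issue is fcn.6620494d; the jmp that indexes
# the table sits at 0x66204971. The function's end address is not shown, so
# this example assumes (assumption) it extends up to the table itself.
FUNC_START = 0x6620494D
FUNC_END = TABLE_ADDR


def read_jumptable(data, base, lo, hi, max_entries=64):
    """Read consecutive little-endian dword pointers from `data` (mapped at
    `base`) and stop at the first value outside [lo, hi).
    Returns a list of (entry_address, target) tuples."""
    entries = []
    for off in range(0, min(len(data) - 3, max_entries * 4), 4):
        (target,) = struct.unpack_from("<I", data, off)
        if not (lo <= target < hi):
            break
        entries.append((base + off, target))
    return entries


def looks_like_jumptable(entries, min_entries=3):
    """A run of at least `min_entries` pointers into one function, in
    ascending order, is far more likely a switch table than real code."""
    targets = [t for _, t in entries]
    return len(targets) >= min_entries and targets == sorted(targets)


def r2_fixup_commands(table_addr, entries):
    """Radare2 commands that repair the analysis: `af-` removes the function
    defined at the table address, `Cd 4` marks each entry as 4-byte data."""
    cmds = [f"af- 0x{table_addr:x}"]
    cmds += [f"Cd 4 @ 0x{addr:x}" for addr, _ in entries]
    return cmds


if __name__ == "__main__":
    ents = read_jumptable(SAMPLE, TABLE_ADDR, FUNC_START, FUNC_END)
    for addr, target in ents:
        print(f"0x{addr:x} -> 0x{target:x}")
    print("jumptable:", looks_like_jumptable(ents))
    print("\n".join(r2_fixup_commands(TABLE_ADDR, ents)))
```

Run against the sample, the scanner recovers six targets (0x66204978 through 0x662049b3) and stops at the prologue bytes, whose dword value 0x8b55ff8b falls outside the function. The same read-and-range-check is what an analyzer would have to do at a `jmp dword [reg*4 + table]` before letting anal.hasnext treat the bytes after the previous function as a new one.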

pinkflawd commented 7 years ago

Same case at 0x66203e5d

alvarofe commented 7 years ago

Try with e anal.jmptbl=true; it is going to spit out r2 commands. This was an experiment by pancake that must be improved. I will try to take a look in the following days since I need this as well for other stuff. However, 0x66204a6d is still a function.

[screenshot attached]

pinkflawd commented 7 years ago

Yup, tried jmptbl, doesn't change the issue, e anal.hasnext = true is the troublemaker in this case :)

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.

trufae commented 4 years ago

The analysis issue for this binary has been fixed already. I have tried with hasnext enabled and disabled, and in both cases the control flow is correct. We will need to add 2 tests for this (with and without hasnext), but I have some questions here:

Thanks for reporting!!

Also, I have the idea that if we submit and associate tests to specific issues, it will be possible to automatically add feedback to the issues when the specific test is fixed, because, like in this case, the analysis bug was fixed by fixing another problem.