search

radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0
20.66k stars 3k forks source link

Code being interpreted as data in MIPS(el) after 'aav' #7466

Open hummypkg opened 7 years ago

hummypkg commented 7 years ago

With the latest git version, I'm seeing a lot of cases where code is being flagged as data when analysing a MIPS or MIPSel binary. For example, see the four places where this has happened in this small function:

[0x00413aa0]> pdf @ 0x0060b6e8
/ (fcn) fcn.0060b6e8 180
|   fcn.0060b6e8 ();
|           ; var int local_18h @ sp+0x18
|           ; var int local_1ch @ sp+0x1c
|           ; var int local_20h @ sp+0x20
|           0x0060b6e8      d8ffbd27       addiu sp, sp, -0x28
|           0x0060b6ec      1800b0af       sw s0, 0x18(sp)
|           0x0060b6f0      2000bfaf       sw ra, 0x20(sp)
|           0x0060b6f4      1c00b1af       sw s1, 0x1c(sp)
|           0x0060b6f8      14008290       lbu v0, 0x14(a0)
|           0x0060b6fc      21808000       move s0, a0
|       ,=< 0x0060b700      09004510       beq v0, a1, 0x60b728
|       |   0x0060b704      1c00848c       lw a0, 0x1c(a0)
|       |   0x0060b708      01000224       addiu v0, zero, 1
|      ,==< 0x0060b70c      0d00a210       beq a1, v0, 0x60b744
|      ||   0x0060b710      21180000       move v1, zero
|      ||   0x0060b714      e845100c       jal sym.imp.unlink          ; int unlink(const char *path)
|      ||   0x0060b718      00000000       nop
|     ,===< 0x0060b71c      10004014       bnez v0, 0x60b760
|     |||   0x0060b720      00000000       nop
|     |||   0x0060b724      140000a2       sb zero, 0x14(s0)
|    .--`-> 0x0060b728      21180000       move v1, zero
|   .---.-> 0x0060b72c      2000bf8f       lw ra, 0x20(sp)
|  .------> 0x0060b730      1c00b18f       lw s1, 0x1c(sp)
|  ||||||   0x0060b734      1800b08f       lw s0, 0x18(sp)
|  ||||||   0x0060b738      21106000       move v0, v1
|  ||||||   0x0060b73c      0800e003       jr ra
|  ||||||   0x0060b740      2800bd27       addiu sp, sp, 0x28          ; '('
|  ||||`--> 0x0060b744      140005a2       sb a1, 0x14(s0)
|  |||| |   0x0060b748      2000bf8f       lw ra, 0x20(sp)
|  |||| |   0x0060b74c      1c00b18f       lw s1, 0x1c(sp)
|  |||| |   0x0060b750      1800b08f       lw s0, 0x18(sp)
|  |||| |   0x0060b754      21106000       move v0, v1
|  |||| |   0x0060b758      0800e003       jr ra
|  |||| |   0x0060b75c      2800bd27       addiu sp, sp, 0x28          ; '('
|  |||`---> 0x0060b760      a04a100c       jal sym.imp.__errno_location
|  |||  |   0x0060b764      00000000       nop
|  |||  |   0x0060b768      0000518c       lw s1, (v0)
|  |||  |   0x0060b76c      02000224       addiu v0, zero, 2
|  ||`====< 0x0060b770      edff2212       beq s1, v0, 0x60b728
|  ||   |   0x0060b774      21202002       move a0, s1
|  ||   |   0x0060b778      10cf160c       jal fcn.005b3c40
|  ||   |   0x0060b77c      0a080524       addiu a1, zero, 0x80a
|  |`=====< 0x0060b780      eaff4010       beqz v0, 0x60b72c
|  |    |   0x0060b784      21184000       move v1, v0
|  |    |   0x0060b788      05000224       addiu v0, zero, 5
|  `======< 0x0060b78c      e8ff6210       beq v1, v0, 0x60b730
|       |   0x0060b790      2000bf8f       lw ra, 0x20(sp)
|       `=< 0x0060b794      cb2d1808       j 0x60b72c
\           0x0060b798      180011ae       sw s1, 0x18(s0)

[0x00413aa0]> aav @ 0x0060b6e8
aav: using from to 0x400000 0xa9b990
Using vmin 0x400000 and vmax 0xdcbe3c
[0x00413aa0]> pdf @ 0x0060b6e8

/ (fcn) fcn.0060b6e8 180
|   fcn.0060b6e8 ();
|           ; var int local_18h @ sp+0x18
|           ; var int local_1ch @ sp+0x1c
|           ; var int local_20h @ sp+0x20
|           0x0060b6e8      d8ffbd27       addiu sp, sp, -0x28
|           0x0060b6ec      1800b0af       sw s0, 0x18(sp)
|           0x0060b6f0      2000bfaf       sw ra, 0x20(sp)
|           0x0060b6f4      1c00b1af       sw s1, 0x1c(sp)
|           0x0060b6f8      14008290       lbu v0, 0x14(a0)
|           0x0060b6fc      .dword 0x00808021 ; sym.0x00808021
|           0x0060b700      09004510       beq v0, a1, 0x60b728
|           0x0060b704      1c00848c       lw a0, 0x1c(a0)
|           0x0060b708      01000224       addiu v0, zero, 1
|       ,=< 0x0060b70c      0d00a210       beq a1, v0, 0x60b744
|       |   0x0060b710      21180000       move v1, zero
|       |   0x0060b714      e845100c       jal sym.imp.unlink          ; int unlink(const char *path)
|       |   0x0060b718      00000000       nop
|      ,==< 0x0060b71c      10004014       bnez v0, 0x60b760
|      ||   0x0060b720      00000000       nop
|      ||   0x0060b724      140000a2       sb zero, 0x14(s0)
|     .---> 0x0060b728      21180000       move v1, zero
|   ..----> 0x0060b72c      2000bf8f       lw ra, 0x20(sp)
|  .------> 0x0060b730      1c00b18f       lw s1, 0x1c(sp)
|  ||||||   0x0060b734      1800b08f       lw s0, 0x18(sp)
|  ||||||   0x0060b738      .dword 0x00601021 ; sym.0x00601021
|  ||||||   0x0060b73c      0800e003       jr ra
|  ||||||   0x0060b740      2800bd27       addiu sp, sp, 0x28          ; '('
|  |||||`-> 0x0060b744      140005a2       sb a1, 0x14(s0)
|  |||||    0x0060b748      2000bf8f       lw ra, 0x20(sp)
|  |||||    0x0060b74c      1c00b18f       lw s1, 0x1c(sp)
|  |||||    0x0060b750      1800b08f       lw s0, 0x18(sp)
|  |||||    0x0060b754      .dword 0x00601021 ; sym.0x00601021
|  |||||    0x0060b758      0800e003       jr ra
|  |||||    0x0060b75c      2800bd27       addiu sp, sp, 0x28          ; '('
|  ||||`--> 0x0060b760      a04a100c       jal sym.imp.__errno_location
|  ||||     0x0060b764      00000000       nop
|  ||||     0x0060b768      0000518c       lw s1, (v0)
|  ||||     0x0060b76c      02000224       addiu v0, zero, 2
|  |||`===< 0x0060b770      edff2212       beq s1, v0, 0x60b728
|  |||      0x0060b774      21202002       move a0, s1
|  |||      0x0060b778      10cf160c       jal fcn.005b3c40
|  |||      0x0060b77c      0a080524       addiu a1, zero, 0x80a
|  |`=====< 0x0060b780      eaff4010       beqz v0, 0x60b72c
|  | |      0x0060b784      .dword 0x00401821 ; sym.0x00401821
|  | |      0x0060b788      05000224       addiu v0, zero, 5
|  `======< 0x0060b78c      e8ff6210       beq v1, v0, 0x60b730
|    |      0x0060b790      2000bf8f       lw ra, 0x20(sp)
|    `====< 0x0060b794      cb2d1808       j 0x60b72c
\           0x0060b798      180011ae       sw s1, 0x18(s0)
radare commented 7 years ago

yep thats “expected”. because mips compilers mix code and data pointers in the same section. so… what do you think it would be the best way to remove those false positives of aav?

On 10 May 2017, at 11:06, hummypkg notifications@github.com wrote:

With the latest git version, I'm seeing a lot of cases where code is being flagged as data when analysing a MIPS or MIPSel binary. For example, see the four places where this has happened in this small function:

[0x00413aa0]> pdf @ 0x0060b6e8 / (fcn) fcn.0060b6e8 180 | fcn.0060b6e8 (); | ; var int local_18h @ sp+0x18 | ; var int local_1ch @ sp+0x1c | ; var int local_20h @ sp+0x20 | 0x0060b6e8 d8ffbd27 addiu sp, sp, -0x28 | 0x0060b6ec 1800b0af sw s0, 0x18(sp) | 0x0060b6f0 2000bfaf sw ra, 0x20(sp) | 0x0060b6f4 1c00b1af sw s1, 0x1c(sp) | 0x0060b6f8 14008290 lbu v0, 0x14(a0) | 0x0060b6fc 21808000 move s0, a0 | ,=< 0x0060b700 09004510 beq v0, a1, 0x60b728 | | 0x0060b704 1c00848c lw a0, 0x1c(a0) | | 0x0060b708 01000224 addiu v0, zero, 1 | ,==< 0x0060b70c 0d00a210 beq a1, v0, 0x60b744 | || 0x0060b710 21180000 move v1, zero | || 0x0060b714 e845100c jal sym.imp.unlink ; int unlink(const char *path) | || 0x0060b718 00000000 nop | ,===< 0x0060b71c 10004014 bnez v0, 0x60b760 | ||| 0x0060b720 00000000 nop | ||| 0x0060b724 140000a2 sb zero, 0x14(s0) | .---> 0x0060b728 21180000 move v1, zero | .---.-> 0x0060b72c 2000bf8f lw ra, 0x20(sp) | .------> 0x0060b730 1c00b18f lw s1, 0x1c(sp) | |||||| 0x0060b734 1800b08f lw s0, 0x18(sp) | |||||| 0x0060b738 21106000 move v0, v1 | |||||| 0x0060b73c 0800e003 jr ra | |||||| 0x0060b740 2800bd27 addiu sp, sp, 0x28 ; '(' | ||||--> 0x0060b744 140005a2 sb a1, 0x14(s0) | |||| | 0x0060b748 2000bf8f lw ra, 0x20(sp) | |||| | 0x0060b74c 1c00b18f lw s1, 0x1c(sp) | |||| | 0x0060b750 1800b08f lw s0, 0x18(sp) | |||| | 0x0060b754 21106000 move v0, v1 | |||| | 0x0060b758 0800e003 jr ra | |||| | 0x0060b75c 2800bd27 addiu sp, sp, 0x28 ; '(' | |||---> 0x0060b760 a04a100c jal sym.imp.__errno_location | ||| | 0x0060b764 00000000 nop | ||| | 0x0060b768 0000518c lw s1, (v0) | ||| | 0x0060b76c 02000224 addiu v0, zero, 2 | ||====< 0x0060b770 edff2212 beq s1, v0, 0x60b728 | || | 0x0060b774 21202002 move a0, s1 | || | 0x0060b778 10cf160c jal fcn.005b3c40 | || | 0x0060b77c 0a080524 addiu a1, zero, 0x80a | |=====< 0x0060b780 eaff4010 beqz v0, 0x60b72c | | | 0x0060b784 21184000 move v1, v0 | | | 0x0060b788 05000224 addiu v0, zero, 5 |======< 0x0060b78c e8ff6210 beq v1, v0, 0x60b730 | | 0x0060b790 2000bf8f lw ra, 0x20(sp) | `=< 0x0060b794 cb2d1808 j 0x60b72c \ 0x0060b798 180011ae sw s1, 0x18(s0)

[0x00413aa0]> aav @ 0x0060b6e8 aav: using from to 0x400000 0xa9b990 Using vmin 0x400000 and vmax 0xdcbe3c [0x00413aa0]> pdf @ 0x0060b6e8

/ (fcn) fcn.0060b6e8 180 | fcn.0060b6e8 (); | ; var int local_18h @ sp+0x18 | ; var int local_1ch @ sp+0x1c | ; var int local_20h @ sp+0x20 | 0x0060b6e8 d8ffbd27 addiu sp, sp, -0x28 | 0x0060b6ec 1800b0af sw s0, 0x18(sp) | 0x0060b6f0 2000bfaf sw ra, 0x20(sp) | 0x0060b6f4 1c00b1af sw s1, 0x1c(sp) | 0x0060b6f8 14008290 lbu v0, 0x14(a0) | 0x0060b6fc .dword 0x00808021 ; sym.0x00808021 | 0x0060b700 09004510 beq v0, a1, 0x60b728 | 0x0060b704 1c00848c lw a0, 0x1c(a0) | 0x0060b708 01000224 addiu v0, zero, 1 | ,=< 0x0060b70c 0d00a210 beq a1, v0, 0x60b744 | | 0x0060b710 21180000 move v1, zero | | 0x0060b714 e845100c jal sym.imp.unlink ; int unlink(const char *path) | | 0x0060b718 00000000 nop | ,==< 0x0060b71c 10004014 bnez v0, 0x60b760 | || 0x0060b720 00000000 nop | || 0x0060b724 140000a2 sb zero, 0x14(s0) | .---> 0x0060b728 21180000 move v1, zero | ..----> 0x0060b72c 2000bf8f lw ra, 0x20(sp) | .------> 0x0060b730 1c00b18f lw s1, 0x1c(sp) | |||||| 0x0060b734 1800b08f lw s0, 0x18(sp) | |||||| 0x0060b738 .dword 0x00601021 ; sym.0x00601021 | |||||| 0x0060b73c 0800e003 jr ra | |||||| 0x0060b740 2800bd27 addiu sp, sp, 0x28 ; '(' | |||||-> 0x0060b744 140005a2 sb a1, 0x14(s0) | ||||| 0x0060b748 2000bf8f lw ra, 0x20(sp) | ||||| 0x0060b74c 1c00b18f lw s1, 0x1c(sp) | ||||| 0x0060b750 1800b08f lw s0, 0x18(sp) | ||||| 0x0060b754 .dword 0x00601021 ; sym.0x00601021 | ||||| 0x0060b758 0800e003 jr ra | ||||| 0x0060b75c 2800bd27 addiu sp, sp, 0x28 ; '(' | ||||--> 0x0060b760 a04a100c jal sym.imp.__errno_location | |||| 0x0060b764 00000000 nop | |||| 0x0060b768 0000518c lw s1, (v0) | |||| 0x0060b76c 02000224 addiu v0, zero, 2 | |||===< 0x0060b770 edff2212 beq s1, v0, 0x60b728 | ||| 0x0060b774 21202002 move a0, s1 | ||| 0x0060b778 10cf160c jal fcn.005b3c40 | ||| 0x0060b77c 0a080524 addiu a1, zero, 0x80a | |=====< 0x0060b780 eaff4010 beqz v0, 0x60b72c | | | 0x0060b784 .dword 0x00401821 ; sym.0x00401821 | | | 0x0060b788 05000224 addiu v0, zero, 5 | ======< 0x0060b78c e8ff6210 beq v1, v0, 0x60b730 | | 0x0060b790 2000bf8f lw ra, 0x20(sp) |====< 0x0060b794 cb2d1808 j 0x60b72c \ 0x0060b798 180011ae sw s1, 0x18(s0) — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/radare/radare2/issues/7466, or mute the thread https://github.com/notifications/unsubscribe-auth/AA3-lu7BvyoA2mvN4BVKU75_elX7E7Tdks5r4X4hgaJpZM4NWYFl.

hummypkg commented 7 years ago

I think that would take heuristics to see if it's just one reference in the middle of a function that isn't jumped over. anal.vinfun=false will do me for now though, thanks for the response.

Maijin commented 7 years ago

Can you share the binary

Maijin commented 7 years ago

at least

hummypkg commented 7 years ago

http://hpkg.tv/misc/7466.gz

radare commented 7 years ago

Dont close it. Its a false positive that must be fixed

On 10 May 2017, at 16:45, Maijin notifications@github.com wrote:

Closed #7466.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

Maijin commented 7 years ago

Use github to upload next time 7466.gz

radare commented 7 years ago

ping? any idea?

alvarofe commented 7 years ago

This is similar to https://github.com/radare/radare2/issues/6653 where in that case vinfun=true was the solution. I would say is not that easy to fix, but would be great to have a binary to test.

Maijin commented 7 years ago

@alvarofe the binary is in the issue

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.