radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Analysis: missing xrefs on MIPS binaries #8245

Open enovella opened 6 years ago

enovella commented 6 years ago

Hi,

Problem

Apparently, after analysis some MIPS binaries do not contain xrefs to strings.

Radare2 pulled from Git

[22:54  tmp] > r2 -v
radare2 1.7.0-git 15624 @ linux-x86-64 git.1.6.0-385-g622df1f
commit: 622df1fdce6877d214826388cbaa419241031d8f build: 2017-08-19__18:21:31

Analysis

[22:54  tmp] > r2 libminiupnpd.so 
 -- r2 talks to you. tries to make you feel well.
[0x000017b0]> aaaa
[read errro all flags starting with sym. and entry0 (aa)
Cannot find function 'entry0' at 0x000017b0
read errro
read errro
read errro
(the "read errro" line repeats, 125 times in total)
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ] 
[aav: using from to 0x0 0x9a28
Using vmin 0xf4 and vmax 0x18d40
aav: using from to 0x0 0x9a28
Using vmin 0xf4 and vmax 0x18d40
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Emulate code to find computed references (aae)
[read errro consecutive function (aat)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
[0x000017b0]> 

Missing xrefs to strings

[0x000075d0]> izq
0x75d0 50 49 Failed to open socket for receiving SSDP. EXITING
0x7604 17 16 socket(http): %m
0x7618 35 34 setsockopt(http, SO_REUSEADDR): 
[0x000017b0]> s 0x75d0
[0x000075d0]> pd 5
            ;-- str.Failed_to_open_socket_for_receiving_SSDP._EXITING:
            ;-- section_end..fini:
            ;-- section..rodata:
            0x000075d0     .string "Failed to open socket for receiving SSDP. EXITING" ; len=50 ; section 13 va=0x000075d0 pa=0x000075d0 sz=5152 vsz=5152 rwx=--r-- .rodata
            0x00007602      0000           unaligned
            0x00007603      00             unaligned
            ;-- str.socket_http_:__m:
            0x00007604     .string "socket(http): %m" ; len=17
            0x00007615      353135         unaligned
[0x000075d0]> 

MIPS binary to reproduce

libminiupnpd.so.zip

Cheers

XVilka commented 6 years ago

Hi! It's a known bug caused by migrating to siol. Currently ESIL is broken.

enovella commented 6 years ago

Hi @XVilka ,

it is not only the read errro message but also the missing xrefs to strings on MIPS binaries. This problem was found a month ago already.

Best, enovella

radare commented 6 years ago

We are doing tons of breaking changes because there is no tomorrow.

Roll back some commits; if it was happening then, it's an issue; if not, just keep calm and wait a bit.

enovella commented 6 years ago

Hi @radare,

the issue was indeed happening a while ago. Also, totally understandable other priorities to be fixed first. :)

Cheers, enovella

radare commented 6 years ago

Did you try just with aav?

enovella commented 6 years ago

Hi @radare ,

aav was tried with no luck in an old r2 installation (some months). Xrefs to strings are still missing.

Cheers

radare commented 6 years ago

That's because anal.gp points to unallocated memory. This depends on the loc._gp symbol, which is wrong... or needs to be modified somehow. Any pointers here? Can you check what other tools do in this case?

If I adjust anal.gp to be 0x18a40 (instead of 0x20a40), which is inside the allocated memory, I get a bunch of string references in the disassembly.

radare commented 6 years ago

(screenshot attached, 2017-08-25 18:26:27)

enovella commented 6 years ago

Hi @radare,

Sorry for my little delay :). There's odd behaviour when printing xrefs in the binary. For instance:

We try to obtain xrefs for the first string, but we do not see any XREF on the string below.

Flags in flagspace 'strings'. Press '?' for help.

 >  000 0x000075d0   50 str.Failed_to_open_socket_for_receiving_SSDP._EXITING
    001 0x00007604   17 str.socket_http_:__m
    002 0x00007618   35 str.setsockopt_http__SO_REUSEADDR_:__m
    003 0x0000763c   15 str.bind_http_:__m
    004 0x0000764c   17 str.listen_http_:__m
    005 0x00007660   40 str.Failed_to_open_socket_for_HTTP._EXITING
    006 0x00007688   64 str.Failed_to_open_socket_for_sending_SSDP_notify_messages._EXITING
    007 0x000076c8   19 str.gettimeofday__:__m
    008 0x000076dc   16 str.select_all_:__m
    009 0x000076ec   32 str.Failed_to_select_open_sockets.
    010 0x0000770c   17 str.accept_http_:__m
    011 0x00007720   27 str.HTTP_connection_from__s:_d
    012 0x0000773c   22 str.New_upnphttp___failed
    013 0x00007754   43 str.Failed_to_broadcast_good_bye_notifications

 Selected: str.Failed_to_open_socket_for_receiving_SSDP._EXITING

            ;-- str.Failed_to_open_socket_for_receiving_SSDP._EXITING:
            ;-- section_end..fini:
            ;-- section..rodata:
            0x000075d0     .string "Failed to open socket for receiving SSDP. EXITING" ; len=50 ; section 13 va=0x000075d0 pa=0x000075d0 sz=5152 vsz=5152 rwx=--r-- .rodata
            0x00007602      0000           unaligned
            0x00007603      00             unaligned
            ;-- str.socket_http_:__m:
            0x00007604     .string "socket(http): %m" ; len=17
            0x00007615      000000         unaligned
            0x00007616      0000           unaligned
            0x00007617      00             unaligned

However, when manually jumping into the code that should have the xref, we see the xref in there:

[0x000075d0]> s 0x000022f8
[0x000022f8]> pd 5
|           0x000022f8      24a575d0       addiu a1, a1, str.Failed_to_open_socket_for_receiving_SSDP._EXITING
|           0x000022fc      24020001       addiu v0, zero, 1
|           0x00002300      8fbf01ac       lw ra, 0x1ac(sp)
|           0x00002304      8fbe01a8       lw fp, 0x1a8(sp)
|           0x00002308      8fb701a4       lw s7, 0x1a4(sp)

Regarding the global pointer pointing to unallocated memory, I need more time to analyze it. But I can confirm that the strings you were showing me in the screenshot appear without adjusting the $gp; they are shown just by analyzing the binary with aa.

Will try to find some time to clearly spot the issue. Also, checking other binaries (attached goahead.zip) proves that xrefs are missing.

Cheers.

goahead.zip

radare commented 6 years ago

Then it's just a matter of solving the refs, but if they are shown in the disasm it's just 50% of the issue :P

I'm quite busy right now, but that should be easy to fix; maybe it gets fixed with other regressions in io.

enovella commented 6 years ago

I realized that the same issue occurs on ARM32 binaries. At least, when r2-ing the crackme "validate" of the OWASP crackmes.

Binary: validate https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/License_01

enovella commented 6 years ago

Any progress so far on this topic? I see similar issue at https://github.com/radare/radare2/issues/8795

Maijin commented 6 years ago

https://github.com/radare/radare2-regressions/blob/master/t.anal/mips/mips-ref#L31 Creating a test would speed up the process and ensure no regression @enovella

SrimantaBarua commented 6 years ago

aa, aar etc. don't handle R_ANAL_OP_TYPE_ADD and so on for refs, so addui etc. aren't resolved correctly, if at all. IIRC disasm checks refs, then falls back to checking the immediate value for a null-terminated string. That's why strings are seen in disasm.

Should this be added to aa? Problem with adding this is that lots of incorrect refs will be generated for all add-type ops.

radare commented 6 years ago

Add by itself is useless. You need more context to do so, and this context is provided by esil emulation. Aka aae, /re, and others

SrimantaBarua commented 6 years ago

In this case, the immediate value in the addui points to the string. Esil emulation helps with indirect references, but I don't see why it's needed here.

radare commented 6 years ago

Wat? Addui sums a delta to a base address. If you don't know that base address, computed in previous instructions, it will not work.

SrimantaBarua commented 6 years ago

Yep. I was talking about the examples by @enovella

At 0x2ff8, the instruction is addiu a1, a1, 0x75d0. 0x75d0 points to the string "Failed to open ... ". The disassembly resolves it to addiu a1, a1, str.Failed... But doesn't generate a ref.

Agreed that it makes more sense to generate a ref if the result of the add points to a string. But should this generate a ref too? If yes, then this case doesn't need emulation since it's in the immediate value.
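
An added example (not radare2's code) that ties together radare's point about anal.gp pointing outside allocated memory and the addiu discussion in this comment: a small forward tracker that turns an addiu/ori/lw immediate into a data reference only when the base register's value is known from a preceding lui (or a trusted $gp), with %lo sign-extended, plus a plausibility check of a candidate $gp against the range aav reported (vmin 0xf4, vmax 0x18d40). Only the word 0x24a575d0 (addiu a1, a1, 0x75d0 at 0x22f8) and the .rodata range (0x75d0, size 5152) come from the issue; every other instruction word, the function address 0x22a0 and the _gp_disp value are constructed for illustration, and the encodings assume big-endian MIPS32.

```python
"""Added example, not radare2's code: resolve MIPS32 lui/addiu pairs with the
register context an analysis pass needs, and sanity-check a $gp candidate.
Big-endian MIPS32 words; only 0x24a575d0 at 0x22f8 is from the issue."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
T9, GP = 25, 28
OP_SPECIAL, OP_ADDIU, OP_ORI, OP_LUI, OP_LW = 0x00, 0x09, 0x0d, 0x0f, 0x23
FUNCT_ADDU = 0x21

# From the report: .rodata at va 0x75d0, size 5152; aav printed vmin 0xf4 / vmax 0x18d40.
RODATA = (0x75d0, 0x75d0 + 5152)
LOADED = (0xf4, 0x18d40)


def sext16(imm: int) -> int:
    """addiu/lw immediates are signed: a %lo >= 0x8000 means %hi was bumped by one."""
    return imm - 0x10000 if imm & 0x8000 else imm


@dataclass
class DataRef:
    insn_addr: int   # instruction that materialises the pointer
    target: int      # the computed pointer
    base_reg: str    # register that supplied the base (lui result, or gp)


def track(words: List[int], base: int, known: Dict[int, int],
          data: Tuple[int, int] = RODATA) -> Tuple[Dict[int, int], List[DataRef]]:
    """Forward pass over one straight-line block. 'known' maps register number to a
    concrete value. An addiu/ori/lw whose base register is unknown yields no ref:
    the immediate on its own is a delta, not an address."""
    known = dict(known)
    refs: List[DataRef] = []
    lo, hi = data
    for i, w in enumerate(words):
        pc = base + 4 * i
        op, rs, rt, imm = w >> 26, (w >> 21) & 0x1f, (w >> 16) & 0x1f, w & 0xffff
        if op == OP_LUI:
            known[rt] = (imm << 16) & 0xffffffff
        elif op == OP_SPECIAL:
            rd = (w >> 11) & 0x1f
            if (w & 0x3f) == FUNCT_ADDU and rs in known and rt in known:
                known[rd] = (known[rs] + known[rt]) & 0xffffffff
            else:
                known.pop(rd, None)        # other R-type: destination becomes unknown
        elif op in (OP_ADDIU, OP_ORI, OP_LW):
            if rs not in known:
                known.pop(rt, None)        # base unknown -> result unknown, no ref
                continue
            if op == OP_ORI:
                val = known[rs] | imm
            else:
                val = (known[rs] + sext16(imm)) & 0xffffffff
            if lo <= val < hi:
                refs.append(DataRef(pc, val, REGS[rs]))
            if op == OP_LW:
                known.pop(rt, None)        # loaded word is not modelled here
            else:
                known[rt] = val
        else:
            known.pop(rt, None)            # conservative: forget rt for anything else
    return known, refs


def gp_from_prologue(fn_addr: int, prologue: List[int]) -> int:
    """PIC MIPS prologue 'lui gp,%hi(_gp_disp); addiu gp,gp,%lo(_gp_disp); addu gp,gp,t9'
    with t9 == the function's own address gives the $gp that function uses."""
    known, _ = track(prologue, fn_addr, {T9: fn_addr})
    return known[GP]


def gp_is_plausible(gp: int, loaded: Tuple[int, int] = LOADED) -> bool:
    """A $gp outside the mapped range cannot produce usable gp-relative refs."""
    return loaded[0] <= gp < loaded[1]


def demo() -> Tuple[List[DataRef], int]:
    block = [
        0x3c050000,  # lui   a1, 0            (constructed: high half of 0x75d0)
        0x24a575d0,  # addiu a1, a1, 0x75d0   (from the report, lands at 0x22f8)
        0x3c060001,  # lui   a2, 1            (constructed: target 0x8010 has %lo >= 0x8000)
        0x24c68010,  # addiu a2, a2, 0x8010   (0x10000 + sext16(0x8010) == 0x8010)
        0x24e77604,  # addiu a3, a3, 0x7604   (constructed: no lui, base unknown, no ref)
    ]
    _, refs = track(block, 0x22f4, {})
    # Constructed prologue for a function at 0x22a0 with _gp_disp = 0x167a0.
    prologue = [0x3c1c0001, 0x279c67a0, 0x0399e021]
    return refs, gp_from_prologue(0x22a0, prologue)


if __name__ == "__main__":
    found, gp = demo()
    for r in found:
        print(f"0x{r.insn_addr:08x} -> 0x{r.target:x} via {r.base_reg}")
    for cand in (0x20a40, gp):
        print(f"gp 0x{cand:x} inside loaded range: {gp_is_plausible(cand)}")
```

The third addiu in the block has a string address as its immediate yet produces no reference, which is the distinction being argued here: the immediate is only meaningful once the base register is known, whether from a lui pair or from a $gp that actually lies inside the mapped image.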

ret2libc commented 4 years ago

Hi! A lot has changed since you opened this issue. Could you please double-check whether the problem is still there? If not, please close this issue, otherwise just leave a comment here. Thanks again for opening this.

ret2libc commented 4 years ago

I'm closing this as this is the current output:

[0x000075d0]> pd 5
            ; DATA XREF from sym.miniupnp_deamon @ 0x22f8
            ;-- str.Failed_to_open_socket_for_receiving_SSDP._EXITING:
            ;-- section..rodata:
            ;-- pc:
            0x000075d0     .string "Failed to open socket for receiving SSDP. EXITING" ; len=50 ; [13] -r-- section size 5152 named .rodata
            0x00007602                    unaligned
            0x00007603                    unaligned
            ; DATA XREF from sym.miniupnp_deamon @ 0x23e4
            ; CODE XREF from str.Failed_to_open_socket_for_receiving_SSDP._EXITING @ +0x30
            ;-- str.socket_http_:__m:
            0x00007604     .string "socket(http): %m" ; len=17
            0x00007615                    unaligned

Please re-open if you feel this is not fixed yet or open a new issue if something else is happening now. Thanks for reporting this!

radare commented 4 years ago

@ret2libc can you add a test with the output you are showing here?

ret2libc commented 4 years ago

Actually no, sorry. I'm reading, reviewing, moving, reproducing a lot of issues lately. Issues that have been accumulated in the last ~7 years and I don't intend to spend 2 months just to read, review, add reproducers for each one of them. If we were in a manageable state with regard to issues I'd be more than happy to add test cases for each one of them, but with so many that were forgotten here honestly I have no will/time to create test cases (with prs and such) for each one of them. Of course if the reporter (cc @enovella ) would like to help with this and create a PR with the given test case we can happily merge it, but 1/2 persons can't be the single point of failure. We should try to distribute a bit more the work by asking reporters to help us.

trufae commented 4 years ago

I'm not asking you to do that for every single issue, but for the few that matter we should, and this one is important because we don't like analysis regressions, and despite being tedious, boring and so on, it is necessary if we want issues not to come back again; otherwise I would read, review, write fixes and tests for the 1200 mails I got in my inbox in the last weeks.

Ideally @enovella should make that PR, but as long as you tested it you are probably more in context than he is right now, and probably you have more time than he or I have right now. Anyway, I'll do that PR in case Edu can't make it.

So keeping this issue open until we have a test is the way to go, though having tests and reproducers was also important for you

trufae commented 4 years ago

Also the issue is assigned to me