Closed vadimkotov closed 7 years ago
Tested with IDA, it handles this function correctly.
I do understand that sometimes the situations like this are unavoidable or way too expensive to handle properly (e.g. in obfuscated code specifically designed to confuse disassemblers), but in this case it is genuinely unreachable code.
| pdf disassemble function
Did you try with ?:
| pdr recursive disassemble across the function graph
Yep, that worked a treat. Didn't know there were multiple disassembly algorithms and that default was not recursive. Thanks. False alarm then.
The result of
pdf
command appears to be wrongAttached is Windows 7's 32-bit explorer.exe - a binary in which I came across this issue.
Address of the function in question: 0x1042183
I load the binary in a pretty typical way:
Consider the following conditional jump found in this function at the offset 0x10422e4
0x010422e4 0f859e020000 jne 0x1042588
However the target address of 0x1042588 haven't been decoded correctly:
As you can see in the snippet, it decoded an instruction at 0x1042586, which is the wrong offset.
It happened because a chunk of the function from 0x1042566 to 0x1042587 seems to be unreachable (see. screenshot taken from binary ninja).
From the screenshot you can see that the instruction at 0x1042561 is
jmp
, so the next address, which is 0x1042566 is never reached, the next reachable address is 0x1042588 (it's jumped to from 0x10422e4 as shown in the second snippet).It should have skipped the bytes at 0x1042566 to 0x1042587 and carried on the disassembly at the correct offset - 0x1042588.
I can only conjecture that radare2 is not using traditional recursive traversal, but rather an altered version to, perhaps, save time or avoid deep recursion. Is this conjecture correct?
explorer.zip
PS I used the freshest version of radare2 updated from github
If you guys could point me to the code responsible for function analysis I might be able to fix it or at least debug the issue in more detail. Thanks!