radareorg / sdb

Simple and fast string based key-value database with support for arrays and json
https://www.radare.org/
MIT License

sdb_get() includes carriage return #121

Closed Dax89 closed 2 years ago

Dax89 commented 7 years ago

I have noticed a weird issue in radare2: basically, all ordinal imports (at least in PE files) have their address equal to 0:

rabin2 -ii ~/Reversing/PEiD/PEiD.exe
[Imports]
ordinal=001 plt=0x00499b74 bind=NONE type=FUNC name=KERNEL32.DLL_LoadLibraryA
ordinal=002 plt=0x00499b78 bind=NONE type=FUNC name=KERNEL32.DLL_GetProcAddress
ordinal=003 plt=0x00499b7c bind=NONE type=FUNC name=KERNEL32.DLL_VirtualProtect
ordinal=004 plt=0x00499b80 bind=NONE type=FUNC name=KERNEL32.DLL_VirtualAlloc
ordinal=005 plt=0x00499b84 bind=NONE type=FUNC name=KERNEL32.DLL_VirtualFree
ordinal=006 plt=0x00499b88 bind=NONE type=FUNC name=KERNEL32.DLL_ExitProcess
ordinal=001 plt=0x00499b90 bind=NONE type=FUNC name=ADVAPI32.dll_EqualSid

!!! this !!!
ordinal=017 plt=0x00000000 bind=NONE type=FUNC name=COMCTL32.dll_InitCommonControls

ordinal=001 plt=0x00499ba0 bind=NONE type=FUNC name=COMDLG32.dll_GetOpenFileNameA
ordinal=001 plt=0x00499ba8 bind=NONE type=FUNC name=GDI32.dll_BitBlt
ordinal=001 plt=0x00499bb0 bind=NONE type=FUNC name=SHELL32.dll_DragFinish
ordinal=001 plt=0x00499bb8 bind=NONE type=FUNC name=USER32.dll_GetDC

Instead, if I rename comctl32.sdb in order to get the plain "ordinal named" import, I get the correct address:

rabin2 -ii ~/Reversing/PEiD/PEiD.exe
[Imports]
ordinal=001 plt=0x00499b74 bind=NONE type=FUNC name=KERNEL32.DLL_LoadLibraryA
ordinal=002 plt=0x00499b78 bind=NONE type=FUNC name=KERNEL32.DLL_GetProcAddress
ordinal=003 plt=0x00499b7c bind=NONE type=FUNC name=KERNEL32.DLL_VirtualProtect
ordinal=004 plt=0x00499b80 bind=NONE type=FUNC name=KERNEL32.DLL_VirtualAlloc
ordinal=005 plt=0x00499b84 bind=NONE type=FUNC name=KERNEL32.DLL_VirtualFree
ordinal=006 plt=0x00499b88 bind=NONE type=FUNC name=KERNEL32.DLL_ExitProcess
ordinal=001 plt=0x00499b90 bind=NONE type=FUNC name=ADVAPI32.dll_EqualSid

!!! this !!!
ordinal=017 plt=0x00499b98 bind=NONE type=FUNC name=COMCTL32.dll_Ordinal_17

ordinal=001 plt=0x00499ba0 bind=NONE type=FUNC name=COMDLG32.dll_GetOpenFileNameA
ordinal=001 plt=0x00499ba8 bind=NONE type=FUNC name=GDI32.dll_BitBlt
ordinal=001 plt=0x00499bb0 bind=NONE type=FUNC name=SHELL32.dll_DragFinish
ordinal=001 plt=0x00499bb8 bind=NONE type=FUNC name=USER32.dll_GetDC

The issue is that sdb_get() includes the carriage return character when reading the SDB file, and a lookup fails to get the right symbol; in fact, by printing the returned value I get:

HEX 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 0D InitCommonControls.

Just for info, I have tested the result in the https://github.com/radare/radare2/blob/master/libr/bin/format/pe/pe.c#L210 file by adding some extra code:

/* fragment of pe.c around the linked line, with a debug dump of the resolved name added */
if (db) {
    symname = resolveModuleOrdinal (db, symdllname, import_ordinal);
    if (symname) {
        snprintf (import_name, PE_NAME_LENGTH, "%s_%s", dll_name, symname);
        /* print every byte of the name returned by sdb to expose the trailing 0x0D */
        printf ("HEX");
        for (size_t i = 0, n = strlen (symname); i < n; i++) {
            printf (" %02X", (unsigned char) symname[i]);
        }
        printf ("\n");
    }
} else {
    eprintf ("Cannot find %s\n", filename);
}
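To show the failure mode reported above, here is an added example that is not code from sdb or radare2: it scans a constructed CRLF-terminated "ordinal=name" list the way a naive line splitter would, once keeping the stray '\r' and once stripping it, and then matches the resolved name against a constructed import slot table. COMCTL32_SDB_CRLF, SLOTS, resolve_ordinal() and import_plt() are all constructed for this example; only the trailing '\r' in the unstripped case makes the byte-for-byte match fail and the address come back as 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a text-mode ordinal database such as
 * comctl32.sdb: "ordinal=name" per line, saved with CRLF line endings
 * (the situation that yields the trailing 0x0D seen in the hex dump). */
static const char *COMCTL32_SDB_CRLF =
    "16=ImageList_Create\r\n"
    "17=InitCommonControls\r\n"
    "18=InitCommonControlsEx\r\n";

/* Constructed import slots: fully qualified name -> plt address. */
struct import_slot { const char *name; unsigned plt; };
static const struct import_slot SLOTS[] = {
    { "COMCTL32.dll_InitCommonControls", 0x00499b98 },
    { "COMDLG32.dll_GetOpenFileNameA",   0x00499ba0 },
};

/* Resolve `ordinal` to its name by scanning db_text line by line.
 * Splitting on '\n' alone leaves '\r' attached to the value; with
 * strip_cr set, a trailing '\r' is dropped. Returns 1 on hit, 0 on miss. */
int resolve_ordinal(const char *db_text, int ordinal, int strip_cr,
                    char *out, size_t outlen) {
    char key[16];
    int klen = snprintf(key, sizeof key, "%d=", ordinal);
    for (const char *line = db_text; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > (size_t)klen && strncmp(line, key, (size_t)klen) == 0) {
            size_t vlen = len - (size_t)klen;          /* vlen >= 1 here */
            if (strip_cr && line[klen + vlen - 1] == '\r') vlen--;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Build "DLL_name" as the issue's snprintf does and match it byte for
 * byte; a stray '\r' makes strcmp miss and the address stays 0. */
unsigned import_plt(const char *dll, int ordinal, int strip_cr) {
    char sym[64], full[128];
    if (!resolve_ordinal(COMCTL32_SDB_CRLF, ordinal, strip_cr, sym, sizeof sym))
        return 0;
    snprintf(full, sizeof full, "%s_%s", dll, sym);
    for (size_t i = 0; i < sizeof SLOTS / sizeof SLOTS[0]; i++)
        if (strcmp(SLOTS[i].name, full) == 0)
            return SLOTS[i].plt;
    return 0;
}
```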
trufae commented 2 years ago

I don't think this belongs to sdb, and sdb_get doesn't append any \x0d; not sure where the bug was, but r2 works fine.

If this is still an issue for you, please reopen the ticket in the r2 repo.