rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

Fail to load ELF ARM binary #1729

Open xrkk opened 3 years ago

xrkk commented 3 years ago
[i] ℤ rizin 00082bf2fdcd7b7b23905dba6089589285f8e6dcd45841f296ce769cd29e17e7 13:49:09
WARNING: Unsupported relocation type for imports 21
WARNING: Unsupported relocation type for imports 21

This string is part of the ELF data - .interp section

[0x44c68000]> om
 1 fd: 4 +0x00000000 0x44ca9e70 - 0x44cab657 r-- vmap.reloc-targets
 2 fd: 3 +0x00000000 0x44c68000 - 0x44ca5a03 r-x fmap.LOAD0
 3 fd: 5 +0x00000000 0x44ca9e10 - 0x44ca9e67 rw- mmap.LOAD1
 4 fd: 6 +0x0003e000 0x44ca6000 - 0x44ca9e0f r-- vmap.LOAD1
[0x44c68000]> iS
paddr      size    vaddr      vsize   align perm name                   type              flags         
--------------------------------------------------------------------------------------------------------
0x00000000 0x0     0x00000000 0x0     0x0   ----                        NULL              
0x00000114 0x13    0x44c68114 0x13    0x0   -r-- .interp                PROGBITS          alloc
0x00000128 0x2340  0x44c68128 0x2340  0x0   -r-- .dynsym                DYNSYM            alloc
0x00002468 0x2804  0x44c6a468 0x2804  0x0   -r-- .dynstr                STRTAB            alloc
0x00004c6c 0x7d4   0x44c6cc6c 0x7d4   0x0   -r-- .gnu.hash              GNU_HASH          alloc
0x00005440 0x468   0x44c6d440 0x468   0x0   -r-- .gnu.version           VERSYM            alloc
0x000058a8 0x38    0x44c6d8a8 0x38    0x0   -r-- .gnu.version_d         VERDEF            alloc
0x000058e0 0x40    0x44c6d8e0 0x40    0x0   -r-- .gnu.version_r         VERNEED           alloc
0x00005920 0x2330  0x44c6d920 0x2330  0x0   -r-- .rel.dyn               REL               alloc
0x00007c50 0xca0   0x44c6fc50 0xca0   0x0   -r-- .rel.plt               REL               alloc
0x000088f0 0xc     0x44c708f0 0xc     0x0   -r-x .init                  PROGBITS          alloc,execute
0x000088fc 0x1304  0x44c708fc 0x1304  0x0   -r-x .plt                   PROGBITS          alloc,execute
0x00009c00 0x2e21c 0x44c71c00 0x2e21c 0x0   -r-x .text                  PROGBITS          alloc,execute
0x00037e1c 0x8     0x44c9fe1c 0x8     0x0   -r-x .fini                  PROGBITS          alloc,execute
0x00037e24 0x5bd4  0x44c9fe24 0x5bd4  0x0   -r-- .rodata                PROGBITS          alloc
0x0003d9f8 0x4     0x44ca59f8 0x4     0x0   -r-- .eh_frame              PROGBITS          alloc
0x0003d9fc 0x8     0x44ca59fc 0x8     0x0   -r-- .eh_frame_hdr          PROGBITS          alloc
0x0003e000 0x108   0x44ca6000 0x108   0x0   -rw- .dynamic               DYNAMIC           write,alloc
0x0003e108 0x2194  0x44ca6108 0x2194  0x0   -rw- .data                  PROGBITS          write,alloc
0x0004029c 0x4     0x44ca829c 0x4     0x0   -rw- .init_array            INIT_ARRAY        write,alloc
0x000402a0 0x4     0x44ca82a0 0x4     0x0   -rw- .fini_array            FINI_ARRAY        write,alloc
0x000402a4 0x4     0x44ca82a4 0x4     0x0   -rw- .jcr                   PROGBITS          write,alloc
0x000402a8 0x6cc   0x44ca82a8 0x6cc   0x0   -rw- .data.rel.ro           PROGBITS          write,alloc
0x00040974 0xdec   0x44ca8974 0xdec   0x0   -rw- .data.rel.ro.local     PROGBITS          write,alloc
0x00041760 0x6b0   0x44ca9760 0x6b0   0x0   -rw- .got                   PROGBITS          write,alloc
0x00041e10 0x0     0x44ca9e10 0x58    0x0   -rw- .bss                   NOBITS            write,alloc
0x00041e10 0x1c    0x00000000 0x1c    0x0   ---- .note.gnu.gold-version NOTE              
0x00041e2c 0x33    0x00000000 0x33    0x0   ---- .ARM.attributes        LOPROC+0x00000003 
0x00041e5f 0x14    0x00000000 0x14    0x0   ---- .gnu_debuglink         PROGBITS          
0x00041e74 0x64    0x00000000 0x64    0x0   ---- .gnu.liblist           GNU_LIBLIST       
0x00041ed8 0x4a    0x00000000 0x4a    0x0   ---- .gnu.libstr            STRTAB            
0x00041f24 0x59c   0x00000000 0x59c   0x0   ---- .gnu.prelink_undo      PROGBITS          
0x000424c0 0x153   0x00000000 0x153   0x0   ---- .shstrtab              STRTAB            
[0x44c68000]> iSS
paddr      size    vaddr      vsize   align  perm name         
---------------------------------------------------------------
0x00000034 0xe0    0x44c68034 0xe0    0x4    -r-- PHDR
0x00000114 0x13    0x44c68114 0x13    0x1    -r-- INTERP
0x00000000 0x3da04 0x44c68000 0x3da04 0x1000 -r-x LOAD0
0x0003e000 0x3e10  0x44ca6000 0x3e68  0x1000 -rw- LOAD1
0x0003e000 0x108   0x44ca6000 0x108   0x4    -rw- DYNAMIC
0x0003d9fc 0x8     0x44ca59fc 0x8     0x4    -r-- GNU_EH_FRAME
0x00000000 0x0     0x00000000 0x0     0x0    -rw- GNU_STACK
0x00000000 0x34    0x44c68000 0x34    0x0    -rw- ehdr


XVilka commented 3 years ago

It's indeed a string, so it should not be code. It looks like some ELF file loading failed instead. cc @08A

XVilka commented 3 years ago

Curiously, it seems that the culprit is the wrong value of the entrypoint - it points to the file beginning:

[0x44c70b94]> iH
0x00000000  ELF MAGIC   0x464c457f
0x00000010  Type        0x0003
0x00000012  Machine     0x0028
0x00000014  Version     0x00000001
0x00000018  Entrypoint  0x44c68000
0x0000001c  PhOff       0x00000034
0x00000020  ShOff       0x00042614
0x00000024  Flags       0x05000000
0x00000028  EhSize      52
0x0000002a  PhentSize   32
0x0000002c  PhNum       7
0x0000002e  ShentSize   40
0x00000030  ShNum       33
0x00000032  ShrStrndx   32
[0x44c70b94]> 


We probably should specifically mark headers as data-only if they don't have x bits.

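As an added example (not rizin's code), a small Python check that parses the ELF32 header and program headers and reports when e_entry lands in the ELF/program headers, in the PT_INTERP string, or in a non-executable segment; make_elf32 builds constructed headers modelled on the iH/iSS values above, and the two addresses 0x44c68118 and 0x44c70b94 used as test entries are taken from the prompts in this thread.

```python
import struct

ET_DYN, EM_ARM, PT_LOAD, PT_INTERP, PF_X = 3, 0x28, 1, 3, 1  # ELF32 constants

def parse_elf32(data):
    """Parse a little-endian ELF32 header and its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    f = struct.unpack_from("<HHIIIIIHHH", data, 16)
    hdr = {"type": f[0], "machine": f[1], "entry": f[3], "phoff": f[4],
           "phentsize": f[8], "phnum": f[9]}
    phdrs = []
    for i in range(hdr["phnum"]):
        p = struct.unpack_from("<8I", data, hdr["phoff"] + i * hdr["phentsize"])
        phdrs.append({"type": p[0], "offset": p[1], "vaddr": p[2],
                      "filesz": p[4], "memsz": p[5], "flags": p[6]})
    return hdr, phdrs

def entry_problems(hdr, phdrs):
    """Reasons e_entry is not a plausible first instruction (empty = sane)."""
    entry, problems = hdr["entry"], []
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    seg = next((p for p in loads if p["vaddr"] <= entry < p["vaddr"] + p["memsz"]), None)
    if seg is None:
        return ["entry is outside every PT_LOAD segment"]
    if not seg["flags"] & PF_X:
        problems.append("entry lies in a non-executable segment")
    # The ELF/program headers sit inside the r-x LOAD0, so PF_X alone accepts them
    hdr_end = hdr["phoff"] + hdr["phnum"] * hdr["phentsize"]
    for p in loads:
        if p["offset"] == 0 and p["vaddr"] <= entry < p["vaddr"] + hdr_end:
            problems.append("entry lies inside the ELF/program headers")
    for p in phdrs:
        if p["type"] == PT_INTERP and p["vaddr"] <= entry < p["vaddr"] + p["filesz"]:
            problems.append("entry lies inside the PT_INTERP string")
    return problems

def make_elf32(entry):
    """Constructed headers modelled on the issue's iH/iSS output (ARM ET_DYN at 0x44c68000)."""
    base = 0x44c68000
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # ELFCLASS32, LSB, version 1
    phdrs = [(PT_INTERP, 0x114, base + 0x114, base + 0x114, 0x13, 0x13, 4, 1),
             (PT_LOAD, 0, base, base, 0x3da04, 0x3da04, 5, 0x1000),  # r-x LOAD0
             (PT_LOAD, 0x3e000, base + 0x3e000, base + 0x3e000, 0x3e10, 0x3e68, 6, 0x1000)]
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN, EM_ARM, 1, entry, 52,
                               0, 0x05000000, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs)
```

With the entry from the iH output above (0x44c68000) the check flags the headers, which is exactly why the executable bit of LOAD0 alone is not enough to reject it.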

ret2libc commented 3 years ago

@XVilka the original issue was "Empty operands when analyzing some ARM binary", so I restored the title. That's the problem reported by @xrkk.

@xrkk could you test the fix in https://github.com/rizinorg/rizin/pull/1730 to see if it works for other instructions as well? I think it makes sense, but if you have some spare time to double check that would be awesome. Thanks!

XVilka commented 3 years ago

@ret2libc are you sure the issue is about that? It is essentially about ELF loading process.

ret2libc commented 3 years ago

> @ret2libc are you sure the issue is about that? It is essentially about ELF loading process.

Well, this is what @xrkk reported

> With rizin version built from source, when analyzing one ARM32 binary, command aoj~{} does not return the 2nd operand.

The 2nd operand is part of the opex structure returned by aoj. Now, there may be other problems with the binary, but let's open separate issues for that. This issue was specifically about the missing operand in opex.

XVilka commented 3 years ago

@ret2libc it's not even the actual code, it's a string.

ret2libc commented 3 years ago

> @ret2libc it's not even the actual code, it's a string.

Yep, I got it. But that's a separate problem.

xrkk commented 3 years ago

@ret2libc Pull #1730 did fix the 2nd operand problem.

[0x44c68118]> aoj~{}
[
  {
    "opcode": "stclhs p12, c6, [r4, -0xbc]!",
    "disasm": "stclhs p12, c6, [r4, -0xbc]!",
    "pseudo": "asm(\"stclhs p12, c6, [r4, -0xbc]!\")",
    "mnemonic": "stclhs",
    "mask": "ffffffff",
    "esil": "cf,?{,,}",
    "sign": false,
    "prefix": 0,
    "id": 191,
    "opex": {
      "operands": [
        {
          "type": "pimm",
          "value": 12
        },
        {
          "type": "cimm",
          "value": 6
        },
        {
          "type": "mem",
          "base": "r4",
          "scale": 1,
          "disp": -188
        }
      ],
      "writeback": true,
      "cc": "hs"
    },
    "addr": 1153859864,
    "bytes": "2f6c642d",
    "size": 4,
    "type": "null",
    "esilcost": 0,
    "scale": 0,
    "refptr": 0,
    "cycles": 1,
    "failcycles": 0,
    "delay": 0,
    "stackptr": 0,
    "family": "cpu"
  }
]
[0x44c68118]>

Thank you.