rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

Wrong switch-case analysis on MacOS M1 ARM #3093

Open ret2libc opened 2 years ago

ret2libc commented 2 years ago

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | MacOS 12.6 M1 Max |
| File format of the file you reverse (mandatory) | MachO |
| Architecture/bits of the file (mandatory) | M1 Max |
| rizin -v full output, not truncated (mandatory) | rizin 0.5.0 @ darwin-arm-64 commit: b81d9225fc411c976502fd1c110c2feac0b17c9b |

Expected behavior

0x100003c44 0x100003c64 00:0000 32 s 0x100003c64 s 0x1000040f8 s 0x100003ec4 s 0x100003ed4 s [...]

In general, the value from the table at 0x100004638 should be added to 0x100003c58.

Actual behavior

0x100003c44 0x100003c64 00:0000 32 s 0x0000000c s 0x000004a0 s 0x0000026c s 0x0000027c s [...]

Steps to reproduce the behavior

$ rizin -A /bin/ls
> s. 3c44
> afbi

Additional Logs, screenshots, source code, configuration dump, ...

Standard /bin/ls from MacOS binls.zip

> pdb @ 0x100003c44
│           0x100003c44      cmp   x16, 0x5b
│           0x100003c48      csel  x16, x16, xzr, ls
│           0x100003c4c      adr   x17, sym.func.100004638             ; 0x100004638
│           0x100003c50      nop
│           0x100003c54      ldrsw x16, [x17, x16, lsl 2]
│           0x100003c58      adr   x17, 0x100003c58
│           0x100003c5c      add   x16, x17, x16
│           ;-- switch
│           0x100003c60      br    x16                                 ; switch table (92 cases) at 0x100004638
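The sequence above is the usual position-independent AArch64 switch: the table at 0x100004638 holds signed 32-bit offsets, and the real case target is the address loaded by the second adr (0x100003c58) plus the sign-extended entry. The "Actual behavior" output prints the raw entries (0xc, 0x4a0, ...) instead of base + entry. The following is an added example, not code from this issue or from rizin: it emulates cmp/csel/ldrsw/adr/add/br over a constructed table built from the four offsets visible in the issue plus one negative entry (to show the sign extension); the constructed table is not the real contents of 0x100004638 in /bin/ls, and the helper names are my own.

```python
import struct

# Addresses copied from the disassembly in the issue.
TABLE_ADDR = 0x100004638   # adr x17, sym.func.100004638  (the table)
BASE_ADDR = 0x100003C58    # adr x17, 0x100003c58         (the add base, not the table)
MAX_INDEX = 0x5B           # cmp x16, 0x5b; csel ..., ls  -> 92 cases, index 0..0x5b

# Constructed table: the four offsets from the issue's "Actual behavior"
# line plus one negative entry to exercise ldrsw's sign extension.
# This is NOT the real table at 0x100004638 in /bin/ls.
TABLE_ENTRIES = [0xC, 0x4A0, 0x26C, 0x27C, -0x40]
TABLE_BYTES = b"".join(struct.pack("<i", e) for e in TABLE_ENTRIES)

MASK64 = (1 << 64) - 1


def read_table_entry(table_bytes, idx):
    """ldrsw x16, [x17, x16, lsl 2]: 32-bit little-endian entry, sign-extended to 64 bits."""
    (off,) = struct.unpack_from("<i", table_bytes, 4 * idx)
    return off


def resolve_switch_targets(table_bytes, base, count=None):
    """Absolute target of every entry: base + sign_extend32(entry), as `add x16, x17, x16` does.

    `base` must be the address materialised by the second `adr` (0x100003c58 here),
    not the table address. Reporting the raw entry, as the issue's output does,
    or adding it to the table address yields wrong targets.
    """
    if count is None:
        count = len(table_bytes) // 4
    return [(base + read_table_entry(table_bytes, i)) & MASK64 for i in range(count)]


def switch_target_for_index(table_bytes, base, idx, max_index=None):
    """Emulate cmp/csel/ldrsw/adr/add/br for one switch value.

    `csel x16, x16, xzr, ls` keeps the index only when it is unsigned <= max_index;
    anything larger (including negative values seen as unsigned) becomes 0, so the
    default path lands on case 0's target.
    """
    if max_index is None:
        max_index = len(table_bytes) // 4 - 1
    if (idx & MASK64) > max_index:
        idx = 0
    return (base + read_table_entry(table_bytes, idx)) & MASK64


def afbi_style_cases(table_bytes, base):
    """(raw table entry, resolved target) per case: the left value is what the issue's
    "Actual behavior" printed, the right one is the expected target."""
    return [
        (read_table_entry(table_bytes, i) & 0xFFFFFFFF, t)
        for i, t in enumerate(resolve_switch_targets(table_bytes, base))
    ]


if __name__ == "__main__":
    for raw, target in afbi_style_cases(TABLE_BYTES, BASE_ADDR):
        print(f"raw 0x{raw:08x} -> s 0x{target:x}")
```

With the real binary you can feed the function the actual entries instead of the constructed ones (for example by dumping the words at the table address in rizin) and compare the result with the addresses listed under "Expected behavior"; the first four resolve to 0x100003c64, 0x1000040f8, 0x100003ec4 and 0x100003ed4.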
wargio commented 9 months ago

@ret2libc ehm, this bin is x86, not arm.

Rot127 commented 9 months ago

You need to open it with rizin -a arm ls if you are on an x86 machine. It's this weird macho thing: it contains x86 and arm assembly in the same binary.

rizin -a arm -Qc "pd 10" ls 
            ;-- main:
            ;-- entry0:
            ;-- func.100003a90:
            0x100003a90      pacibsp
            0x100003a94      stp   x28, x27, [sp, -0x60]!
            0x100003a98      stp   x26, x25, [sp, 0x10]
            0x100003a9c      stp   x24, x23, [sp, 0x20]
            0x100003aa0      stp   x22, x21, [sp, 0x30]
            0x100003aa4      stp   x20, x19, [sp, 0x40]
            0x100003aa8      stp   fp, lr, [sp, 0x50]
            0x100003aac      add   fp, sp, 0x50
            0x100003ab0      sub   sp, sp, 0x640
            0x100003ab4      mov   x19, x1
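The "weird macho thing" is a fat (universal) Mach-O: a big-endian fat_header (magic 0xCAFEBABE, or 0xCAFEBABF for 64-bit fat_arch records) followed by one fat_arch record per architecture slice, each giving cputype, cpusubtype, file offset, size and alignment; the thin Mach-O for each architecture lives at that offset. The following is an added example, not code from this issue or from rizin: it parses the fat header with bounds checks, lists the slices, and locates the one a given architecture flag would select. The constant values come from Apple's mach-o/fat.h and mach-o/machine.h; the sample file is constructed by hand (two 4-byte slices with a 2^5 alignment so it stays small) and is not the /bin/ls attached to the issue, and the helper names are my own.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # fat_header followed by 32-bit fat_arch records
FAT_MAGIC_64 = 0xCAFEBABF   # fat_arch_64 records (64-bit offset/size)
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O magic, little-endian on x86_64 and arm64

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def parse_fat_header(data):
    """Return one dict per slice: arch, cputype, cpusubtype, offset, size, align.

    fat_header and fat_arch fields are big-endian regardless of the host.
    Offsets, sizes and alignment are validated against the file before the
    slice is returned, since a hostile header can point past the end of file.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic == FAT_MAGIC:
        fmt = ">IIIII"      # cputype, cpusubtype, offset, size, align
    elif magic == FAT_MAGIC_64:
        fmt = ">IIQQII"     # cputype, cpusubtype, offset64, size64, align, reserved
    else:
        raise ValueError("not a fat Mach-O: magic 0x%08x" % magic)
    rec = struct.calcsize(fmt)
    if 8 + nfat * rec > len(data):
        raise ValueError("fat_arch table runs past end of file")
    slices = []
    for i in range(nfat):
        fields = struct.unpack_from(fmt, data, 8 + i * rec)
        cputype, cpusubtype, offset, size, align = fields[:5]
        if align >= 64 or offset % (1 << align) or offset + size > len(data):
            raise ValueError("slice %d: bad offset/size/align" % i)
        slices.append({
            "arch": CPU_NAMES.get(cputype, "cputype 0x%x" % cputype),
            "cputype": cputype, "cpusubtype": cpusubtype,
            "offset": offset, "size": size, "align": align,
        })
    return slices


def slice_magic(data, sl):
    """Magic of the thin Mach-O inside a slice, read little-endian as x86_64/arm64 store it."""
    (magic,) = struct.unpack_from("<I", data, sl["offset"])
    return magic


def find_slice(slices, arch):
    """The slice an `-a arm`-style selection would analyse, or None if the file lacks it.
    Without such a selection a tool may simply take the first slice, which is the
    x86_64 one in the sample below (and in the issue)."""
    for sl in slices:
        if sl["arch"] == arch:
            return sl
    return None


def build_sample_fat():
    """Constructed two-slice fat file (x86_64 then arm64). Each slice is just the
    MH_MAGIC_64 header word; alignment is 2^5 to keep the sample tiny. Not /bin/ls."""
    blob = bytearray(0x64)
    struct.pack_into(">II", blob, 0, FAT_MAGIC, 2)
    struct.pack_into(">IIIII", blob, 8, CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, 0x40, 4, 5)
    struct.pack_into(">IIIII", blob, 28, CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, 0x60, 4, 5)
    struct.pack_into("<I", blob, 0x40, MH_MAGIC_64)
    struct.pack_into("<I", blob, 0x60, MH_MAGIC_64)
    return bytes(blob)


if __name__ == "__main__":
    data = build_sample_fat()
    for sl in parse_fat_header(data):
        print(f"{sl['arch']:7s} offset=0x{sl['offset']:x} size=0x{sl['size']:x} "
              f"magic=0x{slice_magic(data, sl):08x}")
```

Run against a real universal binary (read the file into `data`), the slice list shows which architectures are present and at what offsets, which is a quick way to confirm that the disassembly you are looking at comes from the arm64 slice and not the x86_64 one.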