rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

The disassembly from pdr is not consistent with the disassembly from pdrj. #3367

Open sidra-asa opened 1 year ago

sidra-asa commented 1 year ago

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | MacOS Big Sur version 11.6.8 |
| File format of the file you reverse (mandatory) | APK |
| Architecture/bits of the file (mandatory) | Dalvik |
| rizin -v full output, not truncated (mandatory) | rizin 0.5.0 @ darwin-x86-64 commit: d20f68d7aba22a8e5c61dcd1d74c32fe51f2deb0 |

Expected behavior

The disassembly from command pdr and pdrj should be consistent.

Actual behavior

When I analyze an APK (SHA1: 42b25b60aa7d6d9f0b388c10a45e8a8f8c1fc718), the disassembly from the commands pdr and pdrj is not consistent.

Take address 4295070996 as an example. After I run the aaaa command, pdr returns the method ending with a goto instruction, but pdrj returns extra instructions which are not shown in pdr.

# pdr @ 4295070996

│ 0x100019736      invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I ; sym.Landroid_util_Log_.e_Ljava_lang_String_Ljava_lang_String__I
│ 0x10001973c      goto  0x10001966e
| ----------- true: 0x10001966e
│ 0x100039610     .string "Lcom/google/progress/AndroidClientService$17;" ; len=45
# pdrj @ 4295070996 ~{}

{
    "offset": 4295071542,
    "esil": "8,sp,-=,0x10001973c,sp,=[8],0x800000013e,ip,=",
    "refptr": false,
    "fcn_addr": 4295070996,
    "fcn_last": 4295202322,
    "size": 6,
    "opcode": "invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    "disasm": "invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    "bytes": "71209f004300",
    "family": "cpu",
    "type": "call",
    "reloc": false,
    "type_num": 3,
    "type2_num": 0,
    "jump": 549755814206,
    "fail": 4295071548,
    "xrefs_from": [
      {
        "addr": 549755814206,
        "type": "CALL"
      }
    ]
  },
  {
    "offset": 4295071548,
    "esil": "0x10001966e,ip,=",
    "refptr": false,
    "fcn_addr": 4295070996,
    "fcn_last": 4295202326,
    "size": 2,
    "opcode": "goto 0x10001966e",
    "disasm": "goto 0x10001966e",
    "bytes": "2899",
    "family": "cpu",
    "type": "jmp",
    "reloc": false,
    "type_num": 1,
    "type2_num": 0,
    "jump": 4295071342,
    "xrefs_from": [
      {
        "addr": 4295071342,
        "type": "CODE"
      }
    ]
  },
  {
    "offset": 4295202320,
    "esil": "8,sp,-=,0x100039616,sp,=[8],0xffffffffffffffff,ip,=",
    "refptr": false,
    "fcn_addr": 4295070044,
    "fcn_last": 4295241004,
    "size": 6,
    "opcode": "invoke-virtual {}, method+28530",
    "disasm": "invoke-virtual {}, method+28530",
    "bytes": "6e64726f6964",
    "family": "cpu",
    "type": "ucall",
    "reloc": false,
    "type_num": 4,
    "type2_num": 0
  },
  {
    "offset": 4295202326,
    "size": 1,
    "bytes": "436c",
    "opcode": "invalid"
  }

Steps to reproduce the behavior

Get the APK here and analyze it as follows.

$ rizin apk://14d9f1a92dd984d6040cc41ed06e273e.apk

[0x10001122c]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls
[x] Analyze len bytes of instructions for references
[x] Check for classes
[x] Finding xrefs in noncode section with analysis.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x10000f8ec to 0x100054714 (aav)
[x] 0x10000f8ec-0x100054714 in 0x10000f8ec-0x100054714 (aav)
[x] 0x10000f8ec-0x100054714 in 0x8000000000-0x800000079a (aav)
[x] Value from 0x8000000000 to 0x800000079a (aav)
[x] 0x8000000000-0x800000079a in 0x10000f8ec-0x100054714 (aav)
[x] 0x8000000000-0x800000079a in 0x8000000000-0x800000079a (aav)
[x] Emulate functions to find computed references
[x] Analyze local variables and arguments
[x] Applied 0 FLIRT signatures via sigdb
[x] Propagate noreturn information
[x] Resolve pointers to data sections
[x] Finding function preludes
[x] Enable constraint types analysis for variables

[0x10001122c]> pdrj @ 4295070996

Please let me know if anything is unclear.

sidra-asa commented 10 months ago

Hi, are there any updates? I found a similar issue while analyzing another sample with rizin 0.6.3.

The output of the pdr and pdrj commands is inconsistent. At 0x100069823 (4295399459), the output of pdr seems to be a string, but the one from pdrj seems to be aget-byte. So I think that there might be some issues between pdr and pdrj. I hope the information will be helpful.

$ rizin -v
rizin 0.6.3 @ darwin-arm-64
commit: 36a1bf3ec837dd74e4829a6535f2cab349fd4ad2

$ rizin apk://13667fe3b0ad496a0cd157f34b7e0c991d72a4db.apk
WARNING: No calling convention defined for this file, analysis may be inaccurate.
 -- Move the comments to the right changing their margin with asm.cmt.margin

[0x100028498]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)

[0x100028498]> pdr @ 0x100069823
│ ; DATA XREF from method.public.static.android.support.v4.app.NavUtils.void_navigateUpFromSameTask_android.app.Activity @ 0x10002d45e
│ ;-- str.Did_you_forget_to_add_the_android.support.PARENT_ACTIVITY__meta_data:
│ 0x100069823     .string " (Did you forget to add the android.support.PARENT_ACTIVITY <meta-data> " ; len=72
| ----------- true: 0x10006d7f0  false: 

[0x100028498]> pdrj @ 0x100069823 ~{}
{
    "offset": 4295399459,
    "esil": "",
    "refptr": false,
    "fcn_addr": 4295267628,
    "fcn_last": 4295415850,
    "size": 4,
    "opcode": "aget-byte v32, v40, v68",
    "disasm": "aget-byte v32, v40, v68",
    "bytes": "48202844",
    "family": "cpu",
    "type": "load",
    "reloc": false,
    "type_num": 32,
    "type2_num": 0,
    "flags": [
      "str.Did_you_forget_to_add_the_android.support.PARENT_ACTIVITY__meta_data"
    ],
    "xrefs_to": [
      {
        "addr": 4295152734,
        "type": "DATA"
      }
    ]
  },
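A small triage check, added here and not part of the issue or of rizin itself, that scans `pdrj` output for instructions which do not belong to the requested function, carry an `invalid` opcode, sit on a `str.` flag, or whose bytes are printable ASCII. The sample input is constructed from the `pdrj` excerpts quoted in both comments above (only the fields the check needs are kept); the pattern it surfaces is that the extra entries are the string bytes pdr shows as `.string`, decoded as Dalvik opcodes.

```python
import json

# Constructed from the pdrj excerpts quoted in the two comments above; only the
# fields the check needs are kept.
PDRJ_FIRST = json.dumps([
    {"offset": 4295071542, "fcn_addr": 4295070996, "size": 6, "type": "call",
     "opcode": "invoke-static {v3, v4}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
     "bytes": "71209f004300"},
    {"offset": 4295071548, "fcn_addr": 4295070996, "size": 2, "type": "jmp",
     "opcode": "goto 0x10001966e", "bytes": "2899"},
    {"offset": 4295202320, "fcn_addr": 4295070044, "size": 6, "type": "ucall",
     "opcode": "invoke-virtual {}, method+28530", "bytes": "6e64726f6964"},
    {"offset": 4295202326, "size": 1, "bytes": "436c", "opcode": "invalid"},
])
PDRJ_SECOND = json.dumps([
    {"offset": 4295399459, "fcn_addr": 4295267628, "size": 4, "type": "load",
     "opcode": "aget-byte v32, v40, v68", "bytes": "48202844",
     "flags": ["str.Did_you_forget_to_add_the_android.support.PARENT_ACTIVITY__meta_data"]},
])

def ascii_run(hexbytes, min_len=4):
    """Return the bytes decoded as ASCII if all are printable, else None."""
    raw = bytes.fromhex(hexbytes)
    if len(raw) >= min_len and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None

def suspicious_entries(pdrj_text, fcn_addr):
    """Return [(offset, reason)] for pdrj instructions that should not be
    disassembled as code of the function at fcn_addr."""
    found = []
    for ins in json.loads(pdrj_text):
        reasons = []
        if ins.get("opcode") == "invalid":
            reasons.append("invalid opcode")
        if "fcn_addr" in ins and ins["fcn_addr"] != fcn_addr:
            reasons.append("belongs to fcn 0x%x" % ins["fcn_addr"])
        if any(f.startswith("str.") for f in ins.get("flags", [])):
            reasons.append("string flag at this offset")
        text = ascii_run(ins.get("bytes", ""))
        if text is not None:
            reasons.append("bytes are printable ASCII %r" % text)
        if reasons:
            found.append((ins["offset"], "; ".join(reasons)))
    return found

if __name__ == "__main__":
    hits = suspicious_entries(PDRJ_FIRST, 4295070996) + suspicious_entries(PDRJ_SECOND, 4295267628)
    for off, why in hits:
        print("0x%x: %s" % (off, why))
```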