rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

Offset immediates not searchable #3957

Open bqv opened 10 months ago

bqv commented 10 months ago

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | Manjaro x86 64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | armeabi-v7a |
| rizin -v full output, not truncated (mandatory) | rizin 0.6.2 @ linux-x86-64 |

Expected behavior

Tried to find all ldr instructions with immediate 0x398. Searched with /ad, /a, etc. with it.

Actual behavior

Found no results, but should have, since I can see them in the disassembly.

Steps to reproduce the behavior

Binary: binary.zip

```
/ad/a ldr.*0x398
# No results
```

Additional Logs, screenshots, source code, configuration dump, ...

/ai 0x398 works fine.

mattermost-messages

bqv: i'm trying to search for an instruction with rizin
bqv: i'm getting nothing
bqv: no hits, each time
rot127: Can you list the commands you use and what the outcome is you are hoping for?
bqv: sure
bqv: I tried / 0x398 naively, in case that works, but i'm fairly sure that's not how things work, so instead i also tried variations like
bqv: :> /ad/a ldr r., [r0, .*]
bqv: :> /ad/a ldr.w r3, [r0, 0x2e4]
bqv: :> /a ldr.w r3, [r0, 0x2e4]
bqv: i even tried /a blx, which i'm sure should have hit
bqv: none of those hit anything, even though those last two are verbatim instructions in the function i'm currently inspecting
bqv: instead if i try / DICT for the data string nearby, that matches
bqv: but i'm looking to find values in the offset of that ldr instruction
bqv: basically, i want to find all ldr instructions with an offset of e.g. 0x2e4 or 0x398
rot127: @bqv Try /ai 0x398
rot127: Should give you every instruction using this immediate.
bqv: it matches! yes!
bqv: thank you.
rot127: The problem with ldr is that the offset depends on the PC the instruction is located at.
rot127: The immediate is an offset.
rot127: My guess is that the search doesn't find them, because it disassembles each instruction again, but with address 0
rot127: Hence, the result of the offset is only 0x8 instead of 0x398, for example
bqv: oh dear, ok
rot127: If the instruction is located at 0x390, I mean
rot127: Just a guess so
bqv: yeah, i follow
bqv: is that the case for all immediate values?
bqv: or just that instruction?
rot127: Could you open an issue about it? Maybe it does work as expected. But then the docs are not specific enough
rot127: Every ARM instruction which interprets the immediate as offset to its address
rot127: https://developer.arm.com/documentation/dui0041/c/Babbfdih
rot127: LDR is one of them.
rot127: Jumps to an offset/relative jumps as well, I guess
rot127: The issue template should guide you.
rot127: write what you wrote above:
rot127: I'd tried to find all ldr instructions with immediate 0x398
rot127: Searched with /ad, /a etc. with it.
rot127: Found no results, but should have since I can see them in the disassembly
rot127: Something like this
rot127: It would be of great help
rot127: I'll add the details later when I have time
Rot127 commented 10 months ago

LDR only saves an offset relative to the current PC. So if ldr is located at 0x390, the immediate of the instruction would be 0x8.

/ad likely disassembles every instruction again for the search, but with PC = 0, hence returns ldr ... 0x8 and the search query doesn't match.

Just a guess. Though this would also affect other instructions with relative immediate vals (jumps etc.)

Either way, the documentation of the command should make the behavior more clear.
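A worked illustration of the PC-relative case Rot127 describes, added here as an example and not code from the issue or from rizin: a 16-bit Thumb LDR (literal) stores only a word offset from the aligned PC, so the operand a disassembler displays (and therefore a regex match on it) changes with the address the disassembler assumes for the instruction, while the raw encoded immediate does not. The byte buffer and its load address are constructed for this example, and the scanner decodes only the 16-bit T1 form.

```python
import struct

def decode_thumb_ldr_literal(halfword: int, address: int):
    """Decode a 16-bit Thumb 'LDR Rt, [PC, #imm]' (encoding T1: 01001 Rt imm8).

    Returns (rt, imm, target): 'imm' is the raw offset held in the encoding,
    'target' is the literal-pool address a disassembler prints, which depends on
    the address it believes the instruction sits at.
    """
    if (halfword >> 11) != 0b01001:
        raise ValueError("not a 16-bit Thumb LDR (literal)")
    rt = (halfword >> 8) & 0x7
    imm = (halfword & 0xFF) * 4
    # In Thumb state PC reads as the instruction address + 4, word-aligned.
    pc = (address + 4) & ~3
    return rt, imm, pc + imm

def scan_ldr_literal(code: bytes, base: int):
    """Linear-sweep a Thumb buffer; return (addr, rt, imm, target) per 16-bit
    LDR (literal). 32-bit Thumb encodings (first halfword 0b11101/0b11110/
    0b11111) are skipped whole so their second halfword is not misdecoded."""
    hits, off = [], 0
    while off + 1 < len(code):
        hw = struct.unpack_from("<H", code, off)[0]
        size = 4 if (hw >> 11) in (0b11101, 0b11110, 0b11111) else 2
        if size == 2 and (hw >> 11) == 0b01001:
            rt, imm, target = decode_thumb_ldr_literal(hw, base + off)
            hits.append((base + off, rt, imm, target))
        off += size
    return hits

def find_by_target(code: bytes, base: int, wanted: int):
    """Addresses of LDR (literal) whose displayed operand resolves to 'wanted'.
    The result changes with 'base': re-disassembling at 0 loses the match."""
    return [a for a, _, _, t in scan_ldr_literal(code, base) if t == wanted]

def find_by_raw_imm(code: bytes, base: int, wanted: int):
    """Addresses of LDR (literal) whose encoded offset is 'wanted'. The raw
    immediate is part of the bytes, so the hit survives any 'base'."""
    return [a for a, _, i, _ in scan_ldr_literal(code, base) if i == wanted]

# Constructed sample (not the issue's binary), assumed loaded at 0x390:
# ldr r3, [pc, #4] / nop / nop / nop, followed by one literal word.
CODE = bytes.fromhex("014b" "00bf" "00bf" "00bf" "78563412")
LOAD_ADDR = 0x390

if __name__ == "__main__":
    print(scan_ldr_literal(CODE, LOAD_ADDR))  # ldr at 0x390 -> target 0x398
    print(scan_ldr_literal(CODE, 0))          # same bytes at 0 -> target 0x8
    print(find_by_target(CODE, 0, 0x398))     # [] when disassembled at 0
    print(find_by_raw_imm(CODE, 0, 4))        # still found by raw immediate
```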