rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

tricore: missing global variable reference/address detection #4020

Open XVilka opened 11 months ago

XVilka commented 11 months ago

Missing global variable reference in Erika3 OS:

$ rizin -A out/erika3app.elf
[0x8000433a]> pdf @ dbg.ErrorHook
        ╎   ; XREFS(28)
╭ void ErrorHook(StatusType Error)
│       ╎   ; arg StatusType Error @ d4
│       ╎   0x8000433a      910000f7       movh.a a15, #0x7000         ; Core0.c:105
│       ╎   0x8000433e      19ff1000       ld.w  d15, [a15]#0x10
│       ╎   0x80004342      3bf00f40       mov   d4, #0xff             ; Core0.c:109
│       ╎   0x80004346      c21f           add   d15, #1               ; Core0.c:108
│       ╎   0x80004348      59ff1000       st.w  [a15]#0x10, d15
╰       ╰─< 0x8000434c      1dff5afe       j led_blink                 ; Core0.c:109 ; sym.led_blink
[0x8000433a]> avg~myErrorCounter
global OsEE_reg myErrorCounter @ 0x70000010
[0x8000433a]> avgx myErrorCounter
[0x8000433a]>

But if you check the objdump output (erika3app.dump):

8000433a <ErrorHook>:

void ErrorHook(StatusType Error)
{
  (void)Error;

  ++myErrorCounter;
8000433a:   91 00 00 f7     movh.a %a15,28672
8000433e:   19 ff 10 00     ld.w %d15,[%a15]16 <70000010 <myErrorCounter>>
  led_blink(OSEE_TRIBOARD_2X5_ALL_LEDS);
80004342:   3b f0 0f 40     mov %d4,255

void ErrorHook(StatusType Error)
{
  (void)Error;

  ++myErrorCounter;
80004346:   c2 1f           add %d15,1
80004348:   59 ff 10 00     st.w [%a15]16 <70000010 <myErrorCounter>>,%d15
  led_blink(OSEE_TRIBOARD_2X5_ALL_LEDS);
8000434c:   1d ff 5a fe     j 80004000 <led_blink>

And the assembly output (obj/Core0.c.s):

    .align 1
    .global ErrorHook
    .type   ErrorHook, @function
ErrorHook:
.LFB75:
    .loc 4 105 0
.LVL76:
    .loc 4 108 0
    movh.a  %a15, hi:myErrorCounter
    ld.w    %d15, [%a15] lo:myErrorCounter
    .loc 4 109 0
    mov %d4, 255
.LVL77:
    .loc 4 108 0
    add %d15, 1
    st.w    [%a15] lo:myErrorCounter, %d15
    .loc 4 109 0
    j   led_blink
.LVL78:
.LFE75:
    .size   ErrorHook, .-ErrorHook

And the preprocessor output file (obj/Core0.c.i):

OsEE_reg myErrorCounter;

void ErrorHook(StatusType Error)
{
  (void)Error;

  ++myErrorCounter;
  led_blink(OSEE_TRIBOARD_2X5_ALL_LEDS);
}

Please also create a new test with global and static variables for Tricore, checking the pdf, avgx and axt commands. I recommend also checking other globals from the Erika OS image.

imbillow commented 11 months ago
│       ╎   0x8000433a      910000f7       movh.a a15, #0x7000         ; Core0.c:105
│       ╎   0x8000433e      19ff1000       ld.w  d15, [a15]#0x10
│       ╎   0x80004342      3bf00f40       mov   d4, #0xff             ; Core0.c:109
│       ╎   0x80004346      c21f           add   d15, #1               ; Core0.c:108
│       ╎   0x80004348      59ff1000       st.w  [a15]#0x10, d15

In this case

a15 = 0x7000_0000
d15 = Mem[a15 + 0x10] = Mem[0x7000_0010] = myErrorCounter

but the instructions must be executed during disassembly to obtain this information. I guess in some architectures esil is used to simulate execution? But tricore does not implement the esil function.

@XVilka
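The two-instruction pattern above (movh.a loading the upper half into an address register, then ld.w/st.w with a 16-bit displacement off it) can be resolved by a small constant-propagation pass over the bytes, without a full ESIL/RzIL emulator. The following is an added illustration, not rizin code; it decodes only the RLC (movh.a) and BOL (ld.w/st.w) encodings according to my reading of the TriCore ISA, and the bytes are copied from the ErrorHook listing in this issue. Writes to address registers by any other instruction are not tracked, which a real implementation would have to handle.

```python
import struct

# Bytes of ErrorHook as shown in the pdf/objdump listings above (constructed from the issue).
ERRORHOOK_ADDR = 0x8000433A
ERRORHOOK_BYTES = bytes.fromhex("910000f7" "19ff1000" "3bf00f40" "c21f" "59ff1000" "1dff5afe")

OP_MOVH_A = 0x91    # RLC format: movh.a a[d], const16  ->  a[d] = const16 << 16
OP_LD_W_BOL = 0x19  # BOL format: ld.w d[d], [a[s2]]off16
OP_ST_W_BOL = 0x59  # BOL format: st.w [a[s2]]off16, d[s1]


def insn_length(op1):
    # TriCore: bit 0 of the first opcode byte selects a 32-bit (1) or 16-bit (0) encoding.
    return 4 if op1 & 1 else 2


def bol_offset(w):
    # off16 is split over three fields: [21:16] -> bits 5:0, [31:28] -> bits 9:6, [27:22] -> bits 15:10.
    off = ((w >> 16) & 0x3F) | (((w >> 28) & 0xF) << 6) | (((w >> 22) & 0x3F) << 10)
    return off - 0x10000 if off & 0x8000 else off  # displacement is sign-extended


def find_global_refs(code, base):
    """Return [(insn_addr, target_addr, kind)] for ld.w/st.w whose base register
    currently holds a value established by an earlier movh.a."""
    aregs = {}  # address register number -> known 32-bit value after movh.a
    refs = []
    pc = 0
    while pc < len(code):
        op1 = code[pc]
        n = insn_length(op1)
        if n == 4 and pc + 4 <= len(code):
            w = struct.unpack_from("<I", code, pc)[0]
            if op1 == OP_MOVH_A:
                aregs[w >> 28] = ((w >> 12) & 0xFFFF) << 16
            elif op1 in (OP_LD_W_BOL, OP_ST_W_BOL):
                s2 = (w >> 12) & 0xF  # base address register
                if s2 in aregs:
                    target = (aregs[s2] + bol_offset(w)) & 0xFFFFFFFF
                    refs.append((base + pc, target, "read" if op1 == OP_LD_W_BOL else "write"))
        # 16-bit instructions (e.g. the add d15, #1 here) are skipped; they touch no address register.
        pc += n
    return refs


if __name__ == "__main__":
    for insn, target, kind in find_global_refs(ERRORHOOK_BYTES, ERRORHOOK_ADDR):
        print(f"0x{insn:08x}: {kind} of global at 0x{target:08x}")
```

Running it yields a data read at 0x8000433e and a data write at 0x80004348, both targeting 0x70000010, which is exactly the myErrorCounter address that `avg` already knows and that `avgx`/`axt` should report.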

XVilka commented 11 months ago

@imbillow good point. Let's postpone this until after implementing RzIL for Tricore: https://github.com/rizinorg/rizin/pull/3478

And since we also plan to do the Tricore, MIPS, V850/V810 RzIL conversion, we will migrate the analysis loop to use RzIL too: https://github.com/rizinorg/rizin/issues/2080