Analysis: missing xrefs on MIPS binaries #8245
Comments
|
Hi! It's a known bug caused by migrating to siol. Currently ESIL is broken. |
|
Hi @XVilka , it is not only the Best, |
|
We are doing tons of breaking changes because there is no tomorrow.
Rollback some commits ago and if it was happening its an issue if not just keep calm and wait a bit.
… On 19 Aug 2017, at 22:58, Eduardo Novella ***@***.***> wrote:
Hi,
Problem
Apparently, after analysis some MIPS binaries do not contain xrefs to strings.
Radare2 pulled from Git
[22:54 ***@***.*** tmp] > r2 -v
radare2 1.7.0-git 15624 @ linux-x86-64 git.1.6.0-385-g622df1f
commit: 622df1f build: 2017-08-19__18:21:31
Analysis
[22:54 ***@***.*** tmp] > r2 libminiupnpd.so
-- r2 talks to you. tries to make you feel well.
[0x000017b0]> aaaa
[read errro all flags starting with sym. and entry0 (aa)
Cannot find function 'entry0' at 0x000017b0
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
read errro
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[aav: using from to 0x0 0x9a28
Using vmin 0xf4 and vmax 0x18d40
aav: using from to 0x0 0x9a28
Using vmin 0xf4 and vmax 0x18d40
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Emulate code to find computed references (aae)
[read errro consecutive function (aat)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
[0x000017b0]>
MIPS binary to reproduce
libminiupnpd.so.zip
Cheers
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Hi @radare, the issue was indeed happening a while ago. Also, totally understandable other priorities to be fixed first. :) Cheers, |
|
Did you tried just with aav?
… On 20 Aug 2017, at 13:14, Eduardo Novella ***@***.***> wrote:
Hi @radare,
the issue was indeed happening a while ago. Also, totally understandable other priorities to be fixed first. :)
Cheers,
enovella
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Hi @radare ,
Cheers |
|
that’s because anal.gp points to unallocated memory. this depends on the loc._gp symbol, which is wrong.. or needs to be modified somehow. any pointers here? can you check what others tool do in this case?
if i adjust the anal.gp to be 0x18a40 (instead of 0x20a40), which is inside the allocated memory, i get a bunch of string references in the disasselbmy
… On 23 Aug 2017, at 17:18, Eduardo Novella ***@***.***> wrote:
Hi @radare <https://github.com/radare> ,
aav was tried with no luck in an old r2 installation (some months). Xrefs to strings are still missing.
Cheers
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#8245 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-lgkebUMiKw6iOoLHUYb3xZhCHxkpks5sbEK-gaJpZM4O8cP5>.
|
|
|
|
Hi @radare, Sorry for my little delay :). There's odd behaviour when printing xrefs in the binary. For instance; We try to obtain xrefs in the first string, however we do not appreciate XREF in the string below. However, when manually jumping into the code that should have the xref, we see the xref in there: Regarding the global pointer pointing to unallocated memory, I need more time to analyze it. But I can confirm you that the strings you were showing me in the screenshot, they appear without adjusting the Will try to find some time to clearly spot the issue. Also, checking other binaries (attached goahead.zip) prove that xrefs are missing. Cheers. |
|
then its just a matter to solve the refs, but if they are shown in the disasm its just 50% of the issue :P
im quite busy right now, but that shuold be easy to fix, maybe it gets fixed with other regressions in io.
… On 29 Aug 2017, at 08:49, Eduardo Novella ***@***.***> wrote:
Hi @radare <https://github.com/radare>,
Sorry for my little delay :). There's odd behaviour when printing xrefs in the binary. For instance;
We try to obtain xrefs in the first string, however we do not appreciate XREF in the string below.
Flags in flagspace 'strings'. Press '?' for help.
> 000 0x000075d0 50 str.Failed_to_open_socket_for_receiving_SSDP._EXITING
001 0x00007604 17 str.socket_http_:__m
002 0x00007618 35 str.setsockopt_http__SO_REUSEADDR_:__m
003 0x0000763c 15 str.bind_http_:__m
004 0x0000764c 17 str.listen_http_:__m
005 0x00007660 40 str.Failed_to_open_socket_for_HTTP._EXITING
006 0x00007688 64 str.Failed_to_open_socket_for_sending_SSDP_notify_messages._EXITING
007 0x000076c8 19 str.gettimeofday__:__m
008 0x000076dc 16 str.select_all_:__m
009 0x000076ec 32 str.Failed_to_select_open_sockets.
010 0x0000770c 17 str.accept_http_:__m
011 0x00007720 27 str.HTTP_connection_from__s:_d
012 0x0000773c 22 str.New_upnphttp___failed
013 0x00007754 43 str.Failed_to_broadcast_good_bye_notifications
Selected: str.Failed_to_open_socket_for_receiving_SSDP._EXITING
;-- str.Failed_to_open_socket_for_receiving_SSDP._EXITING:
;-- section_end..fini:
;-- section..rodata:
0x000075d0 .string "Failed to open socket for receiving SSDP. EXITING" ; len=50 ; section 13 va=0x000075d0 pa=0x000075d0 sz=5152 vsz=5152 rwx=--r-- .rodata
0x00007602 0000 unaligned
0x00007603 00 unaligned
;-- str.socket_http_:__m:
0x00007604 .string "socket(http): %m" ; len=17
0x00007615 000000 unaligned
0x00007616 0000 unaligned
0x00007617 00 unaligned
However, when jumping into the code that should have the xref, we see the xref in there:
[0x000075d0]> s 0x000022f8
[0x000022f8]> pd 5
| 0x000022f8 24a575d0 addiu a1, a1, str.Failed_to_open_socket_for_receiving_SSDP._EXITING
| 0x000022fc 24020001 addiu v0, zero, 1
| 0x00002300 8fbf01ac lw ra, 0x1ac(sp)
| 0x00002304 8fbe01a8 lw fp, 0x1a8(sp)
| 0x00002308 8fb701a4 lw s7, 0x1a4(sp)
Regarding the global pointer pointing to unallocated memory, I need more time to analyze it. But I can confirm you that the strings you were showing me in the screenshot, they appear without adjusting the $gp and they are shown just analyzing the binary with aa.
Will try to find some time to clearly spot the issue. Also, checking other binaries (attached goahead.zip) prove that xrefs are missing.
Cheers.
goahead.zip <https://github.com/radare/radare2/files/1259322/goahead.zip>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#8245 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-lmJILEJuVOMgJYKmImMpMXc89OWvks5sc7RzgaJpZM4O8cP5>.
|
|
I realized that the same issue occurs on ARM32 binaries. At least, when r2-ing the crackme "validate" of the OWASP crackmes. Binary: validate https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/License_01 |
|
Any progress so far on this topic? I see similar issue at #8795 |
|
https://github.com/radare/radare2-regressions/blob/master/t.anal/mips/mips-ref#L31 Creating test would speed-up process and ensure no regression @enovella |
|
Should this be added to |
|
Add by itself is useless. You need more context to do so, and this context is provided by esil emulation. Aka aae, /re, and others
… On 29 Nov 2017, at 19:29, Srimanta Barua ***@***.***> wrote:
aa, aar etc don't handle R_ANAL_OP_TYPE_ADD and so on for refs. So addui etc aren't resolved correctly, if at all.
iirc disasm checks refs, then falls back to checking the immediate value for a null-terminated string.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
In this case, the immediate value in the |
|
Wat? Addui sums a delta to a base address. If u dont know that base address computed in previous instructions it will not work
… On 30 Nov 2017, at 14:01, Srimanta Barua ***@***.***> wrote:
In this case, the immediate value in the addui points to the string. Esil emulation helps with indirect references, but I don't see why it's needed here.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Yep. I was talking about the examples by @enovella At 0x2ff8, the instruction is Agreed that it makes more sense to generate a ref if the result of the add points to a string. But should this generate a ref too? If yes, then this case doesn't need emulation since it's in the immediate value. |
|
Hi! A lot has changed since you opened this issue. Could you please double-check whether the problem is still there? If not, please close this issues, otherwise just leave a comment here. Thanks again for opening this. |
|
I'm closing this as this is the current output: Please re-open if you feel this is not fixed yet or open a new issue if something else is happening now. Thanks for reporting this! |
|
@ret2libc can you add a test with the output you are showing here? |
Actually no, sorry. I'm reading, reviewing, moving, reproducing a lot of issues lately. Issues that have been accumulated in the last ~7 years and I don't intend to spend 2 months just to read, review, add reproducers for each one of them. If we were in a manageable state with regard to issues I'd be more than happy to add test cases for each one of them, but with so many that were forgotten here honestly I have no will/time to create test cases (with prs and such) for each one of them. Of course if the reporter (cc @enovella ) would like to help with this and create a PR with the given test case we can happily merge it, but 1/2 persons can't be the single point of failure. We should try to distribute a bit more the work by asking reporters to help us. |
|
I'm not asking you to do that for every single issue, but for the few that matter we should, and this one is important because we don't like analysis regressions and despite it's tedious, boring and such is necessary if we want issues to not come back again, otherwise i would read, review, write fixes and tests for the 1200 mails i got in my inbox last weeks. Ideally @enovella should make that PR, but as long as you tested it you are probably more in context than him right now, and probably you have more time than he or me have right now. Anyway, ill do that PR in case edu can't make it. So keeping this issue open until we have a test is the way to go, though having tests and reproducers was also important for you |
|
Also the issue is assigned to me |
Hi,
Problem
Apparently, after analysis some MIPS binaries do not contain xrefs to strings.
Radare2 pulled from Git
Analysis
Missing xrefs to strings
MIPS binary to reproduce
libminiupnpd.so.zip
Cheers
The text was updated successfully, but these errors were encountered: