Radare2: Radare2 not finding function

Created on 3 Aug 2016 · 4 comments · Source: radareorg/radare2

This might be a case of user error, but radare2 seems not to be able to find a function that IDA has listed. For information, the version that I'm using is

r2 -v
radare2 0.10.5-git 11982 @ linux-x86-64 git.0.10.4-142-g8d5e5d4
commit: 8d5e5d4add1421cbe8dda000457c77d3317758ce build: 2016-08-02

The binary that I am looking at is 0b322ccfe2431909dff50c4735e9ef01 (attached with a password of infected).

In IDA the function 0x406F30 is located and in the function list.
image

It also disassembles just fine in the main window.
image

However this function is not seen or listed in Radare. I'll paste the commands used below.

r2 -A 0b322ccfe2431909dff50c4735e9ef01
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[ ] [*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan))
 -- radare2 contributes to the One Byte Per Child fundation.
[0x0040111d]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[0x00402a8e esil_diveq: empty stackeferences (aae)
0x00402abc esil_diveq: empty stack
0x0040314b esil_eq: invalid src
0x00403222 esil_diveq: empty stack
0x004032a2 esil_diveq: empty stack
0x00403347 esil_diveq: empty stack
0x00403355 esil_diveq: empty stack
0x0040594a esil_eq: invalid src
0x0040597c esil_eq: invalid src
0x004059ae esil_eq: invalid src
0x00406fec esil_diveq: empty stack
0x00407464 esil_eq: invalid src
0x00407866 esil_eq: invalid src
[x] Emulate code to find computed references (aae)
[x] Analyze consecutive function (aat)
[aav: using from to 0x400000 0x40dc00
Using vmin 0x401000 and vmax 0x411c00
aav: Cannot find section at 0x4238337
[x] Analyze value pointers (aav)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)

And then, searching for the function (using afl), the function is not found.

[0x0040111d]> afl
0x0040100a    1 5            sub.KERNEL32.dll_lstrcmpiA_a
0x0040100f    1 5            fcn.0040100f
0x00401014    1 5            fcn.00401014
0x00401019    1 5            fcn.00401019
0x0040101e    1 5            sub.SHELL32.dll_SHGetFolderPathW_1e
0x00401023    1 5            sub.WININET.dll_InternetOpenA_23
0x00401028    1 5            fcn.00401028
0x0040102d    1 5            sub.KERNEL32.dll_GetCurrentProcess_2d
0x00401032    1 5            fcn.00401032
0x00401037    1 5            sub.KERNEL32.dll_GetCurrentProcess_37
0x00401041    1 10   -> 5    sub.KERNEL32.dll_CloseHandle_41
0x0040104b    1 5            sub.KERNEL32.dll_ResumeThread_4b
0x00401050    1 5            fcn.00401050
0x00401055    1 5            fcn.00401055
0x0040105a    1 10   -> 5    sub.KERNEL32.dll_CreateProcessW_5a
0x00401064    1 5            sub.KERNEL32.dll_TerminateThread_64
0x00401069    1 5            sub.KERNEL32.dll_SetLastError_69
0x0040106e    1 5            fcn.0040106e
0x00401073    1 5            fcn.00401073
0x00401078    1 5            fcn.00401078
0x00401087    1 10   -> 5    fcn.00401087
0x00401091    1 5            sub.KERNEL32.dll_LoadLibraryA_91
0x00401096    1 5            sub.ADVAPI32.dll_RegCreateKeyExA_96
0x0040109b    1 5            sub.KERNEL32.dll_FindResourceA_9b
0x004010a0    1 10   -> 5    sub.WININET.dll_InternetOpenUrlA_a0
0x004010aa    1 5            fcn.004010aa
0x004010af    1 5            sub.KERNEL32.dll_IsBadReadPtr_af
0x004010b4    1 5            sub.KERNEL32.dll_SetLastError_b4
0x004010b9    1 5            sub.KERNEL32.dll_WideCharToMultiByte_b9
0x004010be    1 5            fcn.004010be
0x004010c3    1 5            sub.WININET.dll_InternetGetCookieA_c3
0x004010c8    1 5            sub.KERNEL32.dll_lstrcpyA_c8
0x004010cd    1 5            fcn.004010cd
0x004010d2    1 5            fcn.004010d2
0x004010d7    1 5            fcn.004010d7
0x004010dc    1 10   -> 5    sub.KERNEL32.dll_EnterCriticalSection_dc
0x004010e6    1 10   -> 5    sub.KERNEL32.dll_lstrlenA_e6
0x004010f0    1 5            sub.ADVAPI32.dll_RegOpenKeyExA_f0
0x004010f5    1 10   -> 5    fcn.004010f5
0x004010ff    1 5            sub.KERNEL32.dll_GetSystemInfo_ff
0x00401104    1 5            sub.ADVAPI32.dll_RegOpenKeyExA_104
0x0040110e    1 5            sub.KERNEL32.dll_CreateFileA_10e
0x00401113    1 5            sub.KERNEL32.dll_GetTickCount_113
0x00401118    1 5            sub.ADVAPI32.dll_RegCreateKeyExA_118
0x0040111d    1 5            entry0
0x00401122    1 5            sub.SHELL32.dll_SHGetFolderPathW_122
0x00401127    1 5            sub.KERNEL32.dll_GetTickCount_127
0x0040112c    1 5            sub.KERNEL32.dll_LoadLibraryA_12c
0x00401131    1 5            sub.KERNEL32.dll_lstrlenA_131
0x00401136    1 5            sub.KERNEL32.dll_lstrlenA_136
0x0040113b    1 5            sub.KERNEL32.dll_OpenProcess_13b
0x00401140    1 5            fcn.00401140
0x00401145    1 5            fcn.00401145
0x0040114a    1 5            sub.KERNEL32.dll_GetTickCount_14a
0x0040114f    1 10   -> 5    fcn.0040114f
0x00401159    1 5            fcn.00401159
0x0040115e    1 5            sub.ole32.dll_CoCreateGuid_15e
0x00401168    1 7608 -> 5    fcn.00401168
0x00402f20    4 47           loc.00402f20
0x00403300    1 24           loc.00403300
0x004033c0    1 29           loc.004033c0
0x004033f0    1 54           loc.004033f0
0x00403440    1 110          loc.00403440
0x004038d0    3 91           loc.004038d0
0x00403b70    1 118          loc.00403b70
0x00403ef0    1 98           loc.00403ef0
0x004047b0    1 161          loc.004047b0
0x004057c0    3 268          loc.004057c0
0x004069a0    3 111          loc.004069a0
0x00408860    1 328          loc.00408860
0x00409030    3 356          loc.00409030
0x004091f0    1 182          loc.004091f0
0x00409790    1 6            sub.KERNEL32.dll_Process32Next_790
0x004097a8    1 6            sub.KERNEL32.dll_Process32First_7a8
0x004097ae    1 6            sub.KERNEL32.dll_CreateToolhelp32Snapshot_7ae
0x0040999a    1 6            sub.urlmon.dll_ObtainUserAgentString_99a
0x004099a0    1 6            sub.WS2_32.dll_inet_ntoa_9a0
0x004099a6    1 6            sub.WS2_32.dll_gethostbyname_9a6
0x004099ac    1 6            sub.WS2_32.dll_gethostname_9ac

Trying to disassemble the function using pdf

[0x0040111d]> pdf @ 0x00406F30
Cannot find function at 0x00406f30

Oddly enough, radare will locate the function that is responsible for calling 0x00406F30, which is just a stub at 0x4010AA. The screenshot of this function in IDA is below.

image

In Radare this function can be seen in the function listing and displayed with pdf.

[0x0040111d]> pdf @ 0x4010AA
/ (fcn) fcn.004010aa 5
|           ; var int local_7ch @ ebp-0x7c
|           ; var int local_38h @ ebp-0x38
|           ; var int local_34h @ ebp-0x34
|           ; var int local_30h @ ebp-0x30
|           ; var int local_2ch @ ebp-0x2c
|           ; var int local_28h @ ebp-0x28
|           ; var int local_24h @ ebp-0x24
|           ; var int local_20h @ ebp-0x20
|           ; var int local_1ch @ ebp-0x1c
|           ; var int local_18h @ ebp-0x18
|           ; var int local_14h @ ebp-0x14
|           ; var int local_10h @ ebp-0x10
|           ; var int local_ch @ ebp-0xc
|           ; var int local_8h @ ebp-0x8
|           ; var int local_4h @ ebp-0x4
|           ; arg int arg_8h @ ebp+0x8
|           ; arg int arg_ch @ ebp+0xc
|           ; CALL XREF from 0x004074f0 (unk)
|           ; CALL XREF from 0x004078f2 (unk)
|           ; CALL XREF from 0x00407f58 (unk)
|           ; CALL XREF from 0x0040829e (unk)
\       ,=< 0x004010aa      e9815e0000     jmp 0x406f30
[0x0040111d]> 

Are there some additional arguments that I can use to ensure that Radare will recognize the same functions that IDA found? Is this a bug or a case of user error?

Thank you for the time and I appreciate the help. The attached file is below.

df2a17ca69531b4433e82124c377c264fde4e0b5c15b4e282c8d6afc2b8f0929.zip

All 4 comments

Well, if r2 is not able to detect it (since I don't know if those jmps located at 0x004010aa, and throughout the code, are considered as functions by r2), define it by hand using af @ dir or, from visual mode, using df.

[0x0040111d]> pi 20
jmp 0x405f30
jmp 0x4053e0
jmp 0x403270
jmp 0x408860
jmp 0x4047b0
jmp 0x408d20
jmp 0x403c10
jmp 0x402f20
jmp 0x4071b0
jmp 0x403ef0
jmp 0x407240
jmp 0x402a50
jmp 0x402cb0
jmp 0x4033f0
jmp 0x405ee0
jmp 0x402fb0
jmp 0x403b10
jmp 0x406680

Besides, using aap, which searches for preludes, should fix it. It seems that -A or aaaa does not trigger this analysis.
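The two mechanisms discussed in this thread, following a jmp thunk to its target and scanning a section for function preludes (what aap does), are modelled below in an added example. This is not radare2's code and it does not read the attached binary: it builds a small, constructed 32-bit x86 code blob with one jmp-rel32 stub and one target function that begins with the classic push ebp / mov ebp, esp prologue, then shows that the target is only discovered once thunks are followed or preludes are scanned. The load address 0x401000, the byte layout and all helper names are assumptions made for the example.

```python
"""
Added example (not radare2 code): a minimal model of r2's prelude scan
(`aap`) and of following `jmp rel32` thunks, for the situation in this
issue where the real function sits behind a 5-byte jmp stub.
All bytes below are constructed inline; nothing is read from disk.
"""
import struct

IMAGE_BASE = 0x400000
TEXT_VA = IMAGE_BASE + 0x1000  # assumed load address of the constructed blob

# Common 32-bit x86 function preludes: push ebp; mov ebp, esp.
# Two different encodings exist for `mov ebp, esp`; a scan must try both.
PRELUDES = [
    b"\x55\x8b\xec",  # 8B /r form (typical MSVC output)
    b"\x55\x89\xe5",  # 89 /r form (typical GCC output)
]


def build_image():
    """Construct the sample code blob. Returns (code, thunk_va, target_va)."""
    code = bytearray()
    thunk_off = 0
    code += b"\xe9\x00\x00\x00\x00"      # jmp rel32 (displacement patched below)
    code += b"\xcc" * 11                 # int3 padding, not a function
    target_off = len(code)
    # target: push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret
    code += b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3"
    # rel32 is relative to the end of the 5-byte jmp: target = jmp + 5 + rel
    rel = target_off - (thunk_off + 5)
    code[thunk_off + 1:thunk_off + 5] = struct.pack("<i", rel)
    return bytes(code), TEXT_VA + thunk_off, TEXT_VA + target_off


def scan_preludes(code, base=TEXT_VA):
    """VAs of every prelude match, like `aap` over an executable section."""
    found = set()
    for pat in PRELUDES:
        i = code.find(pat)
        while i != -1:
            found.add(base + i)
            i = code.find(pat, i + 1)
    return sorted(found)


def follow_jmp_thunks(code, base=TEXT_VA):
    """Map VA(thunk) -> VA(target) for each in-image `jmp rel32` (E9).
    A byte scan is used here for brevity; a real analyser would walk
    instruction boundaries so that an E9 inside another instruction
    is not mistaken for a jump."""
    thunks = {}
    for i in range(len(code) - 4):
        if code[i] == 0xE9:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = base + i + 5 + rel
            if base <= target < base + len(code):
                thunks[base + i] = target
    return thunks


def discover_functions(code, base=TEXT_VA):
    """Union of thunk stubs (what the issue's `afl` already listed), the
    stubs' jmp targets, and prelude hits: the set an analyst expects."""
    thunks = follow_jmp_thunks(code, base)
    return sorted(set(thunks) | set(thunks.values()) | set(scan_preludes(code, base)))


if __name__ == "__main__":
    code, thunk_va, target_va = build_image()
    print("thunk   %#x -> %#x" % (thunk_va, follow_jmp_thunks(code)[thunk_va]))
    print("prelude hits:", [hex(v) for v in scan_preludes(code)])
    print("functions   :", [hex(v) for v in discover_functions(code)])
```

Run stand-alone, the script prints the thunk at 0x401000 resolving to 0x401010, the same address the prelude scan finds; only the thunk would appear without either step, which mirrors the afl listing in this issue where fcn.004010aa was present but 0x406f30 was not.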

That does seem to find the function now.

r2 -A 0b322ccfe2431909dff50c4735e9ef01
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[ ] [*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan))
 -- There's a branch for that.

And then running aap

[0x0040111d]> aap
[>] Scanning mrwx 0x401000 - 0x40ac00 done
Analyzed 60 functions based on preludes

Disassembling the function at 0x00406f30 (which was previously not found)

[0x0040111d]> pdf @ 0x00406f30
/ (fcn) fcn.00406f30 206
|           ; var int local_7ch @ ebp-0x7c
|           ; var int local_38h @ ebp-0x38
|           ; var int local_34h @ ebp-0x34
|           ; var int local_30h @ ebp-0x30
|           ; var int local_2ch @ ebp-0x2c
|           ; var int local_28h @ ebp-0x28
....

Is this behavior something that should run automatically with aaaa?

Stop using aaa or aaaa on special cases; learn how to use the other aa? commands.
