Hello,
I tested function detection on a VisualStudio binary with not much more than one function, and it seems the function is found but its length is not determined correctly. Binary attached, pw: infected
The function in question is located at 0x401090; when disassembled with pdf @ ..., the output ends at 0x40118a, though the true end of the function is at 0x401248.
Also curious, when listing functions with afl I see that radare does not detect functions between 0x401090 and 0x40149e at all, although there should be some.
There's function size and boundary, which may differ if it contains shared basic blocks or far jumps. I can't check the binary now, but I would like to know which command you used to analyze the binary and if we miss any noreturn function in the registry (what does the function look like, ending with a call to exit or so?)
On 23 Sep 2016, at 12:13, pinkflawd [email protected] wrote:
ConsoleApplication1.zip
Ohai :)
I used 'aaa'.
Here are the last instructions when issuing pdf @ 0x401090:
| | 0x00401167 8be5 mov esp, ebp
| | 0x00401169 5d pop ebp
| | 0x0040116a c3 ret
| | ; JMP XREF from 0x0040110c (fcn.00401090)
| `--> 0x0040116b 8b5dfc mov ebx, dword [ebp - local_4h]
| 0x0040116e 83fb18 cmp ebx, 0x18 ; "@"
| ,=< 0x00401171 7272 jb 0x4011e5
| | 0x00401173 b810000000 mov eax, 0x10
| | 0x00401178 8d7708 lea esi, [edi + 8] ; 0x8
| | 0x0040117b 2bc7 sub eax, edi
| | 0x0040117d 8945d8 mov dword [ebp - local_28h], eax
| | 0x00401180 8bf8 mov edi, eax
| | ; JMP XREF from 0x004011e0 (unk)
| | 0x00401182 8b46fc mov eax, dword [esi - 4]
| | 0x00401185 83f803 cmp eax, 3
| ,==< 0x00401188 773e ja 0x4011c8
\ || 0x0040118a ff24854c1240. jmp dword [eax*4 + 0x40124c]
Here is what the end of the function should be:
0x00401226 ff75e4 push dword [ebp - 0x1c]
0x00401229 ff75e0 push dword [ebp - 0x20]
0x0040122c 6810244000 push str.Number_of_processor_L1_L2_L3_caches:__d__d__d_n ; str.Number_of_processor_L1_L2_L3_caches:__d__d__d_n ; "N" @ 0x402410
0x00401231 e8dafdffff call fcn.00401010
0x00401236 57 push edi
0x00401237 ff1554204000 call dword [sym.imp.api_ms_win_crt_heap_l1_1_0.dll_free] ; sym.imp.api_ms_win_crt_heap_l1_1_0.dll_free
0x0040123d 83c438 add esp, 0x38 ; '8'
0x00401240 33c0 xor eax, eax
0x00401242 5e pop esi
0x00401243 5f pop edi
0x00401244 5b pop ebx
0x00401245 8be5 mov esp, ebp
0x00401247 5d pop ebp
0x00401248 c3 ret
Try e anal.jmptbl = true ; aaa
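To make the mechanism behind anal.jmptbl concrete, here is an added Python example (mine, not radare2's code) that applies the same idea to the listing above: it finds the bounded indirect jmp dword [eax*4 + 0x40124c], takes the case count from the preceding cmp eax, 3 / ja guard, and reads that many little-endian dword targets from a jump table; the table contents and case addresses are constructed, since the issue does not show them.

```python
import re
import struct

# Constructed excerpt of the pdf output quoted in this thread (graph art stripped).
LISTING = """\
0x00401182 8b46fc mov eax, dword [esi - 4]
0x00401185 83f803 cmp eax, 3
0x00401188 773e ja 0x4011c8
0x0040118a ff24854c1240. jmp dword [eax*4 + 0x40124c]
"""

# Constructed jump table at 0x40124c: four little-endian dword case targets.
# The values are hypothetical; the real table bytes are not shown in the issue.
TABLE_BASE = 0x40124C
TABLE_BYTES = struct.pack("<4I", 0x401191, 0x4011A3, 0x4011B2, 0x4011C0)

JMP_RE = re.compile(r"^0x([0-9a-f]+)\s+\S+\s+jmp dword \[(\w+)\*4 \+ 0x([0-9a-f]+)\]$")
CMP_RE = re.compile(r"cmp (\w+), (0x[0-9a-f]+|\d+)$")
JA_RE = re.compile(r"ja 0x([0-9a-f]+)$")


def resolve_jump_table(listing, table_base, table_bytes):
    """Return (default_target, [case targets]) for a bounded indirect jmp, else None."""
    lines = [l.split(";")[0].strip() for l in listing.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = JMP_RE.match(line)
        if not m or int(m.group(3), 16) != table_base:
            continue
        idx_reg = m.group(2)
        limit = default = None
        # Walk backwards for the "ja default" guard and the "cmp idx, N" bound.
        for prev in reversed(lines[:i]):
            c = CMP_RE.search(prev)
            if c and c.group(1) == idx_reg:
                limit = int(c.group(2), 0)
                break
            j = JA_RE.search(prev)
            if j:
                default = int(j.group(1), 16)
        if limit is None or default is None:
            return None  # unbounded indirect jmp: an analyser has to stop here
        count = limit + 1  # valid indices are 0..N inclusive
        targets = list(struct.unpack(f"<{count}I", table_bytes[: 4 * count]))
        return default, targets
    return None
```

Once the case targets are known, analysis can continue into each case block and into the default block, which is why the function is no longer cut off at 0x40118a.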
Cool, with this pdf finds the end of the function correctly. The missing functions above 0x40149e are still missing though.
Thanks!
Is it detected with e anal.hasnext=true ; aaa ?
@radare @pinkflawd just added a test https://github.com/radare/radare2-regressions/commit/92dc3729bbfed760e1529b2ec693aa99c691107a
Will we see jmptbl activated by default soon?
Yep but not before the release. I want to do some more tests with it before enabling it
On 23 Sep 2016, at 18:07, Maijin [email protected] wrote:
This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.
These are the last instructions printed by pdf @ 0x401090.
│ 0x0040123d 83c438 add esp, 0x38
│ 0x00401240 33c0 xor eax, eax
│ 0x00401242 5e pop esi
│ 0x00401243 5f pop edi
│ 0x00401244 5b pop ebx
│ 0x00401245 8be5 mov esp, ebp
│ 0x00401247 5d pop ebp
│ 0x00401248 c3 ret
Closing because it seems to be solved. Please re-open if you think otherwise, or just create a new issue.
Oh yeah, that's fixed, awesome!