Radare2: Function detection issue

Created on 23 Sep 2016 · 10 Comments · Source: radareorg/radare2

Hello,

I tested function detection on a VisualStudio binary with not much more than one function, and it seems the function is found but its length is not determined correctly. Binary attached, password: infected

The function in question is located at 0x401090; when disassembled with pdf @ ..., the output ends at 0x40118a. The true end of the function, though, is at 0x401248.

Also curious: when listing functions with afl, I see that radare does not detect functions between 0x401090 and 0x40149e at all, although there should be some.

ConsoleApplication1.zip

RAnal bug test-required


All 10 comments

There's function size and boundary, which may differ if it contains shared basic blocks or far jumps. I can't check the binary now, but I would like to know which command you used to analyze the binary and whether we miss any noreturn function in the registry (what does the function look like? Does it end with a call to exit or so?).


Ohai :)
I used 'aaa'.

Here are the last instructions printed when issuing pdf @ 0x401090:

|      |    0x00401167      8be5           mov esp, ebp
|      |    0x00401169      5d             pop ebp
|      |    0x0040116a      c3             ret
|      |    ; JMP XREF from 0x0040110c (fcn.00401090)
|      `--> 0x0040116b      8b5dfc         mov ebx, dword [ebp - local_4h]
|           0x0040116e      83fb18         cmp ebx, 0x18               ; "@"
|       ,=< 0x00401171      7272           jb 0x4011e5
|       |   0x00401173      b810000000     mov eax, 0x10
|       |   0x00401178      8d7708         lea esi, [edi + 8]          ; 0x8
|       |   0x0040117b      2bc7           sub eax, edi
|       |   0x0040117d      8945d8         mov dword [ebp - local_28h], eax
|       |   0x00401180      8bf8           mov edi, eax
|       |   ; JMP XREF from 0x004011e0 (unk)
|       |   0x00401182      8b46fc         mov eax, dword [esi - 4]
|       |   0x00401185      83f803         cmp eax, 3
|      ,==< 0x00401188      773e           ja 0x4011c8
\      ||   0x0040118a      ff24854c1240.  jmp dword [eax*4 + 0x40124c]

Here is what the end of the function should be:

            0x00401226      ff75e4         push dword [ebp - 0x1c]
            0x00401229      ff75e0         push dword [ebp - 0x20]
            0x0040122c      6810244000     push str.Number_of_processor_L1_L2_L3_caches:__d__d__d_n ; str.Number_of_processor_L1_L2_L3_caches:__d__d__d_n ; "N" @ 0x402410
            0x00401231      e8dafdffff     call fcn.00401010
            0x00401236      57             push edi
            0x00401237      ff1554204000   call dword [sym.imp.api_ms_win_crt_heap_l1_1_0.dll_free] ; sym.imp.api_ms_win_crt_heap_l1_1_0.dll_free
            0x0040123d      83c438         add esp, 0x38               ; '8'
            0x00401240      33c0           xor eax, eax
            0x00401242      5e             pop esi
            0x00401243      5f             pop edi
            0x00401244      5b             pop ebx
            0x00401245      8be5           mov esp, ebp
            0x00401247      5d             pop ebp
            0x00401248      c3             ret

Try e anal.jmptbl=true; aaa
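
An added example, written for this page and not code from radare2 or from the reporter, of what a jump-table pass such as anal.jmptbl has to recover from the dispatch shown in the pdf output above (cmp eax, 3 / ja / jmp dword [eax*4 + 0x40124c]). It runs over a constructed 32-bit image that reproduces only the bytes at 0x401182..0x40118a; the four table entries and their case targets are made up, the image is padded with int3 filler, and stepping back a fixed 5 bytes from the jmp to find the guard is an assumption that holds only for this exact instruction shape.

```python
import struct

# Constructed 32-bit image for illustration; it is NOT the ConsoleApplication1
# binary from the issue. Only the dispatch seen in the pdf output at
# 0x401182..0x40118a is reproduced byte for byte; everything else (filler,
# the four table entries, their targets) is made up.
IMAGE_BASE = 0x401182
TABLE_VA = 0x40124c                                      # from "jmp dword [eax*4 + 0x40124c]"
CASE_TARGETS = [0x40118c, 0x4011a0, 0x4011b4, 0x4011c0]  # constructed, not the real ones


def build_image():
    """Bytes of the constructed image, contiguous from IMAGE_BASE."""
    code = bytes.fromhex("8b46fc")                       # 0x401182  mov eax, dword [esi - 4]
    code += bytes.fromhex("83f803")                      # 0x401185  cmp eax, 3
    code += bytes.fromhex("773e")                        # 0x401188  ja 0x4011c8
    code += bytes.fromhex("ff2485") + struct.pack("<I", TABLE_VA)  # 0x40118a  jmp dword [eax*4 + table]
    filler = b"\xcc" * (TABLE_VA - IMAGE_BASE - len(code))          # int3 padding up to the table
    table = b"".join(struct.pack("<I", t) for t in CASE_TARGETS)    # little-endian dword entries
    return code + filler + table


def decode_at(image, base, va):
    """Decode just the three instruction forms this pattern needs.

    Returns (kind, length, operand) or None. The operand is the imm8 for cmp,
    the branch target for ja, and the table address for the indirect jmp.
    """
    off = va - base
    if off < 0 or off >= len(image):
        return None
    b = image[off:off + 7]
    if len(b) >= 3 and b[:2] == b"\x83\xf8":             # 83 /7 ib: cmp eax, imm8 (sign-extended)
        return ("cmp_eax_imm8", 3, struct.unpack("<b", b[2:3])[0])
    if len(b) >= 2 and b[:1] == b"\x77":                 # 77 rel8: ja (unsigned above)
        rel = struct.unpack("<b", b[1:2])[0]
        return ("ja", 2, va + 2 + rel)
    if len(b) >= 7 and b[:3] == b"\xff\x24\x85":         # ff /4, SIB = eax*4 + disp32, no base
        return ("jmp_table", 7, struct.unpack("<I", b[3:7])[0])
    return None


def resolve_jump_table(image, base, cmp_va, max_entries=1024):
    """Resolve `cmp eax, N; ja default; jmp dword [eax*4 + table]` at cmp_va.

    Returns (default_target, case_targets). The ja is taken when eax > N
    (unsigned), so exactly N+1 entries are live. Anything that does not match
    this shape raises: an indirect jmp without a visible bound must stay
    unresolved, because no number of table entries can then be trusted.
    """
    cmp_ = decode_at(image, base, cmp_va)
    if not cmp_ or cmp_[0] != "cmp_eax_imm8":
        raise ValueError("no bounding cmp eax, imm8 at 0x%x" % cmp_va)
    ja = decode_at(image, base, cmp_va + cmp_[1])
    if not ja or ja[0] != "ja":
        raise ValueError("no ja guard after the cmp")
    jmp = decode_at(image, base, cmp_va + cmp_[1] + ja[1])
    if not jmp or jmp[0] != "jmp_table":
        raise ValueError("no jmp dword [eax*4 + disp32] after the guard")
    n = cmp_[2]
    if n < 0 or n + 1 > max_entries:
        raise ValueError("implausible case count %d" % (n + 1))
    start = jmp[2] - base
    end = start + 4 * (n + 1)
    if start < 0 or end > len(image):
        raise ValueError("jump table not inside the mapped image")
    targets = [struct.unpack_from("<I", image, start + 4 * i)[0] for i in range(n + 1)]
    return ja[2], targets


def successors(image, base, jmp_va, use_jmptbl):
    """Control-flow successors of the indirect jmp at jmp_va.

    With use_jmptbl=False the edge set is empty, which is why the function in
    the issue simply stops at 0x40118a. With it on, the guard is found by
    stepping back over the fixed-size ja (2) and cmp (3) of this exact shape;
    a real analyzer tracks the bound instead of assuming the layout.
    """
    if not use_jmptbl:
        return []
    _default, targets = resolve_jump_table(image, base, jmp_va - 5)
    return targets


if __name__ == "__main__":
    img = build_image()
    default, cases = resolve_jump_table(img, IMAGE_BASE, 0x401185)
    print("default: 0x%x" % default)
    for i, t in enumerate(cases):
        print("case %d -> 0x%x" % (i, t))
    print("successors without jmptbl:", successors(img, IMAGE_BASE, 0x40118a, False))
```

Without the bound the indirect jmp has no successors, so linear disassembly of the function is a dead end at 0x40118a; with the cmp/ja guard recognised, N+1 entries are read and each becomes an edge, which is what lets the analysis continue into the case bodies and reach the real epilogue at 0x401248. The bounds check on the table and the cap on the entry count are there because the table pointer and the immediate come from the binary being analysed, which is untrusted input to the analyser.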

Cool, with this pdf finds the end of the function correctly. The missing functions above 0x40149e are still missing, though.
Thanks!

Is it detected with e anal.hasnext=true; aaa?

@radare @pinkflawd just added a test https://github.com/radare/radare2-regressions/commit/92dc3729bbfed760e1529b2ec693aa99c691107a

Will we see jmptbl activated by default soon?

Yep, but not before the release. I want to do some more tests with it before enabling it.


This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.

These are the last instructions printed by pdf @ 0x401090.

│           0x0040123d      83c438         add esp, 0x38
│           0x00401240      33c0           xor eax, eax
│           0x00401242      5e             pop esi
│           0x00401243      5f             pop edi
│           0x00401244      5b             pop ebx
│           0x00401245      8be5           mov esp, ebp
│           0x00401247      5d             pop ebp
└           0x00401248      c3             ret

Closing because it seems to be solved. Please re-open if you think otherwise, or just create a new issue.

Oh yeah that's fixed awesome!
