Disassembly prints incorrectly after pd -55
Environment
Tue May 31 04:19:38 EDT 2022
radare2 5.6.9 28192 @ darwin-arm-64 git.5.5.0-1048-g85c77e26b
commit: 85c77e26b3afe1221c5b28ccb38d22100c882a30 build: 2022-05-23__17:02:49
Darwin arm64
Description
When I try to print disassembly backwards from a given offset, the disassembly suddenly gets incorrect after a certain threshold.
Test
First, seek to my target address:
> s 0x1000018bf
For example's sake, look around:
[0x1000018bf]> pd -5
│ 0x1000018a5 e806faffff call sym.func.1000012b0
│ 0x1000018aa 488d051f0800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ 0x1000018b1 48058c000000 add rax, 0x8c ; 140
│ 0x1000018b7 4889c7 mov rdi, rax ; int64_t arg1
│ 0x1000018ba be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
[0x1000018bf]> pd 5
│ 0x1000018bf e8fcf8ffff call sym.func.1000011c0
│ 0x1000018c4 488d05050800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ 0x1000018cb 4883c05b add rax, 0x5b ; 91
│ 0x1000018cf 4889c7 mov rdi, rax ; int64_t arg1
│ 0x1000018d2 be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
[0x1000018bf]>
I'm specifically trying to backtrace from this address to get a set of instructions to potentially emulate; however, behavior gets weird after trying to backtrace past a certain threshold, seemingly 55.
Here's -54 where disassembly is still correct:
[0x1000018bf]> pd -54
...
TRUNCATED
...
│ 0x10000188b e820faffff call sym.func.1000012b0
│ │ 0x100001890 488d05390800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ │ 0x100001897 48058c000000 add rax, 0x8c ; 140
│ │ 0x10000189d 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x1000018a0 be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
│ │ 0x1000018a5 e806faffff call sym.func.1000012b0
│ │ 0x1000018aa 488d051f0800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ │ 0x1000018b1 48058c000000 add rax, 0x8c ; 140
│ │ 0x1000018b7 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x1000018ba be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
And now here's -55 where things go bad:
[0x1000018bf]> pd -55
...
TRUNCATED
...
0x10000188b e820faffff call sym.func.1000012b0
│ │ 0x100001890 488d05390800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ │ 0x100001897 48058c000000 add rax, 0x8c ; 140
│ │ 0x10000189d 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x1000018a0 be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
│ │ 0x1000018a5 e806faffff call sym.func.1000012b0
│ │ 0x1000018aa f9 stc ; 0x1000020d0
│ │ ; section.8.__DATA.__data
│ │ 0x1000018ab ff invalid
│ │ 0x1000018ac ff83f8000f84 inc dword [rbx - 0x7bf0ff08]
│ │ 0x1000018b2 058c000000 add eax, 0x8c ; 140
Disassembly starts printing incorrectly at address 0x1000018aa. Any number <= 54 seems to print okay while any number >= 55 prints incorrectly.
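An added consistency check (my own example script, not part of this issue or of radare2) that parses the two listings quoted above and reports where the pd -55 output diverges from the pd -54 output at the same addresses; the listing lines are copied from this report and trimmed to the instructions around the divergence.

```python
import re
# Listing lines copied from this issue report, trimmed to the instructions around
# the divergence: the correct "pd -54" tail is the reference, "pd -55" is under test.
GOOD_PD_54 = """\
│ │ 0x1000018a5 e806faffff call sym.func.1000012b0
│ │ 0x1000018aa 488d051f0800. lea rax, section.8.__DATA.__data ; 0x1000020d0
│ │ 0x1000018b1 48058c000000 add rax, 0x8c ; 140
│ │ 0x1000018b7 4889c7 mov rdi, rax ; int64_t arg1
│ │ 0x1000018ba be16000000 mov esi, 0x16 ; 22 ; int64_t arg2
"""
BAD_PD_55 = """\
│ │ 0x1000018a5 e806faffff call sym.func.1000012b0
│ │ 0x1000018aa f9 stc ; 0x1000020d0
│ │ ; section.8.__DATA.__data
│ │ 0x1000018ab ff invalid
│ │ 0x1000018ac ff83f8000f84 inc dword [rbx - 0x7bf0ff08]
│ │ 0x1000018b2 058c000000 add eax, 0x8c ; 140
"""
# address, hex byte column (r2 clips long columns with a trailing '.'), asm text
LINE_RE = re.compile(r"(?:^|\s)0x([0-9a-f]+)\s+([0-9a-f]+)(\.?)\s+(\S.*)")

def parse_pd(text):
    """Map instruction start address -> (bytes shown, column was clipped, asm text)."""
    insns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # comment-only lines and prompts do not match
            insns[int(m.group(1), 16)] = (bytes.fromhex(m.group(2)), m.group(3) == ".", m.group(4))
    return insns

def byte_map(insns):
    """Flatten to address -> byte; a clipped column contributes only the bytes shown."""
    return {a + i: b for a, (bs, _, _) in insns.items() for i, b in enumerate(bs)}

def check_listing(reference, candidate):
    """Compare a suspect listing with a trusted one over the same addresses; returns sorted
    (addresses whose byte differs, instruction starts that are not starts in the reference)."""
    ref_bytes = byte_map(reference)
    lo, hi = min(ref_bytes), max(ref_bytes)
    mismatches, bad_starts = [], []
    for addr, (bs, _, _) in candidate.items():
        if lo <= addr <= hi and addr not in reference:
            bad_starts.append(addr)
        mismatches += [addr + i for i, b in enumerate(bs)
                       if addr + i in ref_bytes and ref_bytes[addr + i] != b]
    return sorted(mismatches), sorted(bad_starts)

if __name__ == "__main__":
    bad, starts = check_listing(parse_pd(GOOD_PD_54), parse_pd(BAD_PD_55))
    print("first bad byte at %#x; misaligned starts: %s" % (bad[0], [hex(a) for a in starts]))
```

The first reported address is 0x1000018aa, matching the report, while the bytes from 0x1000018b2 on agree again with the reference, so the damage is confined to the bytes read around the block boundary rather than to the decoder.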
That's affected by the blocksize. Try using a bigger blocksize like b 0x400 as a workaround before doing the negative disasm. But still with this the last instruction printed is sometimes wrong. So that will need further review and a proper fix.