
Radare2 does not find XREF for Xtensa

Open cryptax opened this issue 2 years ago • 6 comments

Environment

Tue 26 Jul 2022 04:04:40 PM CEST
radare2 5.7.5 28611 @ linux-x86-64 git.5.7.4-104-g03b1b2325
commit: 03b1b23256edb52e5e33df3c44a24f919be1a10b build: 2022-07-26__16:09:06
Linux x86_64

Description

I want to find where a given string is used in the code (Cross reference). I expect axt (or axf) to provide the address of where the string is used. Or I expect pd 1 @ str.address to show the XREF in disassembly comment.

Unfortunately, this is not the case. axt, axf, pd 1 .. do not provide any XREF although an XREF does exist (and there is nothing particularly sneaky with it).

The issue seems to occur for any Xtensa ELF file.

Test

I am supplying a test: this is the zipped ELF file. demoxref.elf.zip

$ file demoxref.elf
demoxref.elf: ELF 32-bit LSB executable, Tensilica Xtensa, version 1 (SYSV), statically linked, not stripped
$ sha256sum demoxref.elf 
d09d316a8a177d69f26da971722b32e51c4780e09c7657434b7e5ab828ff4001  demoxref.elf

Let's analyze demoxref.elf with radare2, and for instance, we're going to try and find xrefs using the string "Greetz from @cryptax".

$ r2 ./demoxref.elf
[0x40082af8]> aaa
[0x40082af8]> iz~cryptax
5    0x00000378 0x3f400120 20  21   .flash.rodata ascii   Greetz from @cryptax

We have the address (0x3f400120) of the string. Usually, using pd 1 on the address provides the XREF in a comment. But this is not the case for this executable :(

[0x40082af8]> pd 1 @ 0x3f400120
            ;-- str.Greetz_from__cryptax:
            0x3f400120     .string "Greetz from @cryptax" ; len=21     ; branch if bit clear immediate

Let's try another solution, and use axf and axt. Unfortunately, they do not show any xref either :(

[0x40082af8]> s 0x3f400120
[0x3f400120]> axt
[0x3f400120]> axf

The string is used. Proof:

[0x400d0020]> s 0x400d11e5
[0x400d11e5]> pd 20
            0x400d11e5      d192fb         l32r a13, 0x400d0030        ; load 32-bit PC-relative ; a13=0x3f400120 "Greetz from @cryptax" str.Greetz_from__cryptax
            0x400d11e8      ad02           mov.n a10, a2               ; narrow move ; a10=0xffff
            0x400d11ea      3c2c           movi.n a12, 50              ; narrow move immediate ; a12=0x32

I would have expected the output of pd 1... to display the xref (0x400d11e5). For example, something like:

[0x40082af8]> pd 1 @ 0x3f400120
            ;-- str.Greetz_from__cryptax: XREF at 0x400d11e5
            0x3f400120     .string "Greetz from @cryptax" ; len=21     ; branch if bit clear immediate

There is a temporary workaround to find the XREF: search the entire code section for the string: pd 0x21010~cryptax. However, this is not a reasonable solution because it is very slow on normally sized executables (the one I supplied is extremely small). Not the way to do it...

[0x400d0020]> pd 0x21010~cryptax
            0x400d11e5      d192fb         l32r a13, 0x400d0030        ; load 32-bit PC-relative ; a13=0x3f400120 "Greetz from @cryptax" str.Greetz_from__cryptax

cryptax avatar Jul 26 '22 14:07 cryptax

The '/r' works for you? How slow is it in your scenario?

richardpl avatar Jul 26 '22 16:07 richardpl

That looks like a computed reference to me as the xref appears after aae

trufae avatar Jul 28 '22 04:07 trufae

If you enable asm.emu=true you get this

Screenshot 2022-07-28 at 00 30 53

trufae avatar Jul 28 '22 04:07 trufae

Screenshot 2022-07-28 at 00 31 36

trufae avatar Jul 28 '22 04:07 trufae

Ok this works fine! You need both e asm.emu=true and aae. May I ask why? Why do we have to "emulate assembly"?

A slightly strange thing also is that pd 1 reports the 2 function names for XREF, while axt says "nofunc" for one of them... ?

[0x3f400120]> pd 1
            ;-- str.Greetz_from__cryptax:
            ;-- pc:
            ; DATA XREF from fcn.4008a99c @ 0x4008a9f7(r)
            ; DATA XREF from fcn.400d0ae8 @ +0x6fd(r)
            0x3f400120     .string "Greetz_from__cryptax" ; len=20     ; branch if bit clear immediate
[0x3f400120]> axt
fcn.4008a99c 0x4008a9f7 [DATA:r--] l32r a10, str.Greetz_from__cryptax
(nofunc) 0x400d11e5 [DATA:r--] l32r a13, str.Greetz_from__cryptax

and actually axt looks correct, because fcn.400d0ae8 does not have any reference to the string, if I am correct.

cryptax avatar Jul 28 '22 06:07 cryptax
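Why a plain disassembly pass misses this reference, as an added example (not radare2's code): on Xtensa, l32r does not encode the string address at all; it loads a 32-bit pointer from a PC-relative literal pool, so the xref only exists once that literal word is actually read, which is what aae's emulation does. The code bytes and the literal value below are constructed from the output quoted in this thread; everything else is an assumption of this example.

```python
import struct

# Constructed from the thread: the three instructions at 0x400d11e5
# (l32r a13,0x400d0030 ; mov.n a10,a2 ; movi.n a12,50) and the literal
# pool word at 0x400d0030 that radare2 showed resolving to the string.
CODE_BASE = 0x400d11e5
CODE = bytes.fromhex("d192fb" "ad02" "3c2c")
LITERALS = {0x400d0030: struct.pack("<I", 0x3f400120)}  # constructed pool
STRING_ADDR = 0x3f400120  # str.Greetz_from__cryptax


def insn_len(first_byte):
    """Core Xtensa ISA: op0 (low nibble) 8..13 are 16-bit narrow forms, else 24-bit."""
    return 2 if 8 <= (first_byte & 0xF) <= 13 else 3


def l32r_target(pc, insn):
    """Return the literal address an L32R at pc reads, or None if insn is not L32R.
    L32R: op0 == 1, 'at' register in bits 4..7, imm16 in bits 8..23; the immediate
    is one-extended (always negative), shifted left 2 and added to (pc + 3) & ~3."""
    if len(insn) != 3 or (insn[0] & 0xF) != 1:
        return None
    imm16 = insn[1] | (insn[2] << 8)
    offset = ((imm16 | 0xFFFF0000) << 2) & 0xFFFFFFFF
    return (((pc + 3) & ~3) + offset) & 0xFFFFFFFF


def read_u32(mem, addr):
    """Read a little-endian 32-bit word from the constructed literal pool."""
    word = mem.get(addr)
    return struct.unpack("<I", word)[0] if word else None


def find_l32r_xrefs(code_base, code, literals, target):
    """Linear sweep: for every L32R, resolve its literal and report the instruction
    address when the loaded pointer equals target (the indirection aae resolves)."""
    xrefs, pc = [], code_base
    while pc - code_base < len(code):
        off = pc - code_base
        n = insn_len(code[off])
        lit = l32r_target(pc, code[off:off + n])
        if lit is not None and read_u32(literals, lit) == target:
            xrefs.append((pc, lit))
        pc += n
    return xrefs


if __name__ == "__main__":
    for pc, lit in find_l32r_xrefs(CODE_BASE, CODE, LITERALS, STRING_ADDR):
        print(f"DATA XREF to {STRING_ADDR:#x} from {pc:#x} via literal {lit:#x}")
```

Without reading the literal word, the l32r's operand is only 0x400d0030, which is why the string-search workaround above (pd ...~cryptax) only works because radare2 had already annotated the resolved value in the comment.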

Can we close this ticket?

trufae avatar Sep 14 '22 15:09 trufae

sure!

cryptax avatar Oct 07 '22 10:10 cryptax

sorry, but the reason is not given

andrewpedia avatar Jul 27 '23 11:07 andrewpedia

What do you mean?

trufae avatar Jul 27 '23 11:07 trufae

> Ok this works fine! You need both e asm.emu=true and aae. May I ask why? Why do we have to "emulate assembly"?
>
> A slightly strange thing also is that pd 1 reports the 2 function names for XREF, while axt says "nofunc" for one of them... ?
>
> [0x3f400120]> pd 1
>             ;-- str.Greetz_from__cryptax:
>             ;-- pc:
>             ; DATA XREF from fcn.4008a99c @ 0x4008a9f7(r)
>             ; DATA XREF from fcn.400d0ae8 @ +0x6fd(r)
>             0x3f400120     .string "Greetz_from__cryptax" ; len=20     ; branch if bit clear immediate
> [0x3f400120]> axt
> fcn.4008a99c 0x4008a9f7 [DATA:r--] l32r a10, str.Greetz_from__cryptax
> (nofunc) 0x400d11e5 [DATA:r--] l32r a13, str.Greetz_from__cryptax
>
> and actually axt looks correct, because fcn.400d0ae8 does not have any reference to the string, if I am correct.

the answer? please

andrewpedia avatar Jul 27 '23 13:07 andrewpedia

Just run "aae" to find computed xrefs. Not sure if that's your question anyway. It's already solved unless there's something I'm missing and it's not clear

trufae avatar Jul 27 '23 15:07 trufae

thanks.

andrewpedia avatar Aug 01 '23 17:08 andrewpedia