
String detection via aae on ARM Thumb binary fails

Status: Open. AlexanderKrampe opened this issue 2 years ago • 1 comment

Environment


Do 26. Jan 14:47:18 CET 2023

radare2 5.8.3 29823 @ linux-x86-64 git.5.8.2-2-g4d256dbae1
commit: 4d256dbae164e50a060d3e35be7dbd1506580853 build: 2023-01-23__17:39:08

Linux x86_64

Description

When running aae on (some) ARM binaries, the pointer to the string gets substituted with the whole string, overwriting program code. Some parts of fcn.08000380 get overwritten with a string.

[Image: BeforeAAE] [Image: AfterAAE]

First picture: before running aae. Second picture: after running aae.

Test

To reproduce: Load binary from here (original from attify): click me

I used this configuration in an r2 script:

    e asm.arch=arm
    e asm.bits=16
    e asm.emu = true
    e emu.str=true
    e anal.loads=true
    e asm.cpu=cortex
    e anal.strings=true
    e r2ghidra.roprop=3
    e r2ghidra.indent=2
    e anal.armthumb=true
    e bin.baddr = 0x08000000
    f flash = 0x08000000
    on STM32F103C-firmware.bin flash rwx
    om 3 0xE0000000 0x100000 0xE0000000 rw- Peripherals
    om 3 0x20000000 0x5000 0x20000000 rwx SRAM
    om 3 0x00000000 0xffff 0x00000000 rwx flash_mirror

Then run aap and aac to get the output of the first picture. After running the two commands above run aae to get the output of the second picture.
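As an added diagnostic (example code, not part of this issue or of radare2), the script below snapshots the raw bytes of fcn.08000380 before and after aae so one can tell whether the emulation actually patched the io buffer or only changed the disassembly metadata. It assumes the r2pipe Python package is installed, the firmware from the issue is in the working directory, and a 0x100-byte window (FUNC_SIZE is an assumed value, not from the report).

```python
"""Compare the bytes of a function before and after `aae` in radare2."""
import sys
from typing import List, Tuple

FUNC_ADDR = 0x08000380   # fcn.08000380, named in the issue
FUNC_SIZE = 0x100        # assumption: size of the byte window to compare

# Subset of the issue's r2 script; arch/bits/base address are passed as
# command-line flags to r2pipe.open() instead, since the file is already
# loaded by the time `e` commands run.
R2_SETUP = [
    "e asm.emu=true", "e emu.str=true", "e anal.loads=true",
    "e asm.cpu=cortex", "e anal.strings=true", "e anal.armthumb=true",
]


def diff_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return [(start, end)] offsets (end exclusive) where the two byte
    images differ. Only the common prefix of the two buffers is compared."""
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i                      # entering a differing run
        elif a == b and start is not None:
            ranges.append((start, i))      # leaving a differing run
            start = None
    if start is not None:
        ranges.append((start, min(len(before), len(after))))
    return ranges


def main(path: str) -> None:
    import r2pipe  # assumption: `pip install r2pipe`
    r2 = r2pipe.open(path, flags=["-a", "arm", "-b", "16", "-m", "0x08000000"])
    for cmd in R2_SETUP:
        r2.cmd(cmd)
    r2.cmd("aap; aac")                     # first picture in the issue
    dump = f"p8 {FUNC_SIZE} @ {FUNC_ADDR:#x}"
    before = bytes.fromhex(r2.cmd(dump).strip())
    r2.cmd("aae")                          # second picture in the issue
    after = bytes.fromhex(r2.cmd(dump).strip())
    changed = diff_ranges(before, after)
    if not changed:
        print("bytes unchanged: the overwrite is in analysis/metadata, not in the io buffer")
    for s, e in changed:
        print(f"bytes differ at {FUNC_ADDR + s:#x}-{FUNC_ADDR + e:#x}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "STM32F103C-firmware.bin")
```

An empty result points at the string/data annotations rather than the loaded bytes, which narrows where to look in the analysis code.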

AlexanderKrampe, Jan 26 '23 14:01