radare2
zignature includes bytes which are a pointer to data
Environment
radare2 5.9.8 1 @ windows-x86-64
birth: git.5.9.8 Tue 11/19/2024__11:46:03.42
commit: 4eb49d5ad8c99eaecc8850a2f10bad407067c898
options: gpl -O? cs:5 cl:1 meson
Description
I have been generating signatures for some executables using rasign and then using them with YARA.
I noticed with some samples that certain bytes aren't masked, even though they point to data.
Test
For example, loading this sample^sample_hash and creating a signature for the following function (aaaa; s 0x4070A0; zaf):
[0x004070a0]> pd 10
/ 84: fcn.004070a0 ();
| 0x004070a0 55 push ebp
| 0x004070a1 8bec mov ebp, esp
| 0x004070a3 33c0 xor eax, eax
| 0x004070a5 55 push ebp
| 0x004070a6 68f4704000 push 0x4070f4
| 0x004070ab 64ff30 push dword fs:[eax]
| 0x004070ae 648920 mov dword fs:[eax], esp
| 0x004070b1 ff05b8454900 inc dword [0x4945b8] <- instruction points to data
| ,=< 0x004070b7 752d jne 0x4070e6
| | 0x004070b9 b850404900 mov eax, 0x494050 ; 'P@I'
In the signature the corresponding bytes for the address 0x4945b8 are not masked:
fcn.004070a0:
bytes: 558bec33c05568f470400064ff30648920ff05b8454900752db850404900e835c6ffffb81c42 [ snip ]
mask: ffffffffffffff00000000ffffffffffffffffffffffffff00ff00000000ff00000000ff0000 [ snip ]
                                            ^^^^^^^^ these bytes should be masked
I believe the instruction is inc dword ptr ds:0x4945b8, so it should be possible to detect this is a pointer to data that might change if the data moves in a subsequent compilation.
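As an added illustration (not code from the radare2 project or from the issue author), the script below takes the bytes/mask pair quoted above, reports which address-carrying operand fields the mask still matches literally, zeroes them, and renders both versions as YARA hex strings, which is where an unmasked absolute address bites: the rule only hits builds where the data symbol landed at exactly 0x4945b8. The byte offsets of the operand fields are counted by hand from the pd 10 listing in the issue; the field table is this example's own bookkeeping, not something zaf emits.

```python
# Added example, not code from the radare2 project or from the issue author.
# It takes the bytes/mask pair that `zaf` printed (as quoted in the issue),
# reports which address-carrying operand fields are left unmasked, produces a
# corrected mask, and renders both as YARA hex strings so the effect of an
# unmasked absolute address on a YARA rule is visible.

# Signature exactly as quoted in the issue (the issue truncates it after 38 bytes).
SIG_BYTES = "558bec33c05568f470400064ff30648920ff05b8454900752db850404900e835c6ffffb81c42"
SIG_MASK = "ffffffffffffff00000000ffffffffffffffffffffffffff00ff00000000ff00000000ff0000"

# Operand fields that carry an absolute address, as (byte offset, length, note).
# Offsets are counted by hand from the `pd 10` listing in the issue; the
# instructions are the issue's, the offset table is this example's own.
ADDRESS_FIELDS = [
    (7, 4, "push 0x4070f4        imm32 at 0x4070a6+1"),
    (19, 4, "inc dword [0x4945b8] disp32 at 0x4070b1+2"),
    (26, 4, "mov eax, 0x494050    imm32 at 0x4070b9+1"),
]


def unmasked_fields(mask_hex, fields=ADDRESS_FIELDS):
    """Return the fields whose mask bytes are not all zero (still matched literally)."""
    mask = bytes.fromhex(mask_hex)
    return [(off, ln, note) for off, ln, note in fields
            if any(mask[off:off + ln])]


def fix_mask(mask_hex, fields=ADDRESS_FIELDS):
    """Zero the mask over every address field so the signature is position independent."""
    mask = bytearray.fromhex(mask_hex)
    for off, ln, _ in fields:
        mask[off:off + ln] = bytes(ln)
    return mask.hex()


def to_yara_hex(bytes_hex, mask_hex):
    """Render bytes+mask as a YARA hex string: ff -> literal, 00 -> ??, nibble masks -> X?/?X."""
    out = []
    for b, m in zip(bytes.fromhex(bytes_hex), bytes.fromhex(mask_hex)):
        if m == 0xff:
            out.append(f"{b:02x}")
        elif m == 0xf0:
            out.append(f"{b >> 4:x}?")
        elif m == 0x0f:
            out.append(f"?{b & 0xf:x}")
        else:
            out.append("??")  # any other partial mask is widened to a full wildcard
    return "{ " + " ".join(out) + " }"


if __name__ == "__main__":
    for off, ln, note in unmasked_fields(SIG_MASK):
        print(f"unmasked address field at byte {off} (+{ln}): {note}")
    print("as emitted :", to_yara_hex(SIG_BYTES, SIG_MASK))
    print("corrected  :", to_yara_hex(SIG_BYTES, fix_mask(SIG_MASK)))
```

Run as-is it flags only the disp32 of inc dword [0x4945b8] (byte 19, four bytes): the push and mov immediates and the jne/call relative offsets are already wildcarded in the mask shown above, so the corrected YARA string differs from the emitted one in exactly that one field. The nibble-mask branches are there because YARA accepts 4? style wildcards and zignature masks are not required to be whole-byte.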