
Cross references are broken in rebased binaries

Open oddcoder opened this issue 8 years ago • 16 comments

$> r2 challenge1.exe
[]>aaa
[]>iz ~pass
vaddr=0x0040d198 paddr=0x0000bf98 ordinal=001 sz=18 len=17 section=.rdata type=ascii string=Enter password:\r\n
vaddr=0x0040d1b8 paddr=0x0000bfb8 ordinal=003 sz=17 len=16 section=.rdata type=ascii string=Wrong password\r\n
[]>axt 0x0040d198
data 0x40144e push str.Enter_password:_r_n in sub.KERNEL32.dll_GetStdHandle_420

$ r2 -B 0xfd0000 challenge1.exe
[]>aaa
[]>iz ~pass
vaddr=0x00fdd198 paddr=0x0000bf98 ordinal=001 sz=18 len=17 section=.rdata type=ascii string=Enter password:\r\n
vaddr=0x00fdd1b8 paddr=0x0000bfb8 ordinal=003 sz=17 len=16 section=.rdata type=ascii string=Wrong password\r\n
[]>axt 0x00fdd198

This is the binary used: challenge1.exe.zip

oddcoder avatar Oct 03 '16 21:10 oddcoder

i think @ret2libc fixed this, can you confirm?

radare avatar Mar 18 '19 11:03 radare

I'm honestly not sure I did... or when. But please re-test the reproducer :)

ret2libc avatar Mar 18 '19 13:03 ret2libc

nope, not fixed, actually addresses failed to relocate and triggered an issue in afta as well

➜  Downloads r2 -B 0xfd0000 challenge1.exe
[0x00fd170d]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[Stack isn't initialized.s for all functions (aaft)
Try running aei and aeim commands before aft for default stack initialization
Stack isn't initialized.
[.. bunch of failing to initialize stacks ...]
Try running aei and aeim commands before aft for default stack initialization
Stack isn't initialized.
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00fd170d]> iz~pass
001 0x0000bf98 0x0040d198  17  18 (.rdata) ascii Enter password:\r\n
003 0x0000bfb8 0x0040d1b8  16  17 (.rdata) ascii Wrong password\r\n
[0x00fd170d]> axt 0x0040d1b8
[0x00fd170d]> axt 0x00fdd198

oddcoder avatar Mar 18 '19 16:03 oddcoder
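A script that checks the two reproducers above mechanically (an added example, not radare2's own code or test suite): it parses both `iz` layouts shown in the thread and reports every string flag that did not move by exactly the rebase delta, which is the symptom behind the empty `axt`. The sample lines are copies of the thread's output embedded inline; the header base 0x400000 is an assumption derived from the default-run vaddr/paddr pair.

```python
import re

# Constructed samples copied from the issue. IZ_REBASED_BROKEN is the
# -B 0xfd0000 run where strings stayed at the header image base.
IZ_DEFAULT = """\
vaddr=0x0040d198 paddr=0x0000bf98 ordinal=001 sz=18 len=17 section=.rdata type=ascii string=Enter password:\\r\\n
vaddr=0x0040d1b8 paddr=0x0000bfb8 ordinal=003 sz=17 len=16 section=.rdata type=ascii string=Wrong password\\r\\n
"""
IZ_REBASED_OK = """\
vaddr=0x00fdd198 paddr=0x0000bf98 ordinal=001 sz=18 len=17 section=.rdata type=ascii string=Enter password:\\r\\n
vaddr=0x00fdd1b8 paddr=0x0000bfb8 ordinal=003 sz=17 len=16 section=.rdata type=ascii string=Wrong password\\r\\n
"""
IZ_REBASED_BROKEN = """\
001 0x0000bf98 0x0040d198  17  18 (.rdata) ascii Enter password:\\r\\n
003 0x0000bfb8 0x0040d1b8  16  17 (.rdata) ascii Wrong password\\r\\n
"""


def parse_iz(text):
    """Map paddr -> vaddr for both iz layouts seen in the thread:
    key=value lines (vaddr=0x.. paddr=0x..) and the columnar
    'nth paddr vaddr len size (section) type string' form."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if "vaddr=" in line:
            kv = dict(re.findall(r"(\w+)=(\S+)", line))
            out[int(kv["paddr"], 16)] = int(kv["vaddr"], 16)
        else:
            _, paddr, vaddr = line.split()[:3]
            out[int(paddr, 16)] = int(vaddr, 16)
    return out


def rebase_mismatches(default_iz, rebased_iz, old_base, new_base):
    """Every string flag must shift by new_base - old_base, the same delta
    the code xrefs get; return [(paddr, expected_vaddr, actual_vaddr)]
    for flags that did not (an empty list means the rebase is consistent)."""
    delta = new_base - old_base
    before = parse_iz(default_iz)
    after = parse_iz(rebased_iz)
    return [(p, v + delta, after.get(p))
            for p, v in before.items() if after.get(p) != v + delta]


if __name__ == "__main__":
    # Expected: the OK run reports nothing, the broken run lists both strings.
    print(rebase_mismatches(IZ_DEFAULT, IZ_REBASED_OK, 0x400000, 0xfd0000))
    print(rebase_mismatches(IZ_DEFAULT, IZ_REBASED_BROKEN, 0x400000, 0xfd0000))
```

The expected vaddr in each mismatch tuple is the address `axt` should be queried with after the rebase (0x00fdd198 for the first string), so the same output doubles as the flag list for a regression test.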

is this bin relocatable? anyway, -B doesn't seem to work fine with strings, so the string flags are not relocated at all

On 18 Mar 2019, at 17:07, Ahmed Abd El Mawgood [email protected] wrote:

> nope, not fixed, actually addresses failed to relocate and triggered an issue in afta as well
>
> ➜ Downloads r2 -B 0xfd0000 /bin/ls
> [0x00fd5310]> aaa
> [x] Analyze all flags starting with sym. and entry0 (aa)
> [x] Analyze function calls (aac)
> [x] Analyze len bytes of instructions for references (aar)
> [x] Type matching analysis for all functions (aaft)
> [x] Use -AA or aaaa to perform additional experimental analysis.
> [0x00fd5310]> q
> ➜ Downloads r2 -B 0xfd0000 challenge1.exe
> [0x00fd170d]> aaa
> [x] Analyze all flags starting with sym. and entry0 (aa)
> [x] Analyze function calls (aac)
> [x] Analyze len bytes of instructions for references (aar)
> [Stack isn't initialized.s for all functions (aaft)
> Try running aei and aeim commands before aft for default stack initialization
> Stack isn't initialized.
> [.. bunch of failing to initialize stacks ...]
> Try running aei and aeim commands before aft for default stack initialization
> Stack isn't initialized.
> [x] Type matching analysis for all functions (aaft)
> [x] Use -AA or aaaa to perform additional experimental analysis.
> [0x00fd170d]> iz~pass
> 001 0x0000bf98 0x0040d198 17 18 (.rdata) ascii Enter password:\r\n
> 003 0x0000bfb8 0x0040d1b8 16 17 (.rdata) ascii Wrong password\r\n
> [0x00fd170d]> axt 0x0040d1b8
> [0x00fd170d]> axt 0x00fdd198

radare avatar Mar 19 '19 09:03 radare

Will be fixed with https://github.com/radare/radare2/issues/13753. Do you wanna work on it? Or at least write some tests when it's implemented?

radare avatar Apr 15 '19 13:04 radare

sure, I can unit test it once it is implemented, just mention me in the PR; right now I can't see a PR for it

oddcoder avatar Apr 15 '19 16:04 oddcoder

enotime for this rls

radare avatar May 09 '19 09:05 radare

can you provide a test?

radare avatar Oct 23 '19 11:10 radare

I have a trigger explained above ^ and the binary file as well

oddcoder avatar Oct 23 '19 12:10 oddcoder

cc @yossizap

radare avatar Jan 17 '20 12:01 radare

Will look into it

yossizap avatar Jan 17 '20 12:01 yossizap

@yossizap 12h left for the release. any update on this?

radare avatar Jan 19 '20 22:01 radare

Sorry, didn't have a ton of time. This is a PE specific issue.

https://github.com/radareorg/radare2/blob/35b05d86972f32e8962758c336d4914a757bf1b9/libr/bin/format/pe/pe.c#L341-L348

It uses the baddr from the header instead of using the actual binaddr. Attempting to fix.

yossizap avatar Jan 19 '20 22:01 yossizap

thanks

radare avatar Jan 19 '20 22:01 radare

That was a separate issue that was misleading. Can't really find any other differences specific to PEs that deal with baddr. This will require more time, maybe I'll be able to find something tomorrow morning.

Not an issue in debug rebase btw, just with this type of rebase.

EDIT: Also, not an issue with other Windows binaries. This seems to be specific to something in that binary.

yossizap avatar Jan 19 '20 23:01 yossizap

see the new rb command (needs to implement anal things)

radare avatar Mar 02 '20 13:03 radare