
Functions analysis errors (some end too early, some data recognized as function)

Open pinkflawd opened this issue 8 years ago • 6 comments

  • [ ] Plenty of functions are detected, but not disassembled correctly: they end too early or show invalid instructions at the end

Some examples are the functions:

  • [ ] 0x0040856d

  • [ ] 0x00404490

  • [x] 0x0040734b

  • [ ] The binary has data and strings located at the beginning of the code section; radare interprets these as functions (functions located between 0x401000 and 0x401975)

password: infected 0bfbda37af78a9d0318b0d0e3024d831c271e6d42f0da41372c8785425a864aa.zip

pinkflawd avatar Nov 15 '16 16:11 pinkflawd

Use pdr instead of pdf


radare avatar Nov 15 '16 17:11 radare

My issue is that ?v $FB @ [addr] in the respective cases doesn't get me the function containing [addr], for all the [addr] in the not-disassembled area :)

pinkflawd avatar Nov 15 '16 20:11 pinkflawd

But also, somewhere in the back of my head I remember that this could have something to do with jmp instructions at the (incorrect) end of the function? Played with the jmptbl flag, but it didn't change anything obvious.

pinkflawd avatar Nov 15 '16 20:11 pinkflawd

There are many jump table implementations and several variants depending on how the destination pointer is computed. So it's nothing easy or simple to solve. We should implement this for each use case. But I would like to rework the standard anal loop, so this can probably go for 1.2.


radare avatar Nov 16 '16 14:11 radare

Related to https://github.com/radare/radare2/issues/5833

Maijin avatar Feb 26 '17 13:02 Maijin

It seems some of the basic blocks of those half-complete functions are coming only from references inside the data section. Probably some function pointers in static structures or something like that and r2 fails to identify those.

ret2libc avatar Jul 09 '20 07:07 ret2libc
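A way to triage the two symptoms discussed in this thread (a function whose discovered blocks stop short of its real end, and blocks reached only through data references that leave holes in the middle) from radare2's JSON listings. This is an added example, not code from the issue or from the radare2 project; it assumes the `offset`/`name`/`minbound`/`maxbound` fields of `aflj` and the `addr`/`size` fields of `afbj`, and the sample data is constructed. With r2pipe installed (an assumption), the same helpers can be fed live output.

```python
import json

# Constructed sample: one function whose second block was found only via a
# data reference, leaving a hole after the first block, and nothing at all
# covering the bytes right after its last block (the "ends too early" case).
SAMPLE_AFLJ = json.dumps([
    {"offset": 0x40734b, "name": "fcn.0040734b", "size": 0x60,
     "minbound": 0x40734b, "maxbound": 0x4073ab},
])
SAMPLE_AFBJ = {
    0x40734b: json.dumps([
        {"addr": 0x40734b, "size": 0x20},   # ends in an indirect jmp
        {"addr": 0x40738b, "size": 0x20},   # reached via a data reference
    ]),
}

def functions_from_aflj(aflj_text):
    """Map function start -> (name, minbound, maxbound) from `aflj`."""
    return {f["offset"]: (f["name"], f["minbound"], f["maxbound"])
            for f in json.loads(aflj_text)}

def blocks_from_afbj(afbj_text):
    """Return (addr, size) pairs for one function's basic blocks (`afbj`)."""
    return [(b["addr"], b["size"]) for b in json.loads(afbj_text)]

def classify(addr, functions, blocks_by_fcn):
    """How r2 sees `addr`:
    'in_block'   covered by a basic block, so `?v $FB @ addr` resolves it
    'in_gap'     inside a function's linear range but in no block (a hole
                 between scattered blocks, as with data-referenced blocks)
    'unassigned' no function claims it (analysis stopped before it)"""
    for start, (name, lo, hi) in functions.items():
        if any(a <= addr < a + sz for a, sz in blocks_by_fcn[start]):
            return "in_block", name
        if lo <= addr < hi:
            return "in_gap", name
    return "unassigned", None

def report(addrs, aflj_text, afbj_by_fcn):
    """Classify every address of interest; returns {addr: (kind, name)}."""
    functions = functions_from_aflj(aflj_text)
    blocks = {s: blocks_from_afbj(t) for s, t in afbj_by_fcn.items()}
    return {a: classify(a, functions, blocks) for a in addrs}

if __name__ == "__main__":
    for a, (kind, name) in report(
            [0x40734b, 0x407370, 0x4073b0], SAMPLE_AFLJ, SAMPLE_AFBJ).items():
        print(f"0x{a:08x}: {kind} {name or ''}")
```

Against a real binary, replace the samples with `r2.cmd("aflj")` and, per function start, `r2.cmd(f"afbj @ {start}")` from an `r2pipe.open()` session; addresses reported as `in_gap` or `unassigned` are the ones the analysis missed.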