rizin
Wrong switch-case analysis on MacOS M1 ARM
Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | MacOS 12.6 M1 Max |
| File format of the file you reverse (mandatory) | MachO |
| Architecture/bits of the file (mandatory) | M1 Max |
| rizin -v full output, not truncated (mandatory) | rizin 0.5.0 @ darwin-arm-64 commit: b81d9225fc411c976502fd1c110c2feac0b17c9b |
Expected behavior
```
0x100003c44 0x100003c64 00:0000 32 s 0x100003c64 s 0x1000040f8 s 0x100003ec4 s 0x100003ed4 s [...]
```
In general, the value from the table at 0x100004638 should be added to 0x100003c58.
Actual behavior
```
0x100003c44 0x100003c64 00:0000 32 s 0x0000000c s 0x000004a0 s 0x0000026c s 0x0000027c s [...]
```
Steps to reproduce the behavior
```
$ rizin -A /bin/ls
> s. 3c44
> afbi
```
Additional Logs, screenshots, source code, configuration dump, ...
Standard /bin/ls from MacOS binls.zip
```
> pdb @ 0x100003c44
│ 0x100003c44 cmp x16, 0x5b
│ 0x100003c48 csel x16, x16, xzr, ls
│ 0x100003c4c adr x17, sym.func.100004638 ; 0x100004638
│ 0x100003c50 nop
│ 0x100003c54 ldrsw x16, [x17, x16, lsl 2]
│ 0x100003c58 adr x17, 0x100003c58
│ 0x100003c5c add x16, x17, x16
│ ;-- switch
│ 0x100003c60 br x16 ; switch table (92 cases) at 0x100004638
```
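The disassembly above is the usual clang ARM64 relative jump table: the table at 0x100004638 holds signed 32-bit offsets (hence the sign-extending `ldrsw`), and the `add x16, x17, x16` adds each one to the `adr` base 0x100003c58 before the `br`. The report's "actual" output shows the raw table words, the "expected" output shows the sums. The following is an added example, not rizin's code, that decodes such a table the way the analysis should; the table bytes are constructed from the four raw entries `afbi` printed, and the case count of 4 is an assumption for the sample (the real table has 92 entries):

```python
import struct

# Addresses taken from the disassembly in the report.
TABLE_ADDR = 0x100004638   # adr x17, sym.func.100004638
BASE_ADDR = 0x100003c58    # adr x17, 0x100003c58 (the base the offsets are added to)
MAX_INDEX = 0x5b           # cmp x16, 0x5b -> 92 cases, indices 0..0x5b

# Constructed sample table: the first four raw words `afbi` printed
# (0xc, 0x4a0, 0x26c, 0x27c) as little-endian signed 32-bit entries.
SAMPLE_TABLE = struct.pack("<4i", 0x0c, 0x4a0, 0x26c, 0x27c)


def select_case(index, max_index=MAX_INDEX):
    """Mirror `cmp x16, max; csel x16, x16, xzr, ls`: an index above the
    last case is replaced by xzr, i.e. folded to case 0."""
    return index if index <= max_index else 0


def resolve_relative_jump_table(table_bytes, base_addr, n_cases):
    """Decode an ARM64 relative jump table: each entry is a signed 32-bit
    offset relative to base_addr, not an absolute address. Negative entries
    are valid (cases laid out before the base) because ldrsw sign-extends."""
    if len(table_bytes) < 4 * n_cases:
        raise ValueError("jump table shorter than the declared case count")
    offsets = struct.unpack(f"<{n_cases}i", table_bytes[: 4 * n_cases])
    return [(base_addr + off) & 0xFFFF_FFFF_FFFF_FFFF for off in offsets]


def switch_target(index, table_bytes, base_addr, n_cases, max_index=None):
    """Follow one `br x16` for a given selector value, bounds check included."""
    if max_index is None:
        max_index = n_cases - 1
    case = select_case(index, max_index)
    return resolve_relative_jump_table(table_bytes, base_addr, n_cases)[case]


if __name__ == "__main__":
    targets = resolve_relative_jump_table(SAMPLE_TABLE, BASE_ADDR, 4)
    for i, target in enumerate(targets):
        raw = struct.unpack("<i", SAMPLE_TABLE[4 * i:4 * i + 4])[0]
        print(f"case {i}: table word {raw:#x} at {TABLE_ADDR + 4 * i:#x} -> {target:#x}")
```

Run as-is the script prints the four targets from the "Expected behavior" line; `switch_target` also shows why an out-of-range selector lands on case 0 rather than jumping through a garbage table entry.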
@ret2libc ehm, this bin is x86, not arm.
You need to open it with `rizin -a arm ls` if you are on an x86 machine. It's this weird Mach-O thing that it contains x86 and arm assembly in the same binary.
```
rizin -a arm -Qc "pd 10" ls
;-- main:
;-- entry0:
;-- func.100003a90:
0x100003a90 pacibsp
0x100003a94 stp x28, x27, [sp, -0x60]!
0x100003a98 stp x26, x25, [sp, 0x10]
0x100003a9c stp x24, x23, [sp, 0x20]
0x100003aa0 stp x22, x21, [sp, 0x30]
0x100003aa4 stp x20, x19, [sp, 0x40]
0x100003aa8 stp fp, lr, [sp, 0x50]
0x100003aac add fp, sp, 0x50
0x100003ab0 sub sp, sp, 0x640
0x100003ab4 mov x19, x1
```
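The "weird Mach-O thing" is a fat (universal) binary: a big-endian `fat_header` followed by one `fat_arch` record per slice, each pointing at a complete thin Mach-O for one CPU type. Checking the slice list before analysis tells you which architecture a tool will see and what `-a arm` is selecting. Here is an added example, not rizin's code, that parses that header; the sample image is constructed (two minimal 64-bit slices, x86_64 first, arm64 second), and the CPU type constants are the values from Apple's `mach/machine.h`:

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # fat_header.magic, always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O magic, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat_slices(data):
    """Return [(arch_name, offset, size), ...] for each slice of a fat Mach-O,
    in header order. A thin Mach-O or any other file yields [] so the caller
    can fall back to single-architecture handling."""
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    slices = []
    for i in range(nfat_arch):
        rec = 8 + i * 20                       # sizeof(struct fat_arch) == 20
        if rec + 20 > len(data):
            raise ValueError(f"fat header truncated at slice {i}")
        cputype, _cpusubtype, offset, size, _align = struct.unpack(">IIIII", data[rec:rec + 20])
        name = CPU_NAMES.get(cputype, hex(cputype))
        if offset + size > len(data):
            raise ValueError(f"slice {i} ({name}) runs past end of file")
        if size < 4 or struct.unpack("<I", data[offset:offset + 4])[0] != MH_MAGIC_64:
            raise ValueError(f"slice {i} ({name}) does not start with a 64-bit Mach-O header")
        slices.append((name, offset, size))
    return slices


def slice_for_arch(data, arch_name):
    """Return the bytes of the slice for arch_name (what `-a arm` selects), or None."""
    for name, offset, size in parse_fat_slices(data):
        if name == arch_name:
            return data[offset:offset + size]
    return None


def build_sample_fat():
    """Constructed two-slice universal binary: x86_64 slice first, arm64 second.
    Each slice is just a 32-byte mach_header_64 placed at a page-aligned offset."""
    def mach_header_64(cputype):
        # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)

    x86_off, arm_off, hdr_len = 0x1000, 0x2000, 32
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, x86_off, hdr_len, 12)  # align 2^12
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, arm_off, hdr_len, 14)   # align 2^14
    image = bytearray(arm_off + hdr_len)
    image[:len(header)] = header
    image[x86_off:x86_off + hdr_len] = mach_header_64(CPU_TYPE_X86_64)
    image[arm_off:arm_off + hdr_len] = mach_header_64(CPU_TYPE_ARM64)
    return bytes(image)


if __name__ == "__main__":
    for name, offset, size in parse_fat_slices(build_sample_fat()):
        print(f"{name:8s} offset={offset:#x} size={size:#x}")
```

On a real `/bin/ls` you would pass `open(path, "rb").read()` instead of the constructed image; the sample deliberately puts x86_64 first so the slice order, not the host, is what the parser reports.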