
Offset immediates not searchable

Open · bqv opened this issue 2 years ago · 1 comment

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | Manjaro x86 64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | armeabi-v7a |
| rizin -v full output, not truncated (mandatory) | rizin 0.6.2 @ linux-x86-64 |

Expected behavior

Tried to find all ldr instructions with immediate 0x398. Searched with /ad, /a etc. with it.

Actual behavior

Found no results, but should have since I can see them in the disassembly

Steps to reproduce the behavior

Binary: binary.zip

/ad/a ldr.*0x398

# No results

Additional Logs, screenshots, source code, configuration dump, ...

/ai 0x398 works fine.

mattermost-messages
bqv
  • I'm trying to search for an instruction with rizin
  • I'm getting nothing - no hits, each time
rot127
  • Can you list the commands you use and what the outcome is you are hoping for?
bqv
  • sure
  • I tried / 0x398 naively, in case that works, but I'm fairly sure that's not how things work, so instead I also tried variations like :> /ad/a ldr r., [r0, .*]
  • :> /ad/a ldr.w r3, [r0, 0x2e4]
  • :> /a ldr.w r3, [r0, 0x2e4]
  • I even tried /a blx, which I'm sure should have hit
  • none of those hit anything, even though those last two are verbatim instructions in the function I'm currently inspecting
  • instead, if I try / DICT for the data string nearby, that matches
  • but I'm looking to find values in the offset of that ldr instruction
  • basically, I want to find all ldr instructions with an offset of e.g. 0x2e4 or 0x398
rot127
  • @bqv Try /ai 0x398
  • Should give you every instruction using this immediate.
bqv
  • it matches! yes!
  • thank you.
rot127
  • The problem with ldr is that the offset depends on the PC where the instruction is located.
  • The immediate is an offset.
  • My guess is that the search doesn't find them, because it disassembles each instruction again, but with address 0.
  • Hence, the result of the offset is only 0x8 instead of 0x398, for example.
bqv
  • oh dear, ok
rot127
  • If the instruction is located at 0x390, I mean
  • Just a guess, so
bqv
  • yeah, i follow
  • is that the case for all immediate values?
bqv
  • or just that instruction?
rot127
  • Could you open an issue about it? Maybe it does work as expected. But then the docs are not specific enough.
  • Every ARM instruction which interprets the immediate as offset to its address
  • https://developer.arm.com/documentation/dui0041/c/Babbfdih
  • LDR is one of them.
  • Jumps to an offset/relative jumps as well I guess
rot127
  • The issue template should guide you. write what you wrote above:
    • I'd tried to find all ldr instructions with immediate 0x398
    • Searched with /ad, /a etc with it.
    • Found no results, but should have since I can see them in the disassembly
  • Something like this
  • It would be of great help
  • I'll add the details later when I have time

bqv, Nov 05 '23 20:11

LDR only saves an offset relative to the current PC. So if ldr is located at 0x390, the immediate of the instruction would be 0x8.

/ad likely disassembles every instruction again for the search, but with PC = 0, hence returns ldr ... 0x8 and the search query doesn't match.

Just a guess. Though this would also affect other instructions with relative immediate vals (jumps etc.)

Either way, the documentation of the command should make the behavior more clear.

Rot127, Nov 05 '23 20:11