Fix string ref direction and improve false positive xref types ##anal…

…ysis
radareorg · Nov 14, 2024 · e14fa9a · e14fa9a
1 parent 1c363de
commit e14fa9a
Show file tree

Hide file tree

Showing 14 changed files with 362 additions and 36 deletions.
diff --git a/libr/anal/vtable.c b/libr/anal/vtable.c
@@ -286,6 +286,7 @@ R_API RList *r_anal_vtable_search(RVTableContext *context) {
 	return vtables;
 }
 
+// R2_600 - rename to RAnal.vtablesList()
 R_API void r_anal_list_vtables(RAnal *anal, int rad) {
 	RVTableContext context = {0};
 	r_anal_vtable_begin (anal, &context);

diff --git a/libr/core/anal_objc.c b/libr/core/anal_objc.c
@@ -1,4 +1,4 @@
-/* radare2 - LGPL - Copyright 2019-2022 - pancake */
+/* radare2 - LGPL - Copyright 2019-2024 - pancake */
 
 /* This code has been written by pancake which has been based on Alvaro's
  * r2pipe-python script which was based on FireEye script for IDA Pro.
@@ -303,6 +303,7 @@ static bool objc_find_refs(RCore *core) {
 			if (xrefs) {
 				RAnalRef *ref;
 				R_VEC_FOREACH (xrefs, ref) {
+					// maybe ICOD?
 					r_anal_xrefs_set (core->anal, ref->addr, funcVA, R_ANAL_REF_TYPE_CODE);
 					total_xrefs++;
 				}

diff --git a/libr/core/canal.c b/libr/core/canal.c
@@ -4602,6 +4602,10 @@ static bool found_xref(RCore *core, ut64 at, ut64 xref_to, RAnalRefType type, PJ
 	if (!rad) {
 		if (cfg_anal_strings && R_ANAL_REF_TYPE_MASK (type) == R_ANAL_REF_TYPE_DATA) {
 			add_string_ref (core, at, xref_to);
+		} else if (cfg_anal_strings && R_ANAL_REF_TYPE_MASK (type) == R_ANAL_REF_TYPE_ICOD) {
+			add_string_ref (core, at, xref_to);
+		} else if (cfg_anal_strings && R_ANAL_REF_TYPE_MASK (type) == R_ANAL_REF_TYPE_STRN) {
+			add_string_ref (core, at, xref_to);
 		} else if (xref_to) {
 			r_anal_xrefs_set (core->anal, at, xref_to, type);
 		}
@@ -4745,10 +4749,10 @@ R_API int r_core_anal_search_xrefs(RCore *core, ut64 from, ut64 to, PJ *pj, int
 			}
 			uninit = false;
 		}
-		// check if meta tells its code
 		(void) r_anal_op (core->anal, &op, at, buf, bsz, R_ARCH_OP_MASK_BASIC | R_ARCH_OP_MASK_HINT);
 		while ((i + maxopsz) < bsz && !r_cons_is_breaked ()) {
 			r_anal_op_fini (&op);
+			// check if meta tells its code
 			{
 				ut64 size;
 				RAnalMetaItem *mi = r_meta_get_at (core->anal, at + i, R_META_TYPE_ANY, &size);
@@ -4766,7 +4770,7 @@ R_API int r_core_anal_search_xrefs(RCore *core, ut64 from, ut64 to, PJ *pj, int
 			}
 			ret = r_anal_op (core->anal, &op, at + i, buf + i, bsz - i, R_ARCH_OP_MASK_BASIC | R_ARCH_OP_MASK_HINT);
 			if (ret < 1) {
-				R_LOG_DEBUG ("aar invalid op %llx %d", at + i, codealign);
+				R_LOG_DEBUG ("aar invalid op 0x%"PFMT64x" %d", at + i, codealign);
 				i += minopsz;
 				if (codealign > 1) {
 					int d = (at + i) % codealign;
@@ -4790,14 +4794,31 @@ R_API int r_core_anal_search_xrefs(RCore *core, ut64 from, ut64 to, PJ *pj, int
 			}
 			// find references
 			if (op.ptr && op.ptr != UT64_MAX && op.ptr != UT32_MAX) {
+#if 1
+				const int type = core_type_by_addr (core, op.ptr);
+				/// XXX R2_600. we need op.ptrdir . because op.ptr can be op[0] or op[1]
+				const ut64 perm = (type == R_ANAL_REF_TYPE_STRN)? R_ANAL_OP_DIR_READ: (op.direction &= (~R_ANAL_OP_DIR_REF));
+				const int reftype = type | r_anal_perm_to_reftype (perm);
+#else
 				const ut64 perm = op.direction &= (~R_ANAL_OP_DIR_REF);
-				if (found_xref (core, op.addr, op.ptr, R_ANAL_REF_TYPE_DATA | r_anal_perm_to_reftype(perm), pj, rad, cfg_debug, cfg_anal_strings)) {
+				const int reftype = R_ANAL_REF_TYPE_DATA | r_anal_perm_to_reftype (perm);
+#endif
+				if (found_xref (core, op.addr, op.ptr, reftype, pj, rad, cfg_debug, cfg_anal_strings)) {
 					count++;
 				}
 			} else {
 				// check for using reg+disp, which shouldnt be valid if op.ptr is set
 				if (op.addr > 512 && op.disp > 512 && op.disp && op.disp != UT64_MAX) {
-					if (found_xref (core, op.addr, op.disp, R_ANAL_REF_TYPE_DATA, pj, rad, cfg_debug, cfg_anal_strings)) {
+#if 0
+					// TODO: experiment with this fix
+					// R2R db/anal/x86_32
+					const int type = core_type_by_addr (core, op.disp);
+					const ut64 perm = op.direction &= (~R_ANAL_OP_DIR_REF);
+					const int reftype = type | r_anal_perm_to_reftype (perm);
+#else
+					const int reftype = R_ANAL_REF_TYPE_DATA;
+#endif
+					if (found_xref (core, op.addr, op.disp, reftype, pj, rad, cfg_debug, cfg_anal_strings)) {
 						count++;
 					}
 				}
@@ -6114,7 +6135,20 @@ R_API void r_core_anal_esil(RCore *core, const char *str /* len */, const char *
 			// arm64
 			if (cur && arch == R2_ARCH_ARM64) {
 				if (CHECKREF (ESIL->cur)) {
+#if 1
+					int type = core_type_by_addr (core, ESIL->cur);
+					if (type == R_ANAL_REF_TYPE_NULL) {
+						type = R_ANAL_REF_TYPE_DATA;
+					}
+					if (type == R_ANAL_REF_TYPE_ICOD) {
+						type |= R_ANAL_REF_TYPE_EXEC;
+					} else {
+						type |= R_ANAL_REF_TYPE_READ;
+					}
+					r_anal_xrefs_set (core->anal, cur, ESIL->cur, type);
+#else
 					r_anal_xrefs_set (core->anal, cur, ESIL->cur, R_ANAL_REF_TYPE_STRN | R_ANAL_REF_TYPE_READ);
+#endif
 				}
 #if 0
 				ut64 dst = esilbreak_last_read;

diff --git a/libr/core/cmd_anal.inc.c b/libr/core/cmd_anal.inc.c
@@ -8043,11 +8043,11 @@ R_IPI void cmd_aei(RCore *core) {
 }
 
 R_IPI int core_type_by_addr(RCore *core, ut64 addr) {
-	const RList *list = r_flag_get_list (core->flags, addr);
 	RListIter *iter;
 	RFlagItem *item;
 	bool has_flag = false;
 	int type = R_ANAL_REF_TYPE_DATA;
+	const RList *list = r_flag_get_list (core->flags, addr);
 	r_list_foreach (list, iter, item) {
 		if (strchr (item->name, '.')) {
 			has_flag = true;
@@ -8064,8 +8064,9 @@ R_IPI int core_type_by_addr(RCore *core, ut64 addr) {
 		}
 	}
 	if (!has_flag) {
+		// if we return anything but _DATA here, the `aao` and `avr` references stop working
 		// XXX assume TYPE_CODE Or TYPE_ICOD or mayb NULL if invalid address?
-		return R_ANAL_REF_TYPE_NULL; // -1 ?
+		return type; // R_ANAL_REF_TYPE_NULL; // -1 ?
 	}
 	return type;
 }

diff --git a/libr/include/r_anal/op.h b/libr/include/r_anal/op.h
@@ -33,7 +33,7 @@ typedef enum {
 	R_ANAL_OP_DIR_READ = 1,
 	R_ANAL_OP_DIR_WRITE = 2,
 	R_ANAL_OP_DIR_EXEC = 4,
-	R_ANAL_OP_DIR_REF = 8,
+	R_ANAL_OP_DIR_REF = 8, // uhm?
 } RAnalOpDirection;
 
 typedef enum {

diff --git a/test/db/anal/arm b/test/db/anal/arm
@@ -1103,7 +1103,7 @@ aae
 axt str.helloradareworld_n
 EOF
 EXPECT=<<EOF
-main 0xbf9c [STRN:-w-] add r0, pc
+main 0xbf9c [STRN:r--] add r0, pc
 EOF
 RUN
 

diff --git a/test/db/anal/arm-esil b/test/db/anal/arm-esil
@@ -12,7 +12,7 @@ EOF
 EXPECT=<<EOF
             ;-- str..._.._third_party_boringssl_src_ssl_ssl_x509.cc:
             ;-- s:
-            ; STRN XREF from f @ 0x37194e(w)
+            ; STRN XREF from f @ 0x37194e(r)
             0x00080c62     .string "../../third_party/boringssl/src/ssl/ssl_x509.cc" ; len=48
             ;-- str..._.._third_party_boringssl_src_ssl_ssl_asn1.cc:
             0x00080c92     .string "../../third_party/boringssl/src/ssl/ssl_asn1.cc" ; len=48
@@ -48,7 +48,7 @@ s 0x00001373
 axt
 EOF
 EXPECT=<<EOF
-fcn.00003004 0x337c [STRN:-w-] add x1, x1, str.3082058830820370a00302010202147dc6315182dee2344f870acce7b12d5fea665fa4300d06092a864886f70d01010b05003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643020170d3233303333313033313632355a180f32303533303333313033313632355a3074310b3009060355040613025553311330110603550408130a43616c69666f726e69613116301406035504071
+fcn.00003004 0x337c [STRN:r--] add x1, x1, str.3082058830820370a00302010202147dc6315182dee2344f870acce7b12d5fea665fa4300d06092a864886f70d01010b05003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643020170d3233303333313033313632355a180f32303533303333313033313632355a3074310b3009060355040613025553311330110603550408130a43616c69666f726e69613116301406035504071
 EOF
 RUN