x86 binary loops r2 #520

Closed
roysjosh opened this issue Jan 7, 2014 · 14 comments

@roysjosh
Contributor

roysjosh commented Jan 7, 2014

The i386 binary out of the MachO "fat" binary at http://energylab.hpa.edu/public/vr/vr-archive/programs/EyeTV.app/Contents/MacOS/EyeTV loops r2 -A x86 where x86 is the extracted binary from rabin2 -x EyeTV renamed from EyeTV.fat/EyeTV.x86_32.1 to x86.

@zonkzonk
Contributor

zonkzonk commented Jan 7, 2014

"built from git yesterday at commit 34e2473"

@roysjosh
Contributor Author

roysjosh commented Jan 8, 2014

Left valgrind -v --trace-children=yes --log-file=valgrind.log --num-callers=32 --leak-check=full r2 -A x86 running overnight. Partial log: https://gist.github.com/roysjosh/be1ee2c791c0de92f35d

@ghost ghost assigned jroimartin Jan 9, 2014
@radare
Collaborator

radare commented Jan 9, 2014

In fact the fatmach0 binary is not loaded properly. The text section looks filled with zeroes.

Loading the extracted x86-32 binary with rabin2 -x works fine here.

@roysjosh
Contributor Author

roysjosh commented Jan 9, 2014

To be clear, r2 loads the binary when you use the -A flag? How long does it take to complete the analysis? It could be my environment, which is RHEL6.

@radare
Collaborator

radare commented Jan 9, 2014

That’s a big binary, the analysis can take a lot of time.

With the wrong IO the analysis is completely wrong too. Just press ^C

If you use -A it will analyze the whole binary at start, that’s fine.

@roysjosh
Contributor Author

roysjosh commented Jan 9, 2014

Well, I suppose that's the question of this ticket: should -A lead to a seemingly endless loop? I left r2 running over night, and almost 20 hours later it had consumed ~12GB of RAM and was still going on the analysis.

@roysjosh
Contributor Author

roysjosh commented Jan 9, 2014

Oh, my semi-metric was that the ppc binary analysis completed within an hour or two.

@radare
Collaborator

radare commented Jan 9, 2014

This binary is huge, but surely 20h of analysis is pretty bad news. There may be a bug in the analysis, but bear in mind that the x86 code analysis is more complex and complete than the arm one. Also, there are several points to optimize this. The thing is that there should be no endless loops in the analysis. If there's one it should be reproducible in a smaller binary.

@radare
Collaborator

radare commented Mar 26, 2014

There have been several analysis optimizations which should make the analysis faster and take much less memory. I have also fixed some mach0 issues, but not all of them, and the binary is not yet loaded properly. There are several other optimizations planned, and hopefully I'll have some time to review that mach0 issue soon.

@jvoisin
Contributor

jvoisin commented Apr 28, 2014

$ rabin2 -x ./EyeTV 
WARNING: bin_strings buffer is too big at 0x0115bf40
WARNING: bin_strings buffer is too big at 0x0120c418
EyeTV.fat/EyeTV.unknown_0.0 created (39657344)
EyeTV.fat/EyeTV.unknown_0.1 created (39657344)
$ r2 -A EyeTV.fat/EyeTV.unknown_0.1 
WARNING: bin_strings buffer is too big at 0x0115bf40
WARNING: bin_strings buffer is too big at 0x0120c418
NOTE: Fat binary found. Selected sub-bin is: -a x86 -b 64
NOTE: Use -a and -b to select sub binary in fat binary
No extract info found.
No extract info found.
 -- Select your character: RBin Wizard, Master Anal Paladin or Assembly Wizard
[0x00000000]> i
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0xFFFFFFFFFFFFFE00  RBX: 0x00007FFF09A8DFF0  RBP: 0x0000000000000001  RSP: 0x00007FFF09A8DFB8  o d I t s Z a P c 
  RDI: 0x000000000000129C  RSI: 0x00007FFF09A8DFF0  RDX: 0x0000000000000000  RCX: 0xFFFFFFFFFFFFFFFF  RIP: 0x00007F40E729698C
  R8 : 0x00007F40E75966E0  R9 : 0x0000000000000000  R10: 0x0000000000000000  R11: 0x0000000000000246  R12: 0x00007FFF09A8E010
  R13: 0x00007FFF09A8F290  R14: 0x0000000000000000  R15: 0x0000000000000000
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
[0x002B:0x00007FFF09A8DFB8]-------------------------------------------------------------------------------------------[stack]
0x00007FFF09A8E008 : 67 93 9B E7 40 7F 00 00 - 00 04 00 00 00 00 00 00 g...@...........
0x00007FFF09A8DFF8 : 10 E0 A8 09 FF 7F 00 00 - 8A E4 EE 1C 00 00 00 00 ................
0x00007FFF09A8DFE8 : 00 00 00 00 00 00 00 00 - 20 E0 A8 09 FF 7F 00 00 ........ .......
0x00007FFF09A8DFD8 : C0 DF A8 09 FF 7F 00 00 - 00 00 00 00 00 00 00 00 ................
0x00007FFF09A8DFC8 : 00 00 00 00 00 00 00 00 - 30 B8 21 E7 40 7F 00 00 ........0.!.@...
0x00007FFF09A8DFB8 : 92 B5 21 E7 40 7F 00 00 - 9C 12 00 00 40 7F 00 00 ..!.@.......@...
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7f40e729698c <__libc_waitpid+28>:  cmp    rax,0xfffffffffffff000
   0x7f40e7296992 <__libc_waitpid+34>:  ja     0x7f40e7296995 <__libc_waitpid+37>
   0x7f40e7296994 <__libc_waitpid+36>:  ret    
   0x7f40e7296995 <__libc_waitpid+37>:  mov    rdx,QWORD PTR [rip+0x2fd4cc]        # 0x7f40e7593e68
   0x7f40e729699c <__libc_waitpid+44>:  neg    eax
   0x7f40e729699e <__libc_waitpid+46>:  mov    DWORD PTR fs:[rdx],eax
   0x7f40e72969a1 <__libc_waitpid+49>:  or     rax,0xffffffffffffffff
   0x7f40e72969a5 <__libc_waitpid+53>:  ret    
-----------------------------------------------------------------------------------------------------------------------------
0x00007f40e729698c in __libc_waitpid (pid=0x129c, stat_loc=stat_loc@entry=0x7fff09a8dff0, options=options@entry=0x0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
31  ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
gdb$ bt
#0  0x00007f40e729698c in __libc_waitpid (pid=0x129c, stat_loc=stat_loc@entry=0x7fff09a8dff0, options=options@entry=0x0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
#1  0x00007f40e721b592 in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
#2  0x00007f40e79d8656 in r_sandbox_system (x=0x20bcff0 "gdb --pid 4763", n=0x1) at sandbox.c:62
#3  0x00007f40e79c869c in r_sys_cmd (str=0x20bcff0 "gdb --pid 4763") at sys.c:442
#4  0x00007f40e79c7aa8 in signal_handler (signum=0xb) at sys.c:195
#5  <signal handler called>
#6  r_core_file_info (core=0x606520 <r>, mode=0x0) at cmd_info.c:69
#7  0x00007f40eab00f14 in cmd_info_bin (core=0x606520 <r>, offset=0x0, va=0x0, mode=0x0) at cmd_info.c:82
#8  0x00007f40eab01067 in cmd_info (data=0x606520 <r>, input=0x204f031 "") at cmd_info.c:109
#9  0x00007f40eab2e03a in r_cmd_call (cmd=0x20898e0, input=0x204f030 "i") at cmd_api.c:171
#10 0x00007f40eab14232 in r_core_cmd_subst_i (core=0x606520 <r>, cmd=0x204f030 "i") at cmd.c:1406
#11 0x00007f40eab1270c in r_core_cmd_subst (core=0x606520 <r>, cmd=0x204f030 "i") at cmd.c:966
#12 0x00007f40eab14d78 in r_core_cmd (core=0x606520 <r>, cstr=0x20b6850 "i", log=0x1) at cmd.c:1591
#13 0x00007f40eaaead31 in r_core_prompt_exec (r=0x606520 <r>) at core.c:737
#14 0x00000000004047ef in main (argc=0x3, argv=0x7fff09a8f298, envp=0x7fff09a8f2b8) at radare2.c:595
gdb$ 
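
Both radare's Jan 9 remark (the fat Mach-O loader handing the analyser a zero-filled text section) and the rabin2 -x output above (two "unknown" slices of identical size, then "No extract info found") come down to how the fat header is read. The block below is an added example, not radare2's own code: a minimal parser for Apple's documented fat header (big-endian 0xCAFEBABE magic, nfat_arch, then 20-byte fat_arch records) that extracts each slice and checks that the bytes at (offset, size) are in range and actually begin with a Mach-O magic, which is the check a loader wants before it starts analysing. The three-slice fat file it parses is constructed inline; the CPU type names mimic rabin2's x86_32/ppc naming.

```python
"""Fat (universal) Mach-O header parser with per-slice sanity checks.

Added example; this is not radare2 code. The fat header layout is Apple's
documented <mach-o/fat.h>: big-endian magic 0xCAFEBABE, nfat_arch, then one
20-byte fat_arch record per slice (cputype, cpusubtype, offset, size, align).
"""
import struct

FAT_MAGIC = 0xCAFEBABE
FAT_ARCH_FMT = ">iiIII"          # cputype, cpusubtype, offset, size, align (log2)
FAT_ARCH_SIZE = struct.calcsize(FAT_ARCH_FMT)   # 20 bytes

# Mach-O magic as it appears on disk for each width/endianness.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit big-endian",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit little-endian",
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit big-endian",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit little-endian",
}
# CPU_TYPE_* values from <mach/machine.h>; names follow rabin2's style.
CPU_TYPES = {7: "x86_32", 0x01000007: "x86_64", 18: "ppc", 12: "arm"}


def parse_fat(data):
    """Return [(name, offset, size, align)] for every fat_arch entry.

    Raises ValueError on a bad magic or a truncated arch table, so a caller
    never falls through to reading the whole file as if it were one slice.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary: magic 0x%08x" % magic)
    table_end = 8 + nfat * FAT_ARCH_SIZE
    if table_end > len(data):
        raise ValueError("fat_arch table truncated: %d entries claimed" % nfat)
    archs = []
    for i in range(nfat):
        rec = data[8 + i * FAT_ARCH_SIZE:8 + (i + 1) * FAT_ARCH_SIZE]
        cputype, _cpusubtype, offset, size, align = struct.unpack(FAT_ARCH_FMT, rec)
        name = CPU_TYPES.get(cputype, "unknown_%d" % cputype)
        archs.append((name, offset, size, align))
    return archs


def extract_slices(data):
    """Map "<name>.<index>" -> (slice bytes, verdict string).

    The verdict says whether the bytes at (offset, size) look like a Mach-O
    image; a loader that trusts the table blindly would otherwise hand the
    analyser a zero-filled or out-of-range region.
    """
    out = {}
    for i, (name, offset, size, align) in enumerate(parse_fat(data)):
        key = "%s.%d" % (name, i)
        if size < 4 or offset + size > len(data):
            out[key] = (b"", "out of bounds")
            continue
        if align < 32 and offset & ((1 << align) - 1):
            out[key] = (b"", "offset not aligned to 2^%d" % align)
            continue
        blob = data[offset:offset + size]
        kind = MACHO_MAGICS.get(blob[:4])
        if kind is None:
            kind = "zero-filled" if not any(blob) else "bad magic"
        out[key] = (blob, kind)
    return out


def build_sample_fat():
    """Constructed three-slice fat file (not the EyeTV binary from the issue).

    Slice 0: 32-bit little-endian x86 header; slice 1: 32-bit big-endian ppc
    header; slice 2: an arm entry whose offset points at zero padding, the
    symptom radare described ("text section looks filled by zeroes").
    """
    x86 = b"\xce\xfa\xed\xfe" + b"\x90" * 60
    ppc = b"\xfe\xed\xfa\xce" + b"\x60" * 60
    archs = [(7, 3, 0x1000, len(x86), 12),
             (18, 0, 0x2000, len(ppc), 12),
             (12, 0, 0x3000, 64, 12)]
    header = struct.pack(">II", FAT_MAGIC, len(archs))
    for rec in archs:
        header += struct.pack(FAT_ARCH_FMT, *rec)
    buf = bytearray(0x4000)
    buf[:len(header)] = header
    buf[0x1000:0x1000 + len(x86)] = x86
    buf[0x2000:0x2000 + len(ppc)] = ppc
    return bytes(buf)


if __name__ == "__main__":
    for key, (blob, verdict) in extract_slices(build_sample_fat()).items():
        print("%-10s %6d bytes  %s" % (key, len(blob), verdict))
```

Running it stand-alone lists the x86_32 and ppc slices as valid Mach-O images and flags the arm entry as zero-filled; feeding a thin Mach-O (first bytes CE FA ED FE) to parse_fat raises ValueError instead of being misread as a one-slice fat file.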

@radare
Collaborator

radare commented Apr 28, 2014

Fatmachos are broken. See @deeso

@deeso
Contributor

deeso commented May 14, 2014

Fixed here: 1fbc7f2. Try now.

@roysjosh
Contributor Author

I'm still learning r2, but analysis has definitely gotten faster and memory use seems to be more stable. Thanks.

@radare
Collaborator

radare commented May 17, 2014

fatmach0s should be working again now.

@deeso deeso closed this as completed May 22, 2014
yossizap pushed a commit to yossizap/radare2 that referenced this issue Dec 30, 2019