Please provide a test cases for ARM analysis #4

Open
XVilka opened this issue Jul 29, 2018 · 1 comment


XVilka commented Jul 29, 2018

Saw this:

NOT works with ARM binary

    radare does not analyze data dependency correctly

Please provide the samples, we'll check what we can do to fix.

Collaborator

K-atc commented Jul 29, 2018

Thank you for asking.

I remembered a little.

I checked this problem today. This is my radare2 version.

K_atc% r2 -v
radare2 2.7.0 0 @ linux-x86-64 git.2.7.0
commit: HEAD build: 2018-07-16__22:44:26

I attached Intel & ARM binaries and analyze.py (this python script uses radare2).

[lwip-bug-finder-issue-4.zip](https://github.com/ertlnagoya/lwip-bug-finder/files/2238686/lwip-bug-finder-issue-4.zip)

Case of Intel

First, this is a sample analysis for an Intel binary, echop,

K_atc% ./analyze.py bin/echop-STABLE-1_3_0 dns_recv 
{'sym.memp_free', 'sym.ntohl', 'sym.dns_parse_name', 'sym.pbuf_free', 'sym.mem_free', 'sym.pbuf_copy_partial', 'sym.dns_recv'}
{'obj.ram_end', 'obj.ram', 'obj.dns_payload', 'obj.memp_tab', 'obj.lfree', 'obj.dns_table'}

and this is the output of radare2.

[0x004014b0]> ax | grep 'DATA' | grep 'dns_recv'
                         sym.dns_recv+11 0x404dee ->      DATA -> 0x410905 str.dns_recv:_pbuf_too_big
                         sym.dns_recv+39 0x404e0a ->      DATA -> 0x41091c str.dns_recv:_pbuf_too_small
                         sym.dns_recv+56 0x404e1b ->      DATA -> 0x61c980 obj.dns_payload
                         sym.dns_recv+80 0x404e33 ->      DATA -> 0x61c980 obj.dns_payload
                        sym.dns_recv+117 0x404e58 ->      DATA -> 0x61cba0 obj.dns_table
                        sym.dns_recv+130 0x404e65 ->      DATA -> 0x61cba0 obj.dns_table

We see that radare2 outputs symbol names, including dns_table.

Case of ARM

Second, this is the output of radare2 (httpsample is an ARM binary).

% r2 bin/httpsample.el
... snipped ...
[0x1800b8e0]> ax | grep 'DATA' 
                             loc._a_7+32 0x18004e0c ->      DATA -> 0x18004e14 loc._d_15
                            loc._a_27+40 0x18006020 ->      DATA -> 0x18006054 loc._d_21
                            loc._a_35+32 0x18006148 ->      DATA -> 0x1800617c loc._d_25
                            loc._a_36+12 0x1800618c ->      DATA -> 0x1800625c loc._d_26
                           loc._a_142+12 0x18008814 ->      DATA -> 0x1800883c loc._d_41
                           loc._a_146+12 0x18008930 ->      DATA -> 0x18008958 loc._d_42
               sym._kernel_inthdr_232+16 0x1800b83c ->      DATA -> 0x1800b854 loc._d_62
                        loc.goToSleep+64 0x1800b928 ->      DATA -> 0x1800ba14 loc._d_7
                        loc.goToSleep+72 0x1800b930 ->      DATA -> 0x1800ba18 loc._d_7+4
                       loc.goToSleep+144 0x1800b978 ->      DATA -> 0x1800ba1c loc._d_7+8
... snipped ...

dns_recv[0x00000000]> ax | grep 'DATA' | grep 'dns_'
[0x00000000]> 

We see that radare outputs fewer symbol names, and there is NO dns_table.
Has radare2 failed to recover symbol information?

The symbol dns_table should appear in httpsample because echop and httpsample both use lwip.
So I think radare2 fails to analyze data dependency.

K_atc% nm bin/httpsample.elf | grep dns_table
2003acac b dns_table

Supplement

P. S.

  • Has radare2 changed the output format of ax?
    • Before (as of 2017/11): A -> data mem -> B
    • After (as of now): B -> DATA -> A
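
The comparison made by eye in the comment above, as an added example (not code from the issue or from analyze.py): it parses the `ax` lines quoted in the issue, lists what `sym.dns_recv` references in the Intel binary, and checks whether the address `nm` reports for `dns_table` is ever a DATA target in the ARM listing. The function names are assumptions, and the ARM input is only the excerpt quoted above, not the full `ax` output.

```python
import re

# Layout of one `ax` line as printed in this issue: NAME FROM -> KIND -> TO NAME
AX_RE = re.compile(r"^\s*(\S+)\s+(0x[0-9a-fA-F]+)\s+->\s+(\w+)\s+->\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")

def parse_ax(text):
    """Return (src_name, src_addr, kind, dst_addr, dst_name) per xref line."""
    hits = filter(None, map(AX_RE.match, text.splitlines()))
    return [(m[1], int(m[2], 16), m[3], int(m[4], 16), m[5]) for m in hits]

def parse_nm(text):
    """Map symbol name -> address from `nm` output (ADDR TYPE NAME)."""
    rows = (line.split() for line in text.splitlines())
    return {r[2]: int(r[0], 16) for r in rows if len(r) == 3}

def data_refs(refs, func):
    """DATA target names referenced from inside `func`, e.g. sym.dns_recv."""
    return {dn for sn, _, k, _, dn in refs if k == "DATA" and sn.split("+")[0] == func}

def unreferenced(refs, symbols):
    """nm symbols whose address is never the target of a DATA xref."""
    targets = {da for _, _, k, da, _ in refs if k == "DATA"}
    return sorted(n for n, a in symbols.items() if a not in targets)

def max_distance(refs):
    """Largest |target - source| in bytes over the DATA xrefs."""
    return max(abs(da - sa) for _, sa, k, da, _ in refs if k == "DATA")

# Lines copied from the radare2 and nm output quoted in the issue
INTEL_AX = """sym.dns_recv+11 0x404dee -> DATA -> 0x410905 str.dns_recv:_pbuf_too_big
sym.dns_recv+39 0x404e0a -> DATA -> 0x41091c str.dns_recv:_pbuf_too_small
sym.dns_recv+56 0x404e1b -> DATA -> 0x61c980 obj.dns_payload
sym.dns_recv+80 0x404e33 -> DATA -> 0x61c980 obj.dns_payload
sym.dns_recv+117 0x404e58 -> DATA -> 0x61cba0 obj.dns_table
sym.dns_recv+130 0x404e65 -> DATA -> 0x61cba0 obj.dns_table"""
ARM_AX = """loc._a_7+32 0x18004e0c -> DATA -> 0x18004e14 loc._d_15
loc._a_27+40 0x18006020 -> DATA -> 0x18006054 loc._d_21
loc._a_35+32 0x18006148 -> DATA -> 0x1800617c loc._d_25
loc._a_36+12 0x1800618c -> DATA -> 0x1800625c loc._d_26
loc._a_142+12 0x18008814 -> DATA -> 0x1800883c loc._d_41
loc._a_146+12 0x18008930 -> DATA -> 0x18008958 loc._d_42
sym._kernel_inthdr_232+16 0x1800b83c -> DATA -> 0x1800b854 loc._d_62
loc.goToSleep+64 0x1800b928 -> DATA -> 0x1800ba14 loc._d_7
loc.goToSleep+72 0x1800b930 -> DATA -> 0x1800ba18 loc._d_7+4
loc.goToSleep+144 0x1800b978 -> DATA -> 0x1800ba1c loc._d_7+8"""
ARM_NM = "2003acac b dns_table"
if __name__ == "__main__":
    print(sorted(data_refs(parse_ax(INTEL_AX), "sym.dns_recv")))
    print(unreferenced(parse_ax(ARM_AX), parse_nm(ARM_NM)), max_distance(parse_ax(ARM_AX)))
```

On the quoted ARM lines the largest source-to-target distance is 236 bytes, so every listed DATA target sits next to the referencing code in the 0x1800xxxx range, while `nm` places `dns_table` at 0x2003acac.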
