
Ghidra Decompiler Error: Could not finish collapsing block structure #203

XVilka opened this issue Mar 11, 2021 · 3 comments
Labels
bug Something isn't working high-priority rizin Related to the Rizin plugin test-attached

Comments

@XVilka
Member

XVilka commented Mar 11, 2021

Since the binary is an unlinked object file, be sure to use rizinorg/rizin#799 with Rizin.

[i] ℤ rizin rawmem.c-gcc-x64-O3.o
Warning: run rizin with -e io.cache=true to fix relocations in disassembly
 -- give | and > a try piping and redirection
[0x08000040]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.owWrite
sym.owWrite             sym.owWritePagePacket
[0x08000040]> s sym.owWrite
[0x08000230]> pdf
╭ sym.owWrite (int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5);
│           ; arg int64_t arg2 @ rsi
│           ; arg int64_t arg3 @ rdx
│           ; arg int64_t arg4 @ rcx
│           ; arg int64_t arg5 @ r8
│           0x08000230      mov   r11d, esi                            ; arg2
│           0x08000233      mov   rsi, rdx                             ; arg3
│           0x08000236      mov   edx, ecx                             ; arg4
│           0x08000238      movzx eax, byte [rsi]
│           0x0800023b      mov   rcx, r8                              ; arg5
│           0x0800023e      and   eax, 0x7f                            ; 127
│           0x08000241      sub   eax, 4
│           0x08000244      cmp   al, 0x73                             ; 115
│       ╭─< 0x08000246      ja    0x8000268
│       │   0x08000248      lea   r10, [0x0800024f]                    ; RELOC 32 .rodata @ 0x08001a34 - 0x7fffeaf
│       │   ; DATA XREF from sym.owWrite @ 0x8000248
│       │   0x0800024f      movzx eax, al
│       │   0x08000252      movsxd rax, dword [r10 + rax*4]
│       │   0x08000256      add   rax, r10
│       │   0x08000259      jmp   rax
..
│     │││   ; CODE XREF from sym.owWrite @ 0x8000246
│     │││   ; CODE XREF from reloc.writeEPROM @ +0xc
│     │││   ; CODE XREF from reloc.writeAppReg @ +0x13
│     ││╰─> 0x08000268      nop             dword [rax + rax]
╰     ││    0x0800026a      ret
[0x08000230]> pdg

It then hangs for a very long time before returning the following error message:

Ghidra Decompiler Error: Could not finish collapsing block structure

rawmem.c-gcc-x64-O3.o.zip

Ghidra 10.0 output:

/*
 * Ghidra 10.0 decompilation of owWrite, quoted here as the reference output
 * this issue compares against. The function selects one of the write*
 * helpers from the low 7 bits of the byte at param_3 and returns that
 * helper's result; every other path returns 0.
 */
undefined8 owWrite(undefined8 param_1,undefined4 param_2,byte *param_3,undefined4 param_4)
{
  undefined8 uVar1;
  int iVar2;
  
  iVar2 = (int)param_1;           /* sign tests below look only at the low 32 bits of param_1 */
  switch(*param_3 & 0x7f) {       /* bit 7 is masked off, so 0x80..0xff alias 0x00..0x7f */
  case 4:
  case 6:
  case 8:
  case 10:
  case 0xc:
  case 0x18:
  case 0x1a:
  case 0x1d:
  case 0x21:
  case 0x23:
    /* positive -> writeNV, zero -> writeScratch, negative -> break and return 0 */
    if (0 < iVar2) {
      uVar1 = writeNV(param_1,param_2,param_3,param_4);
      return uVar1;
    }
    if (iVar2 == 0) {
      uVar1 = writeScratch(param_1,param_2,param_3,param_4);
      return uVar1;
    }
    break;
  case 9:
  case 0xb:
  case 0xf:
  case 0x12:
  case 0x13:
    uVar1 = writeEPROM(param_1,param_2,param_3,param_4);
    return uVar1;
  case 0x14:
    /* same sign split as above; note writeAppReg gets a literal 0, not param_1 */
    if (0 < iVar2) {
      uVar1 = writeEE(param_1,param_2,param_3,param_4);
      return uVar1;
    }
    if (iVar2 == 0) {
      uVar1 = writeAppReg(0,param_2,param_3,param_4);
      return uVar1;
    }
    break;
  case 0x33:
    uVar1 = writeSHAEE(param_1,param_2,param_3,param_4);
    return uVar1;
  case 0x37:
  case 0x77:
    /* writeScratchPadEx77 receives only param_2; a negative iVar2 falls out of the switch */
    if (0 < iVar2) {
      uVar1 = writeEE77(param_1,param_2,param_3,param_4);
      return uVar1;
    }
    if (iVar2 == 0) {
      uVar1 = writeScratchPadEx77(param_2);
      return uVar1;
    }
  }
  /* no default label: an unmatched selector, or a negative iVar2 in the guarded cases, ends here */
  return 0;
}

Ghidra 10.0 disassembly:

                         *******************************************************
                         *                      FUNCTION                       *
                         *******************************************************
                         undefined8 __stdcall owWrite(undefined8 param_1, 
           undefined8      RAX:8        <RETURN>
           undefined8      RDI:8        param_1
           undefined4      ESI:4        param_2
           byte *          RDX:8        param_3
           undefined4      ECX:4        param_4
                         owWrite                                   XREF[2]:   Entry Point(*), 00106120(*)  
      001001f0 41 89 f3      MOV       R11D,param_2
      001001f3 48 89 d6      MOV       param_2,param_3
      001001f6 89 ca         MOV       param_3,param_4
      001001f8 0f b6 06      MOVZX     EAX,byte ptr [param_2]
      001001fb 4c 89 c1      MOV       param_4,R8
      001001fe 83 e0 7f      AND       EAX,0x7f
      00100201 83 e8 04      SUB       EAX,0x4
      00100204 3c 73         CMP       AL,0x73
      00100206 77 20         JA        switchD_00100219::caseD_5
      00100208 4c 8d 15      LEA       R10,[switchD_00100219::switchdataD_00101d  = FFFFE48Ch
               85 1b 00 
               00
      0010020f 0f b6 c0      MOVZX     EAX,AL
      00100212 49 63 04      MOVSXD    RAX,dword ptr [R10 + RAX*0x4]=>switchD_00  = FFFFE48Ch
               82
      00100216 4c 01 d0      ADD       RAX,R10
                         switchD_00100219::switchD
      00100219 ff e0         JMP       RAX
      0010021b 0f            ??        0Fh
      0010021c 1f            ??        1Fh
      0010021d 44            ??        44h    D
      0010021e 00            ??        00h
      0010021f 00            ??        00h
                         switchD_00100219::caseD_6                 XREF[1]:   00100219(j)  
                         switchD_00100219::caseD_8
                         switchD_00100219::caseD_a
                         switchD_00100219::caseD_c
                         switchD_00100219::caseD_18
                         switchD_00100219::caseD_1a
                         switchD_00100219::caseD_1d
                         switchD_00100219::caseD_21
                         switchD_00100219::caseD_23
                         switchD_00100219::caseD_4
      00100220 85 ff         TEST      param_1,param_1
      00100222 7f 64         JG        LAB_00100288
      00100224 85 ff         TEST      param_1,param_1
      00100226 74 6d         JZ        LAB_00100295
                         switchD_00100219::caseD_7                 XREF[4]:   00100206(j), 00100219(j), 
                         switchD_00100219::caseD_d                             00100255(j), 00100275(j)  
                         switchD_00100219::caseD_e
                         switchD_00100219::caseD_10
                         switchD_00100219::caseD_11
                         switchD_00100219::caseD_15
                         switchD_00100219::caseD_16
                         switchD_00100219::caseD_17
                         switchD_00100219::caseD_19
                         switchD_00100219::caseD_1b
                         switchD_00100219::caseD_1c
                         switchD_00100219::caseD_1e
                         switchD_00100219::caseD_1f
                         switchD_00100219::caseD_20
                         switchD_00100219::caseD_22
                         switchD_00100219::caseD_24
                         switchD_00100219::caseD_25
                         switchD_00100219::caseD_26
                         switchD_00100219::caseD_27
                         switchD_00100219::caseD_28
                         switchD_00100219::caseD_29
                         switchD_00100219::caseD_2a
                         switchD_00100219::caseD_2b
                         switchD_00100219::caseD_2c
                         switchD_00100219::caseD_2d
                         switchD_00100219::caseD_2e
                         switchD_00100219::caseD_2f
                         switchD_00100219::caseD_30
                         switchD_00100219::caseD_31
                         switchD_00100219::caseD_32
                         switchD_00100219::caseD_34
                         switchD_00100219::caseD_35
                         switchD_00100219::caseD_36
                         switchD_00100219::caseD_38
                         switchD_00100219::caseD_39
                         switchD_00100219::caseD_3a
                         switchD_00100219::caseD_3b
                         switchD_00100219::caseD_3c
                         switchD_00100219::caseD_3d
                         switchD_00100219::caseD_3e
                         switchD_00100219::caseD_3f
                         switchD_00100219::caseD_40
                         switchD_00100219::caseD_41
                         switchD_00100219::caseD_42
                         switchD_00100219::caseD_43
                         switchD_00100219::caseD_44
                         switchD_00100219::caseD_45
                         switchD_00100219::caseD_46
                         switchD_00100219::caseD_47
                         switchD_00100219::caseD_48
                         switchD_00100219::caseD_49
                         switchD_00100219::caseD_4a
                         switchD_00100219::caseD_4b
                         switchD_00100219::caseD_4c
                         switchD_00100219::caseD_4d
                         switchD_00100219::caseD_4e
                         switchD_00100219::caseD_4f
                         switchD_00100219::caseD_50
                         switchD_00100219::caseD_51
                         switchD_00100219::caseD_52
                         switchD_00100219::caseD_53
                         switchD_00100219::caseD_54
                         switchD_00100219::caseD_55
                         switchD_00100219::caseD_56
                         switchD_00100219::caseD_57
                         switchD_00100219::caseD_58
                         switchD_00100219::caseD_59
                         switchD_00100219::caseD_5a
                         switchD_00100219::caseD_5b
                         switchD_00100219::caseD_5c
                         switchD_00100219::caseD_5d
                         switchD_00100219::caseD_5e
                         switchD_00100219::caseD_5f
                         switchD_00100219::caseD_60
                         switchD_00100219::caseD_61
                         switchD_00100219::caseD_62
                         switchD_00100219::caseD_63
                         switchD_00100219::caseD_64
                         switchD_00100219::caseD_65
                         switchD_00100219::caseD_66
                         switchD_00100219::caseD_67
                         switchD_00100219::caseD_68
                         switchD_00100219::caseD_69
                         switchD_00100219::caseD_6a
                         switchD_00100219::caseD_6b
                         switchD_00100219::caseD_6c
                         switchD_00100219::caseD_6d
                         switchD_00100219::caseD_6e
                         switchD_00100219::caseD_6f
                         switchD_00100219::caseD_70
                         switchD_00100219::caseD_71
                         switchD_00100219::caseD_72
                         switchD_00100219::caseD_73
                         switchD_00100219::caseD_74
                         switchD_00100219::caseD_75
                         switchD_00100219::caseD_76
                         switchD_00100219::caseD_5
      00100228 31 c0         XOR       EAX,EAX
      0010022a c3            RET
      0010022b 0f            ??        0Fh
      0010022c 1f            ??        1Fh
      0010022d 44            ??        44h    D
      0010022e 00            ??        00h
      0010022f 00            ??        00h
                         switchD_00100219::caseD_33                XREF[1]:   00100219(j)  
      00100230 89 d1         MOV       param_4,param_3
      00100232 48 89 f2      MOV       param_3,param_2
      00100235 44 89 de      MOV       param_2,R11D
      00100238 e9 33 6e      JMP       writeSHAEE                                 undefined writeSHAEE()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      0010023d 0f            ??        0Fh
      0010023e 1f            ??        1Fh
      0010023f 00            ??        00h
                         switchD_00100219::caseD_b                 XREF[1]:   00100219(j)  
                         switchD_00100219::caseD_f
                         switchD_00100219::caseD_12
                         switchD_00100219::caseD_13
                         switchD_00100219::caseD_9
      00100240 89 d1         MOV       param_4,param_3
      00100242 48 89 f2      MOV       param_3,param_2
      00100245 44 89 de      MOV       param_2,R11D
      00100248 e9 2b 6e      JMP       writeEPROM                                 undefined writeEPROM()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      0010024d 0f            ??        0Fh
      0010024e 1f            ??        1Fh
      0010024f 00            ??        00h
                         switchD_00100219::caseD_14                XREF[1]:   00100219(j)  
      00100250 83 ff 00      CMP       param_1,0x0
      00100253 7f 63         JG        LAB_001002b8
      00100255 75 d1         JNZ       switchD_00100219::caseD_5
      00100257 89 d1         MOV       param_4,param_3
      00100259 31 ff         XOR       param_1,param_1
      0010025b 48 89 f2      MOV       param_3,param_2
      0010025e 44 89 de      MOV       param_2,R11D
      00100261 e9 1a 6e      JMP       writeAppReg                                undefined writeAppReg()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      00100266 66            ??        66h    f
      00100267 2e            ??        2Eh    .
      00100268 0f            ??        0Fh
      00100269 1f            ??        1Fh
      0010026a 84            ??        84h
      0010026b 00            ??        00h
      0010026c 00            ??        00h
      0010026d 00            ??        00h
      0010026e 00            ??        00h
      0010026f 00            ??        00h
                         switchD_00100219::caseD_77                XREF[1]:   00100219(j)  
                         switchD_00100219::caseD_37
      00100270 83 ff 00      CMP       param_1,0x0
      00100273 7f 33         JG        LAB_001002a8
      00100275 75 b1         JNZ       switchD_00100219::caseD_5
      00100277 45 89 c8      MOV       R8D,R9D
      0010027a 44 89 df      MOV       param_1,R11D
      0010027d e9 06 6e      JMP       writeScratchPadEx77                        undefined writeScratchPadEx7
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      00100282 66            ??        66h    f
      00100283 0f            ??        0Fh
      00100284 1f            ??        1Fh
      00100285 44            ??        44h    D
      00100286 00            ??        00h
      00100287 00            ??        00h
                         LAB_00100288                              XREF[1]:   00100222(j)  
      00100288 89 d1         MOV       param_4,param_3
      0010028a 48 89 f2      MOV       param_3,param_2
      0010028d 44 89 de      MOV       param_2,R11D
      00100290 e9 fb 6d      JMP       writeNV                                    undefined writeNV()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
                         LAB_00100295                              XREF[1]:   00100226(j)  
      00100295 89 d1         MOV       param_4,param_3
      00100297 48 89 f2      MOV       param_3,param_2
      0010029a 44 89 de      MOV       param_2,R11D
      0010029d e9 f6 6d      JMP       writeScratch                               undefined writeScratch()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      001002a2 66            ??        66h    f
      001002a3 0f            ??        0Fh
      001002a4 1f            ??        1Fh
      001002a5 44            ??        44h    D
      001002a6 00            ??        00h
      001002a7 00            ??        00h
                         LAB_001002a8                              XREF[1]:   00100273(j)  
      001002a8 89 d1         MOV       param_4,param_3
      001002aa 48 89 f2      MOV       param_3,param_2
      001002ad 44 89 de      MOV       param_2,R11D
      001002b0 e9 eb 6d      JMP       writeEE77                                  undefined writeEE77()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      001002b5 0f            ??        0Fh
      001002b6 1f            ??        1Fh
      001002b7 00            ??        00h
                         LAB_001002b8                              XREF[1]:   00100253(j)  
      001002b8 89 d1         MOV       param_4,param_3
      001002ba 48 89 f2      MOV       param_3,param_2
      001002bd 44 89 de      MOV       param_2,R11D
      001002c0 e9 e3 6d      JMP       writeEE                                    undefined writeEE()
               00 00
                         -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
      001002c5 90            ??        90h
      001002c6 66            ??        66h    f
      001002c7 2e            ??        2Eh    .
      001002c8 0f            ??        0Fh
      001002c9 1f            ??        1Fh
      001002ca 84            ??        84h
      001002cb 00            ??        00h
      001002cc 00            ??        00h
      001002cd 00            ??        00h
      001002ce 00            ??        00h
      001002cf 00            ??        00h
@XVilka XVilka added bug Something isn't working high-priority test-attached labels Mar 11, 2021
@thestr4ng3r
Member

thestr4ng3r commented Apr 27, 2021

It's related to reloc patching. It currently "works" with io.cache=1, but you get a lot of garbage code (and it also takes a long time). In Ghidra it works fine, so I suspect something is wrong with the way rizin patches the relocs.

@XVilka XVilka added the rizin Related to the Rizin plugin label May 6, 2021
@XVilka
Member Author

XVilka commented Sep 15, 2021

Indeed, I retried with the latest Rizin/Rz-Ghidra:

[i] ℤ rizin rawmem.c-gcc-x64-O3.o                                                                                                                                                                                                 15:08:02 
 -- You can 'copy/paste' bytes using the cursor in visual mode 'c' and using the 'y' and 'Y' keys
[0x08000040]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.owWrite
sym.owWrite             sym.owWritePagePacket   
[0x08000040]> s sym.owWrite
[0x08000230]> pdf
╭ sym.owWrite (int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6);
│           ; arg int64_t arg1 @ rdi
│           ; arg int64_t arg2 @ rsi
│           ; arg int64_t arg3 @ rdx
│           ; arg int64_t arg4 @ rcx
│           ; arg int64_t arg5 @ r8
│           ; arg int64_t arg6 @ r9
│           0x08000230      mov   r11d, esi                            ; arg2
│           0x08000233      mov   rsi, rdx                             ; arg3
│           0x08000236      mov   edx, ecx                             ; arg4
│           0x08000238      movzx eax, byte [rsi]
│           0x0800023b      mov   rcx, r8                              ; arg5
│           0x0800023e      and   eax, 0x7f                            ; 127
│           0x08000241      sub   eax, 4
│           0x08000244      cmp   al, 0x73                             ; 115
│       ╭─< 0x08000246      ja    case.0x8000259.5
│       │   0x08000248      lea   r10, reloc..text.231                 ; 0x8001dd4; RELOC 32 .rodata @ 0x08001a34 - 0x7fffeaf
│       │   0x0800024f      movzx eax, al
│       │   0x08000252      movsxd rax, dword [r10 + rax*4]
│       │   0x08000256      add   rax, r10
│       │   ;-- switch
│       │   0x08000259      jmp   rax                                  ; switch table (116 cases) at 0x8001dd4
..
│       │   ; CODE XREF from sym.owWrite @ 0x8000259
│       │   ;-- case 4:                                                ; from 0x8000259
│       │   ;-- case 8:                                                ; from 0x8000259
│       │   ;-- case 12:                                               ; from 0x8000259
│       │   ;-- case 26:                                               ; from 0x8000259
│       │   ;-- case 33:                                               ; from 0x8000259
│       │   0x08000260      nop     dword [rax + rax]                  ; arg1
│      ╭──< 0x08000262      jg    0x80002c8
│      ││   0x08000264      test  edi, edi                             ; arg1
│     ╭───< 0x08000266      je    0x80002d5
│     │││   ; CODE XREFS from sym.owWrite @ 0x8000246, 0x8000259, 0x8000295, 0x80002b5
│     │││   ;-- case 5:                                                ; from 0x8000259
│     │││   ;-- case 13...14:                                          ; from 0x8000259
│     │││   ;-- case 16:                                               ; from 0x8000259
│     │││   ;-- case 17:                                               ; from 0x8000259
│     │││   ;-- case 22...23:                                          ; from 0x8000259
│     │││   ;-- case 25:                                               ; from 0x8000259
│     │││   ;-- case 27...28:                                          ; from 0x8000259
│     │││   ;-- case 30:                                               ; from 0x8000259
│     │││   ;-- case 31...32:                                          ; from 0x8000259
│     │││   ;-- case 34:                                               ; from 0x8000259
│     │││   ;-- case 36...50:                                          ; from 0x8000259
│     │││   ;-- case 52:                                               ; from 0x8000259
│     │││   ;-- case 53...54:                                          ; from 0x8000259
│     │││   ;-- case 56:                                               ; from 0x8000259
│     │││   ;-- default:                                               ; from 0x8000259
│   ╭╭──╰─> 0x08000268      xor   eax, eax
│   ╎╎││    0x0800026a      ret
..
│   ╎╎││    ; CODE XREF from sym.owWrite @ 0x8000259
│   ╎╎││    ;-- case 51:                                               ; from 0x8000259
│   ╎╎││    0x08000270      nop     dword [rax + rax]
│   ╎╎││    0x08000272      mov   rdx, rsi
│   ╎╎││    0x08000275      mov   esi, r11d
│   ╎╎││╭─< 0x08000278      jmp   reloc.target.writeSHAEE              ; RELOC 32 writeSHAEE
..
│   ╎╎│││   ; CODE XREF from sym.owWrite @ 0x8000259
│   ╎╎│││   ;-- case 9:                                                ; from 0x8000259
│   ╎╎│││   ;-- case 15:                                               ; from 0x8000259
│   ╎╎│││   ;-- case 19:                                               ; from 0x8000259
│   ╎╎│││   0x08000280      nop     dword [rax]
│   ╎╎│││   0x08000282      mov   rdx, rsi
│   ╎╎│││   0x08000285      mov   esi, r11d
│  ╭──────< 0x08000288      jmp   reloc.target.writeEPROM              ; RELOC 32 writeEPROM
..
│  │╎╎│││   ; CODE XREF from sym.owWrite @ 0x8000259
│  │╎╎│││   ;-- case 20:                                               ; from 0x8000259
│  │╎╎│││   0x08000290      nop     dword [rax]                        ; arg1
│ ╭───────< 0x08000293      jg    0x80002f8
│ ││╰─────< 0x08000295      jne   case.0x8000259.5
│ ││ ╎│││   0x08000297      mov   ecx, edx
│ ││ ╎│││   0x08000299      xor   edi, edi
│ ││ ╎│││   0x0800029b      mov   rdx, rsi
│ ││ ╎│││   0x0800029e      mov   esi, r11d
│ ││╭─────< 0x080002a1      jmp   reloc.target.writeAppReg             ; RELOC 32 writeAppReg
..
│ │││╎│││   ; CODE XREF from sym.owWrite @ 0x8000259
│ │││╎│││   ;-- case 55:                                               ; from 0x8000259
│ │││╎│││   0x080002b0      nop     word cs:[rax + rax]                ; arg1
│ ────────< 0x080002b3      jg    0x80002e8
│ │││╰────< 0x080002b5      jne   case.0x8000259.5
│ │││ │││   0x080002b7      mov   r8d, r9d                             ; arg6
│ │││ │││   0x080002ba      mov   edi, r11d
│ │││╭────< 0x080002bd      jmp   reloc.target.writeScratchPadEx77     ; RELOC 32 writeScratchPadEx77
..
│ │││││││   ; CODE XREF from sym.owWrite @ 0x8000262
│ │││││╰──> 0x080002c8      nop     word [rax + rax]
│ │││││ │   0x080002ca      mov   rdx, rsi
│ │││││ │   0x080002cd      mov   esi, r11d
│ │││││╭──< 0x080002d0      jmp   reloc.target.writeNV                 ; RELOC 32 writeNV
│ │││││││   ; CODE XREF from sym.owWrite @ 0x8000266
│ ││││╰───> 0x080002d5      mov   ecx, edx
│ ││││ ││   0x080002d7      mov   rdx, rsi
│ ││││ ││   0x080002da      mov   esi, r11d
│ ││││╭───< 0x080002dd      jmp   reloc.target.writeScratch            ; RELOC 32 writeScratch
..
│ │││││││   ; CODE XREF from sym.owWrite @ 0x80002b3
│ ────────> 0x080002e8      nop     word [rax + rax]
│ │││││││   0x080002ea      mov   rdx, rsi
│ │││││││   0x080002ed      mov   esi, r11d
│ ────────< 0x080002f0      jmp   reloc.target.writeEE77               ; RELOC 32 writeEE77
..
│ │││││││   ; CODE XREF from sym.owWrite @ 0x8000293
│ ╰───────> 0x080002f8      nop     dword [rax]
│  ││││││   0x080002fa      mov   rdx, rsi
│  ││││││   0x080002fd      mov   esi, r11d
╰ ╭───────< 0x08000300      jmp   reloc.target.writeEE                 ; RELOC 32 writeEE
[0x08000230]> pdg

It then prints a seemingly endless stream of garbage like this:

 // WARNING: Control flow encountered bad instruction data
undefined  [16] sym.owWrite(int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6)
{
    char cVar1;
    code *pcVar2;
    int32_t iVar3;
    
    pcVar2 = reloc..text.231 + *(int32_t *)(reloc..text.231 + (uint64_t)(uint8_t)((*(uint8_t *)arg3 & 0x7f) - 4) * 4);
    iVar3 = (int32_t)arg1;
    cVar1 = (char)pcVar2;
    // switch table (116 cases) at 0x8001dd4
    switch(*(uint8_t *)arg3 & 0x7f) {
    case 4:
    case 6:
    case 8:
    case 10:
    case 0xc:
    case 0x18:
    case 0x1a:
    case 0x1d:
    case 0x21:
    case 0x23:
        if (0 < iVar3) goto code_r0x08023298;
        if (iVar3 != 0) goto code_r0x08000268;
        goto code_r0x080232a0;
    default:
code_r0x08000268:
        return ZEXT816((uint64_t)arg4) << 0x40 & (undefined  [16])0xffffffffffffffff;
    case 9:
    case 0xb:
    case 0xf:
    case 0x12:
    case 0x13:
        break;
    case 0x14:
        if (0 < iVar3) goto code_r0x080232b0;
        if (iVar3 != 0) goto code_r0x08000268;
        goto code_r0x08023288;
    case 0x33:
        *pcVar2 = (code)((char)*pcVar2 + cVar1);
        *pcVar2 = (code)((char)*pcVar2 + cVar1);
        *pcVar2 = (code)((char)*pcVar2 + cVar1);
        *pcVar2 = (code)((char)*pcVar2 + cVar1);
        break;
    case 0x37:
    case 0x77:
        if (iVar3 < 1) {
            if (iVar3 != 0) goto code_r0x08000268;
            goto code_r0x08023290;
        }
        goto code_r0x080232a8;
    }
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
code_r0x08023288:
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);

.... (thousands of lines like that)

    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
    *pcVar2 = (code)((char)*pcVar2 + cVar1);
        // WARNING: Bad instruction - Truncating control flow here
    halt_baddata();

Attaching the full output here:
rawmem_owWrite_pdg.c.zip

@XVilka
Member Author

XVilka commented Jan 23, 2023

Despite all the relocation fixes, this is still happening.
