
Possible infinite loop on decompiling simple functions on x86_64 binaries. #204

XVilka opened this issue Mar 11, 2021 · 7 comments

XVilka commented Mar 11, 2021

Since all of the binaries below are unlinked object files, be sure to use rizinorg/rizin#799 on the Rizin side.

First case

[i] ℤ rizin harp-utils.c-gcc-arm64-O0.o
Warning: run rizin with -e io.cache=true to fix relocations in disassembly
 -- You can mark an offset in visual mode with the cursor and the ',' key. Later press '.' to go back
[0x08000040]> aaa
[../librz/analysis/p/analysis_arm_cs.c:1701:26: runtime error: left shift of 65535 by 48 places cannot be represented in type 'long long int'
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Finding xrefs in noncode section with analysis.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x08004548 to 0x08005be0 (aav)
[x] 0x08004548-0x08005be0 in 0x8004548-0x8005be0 (aav)
[x] 0x08004548-0x08005be0 in 0x8000040-0x8003580 (aav)
[x] Value from 0x08000040 to 0x08003580 (aav)
[x] 0x08000040-0x08003580 in 0x8004548-0x8005be0 (aav)
[x] 0x08000040-0x08003580 in 0x8000040-0x8003580 (aav)
[x] Emulate functions to find computed references (aaef)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.harp_get_valid_min_for_type
[0x08000e74]> pdf
╭ sym.harp_get_valid_min_for_type (int64_t arg1);
│           ; var int64_t var_1ch @ x29+0x1c
│           ; var int64_t var_28h @ x29+0x28
│           ; var int64_t var_30h @ sp+0x0
│           ; var int64_t var_30h_2 @ sp+0x8
│           ; arg int64_t arg1 @ x0
│           0x08000e74      stp   x29, x30, [var_30h]!
│           0x08000e78      mov   x29, sp
│           0x08000e7c      str   w0, [var_1ch]                        ; arg1
│           0x08000e80      ldr   w0, [var_1ch]                        ; [0x1c:4]=-1 ; 28
│           0x08000e84      cmp   w0, 2
│       ╭─< 0x08000e88      b.eq  0x8000ed4
│       │   0x08000e8c      cmp   w0, 2
│      ╭──< 0x08000e90      b.hi  0x8000ea8
│      ││   0x08000e94      cmp   w0, 0
│     ╭───< 0x08000e98      b.eq  0x8000ebc
│     │││   0x08000e9c      cmp   w0, 1
│    ╭────< 0x08000ea0      b.eq  0x8000ec8
│   ╭─────< 0x08000ea4      b     0x8000efc
│   │││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000e90
│   │││╰──> 0x08000ea8      cmp   w0, 3
│   │││╭──< 0x08000eac      b.eq  0x8000ee0
│   │││││   0x08000eb0      cmp   w0, 4
│  ╭──────< 0x08000eb4      b.eq  0x8000ef0
│ ╭───────< 0x08000eb8      b     0x8000efc
│ │││││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000e98
│ ││││╰───> 0x08000ebc      movn  w0, 0x7f
│ ││││ ││   0x08000ec0      strb  w0, [var_28h]
│ ││││╭───< 0x08000ec4      b     0x8000f20
│ │││││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000ea0
│ │││╰────> 0x08000ec8      movn  w0, 0x7fff
│ │││ │││   0x08000ecc      strh  w0, [var_28h]
│ │││╭────< 0x08000ed0      b     0x8000f20
│ │││││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000e88
│ ││││││╰─> 0x08000ed4      movz  w0, 0x8000, lsl 16
│ ││││││    0x08000ed8      str   w0, [var_28h]
│ ││││││╭─< 0x08000edc      b     0x8000f20
│ │││││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000eac
│ │││││╰──> 0x08000ee0      bl    0x8000ee0
│ │││││ │   0x08000ee4      fcvt  s0, d0
│ │││││ │   0x08000ee8      str   s0, [var_28h]
│ │││││╭──< 0x08000eec      b     0x8000f20
│ │││││││   ; CODE XREF from sym.harp_get_valid_min_for_type @ 0x8000eb4
│ │╰──────> 0x08000ef0      bl    0x8000ef0
│ │ │││││   0x08000ef4      str   d0, [var_28h]
│ │╭──────< 0x08000ef8      b     0x8000f20
│ │││││││   ; CODE XREFS from sym.harp_get_valid_min_for_type @ 0x8000ea4, 0x8000eb8
│ ╰─╰─────> 0x08000efc      adrp  x0, loc.imp.__ctype_b_loc            ; loc.imp.__memset_chk
│  │ ││││                                                              ; 0x8000000
│  │ ││││   0x08000f00      add   x2, x0, 0                            ; 0x8000000
│  │ ││││                                                              ; loc.imp.__memset_chk
│  │ ││││   0x08000f04      adrp  x0, loc.imp.__ctype_b_loc            ; loc.imp.__memset_chk
│  │ ││││                                                              ; 0x8000000
│  │ ││││   0x08000f08      add   x1, x0, 0                            ; 0x8000000
│  │ ││││                                                              ; loc.imp.__memset_chk
│  │ ││││   0x08000f0c      adrp  x0, loc.imp.__ctype_b_loc            ; loc.imp.__memset_chk
│  │ ││││                                                              ; 0x8000000
│  │ ││││   0x08000f10      add   x0, x0, 0                            ; 0x8000000
│  │ ││││                                                              ; loc.imp.__memset_chk
│  │ ││││   0x08000f14      mov   x3, x2
│  │ ││││   0x08000f18      movz  w2, 0x22a
│  │ ││││   0x08000f1c      bl    0x8000f1c
│  │ ││││   ; CODE XREFS from sym.harp_get_valid_min_for_type @ 0x8000ec4, 0x8000ed0, 0x8000edc, 0x8000eec, 0x8000ef8
│  ╰─╰╰╰╰─> 0x08000f20      ldr   x0, [var_28h]                        ; [0x28:4]=-1 ; 40
│           0x08000f24      ldp   x29, x30, [sp], 0x30
╰           0x08000f28      ret
[0x08000e74]> pdg

And it gets stuck forever.

harp-utils.c-gcc-arm64-O0.o.zip

Second case

[i] ℤ rizin s_ceill.c-gcc-x86-O2.o
Warning: run rizin with -e io.cache=true to fix relocations in disassembly
 -- Get a free shell with 'rz_gg -i exec -x'
[0x08000040]> aaa
[Fail to load 32 bytes of data at 0x08000345 entry0 (aa)
Fail to load 32 bytes of data at 0x0800034f
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[Fail to load 32 bytes of data at 0x08000345
Fail to load 32 bytes of data at 0x0800034f
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.ceill_long_double
[0x08000040]> pdf
            ;-- section..text:
            ;-- .text:
╭ sym.ceill_long_double ();
│           ; var int32_t var_8h @ esp+0x8
│           ; var int32_t var_ch @ esp+0xc
│           ; var int32_t var_14h @ esp+0x14
│           ; var int32_t var_24h @ esp+0x24
│           ; var signed int var_39h @ esp+0x39
│           ; var int32_t var_40h @ esp+0x40
│           ; var signed int var_59h @ esp+0x59
│           ; var int32_t var_60h @ esp+0x60
│           ; var int32_t var_74h @ esp+0x74
│           ; var signed int var_89h @ esp+0x89
│           ; var int32_t var_90h @ esp+0x90
│           ; var int32_t var_a4h @ esp+0xa4
│           ; var int32_t var_b8h @ esp+0xb8
│           ; var int32_t var_c0h @ esp+0xc0
│           ; var int32_t var_c4h @ esp+0xc4
│           ; var int32_t var_c8h @ esp+0xc8
│           0x08000040      push  ebp                                  ; [02] -r-x section size 785 named .text
│           0x08000041      push  edi
│           0x08000042      push  esi
│           0x08000043      push  ebx
│           0x08000044      call  __x86.get_pc_thunk.dx                ; RELOC 32 __x86.get_pc_thunk.dx @ 0x08000360 - 0x8000045
│           0x08000049      add   edx, 2                               ; RELOC 32 _GLOBAL_OFFSET_TABLE_
│           0x0800004f      sub   esp, 0xec
│           0x08000055      fld   xword [esp + 0x100]
│           0x0800005c      fld   st(0)
│           0x0800005e      fstp  xword [esp + 0xc0]
│           0x08000065      movzx ebx, word [var_c8h]
│           0x0800006d      mov   ebp, ebx
│           0x0800006f      and   bp, 0x7fff
│           0x08000074      movzx ecx, bp
│           0x08000077      lea   eax, [ecx - 0x3fff]
│           0x0800007d      cmp   eax, 0x1e                            ; 30
│       ╭─< 0x08000080      jg    0x8000188
│       │   0x08000086      test  eax, eax
│      ╭──< 0x08000088      js    .LC2
│      ││   0x0800008e      sub   ecx, 0x3ffe
│      ││   0x08000094      xor   edi, edi
│      ││   0x08000096      mov   esi, 0xffffffff                      ; -1
│      ││   0x0800009b      shrd  esi, edi, cl
│      ││   0x0800009e      shr   edi, cl
│      ││   0x080000a0      test  cl, 0x20                             ; 32
│     ╭───< 0x080000a3      je    0x80000a7
│     │││   0x080000a5      mov   esi, edi
│     │││   ; CODE XREF from ceill(long double) @ 0x80000a3
│     ╰───> 0x080000a7      fld   st(0)
│      ││   0x080000a9      fstp  xword [esp + 0x70]
│      ││   0x080000ad      mov   edi, esi
│      ││   0x080000af      mov   dword [var_8h], esi
│      ││   0x080000b3      mov   ecx, edi
│      ││   0x080000b5      mov   esi, dword [var_74h]
│      ││   0x080000b9      fld   st(0)
│      ││   0x080000bb      fstp  xword [esp + 0x60]
│      ││   0x080000bf      and   ecx, esi
│      ││   0x080000c1      mov   dword [var_ch], esi
│      ││   0x080000c5      or    ecx, dword [var_60h]
│      ││   0x080000c9      fld   st(0)
│     ╭───< 0x080000cb      je    0x8000160
│     │││   0x080000d1      fstp  st(0)
│     │││   0x080000d3      fld   st(0)
│     │││   0x080000d5      fstp  xword [esp + 0x50]
│     │││   0x080000d9      cmp   byte [var_59h], 0
│    ╭────< 0x080000de      js    0x8000127
│    ││││   0x080000e0      mov   ecx, 0x1f                            ; 31
│    ││││   0x080000e5      mov   esi, 1
│    ││││   0x080000ea      sub   ecx, eax
│    ││││   0x080000ec      xor   eax, eax
│    ││││   0x080000ee      shl   esi, cl
│    ││││   0x080000f0      test  cl, 0x20                             ; 32
│    ││││   0x080000f3      cmovne esi, eax
│    ││││   0x080000f6      add   esi, dword [var_ch]
│    ││││   0x080000fa      mov   dword [var_c4h], esi
│   ╭─────< 0x08000101      jae   0x8000127
│   │││││   0x08000103      add   ebp, 1
│   │││││   0x08000106      and   bx, 0x8000
│   │││││   0x0800010b      or    esi, 0x80000000
│   │││││   0x08000111      and   bp, 0x7fff
│   │││││   0x08000116      mov   dword [var_c4h], esi
│   │││││   0x0800011d      or    ebx, ebp
│   │││││   0x0800011f      mov   word [var_c8h], bx
│   │││││   ; CODE XREFS from ceill(long double) @ 0x80000de, 0x8000101
│   ╰╰────> 0x08000127      fadd  qword [edx]                          ; RELOC 32 .LC2 @ 0x08000358
│     │││   0x0800012d      fldz
│     │││   0x0800012f      fxch  st(1)
│     │││   0x08000131      fucomip st(1)
│     │││   0x08000133      fstp  st(0)
│    ╭────< 0x08000135      jbe   0x800014f
│    ││││   0x08000137      mov   edi, dword [var_8h]
│    ││││   0x0800013b      mov   dword [var_c0h], 0
│    ││││   0x08000146      not   edi
│    ││││   0x08000148      and   dword [var_c4h], edi
│    ││││   ; CODE XREFS from ceill(long double) @ 0x8000135, 0x800024e, 0x800025f
│  ╭╭╰────> 0x0800014f      fld   xword [esp + 0xc0]
│  ╎╎╭────< 0x08000156      jmp   0x800017a
..
│  ╎╎││││   ; CODE XREF from ceill(long double) @ 0x80000cb
│  ╎╎│╰───> 0x08000160      nop
│  ╎╎│╭───< 0x08000162      jmp   0x800017a
..
│  ╎╎││││   ; CODE XREF from ceill(long double) @ 0x800018d
│ ╭───────> 0x08000168      lea     esi, [esi]
│ ────────< 0x0800016a      jmp   0x800017a
..
│ ╎╎╎││││   ; CODE XREF from ceill(long double) @ 0x80001b0
│ ────────> 0x08000170      lea     esi, [esi]
│ ────────< 0x08000172      jmp   0x800017a
..
│ ╎╎╎││││   ; CODE XREF from ceill(long double) @ 0x80002b1
│ ────────> 0x08000178      lea     esi, [esi]
│ ╎╎╎││││   ; XREFS: CODE 0x08000156  CODE 0x08000162  CODE 0x0800016a  CODE 0x08000172  CODE 0x080002cc  CODE 0x080002d8
│ ╎╎╎││││   ; XREFS: CODE 0x080002e4
│ ───╰╰───> 0x0800017a      add   esp, 0xec
│ ╎╎╎  ││   0x08000180      pop   ebx
│ ╎╎╎  ││   0x08000181      pop   esi
│ ╎╎╎  ││   0x08000182      pop   edi
│ ╎╎╎  ││   0x08000183      pop   ebp
│ ╎╎╎  ││   0x08000184      ret
..
│ ╎╎╎  ││   ; CODE XREF from ceill(long double) @ 0x8000080
│ ╎╎╎  │╰─> 0x08000188      lea     esi, [esi]                         ; 0x3e ; 62
│ ╎╎╎  │    0x0800018b      fld   st(0)
│ ╰───────< 0x0800018d      jg    0x8000168
│  ╎╎  │    0x0800018f      fxch  st(1)
│  ╎╎  │    0x08000191      fld   st(0)
│  ╎╎  │    0x08000193      fstp  xword [esp + 0x40]
│  ╎╎  │    0x08000197      mov   ebx, 0xffffffff                      ; -1
│  ╎╎  │    0x0800019c      sub   ecx, 0x3ffe
│  ╎╎  │    0x080001a2      mov   edi, ebx
│  ╎╎  │    0x080001a4      shr   edi, cl
│  ╎╎  │    0x080001a6      mov   ebx, dword [var_40h]
│  ╎╎  │    0x080001aa      test  ebx, edi
│  ╎╎  │    0x080001ac      mov   dword [var_8h], ebx
│ ────────< 0x080001b0      je    0x8000170
│  ╎╎  │    0x080001b2      fstp  st(1)
│  ╎╎  │    0x080001b4      fld   st(0)
│  ╎╎  │    0x080001b6      fstp  xword [esp + 0x30]
│  ╎╎  │    0x080001ba      cmp   byte [var_39h], 0
│  ╎╎  │╭─< 0x080001bf      js    0x8000240
│  ╎╎  ││   0x080001c1      cmp   eax, 0x1f                            ; 31
│  ╎╎ ╭───< 0x080001c4      je    0x80002f0
│  ╎╎ │││   0x080001ca      mov   ecx, 0x3f                            ; '?' ; 63
│  ╎╎ │││   0x080001cf      mov   ebx, 1
│  ╎╎ │││   0x080001d4      sub   ecx, eax
│  ╎╎ │││   0x080001d6      xor   eax, eax
│  ╎╎ │││   0x080001d8      shl   ebx, cl
│  ╎╎ │││   0x080001da      test  cl, 0x20                             ; 32
│  ╎╎ │││   0x080001dd      cmovne ebx, eax
│  ╎╎ │││   0x080001e0      mov   esi, ebx
│  ╎╎ │││   0x080001e2      add   esi, dword [var_8h]
│  ╎╎ │││   0x080001e6      mov   dword [var_c0h], esi
│  ╎╎╭────< 0x080001ed      jae   0x8000240
│  ╎╎││││   0x080001ef      fld   st(0)
│  ╎╎││││   0x080001f1      fstp  xword [esp + 0x10]
│  ╎╎││││   0x080001f5      xor   ecx, ecx
│  ╎╎││││   0x080001f7      mov   eax, dword [var_14h]
│  ╎╎││││   0x080001fb      add   eax, 1
│ ╭───────< 0x080001fe      jb    0x8000340
│ │╎╎││││   ; CODE XREF from ceill(long double) @ 0x8000345
│ ────────> 0x08000204      test  ecx, ecx
│ │╎╎││││   0x08000206      mov   dword [var_c4h], eax
│ ────────< 0x0800020d      je    0x8000240
│ │╎╎││││   0x0800020f      movzx eax, word [var_c8h]
│ │╎╎││││   0x08000217      add   ebp, 1
│ │╎╎││││   0x0800021a      mov   dword [var_c4h], 0x80000000          ; [0x80000000:4]=-1
│ │╎╎││││   0x08000225      and   bp, 0x7fff
│ │╎╎││││   0x0800022a      and   ax, 0x8000
│ │╎╎││││   0x0800022e      or    ebp, eax
│ │╎╎││││   0x08000230      mov   word [var_c8h], bp
│ │╎╎││││   0x08000238      nop
│ │╎╎││││   0x08000239      lea   esi, [esi]
│ │╎╎││││   ; CODE XREFS from ceill(long double) @ 0x80001bf, 0x80001ed, 0x800020d, 0x800030a, 0x800033b
│ ───╰──╰─> 0x08000240      fadd  qword [edx]                          ; RELOC 32 .LC2 @ 0x08000358
│ │╎╎ ││    0x08000246      fldz
│ │╎╎ ││    0x08000248      fxch  st(1)
│ │╎╎ ││    0x0800024a      fucomip st(1)
│ │╎╎ ││    0x0800024c      fstp  st(0)
│ │╰──────< 0x0800024e      jbe   0x800014f
│ │ ╎ ││    0x08000254      mov   eax, edi
│ │ ╎ ││    0x08000256      not   eax
│ │ ╎ ││    0x08000258      and   dword [var_c0h], eax
│ │ ╰─────< 0x0800025f      jmp   0x800014f
..
│ │   ││    ; CODE XREF from ceill(long double) @ 0x8000088
│ │   │╰──> 0x08000268      lea     esi, [esi]
│ │   │     0x0800026a      fadd  qword [edx]                          ; RELOC 32 .LC2 @ 0x08000358
│ │   │     0x08000270      fldz
│ │   │     0x08000272      fxch  st(1)
│ │   │     0x08000274      fucomip st(1)
│ │   │     0x08000276      fstp  st(0)
│ │   │ ╭─< 0x08000278      jbe   0x80002d8
│ │   │ │   0x0800027a      fld   st(0)
│ │   │ │   0x0800027c      fstp  xword [esp + 0xb0]
│ │   │ │   0x08000283      test  word [var_b8h], 0x7fff
│ │   │╭──< 0x0800028d      jne   0x80002b9
│ │   │││   0x0800028f      fld   st(0)
│ │   │││   0x08000291      fstp  xword [esp + 0xa0]
│ │   │││   0x08000298      mov   eax, dword [var_a4h]
│ │   │││   0x0800029f      fld   st(0)
│ │   │││   0x080002a1      fstp  xword [esp + 0x90]
│ │   │││   0x080002a8      or    eax, dword [var_90h]
│ │   │││   0x080002af      fld   st(0)
│ ────────< 0x080002b1      je    0x8000178
│ │   │││   0x080002b7      fstp  st(0)
│ │   │││   ; CODE XREF from ceill(long double) @ 0x800028d
│ │   │╰──> 0x080002b9      fstp  xword [esp + 0x80]
│ │   │ │   0x080002c0      cmp   byte [var_89h], 0
│ │   │╭──< 0x080002c8      js    0x80002e0
│ │   │││   0x080002ca      fld1
│ ────────< 0x080002cc      jmp   0x800017a
..
│ │   │││   ; CODE XREF from ceill(long double) @ 0x8000278
│ ──────╰─> 0x080002d8      lea     esi, [esi]
..
│ │   ││    ; CODE XREF from ceill(long double) @ 0x80002c8
│ │   │╰──> 0x080002e0      lea     esi, [esi]
│ │   │     0x080002e2      fchs
│ ────────< 0x080002e4      jmp   0x800017a
..
│ │   │     ; CODE XREF from ceill(long double) @ 0x80001c4
│ │   ╰───> 0x080002f0      lea     esi, [esi]
│ │         0x080002f2      fstp  xword [esp + 0x20]
│ │         0x080002f6      xor   ecx, ecx
│ │         0x080002f8      mov   eax, dword [var_24h]
│ │         0x080002fc      add   eax, 1
│ │     ╭─< 0x080002ff      jb    0x800034a
│ │     │   ; CODE XREF from ceill(long double) @ 0x800034f
│ │    ╭──> 0x08000301      test  ecx, ecx
│ │    ╎│   0x08000303      mov   dword [var_c4h], eax
│ ────────< 0x0800030a      je    .LC2
│ │    ╎│   0x08000310      add   ebp, 1
│ │    ╎│   0x08000313      mov   dword [var_c4h], 0x80000000          ; [0x80000000:4]=-1
│ │    ╎│   0x0800031e      mov   eax, ebp
│ │    ╎│   0x08000320      movzx ebp, word [var_c8h]
│ │    ╎│   0x08000328      and   ax, 0x7fff
│ │    ╎│   0x0800032c      and   bp, 0x8000
│ │    ╎│   0x08000331      or    ebp, eax
│ │    ╎│   0x08000333      mov   word [var_c8h], bp
│ ────────< 0x0800033b      jmp   .LC2
│ │    ╎│   ; CODE XREF from ceill(long double) @ 0x80001fe
│ ╰───────> 0x08000340      mov   ecx, 1
│ ────────< 0x08000345      jmp   0x8000204
│      ╎│   ; CODE XREF from ceill(long double) @ 0x80002ff
│      ╎╰─> 0x0800034a      mov   ecx, 1
╰      ╰──< 0x0800034f      jmp   0x8000301
[0x08000040]> pdg

Then it gets stuck forever.

s_ceill.c-gcc-x86-O2.o.zip

Third case

[i] ℤ rizin sv_bot.c-gcc-x64-O1.o
Warning: run rizin with -e io.cache=true to fix relocations in disassembly
 -- You can redefine descriptive commands in the hud file and using the 'V_' command.
[0x08000040]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.BotImport_Print
[0x08000739]> pdf
            ; DATA XREF from sym.SV_BotInitBotLib @ 0x8000dad
╭ sym.BotImport_Print (int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6, int64_t arg7, int64_t arg8, int64_t arg9, int64_t arg10, int64_t arg11, int64_t arg_8e0h);
│           ; var int64_t var_8h @ rsp+0x8
│           ; var int64_t var_ch @ rsp+0xc
│           ; var int64_t var_10h @ rsp+0x10
│           ; var int64_t var_18h @ rsp+0x18
│           ; var int64_t var_20h @ rsp+0x20
│           ; var int64_t var_820h @ rsp+0x820
│           ; var int64_t var_830h @ rsp+0x830
│           ; var int64_t var_838h @ rsp+0x838
│           ; var int64_t var_840h @ rsp+0x840
│           ; var int64_t var_848h @ rsp+0x848
│           ; var int64_t var_850h @ rsp+0x850
│           ; var int64_t var_860h @ rsp+0x860
│           ; var int64_t var_870h @ rsp+0x870
│           ; var int64_t var_880h @ rsp+0x880
│           ; var int64_t var_890h @ rsp+0x890
│           ; var int64_t var_8a0h @ rsp+0x8a0
│           ; var int64_t var_8b0h @ rsp+0x8b0
│           ; var int64_t var_8c0h @ rsp+0x8c0
│           ; arg int64_t arg_8e0h @ rsp+0x8e0
│           ; arg int64_t arg1 @ rdi
│           ; arg int64_t arg2 @ rsi
│           ; arg int64_t arg3 @ rdx
│           ; arg int64_t arg4 @ rcx
│           ; arg int64_t arg5 @ r8
│           ; arg int64_t arg6 @ r9
│           ; arg int64_t arg7 @ xmm0
│           ; arg int64_t arg8 @ xmm1
│           ; arg int64_t arg9 @ xmm2
│           ; arg int64_t arg10 @ xmm3
│           ; arg int64_t arg11 @ xmm4
│           0x08000739      push  rbx
│           0x0800073a      sub   rsp, 0x8d0
│           0x08000741      mov   ebx, edi                             ; arg1
│           0x08000743      mov   qword [var_830h], rdx                ; arg3
│           0x0800074b      mov   qword [var_838h], rcx                ; arg4
│           0x08000753      mov   qword [var_840h], r8                 ; arg5
│           0x0800075b      mov   qword [var_848h], r9                 ; arg6
│           0x08000763      test  al, al
│       ╭─< 0x08000765      je    0x80007a7
│       │   0x08000767      movaps xmmword [var_850h], xmm0            ; arg7
│       │   0x0800076f      movaps xmmword [var_860h], xmm1            ; arg8
│       │   0x08000777      movaps xmmword [var_870h], xmm2            ; arg9
│       │   0x0800077f      movaps xmmword [var_880h], xmm3            ; arg10
│       │   0x08000787      movaps xmmword [var_890h], xmm4            ; arg11
│       │   0x0800078f      movaps xmmword [var_8a0h], xmm5
│       │   0x08000797      movaps xmmword [var_8b0h], xmm6
│       │   0x0800079f      movaps xmmword [var_8c0h], xmm7
│       │   ; CODE XREF from sym.BotImport_Print @ 0x8000765
│       ╰─> 0x080007a7      mov   dword [var_8h], 0x10                 ; [0x10:4]=-1 ; 16
│           0x080007af      mov   dword [var_ch], 0x30                 ; '0'
│                                                                      ; [0x30:4]=-1 ; 48
│           0x080007b7      lea   rax, [arg_8e0h]
│           0x080007bf      mov   qword [var_10h], rax
│           0x080007c4      lea   rax, [var_820h]
│           0x080007cc      mov   qword [var_18h], rax
│           0x080007d1      lea   rdi, [var_20h]
│           0x080007d6      lea   r9, [var_8h]
│           0x080007db      mov   r8, rsi                              ; arg2
│           0x080007de      mov   ecx, 0x800                           ; 2048
│           0x080007e3      mov   edx, 1
│           0x080007e8      mov   esi, 0x800                           ; 2048
│           0x080007ed      call  __vsnprintf_chk                      ; RELOC 32 __vsnprintf_chk
│           ; CALL XREF from sym.BotImport_Print @ 0x80007ed
│           0x080007f2      cmp   ebx, 5                               ; 5
│       ╭─< 0x080007f5      ja    .LC12
│       │   0x080007fb      mov   ebx, ebx
│       │   0x080007fd      lea   rdx, [0x08000804]                    ; RELOC 32 .rodata @ 0x080011c0 - 0x8000804
│       │   ; DATA XREF from sym.BotImport_Print @ 0x80007fd
│       │   0x08000804      movsxd rax, dword [rdx + rbx*4]
│       │   0x08000808      add   rax, rdx
│       │   0x0800080b      jmp   rax
..
        │   ; DATA XREF from reloc..rodata @ +0x12
│       │   ; CALL XREF from reloc..LC7 @ +0x9
│       │   ; CODE XREF from reloc..LC8 @ +0xe
│       │   ; CODE XREF from reloc..LC9 @ +0xe
│       │   ; CODE XREF from reloc..LC10 @ +0xe
│       │   ; CODE XREF from sym.BotImport_Print @ 0x80008a0
│   ╭╭╭╭──> 0x08000823      lea           rsi, [rsp + 0x20]
│   ╎╎╎╎│   0x0800082a      pop   rbx
│   ╎╎╎╎│   0x0800082b      ret
..
    ╎╎╎╎│   ; DATA XREF from reloc..LC7 @ +0x1c
    │╎╎╎│   ; CALL XREF from reloc..LC8 @ +0x9
     ╎╎╎│   ; DATA XREF from reloc..LC8 @ +0x15
     │╎╎│   ; CALL XREF from reloc..LC9 @ +0x9
      ╎╎│   ; DATA XREF from reloc..LC9 @ +0x15
      │╎│   ; CALL XREF from reloc..LC10 @ +0x9
       ╎│   ; DATA XREF from reloc..LC10 @ +0x15
│      ╎│   ; CODE XREF from sym.BotImport_Print @ 0x80007f5
│      ╎│   ; CALL XREF from reloc..LC11 @ +0xe
│      ╎╰─> 0x0800088f      lea                                           rsi, [rsp + 0x20] ; 0x8000896; RELOC 32 .LC12 @ 0x0800109e - 0x8000896
│      ╎    ; DATA XREF from sym.BotImport_Print @ 0x800088f
│      ╎    0x08000896      mov   eax, 0
│      ╎    0x0800089b      call  Com_Printf                           ; RELOC 32 Com_Printf
│      │    ; CALL XREF from sym.BotImport_Print @ 0x800089b
╰      ╰──< 0x080008a0      jmp   0x8000823
[0x08000739]> pdg

Then it gets stuck forever.

sv_bot.c-gcc-x64-O1.o.zip

@XVilka XVilka added bug Something isn't working test-attached labels Mar 11, 2021

XVilka commented Mar 16, 2021

Also happens on filetime.c-clang-x64-O0.o:

i] ℤ rizin filetime.c-clang-x64-O0.o                                                                                                                                                                                             12:03:55 
Warning: run rizin with -e io.cache=true to fix relocations in disassembly
 -- Setup dbg.fpregs to true to visualize the fpu registers in the debugger view.
[0x08000040]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[Fail to load 32 bytes of data at 0x08000820
Fail to load 32 bytes of data at 0x0800080e
Fail to load 32 bytes of data at 0x08000811
Fail to load 32 bytes of data at 0x0800081c
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08000040]> s sym.showVersion
[0x08000610]> pdf
            ; CALL XREF from sym.main @ 0x80000b0
╭ sym.showVersion ();
│           0x08000610      push  rbp
│           0x08000611      mov   rbp, rsp
│           0x08000614      mov   edi, 1
│           0x08000619      movabs rsi, 0                              ; RELOC 64 .rodata.str1.1 @ 0x08000636 + 0xd1
│           0x08000623      mov   eax, 0x11d                           ; 285
│           0x08000628      mov   edx, eax
│           0x0800062a      call  sym.Vwrite
│           0x0800062f      xor   edi, edi
╰           0x08000631      call  exit                                 ; RELOC 32 exit
[0x08000610]> pdg
zsh: terminated  rizin filetime.c-clang-x64-O0.o

filetime.c-clang-x64-O0.o.zip


First and second case (harp-utils.c-gcc-arm64-O0.o, s_ceill.c-gcc-x86-O2.o): both of these also happen in (Java) Ghidra itself, so please report them there primarily.
Third and fourth case (sv_bot.c-gcc-x64-O1.o, filetime.c-clang-x64-O0.o): these only happen in rz-ghidra, but both are quite deep in the Ghidra code, so it is not yet clear where the issue is.


XVilka commented Mar 17, 2021

@thestr4ng3r I opened a bug for the first two, then: NationalSecurityAgency/ghidra#2851

thestr4ng3r added a commit that referenced this issue Apr 5, 2021

The first two are fixed by NationalSecurityAgency/ghidra@636102a; the second two are still present.

thestr4ng3r added a commit that referenced this issue Apr 5, 2021
thestr4ng3r added a commit that referenced this issue Apr 5, 2021

XVilka commented Jan 23, 2023

s_ceil

Was fixed:

[0x08000040]> pdg

// WARNING: Could not reconcile some variable overlaps

unkfloat10 sym.ceill_long_double(unkfloat10 param_1)
{
    uint8_t uVar1;
    uint8_t uVar2;
    uint32_t uVar3;
    int32_t extraout_EDX;
    double *pdVar4;
    uint16_t uVar5;
    uint32_t uVar6;
    int32_t iVar7;
    unkfloat10 Var8;
    int32_t var_f4h;
    int32_t var_f0h;
    int32_t var_e8h;
    int32_t var_d8h;
    int32_t var_c3h;
    int32_t var_bch;
    int32_t var_a3h;
    int32_t var_9ch;
    int32_t var_88h;
    int32_t var_73h;
    int32_t var_6ch;
    int32_t var_58h;
    int32_t var_44h;
    int32_t var_3ch;
    int32_t var_38h;
    int32_t var_34h;
    
    // [02] -r-x section size 785 named .text
    // ceill(long double)
    sym.__x86.get_pc_thunk.dx();
    pdVar4 = (double *)(extraout_EDX + 2);
    _var_3ch = param_1;
    var_34h._0_2_ = (uint16_t)((unkuint10)param_1 >> 0x40);
    uVar5 = (uint16_t)var_34h & 0x7fff;
    iVar7 = uVar5 - 0x3fff;
    var_3ch = SUB104(param_1, 0);
    var_88h = (int32_t)((unkuint10)param_1 >> 0x20);
    if (iVar7 < 0x1f) {
        if (iVar7 < 0) {
            if (((unkfloat10)0 < param_1 + (unkfloat10)*pdVar4) &&
               ((((unkuint10)param_1 & 0x7fff) != 0 || ((var_88h | var_3ch) != 0)))) {
                if ((unkint10)param_1 < 0) {
                    param_1 = -(unkfloat10)0;
                } else {
                    param_1 = (unkfloat10)1;
                }
            }
        } else {
            uVar3 = uVar5 - 0x3ffe;
            uVar1 = (uint8_t)uVar3;
            uVar2 = uVar1 & 0x1f;
            uVar6 = 0xffffffffU >> uVar2 | 0 << 0x20 - uVar2;
            if ((uVar3 & 0x20) != 0) {
                uVar6 = 0 >> (uVar1 & 0x1f);
            }
            if ((uVar6 & var_88h | var_3ch) != 0) {
                if (-1 < (unkint10)param_1) {
                    uVar2 = 0x1f - (char)iVar7;
                    uVar6 = 1 << (uVar2 & 0x1f);
                    if ((uVar2 & 0x20) != 0) {
                        uVar6 = 0;
                    }
                    _var_3ch = (uint64_t)(uint32_t)var_3ch;
                    if (CARRY4(uVar6, var_88h)) {
                        _var_3ch = (unkfloat10)
                                   (CONCAT28((uint16_t)var_34h & 0x8000 | uVar5 + 1 & 0x7fff, 
                                             (uint64_t)(uint32_t)var_3ch) | 0x8000000000000000);
                    }
                }
                Var8 = param_1 + (unkfloat10)*pdVar4;
                param_1 = _var_3ch;
                if ((unkfloat10)0 < Var8) {
                    _var_3ch = (unkfloat10)((unkuint10)_var_3ch & 0xffffffff00000000);
                    param_1 = _var_3ch;
                }
            }
        }
    } else if ((iVar7 < 0x3f) && (uVar6 = 0xffffffff >> ((char)uVar5 + 2U & 0x1f), (var_3ch & uVar6) != 0)) {
        if (-1 < (unkint10)param_1) {
            if (iVar7 == 0x1f) {
                _var_3ch = CONCAT44(var_88h + 1, var_3ch);
                if (0xfffffffe < (uint32_t)var_88h) {
                    _var_3ch = CONCAT44(0x80000000, var_3ch);
                    _var_3ch = (unkfloat10)CONCAT28((uint16_t)var_34h & 0x8000 | uVar5 + 1 & 0x7fff, _var_3ch);
                }
            } else {
                uVar3 = 1 << ((uint8_t)(0x3fU - iVar7) & 0x1f);
                if ((0x3fU - iVar7 & 0x20) != 0) {
                    uVar3 = 0;
                }
                iVar7 = uVar3 + var_3ch;
                _var_38h = (unkbyte6)((unkuint10)param_1 >> 0x20);
                _var_3ch = (unkfloat10)CONCAT64(_var_38h, iVar7);
                if (CARRY4(uVar3, var_3ch)) {
                    _var_3ch = CONCAT44(var_88h + 1, iVar7);
                    if (0xfffffffe < (uint32_t)var_88h) {
                        _var_3ch = CONCAT44(0x80000000, iVar7);
                        _var_3ch = (unkfloat10)CONCAT28(uVar5 + 1 & 0x7fff | (uint16_t)var_34h & 0x8000, _var_3ch);
                    }
                }
            }
        }
        Var8 = param_1 + (unkfloat10)*pdVar4;
        param_1 = _var_3ch;
        if ((unkfloat10)0 < Var8) {
            _var_3ch = (unkfloat10)CONCAT64(_var_38h, var_3ch & ~uVar6);
            param_1 = _var_3ch;
        }
    }
    return param_1;
}
[0x08000040]> 


XVilka commented Jan 23, 2023

sv_bot

Was fixed:

[0x08000739]> pdg

// WARNING: Could not reconcile some variable overlaps
// WARNING: [rz-ghidra] Detected overlap for variable var_8cch
// WARNING: [rz-ghidra] Detected overlap for variable var_8c8h
// WARNING: [rz-ghidra] Removing arg arg_858h because it doesn't fit into ProtoModel

void sym.BotImport_Print(int64_t arg7, int64_t arg8, int64_t arg9, int64_t arg10, int64_t arg11,
                        undefined8 placeholder_5, undefined8 placeholder_6, undefined8 placeholder_7, int64_t arg1,
                        int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6, int64_t arg_8h)
{
    char in_AL;
    undefined8 in_XMM0_Qb;
    undefined8 in_XMM1_Qb;
    undefined8 in_XMM2_Qb;
    undefined8 in_XMM3_Qb;
    undefined8 in_XMM4_Qb;
    undefined8 in_XMM5_Qb;
    undefined8 in_XMM6_Qb;
    undefined8 in_XMM7_Qb;
    int64_t var_8d0h;
    int64_t *var_8c8h;
    int64_t var_8c0h;
    int64_t var_8b8h;
    int64_t var_b8h;
    int64_t var_a8h;
    int64_t var_a0h;
    int64_t var_98h;
    int64_t var_90h;
    undefined auStack136 [16];
    int64_t var_78h;
    int64_t var_68h;
    int64_t var_58h;
    int64_t var_48h;
    int64_t var_38h;
    int64_t var_28h;
    int64_t var_18h;
    
    if (in_AL != '\0') {
        auStack136 = CONCAT88(in_XMM0_Qb, arg7);
        _var_78h = CONCAT88(in_XMM1_Qb, arg8);
        _var_68h = CONCAT88(in_XMM2_Qb, arg9);
        _var_58h = CONCAT88(in_XMM3_Qb, arg10);
        _var_48h = CONCAT88(in_XMM4_Qb, arg11);
        _var_38h = CONCAT88(in_XMM5_Qb, placeholder_5);
        _var_28h = CONCAT88(in_XMM6_Qb, placeholder_6);
        _var_18h = CONCAT88(in_XMM7_Qb, placeholder_7);
    }
    var_8d0h._0_4_ = 0x10;
    var_8d0h._4_4_ = 0x30;
    var_8c8h = &arg_8h;
    var_8c0h = (int64_t)&var_b8h;
    var_a8h = arg3;
    var_a0h = arg4;
    var_98h = arg5;
    var_90h = arg6;
    __vsnprintf_chk(&var_8b8h, 0x800, 1, 0x800, arg2, &var_8d0h);
    // switch table (6 cases) at 0x80011c0
    switch(arg1 & 0xffffffff) {
    case 1:
        Com_Printf(reloc.target..LC7, &var_8b8h);
        break;
    case 2:
        Com_Printf("^3Warning: %s", &var_8b8h);
        break;
    case 3:
        Com_Printf("^1Error: %s", &var_8b8h);
        break;
    case 4:
        Com_Printf("^1Fatal: %s", &var_8b8h);
        break;
    case 5:
        Com_Error(1, "^1Exit: %s", &var_8b8h);
    default:
        Com_Printf("unknown print type\n");
    }
    return;
}
[0x08000739]> 


XVilka commented Jan 23, 2023

The only remaining one is the filetime case.
