radareorg/radare2
Base addresses not setting properly on PIE enabled binaries
Open
#9051 opened on 2017-12-19
Labels: RBin, good first issue
Description
radare2 2.2.0-git 16757 @ linux-x86-64 git.2.1.0-173-gf06a360
commit: f06a36097e7a310dbbc2ccd08f790119c31e100b build: 2017-12-19__18:44:21
While setting the base address with the -B switch in r2, it loads the base address fine.
└─▪ radare2 -B 0x40000000 funmail
-- The '?' command can be used to evaluate math expressions. Like this: '? (0x34+22)*4'
[0x40000540]> ij~{bin.pic}
true
[0x40000540]>
But not when the -e flag is set, even after reloading the binary.
└─▪ radare2 -e "bin.baddr=0x40000000" funmail
-- Setup dbg.fpregs to true to visualize the fpu registers in the debugger view.
[0x00000540]> ij~{bin.pic}
true
[0x00000540]> oo
[0x00000540]>
The same applies to setting bin.baddr from the console:
└─▪ radare2 funmail
-- Use scr.accel to browse the file faster!
[0x00000540]> e bin.baddr = 0x40000000
[0x00000540]> oo
[0x00000540]>
Additionally: after the binary is loaded with -B and debugged, the base address gets thrown off.
└─▪ radare2 -B 0x40000000 funmail
-- The more 'a' you add after 'aa' the more analysis steps are executed.
[0x40000540]> doo
Process with PID 11052 started...
File dbg:///vagrant/tuctf/rev/funmail reopened in read-write mode
= attach 11052 11052
WARNING: bin_strings buffer is too big (0xffffffffa99de26c). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xffffffffa99dcf44). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
11052
[0xf77d1a20]> dcu main
Continue until 0x56624b27 using 1 bpsize
hit breakpoint at: 56624b27
[0x56624b27]> s main
[0x56624b27]> pd 4
;-- main:
;-- main:
;-- eip:
0x56624b27 8d4c2404 lea ecx, esp + 4 ; 4
0x56624b2b 83e4f0 and esp, 0xfffffff0
0x56624b2e ff71fc push dword [ecx - 4]
0x56624b31 55 push ebp
[0x56624b27]> ij~{bin.pic}
true
[0x56624b27]>
The above is consistent with setting the base address with bin.baddr as well.
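To make the expected behaviour concrete, here is an added example (not code from the radare2 project or from this issue) that parses an ELF header, decides whether the binary is PIE (ET_DYN, which is what `ij~{bin.pic}` reports as `true`), and computes where the entry point should land once a base address is applied. The sample header is constructed inline with the entry 0x540 seen in the issue, so it reproduces the 0x40000540 versus 0x00000540 comparison without needing the funmail binary.

```python
"""Added example: ELF header parsing and PIE rebasing, independent of r2."""
import struct
from typing import Optional

ET_EXEC, ET_DYN = 2, 3  # fixed-position executable vs PIE / shared object


def parse_elf_header(data: bytes) -> dict:
    """Return PIE flag, class and e_entry from a raw ELF header (ELF32 or ELF64)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    # e_entry sits at offset 24 in both classes; only its width differs
    e_entry = struct.unpack_from(endian + ("Q" if is64 else "I"), data, 24)[0]
    return {"pic": e_type == ET_DYN, "is64": is64, "entry": e_entry}


def rebased_entry(header: dict, baddr: Optional[int]) -> int:
    """Entry address a loader should report: PIE binaries get baddr added,
    ET_EXEC binaries keep their link-time entry regardless of baddr."""
    if header["pic"] and baddr is not None:
        return baddr + header["entry"]
    return header["entry"]


def baddr_applied(reported: int, header: dict, baddr: int) -> bool:
    """Check an address printed at the r2 prompt against the expected rebase
    (the issue's symptom is 0x00000540 where 0x40000540 was expected)."""
    return reported == rebased_entry(header, baddr)


def make_elf32_header(e_type: int, e_entry: int) -> bytes:
    """Constructed sample: 52-byte little-endian ELF32 header for i386 with
    the given type and entry; all other fields zero except e_ehsize."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, e_entry,
                               0, 0, 0, 52, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    hdr = parse_elf_header(make_elf32_header(ET_DYN, 0x540))
    print(hex(rebased_entry(hdr, 0x40000000)))    # 0x40000540
    print(baddr_applied(0x540, hdr, 0x40000000))  # False
```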