cmatthewbrooks/r2kit

Some feedback

Closed this issue · 4 comments

If the binary wasn't previously analyzed, an exception is thrown:

[0x0001691c]> [22:08 edu@localhost armeabi-v7a] > r2 libtarget.so
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.3.0)
 -- Hold on, this should never happen!
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
p: Cannot find function at 0x0000cb00
Traceback (most recent call last):
  File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
    rule.create(args.name,args.author)
  File "/home/edu/r2scripts/functoyara.py", line 64, in create
    rule = self.create_rule(name,author)
  File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
    rule += '            ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
  File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
    return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range

Perhaps you can count the number of functions with aflc. If this is bigger than 0, then it was analyzed.

After analysis, the script aborts the radare2 session:

[0x0000cb00]> aaa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[Value from 0x00000000 to 0x0004b2bc
aav: 0x00000000-0x0004b2bc in 0x0-0x4b2bc
aav: 0x00000000-0x0004b2bc in 0x4d120-0x64b3c
Value from 0x0004d120 to 0x00064b3c
aav: 0x0004d120-0x00064b3c in 0x0-0x4b2bc
aav: 0x0004d120-0x00064b3c in 0x4d120-0x64b3c
[x] Analyze len bytes of instructions for references (aar)
[ WARNING : block size exceeding max block size at 0x0000fca0
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00011288
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00013330
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x0003c8f8
[+] Try changing it with e anal.bb.maxsize
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Cannot open ttyname(0) (null)
sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 24
[0x0000cb00]> [22:10 edu@localhost armeabi-v7a] >

If the binary isn't analyzed, or if I perform analysis with aaa, the radare2 session is aborted.

However, if I perform analysis with only aa, the script works as intended:

[0x0000cb00]> aa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x0000cb00]> s sym.JNI_OnLoad
[0x0001691c]> #!pipe python /home/edu/r2scripts/functoyara.py -n rule -a edu
rule rule {

    meta:

        author = "edu"
        file = "xxxxxxx.so"

    strings:

        // 2de9f04f        push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}
        // adf66c6d        subw sp, sp, 0xe6c
        // dff808ac        ldr.w sl, [pc, 0xc08]
        // 0021            movs r1, 0
        // dff8083c        ldr.w r3, [pc, 0xc08]
        // fa44            add sl, pc
        // 0e90            str r0, [sp, 0x38]
        // 5af80320        ldr.w r2, [sl, r3]

It would be great to give the chance to fingerprint from the current offset, providing an input argument with a size, to create Yara rules of size bytes or instructions. If I get some time, I could implement it too. It shouldn't take too much effort. Anyhow, thanks for the script.

[22:58 edu@xxxxx tmp] > r2 classes.dex
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.4.0-git)
 -- Use '-e bin.strings=false' to disable automatic string search when loading the binary.
[0x00000628]> ic
0x00000344 [0x00000628 - 0x00000d98] (sz 1904) class 0 Lo/QC$a super: Ljava/lang/ClassLoader;
0x00000628 method 0 sC   Lo/QC$a.method.<clinit>()V
0x00000744 method 1 C    Lo/QC$a.method.<init>(Ljava/lang/Object;)V
0x00000788 method 2 sp   Lo/QC$a.method.f()Ljava/lang/Object;
0x00000d48 method 3 sP   Lo/QC$a.method.j(IBB)Ljava/lang/String;
0x0000076c method 4      Lo/QC$a.method.f(Ljava/lang/String;)Ljava/lang/Class;
0x00000b3c method 5 r    Lo/QC$a.method.findClass(Ljava/lang/String;)Ljava/lang/Class;
0x00000d20 method 6 r    Lo/QC$a.method.findLibrary(Ljava/lang/String;)Ljava/lang/String;

[0x00000628]> s 0x00000d20
[0x00000d20]> pd 5
            ;-- Lo/QC$a.method.findLibrary(Ljava/lang/String;)Ljava/lang/String;:
            ;-- method.protected.Lo_QC_a.Lo_QC_a.method.findLibrary_Ljava_lang_String__Ljava_lang_String:
            0x00000d20      1c000d00       const-class v0, Lo/QC$a;
            0x00000d24      6e1001000000   invoke-virtual {v0}, Ljava/lang/Class.getClassLoader()Ljava/lang/ClassLoader; ; 0x1
            0x00000d2a      0c00           move-result-object v0
            0x00000d2c      6e2006002000   invoke-virtual {v0, v2}, Ljava/lang/ClassLoader.findLibrary(Ljava/lang/String;)Ljava/lang/String; ; 0x6
            0x00000d32      0c00           move-result-object v0
[0x00000d20]> #!pipe python /home/edu/r2scripts/functoyara.py -n dex -a Edu
p: Cannot find function at 0x00000d20
Traceback (most recent call last):
  File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
    rule.create(args.name,args.author)
  File "/home/edu/r2scripts/functoyara.py", line 64, in create
    rule = self.create_rule(name,author)
  File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
    rule += '            ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
  File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
    return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range
[0x00000d20]> 

Nice feedback - thanks. Error handling could likely be improved across the board as my testing was limited to my workflow.

I added analysis checks using aflc into multiple parts of these scripts. I split out the offset/size request into a separate issue in #8. I'm closing this out for now.
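Two things in this thread lend themselves to a worked example: the `aflc` pre-check that avoids the `IndexError` on `sigj[0]` when the binary has not been analyzed, and the requested "fingerprint from the current offset for N bytes or N instructions" mode. The script below is an added example written for this page, not r2kit's own code. It operates on pre-captured r2 JSON so it runs without radare2 installed: the `aflc` counts, the `pdj`-style records and the `zj`-style signature entry are constructed here (bytes and opcodes copied from the posted rule, offsets derived from the posted start `0x0001691c` and the Thumb instruction sizes), the `.`-means-masked-nibble convention follows what `functoyara.py` does on this page, and the `$code` string name and `condition` block are assumptions because the posted rule output is cut off before them.

```python
import re

# --- constructed sample data (assumed, not captured from r2kit) -------------
AFLC_BEFORE = "0\n"      # what `aflc` prints before `aa`/`aaa`
AFLC_AFTER = "312\n"     # an assumed function count after analysis

# pdj-style records for the JNI_OnLoad prologue shown in the issue.
PDJ_SAMPLE = [
    {"offset": 0x1691c, "bytes": "2de9f04f", "opcode": "push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}"},
    {"offset": 0x16920, "bytes": "adf66c6d", "opcode": "subw sp, sp, 0xe6c"},
    {"offset": 0x16924, "bytes": "dff808ac", "opcode": "ldr.w sl, [pc, 0xc08]"},
    {"offset": 0x16928, "bytes": "0021",     "opcode": "movs r1, 0"},
    {"offset": 0x1692a, "bytes": "dff8083c", "opcode": "ldr.w r3, [pc, 0xc08]"},
    {"offset": 0x1692e, "bytes": "fa44",     "opcode": "add sl, pc"},
    {"offset": 0x16930, "bytes": "0e90",     "opcode": "str r0, [sp, 0x38]"},
    {"offset": 0x16932, "bytes": "5af80320", "opcode": "ldr.w r2, [sl, r3]"},
]

# zj-style entry in the shape functoyara.py indexes: '.' marks a masked nibble.
SIGJ_SAMPLE = [{"name": "sym.JNI_OnLoad", "bytes": "2de9f04fadf66c6ddff8..ac"}]


def ensure_analyzed(aflc_output):
    """`aflc` prints the number of analysed functions; 0 means neither `aa`
    nor `aaa` has run, the state that produced the IndexError on sigj[0]."""
    count = int(aflc_output.strip() or "0")
    if count == 0:
        raise RuntimeError("binary not analysed: run `aa` (or `aaa`) first")
    return count


def signature_to_hex(sigj):
    """YARA hex string from the first signature entry. A masked nibble '.'
    becomes '?', the same conversion the original script performs."""
    if not sigj:
        raise RuntimeError("no signature at current offset (is it a function start?)")
    raw = sigj[0]["bytes"]
    if len(raw) % 2:
        raise ValueError("odd-length signature")
    return " ".join(raw[i:i + 2].replace(".", "?") for i in range(0, len(raw), 2))


PC_REF = re.compile(r"\bpc\b")


def select_instructions(pdj, limit, unit="bytes"):
    """Instructions from the current offset up to `limit` bytes or `limit`
    instructions: the offset/size mode requested in this thread."""
    if unit not in ("bytes", "instructions"):
        raise ValueError("unit must be 'bytes' or 'instructions'")
    chosen, total = [], 0
    for ins in pdj:
        size = len(ins["bytes"]) // 2
        if unit == "bytes" and total + size > limit:
            break
        if unit == "instructions" and len(chosen) >= limit:
            break
        chosen.append(ins)
        total += size
    if not chosen:
        raise ValueError("limit too small to cover one instruction")
    return chosen


def instructions_to_hex(instructions, mask_pc_relative=True):
    """Raw bytes per instruction, space separated. Instructions that mention
    pc (literal-pool loads, `add Rd, pc`) are wildcarded whole: conservative,
    but their encoded distances change whenever the binary is relaid out."""
    parts = []
    for ins in instructions:
        raw = ins["bytes"]
        pairs = [raw[i:i + 2] for i in range(0, len(raw), 2)]
        if mask_pc_relative and PC_REF.search(ins["opcode"]):
            pairs = ["??"] * len(pairs)
        parts.extend(pairs)
    return " ".join(parts)


def render_rule(name, author, filename, comments, hex_string):
    """Layout as in the issue's output; `$code` and the condition are assumed."""
    lines = ["rule %s {" % name, "", "    meta:", "",
             '        author = "%s"' % author,
             '        file = "%s"' % filename, "", "    strings:", ""]
    lines += ["        // %-16s%s" % (b, op) for b, op in comments]
    lines += ["", "        $code = { %s }" % hex_string, "",
              "    condition:", "", "        $code", "}"]
    return "\n".join(lines)


def rule_from_function(name, author, filename, aflc_output, sigj, pdj):
    """Function mode: refuse to run on an unanalysed binary, then use the signature."""
    ensure_analyzed(aflc_output)
    comments = [(i["bytes"], i["opcode"]) for i in pdj]
    return render_rule(name, author, filename, comments, signature_to_hex(sigj))


def rule_from_offset(name, author, filename, pdj, limit, unit="bytes"):
    """Offset mode: needs only disassembly, so it works before `aa` has run."""
    chosen = select_instructions(pdj, limit, unit)
    comments = [(i["bytes"], i["opcode"]) for i in chosen]
    return render_rule(name, author, filename, comments, instructions_to_hex(chosen))


if __name__ == "__main__":
    print(rule_from_function("rule", "edu", "libtarget.so", AFLC_AFTER, SIGJ_SAMPLE, PDJ_SAMPLE))
    print(rule_from_offset("prologue", "edu", "libtarget.so", PDJ_SAMPLE, 12, "bytes"))
```

In a real r2pipe session the three inputs would come from `r2.cmd("aflc")`, `r2.cmdj("zj")` and `r2.cmdj("pdj N")`; the point of the split is that the offset mode only depends on `pd`, which radare2 can produce without any analysis, so it sidesteps the failure mode reported at the top of this issue instead of merely reporting it better.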