Some feedback
Closed this issue · 4 comments
If the binary wasn't previously analyzed, an exception is thrown:
[0x0001691c]> [22:08 edu@localhost armeabi-v7a] > r2 libtarget.so
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.3.0)
-- Hold on, this should never happen!
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
p: Cannot find function at 0x0000cb00
Traceback (most recent call last):
File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
rule.create(args.name,args.author)
File "/home/edu/r2scripts/functoyara.py", line 64, in create
rule = self.create_rule(name,author)
File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
rule += ' ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range
Perhaps you can count the number of functions with aflc. If this is bigger than 0, then it was analyzed.
After analysis, the script aborts the radare2 session:
[0x0000cb00]> aaa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[Value from 0x00000000 to 0x0004b2bc
aav: 0x00000000-0x0004b2bc in 0x0-0x4b2bc
aav: 0x00000000-0x0004b2bc in 0x4d120-0x64b3c
Value from 0x0004d120 to 0x00064b3c
aav: 0x0004d120-0x00064b3c in 0x0-0x4b2bc
aav: 0x0004d120-0x00064b3c in 0x4d120-0x64b3c
[x] Analyze len bytes of instructions for references (aar)
[ WARNING : block size exceeding max block size at 0x0000fca0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00011288
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00013330
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0003c8f8
[+] Try changing it with e anal.bb.maxsize
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Cannot open ttyname(0) (null)
sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 24
[0x0000cb00]> [22:10 edu@localhost armeabi-v7a] >
If the binary isn't analyzed, or if I perform analysis with aaa, the radare2 session is aborted.
However, if I perform analysis with only aa, the script works as intended:
0000cb00]> aa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x0000cb00]> s sym.JNI_OnLoad
[0x0001691c]> #!pipe python /home/edu/r2scripts/functoyara.py -n rule -a edu
rule rule {
meta:
author = "edu"
file = "xxxxxxx.so"
strings:
// 2de9f04f push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}
// adf66c6d subw sp, sp, 0xe6c
// dff808ac ldr.w sl, [pc, 0xc08]
// 0021 movs r1, 0
// dff8083c ldr.w r3, [pc, 0xc08]
// fa44 add sl, pc
// 0e90 str r0, [sp, 0x38]
// 5af80320 ldr.w r2, [sl, r3]
It would be great to have the option to fingerprint from the current offset, providing an input argument with a size, to create Yara rules of size bytes or instructions. If I get some time, I could implement it too. It shouldn't take too much effort. Anyhow, thanks for the script.
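The two failure modes above (an IndexError when nothing was analyzed, and a crash when there is no function at the seek address) and the "fingerprint N bytes from the current offset" request can all be handled in a few helper functions. The following is an added example written for this thread; it is not the functoyara.py script from the repository. It operates on the text that radare2 commands print so it runs offline on constructed samples: in a live r2pipe session you would feed it `r2.cmd('aflc')` (the count check suggested in the issue), `r2.cmd('pdfj')` and `r2.cmd('p8 <size>')`. The sample `pdfj` JSON is constructed here with only the fields the code uses; the instruction bytes are the JNI_OnLoad prologue shown in the session output.

```python
import json

# Constructed samples of what `aflc` prints: the number of functions found.
AFLC_BEFORE_ANALYSIS = "0\n"
AFLC_AFTER_ANALYSIS = "57\n"

# Constructed `pdfj` output, shaped like r2's JSON but trimmed to the fields used here.
PDFJ_SAMPLE = json.dumps({
    "name": "sym.JNI_OnLoad",
    "ops": [
        {"bytes": "2de9f04f", "opcode": "push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}"},
        {"bytes": "adf66c6d", "opcode": "subw sp, sp, 0xe6c"},
        {"bytes": "dff808ac", "opcode": "ldr.w sl, [pc, 0xc08]"},
        {"bytes": "0021", "opcode": "movs r1, 0"},
    ],
})


def is_analyzed(aflc_output):
    """True when `aflc` reports at least one function; the check the issue suggests."""
    try:
        return int(aflc_output.strip() or "0") > 0
    except ValueError:  # r2 printed an error line instead of a number
        return False


def ops_from_pdfj(pdfj_output):
    """(bytes, opcode) pairs from `pdfj`; [] when r2 printed no JSON, which is
    what happens when there is no function at the seek address."""
    text = (pdfj_output or "").strip()
    if not text.startswith("{"):
        return []
    return [(op["bytes"], op.get("opcode", "")) for op in json.loads(text).get("ops", [])]


def ops_from_p8(p8_output, size):
    """'From current offset' mode: chunk `p8 <size>` output into 4-byte rows.
    Needs no analysis at all, so it works on an unanalyzed binary or a DEX."""
    hexstr = (p8_output or "").strip()[: size * 2]
    return [(hexstr[i:i + 8], "") for i in range(0, len(hexstr), 8) if hexstr[i:i + 8]]


def yara_hex(ops):
    """Join instruction bytes into a YARA hex string. r2 masks wildcard nibbles
    with '.', YARA spells them '?' (the replace the original traceback shows)."""
    raw = "".join(b for b, _ in ops).replace(".", "?")
    return " ".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def build_rule(name, author, filename, ops):
    """Rule text, or a ValueError with a readable message instead of the
    IndexError the script raised on an empty instruction list."""
    if not ops:
        raise ValueError("nothing to fingerprint: run aa and seek to a function, or give a size")
    lines = ["rule %s {" % name, "    meta:",
             '        author = "%s"' % author, '        file = "%s"' % filename,
             "    strings:"]
    lines += ["        // %s %s" % (b, o) for b, o in ops if o]  # disassembly as comments
    lines += ["        $opcodes = { %s }" % yara_hex(ops),
              "    condition:", "        $opcodes", "}"]
    return "\n".join(lines)


def rule_from_session(aflc_output, pdfj_output, p8_output=None, size=None,
                      name="rule", author="edu", filename="libtarget.so"):
    """Decision path with the guards in place: a size request bypasses analysis,
    otherwise refuse early when aflc is 0, then take the function's bytes."""
    if size is not None and p8_output is not None:
        ops = ops_from_p8(p8_output, size)
    elif not is_analyzed(aflc_output):
        raise ValueError("binary not analyzed (aflc == 0): run aa first or pass a size")
    else:
        ops = ops_from_pdfj(pdfj_output)
    return build_rule(name, author, filename, ops)


if __name__ == "__main__":
    print(rule_from_session(AFLC_AFTER_ANALYSIS, PDFJ_SAMPLE))
```

Checking `aflc` before touching function output turns the traceback into a one-line message, and the `p8` path gives the requested "size bytes from the current offset" mode without depending on analysis having found a function there.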
[22:58 edu@xxxxx tmp] > r2 classes.dex
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.4.0-git)
-- Use '-e bin.strings=false' to disable automatic string search when loading the binary.
[0x00000628]> ic
0x00000344 [0x00000628 - 0x00000d98] (sz 1904) class 0 Lo/QC$a super: Ljava/lang/ClassLoader;
0x00000628 method 0 sC Lo/QC$a.method.<clinit>()V
0x00000744 method 1 C Lo/QC$a.method.<init>(Ljava/lang/Object;)V
0x00000788 method 2 sp Lo/QC$a.method.f()Ljava/lang/Object;
0x00000d48 method 3 sP Lo/QC$a.method.j(IBB)Ljava/lang/String;
0x0000076c method 4 Lo/QC$a.method.f(Ljava/lang/String;)Ljava/lang/Class;
0x00000b3c method 5 r Lo/QC$a.method.findClass(Ljava/lang/String;)Ljava/lang/Class;
0x00000d20 method 6 r Lo/QC$a.method.findLibrary(Ljava/lang/String;)Ljava/lang/String;
[0x00000628]> s 0x00000d20
[0x00000d20]> pd 5
;-- Lo/QC$a.method.findLibrary(Ljava/lang/String;)Ljava/lang/String;:
;-- method.protected.Lo_QC_a.Lo_QC_a.method.findLibrary_Ljava_lang_String__Ljava_lang_String:
0x00000d20 1c000d00 const-class v0, Lo/QC$a;
0x00000d24 6e1001000000 invoke-virtual {v0}, Ljava/lang/Class.getClassLoader()Ljava/lang/ClassLoader; ; 0x1
0x00000d2a 0c00 move-result-object v0
0x00000d2c 6e2006002000 invoke-virtual {v0, v2}, Ljava/lang/ClassLoader.findLibrary(Ljava/lang/String;)Ljava/lang/String; ; 0x6
0x00000d32 0c00 move-result-object v0
[0x00000d20]> #!pipe python /home/edu/r2scripts/functoyara.py -n dex -a Edu
p: Cannot find function at 0x00000d20
Traceback (most recent call last):
File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
rule.create(args.name,args.author)
File "/home/edu/r2scripts/functoyara.py", line 64, in create
rule = self.create_rule(name,author)
File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
rule += ' ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range
[0x00000d20]>
Nice feedback - thanks. Error handling could likely be improved across the board as my testing was limited to my workflow.
I added analysis checks using aflc into multiple parts of these scripts. I split out the offset/size request into a separate issue in #8. I'm closing this out for now.