Different behavior when opening local vs remote files.

Question

Different behavior when opening local vs remote files.

Opened this issue 10 months ago · 3 comments

With this file (repro.elf.gz) I see different behavior when running the decompiler locally or via RAP.

When running directly on a file, the string literal gets recognized:

$ r2 repro.elf
[0x00001000]> ss sym.main
[0x00001050]> af
[0x00001050]> pdg

ulong sym.main(void)

{
    sym.puts_plt("Hello, world!");
    return 0;
}

However, when running via RAP it is not:

$ r2 -nn repro.elf rap://:9999/ &
$ r2 rap://127.0.0.1:9999/
[0x00001000]> ss sym.main
[0x00001050]> af
[0x00001050]> pdg

ulong sym.main(void)

{
    sym.puts_plt(0x2004);
    return 0;
}

Possibly related to #52.

Answer 1 · 2023-09-16T18:05:08.000Z

If you do -nn no strings or symbols are parsed so its expected

Answer 2 · 2023-09-16T18:06:32.000Z

As you can see, the "main" symbol does get recognized on the second set of commands. My guess is that the second r2 sees the ELF magic within the remote memory and does its own processing of the ELF format, including symbols, but for some reason the string literal is not recognized.

Answer 3 · 2023-09-16T18:15:22.000Z

I've run some tests, and it seems that the direct r2 (as in the first set of commands) only recognizes the string if the size of the .data section is no more than 10 MiB. If the section is larger, the string is not recognized in either way.