"afbij" otput wrog json format
GhostFrankWu opened this issue · comments
Environment
radare2 5.9.1 32046 @ linux-x86-64
birth: git.5.9.0-163-gb9e47794e3 2024-05-10__18:31:14
commit: b9e47794e3c7287326c63bbbd0122d8ab363cbd0
options: gpl -O? cs:5 cl:2 make
Linux x86_64
Description
For x86, "afbi" returns multiple basic blocks. This makes "afbij" output an invalid JSON format; example:
[0x08048736]> aaaa
[0x08048736]> afbij @ 0x804f41f
{"addr":134542360,"size":8,"jump":134542368,"opaddr":134542360,"inputs":1,"outputs":1,"ninstr":1,"instrs":[134542360],"traced":1}
{"addr":134542361,"size":7,"jump":134542368,"opaddr":134542361,"inputs":1,"outputs":1,"ninstr":1,"instrs":[134542361],"traced":1}
.text:0804F40E loc_804F40E: ; CODE XREF: sub_804F360+68↑j
.text:0804F40E cmp large dword ptr gs:0Ch, 0
.text:0804F416 jz short loc_804F419
.text:0804F418 lock
.text:0804F419
.text:0804F419 loc_804F419: ; CODE XREF: sub_804F360+B6↑j
.text:0804F419 sub ds:dword_80EC4C0, 1
.text:0804F420 jz short loc_804F42D
.text:0804F422 lea eax, dword_80EC4C0
.text:0804F428 call sub_806FE40
.text:0804F42D
.text:0804F42D loc_804F42D: ; CODE XREF: sub_804F360+C0↑j
.text:0804F42D or [esp+15Ch+var_A4], 10000h
.text:0804F438 sub esp, 4
.text:0804F43B lea edi, [esp+160h+var_128]
I'm not sure if this is expected behavior, but based on #18284 (comment), at least the result format of the JSON went wrong.
Test
I'm not sure if this is caused by "afbij" or by the "lock" instruction from the x86 arch, as in my environment r2 actually seems unable to disassemble the code at that address.
I was unable to craft a simple binary to reproduce this problem, so here I provide my original binary program (a statically linked CTF challenge):
754392adc-radare2-issue.zip
This address is part of two basic blocks. I don't think any other tool except radare supports a single address being covered by two basic blocks or a single basic block shared between two functions. And this is a design decision.
This address is not at the beginning of any instruction in any basic block. The address is not listed in your disasm and it's neither listed in the disasm of r2.
Yeah, showing two JSON objects as output is not valid JSON, so it should be fixed.
[Screenshot 2024-05-16 at 17 28 51]
[Screenshot 2024-05-16 at 17 30 34]
As you can see, the address is in the middle of two instructions listed as two separate basic blocks, so linear disassembly won't show it properly unless you set flags on each basic block and then use the bbmiddle option; use pdr or agfv.
.afb*
e asm.bbmiddle=true
[Screenshot 2024-05-16 at 17 33 17]
[Screenshot 2024-05-16 at 17 31 32]
As you see, r2 can disassemble the lock instruction properly, but that's an anti-disassembly trick and needs to be treated properly to handle it.
So my proposal here is:
- Make afbj return an array (may break some scripts I guess, but worth doing the change). Fixed in #22948.
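The two points raised in this thread, the non-array output that breaks `json.loads()` and the single address covered by two basic blocks, can both be checked from a script that consumes "afbij" output. The following is an added example, not code from the issue or from the radare2 project; the sample input is the two objects quoted in the report above, embedded as a constructed string, and the function names (`parse_afbij`, `blocks_covering`, `overlapping_pairs`) are assumptions of this example. The parser accepts both the pre-#22948 form (objects back to back) and the fixed form (one array), and the overlap check reports the byte ranges that a normal CFG would treat as impossible.

```python
import json

# Constructed sample: the two objects exactly as "afbij @ 0x804f41f" prints
# them in the report above (old behaviour: concatenated objects, not an array).
OLD_STYLE_OUTPUT = (
    '{"addr":134542360,"size":8,"jump":134542368,"opaddr":134542360,'
    '"inputs":1,"outputs":1,"ninstr":1,"instrs":[134542360],"traced":1}\n'
    '{"addr":134542361,"size":7,"jump":134542368,"opaddr":134542361,'
    '"inputs":1,"outputs":1,"ninstr":1,"instrs":[134542361],"traced":1}\n'
)

# Constructed sample: the same two blocks in the array form proposed in this thread.
NEW_STYLE_OUTPUT = "[" + ",".join(OLD_STYLE_OUTPUT.split()) + "]"


def plain_loads_fails(text):
    """True when a single json.loads() rejects the text (the reported bug)."""
    try:
        json.loads(text)
        return False
    except json.JSONDecodeError:
        return True


def parse_afbij(text):
    """Return a list of basic-block dicts from afbij output.

    Handles both the old form (several JSON objects back to back) and the
    fixed form (one JSON array), so a script keeps working across the change.
    """
    decoder = json.JSONDecoder()
    blocks = []
    pos, n = 0, len(text)
    while True:
        while pos < n and text[pos].isspace():  # skip separators between objects
            pos += 1
        if pos >= n:
            break
        obj, pos = decoder.raw_decode(text, pos)  # decode one value, get its end
        blocks.extend(obj if isinstance(obj, list) else [obj])
    return blocks


def blocks_covering(blocks, addr):
    """Blocks whose byte range [addr, addr + size) contains the given address."""
    return [b for b in blocks if b["addr"] <= addr < b["addr"] + b["size"]]


def overlapping_pairs(blocks):
    """(addr, addr) pairs of blocks whose byte ranges intersect.

    Most tools never produce such pairs; in r2 they flag an overlapping
    instruction layout such as the jz-over-lock byte in this issue.
    """
    s = sorted(blocks, key=lambda b: b["addr"])
    pairs = []
    for i, a in enumerate(s):
        for b in s[i + 1:]:
            if b["addr"] < a["addr"] + a["size"]:
                pairs.append((a["addr"], b["addr"]))
    return pairs


if __name__ == "__main__":
    print("json.loads() rejects old-style output:", plain_loads_fails(OLD_STYLE_OUTPUT))
    blocks = parse_afbij(OLD_STYLE_OUTPUT)
    target = 0x804F41F
    for b in blocks_covering(blocks, target):
        print(f"0x{target:x} lies inside block 0x{b['addr']:x} (size {b['size']})")
    for a, b in overlapping_pairs(blocks):
        print(f"overlapping blocks: 0x{a:x} and 0x{b:x}")
```

Run against real output with `r2 -qc 'aaa; afbij @ <addr>' <binary>` piped into `parse_afbij`; the `blocks_covering` result for 0x804f41f is two blocks for this binary, which is the situation the maintainer describes rather than a parser error.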
If you enable asm.bbmiddle, which should be set by default, you should be able to see both instructions, the lock and the sub. So it's the je
that breaks the thing, and the lock is actually never executed, I think.
[Screenshot 2024-05-16 at 18 10 59]