Radare2 Call $+5 and register-based cross-references not found

Question

I have a library of ~65MB which uses this "technique" as a kind of PIC.

First, it gets some kind of base address (it is always the same):

0x00708497      e800000000     call 0x70849c
0x0070849c      5b             pop ebx
0x0070849d      81c3ac442601   add ebx, 0x12644ac

And then it's used to reference strings or global variables:

0x007084bc      8d832e29a8ff   lea eax, [ebx - 0x57d6d2]

So, is there any analysis command which could find these references?

score 1 · Answer 1 · answered Oct 17 '18 at 19:22

1

There are a few issues on radare's GitHub about such code, e.g.:

Invalid strings xref in x86

String(DATA) xref does not work with x86 binary built with -fPIC -m32

According to some comments on them, aae is supposed to resolve such references after this change, so try it. If not, open a new issue or try other support options.

answered Oct 17 '18 at 19:22

Igor Skochinsky

36,553
7
65
115

I will create a issue once I make a smaller library reproducing the issue, for now I made a python script using r2pipe to find these references – Fabian Mendez Oct 18 '18 at 02:41
@FabianMendez so, have you found a way to do a smaller reproducer? Opening an issue even just "as is" can help too. – Anton Kochkov Nov 20 '18 at 09:22
@AntonKochkov There is an issue already: https://github.com/radare/radare2/issues/11309 – Fabian Mendez Nov 21 '18 at 15:34

Radare2 Call $+5 and register-based cross-references not found

1 Answers1