I have a question about radare2's function detection algorithm: when I analyzed the stripped ELF binaries in radare2, it seemed to detect the start and end addresses of functions correctly, even if they contain indirect branch instructions (e.g. libc's It seems that radare2 uses the "Nucleus Algorithm" to analyze basic blocks and functions, but can it detect functions correctly for any ELF binaries? Alternatively, if there are any corner cases that are impossible to analyze, I would like to know about them. Thanks.
I don't think "perfect" is anything we can ensure when facing reverse engineering topics; there are always corner cases or ways to break the assumptions. For example, in archs mixing data and code, or programs sharing basic blocks across functions. I'm happy that it worked well for you, and I always try my best to improve the analysis when I spot issues like this, but I don't think any tool works well in all cases with no human interaction at some point on all possible binaries.
Switch tables and reused basic blocks across functions are the most annoying code constructions nowadays, and compilers evolve to make things weirder on every update. No need for obfuscations to break analysis, so I would never guarantee that. I don't think any tool can guarantee this. But as said, r2 does its best to achieve that, and any case that doesn't work should be reported and fixed. Also, I'm considering you are referring to x86-64, because there are many tricky constructions on x86-16 or arm-thumb2 that are hard to autoanalyze properly without human interaction.
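The two corner cases named in the replies (an indirect jump through a switch table, and a basic block shared by two functions) can be shown on a toy instruction stream. The following is an added example, not radare2's code and not the Nucleus algorithm itself: it is a minimal recursive-descent function recovery over a constructed program with a hypothetical fixed-width ISA, and the `jump_tables` parameter stands in for whatever switch-table heuristic a real analyzer applies. Without that heuristic the function containing the indirect jump is truncated at the dispatch instruction; with it the cases are recovered, and the shared epilogue block shows up as belonging to two functions at once.

```python
"""Toy recursive-descent function recovery (added example, not radare2 code).

Mimics the shape of the analysis discussed above: follow control flow from
known entry points, treat call targets as new entries, refuse to disassemble
data, and stop at indirect jumps unless a switch-table heuristic resolves them.
"""
from collections import defaultdict

# Constructed program: addr -> (mnemonic, operand). Every instruction of this
# hypothetical ISA is 4 bytes, so the fall-through successor is addr + 4.
INSN_SIZE = 4
PROGRAM = {
    # main: call a helper, then dispatch on a value through a jump table
    0x00: ("call", 0x40),
    0x04: ("op", None),
    0x08: ("ijmp", None),   # indirect jump: target computed at runtime
    0x0C: ("op", None),     # switch case 0
    0x10: ("jmp", 0x1C),
    0x14: ("op", None),     # switch case 1
    0x18: ("jmp", 0x1C),
    0x1C: ("ret", None),    # switch join / epilogue of main
    0x20: ("data", None),   # data placed between functions
    # two functions that share the epilogue block at 0x50
    0x40: ("op", None),     # helper called from main
    0x44: ("jmp", 0x50),
    0x48: ("op", None),     # second entry point, not called from main
    0x4C: ("op", None),
    0x50: ("ret", None),    # block reused by both 0x40 and 0x48
}


def recover_functions(program, entries, jump_tables=None):
    """Return (functions, unresolved).

    functions:  {entry: sorted instruction addresses owned by that function}
    unresolved: addresses of indirect jumps whose targets stayed unknown
    jump_tables: optional {ijmp_addr: [targets]} standing in for a
                 switch-table heuristic that resolves indirect jumps.
    """
    jump_tables = jump_tables or {}
    functions, unresolved, seen = {}, set(), set()
    worklist = list(entries)
    while worklist:
        entry = worklist.pop()
        if entry in seen:
            continue
        seen.add(entry)
        body, stack = set(), [entry]
        while stack:
            addr = stack.pop()
            if addr in body or addr not in program:
                continue
            mnem, target = program[addr]
            if mnem == "data":
                continue            # never treat data bytes as code
            body.add(addr)
            nxt = addr + INSN_SIZE
            if mnem == "op":
                stack.append(nxt)
            elif mnem == "call":
                worklist.append(target)   # callee is a new function entry
                stack.append(nxt)
            elif mnem == "jmp":
                stack.append(target)
            elif mnem == "jcc":
                stack.extend([target, nxt])
            elif mnem == "ijmp":
                if addr in jump_tables:
                    stack.extend(jump_tables[addr])
                else:
                    unresolved.add(addr)  # analysis stops here
            # "ret" ends the path
        functions[entry] = sorted(body)
    return functions, unresolved


def function_bounds(functions):
    """{entry: (start, end)} with end exclusive, as a 'start/end address' view."""
    return {e: (b[0], b[-1] + INSN_SIZE) for e, b in functions.items() if b}


def shared_blocks(functions):
    """Addresses claimed by more than one function, i.e. overlapping functions."""
    owners = defaultdict(set)
    for entry, body in functions.items():
        for addr in body:
            owners[addr].add(entry)
    return {a: sorted(o) for a, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    funcs, unres = recover_functions(PROGRAM, [0x00, 0x48])
    print("without switch-table heuristic:")
    for e, body in sorted(funcs.items()):
        print(f"  fcn.{e:04x}: {[hex(a) for a in body]}")
    print("  unresolved indirect jumps:", [hex(a) for a in unres])
    funcs, unres = recover_functions(PROGRAM, [0x00, 0x48], {0x08: [0x0C, 0x14]})
    print("with switch-table heuristic, main bounds:", function_bounds(funcs)[0x00])
    print("blocks shared by several functions:",
          {hex(a): [hex(e) for e in o] for a, o in shared_blocks(funcs).items()})
```

Run it as a script to see both outcomes side by side. The point for an analyst is that the truncated function is not a bug in the walker but the expected result when no heuristic resolves the jump; the same holds for the shared block, which any tool must assign to one owner, to both, or flag for a human to decide.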