Initial implementation of the bin.aslr ##bin

radareorg · Dec 22, 2024 · decded3 · decded3
1 parent 31864f3
commit decded3
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 8 deletions.
diff --git a/libr/core/cbin.c b/libr/core/cbin.c
@@ -1416,8 +1416,8 @@ static bool bin_main(RCore *r, PJ *pj, int mode, int va) {
 	} else if (IS_MODE_SIMPLE (mode)) {
 		r_cons_printf ("%"PFMT64d, addr);
 	} else if (IS_MODE_RAD (mode)) {
-		r_cons_printf ("fs symbols\n");
-		r_cons_printf ("f main @ 0x%08"PFMT64x"\n", addr);
+		r_cons_printf ("'fs symbols\n");
+		r_cons_printf ("'@0x%08"PFMT64x"'f main\n", addr);
 		if (isthumb) {
 			r_cons_printf ("'@0x%08"PFMT64x"'ahb 16\n", addr);
 		}

diff --git a/libr/core/cconfig.c b/libr/core/cconfig.c
@@ -2323,12 +2323,21 @@ static bool cb_io_cache(void *user, void *data) {
 	return true;
 }
 
+#if 0
 static bool cb_ioaslr(void *user, void *data) {
 	RCore *core = (RCore *) user;
 	RConfigNode *node = (RConfigNode *) data;
 	core->io->aslr = (bool)node->i_value;
 	return true;
 }
+#endif
+
+static bool cb_binaslr(void *user, void *data) {
+	RCore *core = (RCore *) user;
+	RConfigNode *node = (RConfigNode *) data;
+	core->bin->options.fake_aslr = (bool)node->i_value;
+	return true;
+}
 
 static bool cb_io_pava(void *user, void *data) {
 	RCore *core = (RCore *) user;
@@ -4536,7 +4545,8 @@ R_API int r_core_config_init(RCore *core) {
 	SETICB ("io.mask", 0, &cb_iomask, "mask addresses before resolving as maps");
 	SETBPREF ("io.exec", "true", "see !!r2 -h~-x");
 	SETICB ("io.0xff", 0xff, &cb_io_oxff, "use this value instead of 0xff to fill unallocated areas");
-	SETCB ("io.aslr", "false", &cb_ioaslr, "disable ASLR for spawn and such");
+	// SETCB ("dbg.aslr", "false", &cb_ioaslr, "disable ASLR for spawn and such");
+	SETCB ("bin.aslr", "false", &cb_binaslr, "pick a random bin.baddr to simulate ASLR for static analysis");
 	SETCB ("io.va", "true", &cb_iova, "use virtual address layout");
 	SETBPREF ("io.voidwrites", "true",
 		"handle writes to fully unmapped areas as valid operations (requires io.va to be set)");

diff --git a/libr/core/cfile.c b/libr/core/cfile.c
@@ -78,7 +78,12 @@ R_API bool r_core_file_reopen(RCore *core, const char *args, int perm, int loadb
 		}
 	}
 	if (new_baddr == UT64_MAX) {
-		new_baddr = r_config_get_i (core->config, "bin.baddr");
+		if (r_config_get_b (core->config, "bin.aslr")) {
+			new_baddr = r_num_rand (32) << 24;
+			r_config_set_i (core->config, "bin.baddr", new_baddr);
+		} else {
+			new_baddr = r_config_get_i (core->config, "bin.baddr");
+		}
 	}
 
 	if (r_sandbox_enable (0)) {
@@ -158,7 +163,12 @@ R_API bool r_core_file_reopen(RCore *core, const char *args, int perm, int loadb
 			} else if (new_baddr != UT64_MAX) {
 				baddr = new_baddr;
 			} else {
-				baddr = r_config_get_i (core->config, "bin.baddr");
+				if (r_config_get_b (core->config, "bin.aslr")) {
+					baddr = r_num_rand (32) << 24;
+					r_config_set_i (core->config, "bin.baddr", baddr);
+				} else {
+					baddr = r_config_get_i (core->config, "bin.baddr");
+				}
 			}
 			ret = r_core_bin_load (core, obinfilepath, baddr);
 			r_core_bin_update_arch_bits (core);
@@ -453,6 +463,13 @@ static int r_core_file_load_for_io_plugin(RCore *r, ut64 baseaddr, ut64 loadaddr
 	}
 	R_CRITICAL_ENTER (r);
 	r_io_use_fd (r->io, fd);
+	if (baseaddr == UT64_MAX) {
+		// ASLR - this is probably the only place where bin.aslr is used. maybe move into rbin.options before R2_600
+		if (r_config_get_b (r->config, "bin.aslr")) {
+			baseaddr = r_num_rand (32) << 24;
+			r_config_set_i (r->config, "bin.baddr", baseaddr);
+		}
+	}
 	RBinFileOptions opt;
 	r_bin_file_options_init (&opt, fd, baseaddr, loadaddr, r->bin->rawstr);
 	// opt.fd = fd;

diff --git a/libr/include/r_bin.h b/libr/include/r_bin.h
@@ -435,6 +435,10 @@ typedef struct r_bin_create_options_t {
 	int bits;
 } RBinCreateOptions;
 
+typedef struct r_bin_options_t {
+	bool fake_aslr;
+} RBinOptions;
+
 struct r_bin_t {
 	const char *file;
 	RBinFile *cur; // TODO: deprecate
@@ -475,6 +479,7 @@ struct r_bin_t {
 	bool use_xtr; // use extract plugins when loading a file?
 	bool use_ldr; // use loader plugins when loading a file?
 	RStrConstPool constpool;
+	RBinOptions options; // R2_600 - move all the options from rbin into this struct
 };
 
 typedef struct r_bin_xtr_metadata_t {

diff --git a/libr/include/r_io.h b/libr/include/r_io.h
@@ -138,7 +138,6 @@ typedef struct r_io_t {
 	bool ff;
 	ut8 Oxff; // which printable char to use instead of 0xff for unallocated bytes
 	size_t addrbytes; // XXX also available in RArchConfig.addrbytes
-	bool aslr;
 	bool autofd;
 	bool overlay;
 	// moved into cache.mode // ut32 cached; // uses R_PERM_RWX // wtf cache for exec?

diff --git a/test/db/cmd/cmd_i b/test/db/cmd/cmd_i
@@ -3023,8 +3023,8 @@ NAME=iM* command
 FILE=bins/elf/redpill
 CMDS=iM*
 EXPECT=<<EOF
-fs symbols
-f main @ 0x0000142e
+'fs symbols
+'@0x0000142e'f main
 EOF
 RUN