scanf/printf - detect small strings like "%s"

[Maijin]

Actually not sure if regression or if it always happened but notice the scanf when doing aaa / pdd in crackme0x00.exe (r2r/bins/pe/ioli)

scanf (0x404024);

Instead should be:

scanf ("%s", &s1);

[wargio]

Hmm maybe a regression. I'll check later

[wargio]

fixed scanf with commit 9b27dfd

[0x00401310]> Cs 3 @ 0x404024
[0x00401310]> pdd
/* r2dec pseudo code output */
/* ~/radare2-regressions/bins/pe/crackme0x00.exe @ 0x401310 */
#include <stdint.h>
 
int32_t main (void) {
    int32_t var_1ch;
    char * s1;
    char * s2;
    eax = 0;
    eax += 0xf;
    eax += 0xf;
    eax >>= 4;
    eax <<= 4;
    var_1ch = eax;
    fcn_00402c70 ();
    _main ();
    printf ("IOLI Crackme Level 0x00\n");
    printf ("Password: ");
    eax = &s1;
    scanf ("%s", eax);
    eax = &s1;
    eax = _strcmp (eax, "250382");
    if (eax != 0) {
        printf ("Invalid Password!\n");
    } else {
        printf ("Password OK :)\n");
    }
    eax = 0;
    return eax;
}

[Maijin]

Hum, I still have scanf (0x404024, eax);

[radare]

Did you do af or aaa?

…

On 2 Jul 2019, at 20:34, Maijin ***@***.***> wrote: Reopened #173. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[Maijin]

same result both.

[wargio]

@Maijin Cs 3 @ 0x404024
the string is too short to be detected with default options

[Maijin]

those %XX should be handled by either r2dec or radare2, I think in radare2 it will be hard because of this default option, but r2dec could automatically have some routines to detect %XX strings no?

[wargio]

yes i could, but i would like to let the user to choose what to do.

[Maijin]

Hum how would that be useful for a user to not show scanf/printf format strings 🤔

[wargio]

hmmm... i could add that logic, but not so sure how to handle it. for example how about native android logger? should i support that too? it might be complex..

[Maijin]

Can always start small and enhance later, worth giving it a shot imho because those are very prevalent.

[wargio]

okok.

[elicn]

I agree with @wargio, this is a r2 configuration that should be tweaked per user preference.

[Maijin]

But changing this introduce tons of false positives on radare2 and inherently r2dec side though.

[wargio]

what i mean is also on other decompilers you have the user to choose to try to convert an address to string, etc..

[Maijin]

Sure but those scanf/printf cases work out of the boxes in all other decompilers :p