r2 outputs incorrect ssdeep hashes for binary sections #23930

Open
mattunleashed opened this issue Jan 26, 2025 · 3 comments
@mattunleashed

Environment

Sun Jan 26 10:54:02 CST 2025
radare2 5.9.9 33453 @ darwin-arm-32
birth: git.5.9.8-319-ga7952c1e80 2025-01-26__10:47:23
commit: a7952c1e8041ec75e4e97559f0e5a62ed788d34a
options: gpl -O2 cs:5 cl:2 make
Darwin arm64

Description

When I try to view ssdeep hashes for a target binary's sections, the hash structure in the output is not a valid ssdeep hash. I would expect to see a valid ssdeep hash of the structure block size : single chunk hash : double chunk hash.

Test

Using an example C "Hello, World" target:

> cat ~/snippets/c/hello_world.c
#include <stdio.h>

int main() {
    printf("Hello, World!\n");
    return 0;
}

> gcc -o hello_world.bin -arch x86_64 hello_world.c

> r2 ~/snippets/c/hello_world.bin
 -- ESIL ruined my life
[0x100000f60]> iS ssdeep
nth paddr       size vaddr        vsize perm flags ssdeep                                                                                                                                                                                                                                                           type             name
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000f60  0x25 0x100000f60   0x25 -r-x 0x0   313a77747341746d4a3169675a6c6c6c6c746f597a6c6c6c566c4e736c6c6c556c746d6831346d6e3a5968746d3769556c6c6c61656c6c6c56386c2f556d317200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 REGULAR          0.__TEXT.__text
1   0x00000f86   0x6 0x100000f86    0x6 -r-x 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 SYMBOL_STUBS     1.__TEXT.__stubs
2   0x00000f8c   0xf 0x100000f8c    0xf -r-x 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 CSTRINGS         2.__TEXT.__cstring
3   0x00000f9c  0x58 0x100000f9c   0x58 -r-x 0x0   313a6b6c6c6c356c6c6c6c6c6c6c356c6c6c6c6c6c6c356c6c6c6e6c6c6c46716c6c6c6c6c6c6c6c6c6c67716c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c683a736c6c356c696c2f2f71656c6c6c6c386c2f4c6b6c766b742f576c2f6c0000000000000000000000000000000000000000000000000000000000000000 REGULAR          3.__TEXT.__unwind_info
4   0x00001000   0x8 0x100001000    0x8 -rw- 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 NONLAZY_POINTERS 4.__DATA_CONST.__got

The hash values remain the same if I try to output in JSON via iSj. The values also remain the same if I try to use rabin2 via:

> rabin2 -K ssdeep -S ~/snippets/c/hello_world.bin

One oddity to note in rahash2 (for the full file hash) is that the output only seems incorrect in JSON.

> rahash2 -a ssdeep ~/snippets/c/hello_world.bin
/Users/user/snippets/c/hello_world.bin: 0x00000000-0x000020ff ssdeep: 12:kmidb+6KtyQ/8tOr8tzr8tDwrtBvFyH0yInK/qWEHjqSdYtcIIcJqikPKHHcwCos:xbP/80r8Z84fUDqKi9j03RJeKHHTCmuf

> rahash2 -j -a ssdeep ~/snippets/c/hello_world.bin
[{"name":"ssdeep","hash":"31323a6b6d6964622b364b7479512f38744f7238747a7238744477727442764679483079496e4b2f715745486a7153645974634949634a71696b504b48486377436f733a7862502f383072385a3834665544714b69396a3033524a654b484854436d756600000000000000000000000000000000000000000000000000000000"}]
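
The hex fields in the report are the ASCII ssdeep string dumped byte by byte and padded with zero bytes, which can be confirmed by decoding the `rahash2 -j` value and comparing it with the plain `rahash2` output above. The following is an added example, not code from the issue or from radare2; the function names are hypothetical and the sample values are copied from the report with only the trailing zero padding shortened.

```python
import re

# ssdeep text form: block size, chunk hash, double-chunk hash (base64 alphabet).
SSDEEP_RE = re.compile(r"^(\d+):([A-Za-z0-9+/]*):([A-Za-z0-9+/]*)$")

# Plain rahash2 output from the report.
RAHASH2_TEXT = ("12:kmidb+6KtyQ/8tOr8tzr8tDwrtBvFyH0yInK/qWEHjqSdYtcIIcJqikPKHHcwCos"
                ":xbP/80r8Z84fUDqKi9j03RJeKHHTCmuf")
# "hash" field of `rahash2 -j` from the report (NUL padding shortened).
RAHASH2_JSON_HEX = (
    "31323a6b6d6964622b364b7479"
    "512f38744f7238747a7238744477727442764679483079496e4b2f71"
    "5745486a7153645974634949634a71696b504b48486377436f733a"
    "7862502f383072385a3834665544714b69396a3033524a654b484854436d7566"
    + "00" * 28)
# ssdeep column of `iS ssdeep` for 0.__TEXT.__text (NUL padding shortened).
TEXT_SECTION_HEX = (
    "313a77747341746d4a3169675a6c6c6c6c746f597a6c6c6c566c4e736c6c6c556c746d6831346d6e"
    "3a5968746d3769556c6c6c61656c6c6c56386c2f556d3172"
    + "00" * 64)


def decode_hex_ssdeep(field):
    """Recover the ssdeep string from a hex-dumped, NUL-padded buffer.

    Returns None when the buffer holds only zero bytes (no hash text),
    raises ValueError when the decoded text is not ssdeep-shaped.
    """
    raw = bytes.fromhex(field).rstrip(b"\x00")
    if not raw:
        return None
    text = raw.decode("ascii")  # UnicodeDecodeError is a ValueError subclass
    if not SSDEEP_RE.match(text):
        raise ValueError(f"not an ssdeep string: {text!r}")
    return text


def block_size(ssdeep):
    """Return the numeric block size prefix of an ssdeep string."""
    return int(SSDEEP_RE.match(ssdeep).group(1))


if __name__ == "__main__":
    print(decode_hex_ssdeep(RAHASH2_JSON_HEX) == RAHASH2_TEXT)
    print(decode_hex_ssdeep(TEXT_SECTION_HEX))
```
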
@mattunleashed
Author

Note: this probably feels like a good first issue (though maybe I'm wrong)? Is there documentation to guide someone through their first PR and making sure tests/builds pass? I know this gets covered at r2con but it might be useful to exist in long-form writing if it doesn't already.

@trufae
Collaborator

trufae commented Jan 26, 2025

See the DEVELOPERS.md

@mattunleashed
Author

I split the rahash2 bug into its own issue -> #23937
