
r2 outputs incorrect ssdeep hashes for binary sections #23930

Closed
mattunleashed opened this issue Jan 26, 2025 · 7 comments
Comments

@mattunleashed
Contributor

Environment

Sun Jan 26 10:54:02 CST 2025
radare2 5.9.9 33453 @ darwin-arm-32
birth: git.5.9.8-319-ga7952c1e80 2025-01-26__10:47:23
commit: a7952c1e8041ec75e4e97559f0e5a62ed788d34a
options: gpl -O2 cs:5 cl:2 make
Darwin arm64

Description

When I try to view ssdeep hashes for a target binary's sections, the hash structure in the output is not a valid ssdeep hash. I would expect to see a valid ssdeep hash of the structure block size : single chunk hash : double chunk hash.

Test

Using an example C "Hello, World" target:

> cat ~/snippets/c/hello_world.c
#include <stdio.h>

int main() {
    printf("Hello, World!\n");
    return 0;
}

> gcc -o hello_world.bin -arch x86_64 hello_world.c

> r2 ~/snippets/c/hello_world.bin
 -- ESIL ruined my life
[0x100000f60]> iS ssdeep
nth paddr       size vaddr        vsize perm flags ssdeep                                                                                                                                                                                                                                                           type             name
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000f60  0x25 0x100000f60   0x25 -r-x 0x0   313a77747341746d4a3169675a6c6c6c6c746f597a6c6c6c566c4e736c6c6c556c746d6831346d6e3a5968746d3769556c6c6c61656c6c6c56386c2f556d317200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 REGULAR          0.__TEXT.__text
1   0x00000f86   0x6 0x100000f86    0x6 -r-x 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 SYMBOL_STUBS     1.__TEXT.__stubs
2   0x00000f8c   0xf 0x100000f8c    0xf -r-x 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 CSTRINGS         2.__TEXT.__cstring
3   0x00000f9c  0x58 0x100000f9c   0x58 -r-x 0x0   313a6b6c6c6c356c6c6c6c6c6c6c356c6c6c6c6c6c6c356c6c6c6e6c6c6c46716c6c6c6c6c6c6c6c6c6c67716c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c6c683a736c6c356c696c2f2f71656c6c6c6c386c2f4c6b6c766b742f576c2f6c0000000000000000000000000000000000000000000000000000000000000000 REGULAR          3.__TEXT.__unwind_info
4   0x00001000   0x8 0x100001000    0x8 -rw- 0x0   0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 NONLAZY_POINTERS 4.__DATA_CONST.__got

The hash values remain the same if I try to output in JSON via iSj. The values also remain the same if I try to use rabin2 via:

> rabin2 -K ssdeep -S ~/snippets/c/hello_world.bin

One oddity to note in rahash2 (for the full file hash) is that the output only seems incorrect in JSON.

> rahash2 -a ssdeep ~/snippets/c/hello_world.bin
/Users/user/snippets/c/hello_world.bin: 0x00000000-0x000020ff ssdeep: 12:kmidb+6KtyQ/8tOr8tzr8tDwrtBvFyH0yInK/qWEHjqSdYtcIIcJqikPKHHcwCos:xbP/80r8Z84fUDqKi9j03RJeKHHTCmuf

> rahash2 -j -a ssdeep ~/snippets/c/hello_world.bin
[{"name":"ssdeep","hash":"31323a6b6d6964622b364b7479512f38744f7238747a7238744477727442764679483079496e4b2f715745486a7153645974634949634a71696b504b48486377436f733a7862502f383072385a3834665544714b69396a3033524a654b484854436d756600000000000000000000000000000000000000000000000000000000"}]
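The values above are recognisable once you notice that `31323a...` is the hex encoding of the ASCII digest `12:...` followed by NUL padding to the size of r2's output buffer. Anyone comparing section hashes across tools, or feeding `iSj`/`rahash2 -j` output into a triage pipeline, would otherwise see every comparison fail. The following Python is an added example, not radare2 code: it validates the `block size:chunk:double chunk` layout the issue expects and recovers the digest from the hex-blob form. The hex string is copied from the JSON output quoted in this issue; the all-zero case for a section that produced no digest is constructed.

```python
import re
from typing import Optional, Tuple

# An ssdeep (context-triggered piecewise hash) digest has three colon-separated
# fields: <block size>:<chunk hash>:<double-chunk hash>. Both hash fields use the
# base64 alphabet and carry no '=' padding. Empty hash fields are accepted here
# because r2 emits them for tiny sections (see the fixed output later in the issue).
SSDEEP_RE = re.compile(r"^(\d+):([A-Za-z0-9+/]*):([A-Za-z0-9+/]*)$")

# Sample input copied from the `rahash2 -j -a ssdeep` output quoted in the issue:
# the ASCII digest, hex-encoded, then NUL-padded to the hash buffer size.
BROKEN_JSON_HASH = (
    "31323a6b6d6964622b364b7479512f38744f7238747a7238744477727442764679483079496e4b2f"
    "715745486a7153645974634949634a71696b504b48486377436f733a7862502f383072385a383466"
    "5544714b69396a3033524a654b484854436d7566"
    "00000000000000000000000000000000000000000000000000000000"
)

# The text-mode digest rahash2 printed for the same file, for comparison.
EXPECTED_TEXT_HASH = (
    "12:kmidb+6KtyQ/8tOr8tzr8tDwrtBvFyH0yInK/qWEHjqSdYtcIIcJqikPKHHcwCos"
    ":xbP/80r8Z84fUDqKi9j03RJeKHHTCmuf"
)


def parse_ssdeep(digest: str) -> Optional[Tuple[int, str, str]]:
    """Return (block_size, chunk, double_chunk), or None if the string is not a digest."""
    m = SSDEEP_RE.match(digest)
    if not m:
        return None
    block_size = int(m.group(1))
    if block_size == 0:  # a zero block size can never come out of the CTPH algorithm
        return None
    return block_size, m.group(2), m.group(3)


def is_valid_ssdeep(digest: str) -> bool:
    return parse_ssdeep(digest) is not None


def decode_hex_blob(blob: str) -> Optional[str]:
    """Recover the digest from the hex-encoded, NUL-padded buffer form.

    Returns None when the input is not hex, not ASCII, or decodes to something
    that is not a well-formed digest (e.g. an all-NUL buffer).
    """
    if len(blob) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", blob):
        return None
    raw = bytes.fromhex(blob).rstrip(b"\x00")  # drop the buffer padding
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if is_valid_ssdeep(text) else None


def normalise_ssdeep(value: str) -> Optional[str]:
    """Accept either a proper digest or the hex-blob form; return a valid digest or None.

    Use this before comparing hashes from different tools or tool versions so a
    formatting difference is never mistaken for a content difference.
    """
    if is_valid_ssdeep(value):
        return value
    return decode_hex_blob(value)


if __name__ == "__main__":
    print("valid text digest:", is_valid_ssdeep(EXPECTED_TEXT_HASH))
    print("JSON value valid as-is:", is_valid_ssdeep(BROKEN_JSON_HASH))
    print("recovered:", normalise_ssdeep(BROKEN_JSON_HASH))
    print("all-zero buffer:", normalise_ssdeep("00" * 128))
```

Running it shows the JSON value is rejected as a digest, that decoding it yields exactly the text-mode hash, and that an all-zero buffer (the value r2 printed for the `__stubs`, `__cstring` and `__got` sections) normalises to nothing rather than to an empty, bogus digest.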
@mattunleashed
Contributor Author

Note: this probably feels like a good first issue (though maybe I'm wrong)? Is there documentation to guide someone through their first PR and making sure tests/builds pass? I know this gets covered at r2con but it might be useful to exist in long-form writing if it doesn't already.

@trufae
Collaborator

trufae commented Jan 26, 2025

See the DEVELOPERS.md

@mattunleashed
Contributor Author

I split the rahash2 bug into its own issue -> #23937

@trufae
Collaborator

trufae commented Jan 31, 2025

thanks for taking care of it :)

@mattunleashed
Contributor Author

mattunleashed commented Jan 31, 2025

No problem. I'm pretty sure I've tracked down the cause of the iS bug too but haven't implemented a working fix yet. Hopefully I can tackle that one this weekend.

@trufae
Collaborator

trufae commented Jan 31, 2025

cool! looking forward to your next PR

mattunleashed added a commit to mattunleashed/radare2 that referenced this issue Feb 2, 2025
@mattunleashed
Contributor Author

Okay - this bug should be fixed in PR #23941.

[0x100003a90]> iS ssdeep
nth paddr         size vaddr         vsize perm flags ssdeep                                                                                             type             name
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00003830  0x3c10 0x100003830  0x3c10 -r-x 0x0   24:xecd/8FGEE8Z6J/QJl38o38x8bzLbLyJgLVlnLeJLrrXLPLIgjjhob6qXK:xFE/w/QJbdLHyJOVtet/bTIgnmOy         REGULAR          0.__TEXT.__text
1   0x00007440   0x520 0x100007440   0x520 -r-x 0x0   1:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll:                                 SYMBOL_STUBS     1.__TEXT.__auth_stubs
2   0x00007960    0xdc 0x100007960    0xdc -r-x 0x0   3:Rbis8AaroSr4o4eANUFRtlU/sGYao05teAC/mef7HZlNCvlBAevsn:Wx1piU40S5teAg77NCvlBC                     REGULAR          2.__TEXT.__const
3   0x00007a3c   0x4e9 0x100007a3c   0x4e9 -r-x 0x0   24:HfvlIEf751ylc4cBcLo6d6sV36oYEhsQNGfltM0LtIsBNSntfTioY:Hf97fl1ohcBcLB3MQN2ysPibBY                CSTRINGS         3.__TEXT.__cstring
4   0x00007f28    0xd8 0x100007f28    0xd8 -r-x 0x0   6:wUyeplqMyLtCLM+oMCgMligBpbwof/PUQ:Qwlf5kiE6of5                                                   REGULAR          4.__TEXT.__unwind_info
5   0x00008000   0x290 0x100008000   0x290 -rw- 0x0   12:N+OK+tQR0i5B96/PZPr6cld+UBlBF2FKp7lVsV4JlziVNNnpMGfRB3fn:N+8tKd5B0/JPBlBF2FKp7cNNaABv           NONLAZY_POINTERS 5.__DATA_CONST.__auth_got
6   0x00008290    0x30 0x100008290    0x30 -rw- 0x0   1:qh2kllmdnR3toYDSllNMXlltglQ7toY4dllN9XlltglqhNkln:qh2kURdouievWQGVnX9qlqAln                      NONLAZY_POINTERS 6.__DATA_CONST.__got
7   0x000082c0   0x268 0x1000082c0   0x268 -rw- 0x0   12:YZUFJj6p4T/tuP7+ltE/fg8SaRtHU4jLnmtd5FrblVUJC+ElwtSI1g0PRt1gGE:YZuJj6p4rmeu3gxaRm4jbEdYcKSIbptM REGULAR          7.__DATA_CONST.__const
8   0x0000c000    0x20 0x10000c000    0x20 -rw- 0x0   1:llllllllllllllllllllllllllllllll:                                                                REGULAR          8.__DATA.__data
9   0x00000000     0x0 0x10000c020    0xb0 -rw- 0x0                                                                                                      ZEROFILL         9.__DATA.__common
10  0x00000000     0x0 0x10000c0d0   0x150 -rw- 0x0                                                                                                      ZEROFILL         10.__DATA.__bss

@trufae trufae closed this as completed in aa0ae18 Feb 2, 2025