Help with ddisasm hint
Hello,
I have a binary in which ddisasm incorrectly guesses that a data constant is a symbolic address (i.e., it generates assembly like cmp RCX,OFFSET SomeSymbol+70987, when it is actually a comparison to an integer constant).
I would like to use a hint to prevent this error. Is there some sort of hint I can use that would specify that there is no symbolic data access at this location, and it is just a constant?
Thanks
I think the unlikely_have_symbolic_immediate rule may be what I want: https://github.com/GrammaTech/ddisasm/blob/5a8779f427ddfecd085f5bfd86c3a2006251ef8d/src/datalog/code_inference.dl#L207
But I'm unable to specify this in a hint file. When I try, I get this warning: WARNING: ignoring hint in line 1: unknown relation unlikely_have_symbolic_immediate
My hint file looks like:
disassembly.unlikely_have_symbolic_immediate 0x452bd1
Hi @avncharlie
Instead of unlikely_have_symbolic_immediate, you can use symbolic_operand_point: something like the following:
disassembly.symbolic_operand_point 0x452bd1 1 -100 "user-hint-constant"
1 is the operand index.
-100 is an arbitrary negative score sufficient to prevent the operand from being symbolized.
"user-hint-constant" is a brief description explaining the reason for this score.
Hope this helps.
Thanks, this worked! I think it would be helpful to have a few more examples of user hints in the readme, including:
- Known code / not code (already in readme, and I believe is "valid/invalid")
- Not symbolic operand ("symbolic_operand_point" as above)
- Jump table manipulation (i.e., adding/removing/modifying Symbol+Symbol data)