ghidra
Cannot create function from bad thunk
Describe the bug
Scrolling through an image for undefined functions. I cannot create a function and get an error `Function body must contain the entrypoint`. The xref to the function is a thunk (not labeled as a thunk).

The thunk is:

```asm
3d 60 aa bb    lis r11,0xaabb
39 6b cc dd    addi r11,r11,0xccdd
7d 69 03 a6    mtspr CTR,r11
4e 80 04 20    bctr
```

and then the body is:

```c
/* WARNING: Treating indirect jump as call */
(*(code *)0xaabbccdd)();
```
Environment (please complete the following information):
- OS: 22.04
- Java Version: 17.0.7
- Ghidra Version: 10.3
- Ghidra Origin: official
Questions:
- How are you attempting to create the function? (current location, action, script method, api call, etc.). It would seem the function body was not defined properly.
- Are you trying to make a function on the first thunk instruction shown above or at the "thunked" address `aabbccdd`?
- Is there a SUB_ label on the function entry point where you have tried to define the function?
The scenario I'm seeing is (this is sort of from memory, I don't have that image in front of me):
```asm
THUNK_FUNC: #(aabb0000)
    lis r11, %hi(FUNC)
    ori r11, r11, %lo(FUNC)
    bctr r11
...
FUNC: #(aabbccdd)
    stwu r1, -0x20(r1)
    mfspr r0, LR
    ...
    addi r1, r1, 0x20
    mtspr LR, r0
    blr LR
...
OTHER_FUNC: #(aabbff00)
    stwu r1, -0x20(r1)
    mfspr r0, LR
    ...
    bl FUNC
    ...
    addi r1, r1, 0x20
    mtspr LR, r0
    blr LR
```
I did not really do anything at this point in interacting with any of the 3; this was done in auto-analysis. I may have selected large regions and disassembled, but that would be all from the user's POV.

OTHER_FUNC gets turned into a function.
THUNK_FUNC gets turned into a function (non-thunk).
FUNC is a subroutine (yes, sorry, I should have called out the SUB_).
OTHER_FUNC sees FUNC as funcxaabbccdd (or whatever name subroutines get).
Going to FUNC and pressing F, or right-click Create Function, produces the popup.

edit: well, sub for this case where another function calls it as well as a thunk; some other instances only have the "thunk", I don't recall if that had SUB_.
This is one of those cases where we would need the gzf in the state prior to your invoking the F action to properly diagnose. There is insufficient detail to attempt to reproduce, which would require quite a bit of effort.

I assume the "popup" error message only occurs as a result of your invoking the Create Function action (F key press) at 0xaabbccdd after analysis has left it in the state indicated above. This seems very unexpected, since it should have attempted to discover the function body starting from the entry point.
Thanks for taking a look @ghidra1 ... yeah, this def seems like a hard problem to accurately describe, and I'm not certain I could share my target binary. I did attempt to recreate this by hand-jamming bytes and it looks like I have a repro, but I'm not sure if it's 100% equivalent since some of it might be USER_ANALYSIS vs. generated through auto-analysis.

(I just changed the gzf extension name to allow GitHub upload.)
The sample, which does appear to replicate your reported issue, has the first byte at SUB_07000020 as part of the body for the preceding function at FUN_07000008, which is tripping up the body computation for the create function command at SUB_07000020. While this in itself seems to be an issue, it should not have interfered with the function creation as it appears to. I have a fix for it which is in review for the 10.3.2 release.
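The two ingredients of this thread, the 4-instruction PowerPC CTR thunk from the report and the body-overlap state diagnosed in the last comment, as an added standalone Python example (not Ghidra code and not a Ghidra script): it decodes the thunk bytes to their absolute target and then checks whether that target already sits inside another recorded function body. The ori variant of the thunk, the function body lengths and the `FUNCTIONS` table are constructed assumptions; the addresses come from the thread.

```python
import struct

CTR = 9  # SPR number of the PowerPC count register

# Constructed samples: the 16 thunk bytes quoted in the report (lis/addi/mtspr CTR/bctr)
# and, as an assumption, the same thunk with ori in place of addi.
THUNK_ADDI = bytes.fromhex("3d60aabb" "396bccdd" "7d6903a6" "4e800420")
THUNK_ORI = bytes.fromhex("3d60aabb" "616bccdd" "7d6903a6" "4e800420")

def decode_ctr_thunk(code):
    """Return the absolute target of a lis/(addi|ori)/mtctr/bctr thunk, else None.
    addi sign-extends its immediate, so a low half >= 0x8000 lowers the high half
    by one; ori does not. Confusing the two puts the target off by 0x10000."""
    if len(code) < 16:
        return None
    w = struct.unpack(">4I", code[:16])         # big-endian 32-bit words
    opc = [x >> 26 for x in w]
    rd = [(x >> 21) & 31 for x in w]            # rD / rS field
    ra = [(x >> 16) & 31 for x in w]            # rA field
    imm = [x & 0xFFFF for x in w]
    if opc[0] != 15 or ra[0] != 0:              # lis reg, hi (addis with rA = 0)
        return None
    reg = rd[0]
    if opc[1] == 14 and rd[1] == reg and ra[1] == reg:    # addi reg, reg, lo (signed)
        lo = imm[1] - 0x10000 if imm[1] & 0x8000 else imm[1]
    elif opc[1] == 24 and rd[1] == reg and ra[1] == reg:  # ori reg, reg, lo (unsigned)
        lo = imm[1]
    else:
        return None
    # mtspr CTR, reg: opcode 31, XO 467; the 10-bit SPR field is stored as two swapped halves
    spr_field = (w[2] >> 11) & 0x3FF
    spr = ((spr_field & 31) << 5) | (spr_field >> 5)
    if opc[2] != 31 or ((w[2] >> 1) & 0x3FF) != 467 or rd[2] != reg or spr != CTR:
        return None
    # bctr: opcode 19, XO 528, BO = 20 (branch always), LK = 0 (a jump, not a call)
    if opc[3] != 19 or ((w[3] >> 1) & 0x3FF) != 528 or rd[3] != 20 or (w[3] & 1):
        return None
    return ((imm[0] << 16) + lo) & 0xFFFFFFFF

def body_conflict(target, functions):
    """functions maps a name to its (start, end_exclusive) body range. Return the
    name of a different function whose body already covers target, which is the
    state the maintainer found at SUB_07000020 inside FUN_07000008."""
    for name, (start, end) in functions.items():
        if start != target and start <= target < end:
            return name
    return None

# Constructed function table: the two addresses from the thread, with assumed body lengths.
FUNCTIONS = {"FUN_07000008": (0x07000008, 0x07000024), "SUB_07000020": (0x07000020, 0x07000040)}
```

Note that with the bytes exactly as quoted, the addi form resolves to 0xaabaccdd, one high half below the 0xaabbccdd the decompiler printed; a compiler emitting addi would have used `lis r11,0xaabc` to land on 0xaabbccdd.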