
Cannot figure out the parameter of the call if the parameters are moved into the stack rather than pushed

Open xusheng6 opened this issue 1 year ago • 3 comments

In the following code,

[Screenshot, 2024-02-05 3:08 PM]

[Screenshot, 2024-02-05 3:07 PM]

It seems the analysis is confused and does not figure out that the parameter being moved into [esp] is the parameter for the function call. What is even more puzzling is that this is NOT always the case. For example, for the sleep call there are three occasions, and only two of them show the behavior; the other one works just fine. For sub_804a300, which is printf-like, we actually get it correct plenty of times, though for some of them it does not work.

[Screenshot, 2024-02-05 3:11 PM]

I checked the IL, and when we cannot figure out the parameters, the MLIL is MLIL_CALL_UNTYPED; in the cases where we get it correct, it is an MLIL_CALL with the appropriate parameters.

xusheng6 avatar Feb 05 '24 07:02 xusheng6

v35 folks should search for who fade safety iron noon to find the binary

xusheng6 avatar Feb 05 '24 07:02 xusheng6

This is somehow similar to https://github.com/Vector35/binaryninja-api/issues/4986

xusheng6 avatar Feb 06 '24 14:02 xusheng6

This is most likely related to #3927. Also, I'm betting the cause of this is that we're losing track of the stack pointer, and it's not really indicated when we think we have a good solution. We should be much louder when this occurs. Dead giveaway is when you see *esp = 0xa

plafosse avatar Feb 13 '24 14:02 plafosse
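The mechanism the two comments above describe (arguments recovered only while the analysis can still place esp, and an untyped call once it cannot) can be shown with a small stack-pointer tracker. The following is an added example written for this page; it is not Binary Ninja's analysis, uses no Binary Ninja API, and the three x86-32 cdecl listings, the `sleep`/`sub_804a300` targets and the `and esp, 0xfffffff0` realignment are constructed for illustration. It tracks esp as an offset from function entry, records immediates that reach the stack either by `push` or by `mov dword [esp+N]`, and reports a call as untyped (with a loud warning for any store through an esp it can no longer place, the `*esp = 0xa` symptom) once the offset stops being a known constant.

```python
"""Toy x86-32 stack-pointer tracker: recovers cdecl call arguments whether they
are pushed or stored with mov [esp+N], and degrades to an untyped call once the
esp offset is unknown. Added illustration; not Binary Ninja's code or API."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Call:
    target: str
    args: Optional[list]   # None models an untyped call: arguments unrecoverable
    reason: str = ""


# Constructed listings (x86-32, cdecl); illustrative, not from the issue's binary.
PUSH_STYLE = [
    "push 0xa",
    "call sleep",
    "add esp, 0x4",
]
MOV_STYLE = [
    "sub esp, 0x10",
    "mov dword [esp+0x4], 0x2a",
    "mov dword [esp], 0xa",
    "call sub_804a300",
    "add esp, 0x10",
]
LOST_SP = [
    "sub esp, 0x10",
    "and esp, 0xfffffff0",   # realignment: esp offset is no longer a known constant
    "mov dword [esp], 0xa",  # the store that would render as *esp = 0xa
    "call sleep",
]

IMM = r"(?:0x[0-9a-fA-F]+|\d+)"
PUSH = re.compile(rf"^push\s+({IMM})$")
SUB_SP = re.compile(rf"^sub\s+esp,\s*({IMM})$")
ADD_SP = re.compile(rf"^add\s+esp,\s*({IMM})$")
STORE = re.compile(rf"^mov\s+dword\s+\[esp(?:\+({IMM}))?\],\s*({IMM})$")
CALL = re.compile(r"^call\s+(\S+)$")
CLOBBER_SP = re.compile(r"^(?:and|or|mov|lea)\s+esp,")   # non-constant change to esp


def recover_calls(listing, max_args=8):
    """Return (calls, warnings). sp is the esp offset relative to function entry
    (0), or None once it can no longer be tracked as a constant."""
    sp = 0
    slots = {}              # stack offset -> immediate stored there
    calls, warnings = [], []
    for line in listing:
        ins = line.split(";", 1)[0].strip()
        if m := PUSH.match(ins):
            if sp is not None:
                sp -= 4
                slots[sp] = int(m[1], 0)
        elif m := SUB_SP.match(ins):
            if sp is not None:
                sp -= int(m[1], 0)
        elif m := ADD_SP.match(ins):
            if sp is not None:
                sp += int(m[1], 0)
                # slots below the new esp have been popped; forget them
                slots = {o: v for o, v in slots.items() if o >= sp}
        elif m := STORE.match(ins):
            if sp is None:
                warnings.append(f"store through untracked esp: {ins}")
            else:
                slots[sp + int(m[1] or "0", 0)] = int(m[2], 0)
        elif CLOBBER_SP.match(ins):
            sp = None       # from here on nothing can be placed relative to esp
            slots.clear()
        elif m := CALL.match(ins):
            if sp is None:
                calls.append(Call(m[1], None, "stack pointer offset unknown at call site"))
                continue
            # cdecl: arguments are the contiguous known dwords starting at esp
            args, off = [], sp
            while off in slots and len(args) < max_args:
                args.append(slots[off])
                off += 4
            calls.append(Call(m[1], args))
    return calls, warnings


if __name__ == "__main__":
    for name, listing in (("push", PUSH_STYLE), ("mov", MOV_STYLE), ("lost", LOST_SP)):
        calls, warnings = recover_calls(listing)
        print(name, calls, warnings)
```

Both the `push 0xa` and the `mov dword [esp], 0xa` form yield a typed call with `[10]` (plus `[10, 42]` for the two-slot store), while the realigned listing yields an untyped call and one warning. In Binary Ninja itself the equivalent triage is to walk a function's MLIL and look for instructions whose operation is the `MLIL_CALL_UNTYPED` that the report above mentions, then inspect the preceding stores through esp at those sites.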