binaryninja-api icon indicating copy to clipboard operation
binaryninja-api copied to clipboard
verified publisher icon Vector35

HLIL does not use array access

Open xusheng6 opened this issue 1 year ago • 6 comments

In the following code, 0x6021d0 is a data variable whose type is set to char input[0x100], and r15 is set to uint64_t. I believe the HLIL should simplify the code to input[r15]

Screenshot 2024-02-28 at 4 51 12 PM

xusheng6 avatar Feb 28 '24 08:02 xusheng6

The binary is from https://www.root-me.org/en/Challenges/Cracking/Voracious-Nanomites, which is not yet publicly available. A user shared the file in private. V35 folks should search for "concealed zantiot metabolize laughful backed" to find the file

xusheng6 avatar Feb 28 '24 08:02 xusheng6

The binary shared here has a similar problem. https://github.com/Vector35/binaryninja-api/issues/5074

plafosse avatar Mar 05 '24 18:03 plafosse

This might be a duplicate of: #4251

plafosse avatar Mar 19 '24 18:03 plafosse

So from what I've been able to tell from a little while debugging. The problem is that when an array reference is duplicated for the sake of condition duplication during control flow structuring the duplicates don't have the type information propagated to them.

plafosse avatar Mar 19 '24 18:03 plafosse

This particular case is because it isn't being recognized as a pointer at all. Converting the address to a pointer by pressing 'O' on it resolves this automatically.

D0ntPanic avatar Apr 12 '24 00:04 D0ntPanic

This file is an ELF that is not relocatable, and the address is being set directly as a constant with no way for us to know directly what is a pointer and what is not. This is running into heuristics and borderline undecidable problems (even if this case could be decided, it still has to be done heuristically). There is no obvious solution to this issue, other than pressing 'O' on the pointer.

D0ntPanic avatar Apr 12 '24 00:04 D0ntPanic