
IL inlining of jump table dispatch routines

Open plafosse opened this issue 1 year ago • 1 comment

Discussed in https://github.com/Vector35/binaryninja-api/discussions/5193

Originally posted by mostthingsweb, March 18, 2024:

I'm dealing with an ARM binary that has some jump tables in it. The tricky thing is the jump table logic is encapsulated in its own routine (which I've named doJumpTable):

[image attached to the original post]

arg1 (r3) is passed as the index into the jump table. lr is used to locate the jump table, which exists right after the bl doJumpTable in the caller.

I have already worked through the disassembly for one of the callers and resolved the possible jump targets, using this article as inspiration: https://www.lodsb.com/reversing-complex-jumptables-in-binary-ninja.

Question: The "Inline during analysis (experimental)" option is disabled for doJumpTable. Any ideas why this might be?

If it were enabled, I would be able to use UIDF to constrain the r3 input and have Binja trace through the possible jumps. But without the ability to inline doJumpTable, Binja doesn't see the jumps. What's the best way to proceed here?
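The dispatch pattern described above (index in r3, table located through lr immediately after the `bl`) can be resolved offline once the caller's bound on the index is known. The following is an added example, not code from the issue or from Binary Ninja; the table layout it assumes (32-bit little-endian absolute addresses starting at the return address of a 4-byte BL) is a constructed model, since the screenshot is not available, and the image bytes are constructed sample data.

```python
"""
Added example: recover the targets of a call-based jump table dispatch
(index in r3, table placed right after `bl doJumpTable`, located via lr).

Assumptions (constructed for this example, not taken from the issue's binary):
  - the BL instruction is 4 bytes, so lr = call_addr + 4 is the table start;
  - each table entry is a 32-bit little-endian absolute code address;
  - the caller proves an upper bound on r3 before the call (this is the
    constraint UIDF would otherwise supply); without it the table size is
    unknown and resolution refuses to guess.
"""
import struct
from typing import List, Optional

ENTRY_SIZE = 4        # bytes per table entry (assumed)
BL_LENGTH = 4         # ARM BL encoding length (assumed, not Thumb)

# --- constructed sample image -------------------------------------------
IMAGE_BASE = 0x8000
CALL_ADDR = 0x8010                                   # `bl doJumpTable` in the caller
TABLE_ENTRIES = [0x8040, 0x8050, 0x8060, 0x8040]     # 4 cases; two share a target


def build_sample_image() -> bytes:
    """Zero-filled 'code' with the jump table planted right after the BL."""
    img = bytearray(0x80)
    off = CALL_ADDR + BL_LENGTH - IMAGE_BASE
    for i, target in enumerate(TABLE_ENTRIES):
        struct.pack_into("<I", img, off + i * ENTRY_SIZE, target)
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()


# --- resolution logic ------------------------------------------------------
def table_base_from_call(call_addr: int, call_len: int = BL_LENGTH) -> int:
    """lr after a BL is the next instruction's address, where the table lives."""
    return call_addr + call_len


def read_jump_targets(image: bytes, image_base: int, table_addr: int, count: int) -> List[int]:
    """Read `count` absolute entries from the table, bounds-checked against the image."""
    off = table_addr - image_base
    end = off + count * ENTRY_SIZE
    if off < 0 or end > len(image):
        raise ValueError("jump table runs outside the image")
    return [struct.unpack_from("<I", image, off + i * ENTRY_SIZE)[0] for i in range(count)]


def resolve_dispatch(image: bytes, image_base: int, call_addr: int,
                     max_index: Optional[int]) -> List[int]:
    """
    Return the sorted, de-duplicated branch targets reachable through the
    dispatch routine for indices 0..max_index. `max_index` is the bound the
    caller establishes on r3 (e.g. a cmp/bhi guard before the bl); None means
    no bound is known, which is exactly the case where analysis cannot proceed.
    """
    if max_index is None or max_index < 0:
        raise ValueError("need a proven upper bound on the r3 index to size the table")
    table = table_base_from_call(call_addr)
    targets = read_jump_targets(image, image_base, table, max_index + 1)
    lo, hi = image_base, image_base + len(image)
    for t in targets:
        # A target outside the mapped code means the bound or the layout is wrong.
        if not (lo <= t < hi):
            raise ValueError(f"entry 0x{t:x} is not a code address in the image")
    return sorted(set(targets))


if __name__ == "__main__":
    for t in resolve_dispatch(SAMPLE_IMAGE, IMAGE_BASE, CALL_ADDR, max_index=3):
        print(f"0x{CALL_ADDR:x} -> 0x{t:x}")
```

The list that `resolve_dispatch` returns is the input one would hand to Binary Ninja for the call site, for instance through `Function.set_user_indirect_branches` in the Python API, so that the caller's graph shows the dispatch targets even though the inlining option is unavailable; the explicit failure on a missing index bound mirrors why the analysis needs a constraint on r3 in the first place.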

plafosse avatar Apr 09 '24 14:04 plafosse

We unfortunately don't support IL inlining of jump table dispatches at the moment.
