
Incorrect MLIL->HLIL lifting for obfuscated code

Open xusheng6 opened this issue 1 year ago • 2 comments

For the following code, the last instruction should be something like:

0040121c          int32_t eax_4 = counter
0040121c          counter = eax_4 + 1

which basically increments the counter variable by 1. However, the HLIL is wrong:

[Screenshot 2024-05-10 at 2:00:24 PM: HLIL output]

The input file is obfuscated with junk code, and I have highlighted the relevant instructions:

[Screenshot 2024-05-10 at 2:02:15 PM: disassembly with relevant instructions highlighted]

BNDB: keygenme4.exe.bndb.zip

I verified the lifting is correct till MLIL, but it becomes wrong in HLIL.

[Screenshot 2024-05-10 at 2:04:05 PM: MLIL output]

xusheng6, May 10 '24 06:05
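The issue above is a case where a variable that MLIL both writes and reads keeps its use in HLIL but loses its assignment. The script below is an added example, not code from the issue or from the binaryninja-api project, for triaging a whole binary for that pattern before trusting HLIL on obfuscated code. The comparison logic is pure Python and runs on constructed data; `scan_binary` and `collect` assume the current Binary Ninja Python API (`binaryninja.load`, `Function.mlil`/`.hlil`, `get_var_definitions`, `get_var_uses`, `Function.parameter_vars`) and only run inside a Binary Ninja install. Addresses 0x40121c and 0x4011ac come from the issue; the other variables and addresses in the sample are made up.

```python
"""Flag variables whose MLIL assignments vanish in HLIL while a use survives.

find_unreached_hlil_uses() is pure and needs no Binary Ninja. collect() and
scan_binary() assume the Binary Ninja Python API named in the lead-in.
"""
from typing import Dict, Iterable, List, Tuple

AddrMap = Dict[str, List[int]]   # variable name -> instruction addresses


def find_unreached_hlil_uses(mlil_defs: AddrMap, mlil_uses: AddrMap,
                             hlil_defs: AddrMap, hlil_uses: AddrMap,
                             params: Iterable[str]) -> List[Tuple[str, List[int]]]:
    """Return (var, mlil_def_addrs) for variables that MLIL both assigns and
    reads, that HLIL still reads, but that HLIL never assigns.

    HLIL may legitimately fold a variable away entirely (then it has neither
    a def nor a use), so only a surviving use with no reaching assignment is
    reported. Parameters are skipped: they are defined at function entry,
    not by an assignment, so a use without a def is normal for them.
    """
    skip = set(params)
    hits: List[Tuple[str, List[int]]] = []
    for var, defs in sorted(mlil_defs.items()):
        if var in skip or not defs or not mlil_uses.get(var):
            continue
        if hlil_uses.get(var) and not hlil_defs.get(var):
            hits.append((var, sorted(set(defs))))
    return hits


def _addr_map(variables, getter) -> AddrMap:
    """getter is il.get_var_definitions or il.get_var_uses (assumed API)."""
    out: AddrMap = {}
    for v in variables:
        addrs = sorted({insn.address for insn in getter(v)})
        if addrs:
            out[v.name] = addrs
    return out


def collect(func):
    """Build the four address maps plus parameter names for one Function."""
    mlil, hlil = func.mlil, func.hlil
    if mlil is None or hlil is None:      # analysis may be skipped/too large
        return None
    return (
        _addr_map(mlil.vars, mlil.get_var_definitions),
        _addr_map(mlil.vars, mlil.get_var_uses),
        _addr_map(hlil.vars, hlil.get_var_definitions),
        _addr_map(hlil.vars, hlil.get_var_uses),
        [p.name for p in func.parameter_vars],
    )


def scan_binary(path: str) -> Dict[str, List[Tuple[str, List[int]]]]:
    """Report suspicious variables per function; needs Binary Ninja."""
    import binaryninja                    # imported lazily on purpose
    bv = binaryninja.load(path)           # assumed: opens a .bndb or raw file
    report = {}
    for func in bv.functions:
        maps = collect(func)
        if maps is None:
            continue
        hits = find_unreached_hlil_uses(*maps)
        if hits:
            report[func.name] = hits
    return report


# Constructed sample mirroring the issue: 'counter' is stored at 0x40121c in
# MLIL and read at 0x4011ac; HLIL keeps the read but drops the store.
# 'eax_4' is a temp HLIL folds away completely (benign); 'i' survives
# intact (benign); 'arg1' is a parameter read without a def (benign).
SAMPLE_MLIL_DEFS = {"counter": [0x40121c], "eax_4": [0x40121c], "i": [0x401200]}
SAMPLE_MLIL_USES = {"counter": [0x4011ac, 0x40121c], "eax_4": [0x40121c],
                    "i": [0x401210], "arg1": [0x4011a0]}
SAMPLE_HLIL_DEFS = {"i": [0x401200]}
SAMPLE_HLIL_USES = {"counter": [0x4011ac], "i": [0x401210], "arg1": [0x4011a0]}
SAMPLE_PARAMS = ["arg1"]


def sample_report() -> List[Tuple[str, List[int]]]:
    return find_unreached_hlil_uses(SAMPLE_MLIL_DEFS, SAMPLE_MLIL_USES,
                                    SAMPLE_HLIL_DEFS, SAMPLE_HLIL_USES,
                                    SAMPLE_PARAMS)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for fn, hits in scan_binary(sys.argv[1]).items():
            for var, addrs in hits:
                print(f"{fn}: {var} assigned in MLIL at "
                      f"{', '.join(hex(a) for a in addrs)} but never in HLIL")
    else:
        print(sample_report())
```

Run it as `python3 check_hlil_defs.py keygenme4.exe.bndb` inside a Binary Ninja environment to get a per-function list; on the constructed sample it reports only `counter`. Expect some noise from variables read through their address (output buffers, out-parameters), which also have uses without an HLIL assignment; the check is a triage filter, not proof of a lifting bug.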

My guess is the MLIL 50 and 51 are already occupied by the orphaned HLIL instruction 0x4011ac (see the first screenshot for the awkward instruction that only has counter in it), so they are no longer used by later instructions.

xusheng6, May 10 '24 06:05

We're somehow losing track that a variable is being used. From the end of step 1 of the HLIL debug report: [image] is turning into [image]. Note the eax_428#2 on the last line didn't get replaced with counter.

negasora, Jun 01 '24 02:06