binaryninja-api
_objc_msgSend rewrite parser cannot handle multiple functions sharing a selector name
Let's say there are two classes, an Employee class and a Student class. They are not related at all, but they both have a function called print. The current _objc_msgSend resolver doesn't account for that and sets every function to just one function.
You can see below that it's calling a function from Student when Employee is not even related to it.

I think it should only set the address when you know for sure which object it is. Maybe do sink -> init source analysis to know which class it is, and only change the call when it is likely correct.
Is this binary shareable? I can recreate something I believe is similar but having this test case available to me would be convenient. You're welcome to share it in private via Slack, etc. if you would prefer not to upload it here.
I can do that. Will do in a bit. Driving.
For employees: search internal Slack for Applause Weigh Train Urge to find the binary.
We've taken steps to mitigate this in versions >= 5.1.7572. The Objective-C call rewrite functionality will now be disabled by default on Objective-C Binaries, with the option to re-enable it application-wide or in Open with Options.
The following iOS system binary is a strong example of us confidently getting these incorrect:
I'm going to leave this issue open to track our progress on further improving this functionality.
Note that you can see the potential targets of a specific message send by clicking on the selector and looking at its cross references. After https://github.com/Vector35/binaryninja-api/pull/6814, the Objective-C workflow now adds cross-references from a selector to known implementations of that selector in the loaded binary.
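As an added illustration of the resolution rule discussed in this thread (it is not Binary Ninja's own code and does not use its API): a small Python model of a selector-to-implementation map, with a naive resolver that always picks one implementation per selector, beside a conservative resolver that rewrites a message send only when the selector has a single known implementation or when the receiver class is already known. The class/selector/address table and the call sites are constructed sample data; the receiver class, where present, is assumed to come from some upstream analysis (such as the sink -> init source analysis suggested above) and is simply passed in.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not taken from a real binary: two unrelated
# classes that both implement -print, plus one selector with a single
# implementation.
IMPLEMENTATIONS: List[Tuple[str, str, int]] = [
    ("Employee", "init",  0x100001000),
    ("Employee", "print", 0x100001040),
    ("Student",  "init",  0x100002000),
    ("Student",  "print", 0x100002040),
    ("Logger",   "flush", 0x100003000),
]

# Constructed call sites: (address of the objc_msgSend call, selector,
# receiver class if some earlier analysis recovered it, else None).
CALL_SITES: List[Tuple[int, str, Optional[str]]] = [
    (0x100004000, "print", "Employee"),  # receiver known: safe to rewrite
    (0x100004010, "print", None),        # receiver unknown: ambiguous
    (0x100004020, "flush", None),        # only one implementation exists
    (0x100004030, "reset", None),        # no implementation in this binary
]


class SelectorResolver:
    """Maps a selector name to every known implementation, keyed by class."""

    def __init__(self, impls: List[Tuple[str, str, int]]) -> None:
        self.by_selector: Dict[str, Dict[str, int]] = defaultdict(dict)
        for cls, sel, addr in impls:
            self.by_selector[sel][cls] = addr

    def candidates(self, selector: str) -> Dict[str, int]:
        """All implementations of `selector`, as {class name: address}."""
        return dict(self.by_selector.get(selector, {}))

    def resolve_naive(self, selector: str) -> Optional[int]:
        """The behaviour the issue describes: pick the first implementation
        found for the selector, regardless of how many there are."""
        cands = self.candidates(selector)
        return next(iter(cands.values())) if cands else None

    def resolve(self, selector: str,
                receiver_class: Optional[str] = None) -> Optional[int]:
        """Conservative resolution: return a target only when it is certain.

        - receiver class known  -> that class's implementation (or None)
        - exactly one candidate -> that candidate
        - otherwise             -> None, leave the objc_msgSend call alone
        """
        cands = self.candidates(selector)
        if not cands:
            return None
        if receiver_class is not None:
            return cands.get(receiver_class)
        if len(cands) == 1:
            return next(iter(cands.values()))
        return None


def rewrite_calls(resolver: SelectorResolver,
                  call_sites: List[Tuple[int, str, Optional[str]]]
                  ) -> Dict[int, Optional[int]]:
    """Decide, per call site, which direct target (if any) replaces the
    objc_msgSend call. None means the call is left as a message send."""
    return {addr: resolver.resolve(sel, cls) for addr, sel, cls in call_sites}


if __name__ == "__main__":
    r = SelectorResolver(IMPLEMENTATIONS)
    for addr, sel, cls in CALL_SITES:
        print(f"{addr:#x} [{sel}] receiver={cls}: "
              f"naive={r.resolve_naive(sel)} conservative={r.resolve(sel, cls)}")
```

The naive resolver is what turns an Employee -print call into a jump to Student's (or whichever implementation was indexed first), which is exactly the mislabelled call shown in the screenshot. The conservative resolver keeps the ambiguous site as a message send, where the selector's cross-references still list both candidates.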