
Constant value not leveraged in simplification if it comes from path constraint

Open · xusheng6 opened this issue 1 year ago · 1 comment

In the following code, the value of export_dir_rva is known to be the constant 0x0, but it is not optimized away in HLIL:

[screenshot 2024-06-20 1:30:23 PM]

[screenshot 2024-06-20 1:32:10 PM]

I do not know the exact cause of us not removing export_dir_rva; I guess it is because the constantness of the value comes from a path constraint, but I could be wrong.

P.S.: the original binary is obfuscated and the user had to patch the code to simplify it. While doing so, he accidentally inverted the condition, making the value of export_dir_rva become 0x0 in the true branch (it should be the opposite, i.e., not 0x0 in the true branch). That said, even in the case of the wrong patching, we should optimize away export_dir_rva since it is known to be 0x0.

See the binary and more info at https://github.com/Vector35/binaryninja-api/discussions/5629; the database is attached:

10wgyf.bndb.zip

xusheng6, Jun 20 '24 05:06

This is likely due to the difference in the two different dataflow systems.

plafosse, Jun 25 '24 14:06

Another case here:

[image]

We should be able to know from the branch at 0x14171f47e that r8 will be 0x1 at 0x14171f480, and then simplify the expression to 0x10 altogether.

xusheng6, Apr 11 '25 06:04
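The behaviour both reports ask for (the `export_dir_rva == 0` branch in the first post, the `r8 == 1` branch at 0x14171f47e in the second) is constant propagation that also harvests facts from path constraints: on the taken edge of an equality branch, the compared register is known to equal the constant, so uses of it in a block reached only through that edge can be folded. The following is an added, self-contained example of that analysis on a toy CFG; it is not Binary Ninja's dataflow code, and the IR, block names and register names are invented to mirror the two cases above. It runs the same CFGs with path constraints disabled to show the unfolded result the issue complains about, and it includes a join block to show that a constant learned on one edge is not leaked past a merge.

```python
"""Toy forward constant propagation with path constraints from equality branches.

Added, constructed example (not Binary Ninja's dataflow); IR and names are invented.
"""
from dataclasses import dataclass

MASK64 = 0xFFFFFFFFFFFFFFFF
OPS = {"add": lambda a, b: (a + b) & MASK64, "shl": lambda a, b: (a << b) & MASK64}


@dataclass
class Block:
    name: str
    stmts: list  # ("set", dst, src) | ("bin", dst, op, lhs, rhs); operands are int or reg name
    term: tuple  # ("br_eq", reg, K, taken, fallthrough) | ("jmp", target) | ("ret", reg)


def successors(block):
    t = block.term
    return [t[3], t[4]] if t[0] == "br_eq" else [t[1]] if t[0] == "jmp" else []


def reverse_postorder(by_name, entry):
    """Topological order for the (assumed acyclic) CFG, so predecessors are visited first."""
    order, seen = [], set()

    def visit(n):
        if n not in seen:
            seen.add(n)
            for s in successors(by_name[n]):
                visit(s)
            order.append(n)

    visit(entry)
    return order[::-1]


def edge_env(exit_env, block, target, use_path_constraints):
    """Facts flowing along block -> target: the block's exit facts plus the path constraint."""
    env = dict(exit_env)
    t = block.term
    # On the taken edge of `if reg == K`, reg is exactly K. The fallthrough edge only
    # says reg != K, which is not a constant, so nothing is added there.
    if use_path_constraints and t[0] == "br_eq" and target == t[3]:
        env[t[1]] = t[2]
    return env


def meet(envs):
    """Keep only registers that every incoming edge agrees are the same constant."""
    if not envs:
        return {}
    common = set(envs[0])
    for e in envs[1:]:
        common &= set(e)
    return {r: envs[0][r] for r in common if all(e[r] == envs[0][r] for e in envs)}


def const_of(operand, env):
    return operand if isinstance(operand, int) else env.get(operand)


def transfer(stmts, env):
    """Fold a block's statements under env; return (folded statements, exit env)."""
    env, out = dict(env), []
    for s in stmts:
        if s[0] == "set":
            _, dst, src = s
            v = const_of(src, env)
            folded = s if v is None else ("set", dst, v)
        else:
            _, dst, op, a, b = s
            va, vb = const_of(a, env), const_of(b, env)
            if va is not None and vb is not None:
                v = OPS[op](va, vb)
                folded = ("set", dst, v)
            else:
                v = None  # dst becomes unknown, but known operands are still substituted
                folded = ("bin", dst, op, a if va is None else va, b if vb is None else vb)
        if v is None:
            env.pop(dst, None)
        else:
            env[dst] = v
        out.append(folded)
    return out, env


def propagate(blocks, use_path_constraints=True):
    """Return {block name: folded statements}; the CFG entry is blocks[0]."""
    by_name = {b.name: b for b in blocks}
    preds = {b.name: [] for b in blocks}
    for b in blocks:
        for s in successors(b):
            preds[s].append(b.name)
    exit_envs, folded = {}, {}
    for name in reverse_postorder(by_name, blocks[0].name):
        incoming = [edge_env(exit_envs[p], by_name[p], name, use_path_constraints) for p in preds[name]]
        folded[name], exit_envs[name] = transfer(by_name[name].stmts, meet(incoming))
    return folded


# Constructed CFG in the shape of the second report: `cmp r8, 1; je taken`, and the taken
# block computes r9 = r8 << 4, which should become the constant 0x10.
SHIFT_CASE = [
    Block("entry", [("set", "r8", "rcx")], ("br_eq", "r8", 1, "taken", "fallthrough")),
    Block("taken", [("bin", "r9", "shl", "r8", 4)], ("jmp", "join")),
    Block("fallthrough", [("bin", "r9", "add", "r8", 1)], ("jmp", "join")),
    Block("join", [("bin", "r10", "add", "r8", "r9")], ("ret", "r10")),
]

# Constructed CFG in the shape of the first report: in the branch where export_dir_rva == 0,
# its uses should be replaced by 0 even though the sum with an unknown base cannot fold.
EXPORT_CASE = [
    Block("check", [], ("br_eq", "export_dir_rva", 0, "zero", "nonzero")),
    Block("zero", [("bin", "p", "add", "image_base", "export_dir_rva")], ("ret", "p")),
    Block("nonzero", [("bin", "p", "add", "image_base", "export_dir_rva")], ("ret", "p")),
]

if __name__ == "__main__":
    for label, cfg in (("shift", SHIFT_CASE), ("export", EXPORT_CASE)):
        for flag in (False, True):
            print(label, "with path constraints" if flag else "plain", propagate(cfg, flag))
```

With path constraints enabled, `taken` folds to `r9 = 16` and `zero` rewrites to `p = image_base + 0`; with them disabled both blocks keep the symbolic register, which is the HLIL output the reports show. The `join` block stays symbolic in both modes because only one of its two incoming edges knows `r8`, so `meet` discards it.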