Adam Meily
This has been confirmed to be a limitation of binrec because `jmp` based indirect function calls are not implemented.
The `ln` sample is failing to lift when performing a hard link because it does an indirect function call to `linkat` from `rpl_linkat`. These functions appear to be provided by...
I'm seeing this on `dd` as well, with the `rpl_fclose` function:

```gdb
Dump of assembler code for function rpl_fclose:
# ... instructions ...
0x08050b34 : pop ebx
0x08050b35 : pop...
```
This is also occurring on `expand`:

```gdb
Dump of assembler code for function rpl_fflush:
# ... instructions ...
0x0804bc93 : pop ebx
0x0804bc94 : jmp 0x8048c80
```
Interestingly, with all the updates to S2E and binrec, the `insert_calls` pass is now correctly identifying indirect function calls and bailing early.

```
binrec.errors.BinRecLiftingError: failed to perform initial lifting of...
```
It looks like the function being indirectly called is removed in the `recover_functions` pass. My initial thought was to update `insert_calls`, which runs after `recover_functions`, to unconditionally branch to the...
> Do you know why it's being removed?

It looks like the function that is being called indirectly is merged into the body of the function performing the indirect call....
I think the `cat` sample is very specific because the `Func_8049200` function is actually a library function (`posix_fadvise`). So, the `recover_functions` pass is incorrectly merging the stub function, which performs...
I've confirmed that `recover_functions` appears to be treating `jmp` based indirect function calls as part of the function body, which is an issue when the function being indirectly called is...
Binrec does not support lifting tail calls to external functions and, for the time being, this issue will not be addressed.

### Example

The coreutils `cat` sample has a tail...
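Added example, not binrec code and not from the thread: a small Python heuristic that scans a gdb-style listing and reports an unconditional `jmp` whose target lies outside the function's own address range as a tail call, while leaving intra-function branches alone and reporting register/memory-indirect jumps separately. This is the kind of check a function-recovery pass needs so that the jumped-to function is not merged into the caller's body. The `rpl_fflush` listing is constructed around the two `pop ebx` / `jmp 0x8048c80` lines quoted above; every other instruction, the `fflush@plt` and `clearerr_unlocked@plt` names, and the `dispatch` function are assumptions.

```python
import re
from typing import Dict, List

# Constructed gdb-style listing (an assumption for this example). The two lines
# at 0x0804bc93/0x0804bc94 echo the rpl_fflush fragment quoted in the thread;
# every other instruction and the <...@plt> symbols are made up.
SAMPLE_TAIL_CALL = """\
Dump of assembler code for function rpl_fflush:
   0x0804bc60 <+0>:     push   ebx
   0x0804bc61 <+1>:     sub    esp,0x18
   0x0804bc64 <+4>:     mov    ebx,DWORD PTR [esp+0x20]
   0x0804bc68 <+8>:     test   ebx,ebx
   0x0804bc6a <+10>:    je     0x804bc90 <rpl_fflush+48>
   0x0804bc6c <+12>:    mov    DWORD PTR [esp],ebx
   0x0804bc6f <+15>:    call   0x8048d10 <clearerr_unlocked@plt>
   0x0804bc74 <+20>:    jmp    0x804bc92 <rpl_fflush+50>
   0x0804bc90 <+48>:    xor    eax,eax
   0x0804bc92 <+50>:    add    esp,0x18
   0x0804bc93 <+51>:    pop    ebx
   0x0804bc94 <+52>:    jmp    0x8048c80 <fflush@plt>
End of assembler dump.
"""

# Constructed listing with a table-driven (memory-indirect) jmp; assumed names.
SAMPLE_INDIRECT = """\
Dump of assembler code for function dispatch:
   0x08049300 <+0>:     mov    eax,DWORD PTR [esp+0x4]
   0x08049304 <+4>:     jmp    DWORD PTR [eax*4+0x804a000]
End of assembler dump.
"""

HEADER_RE = re.compile(r"^Dump of assembler code for function (?P<name>\S+):")
# Accepts "0xADDR <+N>: mnem ops" and the bare "0xADDR : mnem ops" form pasted in the thread.
INSN_RE = re.compile(
    r"^\s*(?P<addr>0x[0-9a-fA-F]+)\s*(?:<\+\d+>)?\s*:\s+(?P<mnem>\S+)\s*(?P<ops>.*?)\s*$"
)
# A direct branch target: an immediate address, optionally followed by <symbol>.
TARGET_RE = re.compile(r"^(?P<addr>0x[0-9a-fA-F]+)(?:\s+<(?P<sym>[^>]+)>)?")


def parse_listing(text: str) -> Dict:
    """Split a gdb disassembly into the function name and its instructions."""
    name, insns = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            name = h["name"]
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append({"addr": int(m["addr"], 16), "mnem": m["mnem"], "ops": m["ops"]})
    return {"name": name, "insns": insns}


def _looks_like_epilogue(prev: List[Dict]) -> bool:
    """True if the instructions just before a jmp tear down the caller's frame."""
    return any(p["mnem"] in ("pop", "leave") or (p["mnem"] == "add" and p["ops"].startswith("esp"))
               for p in prev)


def find_tail_calls(text: str) -> List[Dict]:
    """Report each unconditional jmp that leaves the function's address range.

    An intra-function jmp is ordinary control flow and belongs to the body; a
    jmp to an address outside [first, last] instruction is a tail call to some
    other function (here a PLT stub); an indirect jmp has no static target and
    is reported as such so an analyst can resolve it another way.
    """
    fn = parse_listing(text)
    insns = fn["insns"]
    if not insns:
        return []
    lo, hi = insns[0]["addr"], insns[-1]["addr"]
    results = []
    for i, insn in enumerate(insns):
        if insn["mnem"] != "jmp":  # only unconditional jmps can be tail calls
            continue
        epilogue = _looks_like_epilogue(insns[max(0, i - 2):i])
        t = TARGET_RE.match(insn["ops"])
        if not t:
            results.append({"caller": fn["name"], "addr": insn["addr"], "target": None,
                            "symbol": None, "kind": "indirect", "has_epilogue": epilogue})
            continue
        target = int(t["addr"], 16)
        if lo <= target <= hi:
            continue  # stays inside the function: part of the body, not a call
        results.append({"caller": fn["name"], "addr": insn["addr"], "target": target,
                        "symbol": t["sym"], "kind": "tail-call", "has_epilogue": epilogue})
    return results


if __name__ == "__main__":
    for listing in (SAMPLE_TAIL_CALL, SAMPLE_INDIRECT):
        for r in find_tail_calls(listing):
            tgt = f"{r['target']:#x} <{r['symbol']}>" if r["target"] is not None else "(indirect)"
            print(f"{r['caller']} {r['addr']:#010x}: {r['kind']} -> {tgt}, epilogue={r['has_epilogue']}")
```

The address-range test is deliberately simple: it only needs the first and last instruction of the dumped function, which is exactly what a listing like the ones pasted above provides. The `has_epilogue` flag records whether the frame was already torn down before the jump, which is the tell-tale shape of a compiler-generated tail call and the reason the jumped-to function must be treated as a separate function rather than as more of the caller's body.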