evm_cfg_builder
End of analysis but no functions were processed
Using LNOToken.evm, which corresponds to the compiled version of the LinoToken in LNOToken.sol, results in no functions processed:
g@g:~/Code/evm_cfg_builder$ python evm_cfg_builder/cfg_builder.py ~/Projects/zoo/LNOToken.evm
End of analysis
That's because LNOToken.evm begins with its constructor:
I took the provided file, and created a new file from offset 0x54 to the end (see the parameters of the CODECOPY). I opened that as a new file and got:

I think what's really needed is a feature request for the cfg_builder.py to identify a constructor versus the actual contract code, parse the parameters of the CODECOPY, and then disassemble both the constructor and the runtime code.
In the meantime, you can export the runtime bytecode with solc --bin-runtime LNOToken.sol
$ python evm_cfg_builder/cfg_builder.py lnotoken.evm
Analyze 0x4
Analyze approve(address,uint256)
Analyze totalSupply()
Analyze transferFrom(address,address,uint256)
Analyze decreaseApproval(address,uint256)
Analyze balanceOf(address)
Analyze transfer(address,uint256)
Analyze increaseApproval(address,uint256)
Analyze allowance(address,address)
End of analysis
0x4, 1 #bbs , payable,view,pure
approve(address,uint256), 5 #bbs
totalSupply(), 5 #bbs , view
transferFrom(address,address,uint256), 20 #bbs
decreaseApproval(address,uint256), 12 #bbs
balanceOf(address), 5 #bbs , view
transfer(address,uint256), 17 #bbs
increaseApproval(address,uint256), 9 #bbs
allowance(address,address), 5 #bbs , view
Note that the dispatcher is not yet correctly reported.
Hello, using evm_cfg_builder with https://github.com/trailofbits/evm_cfg_builder/files/2435010/LNOToken.evm.txt at the CODECOPY parameter position indeed finds the methods of the smart contract; however, I think I've found an issue (or a limitation) in how evm_cfg_builder resolves the JUMP address instructions.
There are JUMP instructions at addresses 0x1829, 0x140c, 0xc64, 0x1237 and 0x993 that are not resolved by evm_cfg_builder. They are simply ignored. The JUMP address in this case is obtained by the smart contract using, typically, the following prior instructions: PUSH2 - , SWAP1, SWAP2, SWAP1, PUSH4 - , AND, JUMP.
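The constructor/runtime split discussed earlier in this thread (find the constructor's CODECOPY, read its operands, carve out the runtime code) can be done as follows. This is an added example, not code from evm_cfg_builder or from any commenter: `split_init_code` and the sample bytes are constructed for illustration, and it assumes the common solc layout where the CODECOPY offset and length are pushed as constants.

```python
# Constructed sample: a 28-byte solc-style constructor followed by a 9-byte
# runtime stub (PUSH1 80, PUSH1 40, MSTORE, PUSH1 0, DUP1, REVERT).
SAMPLE_RUNTIME = bytes.fromhex("6080604052600080fd")
SAMPLE_INIT = bytes.fromhex(
    "6080604052348015600f57600080fd5b50"  # free-memory pointer + callvalue check
    "60098060" "1c" "600039"              # PUSH1 len, DUP1, PUSH1 off, PUSH1 0, CODECOPY
    "6000f3"                              # PUSH1 0, RETURN
) + SAMPLE_RUNTIME


def split_init_code(code: bytes):
    """Return (constructor, runtime), or None if no constant CODECOPY is found.

    Linear sweep with a tiny constant-tracking stack: only PUSH/DUP/SWAP are
    modelled, and any other opcode discards what is known. None marks a stack
    slot whose value is not tracked.
    """
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:                      # PUSH1..PUSH32
            n = op - 0x5F
            stack.append(int.from_bytes(code[pc + 1:pc + 1 + n], "big"))
            pc += n                                 # skip immediate bytes
        elif 0x80 <= op <= 0x8F:                    # DUP1..DUP16
            d = op - 0x7F
            stack.append(stack[-d] if len(stack) >= d else None)
        elif 0x90 <= op <= 0x9F and len(stack) > op - 0x8F:  # SWAP1..SWAP16
            d = op - 0x8F
            stack[-1], stack[-1 - d] = stack[-1 - d], stack[-1]
        elif op == 0x39 and len(stack) >= 3:        # CODECOPY(dest, off, size)
            off, size = stack[-2], stack[-3]
            # Accept only a fully constant copy of bytes located after this
            # instruction and inside the file; otherwise keep scanning, since
            # constructors with arguments issue an earlier CODECOPY first.
            if (off is not None and size is not None and size > 0
                    and pc < off and off + size <= len(code)):
                return code[:off], code[off:off + size]
            stack.clear()
        else:
            stack.clear()                           # untracked opcode
        pc += 1
    return None
```

The second element of the returned tuple is the byte range to write out and analyze as the runtime code; a `None` result means the input is likely runtime-only bytecode or uses a layout this scan does not model.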