
EDB's disassembler needs to be aware of memory context of an instruction

Open 10110111 opened this issue 6 years ago • 5 comments

Currently, if you have a sequence of bytes like 18 bf 49 40 in Thumb mode, you'll have as disassembly:

18 bf    it    ne
49 40    eors  r1, r1

This is obviously wrong, since the second instruction is in the IT block and must have a condition:

18 bf    it    ne
49 40    eorne r1, r1

This won't work until EDB starts at least passing something like 18 bytes to cs_disasm (maximum for an IT block). Of course, another problem would be the need to look "back" for a possible preceding IT instruction, especially when CPSR.IT≠0.



10110111 avatar Aug 26 '17 20:08 10110111
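An added example, not code from edb-debugger or Capstone: a minimal Python tracker for the Thumb IT-block state the issue says the disassembler is missing. It decodes the IT halfword, walks the following halfwords, and assigns each one the condition it executes under; `annotate`, `it_advance` and `itstate_from_cpsr` are names chosen here. `itstate_from_cpsr` covers the "CPSR.IT≠0" case by seeding the state from a CPSR value when the window starts inside an IT block.

```python
import struct

# Condition codes in encoding order (0 = EQ ... 14 = AL).
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]

def is_it(hw):
    """IT encoding: 1011 1111 firstcond mask, with mask != 0 (mask 0 is a hint)."""
    return (hw & 0xFF00) == 0xBF00 and (hw & 0x000F) != 0

def it_mnemonic(hw):
    """Render the IT halfword, e.g. 0xbf18 -> 'it ne', 0xbf14 -> 'ite ne'."""
    firstcond, mask = (hw >> 4) & 0xF, hw & 0xF
    suffix = ""
    for bit in (3, 2, 1):                 # x, y, z slots of the mask
        if mask & ((1 << bit) - 1) == 0:  # lower bits clear: block ends here
            break
        suffix += "t" if ((mask >> bit) & 1) == (firstcond & 1) else "e"
    return "it" + suffix + " " + COND[firstcond]

def it_advance(itstate):
    """ITAdvance(): clear when the block is done, else shift the low 5 bits."""
    if itstate & 0b111 == 0:
        return 0
    return (itstate & 0xE0) | ((itstate << 1) & 0x1F)

def itstate_from_cpsr(cpsr):
    """Reassemble ITSTATE from its split CPSR fields: bits 15:10 and 26:25."""
    return (((cpsr >> 10) & 0x3F) << 2) | ((cpsr >> 25) & 0x3)

def annotate(code, itstate=0):
    """Walk Thumb code and return (offset, text) per instruction, where text is
    the IT mnemonic, the condition suffix the instruction runs under, or None.
    Pass itstate=itstate_from_cpsr(cpsr) when code starts inside an IT block."""
    out, off = [], 0
    while off + 2 <= len(code):
        hw, = struct.unpack_from("<H", code, off)
        # Thumb-2 32-bit encodings start with 11101, 11110 or 11111.
        size = 4 if (hw >> 11) in (0x1D, 0x1E, 0x1F) else 2
        if is_it(hw):
            out.append((off, it_mnemonic(hw)))
            itstate = hw & 0xFF            # firstcond:mask becomes ITSTATE
        elif itstate & 0xF:                # inside an IT block
            out.append((off, COND[itstate >> 4]))
            itstate = it_advance(itstate)
        else:
            out.append((off, None))
        off += size
    return out

# Constructed sample: the bytes from the report, "18 bf 49 40".
print(annotate(bytes.fromhex("18bf4940")))   # [(0, 'it ne'), (2, 'ne')]
```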

Yea, I've been thinking that this would be a difficult challenge to deal with. My current thought is that if the user has run analysis on the region (maybe make it just happen auto-magically?) then we could look back to the beginning of the current basic block and determine the "mode" from there?

eteran avatar Aug 28 '17 14:08 eteran

Well, if the analysis results are available, this matter is trivial. But analysis is not instant, and it seems there's a possibility to confuse the analyser (although it's just my guess, I've not looked into what the analysis does). Might be a good idea to add a "quick analysis" mode to the analyzer, so that details like this can be easily found out. Without analysis, EDB can at least check current CPU state and, if CPSR.IT≠0, then try to disassemble the block instead of single instructions.

10110111 avatar Aug 28 '17 14:08 10110111

Yea, analysis isn't instant, and it certainly isn't perfect. I was just thinking that things such as OllyDbg always do an analysis (as far as I can tell), and while sometimes it does introduce a pause (usually during dll load), users seem to be OK with that given the usefulness of the results.

So, my thought is that perhaps, if the analysis proves to make this task significantly simpler, then it may be worth it for the average user. I'm a bit torn on this one though, as I am a fan of not wasting the user's time as well.

eteran avatar Aug 30 '17 00:08 eteran

In OllyDbg it's always possible to skip analysis (by pressing Space or Esc).

10110111 avatar Aug 30 '17 05:08 10110111

Agreed, it is cancelable of course. But it is often time consuming and is opt-out, as opposed to edb's opt-in analysis. We could make it cancelable, and have a config option to auto analyze as needed.

eteran avatar Aug 30 '17 19:08 eteran