dewolf
[CSE] Adjust thresholds for elimination
Proposal
See the following example: example.zip
Dewolf currently produces the following code:
```c
int main(int argc, char ** argv, char ** envp) {
    unsigned long var_1;
    long i;
    long var_0;
    void * var_3;
    __builtin_strcpy(/* dest */ &var_0, /* src */ "This is an example.");
    var_1 = strlen(&var_0);
    for (i = 0L; i < var_1; i++) {
        var_3 = &var_0 + i;
        if ((int)*var_3 != 32) {
            *var_3 = *var_3 ^ ' ';
        }
        printf(/* format */ "%c", (unsigned int)(int)*(&var_0 + i));
    }
    return 0;
}
```
Common Subexpression Elimination (CSE) replaces the array access `&var_0 + i` with a temporary variable (`var_3`), which makes the code less legible.
If we skipped the stage, the for-loop would look like this:
```c
for (i = 0L; i < var_1; i++) {
    if ((int)*(&var_0 + i) != 32) {
        *(&var_0 + i) = *(&var_0 + i) ^ ' ';
    }
    printf(/* format */ "%c", (unsigned int)(int)*(&var_0 + i));
}
```
This should be the preferred variant.
Used Binary Ninja version: 3.5.4526
Approach
The CSE should be skipped for those expressions.
There could be several options to get this done:
- exclude expressions with array access in CSE stage
- run the array access stage before CSE (the array has to be correctly detected for that)
- adjust the threshold value of expression complexity in CSE stage
- fine-tune the calculation of the expression complexity
- ...
Other approaches are possible.
The best option should be evaluated, tested and implemented.
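To make the threshold and exclusion options concrete, here is a toy CSE pass run over the loop body from the example. It is an added illustration, not dewolf's code: the tuple expression shapes, the node-count complexity measure, the rule that memory reads are never hoisted, and the `tmp_N` names are assumptions of this example.

```python
from collections import Counter

# Toy expression trees standing in for dewolf's IR (assumed shapes):
#   ('var', name) | ('addr', name) | ('const', v)
#   ('add', a, b) | ('xor', a, b) | ('ne', a, b) | ('deref', a)
#   ('assign', lhs, rhs) | ('call', fname, *args)

def complexity(e):
    """Node count; a stand-in for the CSE stage's expression-complexity measure."""
    return 1 + sum(complexity(c) for c in e[1:] if isinstance(c, tuple))

def subexprs(e):
    yield e
    for c in e[1:]:
        if isinstance(c, tuple):
            yield from subexprs(c)

def is_array_index(e):
    """'&base + index': the element address the issue wants to keep inline."""
    return e[0] == 'add' and e[1][0] == 'addr'

def replace(e, target, name):
    if e == target:
        return ('var', name)
    return e[:1] + tuple(replace(c, target, name) if isinstance(c, tuple) else c
                         for c in e[1:])

def cse(stmts, threshold, skip_array_index=False):
    """Hoist every subexpression used twice or more with complexity >= threshold.
    Memory reads ('deref') are never hoisted: a store in between could change
    their value.  Returns (rewritten statements, {temp name: expression})."""
    temps = {}
    while True:
        counts = Counter(s for st in stmts for s in subexprs(st))
        cands = [e for e, n in counts.items()
                 if n >= 2 and e[0] != 'deref' and complexity(e) >= max(threshold, 2)
                 and not (skip_array_index and is_array_index(e))]
        if not cands:
            return stmts, temps
        e = max(cands, key=complexity)          # outermost candidate first
        name = f"tmp_{len(temps)}"
        temps[name] = e
        stmts = [replace(st, e, name) for st in stmts]

# The loop body from the issue, constructed by hand (casts dropped, ' ' == 32):
ELEM = ('add', ('addr', 'var_0'), ('var', 'i'))      # &var_0 + i
LOOP_BODY = [
    ('ne', ('deref', ELEM), ('const', 32)),
    ('assign', ('deref', ELEM), ('xor', ('deref', ELEM), ('const', 32))),
    ('call', 'printf', ('const', '%c'), ('deref', ELEM)),
]

if __name__ == "__main__":
    for thr, skip in ((3, False), (4, False), (3, True)):
        print(f"threshold={thr} skip_array_index={skip}:", cse(LOOP_BODY, thr, skip)[1])
```

With threshold 3 the pass hoists `&var_0 + i` into `tmp_0` exactly as dewolf introduces `var_3`; raising the threshold to 4 or excluding array-index expressions leaves the loop body untouched.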