
switch detection

Open williballenthin opened this issue 6 years ago • 4 comments

samples:

  • cc688ff3a525bac5e1241d13fae8d97a:10001EA1

williballenthin, Jan 02 '19 18:01

32-bit added in 3e378a4b218e60efe8bf6f771543354ca5cd78e5

williballenthin, Jun 25 '19 22:06

in mimi64, function 0x140056250 has a massive switch jmp at 0x1400562BF


williballenthin, Jun 25 '19 22:06

some programs will place the jump tables contiguously, so we need to be able to detect if the targets are already part of a prior jump table. if this is the case, then we need to remove the existing references. likewise, we should stop reading a jump table when encountering entries that already have references.

for example, given the following:

  jtable_1:
    j1
    j2
    j3
    j4
  jtable_2:
    j5
    j6
    j7
    j8

the cases:

  1. consider that jtable_1 is already defined, and we want to now add jtable_2. we need to remove the entries j5 - j8 from jtable_1 and add them to jtable_2.
  2. consider that jtable_2 is already defined and we want to now add jtable_1. we need to add only up to j4 and not continue across j5 and above.

note: we could probably have these two cases happening at the same time (a sandwich). so, we probably want to find the end of the logical array first, then find any prior tables, and finally update/add the xrefs.

williballenthin, Sep 10 '19 17:09
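The bookkeeping described in the comment above (find the end of the logical array, truncate a prior table that overran into our slots, stop when a later table already owns a slot), as an added example in Rust. This is constructed illustration code, not lancelot's own workspace types; it assumes 8-byte table entries and a caller-supplied plausibility test that stands in for the real end-of-array heuristics.

```rust
use std::collections::BTreeMap;

const ENTRY_SIZE: u64 = 8; // assumption: 64-bit jump table entries

/// Constructed model of a workspace (not lancelot's own types): each jump table
/// is keyed by its start address and holds the targets of its entries;
/// `slot_owner` maps every table slot to the table currently referencing from it.
#[derive(Default, Debug)]
pub struct Workspace {
    pub tables: BTreeMap<u64, Vec<u64>>,
    pub slot_owner: BTreeMap<u64, u64>,
}

impl Workspace {
    /// Define a jump table at `table_addr` whose raw slots hold `raw`.
    /// `plausible` is the end-of-logical-array test: reading stops at the first
    /// value that does not look like a case target. Returns the targets that
    /// ended up in the new table.
    pub fn add_jump_table(&mut self, table_addr: u64, raw: &[u64], plausible: impl Fn(u64) -> bool) -> Vec<u64> {
        let mut targets = Vec::new();
        for (i, &target) in raw.iter().enumerate() {
            let slot = table_addr + i as u64 * ENTRY_SIZE;
            if !plausible(target) {
                break;
            }
            match self.slot_owner.get(&slot).copied() {
                // case 2: a table starting at or after us already owns this slot: stop here.
                Some(owner) if owner >= table_addr => break,
                // case 1: a prior table overran into our slots: drop its tail and its xrefs.
                Some(owner) => {
                    let keep = ((slot - owner) / ENTRY_SIZE) as usize;
                    let prior = self.tables.get_mut(&owner).expect("owner table is defined");
                    let dropped = prior.len() - keep;
                    prior.truncate(keep);
                    for k in 0..(dropped as u64) {
                        self.slot_owner.remove(&(slot + k * ENTRY_SIZE));
                    }
                }
                None => {}
            }
            self.slot_owner.insert(slot, table_addr);
            targets.push(target);
        }
        self.tables.insert(table_addr, targets.clone());
        targets
    }
}
```

Because the prior table is truncated before our own slots are claimed, the "sandwich" case (a prior table below and an already-defined table above) needs no special handling beyond the two checks in the loop.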

external refs:

  • https://github.com/vivisect/vivisect/pull/251
  • https://github.com/vivisect/vivisect/pull/247#issuecomment-527244982

williballenthin, Sep 10 '19 17:09