
Support for PcodeOp not implemented #2

Open
vanhauser-thc opened this issue May 8, 2020 · 1 comment

Comments


vanhauser-thc commented May 8, 2020

Tried the MallocTrace.java script against an open source binary to play around and got this:

Error running script: MallocTrace.java
ghidra.util.exception.NotYetImplementedException: Support for PcodeOp (unique, 0x10001abb, 4) SUBPIECE (register, 0x0, 8) , (const, 0x0, 4)not implemented
ghidra.util.exception.NotYetImplementedException: Support for PcodeOp (unique, 0x10001abb, 4) SUBPIECE (register, 0x0, 8) , (const, 0x0, 4)not implemented
	at MallocTrace.processOneVarnode(MallocTrace.java:593)

The output window shows:

Call @ 0x1038d1 [main] to 0x103210 [malloc] (2 pcodeops)
	Parameter #1 - (register, 0x80, 8) @ 0x80
0x1038c4 - processOneVarnode: (register, 0x80, 8) INT_ZEXT (register, 0xb0, 4)
0x1038b3 - processOneVarnode: (register, 0xb0, 4) INT_ADD (unique, 0x10001abb, 4) , (const, 0x1, 4)
0x1038b3 - processOneVarnode: (unique, 0x10001abb, 4) SUBPIECE (register, 0x0, 8) , (const, 0x0, 4)
Error running script: MallocTrace.java

The instruction at 0x1038b3 is

        001038b3 44 8d 70 01     LEA        R14D,[RAX + 0x1]

This looks very standard to me - why would that result in support for pcodeop not implemented?

In a larger context it's basically

          sVar15 = strlen(__s);
          __fd_01 = sVar15 + 1;
          if (0x40000000 < __fd_01) goto LAB_00106360;
          __dest = malloc(__fd_01);

or

        001038ab 4c 89 ef        MOV        param_1,R13
        001038ae e8 4d fa        CALL       strlen                                           size_t strlen(char * __s)
                 ff ff
        001038b3 44 8d 70 01     LEA        R14D,[RAX + 0x1]
        001038b7 41 81 fe        CMP        R14D,0x40000000
                 00 00 00 40
        001038be 0f 87 99        JA         LAB_0010635d
                 2a 00 00
        001038c4 45 89 f0        MOV        param_5,R14D
        001038c7 4c 89 c7        MOV        param_1,param_5
        001038ca 4c 89 85        MOV        qword ptr [RBP + local_1078],param_5
                 98 ef ff ff
        001038d1 e8 3a f9        CALL       malloc                                           void * malloc(size_t __size)
                 ff ff
        001038d6 48 85 c0        TEST       RAX,RAX
0xAlexei (Owner) commented May 8, 2020

Thanks for your interest!

The script is getting caught up on PcodeOp.SUBPIECE, which I didn't write code to handle, and is hitting the default switch case at

Presumably, you could add a switch case for PcodeOp.SUBPIECE to make this work. I never encountered this PcodeOp while developing this proof of concept script, so I didn't implement support for it.

I will note, this script has no notion of a memory model, it just tracks registers mainly, so instructions like "LEA" are likely to be problematic anyhow.
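The reply above says SUBPIECE only needs its own switch case. The following is an added example, not code from the MallocTrace.java script or from its author: a small self-contained Python model of the three p-code ops that appear in the issue's trace (SUBPIECE, INT_ADD, INT_ZEXT) and a backward tracer that follows the malloc size argument from (register, 0x80, 8) back to RAX. The p-code sequence `OPS` is copied from the trace in the issue; the names `Varnode`, `PcodeOp`, `evaluate`, `trace_value`, `render` and `malloc_size_for_strlen` are constructed for this example and are not Ghidra API. It assumes the documented p-code semantics: SUBPIECE(in0, in1) drops the lowest in1 bytes of in0 and keeps as many bytes as the output varnode is wide, so (unique, 4) SUBPIECE (RAX, 8), (const 0, 4) is simply EAX.

```python
# Added example, not MallocTrace.java: model of SUBPIECE / INT_ADD / INT_ZEXT
# plus a backward tracer over the def-use chain shown in the issue.
# Varnodes are (space, offset, size) tuples, exactly as Ghidra prints them.
from collections import namedtuple

Varnode = namedtuple("Varnode", "space offset size")
PcodeOp = namedtuple("PcodeOp", "addr output mnemonic inputs")

RAX = Varnode("register", 0x0, 8)          # strlen's return value
MALLOC_ARG = Varnode("register", 0x80, 8)  # parameter #1 of the malloc call

# Constructed from the processOneVarnode lines in the issue's output.
OPS = [
    PcodeOp(0x1038b3, Varnode("unique", 0x10001abb, 4), "SUBPIECE",
            [RAX, Varnode("const", 0x0, 4)]),
    PcodeOp(0x1038b3, Varnode("register", 0xb0, 4), "INT_ADD",
            [Varnode("unique", 0x10001abb, 4), Varnode("const", 0x1, 4)]),
    PcodeOp(0x1038c4, MALLOC_ARG, "INT_ZEXT",
            [Varnode("register", 0xb0, 4)]),
]


def mask(size):
    """All-ones mask for a varnode of `size` bytes."""
    return (1 << (8 * size)) - 1


def evaluate(op, inputs):
    """Concrete semantics of the three ops on unsigned values of varnode width."""
    out_size = op.output.size
    if op.mnemonic == "SUBPIECE":
        # input1 is a constant byte offset: drop that many low bytes,
        # then keep only as many bytes as the output is wide.
        shift = 8 * op.inputs[1].offset
        return (inputs[0] >> shift) & mask(out_size)
    if op.mnemonic == "INT_ADD":
        # addition wraps at the output width (here 32 bits, like R14D)
        return (inputs[0] + inputs[1]) & mask(out_size)
    if op.mnemonic == "INT_ZEXT":
        # zero-extension: the unsigned value is unchanged, only the width grows
        return inputs[0] & mask(op.inputs[0].size)
    # same default-case behaviour as the script, for ops we do not model
    raise NotImplementedError(f"Support for PcodeOp {op.mnemonic} not implemented")


def defining_op(ops, vn):
    """Last op in `ops` that writes `vn`, or None if vn is an input leaf."""
    for op in reversed(ops):
        if op.output == vn:
            return op
    return None


def trace_value(ops, vn, env):
    """Backward-trace vn to constants and registers supplied in env, and compute it."""
    if vn.space == "const":
        return vn.offset
    op = defining_op(ops, vn)
    if op is None:
        if vn in env:
            return env[vn] & mask(vn.size)
        raise KeyError(f"no definition or input value for {vn}")
    return evaluate(op, [trace_value(ops, i, env) for i in op.inputs])


def render(ops, vn):
    """Symbolic form of the same chain, the kind of string a tracer would print."""
    if vn.space == "const":
        return hex(vn.offset)
    op = defining_op(ops, vn)
    if op is None:
        return f"{vn.space}:{vn.offset:#x}:{vn.size}"
    args = [render(ops, i) for i in op.inputs]
    if op.mnemonic == "SUBPIECE":
        lo = op.inputs[1].offset
        return f"{args[0]}[{lo}:{lo + op.output.size}]"
    if op.mnemonic == "INT_ADD":
        return f"({args[0]} + {args[1]})"
    if op.mnemonic == "INT_ZEXT":
        return f"zext{op.output.size * 8}({args[0]})"
    raise NotImplementedError(f"Support for PcodeOp {op.mnemonic} not implemented")


def malloc_size_for_strlen(rax_value):
    """Size passed to malloc for a given strlen result, following the issue's chain."""
    return trace_value(OPS, MALLOC_ARG, {RAX: rax_value})


if __name__ == "__main__":
    print(render(OPS, MALLOC_ARG))
    for n in (5, 0x1_0000_0005, 0xFFFFFFFF):
        print(f"strlen -> {n:#x}: malloc({malloc_size_for_strlen(n):#x})")
```

The truncation case is the point of modelling SUBPIECE rather than skipping it: the size handed to malloc is the low 32 bits of RAX plus one, so the tracer has to carry the 4-byte width through INT_ADD to reproduce the wrap that the `CMP R14D,0x40000000` check in the listing is guarding against.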
