Re: [DynInst_API:] where to find the code for handling switch() statements?


Date: Tue, 22 Aug 2017 13:26:18 +0200
From: Thomas Dullien <thomasdullien@xxxxxxxxxx>
Subject: Re: [DynInst_API:] where to find the code for handling switch() statements?
Hey there,

an example from 32-bit code where the default switch handling fails:

.text:00412990         sub   esp, 50h
.text:00412993         mov   eax, ___security_cookie
.text:00412998         xor   eax, esp
.text:0041299A         mov   [esp+50h+var_4], eax
.text:0041299E         mov   edx, [esp+50h+arg_0]
.text:004129A2         push  ebx
.text:004129A3         mov   ebx, ecx
.text:004129A5         lea   eax, [edx-1]
.text:004129A8         cmp   eax, 6            ; switch 7 cases
.text:004129AB         ja    loc_412F7E        ; jumptable 004129B4 default case
.text:004129B1         push  ebp
.text:004129B2         push  esi
.text:004129B3         push  edi
.text:004129B4         jmp   ds:off_412F90[eax*4] ; switch jump

Enough of this for the moment, though :-)) -- I will check your branch now :-)

Cheers,
Thomas

On Tue, Aug 22, 2017 at 1:24 PM, Thomas Dullien <thomasdullien@xxxxxxxxxx> wrote:
Hey there,

I am back at work on this :-).

A few questions:
- Your fork is a fork of Dyninst 9 ?
- Are there any things I need to be aware of when building it?

The particular scenario I am dealing with right now is the following construct (x86_64 disassembly of
Visual Studio compiled code).

.text:000000014004D970         mov   [rsp+arg_8], edx
.text:000000014004D974         mov   [rsp+arg_0], rcx
.text:000000014004D979         push  rdi
.text:000000014004D97A         sub   rsp, 220h
.text:000000014004D981         mov   rdi, rsp
.text:000000014004D984         mov   ecx, 88h
.text:000000014004D989         mov   eax, 0CCCCCCCCh
.text:000000014004D98E         rep stosd
.text:000000014004D990         mov   rcx, [rsp+228h+arg_0]
.text:000000014004D998         mov   rax, cs:__security_cookie
.text:000000014004D99F         xor   rax, rsp
.text:000000014004D9A2         mov   [rsp+228h+var_18], rax
.text:000000014004D9AA         mov   eax, [rsp+228h+arg_8]
.text:000000014004D9B1         mov   [rsp+228h+var_80], eax
.text:000000014004D9B8         mov   eax, [rsp+228h+var_80]
.text:000000014004D9BF         dec   eax
.text:000000014004D9C1         mov   [rsp+228h+var_80], eax
.text:000000014004D9C8         cmp   [rsp+228h+var_80], 5 ; switch 6 cases
.text:000000014004D9D0         ja    loc_14004EA48     ; jumptable 000000014004D9EF default case
.text:000000014004D9D6         movsxd rax, [rsp+228h+var_80]
.text:000000014004D9DE         lea   rcx, cs:140000000h
.text:000000014004D9E5         mov   eax, ds:(off_14004EA70 - 140000000h)[rcx+rax*4]
.text:000000014004D9EC         add   rax, rcx
.text:000000014004D9EF         jmp   rax       ; switch jump
.text:000000014004D9F1 ; ---------------------------------------------------------------------------

Cheers,
Thomas
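The two listings above are the two jump-table shapes a control-flow reconstructor has to recover: the 32-bit form at the top of the thread (`lea eax,[edx-1]` / `cmp eax, 6` / `ja default` / `jmp ds:off_412F90[eax*4]`, a table of absolute pointers) and the x86_64 Visual Studio form just above (`dec eax` / `cmp ..., 5` / `ja default` / `lea rcx, cs:140000000h` / `mov eax, table[rcx+rax*4]` / `add rax, rcx` / `jmp rax`, a table of 32-bit offsets from the image base). The script below is an added illustration written for this page, not code from the thread or from Dyninst; it takes the facts the disassembly gives (table address, the `cmp` bound, the `-1` index adjustment, whether the entries are absolute or image-base-relative) and enumerates the switch targets, then sanity-checks that each target lands in the expected code range, which is what catches a table whose base-relativity was guessed wrong. The table contents and the target addresses are constructed for the example; only the table addresses and image base come from the listings.

```python
import struct

# --- constructed sample images (not from the thread) ---------------------
# An "image" is a dict {virtual_address: bytes}, a minimal stand-in for the
# loaded sections of a PE file.

# 32-bit case: table of 7 absolute pointers at off_412F90 (address from the
# listing; the pointer values themselves are made up).
TABLE32_VA = 0x412F90
TARGETS32 = [0x412A00 + 0x40 * i for i in range(7)]
IMAGE32 = {TABLE32_VA: b"".join(struct.pack("<I", t) for t in TARGETS32)}

# 64-bit case: table of 6 image-base-relative 32-bit entries at off_14004EA70
# (address and image base from the listing; the entries are made up).
IMAGE_BASE64 = 0x140000000
TABLE64_VA = 0x14004EA70
TARGETS64 = [0x14004D9F1 + 0x80 * i for i in range(6)]
IMAGE64 = {
    TABLE64_VA: b"".join(struct.pack("<I", t - IMAGE_BASE64) for t in TARGETS64)
}


def read_u32(image, va):
    """Read a little-endian u32 at virtual address `va`; raise if unmapped."""
    for base, data in image.items():
        off = va - base
        if 0 <= off and off + 4 <= len(data):
            return struct.unpack_from("<I", data, off)[0]
    raise ValueError(f"address {va:#x} not mapped")


def resolve_jump_table(image, table_va, upper_bound, index_adjust=0, image_base=None):
    """Return {original_switch_value: target_va}.

    upper_bound  - immediate N from the `cmp idx, N ; ja default` guard, so the
                   table has N+1 entries (indices 0..N are in bounds).
    index_adjust - constant subtracted from the switch value before indexing
                   (`lea eax,[edx-1]` or `dec eax` -> 1), so case labels are
                   index + index_adjust.
    image_base   - None for a table of absolute pointers
                   (jmp ds:off_412F90[eax*4]); otherwise entries are RVAs and
                   the base is added (lea rcx, cs:140000000h ... add rax, rcx).
    """
    targets = {}
    for idx in range(upper_bound + 1):
        entry = read_u32(image, table_va + 4 * idx)
        target = entry if image_base is None else image_base + entry
        targets[idx + index_adjust] = target
    return targets


def check_targets(targets, code_lo, code_hi):
    """Return the case values whose target falls outside [code_lo, code_hi).

    A non-empty result is the usual symptom of a misidentified table: wrong
    base address, wrong entry width, or absolute entries treated as relative
    (or vice versa).
    """
    return sorted(c for c, t in targets.items() if not code_lo <= t < code_hi)


def switch_targets_32bit():
    # cmp eax, 6 -> 7 entries; lea eax,[edx-1] -> cases 1..7
    return resolve_jump_table(IMAGE32, TABLE32_VA, upper_bound=6, index_adjust=1)


def switch_targets_64bit():
    # cmp ..., 5 -> 6 entries; dec eax -> cases 1..6; entries are image-base-relative
    return resolve_jump_table(IMAGE64, TABLE64_VA, upper_bound=5,
                              index_adjust=1, image_base=IMAGE_BASE64)


if __name__ == "__main__":
    for name, targets in (("32-bit", switch_targets_32bit()),
                          ("64-bit", switch_targets_64bit())):
        print(name)
        for case, target in targets.items():
            print(f"  case {case}: {target:#x}")
    # Treating the 64-bit table as absolute pointers puts every target at
    # ~0x4D000, far outside the function: check_targets flags all six cases.
    wrong = resolve_jump_table(IMAGE64, TABLE64_VA, 5, index_adjust=1)
    print("misread 64-bit table, out-of-range cases:",
          check_targets(wrong, 0x14004D970, 0x14004EA70))
```

The range check is the cheap invariant worth keeping in any jump-table recovery: a resolved target that lands outside the function (or outside any executable section) means the table was misread, and silently emitting those edges corrupts the CFG rather than merely leaving it incomplete.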

On Tue, Jun 13, 2017 at 4:35 PM, Thomas Dullien <thomasdullien@xxxxxxxxxx> wrote:
Hey there,

excellent, thanks for your quick response :-) I will give your fork a try in the next 2-3 days -- I am currently
at a conference and hence won't have time to try it today :-)

Cheers,
Thomas

On Tue, Jun 13, 2017 at 10:30 AM, Xiaozhu Meng <mxz297@xxxxxxxxx> wrote:
Hi Thomas,

I am working with an improved jump table analysis. Its prototype is available at my Dyninst fork (https://github.com/mxz297/dyninst/tree/jump_table_multi_slices). This improved version should be merged back to mainstream Dyninst in the near future. Could you try my version to see whether it solves your problem? If the problem remains, could you provide me the problematic binary so that I can further improve my code?

Thanks,

--Xiaozhu

On Tue, Jun 13, 2017 at 7:25 AM, Thomas Dullien <thomasdullien@xxxxxxxxxx> wrote:
Hey all,

I am using DynInst for a small project that helps search for similar
and noticed that most switch statements that it encounters are not
handled properly (e.g. the control flow reconstruction fails to resolve
the switch targets).

Where in the source code should I go looking for the relevant code?
I'd love to have a look around to see if it can be improved.

Cheers,
Thomas

_______________________________________________
Dyninst-api mailing list
Dyninst-api@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api