
Add the ability to toggle a function's '__pure' status #1712

Closed
SiD3W4y opened this issue May 26, 2020 · 10 comments
Labels
Component: Core (Issue needs changes to the core); Effort: Medium (Issue should take < 1 month); Impact: Medium (Issue is impactful with a bad, or no, workaround); Type: Enhancement (Issue is a small enhancement to existing functionality)
Milestone
Coruscant

Comments

SiD3W4y commented May 26, 2020

I have a weird behavior on a PSP Game (MIPS). A call that is present in the assembly, LLIL and MLIL views is absent from the HLIL view. This doesn't happen with all calls, but only those jumping to a stub (trampoline) section, which is correctly detected as code by binary ninja.

Assembly: [screenshot: Assembly view]

LLIL: [screenshot: LLIL view]

MLIL: [screenshot: MLIL view]

HLIL: [screenshot: HLIL view]

I can share the binary privately if needed.

SiD3W4y (Author) commented May 26, 2020

The issue may be that the stub (import) is defined as a simple return.

[screenshot: Stub Code]

plafosse (Member) commented May 26, 2020

Yup, this is a feature, not a bug :) Pure functions like this can be eliminated safely. Is there a reason that this could be considered unsafe in this binary?

SiD3W4y (Author) commented May 26, 2020

In this binary the stubs (like sceIoOpen) are part of the dynamic linking process. At runtime they are patched and replaced by trampolines to other module functions. Here binary ninja is removing all the calls to these imports which is pretty troublesome for reverse-engineering.

Is there a way to prevent the optimization?

rssor (Member) commented May 26, 2020

A test case binary would be pretty useful here, especially if it's a result of missing relocations that would give us an opportunity to skip the stub and directly point it towards an extern, since BinaryViews are generally responsible for setting up a post-dynamic-linker environment to help with analysis, for pretty much the reasons seen here.

Could you send an example binary to the support email or to one of us on slack? (rss or peter)

I don’t think there’s currently a trivial way to prevent the optimization at the moment, but that’s certainly something worth adding.

SiD3W4y (Author) commented May 26, 2020

Thank you, I sent the binary to @plafosse on Slack.

rssor (Member) commented May 26, 2020

As a temporary workaround, does replacing the nop instruction with a random syscall instruction suppress the behavior?

SiD3W4y (Author) commented May 26, 2020

Yes it does seem to prevent the optimization.

@plafosse plafosse changed the title MIPS HLIL Disappearing call Add the ability to toggle a function's '__pure' status May 27, 2020
plafosse (Member) commented May 27, 2020

To solve this issue we'll need to expose the ability to change a function's pure status, and perhaps add a setting which will not inline pure functions. I changed the title of this issue to reflect the potential solution.

@plafosse plafosse added the Type: Enhancement Issue is a small enhancement to existing functionality label May 27, 2020
@plafosse plafosse added Effort: Medium Issue should take < 1 month Impact: Medium Issue is impactful with a bad, or no, workaround labels Apr 14, 2021
@plafosse plafosse added the Component: Core Issue needs changes to the core label Jun 13, 2023
w1282 commented Jul 7, 2023

Mentioning here for others that run into this issue before it can be toggled on a function-by-function basis: pure call elimination can be disabled across the entire binary by disabling analysis.hlil.pureCallElimination in settings.

@CouleeApps CouleeApps self-assigned this Jul 8, 2023
@CouleeApps CouleeApps added this to the Coruscant milestone Jul 8, 2023
CouleeApps (Member) commented

This is now done in 3.5.4377-dev via the Function.is_pure member or the Pure button in the Edit Function Properties dialog.
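As an added example (not code from the Binary Ninja project or from anyone in this thread), the following script clears is_pure only on functions that live in the import-stub section, so HLIL keeps the calls the thread is about while genuinely pure functions elsewhere stay eliminable. The section name .sceStub.text, the sample addresses, and the Section/Func stand-ins are assumptions constructed here; Function.is_pure and the analysis.hlil.pureCallElimination setting are the ones named in the comments above.

```python
from dataclasses import dataclass

# Assumed name of the PSP import-stub section (constructed for this example).
STUB_SECTION_NAMES = (".sceStub.text",)

@dataclass
class Section:  # constructed stand-in for binaryninja.Section
    name: str
    start: int
    end: int  # exclusive

@dataclass
class Func:  # constructed stand-in for binaryninja.Function
    name: str
    start: int
    is_pure: bool = False

def is_runtime_patched_stub(func, sections, names=STUB_SECTION_NAMES):
    """A function in a stub section is rewritten by the dynamic linker at load
    time, so its static body (a bare return) says nothing about side effects."""
    return any(s.name in names and s.start <= func.start < s.end for s in sections)

def unmark_pure_stubs(funcs, sections, names=STUB_SECTION_NAMES):
    """Clear is_pure on stub functions only, so genuinely pure code elsewhere keeps
    its flag. Returns the names of the functions changed."""
    sections = list(sections)  # iterated once per function
    changed = []
    for f in funcs:
        if f.is_pure and is_runtime_patched_stub(f, sections, names):
            f.is_pure = False  # Function.is_pure is writable from 3.5.4377-dev
            changed.append(f.name)
    return changed

def apply_to_binaryview(bv, per_function=True):
    """Run inside Binary Ninja (binaryninja is imported lazily so the logic above
    runs offline). per_function=False uses the global setting from the thread."""
    import binaryninja
    if per_function:
        changed = unmark_pure_stubs(bv.functions, bv.sections.values())
    else:
        binaryninja.Settings().set_bool("analysis.hlil.pureCallElimination", False, bv)
        changed = []
    bv.update_analysis_and_wait()
    return changed

# Constructed sample layout: real code in .text, import stubs in .sceStub.text.
SAMPLE_SECTIONS = [Section(".text", 0x08804000, 0x08810000),
                   Section(".sceStub.text", 0x08810000, 0x08810400)]
SAMPLE_FUNCS = [Func("main", 0x08804100), Func("add", 0x08804200, is_pure=True),
                Func("sceIoOpen", 0x08810000, is_pure=True), Func("sceIoClose", 0x08810010, is_pure=True)]
```

Inside Binary Ninja, apply_to_binaryview(bv) is the per-function fix and apply_to_binaryview(bv, per_function=False) is the whole-binary fallback from w1282's comment.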

@psifertex psifertex added the State: Duplicate Issue is a duplicate of another issue label Sep 1, 2023
@psifertex psifertex removed this from the Coruscant milestone Sep 1, 2023
@psifertex psifertex removed the State: Duplicate Issue is a duplicate of another issue label Sep 1, 2023
@psifertex psifertex added this to the Coruscant milestone Sep 1, 2023