The question of Disassembly of $gp register on MIPS architecture

[hxlszxy]

---

First of all, i want to ask :In MIPS architecture, somtines the disassemble result can parse the string addr in .rodata section, but somtimes the result just disassemble the instruction into the form like "lw $X, number($gp)".I know the $gp is the global pointer register, but how can i get the string addr?.
For example,when i disassembled a binary by using angr, i got block like this at addr 0x41f1a0:

0x41f1d8: lw $v0, -0x7da4($gp)
0x41f1dc: lw $a1, -0x7fe4($gp)
> 0x41f1ec: addiu $a1, $a1, -0x5eb4

and the vex ir of the block is like this:

------ IMark(0x41f1d8, 4, 0) ------ Ist_IMark
t7 = GET:I32(offset=120) Ist_WrTmp
t6 = Add32(t7,0xffff825c) Ist_WrTmp
t8 = LDle:I32(t6) Ist_WrTmp
PUT(offset=16) = t8 Ist_Put
PUT(offset=136) = 0x0041f1dc Ist_Put
------ IMark(0x41f1dc, 4, 0) ------ Ist_IMark
t9 = Add32(t7,0xffff801c) Ist_WrTmp
t11 = LDle:I32(t9) Ist_WrTmp
PUT(offset=136) = 0x0041f1e0 Ist_Put
> ------ IMark(0x41f1ec, 4, 0) ------ Ist_IMark
t21 = Add32(t11,0xffffa14c) Ist_WrTmp
PUT(offset=28) = t21 Ist_Put

but when i disassembled it using ida, i got the block like this:

.text:0041F1D8 la $v0, stderr
.text:0041F1DC la $a1, 0x440000
> .text:0041F1EC addiu $a1, (aPppdVersionS - 0x440000) # "pppd version %s\n"

As shown above,the angr can not get the string "aPppdVersionS " addr.At 0041F1EC, the angr disassembly result is "addiu $a1, $a1, -0x5eb4", if we go back up we can see that the $a1 is relevent to $gp.
But it is strange that in another binary, which i code by myself, angr can get the string addr in .rodata section.Here is the reuslt:

angr disassemble result:
0x40076c: move $a1, $v0
0x400774: addiu $a0, $v0, 0xbc8

angr vex result:

------ IMark(0x40076c, 4, 0) ------ Ist_IMark
PUT(offset=28) = t19 Ist_Put
------ IMark(0x400770, 4, 0) ------ Ist_IMark
> ------ IMark(0x400774, 4, 0) ------ Ist_IMark
> PUT(offset=24) = 0x00400bc8 Ist_Put
PUT(offset=136) = 0x00400778 Ist_Put

ida result

.text:0040076C move $a1, $v0
.text:00400770 lui $v0, 0x40
> .text:00400774 addiu $a0, $v0, (aVersionIsSDD - 0x400000) # "Version is : %s, %d, %d"

So,when the angr disassemble a mips binary with using $gp register，how can i get the string reference addrs?
Thanks!

[ltfish]

$gp register in MIPS is a "special" register: It points to a global area in memory (see here). Usually it is initialized to a concrete memory address at the beginning of each function. I believe that is the heuristic that IDA Pro relies on when it parses memory references that are calculated from $gp.

angr has implemented a similar (if not exactly the same) heuristic in CFGFast_process_block_arch_specific(). Take a look at that function. Or if you only need the value of $gp, take a look at func.info['gp'] where func is the Function object of the function that you care about. As you may already know, I had to implement this heuristic so that angr's memory reference discovery can yield reasonable results.

[ltfish]

By the way, you can disable IDA's simplified displaying of memory references involving $gp by turning off "Prudent search of $gp" in Options -> General -> Analysis -> Processor specific analysis options.

[hxlszxy]

Thank you for your detailed explanations and patient advice!!!