IRSB VEX does not capture calls

[nimrodpar]

Hi, big fan here!

Trying to use the IRSB class directly to translate bytes (extracted from IDA) to VEX.

When i try to translate the following:

        "push    rbp",
        "mov     rbp, rsp",
        "sub     rsp, 10h",
        "mov     [rbp+var_4], edi",
        "mov     edi, offset aHereWeGo; \"Here we go!\"",
        "call    _puts",
        "mov     eax, [rbp+var_4]",
        "imul    eax, 64h",
        "mov     esi, offset aYo ; \"Yo\"",
        "mov     edi, eax",
        "call    callee",
        "nop",
        "leave",
        "retn"

using pyvex.IRSB(bytes, 0x0000000000400623, cle.archinfo.arch.ArchAMD64()), i get the following VEX:

IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
IR-NoOp
------ IMark(0x400622, 1, 0) ------
t0 = GET:I64(rbp)
t9 = GET:I64(rsp)
t8 = Sub64(t9,0x0000000000000008)
t1 = t8
PUT(rsp) = t1
STle(t1) = t0
PUT(rip) = 0x0000000000400623
------ IMark(0x400623, 3, 0) ------
t10 = GET:I64(rsp)
PUT(rbp) = t10
PUT(rip) = 0x0000000000400626
------ IMark(0x400626, 4, 0) ------
t4 = GET:I64(rsp)
t3 = 0x0000000000000010
t2 = Sub64(t4,t3)
PUT(cc_op) = 0x0000000000000008
PUT(cc_dep1) = t4
PUT(cc_dep2) = t3
PUT(rsp) = t2
PUT(rip) = 0x000000000040062a
------ IMark(0x40062a, 3, 0) ------
t12 = GET:I64(rbp)
t11 = Add64(t12,0xfffffffffffffffc)
t5 = t11
t14 = GET:I64(rdi)
t13 = 64to32(t14)
STle(t5) = t13
PUT(rip) = 0x000000000040062d
------ IMark(0x40062d, 5, 0) ------
t15 = 32Uto64(0x00400734)
PUT(rdi) = t15
PUT(rip) = 0x0000000000400632
------ IMark(0x400632, 5, 0) ------
t17 = GET:I64(rsp)
t16 = Sub64(t17,0x0000000000000008)
t6 = t16
PUT(rsp) = t6
STle(t6) = 0x0000000000400637
t7 = 0x0000000000400470
t18 = Sub64(t6,0x0000000000000080)
====== AbiHint(0xt18, 128, t7) ======
PUT(rip) = 0x0000000000400470
t19 = GET:I64(rip)

Which i guess is consistent, up to the point of calls.

Any idea where them calls at? Thanks!

[rhelmot]

Looks like you figured it out, since you closed it, but VEX only lifts a single basic block at a time - a call instruction is the end of a basic block so it's going to stop here. the IRSB you pasted is a little cut off - it should say that the "jumpkind" for this block is Ijk_Call, meaning the jump off the end of this block has the semantics of a function call.

[nimrodpar]

Yeah, actually just writing the issue helped me understand a lot :) Thanks for the prompt reply!

[gitttt]

@nimrodpar Does your approach work to get an entire function (from IDA) converted to vex? In other words, does it work to pass these "bytes" representing an entire function to pyvex? Or do I need to break up the IDA function in basic blocks? Does pyvex automatically break the "bytes" up into several IRSBs?

[nimrodpar]

@gitttt: from my experience if you give pyvex a stream of bytes, it will translate them up to the first jump (or 400 bytes, what comes first) so yeah, a good approach would be to get the blocks from IDA and translate them individually. Note that pyvex will still break the block if a call is encountered..