Optional bruterforce option for find_all_calls_to

mandiant · Oct 1, 2021 · 153809b · 153809b
1 parent e1dc926
commit 153809b
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 18 deletions.
diff --git a/FIDL/compiler_consts.py b/FIDL/compiler_consts.py
@@ -42,7 +42,7 @@
     # Some other forms of control
     #cot_call:   '{x}({y})',
     cot_cast:   '({x}){y}',
-
+    cot_ref:      '&{x}',
 }
 
 expr_condition = {

diff --git a/FIDL/decompiler_utils.py b/FIDL/decompiler_utils.py
@@ -2378,41 +2378,55 @@ def find_all_calls_to_within(f_name, ea=0, c=None):
     return call_objs
 
 
-def find_all_calls_to(f_name):
+def find_all_calls_to(f_name, bruteforce=True):
     """Finds all calls to a function with the given name
 
     Note that the string comparison is relaxed to find variants of it, that is,
     searching for ``malloc`` will match as well ``_malloc``, ``malloc_0``, etc.
 
     :param f_name: the function name to search for
     :type f_name: string
+    :param bruteforce: fallback to bruteforce (search all functions)
+    :type bruteforce: bool, optional
     :return: a list of :class:`callObj`
     :rtype: list
     """
 
+    got_name = True
+
     f_ea = get_name_ea_simple(f_name)
     if f_ea == BADADDR:
-        print("Failed to resolve address for {}".format(f_name))
-        return []
+        dprint("Failed to resolve address for {}".format(f_name))
+        got_name = False
+        if not bruteforce:
+            return []
 
     callz = []
     callers = set()
-
-    for ref in XrefsTo(f_ea, True):
-        if not ref.iscode:
-            continue
 
-        # Get a set of unique *function* callers
-        f = get_func(ref.frm)
-        if f is None:
-            continue
-
-        f_ea = f.start_ea
-        callers.add(f_ea)
+    if got_name:
+        for ref in XrefsTo(f_ea, True):
+            if not ref.iscode:
+                continue
+
+            # Get a set of unique *function* callers
+            f = get_func(ref.frm)
+            if f is None:
+                continue
+
+            f_ea = f.start_ea
+            callers.add(f_ea)
+
+        for caller_ea in callers:
+            cl = find_all_calls_to_within(f_name, caller_ea)
+            callz += cl
 
-    for caller_ea in callers:
-        c = find_all_calls_to_within(f_name, caller_ea)
-        callz += c
+    else:
+        # We fallback to bruteforce
+        dprint("Falling back to bruteforce (search all functions)")
+        for f_ea in NonLibFunctions():
+            cl = find_all_calls_to_within(f_name, f_ea)
+            callz += cl
 
     return callz