[Feature request] Getting the function's argument values for each xrefs-to it #10783

Open
ITAYC0HEN opened this Issue Jul 19, 2018 · 4 comments

Contributor

ITAYC0HEN commented Jul 19, 2018

Given a function flag name or an address, it would list the values of the arguments that will be passed to this function for each of its xrefs-to.
This command should implement it statically, maybe by using ESIL.

Example:
Imagine the following C code:

#include <stdio.h>

int print_it(char c, int n) {
    for (int i = 0; i < n; i++) {
        printf ("%c", c);
    }

    printf ("\n");
    return n; /* characters written; a non-void function must return a value */
}

void dumb_function(int n) {
    print_it ('q', n);
}

int main(int argc, char *argv[]) {

    print_it ('a', 7);
    print_it ('k', 17);
    int n = 5;
    n = n * 3; // n = 15
    dumb_function(n);
    print_it ('b', 9);

    return 0;
}

I want to get all the xrefs-to print_it() with the values of arguments that were pushed to it in each xref (CALL).

While opened in radare2, main() would look like this:

[0x00000540]> pdf @ main
           ;-- main:
│ (fcn) sym.main 96
│   sym.main (int arg1, int arg2);
           ; var int local_20h @ rbp-0x20
           ; var int local_14h @ rbp-0x14
           ; var int local_4h @ rbp-0x4
           ; DATA XREF from entry0 (0x55d)
0x000006a4      55             push rbp
0x000006a5      4889e5         mov rbp, rsp
0x000006a8      4883ec20       sub rsp, 0x20
0x000006ac      897dec         mov dword [local_14h], edi  ; arg1
0x000006af      488975e0       mov qword [local_20h], rsi  ; arg2
0x000006b3      be07000000     mov esi, 7
0x000006b8      bf61000000     mov edi, 0x61               ; 'a'
0x000006bd      e888ffffff     call sym.print_it
0x000006c2      be11000000     mov esi, 0x11
0x000006c7      bf6b000000     mov edi, 0x6b               ; 'k'
0x000006cc      e879ffffff     call sym.print_it
0x000006d1      c745fc050000.  mov dword [local_4h], 5
0x000006d8      8b55fc         mov edx, dword [local_4h]
0x000006db      89d0           mov eax, edx
0x000006dd      01c0           add eax, eax
0x000006df      01d0           add eax, edx
0x000006e1      8945fc         mov dword [local_4h], eax
0x000006e4      8b45fc         mov eax, dword [local_4h]
0x000006e7      89c7           mov edi, eax
0x000006e9      e899ffffff     call sym.dumb_function
0x000006ee      be09000000     mov esi, 9
0x000006f3      bf62000000     mov edi, 0x62               ; 'b'
0x000006f8      e84dffffff     call sym.print_it
0x000006fd      b800000000     mov eax, 0
0x00000702      c9             leave
0x00000703      c3             ret

dumb_function would look like this:

[0x00000540]> pdf @ sym.dumb_function
│ (fcn) sym.dumb_function 29
│   sym.dumb_function (int arg1);
           ; var int local_4h @ rbp-0x4
           ; CALL XREF from sym.main (0x6e9)
0x00000687      55             push rbp
0x00000688      4889e5         mov rbp, rsp
0x0000068b      4883ec10       sub rsp, 0x10
0x0000068f      897dfc         mov dword [local_4h], edi   ; arg1
0x00000692      8b45fc         mov eax, dword [local_4h]
0x00000695      89c6           mov esi, eax
0x00000697      bf71000000     mov edi, 0x71               ; 'q'
0x0000069c      e8a9ffffff     call sym.print_it
0x000006a1      90             nop
0x000006a2      c9             leave
0x000006a3      c3             ret

Using axt sym.print_it we get the following result:

[0x00000540]> axt sym.print_it
sym.dumb_function 0x69c [CALL] call sym.print_it
sym.main 0x6bd [CALL] call sym.print_it
sym.main 0x6cc [CALL] call sym.print_it
sym.main 0x6f8 [CALL] call sym.print_it

My feature request is for a command that will output something like this:

[0x00000540]> new_command sym.print_it
0x69c: sym.print_it (0x71, 15)
0x6bd: sym.print_it (0x61, 7)
0x6cc: sym.print_it (0x6b, 0x11)
0x6f8: sym.print_it (0x62, 9)

It should probably be under af and should take into consideration the architecture, calling convention, etc.
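To make the request concrete, here is an added toy implementation (not radare2 code and not ESIL) that does forward constant propagation over the two listings above and follows the call into dumb_function with the caller's register state, which is what recovers the 15 at 0x69c. The listing text is a constructed, reduced copy of the pdf output, and reading arg1/arg2 from edi/esi assumes the SysV x86-64 calling convention shown.

```python
import re
# Constructed input: the two `pdf` listings from the issue reduced to
# "addr mnemonic operands" fields (bytes column, comments and
# prologue/epilogue dropped). sym.print_it's own body is not needed.
FUNCS = {
    "sym.main": (
        "0x6ac mov dword [local_14h], edi | 0x6b3 mov esi, 7 | 0x6b8 mov edi, 0x61 |"
        " 0x6bd call sym.print_it | 0x6c2 mov esi, 0x11 | 0x6c7 mov edi, 0x6b |"
        " 0x6cc call sym.print_it | 0x6d1 mov dword [local_4h], 5 |"
        " 0x6d8 mov edx, dword [local_4h] | 0x6db mov eax, edx | 0x6dd add eax, eax |"
        " 0x6df add eax, edx | 0x6e1 mov dword [local_4h], eax |"
        " 0x6e4 mov eax, dword [local_4h] | 0x6e7 mov edi, eax |"
        " 0x6e9 call sym.dumb_function | 0x6ee mov esi, 9 | 0x6f3 mov edi, 0x62 |"
        " 0x6f8 call sym.print_it | 0x6fd mov eax, 0"),
    "sym.dumb_function": (
        "0x68f mov dword [local_4h], edi | 0x692 mov eax, dword [local_4h] |"
        " 0x695 mov esi, eax | 0x697 mov edi, 0x71 | 0x69c call sym.print_it"),
}
INSN = re.compile(r"(0x[0-9a-f]+)\s+(\w+)(?:\s+(.*))?")
MEM = re.compile(r"(?:dword|qword) \[(\w+)\]")
CALLER_SAVED = ("eax", "ecx", "edx", "esi", "edi")  # clobbered by any call

def loc(op):
    """Register name, or the stack-slot name for a [local_xxh] operand."""
    m = MEM.fullmatch(op)
    return m.group(1) if m else op

def val(state, op):
    """Immediate -> int; register or slot -> tracked value, None if unknown."""
    return int(op, 0) if re.fullmatch(r"0x[0-9a-f]+|\d+", op) else state.get(loc(op))

def call_args(func, target, state=None, out=None):
    """Propagate constants through `func`, descending into callees listed in FUNCS
    with the caller's state. Returns {call_addr: (edi, esi)}; None = unknown."""
    state, out = dict(state or {}), {} if out is None else out
    for field in FUNCS[func].split("|"):
        addr, mn, ops = INSN.fullmatch(field.strip()).groups()
        ops = [o.strip() for o in ops.split(",")] if ops else []
        if mn == "mov":
            state[loc(ops[0])] = val(state, ops[1])
        elif mn == "add":
            a, b = val(state, ops[0]), val(state, ops[1])
            state[loc(ops[0])] = None if None in (a, b) else (a + b) & 0xFFFFFFFF
        elif mn == "call":
            if ops[0] == target:
                out[int(addr, 16)] = (state.get("edi"), state.get("esi"))
            elif ops[0] in FUNCS:
                call_args(ops[0], target, state, out)
            state.update({r: None for r in CALLER_SAVED})
    return out
```

Starting the pass at sym.dumb_function alone, with no caller state, leaves the second argument at 0x69c as None: a per-function pass cannot know arg1, which is why the request needs the caller's values to flow into the callee.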


@ITAYC0HEN ITAYC0HEN changed the title from Feature request: Getting the function's argument values for each xrefs-to it to [Feature request] Getting the function's argument values for each xrefs-to it Jul 19, 2018

Collaborator

Maijin commented Jul 20, 2018

Using e asm.emu / e asm.emuwrite / aeim you can do something similar.

This is currently only enabled for functions that have a function definition; the work from @sivaramaaa on type inference should now make it possible to complete the work of @oddcoder.

@sivaramaaa is going to add the function definition prediction with this behavior 👍

Collaborator

XVilka commented Jul 20, 2018

It is related to recursive emulation; otherwise results might be TOO wrong (#6194).
