[Feature request] Getting the function's argument values for each xrefs-to it #10783

ITAYC0HEN opened this issue Jul 19, 2018 · 7 comments



@ITAYC0HEN ITAYC0HEN commented Jul 19, 2018

Given a function flag-name or an address, it would list the values of the arguments that will be passed to this function for each of its xrefs-to.
This command should implement it statically, maybe by using ESIL.

Imagine the following C code:

#include <stdio.h>

int print_it(char c, int n) {
    for (int i = 0; i < n; i++) {
        printf ("%c", c);
    }
    printf ("\n");
    return 0;
}

void dumb_function(int n) {
    print_it ('q', n);
}

int main(int argc, char *argv[]) {

    print_it ('a', 7);
    print_it ('k', 17);
    int n = 5;
    n = n * 3; // n = 15
    dumb_function (n); // the call at 0x6e9 in the listing below
    print_it ('b', 9);

    return 0;
}

I want to get all the xrefs-to print_it() with the values of the arguments that were pushed to it in each xref (CALL).

When opened in radare2, main() looks like this:

[0x00000540]> pdf @ main
           ;-- main:
│ (fcn) sym.main 96
│   sym.main (int arg1, int arg2);
           ; var int local_20h @ rbp-0x20
           ; var int local_14h @ rbp-0x14
           ; var int local_4h @ rbp-0x4
           ; DATA XREF from entry0 (0x55d)
0x000006a4      55             push rbp
0x000006a5      4889e5         mov rbp, rsp
0x000006a8      4883ec20       sub rsp, 0x20
0x000006ac      897dec         mov dword [local_14h], edi  ; arg1
0x000006af      488975e0       mov qword [local_20h], rsi  ; arg2
0x000006b3      be07000000     mov esi, 7
0x000006b8      bf61000000     mov edi, 0x61               ; 'a'
0x000006bd      e888ffffff     call sym.print_it
0x000006c2      be11000000     mov esi, 0x11
0x000006c7      bf6b000000     mov edi, 0x6b               ; 'k'
0x000006cc      e879ffffff     call sym.print_it
0x000006d1      c745fc050000.  mov dword [local_4h], 5
0x000006d8      8b55fc         mov edx, dword [local_4h]
0x000006db      89d0           mov eax, edx
0x000006dd      01c0           add eax, eax
0x000006df      01d0           add eax, edx
0x000006e1      8945fc         mov dword [local_4h], eax
0x000006e4      8b45fc         mov eax, dword [local_4h]
0x000006e7      89c7           mov edi, eax
0x000006e9      e899ffffff     call sym.dumb_function
0x000006ee      be09000000     mov esi, 9
0x000006f3      bf62000000     mov edi, 0x62               ; 'b'
0x000006f8      e84dffffff     call sym.print_it
0x000006fd      b800000000     mov eax, 0
0x00000702      c9             leave
0x00000703      c3             ret

dumb_function looks like this:

[0x00000540]> pdf @ sym.dumb_function
│ (fcn) sym.dumb_function 29
│   sym.dumb_function (int arg1);
           ; var int local_4h @ rbp-0x4
           ; CALL XREF from sym.main (0x6e9)
0x00000687      55             push rbp
0x00000688      4889e5         mov rbp, rsp
0x0000068b      4883ec10       sub rsp, 0x10
0x0000068f      897dfc         mov dword [local_4h], edi   ; arg1
0x00000692      8b45fc         mov eax, dword [local_4h]
0x00000695      89c6           mov esi, eax
0x00000697      bf71000000     mov edi, 0x71               ; 'q'
0x0000069c      e8a9ffffff     call sym.print_it
0x000006a1      90             nop
0x000006a2      c9             leave
0x000006a3      c3             ret

Using axt sym.print_it we get the following result:

[0x00000540]> axt sym.print_it
sym.dumb_function 0x69c [CALL] call sym.print_it
sym.main 0x6bd [CALL] call sym.print_it
sym.main 0x6cc [CALL] call sym.print_it
sym.main 0x6f8 [CALL] call sym.print_it

My feature request is for a command that will output something like this:

[0x00000540]> new_command sym.print_it
0x69c: sym.print_it (0x71, 15)
0x6bd: sym.print_it (0x61, 7)
0x6cc: sym.print_it (0x6b, 0x11)
0x6f8: sym.print_it (0x62, 9)

It should probably be under af and should take into consideration the architecture, calling convention, etc.
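To make the request concrete, here is an added example (not radare2 code and not from the issue author) of the static half of the idea: a small forward constant propagator over the disassembly shown above. It assumes the x86-64 SysV calling convention (first two integer arguments in rdi/rsi), a constructed listing transcribed from the `pdf` output in this post, and plain Python instead of ESIL. It recovers the four call sites with the values asked for, including the interprocedural one at 0x69c, whose second argument (15) is only known because main is emulated first and its rdi is carried into dumb_function. Analyzing dumb_function on its own yields an unknown second argument, which is exactly the gap a recursive, caller-aware emulation has to close.

```python
"""Recover call-site argument values by forward constant propagation.

Added example (not radare2 code): an x86-64 constant propagator that walks the
disassembly from the issue and reports what the argument registers hold at each
call to the target function, standing in for ESIL-based emulation.
"""
import re

# Constructed input: instructions transcribed from the issue's `pdf @ main`
# and `pdf @ sym.dumb_function` output (byte columns and comments dropped).
LISTING = {
    "sym.main": [
        (0x6a4, "push rbp"), (0x6a5, "mov rbp, rsp"), (0x6a8, "sub rsp, 0x20"),
        (0x6ac, "mov dword [local_14h], edi"), (0x6af, "mov qword [local_20h], rsi"),
        (0x6b3, "mov esi, 7"), (0x6b8, "mov edi, 0x61"), (0x6bd, "call sym.print_it"),
        (0x6c2, "mov esi, 0x11"), (0x6c7, "mov edi, 0x6b"), (0x6cc, "call sym.print_it"),
        (0x6d1, "mov dword [local_4h], 5"), (0x6d8, "mov edx, dword [local_4h]"),
        (0x6db, "mov eax, edx"), (0x6dd, "add eax, eax"), (0x6df, "add eax, edx"),
        (0x6e1, "mov dword [local_4h], eax"), (0x6e4, "mov eax, dword [local_4h]"),
        (0x6e7, "mov edi, eax"), (0x6e9, "call sym.dumb_function"),
        (0x6ee, "mov esi, 9"), (0x6f3, "mov edi, 0x62"), (0x6f8, "call sym.print_it"),
        (0x6fd, "mov eax, 0"), (0x702, "leave"), (0x703, "ret"),
    ],
    "sym.dumb_function": [
        (0x687, "push rbp"), (0x688, "mov rbp, rsp"), (0x68b, "sub rsp, 0x10"),
        (0x68f, "mov dword [local_4h], edi"), (0x692, "mov eax, dword [local_4h]"),
        (0x695, "mov esi, eax"), (0x697, "mov edi, 0x71"), (0x69c, "call sym.print_it"),
        (0x6a1, "nop"), (0x6a2, "leave"), (0x6a3, "ret"),
    ],
}

# Assumed calling convention: x86-64 SysV integer argument registers, in order.
ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]
# Sub-registers map to their full register so `mov edi, ...` and `mov rdi, ...`
# update the same slot (the values in this listing are small, so zero-extension
# of the upper half does not matter here).
ALIAS = {"edi": "rdi", "esi": "rsi", "edx": "rdx", "ecx": "rcx", "eax": "rax",
         "al": "rax", "rdi": "rdi", "rsi": "rsi", "rdx": "rdx", "rcx": "rcx",
         "rax": "rax", "r8": "r8", "r9": "r9", "rbp": "rbp", "rsp": "rsp"}
CLOBBERED = ("rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9")  # caller-saved
MEM_RE = re.compile(r"^(?:byte|word|dword|qword)?\s*\[(\w+)\]$")


def read(op, regs, mem):
    """Statically known value of a source operand, or None when unknown."""
    m = MEM_RE.match(op)
    if m:
        return mem.get(m.group(1))          # named stack slot, e.g. local_4h
    if op in ALIAS:
        return regs.get(ALIAS[op])
    try:
        return int(op, 0)                   # immediate: 7, 0x61, ...
    except ValueError:
        return None                         # symbol or unsupported operand


def write(op, value, regs, mem):
    """Store a (possibly unknown) value into a register or named stack slot."""
    m = MEM_RE.match(op)
    if m:
        mem[m.group(1)] = value
    elif op in ALIAS:
        regs[ALIAS[op]] = value


def emulate(func, regs, listing, target, hits, nargs, depth=0):
    """Propagate constants through `func`, recording args at calls to `target`.

    `regs` carries the caller's argument registers into the callee, so the
    call inside dumb_function sees the value main computed for its argument.
    """
    regs, mem = dict(regs), {}
    for addr, text in listing[func]:
        mnem, _, rest = text.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if mnem == "mov":
            write(ops[0], read(ops[1], regs, mem), regs, mem)
        elif mnem == "add":
            a, b = read(ops[0], regs, mem), read(ops[1], regs, mem)
            r = None if a is None or b is None else (a + b) & 0xFFFFFFFF  # 32-bit add
            write(ops[0], r, regs, mem)
        elif mnem == "call":
            callee = ops[0]
            if callee == target:
                hits[addr] = tuple(regs.get(r) for r in ARG_REGS[:nargs])
            elif callee in listing and depth < 8:
                emulate(callee, regs, listing, target, hits, nargs, depth + 1)
            for r in CLOBBERED:             # scratch registers are lost across the call
                regs[r] = None
        # push/pop/sub rsp/leave/ret/nop leave the tracked state alone
    return hits


def call_args(target, nargs, listing=LISTING, roots=("sym.main",)):
    """Map each call site of `target` reachable from `roots` to its argument values."""
    hits = {}
    for root in roots:
        emulate(root, {}, listing, target, hits, nargs)
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for site, args in call_args("sym.print_it", 2).items():
        shown = ", ".join("?" if a is None else f"{a:#x}" for a in args)
        print(f"{site:#x}: sym.print_it ({shown})")
```

Running it from main prints the four sites with (0x71, 0xf), (0x61, 0x7), (0x6b, 0x11) and (0x62, 0x9). Calling `call_args("sym.print_it", 2, roots=("sym.dumb_function",))` instead reports the second argument at 0x69c as unknown, which is the reason a real implementation has to start from the callers rather than emulating each function linearly in isolation.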

@ITAYC0HEN ITAYC0HEN changed the title Feature request: Getting the function's argument values for each xrefs-to it [Feature request] Getting the function's argument values for each xrefs-to it Jul 19, 2018

@Maijin Maijin commented Jul 20, 2018

Using e asm.emu / e asm.emuwrite / aeim you can do something similar.

This is currently only enabled for functions that have a function definition; the work from @sivaramaaa on type inference should now be able to complete the work of @oddcoder.

@sivaramaaa is going to add the function definition prediction with this behavior 👍


@XVilka XVilka commented Jul 20, 2018

It is related to recursive emulation; otherwise results might be TOO wrong (#6194).


@radare radare commented Sep 26, 2018

My proposal is this:

> pdf
;-- main:
;-- section.0.__TEXT.__text:
;-- func.100000f60:
;-- rip:
0x100000f60      55         push rbp
0x100000f61      4889e5     mov rbp, rsp
0x100000f64      4883ec10   sub rsp, 0x10
0x100000f68      488d3d3b.  lea rdi, str.bin_ls
0x100000f6f      be010000.  mov esi, 1
0x100000f74      c745fc00.  mov dword [local_4h], 0
0x100000f7b      b000       mov al, 0
0x100000f7d      e8060000.  call
0x100000f82      4883c410   add rsp, 0x10
0x100000f86      5d         pop rbp
0x100000f87      c3         ret

> aftcj 0x100000f7d # function call type analysis
{
  "args": [
    {
      "name": "path",
      "value": "/bin/ls"
    }, {
      "name": "oflag",
      "value": 1
    }
  ]
}

> aftc 0x100000f7d
path: /bin/ls
oflag: 1

So we get this info once, when analyzing the function recursively, and store the results in sdb.


@radare radare commented Sep 26, 2018

afta should do recursive emulation instead of linear; otherwise it will fail in most objc bins.


@stale stale bot commented Aug 26, 2020

This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 26, 2020
@stale stale bot removed the stale label Aug 27, 2020