AngeloD2022
commented
3 weeks ago It won't be a const varnode directly but a unique varnode, so you will have to go backwards via the definitions to the const varnode.
When looking at the HighFunction pcode, the arguments for the CALL were immediately available and seemingly directly associated with the op.
...
--- CBRANCH (ram, 0x100007cf0, 1) , (unique, 0x18f80, 1)
(VARIABLE, 0x0, 16) CALL (ram, 0x100041c00, 8) , (ram, 0x10008eea0, 8)
...0x100041c00 -> _objc_alloc
0x10008eea0 -> PTR__OBJC_CLASS_$_NSPopUpButton_10008ee90
Do we intend on using the lower-level pcode for this?
fmagin
With the types from #14 we can now start applying them:
We need an analysis that over all
objc_alloccallsites (i.e. all P-Code CALL ops with the first argument being theobjc_allocaddress) and then retrieve the constant value behind the second argument. It won't be a const varnode directly but a unique varnode, so you will have to go backwards via the definitions to the const varnode.Then we need to map the address back to the type somehow. I see a few options for this, not sure which works best. The most straightforward one is probably getting the symbol at that address and looking for a matching type name. Later we might want to coordinate this via some class or service that keeps track of those mappings.
Then we need use the same API to override the call signature at an address which is used by
OverridePrototypeActionAnalyzerType.FUNCTION_ANALYZERwithAnalysisPriority.FUNCTION_ANALYSIS.after()