Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License
897 stars, 200 forks

Better .plt section support for PPC thunk functions #1183

Open BrenanHornseth opened 5 years ago

BrenanHornseth commented 5 years ago

Binary ninja does not handle references to the .plt section for the PPC architecture if thunk functions are involved.

For instance, in the library libosipparser2.so.1.1.0 in the function msg_osip_body_parse(), though binja is smart enough to know the register value of r30 when I mouse over it (0x57acc), it does not use that value for the memcpy() thunk function sub_33880 call at 0x1e59c and instead leaves the thunk function unlabeled without an xref inside.

Thunk function sub_33880 code (taken from IDA):

lwz       r11, (memcpy_plt - 0x57ACC)(r30) # __imp_memcpy
mtctr     r11
bctr

There are many more examples like this inside libosipparser2.so.1.1.0 - I have attached a binary for reference. I have been using libosip2-4.1.0 if you prefer to compile your own.

libosipparser2.so.11.0.0.zip

BrenanHornseth commented 5 years ago

I believe I have encountered this issue again with another PPC binary, libtasn1.so.6.2.4 (attached). This time the lack of proper detection of the underlying thunk function leads to a control flow issue where asn1_der_decoding falls through to the next function asn1_der_decoding_element.

This illustrates the proper detection on x64: [screenshot from 2018-11-09 20-21-46]

And here's the same call for the ppc binary: [screenshot from 2018-11-09 20-21-51]

And diving into the thunk functions on PPC: [screenshot from 2018-11-09 20-25-33]

The final thunk function on PPC. If this xref was properly detected I assume binja would label it as "no return": [screenshot from 2018-11-09 20-25-38]

I have also attached the PPC binary for reference. libtasn1.so.6.2.4.zip
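The analysis both comments ask for, written out as a small stand-alone example (added here; it is not Binary Ninja code and not part of the issue): decode the three-instruction PPC32 PLT thunk `lwz rX, d(rBase)` / `mtctr rX` / `bctr`, and, when the base register's value is known (r30 = 0x57acc in the first comment), compute the GOT slot it loads from and map that slot to an import name. Without the base register value the thunk cannot be resolved, which is exactly the symptom reported: an unlabeled thunk, no xref, and in the libtasn1 case no way to propagate a no-return attribute. The instruction words, the displacement values and the GOT slot contents below are constructed for illustration; only the r30 value and the register numbers come from the issue.

```python
"""Resolve a PPC32 PLT thunk (lwz / mtctr / bctr) to the imported symbol it
jumps to, given a known value for the base register.  Added illustration
for the issue; instruction words and GOT contents are constructed."""

from typing import Dict, List, Optional, Tuple

PRIMARY_LWZ = 32           # primary opcode (bits 0-5) of lwz rD, d(rA)
MTCTR_MASK = 0xFC1FFFFF    # masks out the rS field of mtspr
MTCTR_BITS = 0x7C0903A6    # mtspr CTR, rS with rS = 0 (i.e. "mtctr r0")
BCTR_WORD = 0x4E800420     # bctr


def decode_lwz(word: int) -> Optional[Tuple[int, int, int]]:
    """Return (rD, rA, d) for an lwz instruction word, or None."""
    if (word >> 26) != PRIMARY_LWZ:
        return None
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    d = word & 0xFFFF
    if d & 0x8000:             # d is a signed 16-bit displacement
        d -= 0x10000
    return rd, ra, d


def decode_mtctr(word: int) -> Optional[int]:
    """Return rS if the word is `mtctr rS`, or None."""
    if (word & MTCTR_MASK) != MTCTR_BITS:
        return None
    return (word >> 21) & 0x1F


def resolve_plt_thunk(words: List[int],
                      reg_values: Dict[int, int],
                      got: Dict[int, str]) -> Optional[str]:
    """Match the thunk pattern and look up the GOT slot it reads.

    reg_values maps register number -> known value at thunk entry (what the
    analysis knows about r30 from the caller).  got maps slot address ->
    import name.  Returns the import name, or None when the pattern does
    not match or the base register value is unknown."""
    if len(words) != 3 or words[2] != BCTR_WORD:
        return None
    lwz = decode_lwz(words[0])
    if lwz is None:
        return None
    rd, ra, d = lwz
    if decode_mtctr(words[1]) != rd:   # the loaded register must feed CTR
        return None
    if ra == 0:                         # rA = 0 means an absolute address, not r0
        base = 0
    elif ra in reg_values:
        base = reg_values[ra]
    else:
        return None                     # base unknown: this is the issue's failure mode
    slot = (base + d) & 0xFFFFFFFF
    return got.get(slot)


# Constructed sample: two thunks that both load through r30.
#   lwz r11, 0x50(r30)  -> 0x817E0050 ; lwz r11, -0x10(r30) -> 0x817EFFF0
#   mtctr r11           -> 0x7D6903A6 ; bctr                -> 0x4E800420
THUNK_MEMCPY = [0x817E0050, 0x7D6903A6, BCTR_WORD]
THUNK_STRLEN = [0x817EFFF0, 0x7D6903A6, BCTR_WORD]
R30_VALUE = 0x57ACC                      # value of r30 quoted in the issue
GOT = {0x57B1C: "memcpy", 0x57ABC: "strlen"}   # constructed slot -> import map


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Resolve both thunks with r30 known, then memcpy with r30 unknown."""
    with_r30 = {30: R30_VALUE}
    return (resolve_plt_thunk(THUNK_MEMCPY, with_r30, GOT),
            resolve_plt_thunk(THUNK_STRLEN, with_r30, GOT),
            resolve_plt_thunk(THUNK_MEMCPY, {}, GOT))


if __name__ == "__main__":
    print(demo())   # ('memcpy', 'strlen', None)
```

The third result is the interesting one: the thunk bytes are identical, but with no value for r30 the slot address is unknowable, so the function stays unlabeled. Once the slot resolves to a name, a per-import no-return table is all that is needed to stop the fall-through described in the second comment.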