Command to forward type propagate into called functions

[plafosse]

Forward type propagation into called functions is very tricky to do correctly. This is something we haven't yet attempted. However it's frequent that when reverse engineering we do this manually. We should simplify this process by providing a Command which will do this. Something like "Infer function prototype"

[xusheng6]

Related to https://github.com/Vector35/binaryninja-api/issues/772 and https://github.com/Vector35/binaryninja-api/issues/3270

[xusheng6]

A related workflow is to select a variable or a type, and do froward propagation at all function calls where this type is seen. Might need to repeat the process until no new one is seen.

[robert-yates]

this is indeed a painful repetitive task, i want to create a simple script where i can click a variable and make it set the name and type in the prototype of all calls where its used in the function, and eventually recursively

it doesn't seem so straight forward, does anyone have an implementation suggestion?

my use case and idea is as follows:

1. manually identified a structure on the stack and created its type.
2. in HLIL find all calls
3. check if call uses this variable
4. set a name and type

i choose HLIL because calls can take direct pointer types of the structure and it removes the need to find all assignments in MLIL that create an additional pointer type.

however how to find all calls in HLIL to get their parameters? it seems to me i have to parse each instructions AST as calls can be deep inside an expression and requires knowledge of every single instruction to parse in order just to find the calls.

is there an easier way? i suspect there is :)

[xusheng6]

Note this is the opposite direction of https://github.com/Vector35/binaryninja-api/issues/773

[xusheng6]

I think we should not only propagate the type, we should probably also propagate the parameter name. Not sure if we want it to be optional, though