Open xusheng6 opened 1 year ago
We are dealing with the same issue on x64 slightly better, in that we at least indicate the write to `__return_addr`, although we do not redirect the control flow in the IL.
This may be a duplicate of this issue: #1052
A user reported a bug that BN does not handle the return address properly when the x30 value is known. The sample is obfuscated, and it is using the `ret` instruction to do a jump. At the end of the function, it first calculates the jump target in x30, and then returns. BN is unaware of the trick and during LLIL->MLIL translation, the information is lost and the code is treated as a regular return.

The user does not wish to share the binary in public, so I recreated the issue on a different binary: helloworld_bug.zip

For comparison, the original binary is attached as well: helloworld.zip
Given the above function epilog, it loads 0x1234 into x30. After the `ret` instruction, the `pc` will become 0x1234. The code effectively does a `b 0x1234`. The LLIL is fine:

However, things are screwed up in MLIL:
To deal with this, we need to do the following things:

`__saved_x30`.