Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License
921 stars, 208 forks

PowerPC not handling large number of function arguments #4553

Open w1282 opened 1 year ago

w1282 commented 1 year ago

Version and Platform (required):

Bug Description: When analyzing PPC32 binaries with functions that take a relatively large number of arguments (sometimes as low as 8, sometimes not until the 10th argument) the output fails to properly present the function call.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Open the attached PPC binary
  2. Observe that the call to my_func should have 10 arguments, but instead it has 8

Expected Behavior: Please provide a clear and concise description of what you expected to happen.

Screenshots: [attached image]

Additional Information: My initial thought was that it was stumbling when parsing arguments passed on the stack, but it occasionally falters on register arguments and also occasionally identifies some but not all arguments on the stack.

test.zip

xusheng6 commented 1 year ago

@w1282 I am kind of confused by this. I do see that the format string of printf is asking for 10 arguments, but I only see that arguments r3-10 (which are 8 in total) are passed as arguments. Where are the other two arguments? Sorry I am not very good at ppc arch.

w1282 commented 1 year ago

@xusheng6 They're being stored onto the stack by the instructions between 0x100005b8 - 0x100005cc (in main) and then copied onto the stack again by my_func between 0x10000530 and 0x1000054c.

This is being presented in the MLIL at main.mlil[0] and my_func.mlil[0] as var_[30|50] = &arg_0 which is passed as the final argument to each call.
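The split the thread is describing (eight integer arguments in r3-r10, the rest in the caller's outgoing stack area) follows from the PowerPC32 SVR4 calling convention. The following is an added example, not code from Binary Ninja or from anyone in this issue: a small model of the SVR4 PPC32 integer-argument rules that, given the sizes of a function's arguments, reports where each one lands. The ABI rules it encodes (r3-r10 for integer/pointer arguments, 64-bit values in an odd-aligned register pair, overflow to the stack starting at sp+8 past the back chain and saved LR) and all function and class names are the example's own assumptions; it is useful for sanity-checking how many arguments a decompiler should be recovering at a call site.

```python
# Added example: a model of PowerPC32 SVR4 integer-argument passing.
# Not Binary Ninja code; the ABI rules below are an assumption of this
# example (SVR4 PPC32 ABI, integer/pointer arguments only, no floats).

from dataclasses import dataclass
from typing import List

# Integer argument registers: r3..r10 (eight registers).
GPR_ARGS = list(range(3, 11))
# The outgoing argument area starts at sp+8: sp+0 is the back chain and
# sp+4 the saved LR, so the first stack-passed argument lives at sp+8.
STACK_ARG_BASE = 8


@dataclass(frozen=True)
class Location:
    kind: str    # "reg", "regpair" or "stack"
    detail: str  # e.g. "r3", "r5:r6", "sp+8"


def assign_ppc32_int_args(arg_sizes: List[int]) -> List[Location]:
    """Map each integer argument (size in bytes: 1, 2, 4 or 8) to a location.

    Rules modelled (assumed SVR4 PPC32 behaviour):
    - 1/2/4-byte values take the next free register from r3..r10.
    - 8-byte values take a pair starting at an odd register (r3:r4, r5:r6,
      r7:r8, r9:r10); if the next free register is even it is skipped and
      not reused by later arguments.
    - Once a value has to go to the stack, it and every later value are
      placed at sp+8 upward in 4-byte slots, 8-byte values aligned to 8.
    """
    locs: List[Location] = []
    next_gpr = 0                # index into GPR_ARGS
    stack_off = STACK_ARG_BASE  # next free stack slot, relative to sp
    for size in arg_sizes:
        if size not in (1, 2, 4, 8):
            raise ValueError(f"unsupported integer argument size {size}")
        if size == 8:
            # Align the pair to an odd register by skipping an even one.
            if next_gpr < len(GPR_ARGS) and GPR_ARGS[next_gpr] % 2 == 0:
                next_gpr += 1
            if next_gpr + 1 < len(GPR_ARGS):
                lo, hi = GPR_ARGS[next_gpr], GPR_ARGS[next_gpr + 1]
                locs.append(Location("regpair", f"r{lo}:r{hi}"))
                next_gpr += 2
                continue
            # A pair that does not fit goes to the stack; registers are
            # considered exhausted from here on.
            next_gpr = len(GPR_ARGS)
            stack_off = (stack_off + 7) & ~7
            locs.append(Location("stack", f"sp+{stack_off}"))
            stack_off += 8
        elif next_gpr < len(GPR_ARGS):
            locs.append(Location("reg", f"r{GPR_ARGS[next_gpr]}"))
            next_gpr += 1
        else:
            locs.append(Location("stack", f"sp+{stack_off}"))
            stack_off += 4
    return locs


def count_by_kind(locs: List[Location]) -> dict:
    """Summarise how many arguments live in registers vs. on the stack."""
    counts = {"reg": 0, "regpair": 0, "stack": 0}
    for loc in locs:
        counts[loc.kind] += 1
    return counts


if __name__ == "__main__":
    # The case from the thread: ten 32-bit arguments.
    ten_ints = assign_ppc32_int_args([4] * 10)
    for i, loc in enumerate(ten_ints, start=1):
        print(f"arg{i}: {loc.detail}")
    print(count_by_kind(ten_ints))
```

For ten 4-byte arguments the model yields r3 through r10 for the first eight and sp+8, sp+12 for the last two, which is the situation the reporter describes: a call-site analysis that stops at the register arguments will show exactly eight. The 64-bit pairing rule matters for the same reason; a `long long` at the wrong position can push arguments onto the stack earlier than a simple "first eight" count would suggest.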