Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Undersizing array accesses due to liberal load/store split heuristics #5415

Open joelreymont opened 5 months ago

joelreymont commented 5 months ago

Version and Platform (required):

Internal binary major dine favor.

Here's IDA Pro

uint64_t __fastcall DjiIdentityVerify_GetSerialNumber(
        struct CommandManager *mgr,
        struct CommandHeader *header,
        char *payload)
{
  ProductInfo info; // [xsp+10h] [xbp+10h] BYREF
  char *v5; // [xsp+2E8h] [xbp+2E8h]
  struct CommandHeader *header_1; // [xsp+2F0h] [xbp+2F0h]
  struct CommandManager *mgr_1; // [xsp+2F8h] [xbp+2F8h]
  ProductInfo info_1; // [xsp+300h] [xbp+300h] BYREF
  char payload_1[40]; // [xsp+5C8h] [xbp+5C8h] BYREF
  uint64_t err; // [xsp+5F0h] [xbp+5F0h]
  char *payload_2; // [xsp+5F8h] [xbp+5F8h]

  mgr_1 = mgr;
  header_1 = header;
  v5 = payload;
  payload_2 = payload;
  *(_QWORD *)payload_1 = 0x2000LL;
  memset(&payload_1[8], 0, 0x1B);
  DjiProductInfo_GetInfo(&info);
  memcpy(&info_1, &info, sizeof(info_1));
  *(_QWORD *)&payload_1[3] = *(_QWORD *)info_1.user_info.appKey;
  *(_QWORD *)&payload_1[11] = *(_QWORD *)&info_1.user_info.appKey[8];
  *(_QWORD *)&payload_1[19] = *(_QWORD *)&info_1.user_info.appKey[16];
  *(_QWORD *)&payload_1[27] = *(_QWORD *)&info_1.user_info.appKey[24];
  err = DjiCommand_SendAckData(mgr_1, header_1, payload_1, 0x23);
  if ( err )
    DjiLogger_Output(
      "auth",
      0,
      "[%s:%d) get serial number ack error:0x%08llX",
      "DjiIdentityVerify_GetSerialNumber",
      281LL,
      err);
  return err;
}

Here's the original BN. I tried to undefine the function but the result was the same.

0007bef0  uint64_t DjiIdentityVerify_GetSerialNumber(struct CommandManager* mgr, struct CommandHeader* header)

0007bf0c      int64_t x2
0007bf0c      int64_t var_8 = x2
0007bf14      int64_t payload = 0
0007bf14      int64_t s
0007bf14      __builtin_memset(s: &s, c: 0, n: 0x1b)
0007bf28      payload.b = 0
0007bf34      payload:1.w = 0x20
0007bf40      void info
0007bf40      DjiProductInfo_GetInfo(info: &info)
0007bf50      void var_300
0007bf50      memcpy(&var_300, &info, 0x2c4)
0007bf60      int64_t payload_1
0007bf60      payload = payload_1
0007bf60      int64_t s_1
0007bf60      s = s_1
0007bf68      int64_t var_2c0
0007bf68      int64_t var_28 = var_2c0
0007bf68      int64_t var_2b8
0007bf68      int64_t var_20 = var_2b8
0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, payload: &payload, payload_size: 0x23)
0007bf90      if (result != 0)
0007bfc0          DjiLogger_Output(tag: "auth", level: 0, fmt: "[%s:%d) get serial number ack er…", "DjiIdentityVerify_GetSerialNumbe…", 0x119, result)
0007bfd0      return result

My ProductInfo type

struct ProductInfo __packed
{
    struct T_DjiUserInfo user_info;
    __padding char _297[1];
    char field_298[0x0];
    __padding char _298[4];
    char field_29c[0x0];
    __padding char _29c[1];
    __padding char _29d[1];
    __padding char _29e[1];
    __padding char _29f[1];
    __padding char _2a0[2];
    __padding char _2a2[0x1e];
    __padding char _2c0[4];
};

Typing the two product infos gives me the following

0007bef0  uint64_t DjiIdentityVerify_GetSerialNumber(struct CommandManager* mgr, struct CommandHeader* header)

0007bf0c      int64_t x2
0007bf0c      int64_t var_8 = x2
0007bf14      int64_t payload = 0
0007bf14      int64_t s
0007bf14      __builtin_memset(s: &s, c: 0, n: 0x1b)
0007bf28      payload.b = 0
0007bf34      payload:1.w = 0x20
0007bf40      struct ProductInfo info
0007bf40      DjiProductInfo_GetInfo(info: &info)
0007bf50      struct ProductInfo info_1
0007bf50      memcpy(&info_1, &info, 0x2c4)
0007bf5c      int64_t payload_1
0007bf5c      payload_1.b = info_1.user_info.appKey[0]
0007bf5c      payload_1:1.b = info_1.user_info.appKey[1]
0007bf5c      payload_1:2.b = info_1.user_info.appKey[2]
0007bf5c      payload_1:3.b = info_1.user_info.appKey[3]
0007bf5c      payload_1:4.b = info_1.user_info.appKey[4]
0007bf5c      payload_1:5.b = info_1.user_info.appKey[5]
0007bf5c      payload_1:6.b = info_1.user_info.appKey[6]
0007bf5c      payload_1:7.b = info_1.user_info.appKey[7]
0007bf5c      int64_t s_1
0007bf5c      s_1.b = info_1.user_info.appKey[8]
0007bf5c      s_1:1.b = info_1.user_info.appKey[9]
0007bf5c      s_1:2.b = info_1.user_info.appKey[0xa]
0007bf5c      s_1:3.b = info_1.user_info.appKey[0xb]
0007bf5c      s_1:4.b = info_1.user_info.appKey[0xc]
0007bf5c      s_1:5.b = info_1.user_info.appKey[0xd]
0007bf5c      s_1:6.b = info_1.user_info.appKey[0xe]
0007bf5c      s_1:7.b = info_1.user_info.appKey[0xf]
0007bf60      payload = payload_1
0007bf60      s = s_1
0007bf64      int64_t x0_2
0007bf64      x0_2.b = info_1.user_info.appKey[0x10]
0007bf64      x0_2:1.b = info_1.user_info.appKey[0x11]
0007bf64      x0_2:2.b = info_1.user_info.appKey[0x12]
0007bf64      x0_2:3.b = info_1.user_info.appKey[0x13]
0007bf64      x0_2:4.b = info_1.user_info.appKey[0x14]
0007bf64      x0_2:5.b = info_1.user_info.appKey[0x15]
0007bf64      x0_2:6.b = info_1.user_info.appKey[0x16]
0007bf64      x0_2:7.b = info_1.user_info.appKey[0x17]
0007bf64      int64_t x1_1
0007bf64      x1_1.b = info_1.user_info.appKey[0x18]
0007bf64      x1_1:1.b = info_1.user_info.appKey[0x19]
0007bf64      x1_1:2.b = info_1.user_info.appKey[0x1a]
0007bf64      x1_1:3.b = info_1.user_info.appKey[0x1b]
0007bf64      x1_1:4.b = info_1.user_info.appKey[0x1c]
0007bf64      x1_1:5.b = info_1.user_info.appKey[0x1d]
0007bf64      x1_1:6.b = info_1.user_info.appKey[0x1e]
0007bf64      x1_1:7.b = info_1.user_info.appKey[0x1f]
0007bf68      int64_t var_28 = x0_2
0007bf68      int64_t var_20 = x1_1
0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, payload: &payload, payload_size: 0x23)
0007bf90      if (result != 0)
0007bfc0          DjiLogger_Output(tag: "auth", level: 0, fmt: "[%s:%d) get serial number ack er…", "DjiIdentityVerify_GetSerialNumbe…", 0x119, result)
0007bfd0      return result

I'm trying to set the size of payload used here

0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, payload: &payload, payload_size: 0x23)

I was able to adjust payload in IDA by looking at the space available between err at stack offset 0x5F0 and payload_1 at stack offset 0x5C8. This is how I got the 40.

char payload_1[40]; // [xsp+5C8h] [xbp+5C8h] BYREF
 uint64_t err; // [xsp+5F0h] [xbp+5F0h]

I thought I'd try the same using the BN Stack View. Hovering over &payload below tells me that the variable is at stack offset -0x38. This is indeed the case per the Stack View. I don't see result anywhere near, though, and there's not enough space between adjacent variables to fit a 40-character buffer.

0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, payload: &payload, payload_size: 0x23)

Very strange but maybe all is not lost. Maybe I should look at 0x5F0 and 0xFC8? The former offset holds info and there's nothing at the latter offset.

Maybe BN will just do the right thing if I set the size of payload? I do know it's 40 characters after all!

What about this assignment, though? Should I take the offset of payload_1 instead? Can't because BN says it's in register X0.

0007bf60      payload = payload_1

I'm just gonna go ahead and set the type of payload_1 to char[40] and cross my fingers. And...

How do I get out of this mess I got myself into?

And how do I use the Stack View in this case?

0007bef0  uint64_t DjiIdentityVerify_GetSerialNumber(struct CommandManager* mgr, struct CommandHeader* header)

0007bf0c      int64_t x2
0007bf0c      int64_t var_8 = x2
0007bf14      int64_t payload = 0
0007bf14      int64_t s
0007bf14      __builtin_memset(s: &s, c: 0, n: 0x1b)
0007bf28      payload.b = 0
0007bf34      payload:1.w = 0x20
0007bf40      struct ProductInfo info
0007bf40      DjiProductInfo_GetInfo(info: &info)
0007bf50      struct ProductInfo info_1
0007bf50      memcpy(&info_1, &info, 0x2c4)
0007bf5c      char payload_1[0x28]
0007bf5c      payload_1[0] = info_1.user_info.appKey[0]
0007bf5c      payload_1[1] = info_1.user_info.appKey[1]
0007bf5c      payload_1[2] = info_1.user_info.appKey[2]
0007bf5c      payload_1[3] = info_1.user_info.appKey[3]
0007bf5c      payload_1[4] = info_1.user_info.appKey[4]
0007bf5c      payload_1[5] = info_1.user_info.appKey[5]
0007bf5c      payload_1[6] = info_1.user_info.appKey[6]
0007bf5c      payload_1[7] = info_1.user_info.appKey[7]
0007bf5c      int64_t s_1
0007bf5c      s_1.b = info_1.user_info.appKey[8]
0007bf5c      s_1:1.b = info_1.user_info.appKey[9]
0007bf5c      s_1:2.b = info_1.user_info.appKey[0xa]
0007bf5c      s_1:3.b = info_1.user_info.appKey[0xb]
0007bf5c      s_1:4.b = info_1.user_info.appKey[0xc]
0007bf5c      s_1:5.b = info_1.user_info.appKey[0xd]
0007bf5c      s_1:6.b = info_1.user_info.appKey[0xe]
0007bf5c      s_1:7.b = info_1.user_info.appKey[0xf]
0007bf60      payload = payload_1
0007bf60      s = s_1
0007bf64      int64_t x0_2
0007bf64      x0_2.b = info_1.user_info.appKey[0x10]
0007bf64      x0_2:1.b = info_1.user_info.appKey[0x11]
0007bf64      x0_2:2.b = info_1.user_info.appKey[0x12]
0007bf64      x0_2:3.b = info_1.user_info.appKey[0x13]
0007bf64      x0_2:4.b = info_1.user_info.appKey[0x14]
0007bf64      x0_2:5.b = info_1.user_info.appKey[0x15]
0007bf64      x0_2:6.b = info_1.user_info.appKey[0x16]
0007bf64      x0_2:7.b = info_1.user_info.appKey[0x17]
0007bf64      int64_t x1_1
0007bf64      x1_1.b = info_1.user_info.appKey[0x18]
0007bf64      x1_1:1.b = info_1.user_info.appKey[0x19]
0007bf64      x1_1:2.b = info_1.user_info.appKey[0x1a]
0007bf64      x1_1:3.b = info_1.user_info.appKey[0x1b]
0007bf64      x1_1:4.b = info_1.user_info.appKey[0x1c]
0007bf64      x1_1:5.b = info_1.user_info.appKey[0x1d]
0007bf64      x1_1:6.b = info_1.user_info.appKey[0x1e]
0007bf64      x1_1:7.b = info_1.user_info.appKey[0x1f]
0007bf68      int64_t var_28 = x0_2
0007bf68      int64_t var_20 = x1_1
0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, payload: &payload, payload_size: 0x23)
0007bf90      if (result != 0)
0007bfc0          DjiLogger_Output(tag: "auth", level: 0, fmt: "[%s:%d) get serial number ack er…", "DjiIdentityVerify_GetSerialNumbe…", 0x119, result)
0007bfd0      return result

How do I get rid of

0007bf5c      int64_t s_1
...
0007bf60      payload = payload_1
0007bf60      s = s_1
0007bf64      int64_t x0_2
...
0007bf64      int64_t x1_1
...
0007bf68      int64_t var_28 = x0_2
0007bf68      int64_t var_20 = x1_1

and make sure just payload is used?

joelreymont commented 5 months ago

The disassembly

0007bef0  uint64_t DjiIdentityVerify_GetSerialNumber(struct CommandManager* mgr, struct CommandHeader* header)

0007bef0  ffc317d1   sub     sp, sp, #0x5f0
0007bef4  fd7bbfa9   stp     x29, x30, [sp, #-0x10]! {__saved_x29} {__saved_x30}
0007bef8  fd030091   mov     x29, sp {__saved_x29}
0007befc  a07f01f9   str     x0, [x29, #0x2f8 {var_308}]
0007bf00  a17b01f9   str     x1, [x29, #0x2f0 {var_310}]
0007bf04  a27701f9   str     x2, [x29, #0x2e8 {var_318}]
0007bf08  a07741f9   ldr     x0, [x29, #0x2e8 {var_318}]
0007bf0c  a0ff02f9   str     x0, [x29, #0x5f8 {var_8}]
0007bf10  a0231791   add     x0, x29, #0x5c8 {payload}
0007bf14  1f7c00a9   stp     xzr, xzr, [x0] {payload}  {0x0}  {0x0}
0007bf18  a0631791   add     x0, x29, #0x5d8
0007bf1c  1f7c00a9   stp     xzr, xzr, [x0]  {0x0}  {0x0}
0007bf20  bfd30b79   strh    wzr, [x29, #0x5e8 {var_18}]  {0x0}
0007bf24  bfab1739   strb    wzr, [x29, #0x5ea {var_16}]  {0x0}
0007bf28  bf231739   strb    wzr, [x29, #0x5c8 {payload}]  {0x0}
0007bf2c  00048052   mov     w0, #0x20
0007bf30  a1271791   add     x1, x29, #0x5c9 {payload+0x1}
0007bf34  20000079   strh    w0, [x1 {payload+0x1}]  {0x20}
0007bf38  a0430091   add     x0, x29, #0x10 {info}
0007bf3c  e80300aa   mov     x8, x0 {info}
0007bf40  e58a0094   bl      DjiProductInfo_GetInfo
0007bf44  a0030c91   add     x0, x29, #0x300 {info_1}
0007bf48  a1430091   add     x1, x29, #0x10 {info}
0007bf4c  825880d2   mov     x2, #0x2c4
0007bf50  7c59fe97   bl      memcpy
0007bf54  a22f1791   add     x2, x29, #0x5cb {payload+0x3}
0007bf58  a3c30c91   add     x3, x29, #0x330 {info_1.user_info.appKey}
0007bf5c  600440a9   ldp     x0, x1, [x3] {info_1.user_info.appKey[0]} {info_1.user_info.appKey[1]} {info_1.user_info.appKey[2]} {info_1.user_info.appKey[3]} {info_1.user_info.appKey[4]} {info_1.user_info.appKey[5]} {info_1.user_info.appKey[6]} {info_1.user_info.appKey[7]} {info_1.user_info.appKey[8]} {info_1.user_info.appKey[9]} {info_1.user_info.appKey[0xa]} {info_1.user_info.appKey[0xb]} {info_1.user_info.appKey[0xc]} {info_1.user_info.appKey[0xd]} {info_1.user_info.appKey[0xe]} {info_1.user_info.appKey[0xf]}
0007bf60  400400a9   stp     x0, x1, [x2] {payload+0x3} {s+0x3}
0007bf64  600441a9   ldp     x0, x1, [x3, #0x10] {info_1.user_info.appKey[0x10]} {info_1.user_info.appKey[0x11]} {info_1.user_info.appKey[0x12]} {info_1.user_info.appKey[0x13]} {info_1.user_info.appKey[0x14]} {info_1.user_info.appKey[0x15]} {info_1.user_info.appKey[0x16]} {info_1.user_info.appKey[0x17]} {info_1.user_info.appKey[0x18]} {info_1.user_info.appKey[0x19]} {info_1.user_info.appKey[0x1a]} {info_1.user_info.appKey[0x1b]} {info_1.user_info.appKey[0x1c]} {info_1.user_info.appKey[0x1d]} {info_1.user_info.appKey[0x1e]} {info_1.user_info.appKey[0x1f]}
0007bf68  400401a9   stp     x0, x1, [x2, #0x10] {var_28+0x3} {var_20+0x3}
0007bf6c  a0231791   add     x0, x29, #0x5c8 {payload}
0007bf70  63048052   mov     w3, #0x23
0007bf74  e20300aa   mov     x2, x0 {payload}
0007bf78  a17b41f9   ldr     x1, [x29, #0x2f0 {var_310}]
0007bf7c  a07f41f9   ldr     x0, [x29, #0x2f8 {var_308}]
0007bf80  129cff97   bl      DjiCommand_SendAckData
0007bf84  a0fb02f9   str     x0, [x29, #0x5f0 {var_10}]
0007bf88  a0fb42f9   ldr     x0, [x29, #0x5f0 {var_10}]
0007bf8c  1f0000f1   cmp     x0, #0
0007bf90  a0010054   b.eq    0x7bfc4

0007bf94  000600b0   adrp    x0, 0x13c000
0007bf98  02c03691   add     x2, x0, #0xdb0
0007bf9c  000600b0   adrp    x0, 0x13c000
0007bfa0  01202591   add     x1, x0, #0x948
0007bfa4  000600b0   adrp    x0, 0x13c000
0007bfa8  00c01b91   add     x0, x0, #0x6f0  {data_13c6f0, "auth"}
0007bfac  a5fb42f9   ldr     x5, [x29, #0x5f0 {var_10}]
0007bfb0  24238052   mov     w4, #0x119
0007bfb4  e30302aa   mov     x3, x2  {__FUNCTION__.7456, "DjiIdentityVerify_GetSerialNumbe…"}
0007bfb8  e20301aa   mov     x2, x1  {data_13c948, "[%s:%d) get serial number ack er…"}
0007bfbc  01008052   mov     w1, #0
0007bfc0  cf150094   bl      DjiLogger_Output

0007bfc4  a0fb42f9   ldr     x0, [x29, #0x5f0 {var_10}]
0007bfc8  fd7bc1a8   ldp     x29, x30, [sp], #0x10 {__saved_x29} {__saved_x30}
0007bfcc  ffc31791   add     sp, sp, #0x5f0
0007bfd0  c0035fd6   ret     
plafosse commented 4 months ago

This is too much information; please try to simplify it down to exactly what you're asking for.

joelreymont commented 4 months ago

How do I get the compact output of the kind that IDA Pro gives me?

memcpy(&info_1, &info, sizeof(info_1));
  *(_QWORD *)&payload_1[3] = *(_QWORD *)info_1.user_info.appKey;
  *(_QWORD *)&payload_1[11] = *(_QWORD *)&info_1.user_info.appKey[8];
  *(_QWORD *)&payload_1[19] = *(_QWORD *)&info_1.user_info.appKey[16];
  *(_QWORD *)&payload_1[27] = *(_QWORD *)&info_1.user_info.appKey[24];
  err = DjiCommand_SendAckData(mgr_1, header_1, payload_1, 0x23);
negasora commented 4 months ago

Typing things correctly results in better output:

0007bef0  uint64_t DjiIdentityVerify_GetSerialNumber(struct CommandManager* arg1, struct CommandHeader* arg2)

0007bf0c      int64_t x2
0007bf0c      int64_t var_8 = x2
0007bf14      char payload[0x23]
0007bf14      payload[0].q = 0
0007bf14      payload[8].q = 0
0007bf1c      payload[0x10].q = 0
0007bf1c      payload[0x18].q = 0
0007bf20      payload[0x20].w = 0
0007bf24      payload[0x22] = 0
0007bf28      payload[0] = 0
0007bf34      payload[1].w = 0x20
0007bf40      char info_output[0x2c4]
0007bf40      DjiProductInfo_GetInfo(&info_output)
0007bf50      char copy_target[0x2c4]
0007bf50      memcpy(&copy_target, &info_output, 0x2c4)
0007bf60      payload[3].q = copy_target[0x30].q
0007bf60      payload[0xb].q = copy_target[0x38].q
0007bf68      payload[0x13].q = copy_target[0x40].q
0007bf68      payload[0x1b].q = copy_target[0x48].q
0007bf80      uint64_t result = DjiCommand_SendAckData(mgr: arg1, header: arg2, &payload, payload_size: 0x23)
0007bf90      if (result != 0)
0007bf90      {
0007bfc0          DjiLogger_Output(tag: "auth", level: 0, fmt: "[%s:%d) get serial number ack error:0x%08llX", "DjiIdentityVerify_GetSerialNumber", 0x119, result)
0007bf90      }
0007bfd0      return result
plafosse commented 4 months ago

I wonder why we're not picking up on the memset operation though. ... oh probably because of the payload[1].w = 0x20

yeah looks like IDA handles this as such

  *(_QWORD *)payload_1 = 0x2000LL;
  memset(&payload_1[8], 0, 0x1B);
joelreymont commented 4 months ago

@negasora The code is trying to stuff parts of product info into a buffer so the type of product_info is not char[0x2c4] but ProductInfo, a structure of the same size.

Why all the code with phantom variables, e.g. char payload_1[0x28], int64_t x1_1, int64_t x0_2 and int64_t x1_2?

Compare IDA output

DjiProductInfo_GetInfo(&info);
  memcpy(&info_1, &info, sizeof(info_1));
  *(_QWORD *)&payload_1[3] = *(_QWORD *)info_1.user_info.appKey;
  *(_QWORD *)&payload_1[11] = *(_QWORD *)&info_1.user_info.appKey[8];
  *(_QWORD *)&payload_1[19] = *(_QWORD *)&info_1.user_info.appKey[16];
  *(_QWORD *)&payload_1[27] = *(_QWORD *)&info_1.user_info.appKey[24];
  err = DjiCommand_SendAckData(mgr_1, header_1, payload_1, 0x23);

to BN

0007bf5c      char payload_1[0x28]
0007bf5c      payload_1[0] = info_1.user_info.appKey[0]
0007bf5c      payload_1[1] = info_1.user_info.appKey[1]
0007bf5c      payload_1[2] = info_1.user_info.appKey[2]
0007bf5c      payload_1[3] = info_1.user_info.appKey[3]
0007bf5c      payload_1[4] = info_1.user_info.appKey[4]
0007bf5c      payload_1[5] = info_1.user_info.appKey[5]
0007bf5c      payload_1[6] = info_1.user_info.appKey[6]
0007bf5c      payload_1[7] = info_1.user_info.appKey[7]
0007bf5c      int64_t x1_1
0007bf5c      x1_1.b = info_1.user_info.appKey[8]
0007bf5c      x1_1:1.b = info_1.user_info.appKey[9]
0007bf5c      x1_1:2.b = info_1.user_info.appKey[0xa]
0007bf5c      x1_1:3.b = info_1.user_info.appKey[0xb]
0007bf5c      x1_1:4.b = info_1.user_info.appKey[0xc]
0007bf5c      x1_1:5.b = info_1.user_info.appKey[0xd]
0007bf5c      x1_1:6.b = info_1.user_info.appKey[0xe]
0007bf5c      x1_1:7.b = info_1.user_info.appKey[0xf]
0007bf60      payload[3].q = payload_1
0007bf60      payload[0xb].q = x1_1
0007bf64      int64_t x0_2
0007bf64      x0_2.b = info_1.user_info.appKey[0x10]
0007bf64      x0_2:1.b = info_1.user_info.appKey[0x11]
0007bf64      x0_2:2.b = info_1.user_info.appKey[0x12]
0007bf64      x0_2:3.b = info_1.user_info.appKey[0x13]
0007bf64      x0_2:4.b = info_1.user_info.appKey[0x14]
0007bf64      x0_2:5.b = info_1.user_info.appKey[0x15]
0007bf64      x0_2:6.b = info_1.user_info.appKey[0x16]
0007bf64      x0_2:7.b = info_1.user_info.appKey[0x17]
0007bf64      int64_t x1_2
0007bf64      x1_2.b = info_1.user_info.appKey[0x18]
0007bf64      x1_2:1.b = info_1.user_info.appKey[0x19]
0007bf64      x1_2:2.b = info_1.user_info.appKey[0x1a]
0007bf64      x1_2:3.b = info_1.user_info.appKey[0x1b]
0007bf64      x1_2:4.b = info_1.user_info.appKey[0x1c]
0007bf64      x1_2:5.b = info_1.user_info.appKey[0x1d]
0007bf64      x1_2:6.b = info_1.user_info.appKey[0x1e]
0007bf64      x1_2:7.b = info_1.user_info.appKey[0x1f]
0007bf68      payload[0x13].q = x0_2
0007bf68      payload[0x1b].q = x1_2
0007bf80      uint64_t result = DjiCommand_SendAckData(mgr, header, &payload, payload_size: 0x23)
joelreymont commented 4 months ago

I maintain that BN is doing it wrong or can do much better here!

emesare commented 4 months ago

The cause of this seems to be the load/store splitting: we allow the operation to occur on array-struct pairs even when the access on both sides is an array, which causes the undersizing. If this can be disallowed with no or few regressions, then it is trivial to fix.

joelreymont commented 3 months ago

Should this still be tagged as a question given @emesare's comment above?

It seems like an issue with load/store splitting.

emesare commented 3 months ago

Should this still be tagged as a question given @emesare 's comment above?

It seems like an issue with load/store splitting.

Yes, right now it is still being looked into, this issue will be updated when we can figure out a plan forward.