Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/

Phantom variables #5551

Open joelreymont opened 1 month ago

joelreymont commented 1 month ago

Version and Platform (required):

Internal binary major dine favor.

After I changed the type of `payload_1` to `char[30]`, Binary Ninja introduced a phantom variable `payload_2` — an alias of the `payload` parameter (`char* payload_2 = payload`) that is never used anywhere in the function.

000d1e88  uint64_t DjiAircraftConnection_ReceiveFCGetVersionHandle(struct MessageBroker* broker, struct MessageHeader* header, char* payload)  // FC "get version" request handler: builds a fixed 30-byte ack in payload_1 and sends it; the incoming payload argument is never read in this listing

000d1e98      char* payload_2 = payload  // phantom: this alias is never used below (the subject of this issue)
000d1ea0      char payload_1[0x1e]  // 30-byte ack buffer (user-typed as char[30])
000d1ea0      payload_1[0].q = 0  // bytes 0..7
000d1ea0      payload_1[8].q = 0  // bytes 8..15
000d1ea4      payload_1[0x10].q = 0  // bytes 16..23
000d1ea8      payload_1[0x18].d = 0  // bytes 24..27
000d1eac      payload_1[0x1c].w = 0  // bytes 28..29 -- after these five stores every byte of payload_1 is zero
000d1ec0      int64_t var_30 = *0x782e33204b445358  // spurious dereference of an immediate: 0x...58 is 0x...50 + 8, i.e. it trails the "PSDK 3.x" constant stored below; see the linked issue #3996 in the comment below
000d1ec4      payload_1[0] = 0
000d1ed4      payload_1[1] = (0xf & payload_1[1]) | 0x30  // byte 1: the two bit-field ops together net to 0x30 (low nibble cleared, high nibble 3)
000d1ee0      payload_1[1] &= 0xf0
000d1ef0      payload_1[2].q = 0x782e33204b445350  // bytes 2..9 = "PSDK 3.x" in little-endian byte order (IDA renders this as a strcpy)
000d1ef0      payload_1[0xa].q = *0x782e33204b445358  // same spurious dereference; IDA's listing has bytes 10..17 as plain zeros
000d1ef4      int16_t var_3a = 0  // NOTE(review): looks like another stack slot split off from the buffer -- cannot be confirmed from this listing
000d1efc      payload_1[0x19] = 3  // byte 25 = 3 and byte 24 = 0 (IDA: DWORD 0x300 at offset 24)
000d1f00      payload_1[0x18] = 0
000d1f08      payload_1[0x16].w = 0  // bytes 22..23
000d1f20      uint64_t err = DjiCommand_SendAckData(broker, header, payload: &payload_1, payload_size: 30)  // size equals sizeof payload_1 and every byte was assigned above, so no uninitialized stack data goes out in the ack
000d1e88      
000d1f30      if (err != 0)
000d1f60          DjiLogger_Output(tag: "infor", level: 0, fmt: "[%s:%d) get version ack error:0x…", "DjiAircraftConnection_ReceiveFCG…", 0x16a, err)  // log only (0x16a = source line 362); the error is still returned below
000d1e88      
000d1f6c      return err

For comparison, IDA's decompiler produces cleaner output for the same function — no phantom `payload_2`, no `var_30`/`var_3a` slots, and the string constant is recovered as a `strcpy`:

// FC "get version" request handler as recovered by IDA: fills a fixed
// 30-byte ack (payload_1) and sends it via DjiCommand_SendAckData.
// Returns the send result (0 on success); a nonzero result is logged
// with source line 362 and then propagated to the caller. The incoming
// `payload` argument is never read here.
int64_t __fastcall DjiAircraftConnection_ReceiveFCGetVersionHandle(
        struct MessageBroker *broker,
        struct MessageHeader *header,
        char *payload)
{
  char payload_1[30]; // [xsp+48h] [xbp+48h] BYREF
  int64_t err; // [xsp+68h] [xbp+68h]

  payload_1[0] = 0;
  *(_QWORD *)&payload_1[16] = 0LL;      // bytes 16..23
  *(_DWORD *)&payload_1[0x18] = 0x300;  // bytes 24..27: little-endian, so byte 25 = 3 and the rest 0
  *(_WORD *)&payload_1[28] = 0;         // bytes 28..29
  *(_DWORD *)&payload_1[1] = 0x30;      // unaligned 4-byte store: byte 1 = 0x30, bytes 2..4 zeroed (immediately overwritten by the strcpy)
  strcpy(&payload_1[2], "PSDK 3.x");    // bytes 2..9 = "PSDK 3.x", byte 10 = NUL
  payload_1[11] = 0;
  *(_WORD *)&payload_1[12] = 0;         // bytes 12..13
  *(_DWORD *)&payload_1[14] = 0;        // bytes 14..17 (overlaps the qword zero at 16)
  // Every byte 0..29 has been assigned above, so the 30 bytes sent below
  // carry no uninitialized stack data.
  err = DjiCommand_SendAckData(broker, header, payload_1, 30);
  if ( err )
    DjiLogger_Output(
      "infor",
      0,
      "[%s:%d) get version ack error:0x%08llX",
      "DjiAircraftConnection_ReceiveFCGetVersionHandle",
      362LL,
      err);
  return err;
}
xusheng6 commented 1 month ago

Related: the strange line `int64_t var_30 = *0x782e33204b445358` (and likewise `payload_1[0xa].q = *0x782e33204b445358`) is caused by https://github.com/Vector35/binaryninja-api/issues/3996 — `0x782e33204b445350` is the little-endian encoding of the string "PSDK 3.x" that IDA shows as a `strcpy`, and Binary Ninja is treating the following immediate `0x782e33204b445358` (that constant plus 8) as a pointer and dereferencing it.