cetfor / PaperMachete

A project that uses Binary Ninja and GRAKN.AI to perform static analysis on binary files with the goal of identifying bugs in software.
MIT License

A terminating node was encountered that was not expected: '<type 'float'>' #7

Open trippleflux opened 4 years ago

trippleflux commented 4 years ago

I am on Binary Ninja version 2, and also using Windows. After some mods I finally get PaperMachete and Binary Ninja processing the function, but I am currently stuck at the following errors:

```
  function: sub_401ae2 (asm-addr: 0x401b01)
A terminating node was encountered that was not expected: '<type 'float'>'
Traceback (most recent call last):
  File "paper_machete.py", line 284, in <module>
    main()
  File "paper_machete.py", line 187, in main
    pmanalyze.main(join(ANALYSIS, binary))
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 487, in main
    analyze(bv, func_list)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 463, in analyze
    process_instruction(func, block, insn)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 136, in process_instruction
    ast_parse([func, block, insn])
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 329, in ast_parse
    ast_name_element(args, il_type, il)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 311, in ast_name_element
    ast_build_json(args, name, il)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 228, in ast_build_json
    ast_build_json(args, child_name, o, level+1, edge_label)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 228, in ast_build_json
    ast_build_json(args, child_name, o, level+1, edge_label)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 228, in ast_build_json
    ast_build_json(args, child_name, o, level+1, edge_label)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 228, in ast_build_json
    ast_build_json(args, child_name, o, level+1, edge_label)
  File "C:\Users\echelon\Documents\Works\Tools\PaperMachete\pmanalyze.py", line 305, in ast_build_json
    raise ValueError
ValueError
```

The Windows binary that I am targeting is here: ioA.zip

Also, is there any chance to move completely into Python 3?

cetfor commented 4 years ago

Hey @trippleflux,

So the issue is that PM is finding a terminating node of a Float, but it only checks for long, Variable, and SSAVariable. See here: https://github.com/cetfor/PaperMachete/blob/9d79d1201843d0128fc0498cfb47a39e142c8397/pmanalyze.py#L258

Duplicating the first long case and modifying for float should get past this issue. As for Python 3, at this point I think it's safe to move past Python 2. Binary Ninja supports it, and the bridge for Grakn does.

In my own research and work, I've dropped graph databases and knowledge graphs completely. This was a fun project, but ultimately it transfers the burden of knowledge from one domain to another. Namely, it tries to sidestep program analysis and replace it with complicated queries.

Grakn is awesome. But at the time, running PM on an (albeit rather complex) firmware took a 72-core machine over a day to analyze and insert into the database. Any time we had updates on analysis, that needed to be run again. For small binaries it's fine, but once you start to venture into real-world targets, poop hits the fan pretty fast.

In my current research, I do live analysis of binary targets. Binary Ninja and Ghidra are both capable of this, though I much prefer Binary Ninja's ILs. It requires significantly more data flow analysis, but it's way faster than PM and best of all, no magic queries.

I started writing a series on this, which had to be put on hold because of a conflict of interest with my day job. But I hope to finish it in the future. https://medium.com/@cetfor/finding-cwe-369-divide-by-zero-bugs-with-binary-ninja-part-1-e14b484b2551

Unfortunately, I just don't have the bandwidth to maintain this, especially as I feel there are faster and, frankly, better methods of automated bug finding.

I'm happy to help with any questions you might have, just ping me here. Thanks.
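The following is an added illustration of the fix described in the comment above; it is not PaperMachete's own code and does not reproduce the real `ast_build_json` in `pmanalyze.py`. It models the part of that walk the traceback exposes: non-terminal IL nodes recurse over their operands, and terminal (leaf) values are dispatched on their Python type, with an unknown type raising the `ValueError` seen in the issue. `ILNode`, `Variable` and `SSAVariable` here are constructed stand-ins for Binary Ninja's IL and variable types (the real ones live in the `binaryninja` module and are not imported), the handler names and the `PRE_FIX_HANDLERS`/`FIXED_HANDLERS` tables are hypothetical, and the sample tree is constructed. It is written for Python 3, where Python 2's `long` is simply `int`, which is the one type-name change the Python 3 move implies for this dispatch.

```python
"""Simplified model of a terminating-node dispatch (added example, not PaperMachete code)."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Constructed stand-ins for Binary Ninja's Variable and SSAVariable types.
@dataclass(frozen=True)
class Variable:
    name: str

@dataclass(frozen=True)
class SSAVariable:
    var: Variable
    version: int

# Constructed stand-in for an IL instruction: an operation name plus operands,
# each of which is either another ILNode or a terminating value.
@dataclass
class ILNode:
    operation: str
    operands: List[Any] = field(default_factory=list)

# One handler per terminating-node type (names are hypothetical).
def _leaf_int(v: int) -> Dict[str, Any]:
    return {"type": "Constant", "value": v}

def _leaf_float(v: float) -> Dict[str, Any]:
    # The "duplicate the long case and modify it for float" change.
    return {"type": "FloatConstant", "value": v}

def _leaf_var(v: Variable) -> Dict[str, Any]:
    return {"type": "Variable", "name": v.name}

def _leaf_ssa(v: SSAVariable) -> Dict[str, Any]:
    return {"type": "SSAVariable", "name": v.var.name, "version": v.version}

# Before the fix: only int (Python 2 long), Variable and SSAVariable are known.
PRE_FIX_HANDLERS: Dict[type, Callable[[Any], Dict[str, Any]]] = {
    int: _leaf_int,
    Variable: _leaf_var,
    SSAVariable: _leaf_ssa,
}
# After the fix: the same table plus a float entry.
FIXED_HANDLERS: Dict[type, Callable[[Any], Dict[str, Any]]] = {
    **PRE_FIX_HANDLERS,
    float: _leaf_float,
}

def ast_build_json(il: Any, handlers=FIXED_HANDLERS, level: int = 0,
                   edge_label: Optional[str] = None) -> Dict[str, Any]:
    """Recursively convert an IL tree into a JSON-compatible dict.

    Non-terminal nodes recurse over their operands; terminal values are
    dispatched on their exact type, and an unknown type raises ValueError
    with the message seen in the issue's traceback.
    """
    if isinstance(il, ILNode):
        node: Dict[str, Any] = {"type": il.operation, "level": level,
                                "edge": edge_label, "children": []}
        for i, operand in enumerate(il.operands):
            node["children"].append(
                ast_build_json(operand, handlers, level + 1, f"operand_{i}"))
        return node
    handler = handlers.get(type(il))  # exact type: bool is not treated as int
    if handler is None:
        raise ValueError(
            "A terminating node was encountered that was not expected: %r" % type(il))
    leaf = handler(il)
    leaf["level"] = level
    leaf["edge"] = edge_label
    return leaf

def leaf_types(node: Dict[str, Any]) -> List[str]:
    """Return the leaf node types of a built tree, in operand order."""
    if "children" in node:
        out: List[str] = []
        for child in node["children"]:
            out.extend(leaf_types(child))
        return out
    return [node["type"]]

def unexpected_leaf_error(il: Any, handlers) -> Optional[str]:
    """Return the ValueError message the walk would raise, or None on success."""
    try:
        ast_build_json(il, handlers)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample: an SSA assignment whose right-hand side adds a float constant,
# the shape of input that trips the pre-fix dispatch.
SAMPLE_TREE = ILNode("MLIL_SET_VAR_SSA", [
    SSAVariable(Variable("xmm0"), 2),
    ILNode("MLIL_FADD", [
        ILNode("MLIL_VAR_SSA", [SSAVariable(Variable("xmm0"), 1)]),
        ILNode("MLIL_FLOAT_CONST", [2.5]),
    ]),
])

if __name__ == "__main__":
    print("before fix:", unexpected_leaf_error(SAMPLE_TREE, PRE_FIX_HANDLERS))
    print("after fix:", json.dumps(ast_build_json(SAMPLE_TREE), indent=2))
```

Running the module shows the pre-fix table failing on the `MLIL_FLOAT_CONST` leaf with the same message as the issue, and the fixed table producing a full JSON tree. Dispatching on `type(il)` rather than `isinstance` is deliberate: it keeps `bool` from silently being folded into the `int` case, so any genuinely new leaf type still surfaces as an explicit error instead of a malformed record in the database.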

trippleflux commented 4 years ago

Thanks man, yes, I just realized it will take a long time for real-world cases.