plasma-disassembler / plasma

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.
GNU General Public License v3.0

analyzer: better heuristic of frame_size #62

Closed ghost closed 7 years ago

ghost commented 8 years ago

Currently, the analyzer computes wrong variable offsets when the sp is modified, for example:

mov rbx, [rsp] ; get one qword from rsp
push rax ; first arg of func
call func
; func should pop the arg
mov rbx, [rsp] ; the analyzer gives a different offset for this one

ghost commented 8 years ago

It works only if func is known, i.e. the code is in the binary. If func is an import, we can't analyze the function.

-> The solution could be to guess the frame size and detect when arguments are pushed; they will be pushed after the frame.

ghost commented 8 years ago

The heuristic to compute the frame size is very simple (lib.arch.*.utils.guess_frame_size) and may fail. We need to allow the user to modify the frame size, then re-analyze the function.
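To make the two comments above concrete, here is an added toy model (written for this page, not plasma's own analyzer) of the stack-pointer tracking they discuss. The instruction tuples, the `resolve_offsets` function and its `frame_size` / `known_funcs` parameters are all constructed for the illustration; `frame_size` stands in for the guessed or user-edited frame size, and a push that lands below that frame is treated as an outgoing argument that an unanalyzable callee will pop.

```python
# Added example, not plasma's code: a toy stack-pointer tracker over a
# constructed mini instruction format, reproducing the mis-resolved offset
# from the issue and the "pushes after the frame are arguments" heuristic.
def resolve_offsets(insns, frame_size=None, known_funcs=None):
    """Frame-relative offset of every `mov reg, [rsp]` load.
    frame_size: bytes below the entry rsp (guessed or set by hand); None = naive.
    known_funcs: {name: bytes popped on return} for callees we could analyze.
    """
    known_funcs = known_funcs or {}
    sp = 0             # displacement from rsp at function entry (negative = below)
    pending_args = 0   # bytes pushed below the frame, i.e. outgoing arguments
    offsets = []
    for mnem, arg in insns:
        if mnem == "sub_rsp":
            sp -= arg
        elif mnem == "push":
            sp -= 8
            # A push that lands below the frame is an argument for the next call.
            if frame_size is not None and -sp > frame_size:
                pending_args += 8
        elif mnem == "pop":
            sp += 8
        elif mnem == "call":
            if arg in known_funcs:
                sp += known_funcs[arg]      # callee was analyzed: exact pop count
            elif frame_size is not None:
                sp += pending_args          # import: assume it pops the arguments
            pending_args = 0
        elif mnem == "load_rsp":            # mov reg, [rsp]
            offsets.append(sp)
    return offsets

# Constructed sample: a 16-byte frame, a [rsp] read, one argument pushed for an
# imported callee that pops it, then the same [rsp] read again.
SAMPLE = [
    ("sub_rsp", 16),
    ("load_rsp", None),   # mov rbx, [rsp]
    ("push", "rax"),      # first arg of func
    ("call", "func"),     # func pops the arg, but func is an import
    ("load_rsp", None),   # mov rbx, [rsp]  -> must be the same slot as above
]

def naive():
    return resolve_offsets(SAMPLE)                    # [-16, -24]: two slots

def with_frame_heuristic():
    return resolve_offsets(SAMPLE, frame_size=16)     # [-16, -16]: one slot

def with_known_callee():
    return resolve_offsets(SAMPLE, known_funcs={"func": 8})  # [-16, -16]
```

A wrong frame-size guess (say 32 instead of 16) would again classify the push as a frame slot and fall back to the naive result, which is why the comment asks for the value to be user-editable followed by a re-analysis.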

ghost commented 7 years ago

6668796e725b0ec6f3cc3f08fa1b2d2472925ab3 b1c50296e3b26ff871b73bd002e119f83ed96967