Qbindiff can't guess the arch

quarkslab / qbindiff

Quarkslab Bindiffer but not only !

https://diffing.quarkslab.com

Apache License 2.0

179 stars 7 forks source link

Qbindiff can't guess the arch #20

Open Fenrisfulsur opened 1 year ago

Fenrisfulsur commented 1 year ago

While trying to use qbindiff on a ARM32 Thumb program, i got the following exception:

Cannot guess the instruction set of the instruction at 0x....

I fixed the issue by hard-coding the mode and arch inside the file qbindiff/loader/backend/binexport.py but it could be cool to let the user define the arch and mode when he knows it, something like:

differ = qbindiff.QBinDiff(
    p, q,
    distance=Distance.canberra,
    ...,
    arch="ARM-32",
    mode="THUMB"
)

patacca commented 1 year ago

This is indeed a huge problem that happens when using the BinExport backend. It originates from the fact that BinExport doesn't export enough information to reliably reconstruct a capstone object at instruction level. There have been few attempts to solve this (see #36) but it's still not over yet.

Here's a list of refinements that are left to do:

[ ] When the target architecture is not enforced (by either CLI or parameter) the algorithm has to guess it. It should be better to suggest enforcing the architecture manually when failing to guess correctly.
[ ] Use the global capstone object when disassembling with the old method