radareorg / radeco

radare2-based decompiler and symbol executor

esil is not parsed properly #289

Open VPaulV opened 8 years ago

VPaulV commented 8 years ago

parser.rs fails to parse esil expressions that contain DUP opcode: 0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}

Also expressions with 'ds' are not parsed: esp,[4],ds,=,4,esp,+

radare commented 8 years ago

What is ds? Why should it be parsed?

On 19 May 2016, at 04:48, Paul notifications@github.com wrote:

parser.rs fails to parse esil expressions that contain the DUP instruction: 0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}

Also expressions with 'ds' are not parsed: esp,[4],ds,=,4,esp,+


VPaulV commented 8 years ago

@radare Well, it was my first question that I asked in #radare xD One can get an expression containing 'ds' with this sample: malware_sample.zip - Password:infected

radare commented 8 years ago

Which instruction produces this esil?

On 19 May 2016, at 12:52, Paul notifications@github.com wrote:

@radare Well, it was my first question that I asked in #radare xD One can get 'ds' with this sample: malware_sample.zip - Password:infected


VPaulV commented 8 years ago

asm:

0x0042edc0      1e             push ds
...
0x0042f5c4      1f             pop ds

esil:

0x0042edc0      1e             4,esp,-=,ds,esp,=[4]       ; esp=0xfffffffb -> 0xffffff00
...
0x0042f5c4      1f             esp,[4],ds,=,4,esp,+=

radare commented 8 years ago

ok, it's 16-bit x86 code. This is ok; the problem is that the ds register is not in the regprofile, it just needs that thing fixed.

ds is the data segment register

On 19 May 2016, at 15:40, Paul notifications@github.com wrote:

asm:

0x0042edc0      1e             push ds
...
0x0042f5c4      1f             pop ds

esil:

0x0042edc0      1e             4,esp,-=,ds,esp,=[4]       ; esp=0xfffffffb -> 0xffffff00
...
0x0042f5c4      1f             esp,[4],ds,=,4,esp,+=
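To make the two failure modes in this thread concrete, here is a small added example (not radeco's parser.rs) of an ESIL tokenizer that checks each comma-separated token against an opcode list and a register profile. The opcode list and the `x86_profile` register set are assumptions for the example; the point is that `DUP` only parses if the opcode table knows it, and `ds` only parses once it is in the profile, which is the fix radare describes above.

```rust
use std::collections::HashSet;

/// Token kinds a minimal ESIL tokenizer distinguishes (assumed subset, not radeco's parser.rs).
#[derive(Debug, PartialEq)]
enum Tok { Num(u64), Reg(String), Op(String) }

/// Opcodes this example knows; DUP is listed so the first expression from the issue parses.
const OPS: &[&str] = &["=", "+", "-", "+=", "-=", "<", "!", "&", "?{", "}", "DUP", "[4]", "=[4]"];

/// Register profile as the issue describes it: general-purpose regs and flags, no segment regs.
fn x86_profile() -> HashSet<String> {
    ["eax", "ebx", "ecx", "edx", "esp", "ebp", "esi", "edi", "zf", "cf"]
        .iter().map(|s| s.to_string()).collect()
}

/// Tokenize a comma-separated ESIL string against a register profile.
/// A token that is neither an opcode, a known register nor a number is an error,
/// which is what happens to `ds` when the profile omits the segment registers.
fn parse_esil(expr: &str, regs: &HashSet<String>) -> Result<Vec<Tok>, String> {
    let mut depth = 0i32;
    let mut out = Vec::new();
    for t in expr.split(',') {
        let tok = if OPS.contains(&t) {
            // keep conditional blocks `?{ ... }` balanced
            if t == "?{" { depth += 1 } else if t == "}" { depth -= 1 }
            if depth < 0 { return Err("unmatched `}`".to_string()); }
            Tok::Op(t.to_string())
        } else if regs.contains(t) {
            Tok::Reg(t.to_string())
        } else if let Some(h) = t.strip_prefix("0x") {
            Tok::Num(u64::from_str_radix(h, 16).map_err(|e| format!("{}: {}", t, e))?)
        } else if let Ok(n) = t.parse::<u64>() {
            Tok::Num(n)
        } else {
            return Err(format!("unknown token `{}`: not an opcode and not in the register profile", t));
        };
        out.push(tok);
    }
    if depth != 0 { return Err("unclosed `?{`".to_string()); }
    Ok(out)
}

fn main() {
    let dup = "0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}";
    let pop_ds = "esp,[4],ds,=,4,esp,+=";
    let mut regs = x86_profile();
    println!("DUP expr: {:?}", parse_esil(dup, &regs).map(|v| v.len()));
    println!("pop ds, no ds in profile: {:?}", parse_esil(pop_ds, &regs));
    regs.insert("ds".to_string()); // the fix radare describes: add ds to the regprofile
    println!("pop ds, ds added: {:?}", parse_esil(pop_ds, &regs).map(|v| v.len()));
}
```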

XVilka commented 6 years ago

@kriw @HMPerson1 @chinmaydd please check if still is applicable. If not - close.