toolCHAINZ / jingle

SMT Modeling for Ghidra's PCODE
MIT License

Question: callother id, load/store struct #8

Closed chf0x closed 2 weeks ago

chf0x commented 2 weeks ago

Hi, could you please help me with interpreting the following structure?

    CallOther {
        output: Option<VarNode>,
        inputs: Vec<VarNode>,
    },

From the documentation, I understand that:

Each CALLOTHER must have a unique name, and as a p-code operation, it takes varnode inputs and may produce a varnode output. However, the exact effect of the operation is not specified.

How can I retrieve the callother ID/name in Jingle?

chf0x commented 2 weeks ago

I would appreciate your help with a few more opcodes if possible:

    Store {
        output: IndirectVarNode,
        input: VarNode,
    },

According to the documentation:

Parameter   | Description
------------|----------------------------------------
input0      | (special) Constant ID of space to store into.
input1      | Varnode containing pointer offset of destination.
input2      | Varnode containing data to be stored.

It seems that output corresponds to input2, and input corresponds to input1. Is that correct?

I have the same question for the Load opcode:

    Load {
        input: IndirectVarNode,
        output: VarNode,
    },

According to the documentation:

Parameter   | Description
------------|----------------------------------------
input0      | (special) Constant ID of space to load from.
input1      | Varnode containing pointer offset to data.
output      | Destination varnode.

Does output map to output, and input to input1?

Thank you!

toolCHAINZ commented 2 weeks ago

Hello! For callother, the argument varnodes I have there are just what sleigh gives. My understanding is that the first varnode input uniquely identifies the callother operation, which has been enough for my needs thus far (it might also be good to split this out: assert there will always be at least one input and store that one separately from the others). I assume there is some sleigh API for doing lookups on this number to get the name of the operation but I haven't looked into it. I can make a follow-up issue (edit: see #9). Happy to review if you figure that out yourself!

toolCHAINZ commented 2 weeks ago

For the indirect varnode stuff, I was trying to reduce the cognitive overhead of remembering the "special purposes" of load and store's inputs by grouping the inputs involved in the indirect access.

For store, output is the combination of input0 and input1; I called it output since it is identifying how to construct the output destination of the store operation. For load, input is the combination of input0 and input1.
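The two explanations above, carried into code as an added example that is not part of jingle or of this thread: a minimal mirror of the operation shapes quoted in the question, a helper that pulls the CALLOTHER id out of the first input (and fails if that input is missing or is not a constant), and constructors that build the `Load`/`Store` shapes from raw Ghidra inputs (input0 = constant space id, input1 = pointer, input2/output = data). The field names on `VarNode` and `IndirectVarNode`, the `CONST_SPACE` index and the error type are assumptions for illustration, not jingle's real definitions.

```rust
// Added example, not jingle's own code. Field names on VarNode/IndirectVarNode
// and the constant-space index are assumptions for illustration only.

/// Index of the "const" address space in this example. Ghidra keeps constant
/// varnodes in a dedicated constant space; the value 0 here is an assumption.
const CONST_SPACE: usize = 0;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct VarNode {
    pub space_index: usize,
    pub offset: u64,
    pub size: usize,
}

impl VarNode {
    pub fn is_constant(&self) -> bool {
        self.space_index == CONST_SPACE
    }
}

/// Groups the "special" inputs of LOAD/STORE: the space the pointer is
/// dereferenced into, the varnode holding the pointer, and the access width.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IndirectVarNode {
    pub pointer_space_index: usize,
    pub pointer_location: VarNode,
    pub access_size_bytes: usize,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PcodeOperation {
    CallOther { output: Option<VarNode>, inputs: Vec<VarNode> },
    Load { input: IndirectVarNode, output: VarNode },
    Store { output: IndirectVarNode, input: VarNode },
}

#[derive(Debug, PartialEq, Eq)]
pub enum PcodeError {
    NotACallOther,
    MissingCallOtherId,
    CallOtherIdNotConstant,
    SpaceIdNotConstant,
    WrongArity { expected: usize, got: usize },
}

/// The CALLOTHER id is the first input varnode, emitted by sleigh as a
/// constant; its offset is the number that names the user-defined op.
pub fn callother_id(op: &PcodeOperation) -> Result<u64, PcodeError> {
    let PcodeOperation::CallOther { inputs, .. } = op else {
        return Err(PcodeError::NotACallOther);
    };
    let id = inputs.first().ok_or(PcodeError::MissingCallOtherId)?;
    if !id.is_constant() {
        return Err(PcodeError::CallOtherIdNotConstant);
    }
    Ok(id.offset)
}

/// Raw Ghidra LOAD: input0 = constant space id, input1 = pointer, output = destination.
pub fn load_from_raw(inputs: &[VarNode], output: VarNode) -> Result<PcodeOperation, PcodeError> {
    let [space, ptr] = inputs else {
        return Err(PcodeError::WrongArity { expected: 2, got: inputs.len() });
    };
    if !space.is_constant() {
        return Err(PcodeError::SpaceIdNotConstant);
    }
    let input = IndirectVarNode {
        pointer_space_index: space.offset as usize,
        pointer_location: ptr.clone(),
        access_size_bytes: output.size,
    };
    Ok(PcodeOperation::Load { input, output })
}

/// Raw Ghidra STORE: input0 = constant space id, input1 = pointer, input2 = data.
pub fn store_from_raw(inputs: &[VarNode]) -> Result<PcodeOperation, PcodeError> {
    let [space, ptr, data] = inputs else {
        return Err(PcodeError::WrongArity { expected: 3, got: inputs.len() });
    };
    if !space.is_constant() {
        return Err(PcodeError::SpaceIdNotConstant);
    }
    let output = IndirectVarNode {
        pointer_space_index: space.offset as usize,
        pointer_location: ptr.clone(),
        access_size_bytes: data.size,
    };
    Ok(PcodeOperation::Store { output, input: data.clone() })
}

fn main() {
    // Constructed sample: CALLOTHER #0x1f with one register argument.
    let id = VarNode { space_index: CONST_SPACE, offset: 0x1f, size: 4 };
    let arg = VarNode { space_index: 2, offset: 0x100, size: 8 };
    let op = PcodeOperation::CallOther { output: None, inputs: vec![id, arg] };
    println!("callother id = {:?}", callother_id(&op));
}
```

The constant-space check is the part worth keeping even if the rest is reshaped: a CALLOTHER whose first input is not a constant, or a LOAD/STORE whose input0 is not, means the operation was built from something other than what sleigh emits, and silently reading `offset` from it would give a meaningless id or space index.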

chf0x commented 2 weeks ago

Thank you very much for the clarifications! Having only the callother ID would be sufficient for my purposes as well; I just could not find any information on where it is located.