
Decompile x86 code with segment registers #322

Closed
don1001 opened this issue Jun 4, 2018 · 2 comments

Comments

@don1001

don1001 commented Jun 4, 2018

Hi,
I was decompiling x86 code and noticed that segment registers are not handled correctly, e.g.:

Asm:

.text:08048907 0x08048907:
.text:08048907    push ebp
.text:08048908    mov ebp, esp
.text:0804890a    sub esp, 0x38
.text:0804890d    mov eax, [ebp+0x08]
.text:08048910    mov [ebp-0x1C], eax
.text:08048913    mov eax, [ebp+0x0C]
.text:08048916    mov [ebp-0x20], eax
.text:08048919    mov eax, gs:[0x00000014]
.text:0804891f    mov [ebp-0x0C], eax
.text:08048922    xor eax, eax
.text:08048924    mov edx, [ebp-0x20]
.text:08048927    mov eax, [0x0804B1B8]
.text:0804892c    mov dword ptr [esp+0x0C], 0x00
.text:08048934    mov [esp+0x08], edx
.text:08048938    mov edx, [ebp-0x1C]
.text:0804893b    mov [esp+0x04], edx
.text:0804893f    mov [esp], eax
.text:08048942    call _recv
.text:08048947    mov ecx, [ebp-0x0C]
.text:0804894a    xor ecx, gs:[0x00000014] ;using a canary value stored at GS+0x14
.text:08048951    jz 0x08048958
.text:08048953    call ___stack_chk_fail
.text:08048958
.text:08048958 0x08048958:
.text:08048958    leave
.text:08048959    ret

IDA:

ssize_t __cdecl sub_8048907(void *a1, size_t a2)
{
  int v2; // ST2C_4@1
  ssize_t result; // eax@1
  int v4; // ecx@1

  v2 = *MK_FP(__GS__, 20);
  result = recv(fd, a1, a2, 0);
  v4 = *MK_FP(__GS__, 20) ^ v2;
  return result;
}

RetDec:

// Address range: 0x8048907 - 0x8048959
int32_t function_8048907(int32_t * buf, int32_t length) {
    int32_t v1 = recv((int32_t)g10, buf, length, 0); // 0x8048942
    int32_t result; // 0x8048959
    if (*(int32_t *)20 != *(int32_t *)20) { //decompiled incorrectly
        // 0x8048953
        __stack_chk_fail();
        int32_t * v2;
        result = (int32_t)&v2;
        // branch -> 0x8048958
    } else {
        result = v1;
    }
    // 0x8048958
    return result;
}

Could you implement something like IDA does? MK_FP makes a far pointer to handle the gs and fs registers.
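As an added illustration (not part of the issue, and not RetDec's or IDA's code), the script below parses the listing posted above, picks out every memory operand that carries an explicit segment override, renders it both the naive way (segment dropped, which is what produces the `*(int32_t *)20 != *(int32_t *)20` comparison in the RetDec output) and the IDA far-pointer way, and recognises the stack-protector idiom of loading gs:[0x14], later xor-ing a register against the same gs:[0x14], and calling ___stack_chk_fail. The listing is copied from the post; `MK_FP` is IDA's macro; the function names and the `SegAccess`/`CanaryCheck` records are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Disassembly copied from the issue above (function at 0x08048907).
LISTING = """\
.text:08048907 0x08048907:
.text:08048907    push ebp
.text:08048908    mov ebp, esp
.text:0804890a    sub esp, 0x38
.text:0804890d    mov eax, [ebp+0x08]
.text:08048910    mov [ebp-0x1C], eax
.text:08048913    mov eax, [ebp+0x0C]
.text:08048916    mov [ebp-0x20], eax
.text:08048919    mov eax, gs:[0x00000014]
.text:0804891f    mov [ebp-0x0C], eax
.text:08048922    xor eax, eax
.text:08048924    mov edx, [ebp-0x20]
.text:08048927    mov eax, [0x0804B1B8]
.text:0804892c    mov dword ptr [esp+0x0C], 0x00
.text:08048934    mov [esp+0x08], edx
.text:08048938    mov edx, [ebp-0x1C]
.text:0804893b    mov [esp+0x04], edx
.text:0804893f    mov [esp], eax
.text:08048942    call _recv
.text:08048947    mov ecx, [ebp-0x0C]
.text:0804894a    xor ecx, gs:[0x00000014] ;using a canary value stored at GS+0x14
.text:08048951    jz 0x08048958
.text:08048953    call ___stack_chk_fail
.text:08048958
.text:08048958 0x08048958:
.text:08048958    leave
.text:08048959    ret
"""

# Instruction line: ".text:ADDR  mnemonic operands ; comment". Label lines do not match.
INSN_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(\w+)(?:\s+(.*?))?\s*(?:;.*)?$")
# Memory operand with an explicit segment override, e.g. gs:[0x00000014].
SEG_RE = re.compile(r"\b(cs|ds|es|fs|gs|ss):\[([^\]]+)\]")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: List[str]


@dataclass
class SegAccess:
    addr: int
    mnemonic: str
    segment: str
    offset: int
    is_source: bool  # True when the segment operand is read (second operand)


@dataclass
class CanaryCheck:
    segment: str
    offset: int
    load_addr: int
    check_addr: int
    fail_call_addr: int


def parse_listing(text: str) -> List[Insn]:
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            continue  # label lines and bare addresses are skipped
        addr, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")] if ops else []
        insns.append(Insn(int(addr, 16), mnem.lower(), operands))
    return insns


def find_segment_accesses(insns: List[Insn]) -> List[SegAccess]:
    """Every operand whose address is relative to a segment base (fs:/gs:/...)."""
    found = []
    for ins in insns:
        for idx, op in enumerate(ins.operands):
            m = SEG_RE.search(op)
            if m:
                found.append(SegAccess(ins.addr, ins.mnemonic, m.group(1),
                                       int(m.group(2), 16), is_source=(idx == 1)))
    return found


def naive_expr(acc: SegAccess) -> str:
    """Segment prefix dropped: the offset is treated as a flat address (the bug above)."""
    return "*(int32_t *)%d" % acc.offset


def far_pointer_expr(acc: SegAccess) -> str:
    """IDA-style rendering that keeps the segment base in the expression."""
    return "*MK_FP(__%s__, %d)" % (acc.segment.upper(), acc.offset)


def detect_canary_check(insns: List[Insn]) -> Optional[CanaryCheck]:
    """Stack-protector idiom: mov reg, seg:[off] ... xor/cmp reg, seg:[off] ... call *stack_chk_fail."""
    accesses = find_segment_accesses(insns)
    fail_calls = [i.addr for i in insns
                  if i.mnemonic == "call" and i.operands and "stack_chk_fail" in i.operands[0]]
    for load in accesses:
        if not (load.mnemonic == "mov" and load.is_source):
            continue
        for chk in accesses:
            if (chk.mnemonic in ("xor", "cmp", "sub") and chk.is_source
                    and chk.addr > load.addr
                    and (chk.segment, chk.offset) == (load.segment, load.offset)):
                later = [a for a in fail_calls if a > chk.addr]
                if later:
                    return CanaryCheck(load.segment, load.offset, load.addr, chk.addr, later[0])
    return None


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    for acc in find_segment_accesses(insns):
        print("0x%08x %-4s naive=%s  far=%s" % (acc.addr, acc.mnemonic,
                                                naive_expr(acc), far_pointer_expr(acc)))
    print(detect_canary_check(insns))
```

Running it shows the two gs:[0x14] accesses (0x08048919 and 0x0804894a) and that the naive rendering makes both of them `*(int32_t *)20`, so any later comparison between them collapses into a constant-looking `x != x`; keeping the segment in the expression, as IDA's `*MK_FP(__GS__, 20)` does, is what lets the comparison survive as a genuine canary check.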

@PeterMatula
Collaborator

Yeah, segment registers are kinda ignored right now. I will have to look into it - how to properly handle and represent this.

@PeterMatula
Collaborator

This should be fixed by #391. I was adding some tests for it, but since there is no sample here, I cannot add one. Try it yourself and re-open/report an issue if it does not work, or send me a sample to test.
