-
Notifications
You must be signed in to change notification settings - Fork 1
/
plugin.json
28 lines (28 loc) · 5.05 KB
/
plugin.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{
"pluginmetadataversion" : 2,
"name": "Division and Modulo Deoptimizer",
"type": ["ui", "binaryview", "helper"],
"api": ["python3"],
"description": "Deoptimize Divisions and Modulos in Binary Ninja.",
"longdescription": "# Binary Ninja Division and Modulo Deoptimizer\n\nThis plugin uses z3 and a binary search to deoptimize divisions and modulos in binary ninja. It operates on MLIL, so it should be architecture agnostic. Because z3 is used and instructions are followed, the deoptimization is also pattern agnostic, so different compiler optimizations should still work.\n\nIt works by following the operands of a SSA MLIL instruction. After following the operands, the z3 value representing the final MLIL variable will be a function of an unconstrained input variable. We can use a binary search with different arguments to that function to determine what the actual divisor is.\n\nNotes about speed: This is slow. It takes about a second per MLIL instruction tested, so large functions will not be analyzed quickly. There are a couple easy speed improvements that can be made, and some more complex ones. Testing every other MLIL line should still catch most if not all divisions/modulos, only running the division pass or modulo pass, not analyzing instructions that are too far away from relevant arethmetic are some examples of potential speed improvements, and reusing analysis effort on nearby lines are some potential future speed improvements.\n\n# Usage\n\nThe plugin registers two commands - \"Deoptimize Operations - Function\" and \"Deoptimize Operations - Line\". \n\n![](images/before_running.png)\n\nFor \"Deoptimize Operations - Line\", open the context menu on the line in which the result of the division is stored in a register or IL variable. Then run the analysis, and if a division is found, a comment will be added.\n\n![](images/after_running.png)\n\nTo analyze every line in the current function, run \"Deoptimize Operation - Function\".\n\n![](images/deoptimize_function.png)\n\n# Installation\n\nClone or symlink this repository into your plugin folder. (https://docs.binary.ninja/guide/plugins.html#using-plugins)\n\n# Known Failures\n\nThese failures are caused by the incomplete impletation of the MLIL.\n\n - 64 bit dividing or performing modulos by very large numbers.\n - 32 bit, when large enough numbers are used that `__divdi3` and similar methods are called.\n```c\n int b;\n unsigned long e;\n scanf(\"%d\", &b);\n printf(\"b / 435939234853 = %d\", x / 435939234853); // Doesn't work\n scanf(\"%ld\", &e);\n printf(\"UNSIGNED LONG b / 435939234853 = %ld\", x / 435939234853); // Also doesn't work\n scanf(\"%d\", &b);\n printf(\"b % 435939234853 = %d\", x % 435939234853); // Still doesn't work\n scanf(\"%ld\", &e);\n printf(\"UNSIGNED LONG b % 435939234853 = %ld\", x % 435939234853); // Shockingly, this still doesn't work\n```\n\n - 64 bit, divide or modulo by 32, and possibly other powers of 2. There's an issue with variable sizes so that a division of a 4-byte int results in 9223372032559808544, which is technically correct... `c_int(9223372032559808544).value == 32`. Modulo doesn't have any result.\n",
"license": {
"name": "MIT",
"text": "Copyright (c) 2020 Nathan Peercy\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
},
"platforms" : ["Darwin", "Linux", "Windows"],
"installinstructions" : {
"Darwin": "To install this manually, please see the \"Using Plugins\" section of the [Getting Started Guide](https://docs.binary.ninja/getting-started.html#using-plugins).",
"Linux": "To install this manually, please see the \"Using Plugins\" section of the [Getting Started Guide](https://docs.binary.ninja/getting-started.html#using-plugins).",
"Windows": "To install this manually, please see the \"Using Plugins\" section of the [Getting Started Guide](https://docs.binary.ninja/getting-started.html#using-plugins)."
},
"dependencies": {
"pip": ["z3-solver"],
"apt": [],
"installers": [],
"other": []
},
"version": "0.1.3",
"author": "Nathan Peercy",
"minimumbinaryninjaversion": 2085,
"projectUrl": "https://github.com/jmprdi/binja-division-deoptimization"
}