Why do I get an invalid prototype when using CallingConvention? #4559
Comments
The default calling convention analysis does not recover variable or function argument types. You'll want to decompile the function and see if the decompiler can give you a function prototype with more precise argument types. Try doing this at the end of your script:

```python
# Decompiling the function runs type inference and updates func.prototype
dec = p.analyses.Decompiler(func, cfg=cfg.model)
print(func.prototype)
```
Thanks, it works. But I decided to try another example where I analyzed the function func, and instead of getting the prototype (int, int) I got (unsigned long, unsigned long). I was also wondering what prototypes angr will output when a sanitizer is embedded in an executable using 'gcc -fsanitize=undefined test.c -o test'; the prototype I got was (unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long). How did that happen? Source text of the file I tried to analyze:
angr decompiler does not aggressively narrow register-passing arguments (e.g., long long -> int) during decompilation, so this can totally be the expected behavior. But I can't be sure unless you post your binary.
As of now, angr decompiler is not aware of sanitizers and will not try to eliminate sanitizer artifacts. I can imagine the sanitization logic will attempt to load all possible register-passing arguments at the beginning of your function, which will lead angr decompiler to treat all loaded registers as argument-passing containers. The end result is a function prototype that is different from the one in source. However, this is the expected behavior (unless angr decompiler is aware of sanitizers one day).
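The two answers above describe two different outcomes: same argument count but wider types (expected, since register-passing arguments are not narrowed) versus more arguments than the source has (an artifact such as a sanitizer prologue). The following is an added example, not code from the angr project or this thread; it runs both analyses on a function and triages the result against the source prototype. It assumes an x86-64 ELF such as angr's fauxware sample at ./fauxware, and the type-width table is constructed for amd64.

```python
"""Added example: recover a prototype with CallingConvention, then with
Decompiler, and triage the difference against the source prototype."""

# Byte widths of the C types seen in this thread; amd64 assumed (constructed table).
TYPE_WIDTH = {
    "int": 4, "unsigned int": 4, "long": 8, "unsigned long": 8,
    "long long": 8, "unsigned long long": 8, "char*": 8, "char *": 8,
}


def triage_prototype(recovered_args, source_args):
    """Classify a mismatch between recovered and source argument type lists.

    Returns 'match'; 'widened' (same count, every recovered type at least as
    wide as the source type: expected, angr keeps register-width containers);
    'extra_args' (more arguments recovered than in source, e.g. a sanitizer
    prologue touching every argument register); 'fewer_args'; or 'narrowed'.
    """
    if len(recovered_args) > len(source_args):
        return "extra_args"
    if len(recovered_args) < len(source_args):
        return "fewer_args"
    widened = False
    for rec, src in zip(recovered_args, source_args):
        rec, src = rec.strip(), src.strip()
        if TYPE_WIDTH[rec] < TYPE_WIDTH[src]:
            return "narrowed"
        if rec != src:
            widened = True
    return "widened" if widened else "match"


def recover_prototype(binary, func_name):
    """Return (prototype after CallingConvention, prototype after Decompiler)."""
    import angr  # imported here so triage_prototype works without angr installed
    p = angr.Project(binary, auto_load_libs=False)
    cfg = p.analyses.CFGFast(normalize=True)
    func = cfg.functions[func_name]
    # Calling-convention analysis alone only finds register-width containers.
    p.analyses.CallingConvention(func, cfg=cfg.model, analyze_callsites=True)
    cc_proto = str(func.prototype)
    # Decompilation runs type inference and may refine the argument types.
    p.analyses.Decompiler(func, cfg=cfg.model)
    return cc_proto, str(func.prototype)


if __name__ == "__main__":
    before, after = recover_prototype("./fauxware", "authenticate")
    print("CallingConvention:", before)
    print("Decompiler:       ", after)
```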
Thanks, here are the source and the error:
Question
Hi angr team! Excuse my English. I just recently started working with angr and ran into a problem when researching functions in fauxware. Using CallingConvention for the authenticate function I get the prototype (long long (64 bits), long long (64 bits)) -> int (32 bits), although the prototype should be (char*, char*) -> int. How can I fix this, and why does it happen like this? Can you explain and, if possible, give me a code sample. I am using this code: