Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-analysis doesn't trigger for functions that make an inlined call to an external symbol when its prototype is changed #6249

Open
WeiN76LQh opened this issue Dec 11, 2024 · 0 comments
Open

Re-analysis doesn't trigger for functions that make an inlined call to an external symbol when its prototype is changed #6249

WeiN76LQh opened this issue Dec 11, 2024 · 0 comments

Comments

@WeiN76LQh
Copy link

Version and Platform (required):

  • Binary Ninja Version: 4.3.6550-dev (1ae64a95)
  • OS: macOS
  • OS Version: 15.1.1
  • CPU Architecture: M1

Bug Description:
I have a situation where I'm creating external symbols that have a type thats a pointer to a function. Modifying that prototype to change the return value type is not causing the functions, that make a call using the external symbol, to run re-analysis. If I right-click Reanalyze Current Function then the variable being assigned the return value is updated to have a type that corresponds to the new return type of the external symbol. This is what I would expect to happen but without me having to manually do the right-click Reanalyze Current Function.

Its a bit of a weird scenario because I've basically modified the Objective-C workflow plugin to create external symbols, in a new section that doesn't exist in the binary, and replace the objc_msgSend call with a call to the external symbol. The external symbol once created has a data variable defined at its location with a function pointer type. The section, symbols and data variables are invisible in the UI, I believe due to #6132. I'm doubtful thats anything to do with it because its a UI issue and I'd imagine thats separate to the analysis engine that triggers re-analysis, but thought I'd mention it.

The reason for the creation of the external symbols is to handle objc_msgSend call inlining more eloquently. Currently the plugin just chooses the first Objective-C function with a matching selector as the actual target for the call. This is wrong alot of the time. I've modified the plugin to behave more like IDA does, which is to look at the type or symbol name (for Objective-C classes) for the self parameter and to use that combined with the selector to more accurately identify the target function. If the target function does not appear to exist in the binary, IDA will create an external symbol and then reference that symbol at the call site. I've essentially implemented the same feature in Binary Ninja, except now I've uncovered the issue that if I modify the function prototype of the external symbol, re-analysis for callers of the symbol, where the call has been inlined from another function, won't be triggered.
@WeiN76LQh WeiN76LQh changed the title Re-analysis doesn't trigger for functions that make a call to an external symbol when its prototype is changed Re-analysis doesn't trigger for functions that make an inlined call to an external symbol when its prototype is changed Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@WeiN76LQh