Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Question about the PC address reported by mythril #1766

Open
ShangzhiXu opened this issue May 4, 2023 · 2 comments
Open

Question about the PC address reported by mythril #1766

ShangzhiXu opened this issue May 4, 2023 · 2 comments

Comments

@ShangzhiXu
Copy link

ShangzhiXu commented May 4, 2023

Description

So to sum up, I found that the PC address reported does not match the disassemble code generated by solc. I don't know if I made any mistake in usage or if I apprehend the meaning of PC addresswrongly.
Thanks for your help!!

Tests

Let's use the example in README:

root@i10940x:/home/usr/mythril# myth analyze solidity_examples/killbilly.sol -t 3
==== Unprotected Selfdestruct ====
SWC ID: 106
Severity: High
Contract: KillBilly
Function name: commencekilling()
PC address: 354
    Code: selfdestruct(msg.sender)
Estimated Gas Usage: 974 - 1399
Any sender can cause the contract to self-destruct.
Any sender can trigger execution of the SELFDESTRUCT instruction to destroy this contract account and withdraw its balance to an arbitrary address. Review the transaction trace generated for this issue and make sure that appropriate security controls are in place to prevent unrestricted access.
--------------------
In file: solidity_examples/killbilly.sol:22

selfdestruct(msg.sender)

--------------------
Initial State:

Account: [CREATOR], balance: 0x0, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x0, nonce:0, storage:{}

Transaction Sequence:

Caller: [CREATOR], calldata: , decoded_data: , value: 0x0
Caller: [ATTACKER], function: killerize(address), txdata: 0x9fa299ccadadadadadadadadadadadaddeadbeefdeadbeefdeadbeefdeadbeefdeadbeef, value: 0x0
Caller: [ATTACKER], function: activatekillability(), txdata: 0x84057065, value: 0x0
Caller: [ATTACKER], function: commencekilling(), txdata: 0x7c11da20, value: 0x0

There is an item in the report PC address: 354. I considered it as the offset of the opcode in bytecode. Like here, I think at PC address: 354, the opcode should be CALL, but when I try to check this out by reading the disassemble code generated by solc, I found they are different. The disassemble code looks like this at 354 (equal to 0x162)

0162    50    POP
	0163    50    POP
	0164    60    PUSH1 0x40
	0166    51    MLOAD
	0167    80    DUP1
	0168    91    SWAP2
	0169    03    SUB
	016A    90    SWAP1
	016B    F3    *RETURN
	016C    5B    JUMPDEST
	016D    60    PUSH1 0x00
	016F    80    DUP1

which is a pop.
Same thing happen when handling integer overflow, the PC address does not match the disassemble code generated by solc. For example, mythril reports PC address : 100, but the opcode in the disassemble code at offset 100 may not be MUL, ADD or other opcodes that might lead to overflow, instead, opcode at offset 100 might be POP CALL or other things.

Thanks for your help!!

@norhh
Copy link
Collaborator

norhh commented May 6, 2023

Hi @ShangzhiXu are you checking runtime disassembly or creation disassembly? In this case, you'd have to check runtime disassembly.

@ShangzhiXu
Copy link
Author

Thanks!I'll check it out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants